There are numerous strategies to lessen the possibility and effects of a cyberattack, but doing so takes careful planning and targeted action.

Digital transformation is transforming every aspect of the way organizations compete and operate today. This radical change is reshaping the way that enterprises produce, store, and manipulate an ever-increasing amount of data — emphasizing the need to ensure data governance.

Computing environments are also more sophisticated than they used to be, frequently encompassing the public cloud, the enterprise data center, and a variety of edge devices — including remote servers and Internet of Things (IoT) sensors. This complexity increases the attack surface, making it more difficult to monitor and secure.

A lack of data protection, global pandemic effects, and an increase in attack complexity have allowed for a significant rise in compromised and hacked data that is increasingly common in the workplace. In fact, an external attacker may breach the network perimeter of an organization and access local network resources 93% of the time.

It's a good thing, however, that the sensitivity of distinct data sets and the accompanying regulatory compliance requirements are taken into account by adequate data security.

**Data Security Is More Important Than Ever**

During the pandemic, more customers also became remote customers as more workers became remote workers. As a result, keeping an online environment secure has increased in significance for companies.

When supply chain and labor concerns are already making business difficult, such interruptions can make things even more difficult. As a consequence, a cyberattack can harm a company's reputation with clients and business partners, result in lost revenue, and pose a risk of data loss.

In fact, according to the 2022 data breach report from IBM and the Ponemon Institute, the average cost of a data breach has increased to a record high of $4.4 million.

This highlights the importance of protecting confidential information, which must be a significant responsibility for businesses and organizations.

**Four Data Security Practices Your Organization Should Implement**

A recent study indicated that most businesses have weak cybersecurity procedures, leaving them open to data loss. Although data security isn't the be-all, end-all of cybersecurity defenses — like perimeter and file security, to mention a couple — it is still one of several essential techniques for assessing dangers and lowering the risk involved in managing and storing data.

Fortunately, practical methods and strategies have been created to prevent poor data security practices. Here are four of the best data security practices you should know about.

**1\. Implement Access Controls**

Access controls are crucial to data security because they regulate who has access to and uses business data and resources. Access control rules ensure users have the proper access to corporate data and are who they say they are through authentication and authorization.

They are essentially the selective limiting of data access. Authentication and authorization are two important parts of access control. There can be no data security without authentication and authorization.

Access control reduces the possibility of unapproved users entering logical and physical systems and jeopardizing security. It is an essential part of security compliance programs, as it ensures that access control policies and security technology are in place to protect sensitive data, such as customer information.

**2\. Utilize Endpoint Security Tools to Safeguard Your Data**

Endpoints on your network are continuously in danger. As a result, you must have a robust endpoint security infrastructure to reduce the likelihood of potential data breaches. Start by putting the following strategies into practice:

*   **Antivirus software:** Ensure it is set up on all workstations and servers. Run routine scans to keep your system healthy and detect any infestations, such as ransomware.
*   **Anti-spyware software:** Spyware is a type of harmful computer software frequently installed without the user's awareness. You can remove or block those with the aid of anti-spyware and anti-adware software.
*   **Firewalls:** These operate as a barrier between your data and fraudsters, which is why most experts consider them among the best data protection practices. Internal firewalls are another option for enhancing security.

**3\. Employ Data Encryption**

One of the most fundamental data security best practices is encryption, which is frequently disregarded despite its importance. Data encryption serves to protect digital data confidentiality while it is stored on computers and sent over the Internet or other networks. These algorithms ensure confidentiality and support key security initiatives such as authentication, integrity, non-repudiation, and authenticity.

**4\. Develop a Risk-Based Security Strategy**

Pay close attention to the minor things, such as the hazards your business may encounter and how they might damage employee and customer data. Here, a thorough risk assessment is necessary. The following are some actions that risk assessment enables you to take:

*   Determine the kind and location of your assets.
*   Determine the cybersecurity condition you are in.
*   Maintain an accurate security approach.

Using a risk-based approach, you can adhere to regulations and safeguard your company from potential leaks and breaches.

**Safeguard Your Organization's Data and Protect Your Business in the Future**

Although it frequently appears on the agenda of executive committee meetings, given the escalating concerns posed by the pandemic, strengthening data security must require additional attention. Businesses should be proactive in addressing the threats and develop strategies for preventing successful cyberattacks — rather than reacting when they are already happening. Despite the fact that recovery measures exist, prevention is always better than a cure.

This pandemic has shown us that minimizing the hazards associated with cyberattacks requires careful planning and stronger data security practices. The proper procedures, such as implementing access controls and data encryption, must be used in conjunction with the appropriate security software in order to avoid the magnitude of a data breach and the hidden costs that come with it.

There are numerous strategies to lessen the possibility and effects of a cyberattack, but doing so takes careful planning and targeted action. Businesses must improve the creation and implementation of security measures and make remote working methods resistant to cyberattacks. Start by following these data security practices so that you will be better equipped to handle the rising number of cyberthreats, and protect your company in the future.

4 Data Security Best Practices You Should Know

This Tech Tip outlines three steps security teams should take to protect information stored in Salesforce.

No one likes to hear the B-word: _breach_. Developers definitely don't want to hear that word in relation to a platform they use day in and day out.

When GitHub revealed details about a security breach that allowed an unknown attacker to download data from dozens of private code repositories earlier this year, it was a nightmare scenario. Attackers were using information collected from GitHub to target two third-party cloud platforms-as-a-service (PaaS): Heroku and Travis CI.

Attackers had stolen OAuth tokens issued to Heroku and Travis CI and used them to access and download the contents of private repositories, GitHub found.

Where does the most sensitive information reside in your organization? For organizations using Heroku, Salesforce houses the information that, if exposed, could cripple the organization. Security teams need to think about protecting their Salesforce data. Why should they put the organization's cybersecurity at risk by relying on third-party integrations?

These three simple steps can help improve cybersecurity posture on Salesforce.

**1\. Use Salesforce-Native Applications**

Applications built on Salesforce ensure that your data remains in one place with the same cybersecurity posture as the Salesforce platform. With apps consolidated on a single platform, the attack surface is greatly reduced.

**2\. Establish a Zero-Trust Model**

Never trust, always verify. All users should have the minimum level of permissions and access needed to be able to complete their necessary tasks while requiring users to prove their need and identities before access. Audit everything.

**3\. Utilize Secrets Management**

Never store credentials in clear text, and always assume private repositories are public. Having a secrets management solution ensures that your secrets are rotated along with having an appropriate level of security compliance around your credentials.

With this improved cybersecurity posture, developers, infosec teams, and the CEO will be at ease knowing that the organization's most sensitive data is secure.

Lessons From the GitHub Cybersecurity Breach

TCP-based, DNS water-torture, and carpet-bombing attacks dominate the DDoS threat landscape, while Ireland, India, Taiwan, and Finland are battered by DDoS attacks resulting from the Russia/Ukraine war.

**WESTFORD, Mass.,** **September 27, 2022** — NETSCOUT SYSTEMS, INC. (NASDAQ: NTCT) today announced findings from its 1H2022 DDoS Threat Intelligence Report. The findings demonstrate how sophisticated cybercriminals have become at bypassing defenses with new DDoS attack vectors and successful methodologies.

"By constantly innovating and adapting, attackers are designing new, more effective DDoS attack vectors or doubling down on existing effective methodologies," said Richard Hummel, threat intelligence lead, NETSCOUT. "In the first half of 2022, attackers conducted more pre-attack reconnaissance, exercised a new attack vector called TP240 PhoneHome, created a tsunami of TCP flooding attacks, and rapidly expanded high-powered botnets to plague network-connected resources. In addition, bad actors have openly embraced online aggression with high-profile DDoS attack campaigns related to geopolitical unrest, which have had global implications."

NETSCOUT's Active Level Threat Analysis System (ATLAS™) compiles DDoS attack statistics from most of the world's ISPs, large data centers, and government and enterprise networks. This data represents intelligence on attacks occurring in over 190 countries, 550 industries, and 50,000 autonomous system numbers (ASNs). NETSCOUT's ATLAS Security Engineering and Response Team (ASERT) analyzes and curates this data to provide unique insights in its biannual report. Key findings from the 1H2022 NETSCOUT DDoS Threat Intelligence Report include:

*   There were 6,019,888 global DDoS attacks in 1st half of 2022.
*   TCP-based flood attacks (SYN, ACK, RST) remain the most used attack vector, with approximately 46% of all attacks continuing a trend that started in early 2021.
*   DNS water-torture attacks accelerated into 2022 with a 46% increase primarily using UDP query floods, while carpet-bombing attacks experienced a big comeback toward the end of the second quarter; overall, DNS amplification attacks decreased by 31% from 2H2021 to 1H2022.
*   The new TP240 PhoneHome reflection/amplifications DDoS vector was discovered in early 2022 with a record-breaking amplification ratio of 4,293,967,296:1; swift actions eradicated the abusable nature of this service.
*   Malware botnet proliferation grew at an alarming rate, with 21,226 nodes tracked in the first quarter to 488,381 nodes in the second, resulting in more direct-path, application-layer attacks.

**Geopolitical Unrest Spawns Increased DDoS Attacks**

As Russian ground troops entered Ukraine in late February, there was a significant uptick in DDoS attacks targeting governmental departments, online media organizations, financial firms, hosting providers, and cryptocurrency-related firms, as previously documented. However, the ripple effect resulting from the war had a dramatic impact on DDoS attacks in other countries including:

*   Ireland experienced a surge in attacks after providing service to Ukrainian organizations.
*   India experienced a measurable increase in DDoS attacks following its abstention from the UN Security Council and General Assembly votes condemning Russia's actions in Ukraine.
*   On the same day, Taiwan endured its single-highest number of DDoS attacks after making public statements supporting Ukraine, as with Belize.
*   Finland experienced a 258% increase in DDoS attacks year-over-year, coinciding with its announcement to apply for NATO membership.
*   Poland, Romania, Lithuania, and Norway were targeted by DDoS attacks linked to Killnet; a group of online attackers aligned with Russia.
*   While the frequency and severity of DDoS attacks in North America remained relatively consistent, satellite telecommunications providers experienced an increase in high-impact DDoS attacks, especially after providing support for Ukraine's communications infrastructure.
*   Russia experienced a nearly 3X increase in daily DDoS attacks since the conflict with Ukraine began and continued through the end of the reporting period.

Similarly, as tensions between Taiwan, China, and Hong Kong escalated in 1H2022, DDoS attacks against Taiwan regularly occurred in concert with related public events.

**Unparalleled** **Intelligence**

No other vendor sees and knows more about DDoS attack activity and best practices in attack protection than NETSCOUT. In addition to publishing the DDoS Threat Intelligence Report, NETSCOUT also presents its highly curated real-time DDoS attack data on its Omnis Threat Horizon portal to give customers visibility into the global threat landscape and understand the impact on their organizations. This data also fuels NETSCOUT's ATLAS Intelligence Feed (AIF) which continuously arms NETSCOUT's Omnis and Arbor security portfolio. Together with AIF, the Omnis and Arbor products automatically detect and block threat activity for enterprises and service providers worldwide.

Visit our interactive website for more information on NETSCOUT's semi-annual DDoS Threat Intelligence Report. You can also find us on Facebook, LinkedIn, and Twitter for threat updates and the latest trends and insights.

**About NETSCOUT**

NETSCOUT SYSTEMS, INC. (NASDAQ: NTCT) protects the connected world from cyberattacks and performance disruptions through advanced network detection and response and pervasive network visibility. Powered by our pioneering deep packet inspection at scale, we serve the world's largest enterprises, service providers, and public sector organizations. Learn more at www.netscout.com or follow @NETSCOUT on LinkedIn, Twitter, or Facebook.

Adversaries Continue Cyberattacks with Greater Precision and Innovative Attack Methods According to NETSCOUT Report

Netography Fusion® gives security and cloud operations teams visibility and control of network traffic and context across users, applications, data, and devices.

**Annapolis, MD – September 27, 2022 —** Netography today announced further innovation to its Netography Fusion® platform, delivering scalable, continuous network visibility and control required by security operations center (SOC) and cloud operations teams. Netography Fusion enables organizations to significantly reduce cyber threat risks and costly downtime in real-time with improved security and business context, as well as powerful remediation automation capabilities through alerts, custom detections, and integrations. The platform is the only security product that secures the Atomized Network—including legacy, on-premises, hybrid, multi-cloud, and edge environments.

“Since the pandemic hit, networks have rapidly evolved into composites of multi-cloud, hybrid-cloud, and on-prem infrastructure with mobile and remote workforces. The implications for network security are massive,” said Martin Roesch, Netography CEO. “The Atomized Network is elastic, ephemeral, and encrypted, and organizations are blinded to the composition of their networks and entire categories of attack. This creates gaps where attackers can hide between the technologies and operational teams who use them. Defending the Atomized Network must be done in real-time, detecting and responding to threats as they emerge with a solution architected for the world we are now in.”

Netography Fusion is a cloud-scale, network-centric platform; it reconstitutes capabilities disrupted by the combined impact of encryption in security-as-a-service (SaaS) and Zero Trust environments and atomization and replaces network-scoped capabilities formerly delivered by deep packet inspection (DPI) hosted on appliances. It also provides visibility in places where Endpoint Detection and Response (EDR) solutions simply cannot see independently. A frictionless deployment model enables defenders to secure their Atomized Networks immediately, when, and where needed.

Newly added context labels and tagging allow security and cloud teams to visualize and analyze networks by application, location, compliance groups, or any other scheme. The UX/UI provides analysts with a flexible and optimized workflow to pivot and analyze massive amounts of data quickly.

“Multiple teams, including the SOC and Cloud Ops teams at FICO are continuing to expand their use of Netography Fusion’s scalable network visibility and control platform,” said Shannon Ryan, Senior Director, Core Security Services and Architecture, FICO. “The addition of context labels enables new use cases, including policies that we can apply to specific applications or our on-premises or multi-cloud infrastructure, enabling us with visibility and alerts for specific compliance controls. Context labels also make it easier for more team members to analyze incidents and answer audit questionnaires quicker.”

Netography Fusion customers also:

*   **Close Visibility Gaps:** From north-south to east-west and cloud to cloud only Netography Fusion provides the actionable visibility teams need.
*   **Analyze Incidents and Alerts with Context:** Context labels are provisioned by loading context from both cloud and on-prem infrastructure, allowing custom searches with Netography’s Query Language (NQL) to set up detections, alerts, and reports all with security or business context.
*   **Squash Silos Between Teams:** From security operations to IT to cloud operations, DevOps, threat hunters, forensics, and risk and compliance, all benefit from a single source of truth, the enriched Flow logs, and context.
*   **Lower Mean Time to Detect (MTTD):** Netography Fusion’s robust visualization and graphing interfaces combine with NQL and Netography Detection Models (NDM) to enable security teams to stop attacks quickly and limit the “blast zone” of those attacks.
*   **Lower Mean Time to Respond (MTTR):** Teams will have unprecedented control to limit downtime and the costs associated with remediating post intrusion. Regaining control of your network in the face of a successful breach is key to minimizing the cost of breaches and getting back to business.
*   **Supercharge Threat Hunting:** Forensics teams can achieve gap-free visibility and flexible data retention policies to investigate incidents, understand the attack path and implement proactive measures to prevent future intrusions and reduce attacker dwell time.
*   **Accelerate Audits and Improve Compliance:** Streamline audits and proof of network policy enforcement with context labeling, tagging, and flexible retention capabilities. Teams can isolate network traffic visibility and control by application, location, line of business (LOB), asset type, and more.
*   **Get More Out of Existing Tech Stack:** Extend endpoint visibility and control capabilities to devices and network points that do not support agents, or simply cannot do so cost-effectively. Teams gain comprehensive support for alerting platforms like PagerDuty, Slack, Teams, Twilio, and more via Webhook functionality.

To learn more about Netography Fusion, schedule a quick conversation with one of our engineers to explore visibility gaps and discuss use cases and benefits to your team.

**About Netography**

Netography® has created the first network-centric platform that reconstitutes capabilities disrupted by the combined impact of encryption and Atomized Networks across the security world. Enterprises have become functionally blind to the composition and activities of their networks, resulting in increased dwell time and more attackers leveraging the gaps between the capabilities of an organization’s other tools and the siloed operations teams who operate them.

Netography Fusion® is for enterprise security operations center (SOC) and cloud operations teams that need scalable, continuous network visibility across the Atomized Network – legacy, on-premises, hybrid, multi-cloud, and edge environments. With the Netography Fusion platform, these teams gain visibility and control of network traffic and context across users, applications, data, and devices, to see what they are, what they are doing, and what’s happening to them.

Netography is the only company that delivers Security for the Atomized Network®. Based in Annapolis, MD, Netography is backed by some of the world’s leading venture firms, including Bessemer Venture Partners, SYN Ventures, A16Z, and more. For more information, visit netography.com.

Netography Upgrades Platform to Provide Scalable, Continuous Network Security and Visibility

SOC metrics will allow stakeholders to track the current state of a program and how it's supporting  business objectives.

Given the current financial climate, cybersecurity budgets may be under review, along with all other expenditures, and, in some cases, on the chopping block. One of the best ways for security leaders to protect their security operations program is to ensure alignment with the business priorities of their executive teams and boards. An important part of this is providing metrics that demonstrate the effectiveness of the program. Developing metrics for your security operations will allow your stakeholders to track the current state of the program as well as how the program supports the business objectives.

The security operations center is a business-critical function, but measuring the effectiveness of the SOC isn’t easy. Organizations may choose from a wide variety of different approaches. Speed of response in security operations is one important aspect and can make all the difference between a compromise that’s quickly contained and a catastrophic data breach. 

Therefore, starting with basic metrics such as mean time to detect (MTTD) and mean time to respond (MTTR) will enable both you and your stakeholders to gain greater insight into the operations, and to make better investment decisions, as well as demonstrate value to the executive leadership and board.

**Improve Your Effectiveness**

The main objective of a resilient security operations program should be lowering an organization's MTTD and MTTR to limit any damage done by a cyber incident to your organization. 

MTTD measures the amount of time it takes to discover a potential security threat. This metric helps you understand the effectiveness of your organization's security operations and your team's speed and ability to recognize a threat. Therefore, the goal is to keep this metric as low as possible in order to reduce the impact of a compromise on your organization.

Meanwhile, MTTR helps you measure the time it takes to respond to a threat once it is detected. A higher response time indicates that a compromise could lead to a damaging data breach. The goal is to speed up your response and decrease your risk, just like MTTD. 

Both MTTD and MTTR are key metrics to measure and improve your team's capabilities since it is crucial to track the effectiveness of your team as your organization's maturity grows. Like any fundamental business operation, to mature your organization you should measure operational effectiveness to determine whether your organization is reaching its KPIs and SLAs.

In addition to MTTD and MTTR, there are other metrics you should monitor to make sure that you are effectively measuring and communicating operational effectiveness.

**Ensuring Security Operations Success**

Here are the seven metrics you should measure to help see where your security operations program may need improvements.

**Alarm time to triage (TTT):** Measures the team's ability to urgently inspect an alarm. It helps you understand the level of responsiveness to threats in real time. This could indicate that your team might need additional staff to narrow its monitoring focus or that you have enough staff to take on a larger monitoring load. 

**Alarm time to qualify (TTQ):** Measures and indicates how long it takes an alarm to be fully investigated and qualified. TTQ helps you spot blockages and understand your team's scope when it comes to qualifying threats. 

**Threat time to investigate (TTI):** Measures and indicates the number of hours it takes to thoroughly investigate a qualified threat. It enables you to identify bottlenecks and understand your team's capabilities when investigating threats in an efficient manner.

**Time to mitigate (TTM):** Measures the length of time it takes to mitigate an incident and address the immediate business risk. TTM helps you understand how quickly your team can mitigate the issue to stop or impede an active threat. 

**Time to recover (TTV):** Measures the amount of time it takes to fully recover from an incident. Measuring TTV helps you figure out how quickly your security team and others involved can completely restore operations back to normalcy. Bottlenecks in operations and collaboration can also be found. 

**Incident time to detect (TTD):** Measures the time it takes to confirm an Incident was initially detected and ultimately qualified. TTD is a crucial indicator of security operations effectiveness as it demonstrates the time it takes to identify threats that actually resulted in incidents.

**Incident time to response (TTR):** Measures the duration of time it takes to fully investigate as well as mitigate a confirmed Incident. TTR is an essential measure of security operations effectiveness given that it presents the time it takes to analyze and mitigate threats that resulted in an incident.

Metrics are designed to provide insights on information about your security program's effectiveness, performance and accountability through the collection, analysis, and reporting of data. They also give you the ability to surface bottlenecks in process as well as identify where tools or processes need reworking. All business processes need to be measured in order to improve, and security operations are no different in this regard. Demonstrating effectiveness through metrics is a necessary element in showing value to the wider business.

7 Metrics to Measure the Effectiveness of Your Security Operations

Infrastructure as code can help teams build more consistently in the cloud. But who owns it? Are teams getting the insights they need from your IaC security tool?

Everything you read about infrastructure as code (IaC) is focused on how it works or why you want to make sure that it actually is building the way you want it to build.

These are critical areas. But are we thinking enough about how we use this approach in our organization?

As Melinda Marks from ESG states in a company report, "83% of organizations experienced an increase in IaC template misconfigurations" as they continue to adopt the technology.

We know from work done by the Cloud Security Alliance ("Top Threats to Cloud Computing: Egregious Eleven") and others, misconfigurations continue to be a top risk in the cloud.

IaC is supported to _reduce_ misconfigurations by systematizing the creation of infrastructure, adding a level of rigor and process that ensures teams are building what they want and only what they want. If ~83% of teams aren't seeing that, there's a deeper issue at play.

On smaller teams, one where the Dev and Ops bits of the DevOps philosophy are together, that makes sense. IaC allows these small teams to use the same language — code — to describe everything they're doing.

This is why we're seeing even higher-level abstractions than tools like Terraform or AWS CloudFormation in the AWS CDK and projects like cdk8s. Those high-level abstractions are more comfortable for developers.

An ops/SRE/platform perspective of a cloud service will be wildly different from a developer perspective of the same service. A developer will look at a queuing service and dive into its interface — a simple endpoint to add and one to read? Sold. That's an easy integration.

This operational perspective aims to find the edges. So, when does this queue reach its limit? Is the performance constant or does it change radically under load?

Yes, there are overlapping concerns. And yes, this is a simplified view. But the idea holds. IaC solves a lot of problems, but it can also create and amplify the disconnect between teams. More importantly, it can highlight the gap between the intention of what you're trying to build and the reality of what you have built.

As a result, this is where the security concerns often escalate.

Most tooling — commercial or open source — is focused on identifying things that are wrong with the infrastructure templates. _This_ is a good construct. Making _this_ would be bad. These tools aim to generate these results as part of the continuous integration/continuous delivery (CI/CD) pipeline.

That's a great start. But it echoes the same language issue.

**Who's Talking and Who's Listening?**

When an IaC tool highlights an issue, who will address it? If it’s the development team, does it have enough information to know why this was flagged as an issue? If it's the operations team, are the consequences of the issue laid out in the report?

For developers, what often happens is that they will simply adjust the configuration to make the IaC testing pass.

For operations, it's typically a matter of whether the tests are passing. If they are, then on to the next task. That's not a knock on either team; rather, it highlights the gap of expectations versus reality.

What's needed is context. IaC security tooling provides visibility into what is about to (hopefully) be built. The goal is to stop issues _before_ they get into production.

Today's IaC security tooling is highlighting real issues that need to be addressed. Taking the output of these tools and enriching it with additional context that is specific to the team responsible for the code is a perfect opportunity for some custom automation.

This will also help bridge the language gap. The output from your tooling is essentially in a third language — just to make things more complicated — and needs to be communicated in a manner that makes sense to either a development or an operations audience. Often both.

For example, when a scan flags that a security group rule doesn't have a description, why does that matter? Just getting an alert that says "Add a description for context" doesn't help anyone build better.

This type of flag is a great opportunity to educate the teams that are building in the cloud. Adding an explanation that security group rules should be as specific as possible reduces the opportunity for malicious attacks. Provide references to examples of strong rules. Call that out without knowing the intention, and other teams can't test the validity of the security confirmation.

Security is everyone's responsibility, so acknowledging the language gap between developers and operations will highlight opportunities like this to add simple automations that provide insights to your teams. This will help improve what they are building and, as a result, will drive better security outcomes.

**About the Author**

    

I'm a forensic scientist, speaker, and technology analyst trying to help you make sense of the digital world and it's impact on us. For everyday users, my work helps to explain what the challenges of the digital world. Just how big of an impact does using social media have on your privacy? What does it mean when technologies like facial recognition are starting to be used in our communities? I help answer questions like this and more. For people building technology, I help them to apply a security and privacy lens to their work, so that they can enable users to make clearer decisions about their information and behavior. There is a mountain of confusion when it comes to privacy and security. There shouldn't be. I make security and privacy easier to understand.

IaC Scanning: A Fantastic, Overlooked Learning Opportunity

Using its "Exmatter" tool to corrupt rather than encrypt files signals a new direction for financially motivated cybercrime activity, researchers say.

Malware wielded by BlackCat/ALPHV is putting a new spin on the ransomware game by deleting and destroying an organization's data rather than merely encrypting it. The development provides a glimpse of the direction in which financially motivated cyberattacks likely are heading, according to researchers.  

Researchers from security firms Cyderes and Stairwell have observed a .NET exfiltration tool being deployed in relation to BlackCat/ALPHV ransomware called Exmatter that searches for specific file types from selected directories, uploads them to attacker-controlled servers, and then corrupts and destroy the files. The only way to retrieve the data is by purchasing the exfiltrated files back from the gang.

"Data destruction is rumored to be where ransomware is going to go, but we haven’t actually seen it in the wild," according to a blog post published recently on the Cyderes website. Exmatter could signify that the switch is happening, demonstrating that threat actors are actively in the process of staging and developing such capability, researchers said.

Cyderes researchers performed an initial assessment of Exmatter, then Stairwell's Threat Research Team discovered "partially-implemented data destruction functionality" after analyzing the malware, according to a companion blog post.

"The use of data destruction by affiliate-level actors in lieu of ransomware-as-a-service (RaaS) deployment would mark a large shift in the data extortion landscape, and would signal the balkanization of financially-motivated intrusion actors currently working under the banners of RaaS affiliate programs," Stairwell threat researcher Daniel Mayer and Shelby Kaba, director of special operations at Cyderes, noted in the post.

The emergence of this new capability in Exmatter is a reminder of the rapidly evolving and increasingly sophisticated threat landscape as threat actors pivot to find more creative ways to criminalize their activity, notes one security expert.

"Contrary to popular belief, modern attacks are not always just about stealing data, but can be about destruction, disruption, data weaponization, disinformation, and/or propaganda," Rajiv Pimplaskar, CEO of secure communications provider Dispersive Holdings, tells Dark Reading.

These ever-evolving threats demand that enterprises also must sharpen their defenses and deploy advanced security solutions that harden their respective attack surfaces and obfuscate sensitive resources, which will make them difficult targets to attack in the first place, Pimplaskar adds.

**Previous Ties to BlackMatter**

The researchers' analysis of Exmatter is not the first time a tool of this name has been associated with BlackCat/ALPHV. That group — believed to be run by former members of various ransomware gangs, including those from now-defunct BlackMatter — used Exmatter to exfiltrate data from corporate victims last December and January, before deploying ransomware in a double extortion attack, researchers from Kaspersky reported previously.

In fact, Kaspersky used Exmatter, also known as Fendr, to link BlackCat/ALPHV activity with that of BlackMatter in the threat brief, which was published earlier this year.

The sample of Exmatter that Stairwell and Cyderes researchers examined is a .NET executable designed for data exfiltration using FTP, SFTP, and webDAV protocols, and contains functionality for corrupting the files on disk that have been exfiltrated, Mayer explained. That aligns with BlackMatter's tool of the same name.

**How the Exmatter Destructor Works**

Using a routine named "Sync," the malware iterates through the drives on the victim machine, generating a queue of files of certain and specific file extensions for exfiltration, unless they are located in a directory specified in the malware’s hardcoded blocklist.

Exmatter can exfiltrate queued files by uploading them to an attacker-controlled IP address, Mayer said.

"The exfiltrated files are written to a folder with the same name as the victim machine’s hostname on the actor-controlled server," he explained in the post.

The data-destruction process lies within a class defined within the sample named "Eraser" that is designed to execute concurrently with Sync, researchers said. As Sync uploads files to the actor-controlled server, it adds files that have been successfully copied to the remote server to a queue of files to be processed by Eraser, Mayer explained.

Eraser selects two files randomly from the queue and overwrites File 1 with a chunk of code that's taken from the beginning of the second file, a corruption technique that may be intended as an evasion tactic, he noted.

"The act of using legitimate file data from the victim machine to corrupt other files may be a technique to avoid heuristic-based detection for ransomware and wipers," Mayer wrote, "as copying file data from one file to another is much more plausibly benign functionality compared to sequentially overwriting files with random data or encrypting them." Mayer wrote.

**Work in Progress**

There are a number of clues to indicate that Exmatter's data-corruption technique is a work in progress and thus still being developed by the ransomware group, the researchers noted.

One artifact in the sample that points to this is the fact that the second file’s chunk length, which is used to overwrite the first file, is randomly decided and could be as short as 1 byte long.

The data-destruction process also has no mechanism for removing files from the corruption queue, meaning that some files may be overwritten numerous times before the program terminates, while others may never have been selected at all, the researchers noted.

Moreover, the function that creates the instance of the Eraser class — aptly named "Erase" — does not appear to be fully implemented in the sample that researchers analyzed, as it does not decompile correctly, they said.

**Why Destroy Instead of Encrypt?**

Developing data-corruption and destruction capabilities in lieu of encrypting data has a number of benefits for ransomware actors, the researchers noted, especially as data exfiltration and double-extortion (i.e., threatening to leak stolen data) has become a rather common behavior of threat actors. This has made developing stable, secure, and fast ransomware to encrypt files redundant and costly compared to corrupting files and using the exfiltrated copies as the means of data recovery, they said.

Eliminating encryption altogether also can make the process faster for RaaS affiliates, avoiding scenarios in which they lose profits because victims find other ways to decrypt the data, the researchers noted.

"These factors culminate in a justifiable case for affiliates leaving the RaaS model to strike out on their own," Mayer observed, "replacing development-heavy ransomware with data destruction."

BlackCat/ALPHV Gang Adds Wiper Functionality as Ransomware Tactic

Settling for "satisfactory" level of readiness may underestimate growing levels of risk.

**DOWNERS GROVE, Ill., September 27, 2022** — Fortifying cybersecurity defenses remains a work in progress for many organizations, who acknowledge their shortcomings but have yet to commit the necessary resources to the effort, new research from CompTIA, the nonprofit association for the information technology (IT) industry and workforce, reveals.

While a majority of respondents in each of seven geographic regions feels that their company’s cybersecurity is satisfactory, CompTIA’s “State of Cybersecurity” shows that a much smaller number rank the situation as “completely satisfactory.” Nearly everyone feels that there is room for improvement.

“Companies are aware of the threats they face and the potential consequences of an attack or breach,” said Seth Robinson, vice president, industry research, CompTIA. “But they may be underestimating their exposure and how much they need to invest in cybersecurity. Risk mitigation is the key, the filter through which everything should be viewed.”

Two of the top three issues driving cybersecurity considerations are the growing volume of cybercriminals, cited by 48% of respondents, and the growing variety of cyberattacks (45%). Additionally, ransomware and phishing have quickly become major areas of concern as digital operations have increased and human error has proven more costly.

“Digital transformation driven by cloud and mobile adoption requires a new strategic approach to cybersecurity, but this poses significant challenges, both tactically and financially,” Robinson said. “As IT operations and strategy have grown more complex, so has the management of cybersecurity.”

As cybersecurity is more tightly integrated with business objectives, zero trust is the overarching policy that should be guiding modern efforts, though its adoption will not take place overnight because it requires a drastically different way of thinking and acting. The report suggests there is small progress in recognizing a holistic zero trust approach, but better progress in adopting some elements that are part of an overarching zero trust policy. Multifactor authentication is in place at 46% of companies and cloud workload governance at 41%. Among other changes in organizations’ approach to cybersecurity:

*   43% of companies have placed a higher priority on incident response,
*   39% are deploying a more diverse set of technology tools, with SaaS monitoring and management tools making a substantial jump in adoption,
*   38% are increasing their focus on process improvements,
*   37% are shifting to more proactive measures, and
*   36% are expanding employee education.

Adopting a total zero-trust philosophy, including setting specific, strategic objectives will address many problems companies face. But there are substantial hurdles to overcome, such as closing the communications gap that exists between the technology and business sides of organizations. The overall rate of business staff participation is too low for a business-critical function. Nearly half (47%) of small businesses have the CEO or owner as part of the cybersecurity chain compared to 37% of mid-sized firms and 27% of large enterprises. In addition, companies are struggling to address technical skill needs, such as threat knowledge, network security and data analysis.

CompTIA’s “State of Cybersecurity” report is based on a Q3 2022 survey of technology and business professionals involved in cybersecurity. There were 500 respondents from the U.S. and 125 from each of six other regions around the world. The full report is available at https://www.comptia.org/content/research/cybersecurity-trends-research.  

**About CompTIA**

The Computing Technology Industry Association (CompTIA) is a leading voice and advocate for the $5 trillion global information technology ecosystem; and the estimated 75 million industry and tech professionals who design, implement, manage, and safeguard the technology that powers the world’s economy. Through education, training, certifications, advocacy, philanthropy, and market research, CompTIA is the hub for unlocking the potential of the tech industry and its workforce.

Organizations Finding the Need for New Approaches on the Cybersecurity Front, CompTIA Research Reveals

A crime syndicate based in Russia steals millions of dollars from credit card companies using fake dating and porn sites on hundreds of domains to rack up fraudulent charges.

A subscription service scam has garnered millions of dollars in credit card charges by creating fake dating and porn sites, staffing them with live customer support, and using stolen credit card accounts to pay for "services." 

Endpoint security firm ReasonLabs stated in a Sept. 23 advisory that a Russian-speaking cybercrime group has created hundreds of fraudulent websites since 2019, likely using third-party proxies, as well as dozens of business sites that act as both a generic name for credit card charges and as a hub for customer support calls. By using recurring charges that are small enough to escape many customers' notice, the fraudsters were able to keep chargeback requests low enough to avoid being shut down and continue profiting from the scam.

While the different components of the scheme are not original, the sum total managed to bypass credit card companies' fraud detection and garner millions of dollars in revenue, ReasonLabs' research team said in the advisory.

"Eventually, once — some of — these users find these charges, they will immediately approach the issuer for a dispute and replacement of the card number, which will cause chargebacks."

The three-year scam highlights the resurgence of credit-card fraud, especially for businesses that are dealing with a hybrid workforce. Two-thirds of companies have experienced fraud in the past year, according to a recent study from KPMG. Security experts have meanwhile warned that third-party scripts on websites — part of the software supply chain — could be at risk of being co-opted to steal credentials and credit-card information.

**Designed to Seem Legitimate**

In the latest credit card scam, the cybercriminals created the right mix of components to dodge anti-fraud defenses and to remain unnoticed by consumers who don't always check their credit card bills, researchers said. While unsurprising, the scope of the fraud is quite brazen, Timothy Morris, technology strategist for security management firm Tanium, said in a statement sent to Dark Reading.

"Real companies can run virtually, so it isn’t hard to imagine fake companies running virtually," he said. "Front-end user interfaces, back-end customer support, payment providers, \[and other components\] give this swindle all the ingredients of legitimacy."

The business sites that originated the charges and appeared to be legitimate all have similar structure, with the organization's name, a motto, and information on how to contact support. ReasonLabs found 75 support sites, all with the same HTML code, importing the same JavaScript files, and having identical comments, the company said.

The scheme was also given the veneer of credibility by these 200 fake sites — mainly adult- and dating-themed — that supposedly were the source of the charges. While adult sites are classified as high risk in the financial industry, the combination of live sites and active business hubs helped make the scheme seem legitimate.

The type of fake site that the fraudsters used also likely made the scheme more successful, Matt Mullins, senior security researcher at Cybrary, said in a statement sent to Dark Reading.

"Dating sites, adult sites, and other services have social stigmas associated with them that puts the victim in a questionable light," he said. "This questionable light also makes it more likely that a victim will try to resolve it themselves versus calling up a customer service representative and trying to resolve it."

Finally, the criminal group uses typical credit card spending patterns to make the transaction less suspicious. Rather than use test transactions followed by large transaction, the criminal group uses recurring payments of small dollar amounts to escape notice.  

Because most financial providers have strict agreements with high-risk businesses — such as adult sites — to limit the level of chargebacks, the cybercriminal group takes a variety of actions to avoid chargebacks. The fake businesses' names are fairly generic, they charge small dollar amounts, allow the user to cancel their "subscription," and have live customer support, ReasonLabs said.

"The fraudsters applied each individual customer service website for payment processing in order to distribute the chargebacks between many websites rather than just one," the company stated in its advisory. "This would ensure that their payment processing capabilities will not be revoked once one site reaches the agreed rate of chargebacks, or refunds, which is divided by the number of legit transactions."

The campaign is ongoing, but ReasonLabs has notified the companies affected by the fraud to help shut down the cybercriminal enterprise.

Fake Sites Siphon Millions of Dollars in 3-Year Scam

MITRE's new FiGHT framework describes adversary tactics and techniques used against 5G systems and networks.

The modernization of wireless technology is well underway with 5G deployments -- and so are the attacks. In response, MITRE, along with the Department of Defense, announced an adversarial threat model for 5G systems to help organizations assess the threats against their networks.

A "purpose-built model of observed adversary behaviors," FiGHT (5G Hierarchy of Threats) is a knowledge base of adversary tactics and techniques for 5G systems. The framework empowers organizations to "reliably assess the confidentiality, integrity, and availability of 5G networks, as well as the devices and applications using them," according to MITRE.

FiGHT is similar to MITRE ATT&CK, a knowledge base of adversary behaviors seen in attacks against the broader ecosystem. In fact, FiGHT is derived from ATT&CK, making FiGHT's tactics and techniques complementary to those described in ATT&CK. The FiGHT Matrix lists tactics used in attacks as columns, and some of the items listed are actually ATT&CK techniques or sub-techniques relevant for 5G.

Tactics and techniques are grouped across three categories: theoretical, proof-of-concept, and observed. At the moment, most of the techniques are categorized as either theoretical or proof-of-concept as the information is based on academic research and other publicly available documents. Just a minority of the techniques described in FiGHT are based on real-world observations, reflecting the fact that the number of 5G attacks are still relatively low.

Even though 5G has built-in security features, there still some risks and vulnerabilities to be aware of. 

"We identified an industry need for a structured understanding of 5G threats because even though 5G represents the most secure cellular standard to date, it can be implemented and deployed in ways that still have risks and vulnerabilities," Dr. Charles Clancy, senior vice president and general manager of MITRE Labs, said in a statement.

During this year's RSA Conference, researchers from Deloitte & Touche described a potential avenue of attack targeting network slices, a fundamental part of 5G's architecture. Enterprises rolling out 5G LANs also need to consider that the new capabilities that come with these environments, such as cross-network roaming and cloud edge services, also increase that attack surface.

FiGHT can be used to conduct threat assessments, enable adversarial emulation, and identify gaps in security coverage. Security teams can also use FiGHT to determine which areas the organization should be investing in.

"FiGHT helps stakeholders assess where cyber investments should be made to achieve the highest impact as they build, configure, and deploy secure and resilient 5G systems," Clancy said.

Source

DARKReading