This Tech Tip outlines three steps security teams should take to protect information stored in Salesforce.

No one likes to hear the B-word: _breach_. Developers definitely don't want to hear that word in relation to a platform they use day in and day out.

When GitHub revealed details about a security breach that allowed an unknown attacker to download data from dozens of private code repositories earlier this year, it was a nightmare scenario. Attackers were using information collected from GitHub to target two third-party cloud platforms-as-a-service (PaaS): Heroku and Travis CI.

Attackers had stolen OAuth tokens issued to Heroku and Travis CI and used them to access and download the contents of private repositories, GitHub found.

Where does the most sensitive information reside in your organization? For organizations using Heroku, Salesforce houses the information that, if exposed, could cripple the organization. Security teams need to think about protecting their Salesforce data. Why should they put the organization's cybersecurity at risk by relying on third-party integrations?

These three simple steps can help improve cybersecurity posture on Salesforce.

**1\. Use Salesforce-Native Applications**

Applications built on Salesforce ensure that your data remains in one place with the same cybersecurity posture as the Salesforce platform. With apps consolidated on a single platform, the attack surface is greatly reduced.

**2\. Establish a Zero-Trust Model**

Never trust, always verify. All users should have the minimum level of permissions and access needed to be able to complete their necessary tasks while requiring users to prove their need and identities before access. Audit everything.

**3\. Utilize Secrets Management**

Never store credentials in clear text, and always assume private repositories are public. Having a secrets management solution ensures that your secrets are rotated along with having an appropriate level of security compliance around your credentials.

With this improved cybersecurity posture, developers, infosec teams, and the CEO will be at ease knowing that the organization's most sensitive data is secure.

Lessons From the GitHub Cybersecurity Breach

TCP-based, DNS water-torture, and carpet-bombing attacks dominate the DDoS threat landscape, while Ireland, India, Taiwan, and Finland are battered by DDoS attacks resulting from the Russia/Ukraine war.

**WESTFORD, Mass.,** **September 27, 2022** — NETSCOUT SYSTEMS, INC. (NASDAQ: NTCT) today announced findings from its 1H2022 DDoS Threat Intelligence Report. The findings demonstrate how sophisticated cybercriminals have become at bypassing defenses with new DDoS attack vectors and successful methodologies.

"By constantly innovating and adapting, attackers are designing new, more effective DDoS attack vectors or doubling down on existing effective methodologies," said Richard Hummel, threat intelligence lead, NETSCOUT. "In the first half of 2022, attackers conducted more pre-attack reconnaissance, exercised a new attack vector called TP240 PhoneHome, created a tsunami of TCP flooding attacks, and rapidly expanded high-powered botnets to plague network-connected resources. In addition, bad actors have openly embraced online aggression with high-profile DDoS attack campaigns related to geopolitical unrest, which have had global implications."

NETSCOUT's Active Level Threat Analysis System (ATLAS™) compiles DDoS attack statistics from most of the world's ISPs, large data centers, and government and enterprise networks. This data represents intelligence on attacks occurring in over 190 countries, 550 industries, and 50,000 autonomous system numbers (ASNs). NETSCOUT's ATLAS Security Engineering and Response Team (ASERT) analyzes and curates this data to provide unique insights in its biannual report. Key findings from the 1H2022 NETSCOUT DDoS Threat Intelligence Report include:

*   There were 6,019,888 global DDoS attacks in 1st half of 2022.
*   TCP-based flood attacks (SYN, ACK, RST) remain the most used attack vector, with approximately 46% of all attacks continuing a trend that started in early 2021.
*   DNS water-torture attacks accelerated into 2022 with a 46% increase primarily using UDP query floods, while carpet-bombing attacks experienced a big comeback toward the end of the second quarter; overall, DNS amplification attacks decreased by 31% from 2H2021 to 1H2022.
*   The new TP240 PhoneHome reflection/amplifications DDoS vector was discovered in early 2022 with a record-breaking amplification ratio of 4,293,967,296:1; swift actions eradicated the abusable nature of this service.
*   Malware botnet proliferation grew at an alarming rate, with 21,226 nodes tracked in the first quarter to 488,381 nodes in the second, resulting in more direct-path, application-layer attacks.

**Geopolitical Unrest Spawns Increased DDoS Attacks**

As Russian ground troops entered Ukraine in late February, there was a significant uptick in DDoS attacks targeting governmental departments, online media organizations, financial firms, hosting providers, and cryptocurrency-related firms, as previously documented. However, the ripple effect resulting from the war had a dramatic impact on DDoS attacks in other countries including:

*   Ireland experienced a surge in attacks after providing service to Ukrainian organizations.
*   India experienced a measurable increase in DDoS attacks following its abstention from the UN Security Council and General Assembly votes condemning Russia's actions in Ukraine.
*   On the same day, Taiwan endured its single-highest number of DDoS attacks after making public statements supporting Ukraine, as with Belize.
*   Finland experienced a 258% increase in DDoS attacks year-over-year, coinciding with its announcement to apply for NATO membership.
*   Poland, Romania, Lithuania, and Norway were targeted by DDoS attacks linked to Killnet; a group of online attackers aligned with Russia.
*   While the frequency and severity of DDoS attacks in North America remained relatively consistent, satellite telecommunications providers experienced an increase in high-impact DDoS attacks, especially after providing support for Ukraine's communications infrastructure.
*   Russia experienced a nearly 3X increase in daily DDoS attacks since the conflict with Ukraine began and continued through the end of the reporting period.

Similarly, as tensions between Taiwan, China, and Hong Kong escalated in 1H2022, DDoS attacks against Taiwan regularly occurred in concert with related public events.

**Unparalleled** **Intelligence**

No other vendor sees and knows more about DDoS attack activity and best practices in attack protection than NETSCOUT. In addition to publishing the DDoS Threat Intelligence Report, NETSCOUT also presents its highly curated real-time DDoS attack data on its Omnis Threat Horizon portal to give customers visibility into the global threat landscape and understand the impact on their organizations. This data also fuels NETSCOUT's ATLAS Intelligence Feed (AIF) which continuously arms NETSCOUT's Omnis and Arbor security portfolio. Together with AIF, the Omnis and Arbor products automatically detect and block threat activity for enterprises and service providers worldwide.

Visit our interactive website for more information on NETSCOUT's semi-annual DDoS Threat Intelligence Report. You can also find us on Facebook, LinkedIn, and Twitter for threat updates and the latest trends and insights.

**About NETSCOUT**

NETSCOUT SYSTEMS, INC. (NASDAQ: NTCT) protects the connected world from cyberattacks and performance disruptions through advanced network detection and response and pervasive network visibility. Powered by our pioneering deep packet inspection at scale, we serve the world's largest enterprises, service providers, and public sector organizations. Learn more at www.netscout.com or follow @NETSCOUT on LinkedIn, Twitter, or Facebook.

Adversaries Continue Cyberattacks with Greater Precision and Innovative Attack Methods According to NETSCOUT Report

Netography Fusion® gives security and cloud operations teams visibility and control of network traffic and context across users, applications, data, and devices.

**Annapolis, MD – September 27, 2022 —** Netography today announced further innovation to its Netography Fusion® platform, delivering scalable, continuous network visibility and control required by security operations center (SOC) and cloud operations teams. Netography Fusion enables organizations to significantly reduce cyber threat risks and costly downtime in real-time with improved security and business context, as well as powerful remediation automation capabilities through alerts, custom detections, and integrations. The platform is the only security product that secures the Atomized Network—including legacy, on-premises, hybrid, multi-cloud, and edge environments.

“Since the pandemic hit, networks have rapidly evolved into composites of multi-cloud, hybrid-cloud, and on-prem infrastructure with mobile and remote workforces. The implications for network security are massive,” said Martin Roesch, Netography CEO. “The Atomized Network is elastic, ephemeral, and encrypted, and organizations are blinded to the composition of their networks and entire categories of attack. This creates gaps where attackers can hide between the technologies and operational teams who use them. Defending the Atomized Network must be done in real-time, detecting and responding to threats as they emerge with a solution architected for the world we are now in.”

Netography Fusion is a cloud-scale, network-centric platform; it reconstitutes capabilities disrupted by the combined impact of encryption in security-as-a-service (SaaS) and Zero Trust environments and atomization and replaces network-scoped capabilities formerly delivered by deep packet inspection (DPI) hosted on appliances. It also provides visibility in places where Endpoint Detection and Response (EDR) solutions simply cannot see independently. A frictionless deployment model enables defenders to secure their Atomized Networks immediately, when, and where needed.

Newly added context labels and tagging allow security and cloud teams to visualize and analyze networks by application, location, compliance groups, or any other scheme. The UX/UI provides analysts with a flexible and optimized workflow to pivot and analyze massive amounts of data quickly.

“Multiple teams, including the SOC and Cloud Ops teams at FICO are continuing to expand their use of Netography Fusion’s scalable network visibility and control platform,” said Shannon Ryan, Senior Director, Core Security Services and Architecture, FICO. “The addition of context labels enables new use cases, including policies that we can apply to specific applications or our on-premises or multi-cloud infrastructure, enabling us with visibility and alerts for specific compliance controls. Context labels also make it easier for more team members to analyze incidents and answer audit questionnaires quicker.”

Netography Fusion customers also:

*   **Close Visibility Gaps:** From north-south to east-west and cloud to cloud only Netography Fusion provides the actionable visibility teams need.
*   **Analyze Incidents and Alerts with Context:** Context labels are provisioned by loading context from both cloud and on-prem infrastructure, allowing custom searches with Netography’s Query Language (NQL) to set up detections, alerts, and reports all with security or business context.
*   **Squash Silos Between Teams:** From security operations to IT to cloud operations, DevOps, threat hunters, forensics, and risk and compliance, all benefit from a single source of truth, the enriched Flow logs, and context.
*   **Lower Mean Time to Detect (MTTD):** Netography Fusion’s robust visualization and graphing interfaces combine with NQL and Netography Detection Models (NDM) to enable security teams to stop attacks quickly and limit the “blast zone” of those attacks.
*   **Lower Mean Time to Respond (MTTR):** Teams will have unprecedented control to limit downtime and the costs associated with remediating post intrusion. Regaining control of your network in the face of a successful breach is key to minimizing the cost of breaches and getting back to business.
*   **Supercharge Threat Hunting:** Forensics teams can achieve gap-free visibility and flexible data retention policies to investigate incidents, understand the attack path and implement proactive measures to prevent future intrusions and reduce attacker dwell time.
*   **Accelerate Audits and Improve Compliance:** Streamline audits and proof of network policy enforcement with context labeling, tagging, and flexible retention capabilities. Teams can isolate network traffic visibility and control by application, location, line of business (LOB), asset type, and more.
*   **Get More Out of Existing Tech Stack:** Extend endpoint visibility and control capabilities to devices and network points that do not support agents, or simply cannot do so cost-effectively. Teams gain comprehensive support for alerting platforms like PagerDuty, Slack, Teams, Twilio, and more via Webhook functionality.

To learn more about Netography Fusion, schedule a quick conversation with one of our engineers to explore visibility gaps and discuss use cases and benefits to your team.

**About Netography**

Netography® has created the first network-centric platform that reconstitutes capabilities disrupted by the combined impact of encryption and Atomized Networks across the security world. Enterprises have become functionally blind to the composition and activities of their networks, resulting in increased dwell time and more attackers leveraging the gaps between the capabilities of an organization’s other tools and the siloed operations teams who operate them.

Netography Fusion® is for enterprise security operations center (SOC) and cloud operations teams that need scalable, continuous network visibility across the Atomized Network – legacy, on-premises, hybrid, multi-cloud, and edge environments. With the Netography Fusion platform, these teams gain visibility and control of network traffic and context across users, applications, data, and devices, to see what they are, what they are doing, and what’s happening to them.

Netography is the only company that delivers Security for the Atomized Network®. Based in Annapolis, MD, Netography is backed by some of the world’s leading venture firms, including Bessemer Venture Partners, SYN Ventures, A16Z, and more. For more information, visit netography.com.

Netography Upgrades Platform to Provide Scalable, Continuous Network Security and Visibility

SOC metrics will allow stakeholders to track the current state of a program and how it's supporting  business objectives.

Given the current financial climate, cybersecurity budgets may be under review, along with all other expenditures, and, in some cases, on the chopping block. One of the best ways for security leaders to protect their security operations program is to ensure alignment with the business priorities of their executive teams and boards. An important part of this is providing metrics that demonstrate the effectiveness of the program. Developing metrics for your security operations will allow your stakeholders to track the current state of the program as well as how the program supports the business objectives.

The security operations center is a business-critical function, but measuring the effectiveness of the SOC isn’t easy. Organizations may choose from a wide variety of different approaches. Speed of response in security operations is one important aspect and can make all the difference between a compromise that’s quickly contained and a catastrophic data breach. 

Therefore, starting with basic metrics such as mean time to detect (MTTD) and mean time to respond (MTTR) will enable both you and your stakeholders to gain greater insight into the operations, and to make better investment decisions, as well as demonstrate value to the executive leadership and board.

**Improve Your Effectiveness**

The main objective of a resilient security operations program should be lowering an organization's MTTD and MTTR to limit any damage done by a cyber incident to your organization. 

MTTD measures the amount of time it takes to discover a potential security threat. This metric helps you understand the effectiveness of your organization's security operations and your team's speed and ability to recognize a threat. Therefore, the goal is to keep this metric as low as possible in order to reduce the impact of a compromise on your organization.

Meanwhile, MTTR helps you measure the time it takes to respond to a threat once it is detected. A higher response time indicates that a compromise could lead to a damaging data breach. The goal is to speed up your response and decrease your risk, just like MTTD. 

Both MTTD and MTTR are key metrics to measure and improve your team's capabilities since it is crucial to track the effectiveness of your team as your organization's maturity grows. Like any fundamental business operation, to mature your organization you should measure operational effectiveness to determine whether your organization is reaching its KPIs and SLAs.

In addition to MTTD and MTTR, there are other metrics you should monitor to make sure that you are effectively measuring and communicating operational effectiveness.

**Ensuring Security Operations Success**

Here are the seven metrics you should measure to help see where your security operations program may need improvements.

**Alarm time to triage (TTT):** Measures the team's ability to urgently inspect an alarm. It helps you understand the level of responsiveness to threats in real time. This could indicate that your team might need additional staff to narrow its monitoring focus or that you have enough staff to take on a larger monitoring load. 

**Alarm time to qualify (TTQ):** Measures and indicates how long it takes an alarm to be fully investigated and qualified. TTQ helps you spot blockages and understand your team's scope when it comes to qualifying threats. 

**Threat time to investigate (TTI):** Measures and indicates the number of hours it takes to thoroughly investigate a qualified threat. It enables you to identify bottlenecks and understand your team's capabilities when investigating threats in an efficient manner.

**Time to mitigate (TTM):** Measures the length of time it takes to mitigate an incident and address the immediate business risk. TTM helps you understand how quickly your team can mitigate the issue to stop or impede an active threat. 

**Time to recover (TTV):** Measures the amount of time it takes to fully recover from an incident. Measuring TTV helps you figure out how quickly your security team and others involved can completely restore operations back to normalcy. Bottlenecks in operations and collaboration can also be found. 

**Incident time to detect (TTD):** Measures the time it takes to confirm an Incident was initially detected and ultimately qualified. TTD is a crucial indicator of security operations effectiveness as it demonstrates the time it takes to identify threats that actually resulted in incidents.

**Incident time to response (TTR):** Measures the duration of time it takes to fully investigate as well as mitigate a confirmed Incident. TTR is an essential measure of security operations effectiveness given that it presents the time it takes to analyze and mitigate threats that resulted in an incident.

Metrics are designed to provide insights on information about your security program's effectiveness, performance and accountability through the collection, analysis, and reporting of data. They also give you the ability to surface bottlenecks in process as well as identify where tools or processes need reworking. All business processes need to be measured in order to improve, and security operations are no different in this regard. Demonstrating effectiveness through metrics is a necessary element in showing value to the wider business.

7 Metrics to Measure the Effectiveness of Your Security Operations

Infrastructure as code can help teams build more consistently in the cloud. But who owns it? Are teams getting the insights they need from your IaC security tool?

Everything you read about infrastructure as code (IaC) is focused on how it works or why you want to make sure that it actually is building the way you want it to build.

These are critical areas. But are we thinking enough about how we use this approach in our organization?

As Melinda Marks from ESG states in a company report, "83% of organizations experienced an increase in IaC template misconfigurations" as they continue to adopt the technology.

We know from work done by the Cloud Security Alliance ("Top Threats to Cloud Computing: Egregious Eleven") and others, misconfigurations continue to be a top risk in the cloud.

IaC is supported to _reduce_ misconfigurations by systematizing the creation of infrastructure, adding a level of rigor and process that ensures teams are building what they want and only what they want. If ~83% of teams aren't seeing that, there's a deeper issue at play.

On smaller teams, one where the Dev and Ops bits of the DevOps philosophy are together, that makes sense. IaC allows these small teams to use the same language — code — to describe everything they're doing.

This is why we're seeing even higher-level abstractions than tools like Terraform or AWS CloudFormation in the AWS CDK and projects like cdk8s. Those high-level abstractions are more comfortable for developers.

An ops/SRE/platform perspective of a cloud service will be wildly different from a developer perspective of the same service. A developer will look at a queuing service and dive into its interface — a simple endpoint to add and one to read? Sold. That's an easy integration.

This operational perspective aims to find the edges. So, when does this queue reach its limit? Is the performance constant or does it change radically under load?

Yes, there are overlapping concerns. And yes, this is a simplified view. But the idea holds. IaC solves a lot of problems, but it can also create and amplify the disconnect between teams. More importantly, it can highlight the gap between the intention of what you're trying to build and the reality of what you have built.

As a result, this is where the security concerns often escalate.

Most tooling — commercial or open source — is focused on identifying things that are wrong with the infrastructure templates. _This_ is a good construct. Making _this_ would be bad. These tools aim to generate these results as part of the continuous integration/continuous delivery (CI/CD) pipeline.

That's a great start. But it echoes the same language issue.

**Who's Talking and Who's Listening?**

When an IaC tool highlights an issue, who will address it? If it’s the development team, does it have enough information to know why this was flagged as an issue? If it's the operations team, are the consequences of the issue laid out in the report?

For developers, what often happens is that they will simply adjust the configuration to make the IaC testing pass.

For operations, it's typically a matter of whether the tests are passing. If they are, then on to the next task. That's not a knock on either team; rather, it highlights the gap of expectations versus reality.

What's needed is context. IaC security tooling provides visibility into what is about to (hopefully) be built. The goal is to stop issues _before_ they get into production.

Today's IaC security tooling is highlighting real issues that need to be addressed. Taking the output of these tools and enriching it with additional context that is specific to the team responsible for the code is a perfect opportunity for some custom automation.

This will also help bridge the language gap. The output from your tooling is essentially in a third language — just to make things more complicated — and needs to be communicated in a manner that makes sense to either a development or an operations audience. Often both.

For example, when a scan flags that a security group rule doesn't have a description, why does that matter? Just getting an alert that says "Add a description for context" doesn't help anyone build better.

This type of flag is a great opportunity to educate the teams that are building in the cloud. Adding an explanation that security group rules should be as specific as possible reduces the opportunity for malicious attacks. Provide references to examples of strong rules. Call that out without knowing the intention, and other teams can't test the validity of the security confirmation.

Security is everyone's responsibility, so acknowledging the language gap between developers and operations will highlight opportunities like this to add simple automations that provide insights to your teams. This will help improve what they are building and, as a result, will drive better security outcomes.

**About the Author**

    

I'm a forensic scientist, speaker, and technology analyst trying to help you make sense of the digital world and it's impact on us. For everyday users, my work helps to explain what the challenges of the digital world. Just how big of an impact does using social media have on your privacy? What does it mean when technologies like facial recognition are starting to be used in our communities? I help answer questions like this and more. For people building technology, I help them to apply a security and privacy lens to their work, so that they can enable users to make clearer decisions about their information and behavior. There is a mountain of confusion when it comes to privacy and security. There shouldn't be. I make security and privacy easier to understand.

IaC Scanning: A Fantastic, Overlooked Learning Opportunity

Using its "Exmatter" tool to corrupt rather than encrypt files signals a new direction for financially motivated cybercrime activity, researchers say.

Malware wielded by BlackCat/ALPHV is putting a new spin on the ransomware game by deleting and destroying an organization's data rather than merely encrypting it. The development provides a glimpse of the direction in which financially motivated cyberattacks likely are heading, according to researchers.  

Researchers from security firms Cyderes and Stairwell have observed a .NET exfiltration tool being deployed in relation to BlackCat/ALPHV ransomware called Exmatter that searches for specific file types from selected directories, uploads them to attacker-controlled servers, and then corrupts and destroy the files. The only way to retrieve the data is by purchasing the exfiltrated files back from the gang.

"Data destruction is rumored to be where ransomware is going to go, but we haven’t actually seen it in the wild," according to a blog post published recently on the Cyderes website. Exmatter could signify that the switch is happening, demonstrating that threat actors are actively in the process of staging and developing such capability, researchers said.

Cyderes researchers performed an initial assessment of Exmatter, then Stairwell's Threat Research Team discovered "partially-implemented data destruction functionality" after analyzing the malware, according to a companion blog post.

"The use of data destruction by affiliate-level actors in lieu of ransomware-as-a-service (RaaS) deployment would mark a large shift in the data extortion landscape, and would signal the balkanization of financially-motivated intrusion actors currently working under the banners of RaaS affiliate programs," Stairwell threat researcher Daniel Mayer and Shelby Kaba, director of special operations at Cyderes, noted in the post.

The emergence of this new capability in Exmatter is a reminder of the rapidly evolving and increasingly sophisticated threat landscape as threat actors pivot to find more creative ways to criminalize their activity, notes one security expert.

"Contrary to popular belief, modern attacks are not always just about stealing data, but can be about destruction, disruption, data weaponization, disinformation, and/or propaganda," Rajiv Pimplaskar, CEO of secure communications provider Dispersive Holdings, tells Dark Reading.

These ever-evolving threats demand that enterprises also must sharpen their defenses and deploy advanced security solutions that harden their respective attack surfaces and obfuscate sensitive resources, which will make them difficult targets to attack in the first place, Pimplaskar adds.

**Previous Ties to BlackMatter**

The researchers' analysis of Exmatter is not the first time a tool of this name has been associated with BlackCat/ALPHV. That group — believed to be run by former members of various ransomware gangs, including those from now-defunct BlackMatter — used Exmatter to exfiltrate data from corporate victims last December and January, before deploying ransomware in a double extortion attack, researchers from Kaspersky reported previously.

In fact, Kaspersky used Exmatter, also known as Fendr, to link BlackCat/ALPHV activity with that of BlackMatter in the threat brief, which was published earlier this year.

The sample of Exmatter that Stairwell and Cyderes researchers examined is a .NET executable designed for data exfiltration using FTP, SFTP, and webDAV protocols, and contains functionality for corrupting the files on disk that have been exfiltrated, Mayer explained. That aligns with BlackMatter's tool of the same name.

**How the Exmatter Destructor Works**

Using a routine named "Sync," the malware iterates through the drives on the victim machine, generating a queue of files of certain and specific file extensions for exfiltration, unless they are located in a directory specified in the malware’s hardcoded blocklist.

Exmatter can exfiltrate queued files by uploading them to an attacker-controlled IP address, Mayer said.

"The exfiltrated files are written to a folder with the same name as the victim machine’s hostname on the actor-controlled server," he explained in the post.

The data-destruction process lies within a class defined within the sample named "Eraser" that is designed to execute concurrently with Sync, researchers said. As Sync uploads files to the actor-controlled server, it adds files that have been successfully copied to the remote server to a queue of files to be processed by Eraser, Mayer explained.

Eraser selects two files randomly from the queue and overwrites File 1 with a chunk of code that's taken from the beginning of the second file, a corruption technique that may be intended as an evasion tactic, he noted.

"The act of using legitimate file data from the victim machine to corrupt other files may be a technique to avoid heuristic-based detection for ransomware and wipers," Mayer wrote, "as copying file data from one file to another is much more plausibly benign functionality compared to sequentially overwriting files with random data or encrypting them." Mayer wrote.

**Work in Progress**

There are a number of clues to indicate that Exmatter's data-corruption technique is a work in progress and thus still being developed by the ransomware group, the researchers noted.

One artifact in the sample that points to this is the fact that the second file’s chunk length, which is used to overwrite the first file, is randomly decided and could be as short as 1 byte long.

The data-destruction process also has no mechanism for removing files from the corruption queue, meaning that some files may be overwritten numerous times before the program terminates, while others may never have been selected at all, the researchers noted.

Moreover, the function that creates the instance of the Eraser class — aptly named "Erase" — does not appear to be fully implemented in the sample that researchers analyzed, as it does not decompile correctly, they said.

**Why Destroy Instead of Encrypt?**

Developing data-corruption and destruction capabilities in lieu of encrypting data has a number of benefits for ransomware actors, the researchers noted, especially as data exfiltration and double-extortion (i.e., threatening to leak stolen data) has become a rather common behavior of threat actors. This has made developing stable, secure, and fast ransomware to encrypt files redundant and costly compared to corrupting files and using the exfiltrated copies as the means of data recovery, they said.

Eliminating encryption altogether also can make the process faster for RaaS affiliates, avoiding scenarios in which they lose profits because victims find other ways to decrypt the data, the researchers noted.

"These factors culminate in a justifiable case for affiliates leaving the RaaS model to strike out on their own," Mayer observed, "replacing development-heavy ransomware with data destruction."

BlackCat/ALPHV Gang Adds Wiper Functionality as Ransomware Tactic

Settling for "satisfactory" level of readiness may underestimate growing levels of risk.

**DOWNERS GROVE, Ill., September 27, 2022** — Fortifying cybersecurity defenses remains a work in progress for many organizations, who acknowledge their shortcomings but have yet to commit the necessary resources to the effort, new research from CompTIA, the nonprofit association for the information technology (IT) industry and workforce, reveals.

While a majority of respondents in each of seven geographic regions feels that their company’s cybersecurity is satisfactory, CompTIA’s “State of Cybersecurity” shows that a much smaller number rank the situation as “completely satisfactory.” Nearly everyone feels that there is room for improvement.

“Companies are aware of the threats they face and the potential consequences of an attack or breach,” said Seth Robinson, vice president, industry research, CompTIA. “But they may be underestimating their exposure and how much they need to invest in cybersecurity. Risk mitigation is the key, the filter through which everything should be viewed.”

Two of the top three issues driving cybersecurity considerations are the growing volume of cybercriminals, cited by 48% of respondents, and the growing variety of cyberattacks (45%). Additionally, ransomware and phishing have quickly become major areas of concern as digital operations have increased and human error has proven more costly.

“Digital transformation driven by cloud and mobile adoption requires a new strategic approach to cybersecurity, but this poses significant challenges, both tactically and financially,” Robinson said. “As IT operations and strategy have grown more complex, so has the management of cybersecurity.”

As cybersecurity is more tightly integrated with business objectives, zero trust is the overarching policy that should be guiding modern efforts, though its adoption will not take place overnight because it requires a drastically different way of thinking and acting. The report suggests there is small progress in recognizing a holistic zero trust approach, but better progress in adopting some elements that are part of an overarching zero trust policy. Multifactor authentication is in place at 46% of companies and cloud workload governance at 41%. Among other changes in organizations’ approach to cybersecurity:

*   43% of companies have placed a higher priority on incident response,
*   39% are deploying a more diverse set of technology tools, with SaaS monitoring and management tools making a substantial jump in adoption,
*   38% are increasing their focus on process improvements,
*   37% are shifting to more proactive measures, and
*   36% are expanding employee education.

Adopting a total zero-trust philosophy, including setting specific, strategic objectives will address many problems companies face. But there are substantial hurdles to overcome, such as closing the communications gap that exists between the technology and business sides of organizations. The overall rate of business staff participation is too low for a business-critical function. Nearly half (47%) of small businesses have the CEO or owner as part of the cybersecurity chain compared to 37% of mid-sized firms and 27% of large enterprises. In addition, companies are struggling to address technical skill needs, such as threat knowledge, network security and data analysis.

CompTIA’s “State of Cybersecurity” report is based on a Q3 2022 survey of technology and business professionals involved in cybersecurity. There were 500 respondents from the U.S. and 125 from each of six other regions around the world. The full report is available at https://www.comptia.org/content/research/cybersecurity-trends-research.  

**About CompTIA**

The Computing Technology Industry Association (CompTIA) is a leading voice and advocate for the $5 trillion global information technology ecosystem; and the estimated 75 million industry and tech professionals who design, implement, manage, and safeguard the technology that powers the world’s economy. Through education, training, certifications, advocacy, philanthropy, and market research, CompTIA is the hub for unlocking the potential of the tech industry and its workforce.

Organizations Finding the Need for New Approaches on the Cybersecurity Front, CompTIA Research Reveals

MITRE's new FiGHT framework describes adversary tactics and techniques used against 5G systems and networks.

The modernization of wireless technology is well underway with 5G deployments -- and so are the attacks. In response, MITRE, along with the Department of Defense, announced an adversarial threat model for 5G systems to help organizations assess the threats against their networks.

A "purpose-built model of observed adversary behaviors," FiGHT (5G Hierarchy of Threats) is a knowledge base of adversary tactics and techniques for 5G systems. The framework empowers organizations to "reliably assess the confidentiality, integrity, and availability of 5G networks, as well as the devices and applications using them," according to MITRE.

FiGHT is similar to MITRE ATT&CK, a knowledge base of adversary behaviors seen in attacks against the broader ecosystem. In fact, FiGHT is derived from ATT&CK, making FiGHT's tactics and techniques complementary to those described in ATT&CK. The FiGHT Matrix lists tactics used in attacks as columns, and some of the items listed are actually ATT&CK techniques or sub-techniques relevant for 5G.

Tactics and techniques are grouped across three categories: theoretical, proof-of-concept, and observed. At the moment, most of the techniques are categorized as either theoretical or proof-of-concept as the information is based on academic research and other publicly available documents. Just a minority of the techniques described in FiGHT are based on real-world observations, reflecting the fact that the number of 5G attacks are still relatively low.

Even though 5G has built-in security features, there still some risks and vulnerabilities to be aware of. 

"We identified an industry need for a structured understanding of 5G threats because even though 5G represents the most secure cellular standard to date, it can be implemented and deployed in ways that still have risks and vulnerabilities," Dr. Charles Clancy, senior vice president and general manager of MITRE Labs, said in a statement.

During this year's RSA Conference, researchers from Deloitte & Touche described a potential avenue of attack targeting network slices, a fundamental part of 5G's architecture. Enterprises rolling out 5G LANs also need to consider that the new capabilities that come with these environments, such as cross-network roaming and cloud edge services, also increase that attack surface.

FiGHT can be used to conduct threat assessments, enable adversarial emulation, and identify gaps in security coverage. Security teams can also use FiGHT to determine which areas the organization should be investing in.

"FiGHT helps stakeholders assess where cyber investments should be made to achieve the highest impact as they build, configure, and deploy secure and resilient 5G systems," Clancy said.

MITRE's FiGHT Focuses on 5G Networks

A crime syndicate based in Russia steals millions of dollars from credit card companies using fake dating and porn sites on hundreds of domains to rack up fraudulent charges.

A subscription service scam has garnered millions of dollars in credit card charges by creating fake dating and porn sites, staffing them with live customer support, and using stolen credit card accounts to pay for "services." 

Endpoint security firm ReasonLabs stated in a Sept. 23 advisory that a Russian-speaking cybercrime group has created hundreds of fraudulent websites since 2019, likely using third-party proxies, as well as dozens of business sites that act as both a generic name for credit card charges and as a hub for customer support calls. By using recurring charges that are small enough to escape many customers' notice, the fraudsters were able to keep chargeback requests low enough to avoid being shut down and continue profiting from the scam.

While the different components of the scheme are not original, the sum total managed to bypass credit card companies' fraud detection and garner millions of dollars in revenue, ReasonLabs' research team said in the advisory.

"Eventually, once — some of — these users find these charges, they will immediately approach the issuer for a dispute and replacement of the card number, which will cause chargebacks."

The three-year scam highlights the resurgence of credit-card fraud, especially for businesses that are dealing with a hybrid workforce. Two-thirds of companies have experienced fraud in the past year, according to a recent study from KPMG. Security experts have meanwhile warned that third-party scripts on websites — part of the software supply chain — could be at risk of being co-opted to steal credentials and credit-card information.

**Designed to Seem Legitimate**

In the latest credit card scam, the cybercriminals created the right mix of components to dodge anti-fraud defenses and to remain unnoticed by consumers who don't always check their credit card bills, researchers said. While unsurprising, the scope of the fraud is quite brazen, Timothy Morris, technology strategist for security management firm Tanium, said in a statement sent to Dark Reading.

"Real companies can run virtually, so it isn’t hard to imagine fake companies running virtually," he said. "Front-end user interfaces, back-end customer support, payment providers, \[and other components\] give this swindle all the ingredients of legitimacy."

The business sites that originated the charges and appeared to be legitimate all have similar structure, with the organization's name, a motto, and information on how to contact support. ReasonLabs found 75 support sites, all with the same HTML code, importing the same JavaScript files, and having identical comments, the company said.

The scheme was also given the veneer of credibility by these 200 fake sites — mainly adult- and dating-themed — that supposedly were the source of the charges. While adult sites are classified as high risk in the financial industry, the combination of live sites and active business hubs helped make the scheme seem legitimate.

The type of fake site that the fraudsters used also likely made the scheme more successful, Matt Mullins, senior security researcher at Cybrary, said in a statement sent to Dark Reading.

"Dating sites, adult sites, and other services have social stigmas associated with them that puts the victim in a questionable light," he said. "This questionable light also makes it more likely that a victim will try to resolve it themselves versus calling up a customer service representative and trying to resolve it."

Finally, the criminal group uses typical credit card spending patterns to make the transaction less suspicious. Rather than use test transactions followed by large transaction, the criminal group uses recurring payments of small dollar amounts to escape notice.  

Because most financial providers have strict agreements with high-risk businesses — such as adult sites — to limit the level of chargebacks, the cybercriminal group takes a variety of actions to avoid chargebacks. The fake businesses' names are fairly generic, they charge small dollar amounts, allow the user to cancel their "subscription," and have live customer support, ReasonLabs said.

"The fraudsters applied each individual customer service website for payment processing in order to distribute the chargebacks between many websites rather than just one," the company stated in its advisory. "This would ensure that their payment processing capabilities will not be revoked once one site reaches the agreed rate of chargebacks, or refunds, which is divided by the number of legit transactions."

The campaign is ongoing, but ReasonLabs has notified the companies affected by the fraud to help shut down the cybercriminal enterprise.

Fake Sites Siphon Millions of Dollars in 3-Year Scam

Funding has been somewhat lower than last year, but investment remains healthy, analysts say, amid thirst for cloud security in particular.

The cybersecurity industry continues to remain largely unaffected by the uncertainty surrounding the rest of the economy.

Though funding activity this year is somewhat slower than in 2021 and market valuations of cybersecurity firms have taken a hit, mergers and acquisitions activity has remained strong through the year, as has investor interest in the sector.

So far in the third quarter, there have been multiple major transactions that, according to analysts, highlight the overall robustness of the sector amid broadening concerns of a recession.

**Robust M&A Activity**

Two of the biggest involved previously announced deals: In September, Google completed its planned acquisition of incident response firm Mandiant for $5.4 billion, and in August, private equity firm Thoma Bravo closed it $6.9 billion purchase of identity management vendor SailPoint.

That same month, Thoma Bravo announced plans to acquire Ping Identity for $2.8 billion in cash. The $28.50 per share that the private equity firm offered for Ping represented a 63% premium over the identity management vendor's closing share price on Aug. 2. Thoma Bravo will take Ping private once the deal is completed in the fourth quarter. 

Other examples of M&A activity in the third quarter include Devo's purchase of SOAR vendor LogicHub for an undisclosed amount, Volaris Group's acquisition of Hitachi ID Systems in September, Cerberus Sentinel's purchase of application security vendor CyberViking, and CrowdStrike's acquisition of Reposify last week.

M&A activity in the third quarter is consistent with activity in the previous two quarters. Data from Momentum Cyber shows there were a total of 148 cybersecurity M&A deals during the first half of 2022. Total M&A volume over the period was nearly $103 billion. Momentum Cyber identified eight M&A transactions during the first half of 2022 that topped $1 billion, including the SailPoint and Mandiant deals, and private equity firm KKR's $4 billion acquisition of Barracuda.

The most obvious trend of late has been the move by larger vendors to buy into the attack surface management (ASM) space, and more specifically external attack surface management (EASM), says Rik Turner, an analyst with Omdia.

"This has, of course, been underway for a while," he says, pointing to Palo Alto's purchase of Expanse in November 2020 and Microsoft picking up RiskIQ in July 2021. "But there has been something of an intensification of this tendency of late, with Tenable acquiring Bit Discovery in April, IBM buying Randori in June, and CrowdStrike picking up Reposify last week," Turner says.

There are numerous other EASM vendors, so there will be no shortage of acquisition targets for any other big players that want to get into this market, he says.

**Multiple Market Drivers**

Turner says one of the other trends driving the M&A activity is growing interest in proactive security technologies, as opposed to the focus on reactive detection and response of the past few years.

"The proactive wave posits not a replacement technology for the reactive ones, but rather complementary ones that seek to reduce a customer's overall attack surface before threat actors have even launched an attack," Turner says. "Unlike the extended detection and response (XDR) spectrum, proactive security doesn't have a single acronym or initialism yet that can capture the imagination of the market, though Omdia is tentatively proposing security posture management, or SPM." 

Examples of products that fall into this category include cloud-specific proactive technologies such as cloud security posture management (CSPM), SaaS security posture management (SSPM), and cloud permissions management (CPM). Breach and attack simulation technologies are other examples as are vulnerability management and patch management, Turner says.

Chris Stafford, a senior manager in West Monroe's M&A practice, sees another set of factors driving the financial activity in the cybersecurity space. According to Stafford, the big ones are accelerated cloud adoption, the shift to remote work, and the continuing talent shortage. 

 "Fundamentally, cybersecurity is a really durable sector from a growth and revenue perspective," Stafford says. "All companies across all sectors require cybersecurity tools and services. That is what is fundamentally driving growth in the industry."

**Funding & VC Interest Slow but Remain Healthy**

While M&A activity has maintained a robust pace through the year, funding activity has been somewhat lower than last year, as noted earlier. Data from analyst firm IT-Harvest shows that through Sept. 1, some 220 vendors received a total of $12.3 billion in direct funding from investors. 

"That is half of 2021's record $24 billion, but more than the previous year's $10 billion," says Richard Stiennon, chief research scientist at IT-Harvest, adding that just 33 companies received more than $100 million so far this year, compared with 69 in 2021. "I expect to see the industry finish the year at $15 billion total invested," Stiennon says.

Omdia's Turner says while venture capital funding overall appears to have dipped somewhat, there is still plenty of money available for projects that VC's find especially interesting. "I think they have gotten somewhat choosier than they were in 2021," Turner says.

IT-Harvest's analysis of funding activity so far this year showed that investors are pouring more money into the security analytics space — $2.6 billion — than any other segment. Stiennon points to the more than $500 million in total that Devo has raised so far and the massive $1-plus billion funding round that Securonix received in February as examples of investor interest in this segment.

Identity and network security were the next two most active categories, with $1.4 billion in funding in each. There is also a trend of investing in cloud analytics and general security operations center tools like XDR, and a resurgence in vulnerability management startups that are getting funding, Stiennon notes.

"In short, funding is extremely healthy. No surprise to me because venture funding is not like the stock market, where you invest on expectations of next quarter's results," he says. "Most VCs have a five-year horizon, and they can count on cybersecurity to still be a growing sector through an economic downturn."

Source

DARKReading