DeepSurface’s Tim Morgan explains how network complexity and cloud computing have contributed to the challenge, and how automation can help.

Vulnerability management has changed dramatically in recent years, thanks to greater volume of risks. DeepSurface’s Tim Morgan explains how network complexity and cloud computing have contributed to this challenge, and how automation can help. Morgan parses automation, artificial intelligence, and machine learning, plus a few tips on how to cut through the hype. He also offers advice on how CISOs can better communicate about risk with their boards.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DeepSurface Adds Risk-Based Approach to Vulnerability Management

Neko Papez, senior manager, cybersecurity strategy for Menlo Security, helps customers understand if they’re vulnerable to highly evasive adaptive threats (HEAT).

Neko Papez, senior manager, cybersecurity strategy for Menlo Security, helps customers understand if they’re vulnerable to highly evasive adaptive threats (HEAT).

Dark Reading

Highly evasive adaptive threats (HEAT) are used to launch ransomware and phishing attacks. Neko Papez, senior manager, cybersecurity strategy for Menlo Security, helps customers understand if they’re protected against or susceptible to such attacks. Papez also distinguishes between HEAT attacks and more run-of-the-mill threats. And he describes how security teams must adapt to handle this new category of threats.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

The HEAT Is On, Says Menlo Security

Chris Cleveland, founder of PIXM, talks about phishers’ evasive maneuvers and how organizations can tap Computer Vision to keep email and its users safe.

Chris Cleveland, founder of PIXM, talks about phishers’ evasive maneuvers and how organizations can tap Computer Vision to keep email and its users safe.

Dark Reading

Phishing remains one of the biggest enterprise vulnerabilities for security professionals. Chris Cleveland, founder of PIXM, talks about phishers’ evasive maneuvers and how organizations can tap Computer Vision to keep email and its users safe. He also describes recent phishing threat activity that PIXM has been tracking, and he discusses the effectiveness of security training efforts for employees.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

More Insights

White Papers

*   Gone Phishing: How to Defend Against Persistent Phishing Attempts Targeting Your Organization
*   Protecting Critical Infrastructure: The 2021 Energy, Utilities, and Industrials Cyber Threat Landscape Report

Webinars

*   Black Hat Spring Trainings - June 13-16 - Learn More
*   Preventing Attackers from Navigating Your Enterprise Systems

Reports

*   Zero Trust and the Power of Isolation for Threat Prevention
*   2021 Digital Transformation Report

Editors' Choice

Robert Lemos, Contributing Writer, Dark Reading

Jai Vijayan, Contributing Writer, Dark Reading

Ericka Chickowski, Contributing Writer, Dark Reading

Joshua Goldfarb, Fraud Solutions Architect - EMEA and APCJ, F5

Webinars

*   Black Hat Spring Trainings - June 13-16 - Learn More
*   Preventing Attackers from Navigating Your Enterprise Systems
*   Protecting Enterprise Data from Malicious Insiders
*   Cybersecurity Outlook 2022 - December 8 Virtual Event
*   Beyond Patch Management: Next-Generation Approaches to Finding and Fixing Vulnerable Code

White Papers

*   Gone Phishing: How to Defend Against Persistent Phishing Attempts Targeting Your Organization
*   Protecting Critical Infrastructure: The 2021 Energy, Utilities, and Industrials Cyber Threat Landscape Report
*   Business Buyers Guide to Password Managers
*   The Rise of Extended Detection & Response
*   Supply Chain Cyber Risk Management Whitepaper

More Insights

White Papers

*   Gone Phishing: How to Defend Against Persistent Phishing Attempts Targeting Your Organization
*   Protecting Critical Infrastructure: The 2021 Energy, Utilities, and Industrials Cyber Threat Landscape Report

Webinars

*   Black Hat Spring Trainings - June 13-16 - Learn More
*   Preventing Attackers from Navigating Your Enterprise Systems

Reports

*   Zero Trust and the Power of Isolation for Threat Prevention
*   2021 Digital Transformation Report

PIXM: Stopping Targeted Phishing Attacks With 'Computer Vision'

The countermeasure, which compares the time and voltage at which circuits are activated, is being implemented in 12th Gen Intel Core processors.

Intel has developed and incorporated a circuit into its latest line of PC chips that can detect when attackers are using motherboard exploits to extract information from PC devices.

The "tunable replica circuit" on the latest Intel chips can detect attempts to glitch systems through voltage, clock, or electromagnetic techniques, Intel said during Black Hat. Attackers use these techniques to insert their own firmware and take control of the device.

"Every semiconductor ever produced is vulnerable to these attacks. The question is, how easy is it to exploit? We've just made it a lot harder to exploit because we detect these attacks," says Daniel Nemiroff, senior principal engineer at Intel.

The circuit is being implemented in Alder Lake, the 12th Gen Intel Core processors, which are used in laptops. Servers may get this technology at a later date, Nemiroff says.

**The Circuit's Inner Workings**

Typically, when a computer turns on, the silicon's power management controller waits for the voltage to ramp to a certain value before it starts activating components. For example, the power management controller activates the security engine, the USB controller, and other circuits when they reach their voltage values.

Under normal operations, once the microcontrollers activate, the security engine loads its firmware. In this motherboard hack, attackers attempt to trigger an error condition by lowering the voltage. The resulting glitch gives attackers the opportunity to load malicious firmware, which provides full access to information such as biometric data stored in trusted platform module circuits.

The tunable replica circuit protects systems against such attacks. Nemiroff describes the circuit as a countermeasure to prevent the hardware attack by matching the time and corresponding voltage at which circuits on a motherboard are activated. If the values don't match, the circuit detects an attack and generates an error, which will cause the chip's security layer to activate a failsafe and go through a reset.

"The only reason that could be different is because someone had slowed down the data line so much that it was an attack," Nemiroff says.

Such attacks are challenging to execute because attackers need to get access to the motherboard and attach components, such as voltage regulators, to execute the hack. The attackers will also need to know the exact time at which to mount a voltage glitch and what voltage they should drive to the pin.

"It's practical in the sense that if someone has stolen your machine from a taxi \[and\] brings it to their lab, they've got all the time in the world to open the laptop and then solder the right voltage generator lines to the machine itself," Nemiroff said.

That is the reason why the circuit is currently being integrated into chips used for laptops and not servers and desktops. Servers and desktops are not as portable and, thus, harder to steal, Nemiroff says.

**Deploying Countermeasures**

While no evidence of a motherboard exploit used in this manner exists, defenses need to be incorporated now, before attacks become widespread.

"There's no recorded exploit of an Intel PC system using these attacks, but there are various examples of other devices that have been attacked that are more interesting, like discrete TPMs and smart cards," Nemiroff says.

Glitching the security of a system isn't novel; it has existed in pay TV and smart cards for more than two decades, said Dmitry Nedospasov, who runs hardware security services provider Toothless Consulting and Advanced Security Training, which provides information security training.

Intel is adding system countermeasures to its platform controller hub, not its CPU. It's not clear to what extent the countermeasure implemented in the controller hub would be capable of protecting the system.

"The threat model is not clear and so is the reason why this mitigation is required," Nedospasov said.

As to the effectiveness of the circuit, it will be hard to verify whether it works without some kind of peer review, Nedospasov said.

"It's not clear what will and will not work in practice," Nedospasov said.

A lot of the patents on hardware countermeasures for chips were created in the 1990s and early 2000s, many of which came from pay TV.

"What this also means is that the 20-year patent periods have already expired or are expiring in the coming years. Many in the industry believe that we can expect more and more hardware countermeasures as manufacturers will no longer have to license the patents to implement these protections," Nedospasov said.

It is possible customers are putting pressure on Intel to shore up its on-chip security mechanisms, Nedospasov said.

"The bar is being raised and people are running out of software and firmware attacks, but they are going to come at us with hardware attacks. We figure this is the right time to deploy those kinds of countermeasures," Nemiroff said.

Intel Adds New Circuit to Chips to Ward Off Motherboard Exploits

NIST is developing the AI Risk Management Framework and a companion playbook to help organizations navigate algorithmic bias and risk.

As organizations begin to adopt AI products, systems, and services into their environment, they are looking for guidance on mitigating algorithmic biases and other risks. The big fear of AI is that it may be used in ways the designers did not attend.  

This focus – being aware of human impact on technology – is part of the “socio-technical” effort by the National Institute of Standards and Technology to develop a framework to help organizations navigate bias in AI and incorporating trust in the systems. NIST is currently asking for public and private comments on the second draft of the Artificial Intelligence Risk Management Framework and on the companion NIST AI RMF Playbook. The AI RMF Playbook is intended to help organizations implement the framework, with suggested actions, references, and supplementary guidance.

The framework is split into to four functions: Govern, Map, Measure, and Manage. The playbook will offer guidance on the first two functions, Govern and Map. Recommendations for the latter two, Measure and Manage, will be available at a later date.

NIST says its socio-technical approach will “connect the technology to societal values,” and will develop guidance that considers ways humans can impact how technology is used. The framework also examines “the interplay between bias and cybersecurity and how they interact with each other,” NIST said when the first draft was introduced.

The NIST Artificial Intelligence Risk Management Framework has focused on three types of biases associated with AI: statistical, systemic, and human. Current recommendations include fostering a governance structure with clear individual roles and responsibilities, and a professional culture that supports transparent feedback on technologies and products. A systemic bias would be a business or operating process which contributes to a consistently skewed decision.

“From my experience, what I’ve seen is the reliance on AI too much,” says Chuck Everette, director of cybersecurity advocacy at Deep Instinct. ”I see it too often that organizations forget that threats are constantly evolving and changing, therefore you have to make sure your AI algorithms are properly tuned and your models are properly being adapted to the newest threats. Also, I’ve seen cases where bias data has been used and introduced, therefore leaving environments open to certain types of attack due to inaccurate data training.”

The comment period for both draft versions end Sept. 29. The final version of the AI RMF is expected in early 2023, and playbook will be after that.

NIST Weighs in on AI Risk

The fact that the flaws enable remote code execution, exist across all major Apple OS technologies, and are being actively exploited heightens the need for a quick response.

Security researchers are urging users of Apple Mac, iPhone, and iPad devices to immediately update to newly released versions of the operating systems for each technology, to mitigate risk from two critical vulnerabilities in them that attackers are actively exploiting.

The zero-day flaws allow threat actors to take complete control of affected devices. They impact users of iPhone 6s and later, all models of iPad Pro, iPod touch (7th generation), iPad Ai2 and later, iPad 5th generation and later, and iPad mini 4 and later. Also affected are users with Macs running macOS Monterey, macOS Big Sur, and macOS Catalina. Apple disclosed the vulnerabilities and the updates addressing them on Wednesday.

**Remote Code Execution Flaws**

One of the zero-days (CVE-2022-32893) exists in WebKit, Apple's browser engine for Safari and for all iOS and iPadOS Web browsers. Apple described the flaw as tied to an out-of-bounds write issue that attackers could use to remotely take control of vulnerable devices. "Processing maliciously crafted web content may lead to arbitrary code execution," Apple warned in one of its typically terse vulnerability disclosures this week. "Apple is aware of a report that this issue may have been actively exploited," the company noted.

The other vulnerability (CVE-2022-32894) is also an out-of-bounds write flaw that gives attackers a way to execute code with kernel-level privileges on vulnerable devices. Such vulnerabilities allow attackers to gain complete access to the underlying hardware. The company said it is aware of reports of attackers actively exploiting the bug.

Apple said it had implemented "improved bounds checking" in iOS 15.6.1, iPadOS 15.6.1, macOS Monterey 12.5.1, and Safari 15.6.1 to address both issues.

Lisa Plaggemier, executive director of the National Cybersecurity Alliance, said the widespread use of Apple's technologies puts both businesses and consumers at risk from the vulnerabilities. "While cyber criminals will no doubt try to access personal information about consumers, accessing a business often has significantly more upside for malicious actors," she says.

**WebKit Flaw Has Wider Impact**

In a blog, Sophos identified CVE-2022-32893 as having potentially the wider impact compared to the other flaw that Apple disclosed this week. The flaw gives attackers a way to set up "booby-trapped" Web pages that can trick Macs, iPhones, and iPads into running untrusted software. "Simply put, a cybercriminal could implant malware on your device even if all you did was to view an otherwise innocent web page," the security vendor said.

The flaw has widespread impact because WebKit powers all Web rendering software on Apple's mobile devices and is used widely by Mac users as well. The vulnerability impacts more applications and systems components than just the Safari browser itself, so steering clear of the browser alone is not enough to mitigate risk, Sophos said.

"The WebKit component is particularly problematic, as it is the browser engine across all Apple software," says Rick Holland, chief information security officer and vice president of strategy at Digital Shadows. "Apple users should patch now. These updates need to be applied as soon as possible."

**Both Consumers & Organizations at Risk**

Like many others have noted about the sparse nature of software vendor vulnerability disclosures recently, Holland too said it would have been more useful for defenders if Apple had provided more context and details around the flaws.

"Apple is light on the technical details of this week's two zero-day vulnerabilities," he says. "However, it is never reassuring to see the phrase 'execute arbitrary code with kernel privileges'," as Apple's disclosure reads.

Defenders should push patches out immediately and send notifications that employees should be patching any personal iPhones, iPads, or Macs. These updates present a security awareness opportunity to discuss the risks to employees' lives and provide patching instructions, including how to enable automatic updates.

Mike Parkin, senior technical engineer at Vulcan Cyber, says there's not enough information to determine how easily attackers can exploit these vulnerabilities. But reports about the flaws being already used in the wild is concerning, he says, especially because they allow for remote code execution. Apple products are widely used both in enterprise and consumer markets, and often overlap for people who work in Bring Your Own Device (BYOD) environments, he says. Given that, and the relative lack of detail, it's hard to say who'll be more at risk.

"Organizations should deploy the appropriate controls to minimize the risk to their environments," Parkin advocates. "The ones that allow BYOD devices will face some additional challenges, as they'll need to address systems that they don't directly control."

Patch Now: 2 Apple Zero-Days Exploited in Wild

Just as cyber criminals change tactics and strategy for more effectiveness, so must infosec pros and their organizations, according to Martin Roesch of Netography.

Just as cyber criminals change tactics and strategy for more effectiveness, so must infosec pros and their organizations, according to Martin Roesch of Netography. He discusses why end-user organizations struggle to adapt to the latest threats, and describes how the “atomized network” can help here. Roesch also talks about how startups regularly contribute to the advancement of security innovation, and he offers up some suggestions for new ways for defenders to safeguard their networks.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cybersecurity Solutions Must Evolve, Says Netography CEO

APTs continue to exploit the dynamic job market and the persistent phenomenon of remote working, as explored by PwC at Black Hat USA.

Fake job offers have become a top phishing tactic for state-sponsored threat actors to lure in unsuspecting targets in the wake of the COVID-19 pandemic, as many reconsider their careers amid growing demand for skilled workers and managers.

The cyber-threat analyst team at PwC, which has followed a prime example of this (the Lazarus Group's Operation In(ter)ception) closely, presented a detailed account of the Lazarus campaign and how the group implemented the strategy during last week's Black Hat USA 2022 conference in Las Vegas.

PwC principal threat analyst Sveva Vittoria Scenarelli, who studies advanced persistent threats (APTs) in the Asia-Pacific region with an emphasis on North Korea, noted that the stakes are high.

"This is an espionage-motivated campaign that is incredibly persistent in targeting the aerospace sector, the defense industrial base, manufacturing chemical sector, for everything from military secrets to intellectual property to confidential information of strategic interest," Scenarelli explained during her presentation at Black Hat, called "Talent Need Not Apply: Tradecraft and Objectives of Job-themed APT Social Engineering."

The Cybersecurity & Infrastructure Security Agency (CISA) agrees, and has warned that the threat actors (aka APT38, Black Artemis, BlueNoroff, Hidden Cobra, and Stardust Chollima) "employ malicious cyberactivity to collect intelligence, conduct attacks, and generate revenue."

Scenarelli explained that Lazarus follows up with its targets via messaging apps such as WhatsApp.

This is "to make sure that the victims do open the malicious viewer documents or the malicious executables that the threat actor has sent," she said. "Black Artemis will also set up domains. This can be for command and control of its malicious implants to send emails that appear to come from on a legit site, or indeed to perform Web exploitation as an initial access method."

Scenarelli explained that Black Artemis creates domains that spoof prominent job search websites like Indeed, with attractive positions at high-profile companies such as Google and Oracle. She underscored that many sites look legitimate, though there are obvious signs they are fake. For instance, the Indeed decoy site URL is Indeed.US.org, she said. Scenarelli noted that the job descriptions disguised as .docx, .pdf, or .rtx files launch when the victims click on the documents, which may enable macros.

Similarly, Scenarelli recalled another attack by the group, which made off with $625 million in cryptocurrency. She warned that this variant, which PwC researchers call "Black Alicanto," is financially motivated and dangerous. In the wake of Microsoft recently disabling macros in Office documents, Scenarelli said this malware might use .lnk files, perhaps embedded in password-protected Microsoft Word documents.

"Threat actors are having to pivot a bit in their initial access techniques and using more and more .lnk files, ISO files, MSI installers, and stuff like that," she said. But in the background, she noted, the .lnk file is calling MSHDA.exe, which connects to a remote server to pull down a malicious JavaScript script that PwC calls "Cabbage Loader."

This script places a .lnk file in the victim's startup folder "to ensure persistence and then pulls down a whole series of other JavaScript payloads," she explained. "These are essentially profilers that want to make sure that the actual person that's interacting with them is not a sandbox, is not a researcher, but it's actually a target of interest."

Scenarelli concluded that Lazarus and other North Korea-based threat actors continue to exploit the growing demand for skilled people, who, despite their training and awareness of threats, can be caught off guard.

"The job market right now is a really key area for North Korea-based threat actors," she said. "So, keep your eyes peeled, make sure you're aware of whom you're interviewing. And for the love of all that is holy, don't open those links that you get sent on LinkedIn, do not open them."

State-Sponsored APTs Dangle Job Opps to Lure In Spy Victims

Version 2.0 of the ransomware group's operation borrows extortion tactics from the LockBit 3.0 group.

The BlackByte ransomware group, which has connections to Conti, has resurfaced after a hiatus with a new social media presence on Twitter and new extortion methods borrowed from the better-known LockBit 3.0 gang.  

According to reports, the ransomware group is using various Twitter handles to promote the updated extortion strategy, leak site, and data auctions. The new scheme lets victims to pay to extend the publishing of their stolen data by 24 hours ($5,000), download the data ($200,000) or destroy all the data ($300,000). It's a strategy the LockBit 3.0 group already pioneered.

"It is not surprising BlackByte is taking a page out of LockBit's book by not only announcing a version 2 of their ransomware operation but also adopting the pay to delay, download, or destroy extortion model," says Nicole Hoffman, senior cyber-threat intelligence analyst at Digital Shadows, who calls the market for ransomware groups "competitive" and explains LockBit is one of the most prolific and active ransomware groups globally.

Hoffman adds it is possible BlackByte is trying to gain a competitive advantage or trying to gain media attention to recruit and grow its operations.

"Although the double-extortion model is not broken by any means, this new model may be a way for groups to introduce multiple revenue streams," she says. "It will be interesting to see if this new model becomes a trend among other ransomware groups or just a fad that is not widely adopted."

Oliver Tavakoli, CTO at Vectra, calls this approach an "interesting business innovation."

"It allows smaller payments to be collected from victims who are almost certain they won’t pay the ransom but want to hedge for a day or two as they investigate the extent of the breach," he says.

John Bambenek, principal threat hunter at Netenrich, points out ransomware actors have played around with a variety of models to maximize their revenue.

"This almost looks like an experiment on if they can get lower tiers of money," he says. "I just don't know why anyone would pay them anything except for destroying all the data. That said, attackers, like any industry, are experimenting with business models all the time."

**Causing Disruption With Common Tactics**

BlackByte has remained one of the more common ransomware variants, infecting organizations worldwide and previously employing a worm capability similar to Conti's precursor Ryuk. But Harrison Van Riper, senior intelligence analyst at Red Canary, notes that BlackByte is just one of several ransomware-as-a-service (RaaS) operations that have the potential to cause a lot of disruption with relatively common tactics and techniques.

"Like most ransomware operators, the techniques BlackByte uses are not particularly sophisticated, but that doesn’t mean they aren’t impactful," he says. "The option to extend the victim's timeline is likely an effort to get at least some sort of payment from victims who may want extra time for a variety of reasons: to determine legitimacy and scope of the data theft or continue ongoing internal discussion on how to respond, to name a couple of reasons."

Tavakoli says cybersecurity pros should view BlackByte less as an individual static actor and more as a brand that can have a new marketing campaign tied to it at any time; he notes the set of underlying techniques to carry off the attacks seldom change.

"The precise malware or entry vector utilized by a given ransomware brand may change over time, but the sum of techniques used across all of them are pretty constant," he says. "Get your controls in place, ensure you have detection capabilities for attacks which target your valuable data, and run simulated attacks to test your people, processes and procedures."

**BlackByte Targets Critical Infrastructure**

Bambenek says that because BlackByte has made some mistakes (such as an error with accepting payments in the new site), from his perspective it may be a little lower on the skill level than others.

"However, open source reporting says they are still compromising big targets, including those in critical infrastructure," he says. "The day is coming when a significant infrastructure provider is taken down via ransomware that will create more than just a supply chain issue than we saw with Colonial Pipeline."

In February, the FBI and US Secret Service released a joint cybersecurity advisory on BlackByte, warning that attackers deploying the ransomware had infected organizations in at least three US critical infrastructure sectors.

BlackByte Ransomware Gang Returns With Twitter Presence, Tiered Pricing

To lessen burnout and prioritize staff resiliency, put people in a position to succeed with staffwide cybersecurity training to help ease the burden on IT and security personnel.

Cyberattacks are on the rise — but if we're being honest, that statement has been true for quite a while, given the acceleration of cyber incidents over the past several years. Recent research indicates that organizations experienced 50% more attack attempts per week on corporate networks in 2021 than they did in 2020, and tactics such as phishing are becoming increasingly popular as attackers refine their tried-and-true methods to more successfully entice unsuspecting targets.

It's no surprise, then, that cyber resiliency has been a hot topic in the cybersecurity world. But although cyber resiliency refers broadly to the ability of an organization to anticipate, withstand, and recover from cybersecurity incidents, many experts make the mistake of applying the term specifically to technology. And while it's true that detection and remediation tools, backup systems, and other resources play an important role in cyber resiliency, organizations that focus exclusively on technology risk are overlooking an equally important element: people.

**People Are Vulnerable, but They Don't Have to Be**

People are often thought of as the weak link in cybersecurity. It's easy to understand why. People fall for phishing scams. They use weak passwords and procrastinate on installing security updates. They misconfigure hardware and software, leave cloud assets unsecured, and send confidential files to the wrong recipient. There's a reason so much cybersecurity technology is moving toward automation: removing people from the equation is seen as one of the most obvious ways to improve security. To many security experts, that's just common sense.

Except — is it, really? It's true that people make mistakes — it's called "human error" for a reason, after all — but many of those mistakes come when employees aren't put in a position to succeed. Phishing is a great example. Most people are familiar with the concept of phishing, but many may not be aware of the nefarious techniques that today's attackers deploy. If employees have not been properly trained, they may not be aware that attackers often impersonate real people within the organization, or that the CEO asking them to buy gift cards "for a company happy hour" probably isn't legit. Organizations that want to build strong cyber-resiliency cannot pretend that people don't exist. Instead, they need to prioritize the resiliency of their people just as highly as the resiliency of their technology.

Training the organization to recognize the signs of common attack tactics, practice better password and cyber hygiene, and report signs of suspicious activity can help ease the burden on IT and security personnel by providing them better information in a more timely manner. It also avoids some of the pitfalls that create a drain on their time and resources. By ensuring that people at every level of the business are more resilient, today's organizations will discover that their overall cyber-resiliency will improve significantly.

**Building the Necessary Support Systems**

The COVID-19 pandemic — and the resulting acceleration of digital transformation, cloud adoption, and remote work — perfectly encapsulates the need to prioritize people. Security teams have been in a pressure cooker since the pandemic began, constantly being asked to do more, account for additional variables, set up new capabilities. And of course, there is always a new vulnerability that catches the eye of a CEO or other senior leader and suddenly becomes a priority. These teams are tired, and burnout is a real concern. They need support from their organizations.

Because, as valuable as modern cybersecurity tools are, people still make the most important decisions —which means prioritizing the resiliency of those people is critical. Tired, overworked employees who don't feel appropriately valued by their employers are more prone to mistakes or lapses in judgment. It is important to maintain open dialogue with IT and security personnel to understand their needs. Employees who find themselves working 12-hour days again and again aren't just prone to mistakes. They're likely to leave for a better opportunity — one that lets them maintain a healthy work-life balance. Organizations must be prepared to hire and train new employees to help carry some of the load for teams already being tasked with making significant adjustments in the face of ongoing challenges.

Learning to recognize signs of burn-out in your people, talking openly about burnout and how you are addressing it, and encouraging a culture of well-being will make for a more resilient team. After all resiliency is about recovery, in both people and technology.

**Never Overlook the Importance of People**

Too many organizations today view people as replaceable, but organizations that want to remain steadfast in the face of today's threat landscape should recognize the value of a happy, motivated, well-trained, and well-rested workforce. Cyber-resiliency isn't just about having the right technology in place to deal with modern attackers, but about empowering people to make the right decisions, and ensuring that they have the knowledge and support they need to make them. Overlook the importance of people at your own peril —even with automation on the rise, they remain the backbone of a successful business.

Source

DARKReading