Managed firewalls are increasingly popular. This post examines the strengths and weaknesses of managed firewalls to help your team decide on the right approach.

The recent remote work explosion driven by the COVID pandemic has forced many organizations to reconsider how they provide network security. The incredible proliferation of potential attack vectors and constantly changing types of attacks present in such a heavily distributed computing environment mean that keeping firewalls up to date has become a burden on security teams that's heavier than ever.

Firewall configurations are a touchy subject. Every network security professional has their preferred hardware and software, and we can all share horror stories about challenges we've experienced in their absence.

In this article, I'll examine the pros and cons of managed firewalls (MFWs) to help make the decision a little easier for your team.

**What Are Managed Firewall Services?**

MFW services typically provide on-demand, administration, monitoring, maintenance, and management of your firewall. These services are available for both cloud-based and on-premises firewalls.

The typical MFW service provider will offer services such as:

*   Firewall system health monitoring and alerting
*   Service and incident management
*   Software lifecycle management (updates, patches, etc.)
*   Security policy implementation, reporting, analysis and remediation
*   System vulnerability checks and security reviews
*   Network traffic monitoring

"Think of a managed firewall service as bringing in an expert, rather than outsourcing. You're partnering with someone with decades of experience and advanced training on your infrastructure in order to secure every last packet. Network security is hard, and a lot of times the easiest way to achieve your requirements is through a specialist." **—Eddie Doyle, Cybersecurity Evangelist, Check Point**

**What Are the Pros and Cons of Managed Firewall Services?**

**Pros**

MFW services offer the following potential benefits:

*   **Greater expertise:** Providers will generally have experts in your preferred hardware and software already on staff, speeding implementation.
*   **Reduced staff burden:** Outsourced providers maintain their own certifications and trainings, and they take over all equipment and software updates. This allows your team to focus on more strategic areas that can add greater value to the organization.
*   **Faster incident response:** Service-level agreements (SLAs) can ensure immediate incident response without adding additional organizational head count or off-hour team load.
*   **Proactive security:** MSPs typically devote significant attention to threat intelligence monitoring in order to adjust your protection as events and updates warrant. Doing so takes the burden off of your internal team.
*   **Reduced update burden:** Hardware, software, and firmware updates are time-consuming chores. MSPs will keep your equipment up to date and save your team time.
*   **Improved manufacturer support:** MFW providers often have direct manufacturer connections due to the volume of devices they operate. For an organization that may not have a large volume of equipment, an MSP may be able to improve issue resolution.
*   **Easier scale:** Growing organizations may be able to scale their protection more quickly and more cost-effectively using an MFW provider by eliminating hiring and equipment purchase processes.
*   **Improved backup and recovery:** An MFW provider will often have access to significant backup and recovery resources (including on-call staff) that can result in faster restore times than internal resources.
*   **Compliance expertise:** Industries with complex regulatory and/or data-handling requirements such as healthcare or payment processing can often use an MFW provider with regulated industry experience.

**Cons**

MFW services may not be good solutions for organizations that have concerns in the following areas:

*   **Small size:** Organizations with smaller budgets, lower traffic volumes, or more streamlined networks may find managing their firewalls internally is more cost effective.
*   **Strict data access requirements:** Organizations with strict compliance and data security may find that the liability of individuals from outside the organization potentially accessing sensitive data is too great. Public companies, for example, may find that providers accessing logs represent a privileged disclosure.
*   **Security context:** If your organization runs particularly complex operations, or is subject to novel attacks, an outsourced provider may not have enough context regarding your internal infrastructure to understand the severity level of alerts they are seeing.
*   **Knowledge loss:** Network security is an important IT function. If you fully outsource your firewall with the intent of reducing staff, your organization may lose significant internal capabilities knowledge.

**The Co-Managed Firewall Option**

To minimize some of the cons and other objections, it's also possible to subscribe to a co-management model. Many providers offer shared responsibility programs that allow the organization to maintain full access and perform their own administrative tasks as desired or required. While this can increase complexity, it can also offer increased flexibility.

I hope the above has helped you determine whether a managed firewall service is right for your organization. If you're struggling with your network security, or want to know if it's time to make a change, visit Atlantic Data Security.

**About the Author**

    

Eric Anderson is a cybersecurity architect, instructor, and evangelist at Atlantic Data Security. He's been working in technology and network security since 1985, loves sharing his experiences and insights, and frequently speaks on security issues.

The Pros and Cons of Managed Firewalls

Having a better understanding of how clouds are built, connected, and managed helps organizations mitigate risks and reduce attack surfaces.

Enterprises are investing in multiple cloud solutions to fuel growth and transform legacy applications into something more universally usable. However, the path to success can be fraught with missteps and unknowns that can create excessive risk. Cloud environments are often stitched together using APIs, custom coding, and other methods that add complexity.

That growing complexity has the potential to substantially increase risk and open organizations up to cyberattacks, and complexity further increases as more services and capabilities are added, compounding risk. Having a better understanding of how clouds are built, connected, and managed helps organizations mitigate risks and reduce attack surfaces.

**Establish Situational Awareness**

Business management expert Peter Drucker famously wrote, "You can't manage what you don't measure," and measurement is one of the most important tools for successfully managing a complex cloud environment. Organizations must take the critical step of measuring their infrastructure by establishing an inventory of systems, applications, and users.

There are numerous ways to measure, ranging from manually performing inventory to using automated tools to help with the process. Most firms settle on a mix of both. Selecting the appropriate management and monitoring tools is challenging, especially in hybrid and multi-cloud environments. Those environments use APIs to integrate dissimilar technologies and usually have their own monitoring and management tools and multiple tools can obscure situational awareness, which creates additional risk.

Properly remediating risk requires creating a single source of truth, which means that new management and monitoring tools must be deployed. Those tools should provide a unified and centralized view of the organization’s infrastructure, while also tearing down the silos created by dissimilar tools. However, people often create a false equivalency between multiple-cloud deployments and managing multiple datacenters, which can lead to selecting the wrong tools. The tools and skillsets differ between cloud and datacenter management, which can lead to missteps that will derail implementation. Organizations may have to purchase new tools or turn to experts to integrate the tools.

**Minimizing Mistakes**

In the rush to deploy cloud solutions, many may overlook what may be obvious to seasoned professionals. Reducing errors means defining objectives and building plans. Those deploying to the cloud must have a clear understanding of the business case, who the stakeholders are, and the desired results.

The flexibility and speed of the cloud make it easy to overlook security leading practices. Establishing those practices requires plans that incorporate cybersecurity at the earliest possible moment. Without proper cybersecurity controls, actions such as establishing a new feature or granting access will increase the attack surfaces and the associated risk.

Simply adding external users can lead to unexpected cybersecurity issues and can expand potential attack surfaces. Case in point is when an organization grants external access to a vendor or partner. Organizations must carefully consider the overall impact of granting that access and if that third party can make unauthorized changes, or access proprietary information, as well as how those user credentials are being secured.

Leading practices include defining security policies, deploying multifactor authentication, auditing access and being aware of threat environments. Some organizations will need to train in-house staff or turn to external experts to ensure that cyber issues are addressed and resolved before they have an impact.

**Building a Continuous Process**

Clouds are very fluid and allow changes to be accomplished quickly. New services can often be enabled with a simple command or click of the mouse. However, that fluidity can create unexpected complexity. What's more, change can have a cascading impact that brings additional risk and complexity to cloud management.

Mitigating risk using a set-and-forget approach is no longer appropriate for securing the cloud; organizations must make risk mitigation as fluid as the cloud. What's more, developers today have the power to constantly change, update, and expand the cloud environment. Accelerated change means that organizations need to be proactive and establish controls and policies to reduce risk.

By adopting continuous processes that insert controls into the development and deployment process, organizations can inject security into the development process. However, keeping security controls up to date can be an onerous task, which ultimately reduces the velocity of enabling change. Here, automation reduces the burden associated with cybersecurity in the cloud.

There are numerous tools that automatically validate code, perform testing of new code, and identify potential problems in real-time. Those tools leverage automation so that interference with the creative process is kept to a minimum. This type of automation does not simply enhance the security of the cloud environment, it will also enhance its resiliency and uptime.

Embracing multicloud, hybrid, or public cloud solutions does not have to be a step into the unknown. Enterprises can ease the transition to the cloud and avoid unnecessary risk by implementing policies, controls, and leveraging automation at the outset of cloud adoption. Having a proper handle on managing the cloud helps when further mitigating risk. What’s more, with the proper tools in place, enterprises may be able to expose additional opportunities, which in turn can help to grow the business.

3 Critical Steps for Reducing Cloud Risk

The US government and the Open Source Security Foundation have released guidance to shore up software supply chain security, and now it's up to developers to act.

Lessons learned from the SolarWinds software supply chain attack were translated into concrete guidance this week when the US Cybersecurity and Infrastructure Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) released a joint best practices framework for developers to avoid future supply chain attacks.

Besides the US government's recommendations, developers also received npm Best Practices from the Open Source Security Foundation, to establish supply chain security open source best practices.

"The developer holds a critical responsibility to the security of our software," the agencies said about the publication, titled Securing the Software Supply Chain for Developers. "As ESF examined the events that led up the SolarWinds attack, it was clear that investment was needed in creating a set of best practices that focused on the needs of the software developer."  

OpenSSF's announcement, meanwhile, noted that the npm code repository has grown to include 2.1 million packages.

Developers like Michael Burch, director of application security for Security Journey, applaud the industry's proactive approach, but Burch adds that it's now up to the cybersecurity sector to put these guidelines into action, particularly a recommendation for the implementation of software bills of materials (SBOMs).

"What we need now is the AppSec community to come together on the back of this guidance, and create a standard format and implementation for SBOMs to boost software supply chain security," Burch said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Feds, npm Issue Supply Chain Security Guidance to Avert Another SolarWinds

The operators of the emerging cross-platform ransomware BianLian increased their command and control infrastructure this month, indicating an acceleration in their operational pace.

A new player to the ransomware space called BianLian is ramping up activity, and has already targeted organizations in Australia, North America, and the United Kingdom.

According to an advisory from cybersecurity firm Redacted, there has been a "troubling" rise in the rate at which BianLian is bringing new command-and-control (C&C) servers online.

The ransomware was created with Golang (Go), the Google-created open source programming language, and targets SonicWall VPN devices and the Microsoft Exchange Server ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

"While we lack the insight to know the exact cause for this sudden explosion in growth, this may signal that they are ready to increase their operational tempo, though whatever the reason, there is little good that comes from a ransomware operator having more resources available to them," the researchers noted in the Friday post.

BianLian has been rising popularity since it was first outed in mid-July, according to researchers at Cyble Research Labs, which published details on the ransomware last month.

**The BianLian Ransomware Attack Flow**

To begin its attacks, the ransomware gang leverages the access gained through the ProxyShell vulnerabilities to install a Web shell or ngrok payload for monitoring activities. The group has been taking care to avoid detection and minimize observable events as it hunts for data and identifies machines to encrypt, researchers said.

In a campaign observed by Redacted, once in, BianLian most often utilized standard "living off the land" (LoL) techniques for network profiling and lateral movement, the report noted. These included net.exe to add and/or modify user permissions; netsh.exe to configure host firewall policies; and reg.exe to adjust various registry settings related to remote desktop and security policy enforcement.

In addition to leveraging the LoL techniques, the group is also known to deploy a custom implant as an alternative means to maintain persistent network access. The main objective of this "simple but effective" backdoor is to retrieve arbitrary payloads from a remote server, load them into memory, and then execute them.

"BianLian have shown themselves to be adept with the methodology to move laterally, adjusting their operations based on the capabilities and defenses they encountered in the network," the report stated.

BianLian, like other new cross-platform ransomware such as Agenda, Monster, and RedAlert, is also able to start servers in Windows Safe Mode to execute its file-encrypting malware while remaining undetected by security solutions installed on the system. Other measures taken to circumvent security barriers include deleting snapshots, purging backups, and running its Golang encryption module via Windows Remote Management (WinRM) and PowerShell scripts.

The group's emergence adds to the growing number of threats using Go as a base language, allowing adversaries to make quick changes in a single code base that can then be compiled for multiple platforms.

**Ransomware Runs Wild**

Acronis' mid-year cyber-threats report found that ransomware continues to be the top threat to large and midsize businesses, including government organizations, while research from Sophos indicates ransomware gangs may be working in concert to orchestrate multiple attacks.

Further complicating the security landscape is the emergence of data marketplaces that make it easier for threat actors to find and use data exfiltrated during ransomware attacks in follow-up attacks.

Despite the growing risk level and sophistication of ransomware attacks, ransomware coverage is lacking even among businesses with cyber insurance, according to a BlackBerry survey.

The Redacted advisory recommended using a layered approach when trying to mitigate the threat posed by ransomware actors.

"Focus needs to be placed on reducing your attack surface to avoid the most common types of exploitation techniques, but also preparing to act quickly and effectively when a compromise inevitably happens," the report said.

The foundation of this strategy includes multifactor authentication (MFA), secure backups, and an incident response plan.

Researchers Spot Snowballing BianLian Ransomware Gang Activity

Our digital future depends on the choices we make today. We need to invest in cybersecurity technologies and skills so that humanity can control its future.

As we observe the evolution of the war in Ukraine, particularly the use of cyberwarfare, we are presented with many questions about the long-term evolution of the cybersecurity landscape. Likewise, we've seen the pandemic bring about the rapid acceleration of digitalization — its place in our lives is no longer in question. But before plunging headfirst into this technological race, should we not ask ourselves where this evolution might be taking us of in terms of cybersecurity?

Based on the trends we're seeing develop in 2022, we have several diverging roads ahead of us. For a moment, let's take a look at four possible scenarios that could emerge over the next 20 years. The one in which we end up will be the result of choices we make right now about how to regulate and implement cybersecurity measures and countermeasures; perhaps this will inspire us to do things differently.

**1\. Peace in the Digital Space, for the Common Good**

In 2040, due to technological breakthroughs caused by intense research and a worldwide awareness of the importance of preserving this now vital new space, the digital space is declared a "common good of humanity" by the United Nation's General Assembly. It is therefore protected by international conventions that prohibit its militarization, respect privacy, and enforce a high level of security to eliminate criminal action. A special agency based on the model of the WHO or the UNHCR is created to protect it.

**2\. A Balance of Power in Digital Space**

In 2040, through global investment and regulation, the digital space has become a vital area with a high level of security. Only the most powerful states are able to confront each other in this digital space — and at great expense. They do so with restraint because their societies and economies, as well as global trade, would suffer from a deterioration of digital security (just as today, aerial combat is rare, due to the high price of modern fighter planes and the high utilization of airspace by citizen travelers). Cybercrime would have disappeared because of the cost and the expertise it requires. The digital space would be globally inaccessible to non-state players. A Digital Security Council would be created, with the great digital powers as its only permanent members.

**3\. Digital Insecurity on a Controlled Scale**

Digital insecurity is present in 2040 as it is today, but it remains on a small scale and does not call into question the model we know. States adopt positions, establish regulations, and implement policy incentives to strengthen the level of security. They do so while continuously conducting offensive actions to preserve their interests, even if it means destabilizing what they are building. Cybercrime persists by exploiting vulnerabilities and reusing offensive techniques and tools developed by states, but its impact is sustainable, both politically and economically, thanks to cyber insurance. Unfortunately, as in the material space, the weakest — i.e., vulnerable users, small businesses, and fragile states — are the first victims.

**4\. The Global Digital Space Collapses, Regional Alternatives Rise**

A few years after a wave of global-scale attacks which in some cases generated major human and economic consequences, the unfettered expansion of the digital space has resulted in total collapse by 2040. The global model has become untenable, due to uncontrolled data localization, technological monopolies dictating conditions, toothless international law, and ineffective national rights. It is therefore deeply questioned by states and citizens. New spaces, based on a national or regional approach, have been built. Beyond the legal aspects, they rely on differentiated technologies to avoid systemic effects. Quality and safety are regulated, potentially at the expense of price and innovation, and interfaces are controlled. By losing its universal specificity, the digital space has aligned itself with the physical space, for better or for worse.

**What's Likely?**

The first scenario, resolutely optimistic and therefore unlikely, is nevertheless plausible and would allow everyone to take advantage of the benefits of digital technology. Many precedents currently exist to safeguard areas such as Antarctica or the deep seabed, and these have continued to be respected, so why not the digital space? More broadly, a high level of confidence in the digital space allows technological acceleration to address the major challenges of our time, particularly around healthcare and energy.

The beginnings of the fourth scenario are already perceptible with the balkanization of China and Russia. In that scenario, insecurity both of state and of cybercriminal origin has not disappeared — it has increased further in the most fragile regions, which we are seeing today with cyberattacks on Ukraine, Taiwan, and other rivals.

Obviously, the future is unwritten, and the most likely scenario will be a combination of the four. One certainty remains: the need to invest in cybersecurity technologies and skills so that humanity can control its future. If we can create a world where cybersecurity is global and digital systems are impervious to attack, we can establish a safe place for international commerce, communications, and community to flourish.

4 Scenarios for the Digital World of 2040

Infections attributed to the USB-based worm have taken off, and now evidence links the malware to Dridex and the sanctioned Russian cybercriminal group Evil Corp.

Raspberry Robin, a widespread USB-based worm that acts as a loader for other malware, has significant similarities to the Dridex malware loader, meaning that it can be traced back to the sanctioned Russian ransomware group Evil Corp.

Researchers from IBM Security reversed engineered two dynamic link libraries (DLLs) dropped during a Raspberry Robin infection and compared them to the Dridex malware loader, which is a tool that has been definitively linked to Evil Corp. in the past — in fact, the US Department of the Treasury sanctioned the Russia-based Evil Corp for developing Dridex in 2019.

They found that the decoding algorithms worked similarly, using random strings in the portable executables as well as having an intermediate loader code that decoded the final payload in a similar manner and contained anti-analysis code.

"The results show that they are similar in structure and functionality," Kevin Henson, a malware reverse engineer at IBM Security, wrote in the analysis. "Evil Corp is likely using Raspberry Robin infrastructure to carry out its attacks."

**Raspberry Robin Takes Flight**

Security firm Red Canary first analyzed and named Raspberry Robin in May. Soon after, it came to the attention of other researchers, including IBM Security.

The worm spreads quickly throughout internal networks, hitchhiking on USB devices passed between workers. While Raspberry Robin relies on social engineering techniques to convince victims to plug in an infected USB device, infections took off during the summer, with 17% of IBM Security's managed clients in targeted industries seeing infection attempts.

However, the malware puzzled researchers initially, because it simply hibernated on infected systems and appeared to have no second-stage payload. In July that changed: IBM and Microsoft researchers discovered that infected systems had begun downloading the FakeUpdates malware, typically a precursor to ransomware used by Evil Corp.

FakeUpdates, also known as SocGhoulish, masquerades as a legitimate software update, but installs popular attack software such as Cobalt Strike and Mimikatz, or ransomware, on the victim's computer.

Microsoft noted at the time that FakeUpdates is usually attributed to an access broker that the company tracks as DEV-206. If Evil Corp is distributing FakeUpdates through existing Raspberry Robin infections as suspected, it suggests a close partnership between the access broker and Evil Corp.

Historical analysis indicates that the Raspberry Robin activity can be traced as far back as September 2021. The malware is typically used against manufacturing, technology, oil and gas, and transportation industries.

Raspberry Robin Malware Connected to Russian Evil Corp Gang

Thousands of corporate mobile apps developed by businesses for use by their customers contain hardcoded AWS tokens that can be easily extracted and used to access the full run of corporate data stored in cloud buckets.

Thousands of customer-facing Android and iOS mobile apps — including banking apps — have been found to contain hardcoded Amazon Web Services (AWS) credentials that would allow cyberattackers to steal sensitive information from corporate clouds.

Symantec researchers uncovered 1,859 business apps that use hardcoded AWS credentials, specifically access tokens. Of these, three-quarters (77%) contain valid AWS access tokens for logging into private AWS cloud services; and close to half (47%) contain valid AWS access tokens that also crack open millions of private files housed in Amazon Simple Storage Service (Amazon S3) buckets.

That means that a malicious-minded user of the app could easily extract the tokens and be off to the data-theft races, tapping into the cloud resources of the businesses that created the applications.

**Thanks, Mobile Software Supply Chain**

This unfortunate state of affairs is thanks to a mobile code supply chain issue, Symantec researchers said — vulnerable components that allow developers to embed hardcoded access tokens.

"We discovered that over half (53%) of the apps were using the same AWS access tokens found in other apps," they said in an analysis on Sept. 1. "Interestingly, these apps were often from different app developers and companies. \[Eventually\] the AWS access tokens could be traced to a shared library, third-party SDK, or other shared component used in developing the apps."

The firm found that these shared, hardcoded AWS tokens are used by in-house app developers for a variety of reasons, including downloading or uploading large media files, recordings, or images from the company cloud; accessing configuration files for the app; collecting and storing user-device information; or accessing individual cloud services that require authentication, such as translation services. However, the tokens' reach into the cloud is often far greater than the developer may realize.

"The problem is, often the same AWS access token exposes all files and buckets in the Amazon S3 cloud, often corporate files, infrastructure files and components, database backups, etc.," according to the analysis. "Not to mention cloud services beyond Amazon S3 that are accessible using the same AWS access token."

As an example, one of the apps uncovered by the analysis was created by a B2B company that offers an intranet and communication platform. It also provides a mobile software-development kit (SDK) for customers to use to access the platform.

"Unfortunately, the SDK also contained the B2B company's cloud infrastructure keys, exposing all of its customers' private data on the B2B company's platform," Symantec researchers noted, adding that they notified all organizations using vulnerable apps of the issue. "Their customers' corporate data, financial records, and employees' private data was exposed. All the files the company used on its intranet for over 15,000 medium-to-large-sized companies were also exposed."

The same situation held true for a collection of mobile banking apps on iOS that rely on the AI Digital Identity SDK for authentication. The SDK embeds AWS tokens that could be used to access private authentication data and keys belonging to every banking and financial app using it, as well as 300,000 banking users' biometric digital fingerprints used for authentication, and other personal data (names, dates of birth, and more).

"Apps with hardcoded AWS access tokens are vulnerable, active, and present a serious risk," Symantec researchers concluded. "\[And\] this is not an uncommon occurrence."

****Avoiding Cloud Compromise via Mobile Apps****

Organizations can take steps to ensure that the apps they build for their customers don't unwittingly offer a path to cyberespionage, according to Scott Gerlach, co-founder and CSO at StackHawk.

"Adding DevSecOps tools, like secret scanning, to continuous integration/continuous development pipelines (CI/CD) can help ferret out these types of secrets when building software," he noted in a statement. "And it's critical that you understand how to manage and securely provision AWS and other API keys/tokens to prevent unwarranted access."

From a design perspective, developers can also replace hardcoded credentials with API calls to a repository or software as-a-service (SaaS) vault, or to use temporary tokens, according to Tony Goulding, cybersecurity evangelist at Delinea.

"\[That way\] they can pull a credential or key down in real-time that doesn't persist on the device, in the app, or a local config file," he said in a statement. "An alternative approach is to use the AWS STS service to provision temporary tokens to grant access to AWS resources. They're similar to their long-term brethren except they have a short lifespan that's configurable — as little as 15 minutes. Once they expire, AWS won't recognize them as valid, preventing an illicit API request using that token."

AWS Tokens Lurking in Android, iOS Apps Crack Open Corporate Cloud Data

Threat hunters can help build defenses as they work with offensive security teams to identify potential threats and build stronger threat barriers.

Over the last few years, an influx of high-profile industry security issues (PDF) have placed offensive tactics among the top priorities for corporations to help mitigate the risk of a potential attack. With many companies opting to continue remote and hybrid working environments, potential security risks cannot go ignored or be left to chance, and an emphasis on developing greater defensive security tactics, working in tandem with offensive security teams, is essential for identifying behaviors of potential threats and building stronger barriers against evolving challengers.

Threat hunting, in particular, has emerged as a must-have security component for companies. It encompasses the tasks of identifying patterns of threat behaviors and hunting for anomalies and changes occurring in an environment based on suspicious activity — with the goal of building defenses to combat threats.

But what makes a successful threat-hunting program? The reality is that identifying suspicious activity may not be as straightforward as it seems. It requires a comprehensive approach with proactive manual detection, constant communication between teams, and an investment in the right people to bring the process to life.

**Hunting for the Right Skills**

Threat hunting requires a human touch to thoroughly review suspicious patterns and scour the environment for threats that haven't yet been identified by a company's existing security tooling and processes. It's a heavily strategic game of cat and mouse to find potential adversaries and advanced persistent threats (APTs), predict their next move, and stop them in their tracks.

A successful threat hunter needs to have a thorough understanding of their environment, the known threats their team has faced, and the ability to problem-solve and think critically about hidden avenues adversaries could take to gain access. In a way, this is the ultimate detective work, and it becomes the building blocks for designing better defensive protocols. Investing in the right people on the team and fostering a culture of open communication is essential.

To receive leads or hunt ideas, Adobe's threat-hunting team has created a messaging bot app that security teams, such as the security operations center or incident response, can use to have seamless collaboration with the hunt team. Once hunts are completed, hunt reports are shared with the cross-functional security teams and relevant stakeholders to improve the existing security posture of the organization.

The hunt team works hand-in-hand with the detection function to help improve current methods and input new data based on emerging tactics used by adversaries. They also collaborate closely with the team responsible for central operational security data to help identify gaps, misconfigurations, and bolster enrichments to help security teams utilize that data more effectively.

However, while threat hunting tends to mainly rely on manual processes, automated processes and machine learning can certainly aid in the hunting effort. Aggregated data analytics can help to quickly find anomalies in data patterns within a company's network, shortening the time teams need to spend combing through data.

At Adobe, we are building multiple UEBA (user and entity behavior analytics) pipelines using machine learning and advanced data analytics to review large volumes of log data and help us spot anomalies that indicate a user's or entity's behavior change. These anomalies are turned into hunt leads (or alerts) after further enrichment and correlation for human review and escalation when needed.

**Stopping Adversaries in their Tracks**

With the right team in place, security teams can begin mapping out their plan of attack and strategy to identify APTs:

*   Rally behind a hypothesis of how adversaries could potentially gain access to the network
*   Create a clear goal for the program (e.g., reducing time adversaries spend in the network, reduce the number of high-impact threats, etc.)
*   Analyze data for anomalies and work cross-team to build new, improved defenses

Not all threat-hunting campaigns will be equally successful, so it's just as important to create a plan for tailoring threat-hunting programs as your company collects more insights on current data trends and adversaries. Be honest with your teams about what's working, what isn't, and new ways to leverage machine learning and other tools to support your goals.

When combined with offensive tactics, threat hunting is a valuable addition to your security efforts. It should be viewed as an ever-evolving strategic approach to identify potential issues, and an essential component of a successful, comprehensive security program.

The Makings of a Successful Threat-Hunting Program

TAP assures its customers that it stopped data theft in a recent cyberattack, but the Ragnar Locker ransomware group says it made off with user info.

Despite TAP Air Portugal's claims that a recent cyberattack was stopped and no airline customer data was compromised, the Ragnar Locker ransomware gang posted on its leak site that it's got the goods.

On Aug. 26, TAP announced it was targeted in an unsuccessful cyberattack.

"No facts have been found to conclude that there has been improper access to customer data," TAP tweeted. "The website and app still have some instability."

Yet, according to reports, Ragnar Locker responded on Aug. 31 claiming that it had indeed breached TAP's systems and stolen customer data, and included a screenshot of what it said was a sample of the exfiltrated records, loaded with personal identifiable information (PII).

TAP Air Portugal is sticking to the company's original position, releasing a new statement on Sept. 1 reiterating the company blocked the cyberattack, adding, however, that the airline's app, website, and miles program are still "registering some instability."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Ragnar Locker Brags About TAP Air Portugal Breach

IT has to get its hands around cloud data sprawl. Another area of focus should be on ghost data, as it expands the organization's cloud attack surface.

Cloud sprawl is a big issue for organizations, with business teams to spinning up cloud systems and services on their own, often without IT oversight. That leads to cloud data sprawl as data is scattered across different environments. If IT doesn’t know about the cloud systems and services, then IT is also not managing the data being collected, processed, and stored there.

We all know about shadow IT, the systems and network devices in the organization’s environment that IT is not managing. Similarly, shadow data refers to unmanaged data store copies and snapshots or log data not part of IT’s backup and recovery strategy. Researchers at Cyera estimate that 60% of the data security posture issues present in cloud accounts stem from unsecured sensitive data.

Then there is the problem of ghost data.

When data gets deleted from cloud systems, it isn’t fully gone. Copies linger in backups or snapshots of data stores. Ghost data refers to those copies left behind after the original has been deleted, and Cyera’s recent analysis show that enterprises have quite a lot of it.

After scanning the three major cloud providers (Amazon Web Services, Azure, and Google Cloud), Cyera researchers found that over 30% of scanned customer cloud data stores are ghost data and more than 58% contain sensitive, or very sensitive, data. For example, researchers found unsecured database snapshots in non-production environments that contained sensitive customer data where the original database had been destroyed. Researchers also uncovered sensitive personal and authentication data in plain text where the production data and application were no longer in use.

Ghost data usually has no business value – the data was deleted for a reason -- and having it around unnecessarily increases business risk. Attackers don’t care if they get their hands on the original sensitive information or the copy because to them, all data has value, regardless of the form it takes. Organizations still are on the hook if the attackers get their hands on ghost data. The data security provisions of industry-specific regulations like HIPAA, PCI DSS, and the Sarbanes-Oxley Act still apply.

Organizations need to reduce cloud data exposure to reduce data sprawl. Proper data hygiene across clouds will also help clean up data when it is no longer in use.

On a final note, ghost data can increase the organization’s cloud costs: Researchers found over $50,000 in excess data store snapshots being retained in a cloud environment.

Source

DARKReading