When a CISO can articulate risk in context to the business as a whole, development teams can better prioritize their activities.

Source: JHENG YAO LIN via Alamy Stock Photo

COMMENTARY

When it comes to making a difference to business performance, chief information officers (CIOs) are investing in application development and improvements to software. According to Gartner, 60% of companies plan to spend more on software, with 52% of companies increasing their spend on software to improve productivity. Analyst firm Omdia points to modernization and investment in applications as a critical goal, due to the cost of maintaining existing technology stacks over time. 

For chief information security officers (CISOs), these investments represent a significant challenge. How can you keep up with the relentless pace of change taking place, where new IT infrastructures are created, used, and torn down every minute, every day? One CISO I discussed this with described it as like trying to dam a river — impossible to achieve, a thankless task, and one that leaves you considerably more uncomfortable than when you started. Worse, trying to impose standards left them feeling like the "department of no," and antagonistic to the business's overall goals, affecting their internal standing and making them more likely to be ignored. 

So, we can't go against this pace of change. Instead, how can we understand developer velocity and the goals that these teams have? How can we get ahead of these changes so we can apply security at the source, and what is in that approach for us? 

**Starting at the Beginning**

Understanding the software development process in your organization is a good place to begin looking at how you can insert security measures into the mix. How do those teams manage their requests, requirements, and changes over time, and how does their life cycle work? How do those teams work faster and more efficiently, and what steps are they taking to improve their performance?  

For CISOs, each phase in the software development process is a potential place to insert security into the conversation. Yet many developers are wary of security asks. The reason for this? Security often gives them huge volumes of change requests, with no guidance beyond "This needs to be fixed." This can lead to resentment at the additional work, as the business is already asking them to deliver new functionality or services. 

To improve this situation, look at the overall goals that all the teams involved have to deliver on, and what information can directly benefit them. Developers want to build, and the business wants those results as fast as possible. For CISOs, the guidance here is to enable that pace of change, or at least get out of the way. To make this work in practice, security teams must look at what they can automate so that it delivers security results directly into the developer workflow. 

Developers themselves live in code. They don't want any manual tasks in their processes, let alone in processes that are dictated to them by outside teams. To get over this hurdle, put your security approach into that code workflow so that it gets applied by default to any part of the development environment within those tools that are already in use. A security defect can then be flagged for fixing to that developer in the same way as a code component not compiling properly, or an API integration failing.  

**Moving Up the Stack**

The security sector has been keen to promote more secure development and design practices in software. The promise here is that fixing issues earlier in the process is cheaper in the long run than doing so later in the process, whether that is in production or in later test and deployment phases. The secure-by-design mantra is brilliant in theory. However, developers are moving so fast that this framework will be hard to apply and keep up on its own.

Instead, we must treat software security as a methodology. We can still support developers in making changes as fast as the business needs, let developers know about issues, and then try to fix those problems before they hit production. However, that is not enough on its own. One CISO in France let me know that he had successfully implemented security checks and controls for the company's containerized applications only during the build phase. In theory, this would mean that any image developers deployed should be secure through into production without the requirement for checks in later stages. Yet his team members found that they still faced problems in production, and vulnerabilities and misconfigurations were still occurring. The issue was that those containers would drift over time, where they would then need to be remediated, or as sometimes happens, the risk is accepted and those images are in run time with known issues.  

This is where CISOs can come into their own — by providing context. Articulating risk in context to the business as a whole, or to specific platforms or departments, allows development teams to prioritize their activities. Additionally, it empowers teams to continuously improve their coding practices and build more secure applications faster. Security teams are then only providing guard rails versus slowing down developer velocity — security can then get out of the way, while still reducing risk and putting remediation efforts where they are needed. The end result? When the CISO really needs to communicate around risk, the rest of the business is more likely to pay attention. 

**About the Author**

Managing Director for EMEA North, Qualys

Matt Middleton-Leal is Managing Director for EMEA North at Qualys, a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions designed to streamline and consolidate customer’s security and compliance solutions in a single platform. Qualys helps organizations build security into digital transformation initiatives for greater agility, better business outcomes, and substantial cost savings. Matt has over 20 years' experience in the cybersecurity industry with a deep understanding of both customers' and suppliers' needs. Matt is also a Certified Information Systems Security Professional (CISSP®).

Developer Velocity &amp; Security: Can You Get Out of the Way in Time?

"See one, teach one, do one" takes a page out of the healthcare playbook to reduce human vulnerabilities where they matter most in cybersecurity.

Source: Ben3images via Alamy Stock Photo

COMMENTARY

In healthcare, the "see one, teach one, do one" model refers to an incremental learning process: Trainees first observe a procedure, then learn to teach it to others, then perform it themselves. This framework can be applied to cybersecurity by encouraging employees, especially those identified as high-risk users, to progress through a similar cycle of observation and education, followed by a combination of tool implementation and practice. This approach fosters a deep understanding of cybersecurity risks, increases tool efficiency, and empowers users to mitigate risks actively.

As organizations accumulate a growing array of cybersecurity tools, many fail to consider that their riskiest users can be the weakest link in their defenses. Reach Security's analysis reveals that 80% to 90% of threats relate to just 3% to 5% of the organization's user population. This is further complicated if you consider that roughly 20% of the users in a company's most attacked group change monthly.

These users, whether high-profile executives, employees with privileged access, or those who engage in risky behavior, have the potential to cause significant damage, either through negligence or intentional actions.

By focusing on high-risk individuals, organizations can address the root causes of many cybersecurity threats, allowing them to allocate resources more effectively and reduce reliance on sprawling security tools that attempt to protect everyone equally.

When it comes to managing the riskiest users, the "see one, teach one, do one" methodology can guide a more human-centered approach to cybersecurity. This model can be applied to not only help users understand the risks they face but also enable them to become advocates for cybersecurity within the organization. It also it reduces overall risk and tool sprawl.

**See One: Observation and Awareness**

The first stage of the process is to identify the most attacked people (MAP), which can be done using a solution that provides visibility into the data that teams already have in place. For instance, syncing the central record of identity (e.g. Active Directory, Azure Active Directory, Google Workspace, Okta) can uncover high-risk user data.

Once these high-risk users — such as CEOs, senior executives, and IT personnel with elevated privileges — are identified, security teams can provide personalized demonstrations of how they might be targeted, showcasing real-world examples, such as phishing emails tailored to executives or potential data breaches from insecure networks. In addition, executives can observe how inadequate use of multifactor authentication (MFA) or improper handling of sensitive data can increase their exposure to threats.

The "see one" stage is crucial for both identifying the MAP and helping those users gain a baseline awareness of the specific threats they face.

**Teach One: Educating Others**

In the second phase, high-risk users transition from observers to educators. The "teach one" phase helps break down silos within an organization by fostering a shared responsibility for cybersecurity. For instance, an executive who has learned the dangers of targeted phishing can then relay that information to their team, strengthening collective awareness.

Teaching cybersecurity concepts to others creates a ripple effect, reducing the reliance on technical tools by embedding good security practices into the organization's daily behavior.

**Do One: Practice and Implementation**

Finally, the "do one" phase focuses on real-world application. Organizations face the dual challenge of pinpointing high-risk users and integrating data from multiple security tools to monitor these risks over time. This can be further complicated by the necessity to continuously update and enhance security measures across the enterprise to stay ahead of evolving threats. With continuous monitoring, teams can better identify and track shifts in the threat landscape, ensuring that those in the MAP are always under watch. Finally, putting forth a holistic security strategy that is both user- and device-aware will ensure that protective measures are as personalized and effective as possible.

Knowing where risk lives introduces an ability to focus. An ability to focus allows teams to see the biggest impact on the smallest number of folks. From there that focus group learns and teaches. Once they have knowledge, they're open to ways in which they can be protected — and can use the security controls in the most efficient ways possible.

**A Different Approach to Risk-Based Management**

Managing human-based cybersecurity risk requires a shift toward a more focused strategy that considers the riskiest users in your organizations. By identifying and supporting the riskiest users with the "see one, teach one, do one" model, organizations can reduce vulnerabilities where they matter most.

**About the Author**

CEO & Co-Founder, Reach Security

Garrett's career has included leadership roles in SaaS Product Management, plus Go-To-Market at industry leaders like Palo Alto Networks, as well as hands-on threat analysis, training, & consulting at firms including HBGary. While at Palo Alto Networks, Garrett was responsible for the WildFire product supporting its growth from launch to more than 60,000 customers.

The Overlooked Importance of Identifying Riskiest Users

The threat actors deceive their victims by impersonating the legal teams of companies, well-known Web stores, and manufacturers.

Source: Andrea Danti via Alamy Stock Photo

An unknown threat actor is targeting Facebook businesses and advertising account users in Taiwan through a phishing campaign, using decoy emails and fake PDF filenames.

These dupes are designed to impersonate a company's legal team and lure the victim in with its falsified details, convincing them to download and execute malware.

In addition, the bad actors sent phishing emails from a well-known industrial motor manufacturer and a famous online store in Taiwan, claiming copyright infringement by the business.

"The emails demand the removal of the infringing content within 24 hours, cessation of further use without written permission, and warn of potential legal action and compensation claims for non-compliance," said Cisco Talos researchers, which observed the scams in action.

They said the threat actors also use a variety of techniques and tools to evade antivirus detection and sandbox analysis, such as shellcode encryption, code obfuscation, and embedding LummaC2 and Rhadamanthys information stealers into legitimate binaries.

Lumma Stealer is a malware designed to exfiltrate information from compromised systems, targeting system details, Web browsers, and browser extensions, among other data.

Rhadamanthys is a sophisticated infostealer sold on underground forums that first emerged two years ago. It gathers system information, credentials, cryptocurrency wallets, passwords, cookies, and data from other applications. 

This phishing campaign has been ongoing since at least July; the initial vector of the campaign is a malware download link included in a phishing email using typical decoys in traditional Chinese, indicating that the target victims are Chinese speakers.

Facebook Businesses Targeted in Infostealer Phishing Campaign

The 2024 ISC2 Cybersecurity Workforce Study found that amid a tightening job market and dynamic cyber-threat environment, ongoing staffing and skills shortages are putting organizations at serious risk. Can AI move the needle in defenders' favor?

Source: Helen Sessions via Alamy Stock Photo

Even though 90% of organizations have unfilled positions or underskilled workers on their cybersecurity teams, hiring for those jobs has, for the first time in six years, ground to a halt.

That's according to the 2024 ISC2 Cybersecurity Workforce Study, which found that the global workforce has held steady at 5.5 million people year-over-year, recording just a negligible 0.1% increase from 2023 (though some pockets of increased cyber hiring remain).

To put that in perspective, last year, the cybersecurity workforce grew 8.7% year-on-year, despite declining investment in technology and cyber platforms.

The main driver for 2024's job market inertia is straightforward: a lack of budget for adding head count and upskilling. A full 67% of respondents to the ICS2 survey cited budget as their top cause for staffing shortages, replacing last year's No. 1 cited reason for empty positions, which was a lack of qualified talent.

Even though 74% of respondents said the threat landscape is the most challenging they have experienced in the past five years, "professionals are feeling the impact of declining investments in the cybersecurity workforce, including budget cutbacks and layoffs, \[which affects\] workforce satisfaction, the development of organizational security, the adoption of new technologies, and more," according to the report.

Related:News Desk 2024: Hacking Microsoft Copilot Is Scary Easy

Source: 2024 ISC2 Cybersecurity Workforce Study

Indeed, ISC2 found that cybersecurity job satisfaction has fallen from 74% in 2022 to 66% in 2024. Furthermore, respondents said that worker shortages were their biggest challenge over the past 12 months, but there's no end in near-term sight. They also predicted that shortages will continue to be a significant challenge over the next two years.

"As economic conditions continue to impact workforce investment, this year’s Cybersecurity Workforce Study underscores that many organizations are putting their cyber teams under significant strain, risking burnout and attrition as job satisfaction rates fall,” said ISC2 acting CEO and CFO Debra Taylor, in a statement.  

Meanwhile, more than half of those surveyed (58%) believe a shortage of skills puts their organization at significant risk; 59% of respondents agree that skills gaps have already substantially affected their ability to secure their organizations. The statistics bear this out: ISC2 found that organizations with critical or significant skills gaps are almost twice as likely to experience a material breach compared with organizations that reported no skills gaps.

The good news is that out of those already in cyber-related jobs, three-quarters (73%) said they're focused on building their cybersecurity skill set, with 48% interested in learning more AI-related skills (more than one-third of respondents cited AI as the biggest skills shortfall on their teams).

Related:Noma Launches With Plans to Secure Data, AI Life Cycle

About half (52%) said they're focused on hanging on to their positions by becoming a more strategic contributor to their organizations.

**AI to the Cyber Job Rescue?**

If there's a silver lining to the perceived staffing shortage, respondents believe it will come from the year's hottest buzz category: generative artificial intelligence (GenAI).  

ISC2 respondents said that AI and automation will have the most significant impact on their ability to secure their organizations. A full 68% agree that within the next two years, they will be able to use GenAI effectively as part of their roles. And a large majority (80%) said their cybersecurity skill set will be more important in an AI-driven world.

"AI is viewed by professionals as a solution to strengthen their organizations' security and create new efficiencies for their teams," Taylor said. "They also view effectively managing risk associated with AI adoption and its strategic importance to their organization’s future success as career growth opportunities for themselves and their peers. Organizations and cybersecurity leaders must recognize how AI can contribute to creating more resilient security teams, especially while economic challenges persist."

Related:Zenity Raises $38M Series B Funding Round to Secure Agentic AI

Already, 45% of respondents' teams are using AI in cybersecurity tools. ISC2 found the top five use cases to be:

*   Augmenting common operational tasks (56%)
    
*   Speeding up report writing and incident reporting (49%)
    
*   Simplifying threat intelligence (47%)
    
*   Accelerating threat hunting (43%)
    
*   Improving policy simulations (41%)
    

That said, the lack of a clear GenAI strategy was cited as one of the top barriers to its organizational adoption by nearly half (45%) of all participants. And just how AI will affect the kinds of expertise a future cyber workforce will need remains unclear.

According to the report, "AI is a game changer for two main reasons. First, experts predict AI will be able to replace some of the technical skills needed in cybersecurity. Second, and arguably more important, no one is certain how AI will manifest in cybersecurity since they currently cannot predict what skills, if any, it will replace. As a result of this uncertainty, hiring managers aren’t rushing to hire more specialized workers. Instead, they are prioritizing nontechnical skills, like problem-solving, that will be transferable through the increased use of AI."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Cybersecurity Job Market Stagnates, Dissatisfaction Abounds

Chinese APTs lurked in Canadian government networks for five years — and that's just one among a whole host of threats from Chinese bad actors.

Source: tunasalmon via Alamy Stock Photo

Chinese state-backed actors have become Canada's most pressing cyber threat, with the People's Republic of China (PRC) collecting data from Canada's government networks for the past five years.

The Canadian Centre for Cyber Security's National Cyber Threat Assessment calls Beijing's cyber operations "second to none," and noted that at least 20 Canadian government agencies and departments have been breached by PRC state-backed actors. The cyberattackers are mainly attempting to gain information that could lead to strategic, economic, and diplomatic advantages — a play that has only grown in its intensity due to escalating tensions between the West and the PRC.

The center assured the public that the federal government networks that were compromised have since been resolved, but it warned that the threat actors who are responsible for the intrusions are now very familiar with these networks, and could be back to try again. It also stressed that the PRC's aggressive cyber campaigns represent some of the most sophisticated and active threats Canada is facing.

On a related note, the center's researchers also found that the cyber landscape around critical infrastructure in Canada is growing and becoming more complex and unpredictable, with a cast of a variety of threat actors from cybercriminals to hacktivists targeting the sector.

"We assess that our adversaries very likely consider civilian critical infrastructure to be a legitimate target for cyber sabotage in the event of a military conflict," reads their report.

Other key findings include adversaries using network attacks and online information campaigns to disrupt and shape public opinion, and the center flagged ransomware as the top cybercrime threat that Canada's critical infrastructure must grapple with.

**About the Author**

Canada Grapples With 'Second-to-None' PRC-Backed Threat Actors

The prominent state-sponsored advanced persistent threat (APT), aka Jumpy Pisces, appears to be moving away from its primary cyber-espionage motives and toward wreaking widespread disruption and damage.

Source: DD Images via Shutterstock

One of North Korea's most prominent state-sponsored threat groups has pivoted to using Play ransomware in recent attacks, signifying the first time the group has partnered up with an underground ransomware network. Worryingly, it sets the stage for future high-impact attacks, researchers surmise.

According to Palo Alto Networks' Unit 42, which tracks the advanced persistent threat (APT) as Jumpy Pisces (aka Nickel Hyatt, Onyx Sleet, Silent Chollima, Stonefly, and TDrop2), Andariel is now working with the Play ransomware gang, but whether it's as an initial access broker (IAB) or affiliate of the ransomware group is not clear, the researchers observed in a blog post on Oct. 31. Previously, Andariel was associated with a ransomware strain called "Maui" that's been active since at least 2022.

Unit 42 researchers believe the group is responsible for a Play ransomware attack discovered last month in which attackers gained initial access to a network via a compromised user account several months before, in May. Andariel moved laterally after its initial network breach and maintained persistence by spreading the open source tool Sliver and its unique custom malware, DTrack, to other hosts via the Server Message Block (SMB) protocol, according to Unit 42. Months later, in early September, it deployed the Play payload.

Related:Cybersecurity Training Resources Often Limited to Developers

"This shift in their tactics, techniques and procedures (TTPs) signals deeper involvement in the broader ransomware threat landscape," Unit 42 researchers wrote in the post. "This development could indicate a future trend where North Korean threat groups will increasingly participate in broader ransomware campaigns, potentially leading to more widespread and damaging attacks globally."

**Ransomware in Transition?**

Play ransomware, maintained and deployed by a group tracked as Fiddling Scorpius, made its claim to fame by targeting the city of Oakland, Calif., in February 2023 with a crippling attack. It then quickly rose up the threat ranks to become a major player in the game.

Some researchers have suggested that Fiddling Scorpius has transitioned from mounting its own attacks to a ransomware-as-a-service (RaaS) model, according to Unit 42. However, the group itself has announced on its Play ransomware leak site that it does not provide a RaaS ecosystem, according to the researchers. If this is true, then Andariel most likely acted as an IAB in the attack rather than an affiliate, they said.

Either way, "network defenders should view … \[the\] activity as a potential precursor to ransomware attacks, not just espionage, underscoring the need for heightened vigilance," according to Unit 42.

Related:Codasip Donates Tools to Develop Memory-Safe Chips

There were several clues in the attack sequence that point to collaboration between Andariel and the Play ransomware. For one, the compromised account that attackers used for initial access and subsequent spreading of Andariel's signature tools, including Silver and Dtrack, was the same one used prior to ransomware deployment.

"The ransomware actor leveraged the account to abuse Windows access tokens, move laterally and escalate to SYSTEM privileges via PsExec," according to the post. "This eventually led to the mass uninstallation of endpoint detection and response (EDR) sensors and the onset of Play ransomware activity."

The researchers also observed command-and-control (C2) communication with the Silver malware the day before Play ransomware was deployed. Moreover, Play ransomware attacks are known for leaving tools in the in the folder C:\\Users\\Public\\Music, and some tools used prior to ransomware deployment in the Andariel attack also were located there, the researchers noted.

**Defenders Beware Rising North Korean Ransomware Threat**

Andariel has been active for several years and has mounted a number of high-profile attacks that have targeted critical defense, aerospace, nuclear, and engineering companies as well as global managed service providers.

Related:Samsung Zero-Day Vuln Under Active Exploit, Google Warns

Andariel is controlled by North Korea's military intelligence agency, the Reconnaissance General Bureau, which is involved in the nation's illicit arms trade and responsible for its malicious cyber activity. The group's antics already have drawn the attention of international law enforcement, including the US National Security Agency (NSA), which considers the group an ongoing threat to various industry sectors, particularly in the US, South Korea, Japan, and India.

The US Department of State's Rewards for Justice (RFJ) is even offering a reward of up to $10 million for information that could lead it to Rim Jong Hyok, a key player in Andariel's management structure, or any co-conspirators in the group.

Given the need for worldwide organizations to be on alert, Unit 42 included a list of indicators of compromise (IoCs) in its blog post. The researchers advised that defenders leverage the latest threat intelligence to identify malware on networks, and advanced URL filtering and DNS security products to spot known URLs and domains associated with Andariel's malicious activity.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

North Korea's Andariel Pivots to 'Play' Ransomware Games

Application security teams from Fortune 500 companies are already using Noma's life cycle platform, which offers organizations data and AI supply chain security, AI security posture management, and AI threat detection and response.

Source: BillionPhotos.com via Adobe Stock Photo

The rapid adoption of artificial intelligence (AI) and machine learning (ML) tools in enterprises has put the pressure on security teams to secure the data and AI life cycle. Organizations can be compromised via misconfigured data pipelines, insecure MLOps tools, and vulnerable and malicious open source models.

Noma emerged from stealth today with a platform to help organizations manage the risks around AI applications. The platform offers organizations with end-to-end AI discovery, security, protection, and compliance. Noma deploys across any cloud-based, software-as-a-service, or self-hosted environment, and does not require agents or code changes, the company said.

Noma protects against supply chain risks, such as vulnerable data pipelines, unscanned code in data science environments, misconfigured MLOps tools, and sensitive data used for model training. The platform also protects organizations vulnerable and malicious models, runtime prompt injection, and other threats.

The Noma platform is already in use by paying customers, including Fortune 500 companies.

As part of the launch, Noma announced $32 million in series A funding from Ballistic Ventures and "dozens of strategic angel investors." The company had a previously undisclosed seed round less than a year ago. Noma's co-founders, Niv Braun and Alon Tron, have experience leading security and data science teams, the company said.

Noma Launches With Plans to Secure Data, AI Life Cycle

Knee-jerk reactions to major vendor outages could do more harm than good.

Source: SOPA Images Limited

COMMENTARY

The now-infamous July CrowdStrike outage sparked global chaos and countless conversations about vendor security. Despite the industry noise and myriad headlines about the outage — and its potential cost of more than $5 billion to Fortune 500 companies alone — there is a bigger picture we must consider. And that is how, as an industry, we understand the risks involved and respond to major outages and other cybersecurity crises. 

While the CrowdStrike outage was a freak accident, it's likely not the last time we'll witness this kind of meltdown from a major technology provider. As our digital ecosystems become further interconnected and enterprises increasingly put their trust in singular vendors, business leaders will have to grapple with the inevitability of similar events, whether from a simple outage or a malicious hack. In every case along that spectrum, however, these leaders must avoid knee-jerk reactions that could ultimately do more harm than good. Blindly switching to a new vendor or making drastic changes to IT and security processes could introduce security holes that exacerbate vulnerabilities in an organization's overall security posture, rather than improving it.  

Instead of immediately jumping ship, here are the three things companies should do in the wake of a CrowdStrike-like event to ensure business continuity and high operational standards.  

**1\. Assess Vendors' Overall Reliability and Risk**

Switching vendors after an incident isn't as simple — or as beneficial — as it may seem. Before switching, businesses must evaluate both the existing and potential vendor, and assess each vendor's overall reliability and risk. For instance, Resilience customer data shows that despite the July incident, CrowdStrike Falcon is highly effective. It has the lowest percentage of material claims of endpoint detection and response (EDR) vendors in Resilience's portfolio, with fewer than 3% of clients with Falcon experiencing a cyber-insurance claim with losses. Of course, no company can — or should — claim the ability to avoid 100% of incidents, but in these kinds of deliberations, it's critical to put a vendor's long-term track record into perspective. On the flip side, however, if a vendor shows a consistent history of outages or vulnerabilities (as has VPN provider Ivanti, of late), poor performance or communication, and long delays in remediation, an incident could be the helpful forcing factor in considering the benefits of trying something new.  

It's also important to note the costs of switching vendors that go beyond sticker price, such as implementation time, staff training costs, and adjusting workflows to incorporate the new system and meet business needs. These third-party risk considerations must be considered, with leadership weighing the business interruption costs of an outage with the existing vendor against the total costs that come with making a switch.  

**2\. Avoid Radical Changes to the Update Process**

This particular outage raised the issue of update cadence and testing frequency, with many arguing that the affected organizations should have taken a more cautious, thorough approach to testing the update before rolling it out. But delaying updates is a calculated risk, and not necessarily one that most companies should be taking. Antivirus and EDR signatures are designed to counter quick-breaking, emerging threats toward existing systems, so while you can decide to wait to allow the days or weeks it may take to fully test the update, you may be leaving your systems vulnerable to new exploits in the process. Threat actors only grow faster and more sophisticated in their approaches, so quick security updates are more crucial than ever. The risk of taking additional precautions in testing may not be worth it for every company, especially since most updates happen seamlessly. After all, part of the reason CrowdStrike made headlines was because the outage was so out of the ordinary. 

In a perfect world, where bad actors weren't a consistent threat and update processes took no extra time, following the typical best practice of testing each and every update that comes from each and every vendor might be feasible. But in the real world, changes to the update process are likely to slow down your defenses. Ultimately, there is no one-size-fits-all answer, and the best approach will depend on the specific organization and its risk tolerance.  

**3\. Don't Panic**

It's tempting to liken incidents like CrowdStrike to natural disasters (such as catastrophic hurricanes), but that oversimplification distracts from the heart of the issue. While many insurers use this analogy to describe cyber events, it's neither accurate nor useful, as it becomes an apples-to-oranges comparison that frames cyber incidents or outages as one-sided and world-ending. But the reality is far different. There's no tangible way for individuals to prevent or mitigate the intensity of category hurricanes or tornadoes, but there are certainly simple, actionable steps we can take to mitigate the financial impact of an outage or counteract the negative effects of a potential attack. This includes implementing proper cyber hygiene, transferring financial risk through cyber insurance, and having a detailed cybersecurity action plan in the event of an attack or outage. It's not only feasible but essential that companies take these steps to remain operable and functioning in the midst of an incident.  

In short, decision-makers across the board can't allow themselves to make reactive or fear-based decisions on their security posture directly following a cyber incident. These knee-jerk reactions could lead to greater complications and introduce a host of new vulnerabilities just waiting to be exploited. Instead, leaders must focus on understanding the root cause of the incident, learning from it, and making risk-driven decisions that mitigate the greatest financial loss and improve their organization's overall cyber resilience. This includes taking a proactive approach and incorporating third-party risk management into business continuity planning. That way, you'll be able to avoid catastrophic interruptions to your day-to-day business and maintain continuity and resilience in the face of a cyber incident. 

**About the Author**

CEO & Co-Founder, Resilience

Vishaal Hariprasad, best known as "V8," co-founded what is now known as Resilience in 2016 to bridge the divide between cyber insurance and cybersecurity. As a licensed insurance broker and producer, as well as a veteran of both the US Air Force and the cybersecurity industry, Vishaal brings the leadership skills he honed in his years with the military to his position as CEO for Resilience. After graduating from the United States Air Force Academy, V8 was commissioned to military service as a Cyber Operations Officer for the Air Force. Hariprasad is an Iraq War veteran and a recipient of a Bronze Star Medal. In 2012, he co-founded Morta Security, which was acquired by Palo Alto Networks, where he then served as a threat intelligence architect. In 2015, V8 was tapped to serve as a founding partner at the Pentagon's newly established Defense Innovation Unit Experimental (DIUx) in Mountain View, California, an office under the Secretary of Defense charged with leveraging commercial technology to solve defense challenges. V8 holds a B.A. in Mathematics from the US Air Force Academy and an M.S. in Information Technology from Virginia Polytechnic Institute and State University (Virginia Tech).

The Case Against Abandoning CrowdStrike Post-Outage

On the heels of a Chinese APT eavesdropping on phone calls made by Trump and Harris campaign staffers, Beijing says foreign nations have mounted an extensive seafaring espionage effort.

Source: US Navy Photo via Alamy Stock Photo

Just days after Chinese state-sponsored hackers attacked the presidential campaigns of both Donald Trump and Kamala Harris, Beijing is leveling accusations at unnamed foreign entities, accusing them of using secret maritime buoys and seabed equipment to spy on its naval activities.

In a message on WeChat — China's biggest social media app — the country's Ministry of State Security (MSS) claimed it has discovered devices designed for "reconnaissance and monitoring of our country's waters" and "intelligence collection and technical theft activities."

It went on to allege that foreign "secret guards" are lurking as drifting "spies" and acting as "lighthouses" to guide outsider submarines.

"Faced with the severe and complex situation of covert struggle in the deep-sea security field and the real threat of foreign espionage intelligence agencies, the national security agencies will ... firmly defend our sovereignty," the MSS reportedly said. 

"It’s highly unlikely we will ever find out for definite if these claims are accurate, but when it comes to the culprits, suspicion will definitely land on the West," says Ryan McConechy, chief technology officer at Barrier Networks. "The key lesson here is that the online world has become the preferred playing field for all adversaries today. Nation-states and criminals can operate much stealthier, they can often get deeper into networks and secrets than physical access would allow, and it is much safer for the troops who can physically distance themselves from targets."

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

William Wright, CEO of Closed Door Security, noted that at-sea ships do make for juicy espionage targets.

"Few people fully understand the importance of the maritime industry today, but vessels are like floating computers, and they often contain highly sensitive information," he explains. "Whether the information relates to China's rapidly growing navy, or information on trading, it could prove to be very valuable to another nation-state and China is clearly concerned."

**Tit for Tat? News Follows Reported Chinese Campaign Hacks**

The claims from Beijing come on the heels of reports from the Washington Post and Reuters last weekend that an unnamed advanced persistent threat (APT) infiltrated the Verizon Communications telecom network and intercepted phone calls and texts made by campaign staffers for both Trump and Harris.

In addition, the eavesdroppers also reportedly targeted Trump's own phone calls, along with those of his running mate JD Vance — though how successful these latter attempts were is unknown.

Related:Facebook Businesses Targeted in Infostealer Phishing Campaign

Following the reports, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) confirmed they were investigating "unauthorized access to commercial telecommunications infrastructure by actors affiliated with the People's Republic of China," and acknowledged they were seeing "specific malicious activity targeting the sector," though they did not name victims or mention the candidates.

Verizon told Reuters meanwhile that it was "aware of a sophisticated attempt to target US telecoms and gather intelligence."

**China-US Tensions: Time to Up Critical Infrastructure Cyber Defense**

The activity aligns with prior attacks from the now-infamous Chinese state-sponsored APT Volt Typhoon, which first came to light in March 2023 after compromising telecom networks in Guam. It has since consistently targeted critical infrastructure in the US, with the observed purpose of espionage — and, potentially, the ability down the line to disrupt communications in the event of military conflict in the South China Sea and across the Pacific.

Similarly, another Chinese APT known as Salt Typhoon attacked US ISPs last month. The focus on high-value communications service provider networks in the US likely indicates a similar dual set of goals, researchers said at the time — to steal information and set up a launchpad for disruptive attacks.

Related:Canada Grapples With 'Second-to-None' PRC-Backed Threat Actors

"While it's alarming, the recent campaign targeting is also pretty unsurprising," says Casey Ellis, founder and adviser at Bugcrowd. "Given the US election season, and the access that Salt Typhoon had, I'd be surprised if they didn't target the elected officials and candidates for the presidential election."

All industries should learn from these types of campaigns, says Barrier Networks' McConechy, who notes that the seafaring espionage might be in retaliation for Volt Typhoon's assaults.

"Whether it's spyware implanted into routers, snooping hot air balloons, or spying submersibles, nation-states are getting increasingly creative when it comes to eavesdropping on other countries, so critical industries must be prepared for these assaults," he stresses. "In the digital world, these types of cyber-physical espionage campaigns have become the norm. Most countries will deny they conduct them, but they will be, they just won't want to publicly announce it, or let their target know."

He adds, "All systems must be scanned regularly for malware, and the locations close to where critical infrastructure resides must be continuously monitored for intruders, whether human or robotic. Improving defenses both physically and digitally must be a priority.”

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

China Says Seabed Sentinels Are Spying, After Trump Taps

Despite the absence of laws specifically covering AI-based attacks, regulators can use existing rules around fraud and deceptive business practices.

Source: mike via Adobe Stock Photo

As AI-generated deepfakes become more sophisticated, regulators are turning to existing fraud and deceptive practice rules to combat misuse. While no federal law specifically addresses deepfakes, agencies like the FTC and SEC are applying creative solutions to mitigate these risks.

The quality of AI-generated deepfakes is astounding. "We cannot believe our eyes anymore. What you see is not real," says Binghamton University professor Yu Chen. Tools are being developed in real time to distinguish between an authentic image and a deepfake. But even if a user knows an image isn't real, there are still challenges.

"Using AI tools to trick, mislead, or defraud people is illegal," Federal Trade Commission chair Lina M. Kahn said, back in September. AI tools used for fraud or deception are subject to existing laws, and Khan made it clear the FTC will be going after artificial intelligence fraudsters.

**Intent: Fraud and Deception**

Deepfakes can be used for other corporate unfair business practices, such as creating a false image of an executive who announces their company is taking an action that could cause stock prices to change. For example, a deepfake could declare a company is going out of business or make an acquisition. If stock trading stock is involved, the SEC could prosecute.

When a deepfake is created with the intent to deceive, "that is a classic element of fraud," says Joanna Forster, a partner at the law firm Crowell & Morning and the former deputy attorney general, Corporate Fraud Section, for the State of California

"We've all seen the past four years a very activist FTC on areas of antitrust and competition, on consumer protection, on privacy," Forster says.

In fact, an FTC official, speaking on background, says the agency is aggressively addressing the issue. In April, a rule on government or business impersonation went into effect. The agency also is continuing its efforts on voice clones designed to deceive and defraud victims. The agency has a business guidance blog that tracks many of these efforts.

Several state and local laws address deepfakes and privacy, but there is no federal legislation or clear rules defining which agency takes the lead on enforcement. In early October, U.S. District Judge John A. Mendez granted a preliminary injunction blocking a California law against election-related deepfakes. Even though the judge acknowledged AI and deepfakes pose significant risks, California's law likely violated the First Amendment, Mendez said. Currently, 45 states plus the District of Columbia have laws prohibiting using deepfakes in elections.

**Privacy and Accountability Challenges**

There are few laws that protect non-celebrities or politicians from a deepfake violating their privacy. The laws are written so that they protect the celebrity's trademarked face, voice and mannerisms. This differs from a comic impersonating a celebrity for entertainment's sake where there is no intent to deceive the audience. However, if a deepfake does try to deceive the audience, that crosses the line of intent to deceive.

In the case of a deepfake of a non-celebrity, there is no way to sue without first knowing who created the deepfake, which is not always possible on the internet, says Debbie Reynolds, privacy expert and CEO of Debbie Reynolds Consulting. Identity theft laws might apply in some cases, but internet anonymity is difficult to overcome. "You may never know who created this thing, but that harm still exists," Reynolds says.

While some states are looking at laws specifically focusing on the use of AI and deepfakes, the tool used for the fraud or deception is not significant, says Edward Lewis, CEO of CyXcel, a consulting firm specializing in cybersecurity law and risk management.  Many corporate executives do not realize how easy deepfakes and other AI-generated content are to create and distribute.

"It's not so much about what do I need to know about deepfakes; It's rather who has access, and how do we control that access in the workplace, because we wouldn't want our staff to be engaging for inappropriate reasons with any AI," Lewis says. "Secondly, what is our firm's policy on the use of AI? What context can or can't it be used for, and who actually do we grant access to AI so that they can carry out their jobs?"

Lewis notes, "It's much the same way as we have controls around other cyber security risks. The same controls need to be considered in the context of the use of AI."

As AI-generated deepfakes become more sophisticated, regulators are working to adapt by leveraging existing fraud and privacy laws. Without federal legislation specific to deepfakes, agencies like the FTC and SEC are actively enforcing rules against deception, impersonation, and identity misuse. But the challenges of accountability, privacy, and recognition persist, leaving gaps that both individuals and organizations need to navigate. As regulatory frameworks evolve, proactive measures—such as AI governance policies and continuous monitoring—will be essential in mitigating risks and safeguarding trust in the digital landscape.

**About the Author**

Stephen Lawton is a veteran journalist and cybersecurity subject matter expert who has been covering cybersecurity and business continuity for more than 30 years. He was named a Global Top 25 Data Expert for 2023 and a Global Top 20 Cybersecurity Expert for 2022. Stephen spent more than a decade with SC Magazine/SC Media/CyberRisk Alliance, where he served as editorial director of the content lab. Earlier he was chief editor for several national and regional award-winning publications, including MicroTimes and Digital News & Review. Stephen is the founder and senior consultant of the media and technology firm AFAB Consulting LLC. You can reach him at \[email protected\].

Source

DARKReading