AI-generated spam comments on Amazon, the latest on the 3CX supply chain attack and more security headlines from the past week.

Thursday, April 27, 2023 14:04

Welcome to this week’s edition of the Threat Source newsletter.

I’m writing this earlier in the week as I get ready for some personal travel (everyone is lucky I passed on writing another Cybersecurity Mock Draft), so apologies if I miss anything major that happens at RSA.

But Cisco beat everyone to the punch Monday morning anyway, making a slew of major announcements on RSA travel day. By the time you’re reading this, it’s still not too late to track down someone from our team if you want to learn more. (Read last week’s newsletter for more on that.)

Cisco Duo announced that all paid customers of its service can now use Trusted Endpoints to block access from unknown devices.

Duo is also re-introducing three editions of the product: Duo Essentials, Duo Advantage and Duo Premier. Even with the added security features announced Monday, the price-per-user is not rising, giving customers strong security at an unmatched value.

Cisco also announced its new extended detection and response (XDR) platform – Cisco XDR. This new offering combines users’ endpoint, network and application telemetry with customized detection based on their environment. This platform will detect threats in an environment that many other point products can’t see on their own.

Hazel Burton from Talos has a new episode of ThreatWise TV out this week discussing XDR, including an interview with a current enterprise XDR user. Nick Biasini, Talos’ head of outreach, is also on that episode to discuss how Cisco XDR is adapting to current attacker tactics, techniques and procedures.

**The one big thing**

More information and research is still coming out around the 3CX supply chain attack. A new report indicates that it was actually two supply chain attacks linked together. The adversaries involved in the 3CX compromise first backdoored another application, which it then used to infiltrate 3CX and send out a malicious, fake update there. Additional reporting indicates that these same state-sponsored actors also infiltrated several critical infrastructure networks with a backdoor during this same campaign.

**Why do I care?**

This news further highlights why it’s so important to plan for and defend against supply chain attacks. These are increasingly popular attacks that state-sponsored, well-funded adversaries are clearly using in the wild to target multiple sectors and industries.

**So now what?**

I already outlined several important steps to take that any organization can take to prepare for a supply chain attack. This recent Talos Takes episode with Craig Jackson of Cisco Talos Incident Response also provides valuable advice for organizations of all sizes.

**Top security headlines of the week**

**AI-generated spam is already hitting email inboxes, Amazon reviews and social media posts.** Security researchers and reporters have already spotted several instances where AI chat bots like ChatGPT are used to write fake reviews for popular Amazon products or even post tweets. Many of these reviews have a dead giveaway because they include the phrase “I cannot generate inappropriate content,” a message ChatGPT usually sends back when explicitly asked to generate spam or something with hateful content. Other AI models are learning to scan targets’ social media profiles to quickly learn and assume things such as political affiliation and employment status to create hyper-targeted spam and phishing. Experts warn this could lead to the further proliferation of fake news, misinformation and scams. (Vice, Gizmodo)

**Exploit code for a 9.8-severity vulnerability in the PaperCut printer management software went online this week,** potentially increasing the likelihood that attackers will try to exploit it in the wild. Although Cut disclosed this vulnerability and released a patch in March, many instances remain unpatched. CVE-2023-27350 is an improper access control issue in the SetupCompleted class of PaperCut MF/NG. An adversary could exploit this vulnerability to bypass authentication and execute arbitrary code with System-level privileges. Security researchers found attackers using this vulnerability to install two pieces of malicious remote management software. PaperCut users should ensure they are using PaperCut MF and NG versions 20.1.7, 21.2.11, and 22.0.9. (Ars Technica, SecurityWeek)

**U.S. law enforcement and intelligence agencies are increasingly prioritizing disrupting dark web networks** and forums versus arresting admins and users. U.S. Deputy Attorney General Lisa Monaco said during a talk at the RSA conference this week that prosecutors and investigators are being directed to have a “bias toward action to disrupt and prevent, to minimize that harm if it’s ongoing” and to “take that action to prevent that next victim.” That being said, the recent seizure of Genesis Market, a popular dark web forum, highlights how law enforcement is becoming better at unmasking many of these sites’ creators and making users’ activities less anonymous. (CyberScoop, SC Media)

**Can’t get enough Talos?**

*   Beers with Talos Ep. #133: The one where they talk a lot about wireless routers
*   Talos Takes Ep. #135: What does the future of MFA look like?
*   Cisco urges users to keep its network hardware up-to-date
*   Threat Roundup for April 14 - 21
*   Vulnerability Spotlight: Vulnerabilities in IBM AIX could lead to command injection with elevated privileges

**Upcoming events where you can find Talos**

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6  
**MD5:** 1e2a99ae43d6365148d412b5dfee0e1c  
**Typical Filename:** PDFpower.exe  
**Claimed Product:** PdfPower  
**Detection Name:** Win32.Adware.Generic.SSO.TALOS

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** 4ad8893f8c7cab6396e187a5d5156f04d80220dd386b0b6941251188104b2e53  
**MD5:** cdd331078279960a1073b03e0bb6fce4  
**Typical Filename:** mediaget.exe  
**Claimed Product:** MediaGet  
**Detection Name:** W32.DFC.MalParent

Threat Source newsletter (April 27, 2023) — New Cisco Secure offerings and extra security from Duo

The security issues raised by ChatGPT and similar tech are just beginning to emerge, but Rob Joyce says it’s time to prepare for what comes next.

At the RSA security conference in San Francisco this week, there's been a feeling of inevitability in the air. At talks and panels across the sprawling Moscone convention center, at every vendor booth on the show floor, and in casual conversations in the halls, you just know that someone is going to bring up generative AI and its potential impact on digital security and malicious hacking. NSA cybersecurity director Rob Joyce has been feeling it too. 

“You can’t walk around RSA without talking about AI and malware,” he said on Wednesday afternoon during his now annual “State of the Hack” presentation. “I think we’ve all seen the explosion. I won’t say it’s delivered yet, but this truly is some game-changing technology."

In recent months, chatbots powered by large language models, like OpenAI's ChatGPT, have made years of machine-learning development and research feel more concrete and accessible to people all over the world. But there are practical questions about how these novel tools will be manipulated and abused by bad actors to develop and spread malware, fuel the creation of misinformation and inauthentic content, and expand attackers' abilities to automate their hacks. At the same time, the security community is eager to harness generative AI to defend systems and gain a protective edge. In these early days, though, it's difficult to break down exactly what will happen next.

Joyce said the National Security Agency expects generative AI to fuel already effective scams like phishing. Such attacks rely on convincing and compelling content to trick victims into unwittingly helping attackers, so generative AI has obvious uses for quickly creating tailored communications and materials.

“That Russian-native hacker who doesn’t speak English well is no longer going to craft a crappy email to your employees,” Joyce said. “It’s going to be native-language English, it’s going to make sense, it’s going to pass the sniff test … So that right there is here today, and we are seeing adversaries, both nation-state and criminals, starting to experiment with the ChatGPT-type generation to give them English language opportunities.”

Meanwhile, although AI chatbots may not be able to develop perfectly weaponized novel malware from scratch, Joyce noted that attackers can use the coding skills the platforms do have to make smaller changes that could have a big effect. The idea would be to modify existing malware with generative AI to change its characteristics and behavior enough that scanning tools like antivirus software may not recognize and flag the new iteration.

“It is going to help rewrite code and make it in ways that will change the signature and the attributes of it,” Joyce said. “That \[is\] going to be challenging for us in the near term.”

In terms of defense, Joyce seemed hopeful about the potential for generative AI to aid in big data analysis and automation. He cited three areas where the technology is “showing real promise” as an “accelerant for defense”: scanning digital logs, finding patterns in vulnerability exploitation, and helping organizations prioritize security issues. He cautioned, though, that before defenders and communities more broadly come to depend on these tools in daily life, they must first study how generative AI systems can be manipulated and exploited.

Mostly, Joyce emphasized the murky and unpredictable nature of the current moment for AI and security, cautioning the security community to “buckle up” for what's likely yet to come.

“I don’t expect some magical technical capability that is AI-generated that will exploit all the things,” he said. But “next year, if we’re here talking a similar year in review, I think we’ll have a bunch of examples of where it’s been weaponized, where it’s been used, and where it’s succeeded.”

NSA Cybersecurity Director Says ‘Buckle Up’ for Generative AI

Law enforcement will likely find it much harder to take down criminal activities on the "deepverse."

RSA CONFERENCE 2023 – San Francisco – As the metaverse takes shape over the coming years, many of the security issues afflicting cyberspace will begin to spill over into virtual space as well.

One of the biggest of these threats will be the emergence of a new "darkverse," where criminals will be able to operate with greater impunity and more dangerously than they are able to do now on the Dark Web, two researchers from Trend Micro said at an RSA Conference 2023 session in San Francisco, April 26.

The metaverse is a somewhat loosely used term to describe a virtual space where people can interact with other individuals and organizations in a computer-generated version of the physical world. Just like how massive multiplayer online games allow individuals to create digital avatars of themselves and interact with other gamers in fantasy worlds, a full-fledged metaverse will allow individuals to shop, work, socialize and do other activities in a virtual replica of the physical world.

The same phenomenon will happen in the cybercrime underground, the researchers warned. Just like the Dark Web exists on an unindexed deep Web, the darkverse will operate within an unindexed "deepverse" that law enforcement will find hard to penetrate, they noted: The space will offer a safe haven for criminal spaces, extremist spaces, purveyors of child pornography, and those seeking to harass others.

Numaan Huq and Philippe Lin, senior threat researchers at Trend Micro, were two authors of a report last year on how security and privacy threats will likely emerge and evolve in the metaverse as more people begin to use it. Among the threats they identified in the report were amplified versions of some existing issues such as social engineering, financial fraud, and privacy risks, and some new ones such as risks related to NFTs, cyber-physical threats, and more.

**A Nearly Impenetrable 'Darkverse'**

The threats are a distance away from materializing, Huq and Linn said in a conversation with Dark Reading before their talk. "But the bad guys are already talking about how to make a profit in the metaverse," cautions Lin. "If \[organizations\] just ignore the threat and don't invest in trying to address them soon, they could lose more in future," he notes.

Trend Micro itself describes the metaverse as a "cloud distributed, multi-vendor, immersive, interactive operating environment that users can access through different categories of connected device." The metaverse will leverage Web 2.0 and Web 3.0 technologies to provide an interactive layer on top of the current Internet. "As proposed, it's an open platform for working and playing inside an extended reality environment, and it will also be a communications layer for smart city devices," according to Trend Micro.

The darkverse is a space that will exist within this world that, like today's Dark Web, will offer a safe space for free speech and expression against oppressive entities and governments. It will equally be a place for illegal and criminal activities with marketplaces that cater to a wide criminal audience. 

What will make the darkverse a distinctly more dangerous place is the difficulty law enforcement entities will have in trying to infiltrate the criminal activities taking place on it, Huq says. He expects criminals will use authentication tokens to control access to their spaces on the metaverse. They could make it almost impossible for defenders to get these tokens by requiring that users be inside a designated physical location in a specific time frame to receive a token. 

Criminals could also implement location based and proximity-based restrictions for accessing metaverse spaces. Such measures could make it significantly harder for law-enforcement authorities to take these activities down, compared to sinkholing a server or blocking URLs, Huq says.

**New Technologies & Protocols Introduce New Threats**

The darkverse will be a major threat, but not the only one that organizations will need to deal with in the metaverse. Huq and Lin expect that companies over the next several years will begin leveraging the metaverse for different use cases. As one example, Huq points to an operator of critical infrastructure that might create a digital twin of an OT or ICS environment. This would allow an engineer working for that company in New York to troubleshoot and address support issues at an ICS facility in Arizona almost like that engineer was physically present at that facility, he says. Similarly, a retailer could create digital stores where customers could shop in an immersive manner like they were at a physical location.

As such use cases proliferate, so too will the threats. Huq and Lin expect that attackers will look for and find ways to infiltrate and poison these environments to spy, steal, and create other havoc. They expect some of the attacks to target the servers, endpoints, and infrastructure on which the metaverse will run, while others will target metaverse-specific elements like the headsets people will use to access the virtual world, or the objects that exist within.

Huq and Lin, like other researchers also are concerned about the massive harvesting of personal data that is almost inevitably going to happen as more people begin using the metaverse in their personal and work lives.

"The metaverse will introduce in a very short span of time, a lot of new technologies," Huq says. Users will find themselves having to constantly interact with digital objects from a Facebook metaverse, a Google metaverse, a Microsoft metaverse, and other multiple other metaverses. That means having to deal with code being transported from one environment to the other in a very fluid manner. "When you execute a radical new technology, you are definitely going to start having security issues whether cyber, or procedural."

Metaverse Version of the Dark Web Could be Nearly Impenetrable

Last year, 71% of enterprise breaches were pulled off quietly, with legitimate tools, research shows.

RSA CONFERENCE 2023 – San Francisco – With little more than smart reconnaissance and existing tools, adversaries are increasingly capable of compromising an enterprise network without making any noise or leaving a trace behind.

In fact, according to CrowdStrike CEO Jeff Hurtz and president Michael Sentonas, 71% of enterprise cyberattacks in calendar year 2022 were done without malware.

At this year's RSA Conference, Hurtz and Sentonas returned to the keynote stage to walk the audience through a case study of just how easily a threat actor can not just penetrate a network but also move laterally and persist without making a ripple, illustrating in stark terms the kind of challenge cybersecurity teams face trying to detect, much less mitigate, malwareless compromises.

The legendary cybersecurity duo profiled the "Spider" cybercrime group from the stage as a perfect example of the phenomenon.

"They're very well prepared, and they are very well resourced," Sentonas explained. "And they really like to leverage existing tools; there's no need to get fancy if you can just blend in."

**Spider: Anatomy of a Malwareless Attack**

First, Spider initiates an in-depth intelligence gathering effort. Hurtz said his team was able to establish the threat actor spent more than an hour on the phone with the victim company's help desk trying to get any insights that could fuel the next phase of social engineering. 

Once they had a specific user in their sights, Spider initiates a voice call informing the user their credentials had been compromised. Victims are then sent a malicious link and prompted to enter in not just their login details, but also their multifactor authentication (MFA) data. Once the user is tricked into handing those over, Spider is off and running.

"We call that the layer A problem," Hurtz joked, about the user handing over the goods. "It's between the chair and the keyboard."

Spider then uses the Tails operating system and Evilginx2 to compromise the user's credentials to set up an AnyDesk account controlled by the cyberattackers. AnyDesk remains a popular remote desktop tool among threat actors, Hurtz added.

Spider also uses dedicated machines that hide their identity, and run their code on hardware as much as possible to avoid detection. "It could be from anywhere," Sentonas said. "It blends in because its not going to come from some crazy domain."

Other tools, like DigitalOcean Droplet, used as a virtual machine, fill out the attack chain. Ultimately, Hurtz and Sentonas explained, the Spider attack ends with the persistent actor set up with their own users on the network, free and able to exfiltrate data at will. And importantly, Sentonas noted, if the threat actor can get into the on-premises network, the cloud is likely going to sync and become compromised as well.

Importantly, Sentonas and Hurtz wanted to disabuse the audience of the notion that threat actors need full admin access to set up new users. They don't, and Sentonas showed exactly how just delegated permissions could allow him to move freely about the company's customer relationship management system, as well as add themselves as a SQL server admin.

In the past couple of quarters, CrowdStrike has been dealing with about one enterprise per week reeling from this type of malware-free cyberattack, Sentonas said.

**How to Defend Against Malware-Free Cyberattacks**

When it comes to defending the enterprise, endpoint detection and response (EDR) and other malware detection tools aren't terribly useful against malware-free cyberattacks. There's simply no malicious code to detect.

Instead, Hurtz and Sentonas urged enterprises to focus on gathering as much telemetry as possible from the endpoint to the cloud and managing identity down to the tiniest details.

But gathering all that telemetry and identity data leaves teams with vast oceans of information that's not particularly useable for threat hunting. That's where artificial intelligence (AI) and machine learning (ML) can be meaningfully deployed to look for anomalous activity, like added user accounts, to detect malicious activity, without malicious code.

It's also important to protect the enterprise MFA service from compromise, they added.

"Maintain good identity store hygiene, Sentonas said. "And protect the services you use for MFA."

Malware-Free Cyberattacks Are On the Rise; Here's How to Detect Them

In 45 percent of engagements, attackers exploited public-facing applications to establish initial access, a significant increase from 15 percent the previous quarter.

Wednesday, April 26, 2023 08:04

**Web shell usage spikes in Q1 compared to previous quarters, correlating with higher instances of exploitation of public-facing applications.**

In a novel increase compared to previous quarters, Cisco Talos Incident Response (Talos IR) reports that web shells were the most-observed threat in the first quarter of 2023, comprising nearly a fourth of the incidents Talos IR engaged in. The functionality of these web shells and the specific vulnerabilities and weaknesses in the platforms they targeted varied. Although each web shell had its own sets of basic functions, when there were multiple web shells present in a single engagement, threat actors chained them together to provide a more flexible toolkit for spreading access across the network. This demonstrates the skills actors have in combining multiple means of accesses and tools and increases the liklihood that they will be able to deploy additional malware or obtain sensitive and private information.

Ransomware made up a smaller portion of threats observed this quarter than in the past, from 20% to around 10%. Given that Talos IR observed a recent surge of ransomware incidents at the end of the quarter that did not close off, this decrease does not necessarily signify a decline in general ransomware activity as much as it is a reflection of activity seen against Talos IR’s customer base. However, ransomware and pre-ransomware incidents combined made up more than 20 percent of threats observed. While it can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place, many of the pre-ransomware engagements featured activity associated with prominent ransomware groups, such as Vice Society. We note that in this quarter, particularly in an aforementioned Vice Society engagement, swift action from defenders at victim organizations as well as Talos IR helped mitigate malicious activity before encryption could occur.

This quarter also featured previously seen commodity loaders, such as Qakbot. In engagements this quarter, Qakbot leveraged malicious OneNote documents, consistent with an uptick in various malware distributing weaponized Microsoft Office OneNote attachments. This is evidence of an ongoing trend of threat actors experimenting with file types that do not rely on macros to deliver malicious payloads following Microsoft’s move to start disabling macros by default in its applications in July 2022.

In 45 percent of engagements, attackers exploited public-facing applications to establish initial access, a significant increase from 15 percent the previous quarter. In many of these engagements, web shell usage contributed to this uptick where adversaries were attempting to compromise web-based servers exposed to the internet.

**Targeting**

Health care and public health was the most targeted vertical this quarter, closely followed by the retail and trade, real estate and food services/accommodation sectors, including hospitality.

**Web shell usage spike, featuring activity from FIN13**

Since January 2023, Talos IR observed an increase in web shell usage from 6% of all threats last quarter to now comprising nearly 25% of all threats. Web shells are malicious scripts that enable threat actors to compromise web-based servers exposed to the internet. This quarter, Talos observed threat actors using publicly available or modified web shells coded in various languages, including PHP, ASP.NET and Perl. After leveraging web shells to establish a foothold and gain persistent access to a system, adversaries remotely executed arbitrary code or commands, moved laterally within the network, or delivered additional malicious payloads. In many of these web shell incidents, adversaries relied heavily on web shell code sourced from publicly available GitHub repositories. This finding is also in line with a trend observed from Talos IR engagements from July to September 2022 (Q3 2022), where adversaries used a variety of open-source tools and scripts hosted on GitHub repositories to support operations across multiple stages of the attack lifecycle.

In one cluster of web shell activity, Talos observed targeting patterns and tactics, techniques and procedures (TTPs) potentially associated with the FIN13 cybercriminal threat actor, a significant finding in Talos IR engagements given FIN13’s targeted behavior. The web shells with known FIN13 TTPs have varying levels of functionality which include allowing queries to Microsoft SQL (MS-SQL) instances, creating reverse shell connection(s) to external IP addresses, and executing PHP scripts which can be used as a proxy to connect to other services. Consistent with public reporting on FIN13, Talos IR observed a PHP-based web shell (“404.php”) that took an IP or DNS entry and a port and attempted to create a proxy connection. The second web shell (“ms3.aspx”) was Windows-based and allowed SQL connections to an internal server and, if successful, results would be rendered in the browser. The third was another PHP-based web shell (“re.php”) that conducted port scans and created an outbound socket to respond/exfiltrate data to the attacker. This specific web shell contained a hardcoded IP address which resolved to cloud service provider DigitalOcean. The final web shell (“tx.asp”) was a Windows-based web shell that used “wscript.shell” and exec() to run commands rendered to the screen via an HTML document. While each web shell on its own had basic functionality, by chaining them together, the actor created a flexible toolkit for spreading their access across the network, while providing a proxy for exfiltrating sensitive data.

While the exact reason for this quarter’s increased appearance of web shells is unknown, their recent increased popularity may potentially be related to the ease of obtaining their code through open-source repositories. The availability of and easy access to open-source web shell code, paired with systems that may be publicly exposed or have poorly managed patching, make the use of web shells a lucrative option.

**Ransomware**

Ransomware made up a much smaller portion of threats this quarter, from 20% of threats to 10%. Looking ahead, there was a recent spike in ransomware engagements which we expect to level out again next quarter. Combined, ransomware and pre-ransomware incidents made up over 20 percent of threats observed.

In a Phobos ransomware engagement, a threat that Talos IR has responded to since 2020, the initial access likely involved remote desktop protocol (RDP). The adversary deployed a file named “mimidrv.sys," which is a signed Windows kernel mode software driver meant to be used with the Mimikatz executable. Talos IR also identified seven startup items that included downloading the ransomware executable, “Fast.exe.” This is a common persistence technique that followed activity where the adversary made modifications to the registry on the customer’s Amazon Relational Database Service (RDS) server. Upon encryption, attackers encrypted the files, appending them with the “.faust” extension and dropped a ransom note on the targeted systems.

This quarter also featured the Daixin ransomware, a newer ransomware-as-a-service (RaaS) family that Talos IR had never seen before in an engagement. Daixin, which first emerged in June 2022, typically involves affiliates gaining access to victim systems through virtual private networks (VPN) servers or by exploiting unpatched vulnerabilities, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). In a Daixin ransomware engagement, the affiliate modified registry values, mapped network shares, and ran randomly named BAT files as services on the system. Talos IR also identified the Impacket toolset, a collection of Python classes for working with different network protocols, and a PowerShell script loading a Cobalt Strike payload which subsequently launched a Cobalt Strike shellcode listening on port 4444.

We assess that the recent law enforcement efforts to disrupt ransomware actors will create space for new groups to emerge, consistent with a pattern that has been ongoing for years. In January 2023, the U.S. Department of Justice announced a months-long disruption campaign against the Hive ransomware group. The FBI, along with foreign law enforcement partners, seized Hive servers after entering its networks and capturing keys to decrypt its software, effectively disrupting operations. We have not observed Hive ransomware in Talos IR engagements since August 2022, a likely indication that Hive operations have ceased while former members possibly look to join other groups or rebrand under new names.

**Malicious OneNote documents continue to be leveraged in engagements this quarter**

The Qakbot commodity loader was observed across engagements this quarter leveraging ZIP files containing malicious OneNote documents, consistent with endpoint telemetry and public reporting on threats leveraging OneNote documents in phishing emails starting at the end of 2022 and early 2023. In one Qakbot engagement, a ZIP file ("Inv\_02\_02\_#3.zip") was detected as Qakbot and contained a malicious OneNote document which attempted to lure a user to click “open” containing a malicious embedded URL.

While Talos IR did not respond to any Emotet incidents this quarter, Emotet reemerged in March 2023, resuming its spam operations after a months-long hiatus. In a relatively short period, Emotet modified its infection chain several times to maximize the likelihood of successfully infecting victims. By mid-March, Emotet had switched to distributing malicious OneNote documents, highlighting the ways in which threat actors will continue to identify and quickly implement updated delivery methods to infect victims.

**Initial vectors**

This quarter featured 45 percent of engagements where attackers exploited public-facing applications to establish initial access, a significant increase from 15 percent the previous quarter. In many of these engagements, web shell usage contributed to this uptick where adversaries were attempting to compromise web-based servers exposed to the internet. Valid accounts and/or accounts with weak passwords or single-factor authentication also helped facilitate initial access where an adversary was leveraging compromised credentials.

Several known vulnerabilities contributed to adversaries gaining initial access via exploiting public-facing applications. In one incident, Talos IR identified activity consistent with exploitation of the WordPress vulnerability, tracked as CVE-2021-24867, in AccessPress Plugin and Theme. As a result, Talos IR identified approximately 20 different web shells and/or website defacements, likely from multiple threat actors identifying and exploiting this older flaw.

In another web shell engagement, Talos IR identified a vulnerable version of Magento (Adobe Commerce) version 2.4.2 that was operating in the Kubernetes deployment at the time of exploitation. Talos IR identified a total of nine known vulnerabilities for this version of the software, not including extensions. Talos IR recommends upgrading all instances of Magento to the latest available version, and routinely checking for vulnerable outdated extension versions that need patching or removed completely to reduce the available attack surface.

**Security weaknesses**

The lack of multi-factor authentication (MFA) remains one of the biggest impediments for enterprise security. Nearly 30 percent of engagements involved organizations that either had no MFA or only had it enabled on a handful of accounts and critical services. Talos IR frequently observes ransomware and phishing incidents that could have been prevented if MFA had been properly enabled on critical services, such as endpoint detection response (EDR) solutions or VPNs. To help minimize initial access vectors, Talos IR recommends disabling VPN access for all accounts that are not using MFA.

The increase in web shell engagements highlights the need for more vigilance in helping to prevent web shells. Talos provides the following recommendations:

*   Routinely update and patch all software and operating systems to identify and remediate vulnerabilities or misconfigurations in web applications and web servers.
*   In addition to patching, perform general system hardening, including removing services or protocols where they are unnecessary and being aware of all systems exposed directly to the internet.
*   Disable unnecessary php functions in your “php.ini”, such as eval(), exec(), peopen(), proc\_open() and passthru().
*   Frequently audit and review logs from web servers for unusual or anomalous activity.

**Top-observed MITRE ATT&CK techniques**

The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note, this is not an exhaustive list.

Key findings from the MITRE ATT&CK framework include:

*   Exploitation of public-facing applications was the top observed initial access technique, with the increased web shell activity likely contributing to this significant observation.
*   PowerShell is routinely used by adversaries to support a multitude of threats. We continued to observe high usage of PowerShell, in addition to a number of other scripting languages, including Python, Unix shell, and Windows command shell, which enabled web shell execution.
*   The open source red-teaming security toolkit Mimikatz was used to support nearly 60 percent of ransomware and pre-ransomware engagements this quarter. Consistently observed across previous quarters, Mimikatz is a widely used post-exploitation tool used to steal login IDs, passwords, and authentication tokens from compromised Windows systems.

Tactic 

Technique 

Example 

Initial Access (TA0001) 

T1190 Exploit Public-Facing Application  

Attackers successfully exploited a vulnerable application that was publicly exposed to the internet 

Reconnaissance (TA0043) 

T1592 Gather Victim Host Information 

Text file contains details about host 

Persistence (TA0003) 

T1505.003 Server Software Component: Web Shell  

Adversaries deployed web shells against web-based servers 

Execution (TA0002) 

T1059.001 Command and Scripting Interpreter: PowerShell  

Executes PowerShell code to retrieve information about the client's Active Directory environment 

Discovery (TA0007) 

T1046 Network Service Scanning   

Use a network or port scanner utility  

Credential Access (TA0006) 

T1003 OS Credential Dumping 

Deploy Mimikatz and publicly available password lookup utilities 

Privilege Escalation (TA0004)  

1484 Domain Policy Modification

Modify GPOs to execute malicious files  

Lateral Movement (TA0008) 

T1021.001 Remote Desktop Protocol  

Adversary made attempts to move laterally using Windows Remote Desktop 

Defense Evasion (TA0005) 

T1027 Obfuscated Files or Information 

Use base64-encoded PowerShell scripts 

Command and Control (TA0011) 

T1105 Ingress Tool Transfer  

Adversaries transfer/download tools from an external system 

Impact (TA0040) 

T1486 Data Encrypted for Impact  

Deploy Hive ransomware and encrypt critical systems 

Exfiltration (TA0010) 

T1567 Exfiltration Over Web Service 

Use legitimate external web service to  system information  

Collection (TA0009) 

T1560.001 Archive Collected Data 

Adversary leveraged xcopy on Windows to copy files  

Software/Tool 

S0002 Mimikatz 

Use Mimikatz to obtain account logins and passwords

Quarterly Report: Incident Response Trends in Q1 2023

The Data Security Maturity Model ditches application, network, and device silos when it comes to architecting a data security strategy.

RSA CONFERENCE 2023 – San Francisco – The coalition behind the Data Security Maturity Model has issued a second iteration of the framework, aimed at making it easier for businesses to protect data from leaks.

The coalition, created by Cyberhaven last summer, is led by Sounil Yu, CISO at JupiterOne and includes a range of security leaders from a range of companies, including Boston Scientific, Caterpillar Financial, Fleet, Flexport, Motorola Mobility, Twilio, VillageMD, and others.

During a panel at RSA Conference 2023, entitled Comprehensive Cyber Capabilities Framework: A Tech Tree for Cybersecurity, coalition members laid out a vision for the next generation of data security.

"The ability to protect any type of data across devices, applications, and cloud assets is essential if organizations are to take advantage of the power of modern collaboration and digital transformation without exposing their data to external threats, insider threats, or simple mistakes by well-intentioned users," the coalition said in a statement.

The DSMM aligns to the NIST Cybersecurity Framework and the Cyber Defense Matrix, and to enable a data-centric view, it defines five key functions:

*   **Identify & Classify:** Find and classify all data covered by the data security program.
*   **Protect:** Minimize the exposure of sensitive data by controlling how it is accessed, used, and retained.
*   **Detect:** Collect and analyze data risk to identify data-related security events or policy violations that were not stopped by the "Protect" function.
*   **Respond:** Establish immediate, short-term actions to be taken upon detection of a potential incident.
*   **Recover & Improve**: Determine actions needed to not only restore normal operations (as they pertain specifically to data), but also to build back stronger.

In its second iteration released this week, the maturity model refines each of these pillars to take into account more granular context, such as what server infrastructure is being used, how much is in the cloud, privacy regulations, how employees and others use the data, and how applications, APIs, and non-human endpoints use it, and more — in order to gain a fuller picture of an organization's data footprint.

**The Data & Digital Transformation Problem**

Richard Rushing, panelist and CISO of Motorola Mobility, tells Dark Reading that a new framework approach was needed given that, in the age of digital transformation, getting arms around all of the data being generated at any given point within an organization simply can't be accomplished by looking at protection in a siloed way. The old concept of seeing data in the context of devices, applications, or the network, needed to be traded for a focus on the data itself, wherever it goes within an organization.

"If you think about what security is enabling, it's the use of data, and ubiquitous access to it," he says. "It's necessary to connect to the network to use the data that's in the network to make better decisions for the business or make better decisions for your customers. But data is found in different places, sometimes it's at rest, and sometimes it's in transit."

He adds that the problem is — quite literally — growing, also necessitating a rethink of protection architecture.

"Data is on a logarithmic curve; for every amount of data that I have next year, it's probably 2.5 times more than the amount of data I had this year," he says. "We're data hoarders, for lack of a better term; no one wants to get rid of people's information who have signed up to websites and forums and everything else, so we have this enormous data sprawl. That, in turn, leaves behind security blind spots."

Further adding to the challenge is the fact that some data is of course more sensitive than other information, and some information doesn't need protecting at all, Rushing points out. And there's dynamism in terms of defining appropriate security levels as data ages.

He uses a product launch to illustrate his point. "With a product release, we start off with a situation where no one knows about it, everything's embargoed, and you're protecting this important intellectual property," he explains. "And the next thing you know, it's released for public consumption. And it's suddenly not top secret anymore, in fact, you want the whole world to know about it."

Rushing says that the framework is meant to tame some of this chaos, and that it can be tailored to large enterprises and small-to-midsized businesses alike. It allows organizations to focus in on a number of practice areas, too — including risk-based decision prioritization, collaboration, continuous education, risk management for vendors and third parties, compliance, being transparent, and incident response and how to recover data.

"I don't want to say it's one size fits all, but it's very close to one size fits all," he explains. "The controls are going to be different depending on the environments, but the approach is meant to be flexible enough to accommodate that."

He says that the framework is a living architecture that the coalition plans to refine and evolve over time. However, the time to make the switch to thinking about things in a data-centric kind of way should start now.

"If you don't start \[or\] you don't think about this, you're going to get hit in the next 6, 12, 18 months in some way, shape, or form," he warns. "It's not like the Internet is becoming a safer neighborhood and data is the new oil that's going to drive business and attackers alike."

CISOs Rethink Data Security With Info-Centric Framework

New CrowdStrike Falcon platform integration delivers multi-cloud visibility and protection of data assets with layered malware detection and file scanning to stop modern attacks.

**TEL AVIV, Israel****,** **April 25, 2023** **/PRNewswire/ --** Dig, the cloud data security leader, today announced its new technology integration with CrowdStrike, a leader in cloud-delivered protection of endpoints, cloud workloads, identity, and data. The Dig Data Security Platform integrates with the CrowdStrike Falcon platform to deliver real-time visibility and control of cloud data assets for accurate discovery of sensitive data and security posture gaps. Dig is the first-in-the-market Data Security Posture Management (DSPM) solution combining malware detection with Data Leak Prevention (DLP) and real-time Data Detection and Response (DDR) for securing data assets across storage services in the cloud.

"Organizations rely on the ability to upload large amounts of data to the cloud. But it is too easy for them to lose track of what they have. Unmonitored and unsecured data is too easily infected by malware. Unless detected, it evolves into a ticking time bomb that threatens business processes and operations," said Dan Benjamin, CEO and Co-Founder of Dig Security. "The Dig integration with CrowdStrike's malware detection and file scanning capabilities across cloud data stores helps customers benefit from comprehensive data asset visibility and security across all enterprise cloud stacks."

Legacy point malware detection solutions only scan cloud storage buckets and fall short of comprehensive protection. The integration protects cloud data assets from malicious content with complete malware scanning from the CrowdStrike Falcon platform across: all cloud storage buckets, such as Amazon Simple Storage Service (Amazon S3), Azure Blob Storage, and Google Buckets; FileStores and other unstructured data stores that live in the cloud; and other IaaS, PaaS, and DBaaS providers, including Databricks, Oracle Cloud, and Snowflake.

The Dig Data Security Platform is recognized as the industry's first and only solution to combine data security posture management (DSPM), data loss prevention (DLP), and data detection and response (DDR) capabilities into a single platform. It is easy to implement, cloud-scalable, and highly efficient for today's security teams. Dig enables enterprise cloud and security teams to produce immediate insights using its agentless cloud native solution that delivers a short setup time, zero maintenance, and comprehensive, automated response at scale.

The new integration builds on an existing partnership between CrowdStrike and Dig, who is a CrowdStrike Falcon Fund portfolio company. A cross-stage investment fund, the CrowdStrike Falcon Fund is the largest corporate venture arm in the cybersecurity industry. The program is designed to build an ecosystem of next-generation security leaders that share a common mission through a unique combination of investment and deep technical integrations.

"As more and more companies are moving to the cloud, there is a natural increase in cloud exploitations and compromise of critical cloud infrastructure. As a result, we have deepened our partnership with Dig Security, an innovative Falcon Fund leader in data security and DDR, to address this challenge," said Gur Talpaz, vice president of corporate development and head of Falcon Fund at CrowdStrike. "In our mission to stop breaches and make cloud data inherently secure, it's critical we continue collaborating with companies like Dig to provide customers with real-time data visibility, protection and control across all clouds and all data stores."

For more information about Dig and CrowdStrike's integration, visit here, meet with Dig at RSA, or stop by the Dig booth (#5273) in the North Expo during RSAC 2023 from April 24-27, 2023, at the Moscone Center in San Francisco, CA.

**About Dig Security**

Dig Security helps organizations discover, classify, protect, and govern their cloud data.

With organizations shifting to complex environments with dozens of database types across clouds, monitoring and detecting data exfiltration and policy violations has become a complex problem with limited fragmented solutions. Dig's cloud-native and completely agentless approach re-invents cloud DLP with DDR (Data Detection & Response) capabilities to help organizations better cope with cloud data sprawl. Dig was founded by three cyber security veterans from Microsoft and Google and is backed by Team8, SignalFire, Felicis, CrowdStrike, Okta Ventures, CyberArk Ventures, and Merlin Ventures. Visit us at https://www.dig.security/.

SOURCE Dig Security

Dig Security Announces New Integration With CrowdStrike

**SAN FRANCISCO****,** **April 25, 2023** **/PRNewswire/ --** BlackBerry Limited (NYSE: BB; TSX: BB) and Solutions Granted today announced an extended partnership, naming the leading cybersecurity services provider a Master Managed Security Services Provider (MSSP), enabling it to better scale and meet the growing demand for cybersecurity services among small and medium-sized businesses (SMBs).

"Solutions Granted has been honored as BlackBerry MSSP Partner of the Year for North America for five consecutive years and we're excited to take our partnership to the next level by crowning them as our top Master MSSP," said Adam Enterkin, Chief Revenue Officer, Americas, BlackBerry Cybersecurity. "BlackBerry is dedicated to increasing its focus on MSSP partners to ensure they're set up for success. Endpoints are proliferating, and so are the cyberattacks against them. Our extended partnership with Solutions Granted will help hundreds of small and mid-size businesses continuously adapt to an ever-changing threat landscape."

As a 'Master MSSP', Solutions Granted will be better positioned to help its own partners to deliver Managed Detection and Response (MDR) and other Managed Security Services to their mid-market and SMB clients.  In partnership with BlackBerry and heavily leveraging the Cylance® AI-powered portfolio, Solutions Granted helps thousands of clients secure their environments and prevent attacks. By working with Solutions Granted, MSSPs and managed service providers (MSPs) can offer industry leading managed security, without making the significant investment of building out their own security operations center (SOC).

CylanceENDPOINT™ is among the solutions it helps managed service providers (MSPs) deploy to clients, either as individual managed services or integrated into a SOC-as-a-service offering.

"BlackBerry's support for our business model provides the flexibility we need to continue to meet customer demand and provide the best possible product support for their business needs," said Michael E. Crean, Chief Executive Officer, Solutions Granted. "We value the investment BlackBerry is making in our partnership and know this will go a long way in setting up our customers for success."

To learn more about BlackBerry MSSP Partners, visit blackberry.com/us/en/partners/mssp-partners.

**About BlackBerry**

BlackBerry (NYSE: BB; TSX: BB) provides intelligent security software and services to enterprises and governments around the world.  The company secures more than 500M endpoints including over 215M vehicles.  Based in Waterloo, Ontario, the company leverages AI and machine learning to deliver innovative solutions in the areas of cybersecurity, safety and data privacy solutions, and is a leader in the areas of endpoint management, endpoint security, encryption, and embedded systems.  BlackBerry's vision is clear - to secure a connected future you can trust.

BlackBerry. Intelligent Security. Everywhere. 

For more information, visit BlackBerry.com and follow @BlackBerry.

_Trademarks, including but not limited to BLACKBERRY and EMBLEM Design are the trademarks or registered trademarks of BlackBerry Limited, and the exclusive rights to such trademarks are expressly reserved.  All other trademarks are the property of their respective owners.  BlackBerry is not responsible for any third-party products or services._

**About Solutions Granted Inc.**

Solutions Granted is a Master Managed Security Services Provider (Master MSSP). They offer cybersecurity solutions to North American MSPs and MSSPs and are committed to delivering solutions without requiring minimums, commitments, or long-term contracts. They proudly offer many security layers as well as a 24x7 U.S.-based Security Operations Center (SOC). Over the past several years, Solutions Granted has emerged as a clear leader in the channel, by winning countless awards including the CRN Security 100 list, Top 100 MSSP List, Top Global MSSP List, and BlackBerry MSSP Partner of the Year. Learn more at https://www.SolutionsGranted.com.

BlackBerry Extends Partnership With Managed Security Services Provider (MSSP) to Ensure SMBs are Set Up for Cyber Success

CISOs and cybersecurity teams will play a key role in hardening artificial intelligence and machine learning systems.

RSA CONFERENCE 2023 – San Francisco – As enterprises and government agencies increasingly weave artificial intelligence (AI) and machine learning (ML) into their broader set of systems, they'll need to account for a range of risk resilience issues that start with cybersecurity concerns but spread far beyond those. 

A panel on April 24 at RSA Conference 2023 composed of distinguished AI and security researchers examined the problem space of AI resilience, which includes weighty issues like adversarial AI attacks, AI bias, and ethical application of AI modeling.

Cybersecurity professionals need to start to tackling these issues both within their organizations and as collaborators with government and industry groups, panelists noted.

"Many organizations will look to integrate AI/ML capabilities of their core business functions, but in doing so will increase their own attack surface," explained panel moderator Bryan Vorndran, assistant director at the FBI Cyber Division. "Attacks can occur in every stage of the AI and ML development and deployment cycle, models, training data, and APIs can be targeted."

The good news is that there is time to ramp up into these efforts if the community begins work now.

"We have a really unique opportunity here as a community," said Neil Serebryany, CEO of CalypsoAI. "We're aware of the fact that there is a threat, we're seeing early incidents of this threat, and the threat is not full-blown yet."

The 'yet' is the operative word, he emphasized, and his fellow panelists agree. The field of risk management is in a place with AI similar to where cybersecurity was with the Internet in the 1980s, said Bob Lawton, chief of missions capabilities for the Office of the Director of National Intelligence Science and Technology Group.

"Imagine if it's 1985 and you knew the challenges that we were going to face in the cyber domain now, what would we as a community, as an industry do differently 35 years ago, and that's exactly where we're at with AI right now," said Lawton. "We have the time and space to get it right."

Specifically when it comes to direct attacks against AI systems by adversaries, the threats are still very rudimentary, but that's only because the attackers are only putting the work they need to in order to achieve their objectives right now, said Christina Liaghati, AI strategy execution and operations manager for MITRE Corporation.

"I think we're going to see many more of the malicious actors having a higher level of sophistication of these attacks, but right now they don't have to, which I think is what's really interesting about this space," she told the audience.

Nevertheless, she warned that organizations can't treat the risks lightly. The interest of threat actors to increase their sophistication and knowledge of AI models will only keep growing as it is embedded into systems they can profitably attack. And this is just as true of smaller organizations using simple ML models in financial systems as it would be for government agencies using it in an intelligence capacity.

**Everyone Is at Risk**

"If you're deploying AI in any environment where any actor might want to misuse or evade or attack that system, your system is vulnerable," she said. "So, it's not just super advanced tech giants or anybody that's deploying AI in a massive way. If your system is in any kind of consequential environment and then you incorporate AI and machine learning into that broader system of systems context, you could be exposing it in new ways that you're probably not thinking about or necessarily prepared for."

The challenge with AI for many cybersecurity executives is that addressing these risks will require they and their teams gain a whole new set of knowledge and parlance around AI and data science.

"I don't think that AI assurance at its core is a traditional infosec problem," Serebryany said. "It's a machine learning problem that we're trying to figure out how to translate into the infosec community."

For example, hardening the models requires understanding of key data science metrics like recall precision accuracy and F1 scores, he said.

"So I think it's kind of incumbent upon us to be able to figure out how to take these underlying ML concepts and research and translate the parlance, the concepts and the standard operating procedures within a soft context that makes sense within the infosec community," he said.

At the same time, Liaghati said to not discount the security basics as AI/ML models and systems will be deployed in the context of other systems for which security teams have decades of experience managing risk. The principles of data security, application security, and network security are still extremely relevant, as are standard risk management and OpSec best practices.

"So many of those are just good practices. It's not just a big, fancy adversarial layer or being able to patch a data set. It's not necessarily that complicated," she says. "Many of the ways that you can mitigate these threats are just thinking about the amount of information that you're putting out within public domain on what models you're using, what data you're using, where it's coming from, \[and\] what the broader system context looks like around that AI system.

AI Experts: Account for AI/ML Resilience & Risk While There's Still Time

**AUSTIN, Texas – April 25, 2023 –** Global security leader Forcepoint today extended the depth and breadth of its Data-first SASE (Secure Access Service Edge) offering with the launch of Forcepoint Data Security Everywhere. Forcepoint is simplifying enterprise DLP management across cloud, web and private apps and streamlining compliance wherever hybrid workers store, access and use confidential information.

The company is also bringing to market Forcepoint ONE Insights thatenables users to quickly visualize and quantify the financial value of security efficacy delivered by Forcepoint solutions. Forcepoint ONE Insights’ visualization console presents key performance indicators such as adoption, data and threat protection, policy violations, performance, and risk.

“Data isn’t the new oil; it is the new air. Literally everything runs on data today and our lives and livelihoods depend on it. Before today, securing data required a mishmash of point solutions. Forcepoint is taking the lead in solving this problem with Forcepoint Data Security Everywhere,” said Manny Rivelo, CEO of Forcepoint. “We’re deliveringenterprise-wide data security plus the power and flexibility of Forcepoint ONE SSE to keep data safe at all times, even after it is accessed.Comprehensive data security is a critical capability within our Data-first SASE solution, providing the visibility and control organizations need to protect their data and simplify Zero Trust security.”

In two years, humanity's collective data will reach 175 billion terabytes -- the number 175 followed by 21 zeros. This data includes everything that powers business and consumers’ day-to-day lives. It is accessed and used by hybrid workforces on corporate endpoints and personal devices such as phones and tablets to do their jobs. Forcepoint Data Security Everywhere is a direct response to the reality that business productivity depends upon people having the ability to safely and efficiently use data anywhere.

By connecting Forcepoint Enterprise DLP to the Forcepoint ONE Security Service Edge (SSE) platform, customers can extend a new or existing enterprise DLP policy, including its advanced classifiers, data fingerprinting, and enforcement settings, to the web and cloud. A unified security policy from Forcepoint protects sensitive data across all channels, including endpoints, websites, cloud services, networks, email and private apps.Forcepoint’s data-first approach goes far beyond basic data protection that is often built into SASE solutions. By classifying data and organizing it into different groups rather than relying on hardcoded patterns, Forcepoint data security policies can be written once and enforced everywhere to automatically handle new instances and types of sensitive data.This end-to-end enforcement is ideal for organizations with cloud-based applications or distributed workforces.

**Key Benefits of Enforcing Data Security Everywhere**

*   Adds Forcepoint ONE SSE channels to Forcepoint Enterprise DLP, protecting data across any website, cloud application, and web-based private applications. 
*   Applies new or existing DLP policies across CASB, SWG, and ZTNA channels. 
*   Simplifies DLP management by leveraging over 1,600 out-of-the-box classifiers, policies and templates enabling granular enforcement for files.
*   Gives security operations center (SOC) and IT teams complete incident reporting and forensic information from a single management console.

Forcepoint Data Security Everywhere is immediately available direct from Forcepoint and through the company’s global network of channel partners.

**AI-powered Data Visualization with Forcepoint ONE Insights**

Further extending the value-added capabilities of Forcepoint ONE, in late Q2 2023 the company will unveil Forcepoint ONE Insights, formerly code-named Symphony, which provides economic value and advanced security analytics for real-time insights into an organization's security status.

Forcepoint ONE Insights technology, included with all Forcepoint ONE subscriptions, uses machine learning and artificial intelligence to analyze security data from multiple sources, such as network traffic, endpoint devices, and cloud applications. Using the at-a-glance visualization, security teams can identify potential threats more quickly, reducing the risk of data breaches. They can also see in real-time dashboards showing the economic value and ROI of their use of Forcepoint ONE.

**Meet Forcepoint Experts at RSA 2023**

During the week of RSA, April 25-27, the company will provide hands-on opportunities with Forcepoint Data Security Everywhere and Forcepoint ONE Insights at the Forcepoint Experience Center on the fourth floor of the St. Regis San Francisco. Organizations that want to learn more and get demos can request a meeting.

**Additional information**

*   Read the Data Security Everywhere blog \[link\]
*   Read the Forcepoint Insights blog \[link\]
*   Learn about Data-first SASE
*   Learn about Forcepoint ONE, FlexEdge Secure SD-WAN

**About Forcepoint**

Forcepoint simplifies security for global businesses and governments. Forcepoint’s all-in-one, truly cloud-native platform makes it easy to adopt Zero Trust and prevent the theft or loss of sensitive data and intellectual property no matter where people are working. Based in Austin, Texas, Forcepoint creates safe, trusted environments for customers and their employees in more than 150 countries. Engage with Forcepoint on www.forcepoint.com, Twitter, and LinkedIn.

Tag

#cisco