Lawmakers are increasingly hellbent on punishing the popular social network while efforts to pass a broader privacy law have dwindled.

“We hope that Congress will explore solutions to their concerns about TikTok that won’t have the effect of censoring the voices of millions of Americans,” says TikTok spokesperson Brooke Oberwetter. “The swiftest and most thorough way to address national security concerns is for CFIUS to adopt the proposed agreement that we worked with them on for nearly two years. That plan includes layers of government and independent oversight to ensure that there are no backdoors into TikTok that could be used to access data or manipulate the platform. These measures go beyond what any peer company is doing today on security.”  

Over in the House, Rubio’s tough-on-tech allies just got new job titles and powers. Representatives Mike Gallagher of Wisconsin, a Republican, and Raja Krishnamoorthi of Illinois, a Democrat, are now the chair and ranking member, respectively, of the new House Select Committee on China established by Speaker Kevin McCarthy. While their new roles go beyond tech and TikTok, the two are eager to use their new perch to punish TikTok, in part, for stonewalling Congress.

“Part of the reason there’s not good data is \[that\] TikTok hasn’t responded to basic questions,” says Gallagher, who’s advocating for TikTok to be fully divested from ByteDance. “We’ve asked for transparency around their algorithms in general. There’s this question about how they intended to use their location tracking service that they would never really answer.”

Bipartisanship has been key to anti-TikTok efforts, but conservatives—and the GOP’s powerful messaging machine—have rallied around what, to them, is a glaring new national security threat. While US tech firms are now the punching bag for America’s right who accuse them of “censoring” them, most Republicans say this TikTok debate supersedes domestic political and corporate squabbles. They say there’s no comparing Silicon Valley to ByteDance.

“Can we just admit that the Chinese Communist Party is an adversary and Silicon Valley is not an actual adversary?” says senator Kevin Cramer of North Dakota, a Republican. “There are similar issues, but they’re not the exact same issues. The Chinese Communist Party is an adversary. Silicon Valley is an unruly child.”

Whether the fears are warranted or ungrounded, Congress isn’t even having the right debate, according to Senate Finance Committee chair Ron Wyden, a Democrat from Oregon. “Banning TikTok would be a godsend for sleazy rip-off data brokers,” the Oregon Democrat says. “TikTok is one piece of the puzzle, but don’t miss the overall challenge—because until you reign in these data brokers … you’re going to have all kinds of people’s personal data in America still on its way to China and hostile powers.”

Nevertheless, bipartisan anti-TikTok energy remains palpable in DC, especially because the app is so popular, with around 113 million users in the US, according to web analytics firm Statista. And with Beijing’s proven willingness to use technology to control its own citizens, US policymakers fear the CCP will soon distort the world for millions of unsuspecting Americans. 

“If you can dial these algorithms to say what kind of content \[people see\], it’s hugely problematic in terms of a propaganda tool,” Warner, the Senate Intelligence Committee chair, says.  

Warner supports reining TikTok in, but he remains skeptical of these new efforts to outright ban the app. He’s been left holding his tongue while awaiting more detailed information and a potential policy solution from the Justice Department. It’s not an either-or, though, according to privacy advocates in Congress. While they argue TikTok is the immediate concern, they also want to regulate Silicon Valley.

“I think there’s a need for both. We still need to get a big privacy bill,” Democratic senator Maria Cantwell of Washington says.

Cantwell chairs the Senate Commerce Committee, which is where many of these bipartisan efforts have died, in part because she’s demanded a higher federal privacy standard—or at least one that doesn’t supersede stout state laws, like California’s—than Republicans have been willing to accept. She says the reason the TikTok ban sailed through in December is that the government funding bill was “held hostage over it” by the GOP.

“With Big Data, there can be abuses, and we need to rein it in. Period,” Cantwell says. “There’s just a lot more work to be done, and my colleagues have to have the same bipartisan zeal to address those issues.”

Why the US Congress Wants to Ban TikTok

Despite increased threats, an uncertain economy, and increasing automation, your organization can still thrive.

When the vulnerability in Log4j happened, security teams sought the answer to a seemingly simple question: Am I vulnerable?

Answering that question led to a maelstrom of activity. Security groups requested information from vendors about their level of vulnerability and, in turn, had to respond to their customers about whether they were vulnerable. In many ways, the entire exercise seemed more about legal obligations than making people more secure.

The deluge of information — some of it useful, some of it useless — highlighted the need to rethink how we are doing security in the future.

We're living in a chaotic time. With a possible recession, technology companies trimming their ranks, and businesses pushing further into the cloud and adopting more automation and AI, security teams need to re-evaluate. Do they just follow the traditional playbook without thinking why? Or do they improve what they are doing to make security better?

Here are some focus areas to reduce chaos and increase overall security effectiveness.

**Simplify for Greater Visibility**

Gaining visibility into your applications and infrastructure is essential. Companies expanding their use of the cloud and converting applications to cloud-native infrastructure often see initial growing complexity because of a period of redundancy and hybrid infrastructure.

Pushing beyond that stage provides both cost and security benefits. Limiting the use of third-party tools to capture and analyze data for security teams is important. There's really no reason to, say, pull NetFlow data off the cloud infrastructure, when that same data — and more — is natively available.

Explore your cloud service provider's tools. Major cloud providers will often provide you detailed data, and you can reduce the complexity of the infrastructure needed to analyze that data.

**Pay Attention to Even the "Small" Breaches**

When NASA astronauts start getting emails in French, it's time to investigate.

That's what happened to Gavin early in his security career. Turns out two students in France were using Telnet to get into the NASA server and using it to send email. The incident ended up driving a greater project around making sure NASA had a robust data classification system and better data isolation.

Weird anomalies can be signs of an attack, but they can also drive a security team to better understand their organization's infrastructure. Investigations are time consuming but also often worthwhile, so even the small stuff should be investigated.

**Threat Intelligence Can Help**

Usually, a security team's most precious commodity is time. The old method of analyzing every IT project (even as they are changing) and looking for security issues is untenable.

Threat intelligence can help cut through the noise. By using threat intelligence, your security team can take a priority-based approach to architecture based on real-world attack intelligence. At the same time, they can deprioritize other areas. Threat intelligence can also help refine your playbooks and increase the maturity of your security team.

**Thriving With Automation, Planning for Layoffs**

Security teams are facing other sorts of stress, with most economists expecting a recession. Security teams still need to be able to perform, despite stressors and even in the face of losing some of their headcount.

To focus on the most important aspects of security, even with fewer people, companies need to adopt more automation, machine learning, and artificial intelligence. Every team should be asking how to speed up manual tasks with automation. Automation, correctly applied, can free up staff to be working on the areas.

In the past, security teams have been considered a roadblock — a bump on the way to a company's core business of making money. Most teams have moved past the reflexive need to say no. We're here to make sure that the business is taking educated risks, but at the end of the day, just saying no to everything doesn't help anyone.

As every security manager surveys the horizon, they need to look at how they have traditionally approached problems. And they should consider whether now is time to say yes to something new.

Headwinds Don't Have to Be a Drag on Your Security Effectiveness

It's a banner year for attacks coming through traditional email as well as newer collaboration technologies, such as Slack and Microsoft Teams. What's next?

Phishing and other messaging-based attacks continue to be a pervasive threat, with 97% of companies seeing at least one email phishing attack in the past 12 months and three-quarters of firms expecting significant costs from an email-based attack.

That's according to the "State of Email Security" (SOES) report, based on a survey of 1,700 IT professionals published by Mimecast this week. The report also found that the most significant email-borne threats continue to be phishing, ransomware, and spoofing. 

Two-thirds of respondents acknowledged a successful ransomware attack, with companies in certain industries more likely to be a victim, including consumer services (87%), energy (83%), healthcare (80%) and the media and entertainment (86%) sectors. On the spoofing side, 91% of those surveyed had seen attempts to steal or use their email domain in an attack, according to the survey.

The increased concern about cyberattacks via email and collaboration platforms comes as companies have shifted to hybrid work environments, making tools like Slack and Microsoft Teams popular ways of exploitation by opportunistic cybercriminals. Nearly three-quarters of companies surveyed feel it is likely or extremely likely that their company will suffer an attack delivered through their collaboration tools, according to the study, which was conducted by market research firm Vanson Bourne.

"While email remains the primary attack vector for bad actors, collaboration tools provide a new threat surface for cybercriminals to infiltrate," the report stated. "And this, in turn, creates even more risk for CISOs and their teams to manage."

Though certainly not a new area, attacks on messaging and collaboration software are a growing source of compromise for companies. In its quarterly "Phishing Activity Trends Report," the Anti-Phishing Working Group (APWG) detected 1.3 million attacks in third quarter of 2022, up from 1.1 million phishing attacks in the second quarter of 2022. Attackers are also getting better at fooling defenses and sneaking into users' inboxes, with 19% of phishing attacks bypassing platform defenses, according to a report released in October.

With the ramped-up activity comes more awareness, at least. "More \[company\] leaders are increasingly aware of the dangerous ramifications cyberattacks pose against their business," says Thom Bailey, senior director of strategy at Mimecast. "However, organizations are still behind the curve in terms of security posture."

**Collaboration Tools Expand Quickly**

Collaboration tools represent an expanding attack surface area, according to the SOES survey. While the vast majority of professionals (90%) maintain that collaboration tools are essential to their company's workflow, keeping up with the installed base of tools is "overwhelming," according to those polled. Two-thirds of professionals (67%) are overwhelmed by the number of tools, and more than half (55%) have to attempt to detect and manage tools downloaded by workers without approval.

That said, whether the attacker uses email as their vector, or Slack or Teams, the end goal is the same, Bailey says.

"It’s important to remember that even though the attack vector is slightly different, the human end user is still the key target," he says. "The majority of attacks targeting collaboration channels leverage the human element, where an adversary makes a compelling appeal for a recipient to engage with the attacker."

On the email side, more companies are adopting email security specifications, such as Domain-based Message Authentication, Reporting and Conformance (DMARC) and Brand Indicators for Message Identification (BIMI) to prevent spoofing. To protect their domains, 88% of survey respondents would like to use the DMARC standard to make their email more resilient to spoofing attacks. Unfortunately, only a bit more than a quarter (27%) have actually deployed the features, according to the SOES survey.

**Can ChatGPT Help With Phishing as Well?**

While anti-spam engines are among the earliest applications of machine learning to cybersecurity, most professionals aim to go further, with 92% either using or planning to use artificial intelligence (AI) features and machine learning (ML) to bolster their current defenses. Doing so can help cybersecurity teams keep up with attackers, Bailey says.

"When combined with natural language processing tools such as auto-encoders or large language models, \[AI\] can help detect anomalies in the writing style and communication patterns of inbound emails, blocking messages and alerting employees accordingly," he says. "It also helps reduce human error ... further enabling strained IT teams ... to offset critical workforce challenges by automating repetitive tasks and streamlining workflows to drive higher levels of efficiency."

The SOES survey included professionals from companies of various sizes, including 15% with fewer than 500 employees, 76% with between 500 and 10,000 employees, and 9% with more than 10,000 employees. The top industry sectors represented by the survey professionals included financial services (14%), technology and telecommunications (13%), retail (13%), and healthcare (11%).

Phishing Fears Ramp Up on Email, Collaboration Platforms

Technology tuck-in enhances industry's broadest XDR security platform.

**DALLAS****,** **Feb. 22, 2023** **/PRNewswire/ --** Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, has announced the signing of a definitive agreement to acquire Anlyz, a leading provider of security operations center (SOC) technology. The acquisition will extend Trend's orchestration, automation and integration capabilities and will enable enterprises and Managed Security Service Providers (MSSPs) to improve operational efficiencies, cost effectiveness and security outcomes.

The deal encompasses intellectual property, industry expertise and more than 40 technical employees all focused on bolstering Trend's security platform strategy. With this acquisition, the company will expand its engineering team of over 3000, adding a new research & development center in Bangalore, India.

Managed Security Service Providers (MSSPs) will be empowered to grow their strategic SOC services while minimizing the complexity of the underlying security stack by reducing the number of technology vendors needed. Trend's enterprise customers will benefit from a comprehensive extended detection and response (XDR) and incident response orchestration platform that can maximize analyst productivity and help relieve resource constraints.

Gartner research stated, "As buyers, both end customers and service providers, continue to consolidate vendors/providers, buyers will seek best-of-suite and integrated solutions over best-of- breed point solutions. Preferred technology vendors will be those that ease integration with other IT and security technology and tools within the environment, supporting efforts toward use-case-based outcomes."\[1\]

"We are happy to welcome the Anlyz team into the Trend family – together we are increasing SOC effectiveness and reducing both the technology and resources burdens," said Kevin Simzer, Chief Operating Officer at Trend Micro. "Due to market pressure, we see organizations moving past security point-solution experiments in preference for platform breadth that allows for vendor consolidation, maximized return on investments and efficiencies."

Trend Micro and Anlyz have been technology alliance partners since 2021 and share more than 30 joint customers that are positioned to move forward quickly to capitalize on the opportunities ahead.

\[1\] Gartner®, Emerging Trends: Future of Security Services, Shawn Eftink, John Collins, November 2021 GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Eventus TechSol is one of the many MSSPs powering joint customers delivering measurable "XDR Powered SOC" improvements for clients. "We have reduced the mean-time-to-detect and mean-time-to-respond ratio, down from weeks to hours for incidents," said Jay Thakker, Practice Head at the company. "We use playbooks for log enrichment and automated response as well as threat intelligence and threat hunting capabilities provided by the platform to proactively hunt for known and behavioral attacks."

Anlyz has primarily focused on security orchestration and case management delivering powerful SOAR capabilities for MSSPs to manage the incident response process across multiple clients. It also offers intelligent log aggregation enabling data ingestion and enrichment across a range of data sources and security solutions, using a high performance, scalable architecture. Trend will leverage Anlyz's SOAR solution and rich set of product connectors to broaden its platform and enable additional integration and automation options across customers' IT ecosystems.

Trend's MSSP channel customers will benefit from:

*   An anchor technology platform to manage the SOC function for their clients
*   A reduced requirement to architect individual custom solutions for their customers, thanks to an integrated core stack and multi-tenant view out of the box
*   Visibility, analysis, and automation across Trend, third-party products, and customer instances, making it easier to manage XDR across multiple customers
*   A scalable, flexible, and feature-rich platform to appeal to all types of customers no matter the size and complexity of their IT environment

**Notice Regarding Forward-Looking Statements**

Certain statements included in this press release that are not historical facts are forward-looking statements. Forward-looking statements are sometimes accompanied by words such as "believe," "may," "will," "estimate," "continue," "anticipate," "intend," "expect," "should," "would," "plan," "predict," "potential," "seem," "seek," "future," "outlook" and similar expressions that predict or indicate future events or trends or that are not statements of historical matters. These forward-looking statements include, but are not limited to, statements concerning the future plans or prospects for the acquisition. These statements are based on our current expectations and beliefs and are subject to a number of factors and uncertainties that could cause actual results to differ materially from those described in the forward-looking statements. Although we believe that the expectations reflected in our forward-looking statements are reasonable, we do not know whether our expectations will prove correct. You are cautioned not to place undue reliance on these forward-looking statements, which speak only as of the date hereof, even if subsequently made available by us on our website or otherwise. We do not undertake any obligation to update, amend or clarify these forward-looking statements, whether as a result of new information, future events or otherwise, except as may be required under applicable securities laws.

**About Trend Micro**

Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, the platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 65 countries, Trend Micro enables organizations to simplify and secure their connected world. www.TrendMicro.com.  

The Gartner Report(s) described herein, (the "Gartner Report(s)") represent(s) data, research opinion or viewpoints published, as part of a syndicated subscription service, by Gartner, Inc. ("Gartner"), and are not representations of fact. Each Gartner Report speaks as of its original publication date (and not as of the date of this Prospectus) and the opinions expressed in the Gartner Report(s) are subject to change without notice.

SOURCE Trend Micro Incorporated

Trend Micro Acquires SOC Technology Expert Anlyz

Attackers are now using multiple types of distributed denial-of-service (DDoS) attacks to take down sites. Here are some ways to defend and protect.

Distributed denial-of-service (DDoS) attacks occur when an individual device, known as a bot, or a network of devices, known as a botnet, is infected with malware. These bots or botnets flood websites with increased traffic volumes over a period of hours or even days in an attempt to take services offline. Recently, hacktivist groups have begun leveraging DDoS attacks to extort site owners for financial, competitive advantage, or political reasons. This can represent a serious threat for enterprise businesses.

Planning and preparation are key to developing an effective DDoS defense. But first you need to understand how these attacks work.

**DDoS Attack Types**

New DDoS attack vectors emerge every day thanks to innovative artificial intelligence (AI) technology and a growing cybercrime ecosystem. But in general, there are three main types of DDoS attacks, each of which encompasses a variety of cyberattacks. The first is known as a volumetric attack, which primarily focuses on bandwidth and is designed to overwhelm the network layer with traffic. For example, domain name server (DNS) amplification attacks leverage open DNS servers to flood a target with DNS response traffic.

Another type of DDoS is a protocol attack, which exploits weaknesses in Layers 3 and 4 of the protocol stack, targeting critical resources. For example, synchronization packet floods (SYN) will consume all available server resources as a way to make servers unavailable.

Finally, a resource layer attack disrupts data transmission between hosts by targeting web application packets. For example, SQL injection attacks will insert malicious code into strings. These strings are subsequently passed to a SQL server to be parsed and executed.

And while these categories can cover a broad range of DDoS attacks, security teams also need to be aware that cybercriminals can compromise their networks by using multiple attack types from different categories.

**Protecting Against, Responding to DDoS Attacks**

When websites or servers go down, companies risk losing sales and customers, incurring high recovery costs and damaging their reputations. In some regions and industry sectors, they may even be subject to penalties and fines. Here are four ways to respond to DDoS attacks.

**1\. Evaluate Your Risks and Make Sure You're Protected**

The first step is to identify the publicly exposed applications within your organization. Make sure you note typical application behavior patterns so you can identify anomalies and respond accordingly. Because DDoS attacks typically spike during peak business seasons, such as the holidays, organizations should look for scalable DDoS protection services with advanced mitigation capabilities. Specific service features include traffic monitoring; adaptive real-time tuning; DDoS protection telemetry, monitoring, and alerting; and access to a rapid response team.

**2\. Get Prepared With a DDoS Response Strategy**

One proactive measure that all companies should take is to develop a rapid response strategy. Start by forming a DDoS rapid response team that knows how to identify, mitigate, and monitor attacks. This team should also be able to work with internal stakeholders and customers.

**3\. Identify Potential Weaknesses**

Use attack simulations to understand how your services will respond in the event of an attack. These simulations should confirm that your services or applications will be able to function normally without disrupting users' experiences, and they should happen during off-business hours or within a staging environment to minimize business impact. When conducting an attack simulation, make sure you identify potential technology and process gaps to inform your DDoS response strategy.

**4\. Respond, Learn, Adapt In the Face of Attacks**

In the event of an actual DDoS attack, contact an established DDoS response team or other technical professionals to conduct your attack investigation and post-attack analysis. This retrospective analysis is especially critical as it can help to clarify whether service or user disruptions were due to a lack of scalable architecture. Focus your evaluation on which applications or services experienced the greatest disruptions, as well as the effectiveness of your DDoS response strategy.

Of course, DDoS attacks are just one type of emerging cyberthreat. For more information on ongoing cybersecurity developments and best practices, check out Microsoft Security Insider.

4 Tips to Guard Against DDoS Attacks

As Russia has accelerated its cyberattacks on its neighbor, it's barraged the country with an unprecedented volume of different data-destroying programs.

Despite that sheer volume of wiper malware, Russia's cyberattacks against Ukraine in 2022 have in some respects seemed relatively ineffective compared to previous years of its conflict there. Russia has launched repeated destructive cyberwarfare campaigns against Ukraine since the country's 2014 revolution, all seemingly designed to weaken Ukraine's resolve to fight, sow chaos, and make Ukraine appear to the international community to be a failed state. From 2014 to 2017, for instance, Russia's GRU military intelligence agency carried out a series of unprecedented cyberattacks: They disrupted and then attempted to spoof results for Ukraine's 2014 presidential election, caused the first-ever blackouts triggered by hackers, and finally unleashed NotPetya, a self-replicating piece of wiper malware that hit Ukraine, destroying hundreds of networks across government agencies, banks, hospitals, and airports before spreading globally to cause a still-unmatched $10 billion in damage.

But since early 2022, Russia's cyberattacks against Ukraine have shifted into a different gear. Instead of masterpieces of malevolent code that required months to create and deploy, as in Russia's earlier attack campaigns, the Kremlin's cyberattacks have accelerated into quick, dirty, relentless, repeated, and relatively simple acts of sabotage.

In fact, Russia appears, to some degree, to have swapped quality for quantity in its wiper code. Most of the dozen-plus wipers launched in Ukraine in 2022 have been relatively crude and straightforward in their data destruction, with none of the complex self-spreading mechanisms seen in older GRU wiper tools like NotPetya, BadRabbit, or Olympic Destroyer. In some cases, they even show signs of rushed coding jobs. HermeticWiper, one of the first wiping tools that hit Ukraine just ahead of the February 2022 invasion, used a stolen digital certificate to appear legitimate and avoid detection, a sign of sophisticated pre-invasion planning. But HermeticRansom, a variant in the same family of malware designed to appear as ransomware to its victims, included sloppy programming errors, according to ESET. HermeticWizard, an accompanying tool designed to spread HermeticWiper from system to system, was also bizarrely half-baked. It was designed to infect new machines by attempting to log in to them with hardcoded credentials, but it only tried eight usernames and just three passwords: 123, Qaz123, and Qwerty123.

Perhaps the most impactful of all of Russia's wiper malware attacks on Ukraine in 2022 was AcidRain, a piece of data-destroying code that targeted Viasat satellite modems. That attack knocked out a portion of Ukraine's military communications and even spread to satellite modems outside the country, disrupting the ability to monitor data from thousands of wind turbines in Germany. The customized coding needed to target the form of Linux used on those modems suggests, like the stolen certificate used in HermeticWiper, that the GRU hackers who launched AcidRain had carefully prepared it ahead of Russia's invasion.

But as the war has progressed—and as Russia has increasingly appeared unprepared for the longer-term conflict it mired itself in—its hackers have switched to shorter-term attacks, perhaps in an effort to match the pace of a physical war with constantly changing front lines. By May and June, the GRU had come to increasingly favor the repeated use of the data-destruction tool CaddyWiper, one of its simplest wiper specimens. According to Mandiant, the GRU deployed CaddyWiper five times in those two months and four more times in October, changing its code only enough to avoid detection by antivirus tools.

Even then, however, the explosion of new wiper variants has only continued: ESET, for instance, lists Prestige, NikoWiper, Somnia, RansomBoggs, BidSwipe, ZeroWipe, and SwiftSlicer all as new forms of destructive malware—often posing as ransomware—that have appeared in Ukraine since just October.

But ESET doesn't see that flood of wipers as a kind of intelligent evolution, so much as a kind of brute-force approach. Russia appears to be throwing every possible destructive tool at Ukraine in an effort to stay ahead of its defenders and inflict whatever additional chaos it can in the midst of a grinding physical conflict. 

“You can’t say their technical sophistication is increasing or decreasing, but I would say they’re experimenting with all these different approaches,” says Robert Lipovsky, ESET's principal threat intelligence researcher. “They're all in, and they're trying to wreak havoc and cause disruption.”

Ukraine Suffered More Wiper Malware in 2022 Than Anywhere, Ever

If you Google "third-party data breaches" you will find many recent reports of data breaches that were either caused by an attack at a third party or sensitive information stored at a third-party location was exposed. Third-party data breaches don't discriminate by industry because almost every company is operating with some sort of vendor relationship – whether it be a business partner,

If you Google "third-party data breaches" you will find many recent reports of data breaches that were either caused by an attack at a third party or sensitive information stored at a third-party location was exposed. Third-party data breaches don't discriminate by industry because almost every company is operating with some sort of vendor relationship – whether it be a business partner, contractor or reseller, or the use of IT software or platform, or another service provider. Organizations are now sharing data with an average of 730 third-party vendors, according to a report by Osano, and with the acceleration of digital transformation, that number will only grow.

****The Importance of Third-Party Risk Management****

With more organizations sharing data with more third-party vendors, it shouldn't be surprising that more than 50% of security incidents in the past two years have stemmed from a third-party with access privileges, according to a CyberRisk Alliance report.

Unfortunately, while most security teams agree that supply chain visibility is a priority, the same report notes that only 41% of organizations have visibility into their most critical vendors and only 23% have visibility into their entire third-party ecosystem.

The reasons for the lack of investment into Third Party Risk Management (TPRM) are the same that we consistently hear – lack of time, lack of money and resources, and it's a business need to work with the vendor. So, how can we make it easier to overcome the barriers to managing third-party cyber risk? Automation.

****The Benefits of Automation****

Automation empowers organizations to do more with less. From a security perspective, here are just some of the benefits automation provides, as highlighted by Graphus:

*   76 % of IT executives in a cybersecurity survey said that automation maximizes the efficiency of security staff.
*   Security automation can save more than 80% over the cost of manual security.
*   42% of companies cited security automation as a major factor in their success at improving their cybersecurity posture.

With regards to TPRM, automation can transform your program by:

****Step 1 - Assess your vendors with Continuous Threat Exposure Management (CTEM)****

Continuous threat exposure assessments include comprehensive assessments that incorporate the following:

*   Automated asset discovery
*   External infrastructure/Network Assessments
*   Web application security assessment
*   Threat intelligence informed analysis
*   Dark web findings
*   More accurate security rating

This is a more comprehensive analysis of third parties compared to just sending questionnaires. A manual questionnaire process can take between 8-40 hours per vendor, provided that the vendor responds quickly and accurately. But this approach doesn't allow the ability to see vulnerabilities or validate the effectiveness of the required controls in a questionnaire.

Incorporating an automated threat exposure assessment capability and integrating it with questionnaires can reduce the time to review vendors, and we've found that the combination can reduce the time to assess and onboard new vendors by 33%.

****Step 2 – Use a Questionnaire Exchange****

Organizations that manage many questionnaires, or vendors that respond to many questionnaires, should consider using a questionnaire exchange. Simply stated, it's a hosted repository of completed standard or custom questionnaires that can be shared with other interested parties upon approval.

If you select a platform that performs the automation described above, both parties get a verified and automated approach to the most recent questionnaires that are auto-validated by continuous assessments. Again, this can save your team time by requesting access to existing questionnaires or scaling their time in the response of a new questionnaire that can be reused upon request.

****Step 3 - Continuously combine threat exposure findings with the questionnaire exchange****

Security ratings alone don't work. Using questionnaires alone to assess third parties doesn't work. Threat exposure management, which incorporates accurate security ratings from the direct assessments, combined with validated questionnaires - where the questionnaire is querying the assessment and updating the security rating - provides you with a powerful solution for continuous Third-Party Risk Management. Platforms that use active and passive assessments, and don't solely rely on historical OSINT data, provide the most accurate attack surface visibility – since it's of a third-party at that time.

This information can be leveraged to auto-validate the applicable controls in the questionnaire for security and compliance framework requirements and flag any discrepancy between the client answer and the technology assessment finding. This gives organizations a real "trust but verify" approach toward third-party reviews. Since this can be done quickly, you can be notified when third parties become non-compliant with specific technical controls.

Organizations looking to maximize the efficiency of their third-party cyber risk management program should look to add automation to their processes. In more difficult macro-economic environments companies can turn to automation to reduce the toil that their team performs, while still achieving progress and results, in exchange for team members being able to focus on other initiatives.

**Note:** Victor Gamra, CISSP, a former CISO, has authored and provided this article. He is also the Founder and CEO of FortifyData, an industry-leading Continuous Threat Exposure Management (CTEM) firm. FortifyData empowers businesses to manage cyber risk at the organizational level by incorporating automated attack surface assessments, asset classification, risk-based vulnerability management, security ratings, and third-party risk management into an all-in-one cyber risk management platform. To learn more, please visit www.fortifydata.com.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

3 Steps to Automate Your Third-Party Risk Management Program

Shipping companies and medical laboratories in Asia have been the subject of a suspected espionage campaign carried out by a never-before-seen threat actor dubbed Hydrochasma.
The activity, which has been ongoing since October 2022, "relies exclusively on publicly available and living-off-the-land tools," Symantec, by Broadcom Software, said in a report shared with The Hacker News.
There is no

Cyber Espionage / Cyber Attack

Shipping companies and medical laboratories in Asia have been the subject of a suspected espionage campaign carried out by a never-before-seen threat actor dubbed **Hydrochasma**.

The activity, which has been ongoing since October 2022, "relies exclusively on publicly available and living-off-the-land tools," Symantec, by Broadcom Software, said in a report shared with The Hacker News.

There is no evidence available as yet to determine its origin or affiliation with known threat actors, but the cybersecurity company said the group may be having an interest in industry verticals that are involved in COVID-19-related treatments or vaccines.

The standout aspects of the campaign is the absence of data exfiltration and custom malware, with the threat actor employing open source tools for intelligence gathering. By using already available tools, the goal, it appears, is to not only confuse attribution efforts. but also to make the attacks stealthier.

The start of the infection chain is most likely a phishing message containing a resume-themed lure document that, when launched, grants initial access to the machine.

From there, the attackers have been observed deploying a trove of tools like Fast Reverse Proxy (FRP), Meterpreter, Cobalt Strike Beacon, Fscan, BrowserGhost, and Gost proxy.

"The tools deployed by Hydrochasma indicate a desire to achieve persistent and stealthy access to victim machines, as well as an effort to escalate privileges and spread laterally across victim networks," the researchers said.

The abuse of FRP by hacking groups is well-documented. In October 2021, Positive Technologies disclosed attacks mounted by ChamelGang that involved using the tool to control compromised hosts.

Then last September, AhnLab Security Emergency response Center (ASEC) uncovered attacks targeting South Korean companies that leveraged FRP to establish remote access from already compromised servers in order to conceal the adversary's origins.

Hydrochasma is not the only threat actor in recent months to completely eschew bespoke malware. This includes a cybercrime group dubbed OPERA1ER (aka Bluebottle) that makes extensive use of living-off-the-land, dual use tools and commodity malware in intrusions aimed at Francophone countries in Africa.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hydrochasma: New Threat Actor Targets Shipping Companies and Medical Labs in Asia

Which of the myriad, extant cyberthreats should your business be paying the most attention to in 2023? 



(Read more...)




The post The 5 most dangerous cyberthreats facing businesses this year appeared first on Malwarebytes Labs.

Which of the myriad, extant cyberthreats should your business be paying the most attention to in 2023? 

That’s the question we set out to answer in this year’s annual State of Malware report, and the answers might surprise you. To understand why, you need to know what makes this year’s report so different from previous ones.

Unquestionably, over the last five years, the most serious cybersecurity task facing businesses has changed from defending against waves of malicious, email-borne malware to stopping seasoned criminals armed with Ransomware-as-a-Service (RaaS).

RaaS attacks can be extraordinarily severe. They can bring entire organizations to a halt, come with ruinous ransoms, and may take months of dedicated effort to recover from. They represent an existential threat to businesses.

The worst-of-the-worst is LockBit, the first on our list of the most dangerous threats you face. LockBit’s largest known ransom demand in 2022 was $50 million, although multiple sources report even higher demands were made. Its victims included businesses of all sizes, from local law firms with a handful of employees to multi-national enterprises.

LockBit was the most widely used RaaS in 2022, by far. It accounted for almost a third of all known RaaS attacks, and more than three times as many as its closest competitor, ALPHV.

Known attacks by the top 5 RaaS groups in 2022

And yet, if you were to create a list of the most detected malware from last year, you wouldn’t see LockBit on it. In fact, you wouldn’t see any RaaS on it. In cybersecurity, what’s common and what’s serious have diverged markedly.

For that reason, lists of the most detected malware are gone from this year’s report. In their place, we asked our experts—our threat intelligence analysts, and the threat hunters in our Managed Detection and Response (MDR) team: What essential information do resource-constrained organizations need to know?

They came up with a list of the five worst-in-class malware threats spanning Windows, Android and macOS. The report explains what these threats do and why, what it takes to detect them, and what it takes to recover from an attack. Each of our five is an archetype, so if you prepare to stop them, you’re well prepared for anything, on any of your devices.

Compiling our report like this also led us to an important insight: The most dangerous attacks you will face are not from the strangest new malware, the most sophisticated, the most eye-catching, or the most prevalent.

Instead, the most dangerous threats come from a set of known, mature tools and tactics that an entire ecosystem of cybercriminals rely upon to take in billions of dollars a year. Criminals have come to rely upon these attack types and their vectors because they work, and they work because they are hard to defend against and difficult to remove.

The 2023 State of Malware report explains what they are, how they find their victims, and how to avoid becoming one of them.

To learn more about LockBit and how to defend against it, and to discover the four other threats you should prepare for this year, download the 2023 State of Malware report. In it you will also learn:

*   What it takes to stop what Europol called the “world’s most dangerous malware.”
*   Why there was a 300% increase in some new malware delivery methods.
*   How to catch the emerging, hard-to-detect attacks that don’t rely on malware.
*   Why security people are as important as security software.

Get the 2023 State of Malware report

The 5 most dangerous cyberthreats facing businesses this year

At the beginning of January, Gcore faced an incident involving several L3/L4 DDoS attacks with a peak volume of 650 Gbps. Attackers exploited over 2000 servers belonging to one of the top three cloud providers worldwide and targeted a client who was using a free CDN plan. However, due to Gcore’s distribution of infrastructure and a large number of peering partners, the attacks were mitigated,

Server Security / DDoS Attack

At the beginning of January, Gcore faced an incident involving several L3/L4 DDoS attacks with a peak volume of 650 Gbps. Attackers exploited over 2000 servers belonging to one of the top three cloud providers worldwide and targeted a client who was using a free CDN plan. However, due to Gcore's distribution of infrastructure and a large number of peering partners, the attacks were mitigated, and the client's web application remained available.

****Why was mitigating these attacks so significant?****

**1\. These attacks were significant because they exceeded the average bandwidth of similar attacks by 60×.** The performed attacks relate to volume-based attacks targeted to saturate the attacked application's bandwidth in order to overflow it. Measuring total volume (bps)—rather than the number of requests—is the way these attacks are usually tabulated.

The average bandwidth of this attack type is generally in the tens of Gbps (about 10 Gbps). Therefore, the specified attacks (at 650 Gbps) exceeded the average value by 60 times. Attacks of this volume are rare and are of particular interest to security experts.

Additionally, this value (650 Gbps) is comparable to the record DDoS attack on the largest Minecraft server (2.4 Tbps), only one-fourth as massive.

**2\. The client being attacked was using a CDN plan without additional DDoS protection.** When clients use Gcore's CDN (as part of the Edge Network), the malicious traffic of the L3/L4 attacks directly affects only its infrastructure (it serves as a filter), not the targeted clients' servers. The negative impact falls on the capacity and connectivity of the infrastructure When a CDN is powerful enough, it can protect clients against L3/L4 attacks—even when accessed using a free plan.

****What were the technical specifications of the attacks?****

The duration of the incident was 15 minutes, and at its peak, it reached over 650 Gbps. A possible reason why the incident took so long is that the attackers weighed the ineffectiveness of the attacks (the client application kept running) against their high cost.

The incident consisted of three attacks with different vectors. They are marked with traffic peaks on the diagram below:

1.  **UDP flood attack (~650 Gbps).** Hundreds of millions of UDP packets were sent to the target server to consume the bandwidth of the application and cause its unavailability. Attacks of this vector use a lack of requirements of UDP connection establishment: the attackers can send packets with any data (it increases the volume) and use spoofed IP addresses (it makes it difficult to find the sender).
2.  **TCP ACK flood attack (~600 Gbps).** A large number of packets with the ACK flag were sent to the target server to overflow it. Attacks of this vector are based on the fact that the junk TCP packets do not include a payload, but the server is forced to process them, and it may not have enough resources to handle requests from real end users. A CDN's protection system is capable of filtering packets and not forwarding them to the server if they do not contain payloads and are not bound to an open TCP session.
3.  **A mix of TCP and UDP (~600 Gbps).** A custom variation of the previous two types of attacks.

The distinctiveness of the incident was that the attacks were performed from multiple non-spoofed IP addresses. This allowed specialists to identify that the attackers used 2,143 servers in 44 different regions, and all of the servers belonged to a single public cloud provider. Utilizing Anycast allowed Gcore to absorb the attack 100% over peering connections with this provider.

Sankey diagram showing the source and flow of the attack. Names of the locations from the first column are associated with one of the top 3 cloud providers.

****Why did the attacks not affect the client?****

**1\. Gcore's connectivity through peering with many locations played a key role in mitigating the attacks.** Gcore has over 11,000 peering partners (ISPs), and these partners connect their networks using cables and provide each other with access to traffic originating from their networks. These connections allow for bypassing the public internet and directly absorbing traffic from the peering partners. Additionally, this traffic is either free of charge or costs much less than traffic on the public internet. This low cost makes it possible to protect customer traffic on a free plan.

In the context of the DDoS attack that occurred, the level of connectivity greatly benefited the efficacy of mitigation. Gcore and the cloud provider used to launch the attack are peering partners, so while the attack was happening, Gcore was able to ingest most of the traffic over the cloud provider's private network. This greatly reduced the amount of traffic that needed to be handled by the public internet.

Private peering also enables more accurate filtering and better attack visibility, which leads to more efficient attack mitigation.

**2\. Gcore's large capacity, due to the placement of servers in many data centers, also played a role.** Gcore's edge servers are present in over 140 points of presence and are based on high-performance 3rd generation Intel® Xeon® Scalable processors.

The overall network capacity is over 110 Tbps. With over 500 servers located in data centers worldwide, the company is able to withstand large-scale DDoS attacks. So, the 650 Gbps of traffic could be distributed across the network, and each particular server would only receive 1-2 Gbps, which is an insignificant load.

****Security trends****

According to Gcore's experience, DDoS attacks will continue to grow year over year. In 2021, the attacks reached 300 Gbps, and by 2022, they had increased to 700 Gbps. Therefore, even small and medium-sized businesses need to use distributed content delivery networks such as the CDN and Cloud to protect against DDoS attacks.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel