Lower cybersecurity awareness coupled with vulnerable OT gear makes manufacturers tempting targets, but zero trust can blunt attackers’ advantages.

Everyone in information security knows ransomware actors target different industries for different reasons. Some are seen as flush with cash. Some have obvious reasons for needing to resume operations ASAP. Others are just widely recognized as poorly protected.

But did you know that manufacturers pay the highest ransoms of any vertical?

A recent report spelled it out in stark detail. Across all industries, the average ransom paid is a hefty $812,360. Yet for manufacturing, that average skyrockets to a stunning $2,036,189 — about two and a half times the average.

Attackers prefer easy, weak targets as a rule. So what is it about manufacturing that qualifies such organizations as easy or weak?

First, it’s worth asking whether manufacturers are targeted more often, or if they just happen to fall victim more frequently due to inherent factors like outdated tech or lack of cybersecurity awareness. The next interesting question is why they tend to shell out sums so egregiously above what organizations in other verticals do.

As a chief information security officer (CISO) with years of experience leading cybersecurity operations for a global manufacturer, I have some immediate explanations in mind. Here are some of the factors that inevitably contribute:

*   Manufacturers typically have slim profit margins and rely on steady productivity to compensate.
*   Manufacturers know they won’t make much profit on any one iteration of manufactured goods, so high volume is necessary to hit business targets over time. But high volume requires regular output, uninterrupted by slowdowns or complete outages.
*   While organizations in industries with fatter margins might be able to tolerate an extended outage, manufacturers typically can’t. The result is exceptional pressure on manufacturers to pay ransoms and pay them quickly. That’s why attackers, conscious of all this context and the leverage it gives them, may feel emboldened to charge higher ransoms than they would in other industries.

**Manufacturing Suffers From Low Cybersecurity Awareness**

Many factory workers don’t routinely use IT gear like desktop computers, laptops, or tablets. Some may not even have corporate-issued email addresses. Additionally, very few have received extensive training on current cyber threats, and as such, wouldn’t know how to recognize, react, or, report them to their IT team once they’re spotted.

Think of the most standard, low-hanging fruit of cybersecurity awareness training: the phishing simulation. Even if email addresses are provided (far from a given, especially in manufacturing facilities in the developing world), it’s simply unreasonable to expect employees to develop an understanding of the attack chain that may lead from a phishing email to a compromise by a ransomware actor.

These factors increase an organization’s total attack surface. They make the manufacturer more apparent to attackers and more likely to fall prey to attacks if they appear.

**Manufacturing Data Can Be Extraordinarily Valuable**

Imagine that a drywall manufacturer has a unique proprietary method for creating drywall that dries quickly and can be rapidly shipped on demand, yielding a competitive advantage. This type of intellectual property, once compromised, can easily be held for an exceptionally high ransom, because the entire business model would be in jeopardy if it were to leave the company.

Similar concerns can apply to data involved in market timing. Suppose a clothing manufacturer planned to release a new line in the spring based on a combination of colors its market research found would be in high demand. The company may have orchestrated its entire spring-season marketing and supply chain ordering on that basis. Attackers could hold such information for a substantial ransom, because if it were given to competitors, those competitors may get to market first with a competing product, raking in all the expected benefits.

Operational technology (OT) used by manufacturers typically involves many assets (pumps, generators, turbines, etc.) that are on the IT infrastructure — and thus accessible to attackers — yet difficult to patch or secure. Sometimes, even if an asset can be secured, only its manufacturer can secure it without voiding the asset’s warranty.

Being outdated and insecure doesn’t always make them less valuable to the organization, however. Many times, these are legacy systems are required for a basic function, with no adequate substitute available, so the organization continues using them. Attackers often take advantage in such cases to maximize their leverage in charging ransoms.

Suppose an attacker is interested in compromising a Fortune 500 bank. If that bank is a client of a manufacturer whose security is less sophisticated than the bank’s, attackers could use the manufacturer as a stepping stone.

Additionally, manufacturing organizations often simply don’t realize how many third parties (partners, clients, suppliers) can access their networks and data. They may grant network privileges too easily, and in many cases, those privileges give unrestricted access instead of being limited to just the assets required for business purposes.

**Better Security Is Available Today**

I know from experience that manufacturers can significantly reduce their attack surface by adopting zero-trust principles. In turn, this makes it less likely that attackers opportunistically probing the open Internet for weaknesses will discover the organization.

If the organization is discovered, zero trust eliminates an adversary’s ability to move laterally across a network, where they could discover the sort of valuable data that would give them leverage over their target.

Adopting a zero trust approach helps an organization to:

*   Rigorously validate the identity of all participants in a network transaction

*   Obscure from the public Internet the true IP addresses of all assets at any manufacturing facility (or combination of them) via a buffering service

*   Segment the network and support application microtunneling, limiting any possible access by attackers

*   Apply identical policies to public clouds and remote workers, with the ability to scale automatically over time as the network topology changes

These and other techniques, once implemented, can help manufacturers reduce the risk of a breach, lessen their exposure should a breach occur, and minimize the business impact of any successful attack. Best of all, they will help manufacturers hang on to more of their hard-earned profits.

Read more _Partner Perspectives_ from Zscaler

Paying Ransom: Why Manufacturers Shell Out to Cybercriminals

This unique fairytale is available for free just before Christmas to enjoy with the entire family.

**MONTPELLIER, FRANCE, December 19, 2022 /****EINPresswire.com****/ --** Bfore.Ai, an AI-driven predictive cybersecurity solutions company, recently launched the very first cybersecurity book in the market. This book, geared towards children and security specialists alike and titled The King, The Knight & The Snowball, was downloaded over 100 times within the first hour of being available. This unique seasonal tale is available now and free for anyone to download and enjoy, just in time for Christmas.

This short fairytale targets cybersecurity professionals and aims to make predictive cybersecurity an understandable and relatable topic for all ages while promoting how important it is to be security conscious in a world where there are so many threats. While the book is designed to open the understanding of cybersecurity at an early age, it’s intended as a gift to the entire technology community and all age groups.

“In today’s world, security is a high-pressure, demanding field. It’s often hard to share a few quiet moments with those we love. We wanted to capture the spirit of sharing and caring that is essential to this time of year,” said Luciano Allegro, CMO at Bfore.Ai. “We felt the best way to do that was to create a book that gives an introduction to a new wave of cybersecurity technology — a predictive cybersecurity — wrapped in a fun story that anyone could enjoy.”

Developed with security professionals in mind, this book offers a great way to start the conversation about cybersecurity in general and predictive cybersecurity, specifically with anyone of any age. Any parent can use the accessible nature of the tale to share the importance of cybersecurity and even address how the nature of security can sometimes seem mystical. 

Bfore.ai created this fun fairytale adventure to help people of all ages learn about the technology that can prevent them or their companies from being victims of cyber threats without the sales pitch aspect that can turn the average person off. In keeping with their intention to promote sharing and moments of caring, this delightful tale is entirely free and ready for anyone to download to enjoy with the whole family. Please visit The King, The Knight & The Snowball.

About Bfore.Ai:

Headquartered in Montpellier, France, Bfore.AI launched in 2020 to deliver actionable intelligence insights to enterprises, focusing on predictive models that can see vulnerable vectors in enterprise cyber networks. For more information, please visit https://bfore.ai/ or contact Sonia Awan – PR for Bfore.Ai at \[email protected\]

Bfore.Ai Releases 'The King, The Knight & The Snowball' - Cybersecurity Book for Children

Security Service-backed Trident Ursa APT group shakes up tactics in its relentless cyberattacks against Ukraine.

Physical threats against a Ukrainian cybersecurity researcher and a failed attempt to breach a petroleum refinery inside a NATO-member nation are just the latest notable salvos in Russian state-backed APT group Trident Ursa's campaign against Ukraine.

Researchers at Palo Alto Network's Unit 42 reported on the APT group (also known as Gamaredon, Primitive Bear, Shuckworm, and UAC-0010) tactics over the past 10 months, noting the connection between Trident Ursa and the Russian Federal Security Service.

"As the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access creator and intelligence gatherer," the Unit 42 team explained. "Trident Ursa remains one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

NATO-Member Oil Refinery Targeted in Russian APT Blitz Against Ukraine

Searchlight Cyber announces rebrand that reflects its status as a fast-growing cybersecurity business.

**Portsmouth,** **UK** **&** **Washington** **DC,** **US** **–** **December** **20** **2022** **\--** Searchlight Cyber, the dark web intelligence company, has announced its rebrand from Searchlight Security, aligning its legal entity in both the UK (Searchlight Cyber Ltd) and the US (Searchlight Cyber LLC). The name change is accompanied by the launch of a new visual identity including a new company logo, website, and an update to its product design.

Searchlight Cyber’s new website is designed to be a knowledge base for security professionals to learn more about the emerging field of dark web threat intelligence. Enterprises, law enforcement, and MSSPs can easily navigate and access resources on how to combat dark web threats including reports, webinars, videos, blogs, case studies and more.

“I am delighted to announce that we are capping off a very exciting year for the company with a rebrand,” says Ben Jones, CEO of Searchlight Cyber. “Since we launched five years ago we have been on a fast-growth trajectory, and this has never been more apparent than in 2022. In this year alone, our headcount has increased by more than 150 percent, we have grown our customer base in both the UK and US, and we’ve launched exciting capabilities in our products. This new brand reflects the maturity of the company and our mission to help protect society from dark web threats, with our new website in particular geared around the value and insight that we can deliver to our customers.”

Searchlight Cyber’s Ransomware Search and Insights - launched just last week \- is among the many product announcements the company has made this year. This enhancement to Searchlight’s Cerberus platform provides enterprises and law enforcement with a consolidated view of the dark web activity of ransomware groups, to help them better understand and protect themselves from one of the most persistent threats in cybersecurity. The product’s supporting threat intelligence report, Dark Web Profiles: The Most Prolific Ransomware Groups of 2022, is one of the many resources that can be accessed on the new Searchlight Cyber website. 

For more information on the rebrand, read the blog Introducing Searchlight Cyber from Ben Jones, CEO of Searchlight Cyber, on the rationale behind the company’s new website and visual identity. 

About Searchlight Cyber

Searchlight Cyber provides organizations with relevant and actionable dark web threat intelligence, to help them identify and prevent criminal activity. Founded in 2017 with a mission to stop criminals acting with impunity on the dark web, we have been involved in some of the world’s largest dark web investigations and have the most comprehensive dataset based on proprietary techniques and ground-breaking academic research. Today we help government and law enforcement, enterprises, and managed security services providers around the world to illuminate deep and dark web threats and prevent attacks. To find out more visit slcyber.io or follow Searchlight Cyber on LinkedIn and Twitter.

Searchlight Security Changes Name to Searchlight Cyber and Launches New Brand

When properly designed and trained, artificial intelligence and machine learning can help improve the accuracy of distributed denial-of-service detection and mitigation.

After early excitement about artificial intelligence (AI) in the late 1980s and early 1990s, followed by a couple of "AI winters" — periods of reduced funding, interest and even disillusionment — we now again see great enthusiasm about all things related to AI and machine learning (ML). It is no wonder that AI/ML is also being considered for network security, including distributed denial-of-service (DDoS) protection.

It's not that AI/ML algorithms have changed so radically — but they have matured. In network security, like in many other fields, the abundance of data and greater-than-ever processing power makes it feasible to implement new AI/ML algorithms in silicon or in the cloud, allowing us to teach machines to be more accurate and faster than humans are.

With DDoS security, the problem is distinguishing "good" from "bad" traffic and minimizing the mitigative actions to reduce the effect on "good" traffic. Apart from accuracy and speed, the percentage of false positives indicates how good your detection is — the lower, the better. Until recently, the industry-accepted rate of 5% to 10% false positives meant that neutralizing a 2Tbps-size DDoS attack could also block 100Gbps to 200Gbps of legitimate network traffic. This needs to improve by at least an order of magnitude.

**AI/ML for Better DDoS Detection**

AI/ML can help network security teams make more accurate and faster decisions about what constitutes a DDoS threat or is an ongoing attack. Knowing the larger Internet-security context is essential — a global perspective of traffic down to the IP address level, with prior history of traffic patterns and abuse — can help prevent making a snap decision about whether certain traffic flows are legitimate. It's like a credit card company tracking all transactions in order to decide which ones are fraudulent.

Big data collected from the network itself — in the form of telemetry from IP routers, enhanced with the larger security context — provides a great base for training AI/ML models to recognize DDoS patterns. Still, human intelligence is irreplaceable: People need to teach AI/ML what to look for. And there is a lot to be taught, from recognizing a botnet DDoS (coming from thousands of IoT devices as regular IP traffic) to understanding when seemingly separate network patterns are all parts of a larger, coordinated DDoS activity.

**Better Mitigation, Too**

Another important role for AI/ML is in defining DDoS mitigation strategies and driving real-time tactics based on changing network conditions and mitigation results.

DDoS detection is a big data problem with somewhat unconstrained resources, limited only by the processing platforms. DDoS mitigation, however, is a problem where resources are constrained. Mitigation capabilities, capacity, and scale can differ from product to product and from one network to another. The actual mitigative actions need to consider all of those details and more — preferences about the number of security filters applied on routers, whether NETCONF or Flowspec should be used, etc. All of these constraints can be passed to an AI/ML system to drive networkwide AI/ML-optimized mitigation.

Additionally, AI/ML algorithms could be used to calculate the efficiency (as measured by false-positive rates) of suggested mitigation scenarios and to test and evaluate different what-if scenarios offline to improve the mitigation further.

**Understanding Wider Context Is Key**

Big data platforms can efficiently sift through massive amounts of data, ingesting information about the Internet-wide security-related context and real-time network data about network flows, usage patterns, and other relevant metrics.

With the help of AI/ML algorithms, it is now possible to detect DDoS activity early and take immediate, targeted, and optimized mitigation measures to thwart such attacks.

By incorporating big data analytics and AI/ML into all stages of a comprehensive DDoS security strategy, we can guard our networks against malicious DDoS attacks, keep the services running, and protect users online.

How AI/ML Can Thwart DDoS Attacks

Startups are coalescing around effective data loss prevention, reducing data attack surfaces, and viable AI automation.

Investors in tech startups like to maintain communities of independent CISOs that entrepreneurs use to explore threats and unsolved problems and to pitch solutions to. In this incubation space, several technologies have begun to stand out: enterprise Web browsers, data posture management, and new takes on automation.

And here's what they have in common: They're innovations that reduce complexity. Consider the impossibility of deploying agents or security controls across heterogeneous devices. To achieve full coverage, they must span employees, third parties, and post-M&A workforces — including personal devices that hit the cloud.

RSA's 2022 Innovation Sandbox winner, Talon Cyber Security, and the startup Island, both believe the enterprise Web browser can solve this and become an external leg of the cloud security architecture.

User data travels in an encrypted connection between the cloud and the browser, the latter of which has been leaky. These new browsers are hardened to malware, contain data loss by blocking uploads, downloads, screen captures, or cut and paste. They also add a layer of privacy. As Ashland CISO Bob Schuetter notes, his secure browser masks Social Security numbers on the screen "so the service reps don't have to look at the actual numbers all day."

These browsers even allow recording sessions for visual playback during incident response. “In reality, what they are is a secure gateway for tracking who's using what SaaS resources,” says Dr. Shane Shook, a cybercrime consultant and expert witness.

Compartmentalized away from the rest of the endpoint, a secure browser sandboxes Web client code, contains the accessed cloud data, and secures traffic between device and cloud. Proponents believe it could become the new cloud perimeter and deliver some of the failed promises of data loss prevention.

**Automation Is Bigger Than SOAR**

2022’s upstarts are pushing automation beyond the security orchestration and automated response (SOAR) category. Many of them note that SOAR speaks to a past when security was dominated by incident response.

Cybersecurity is now under the CIO as much as the CISO. All this creates a huge divide between the CISO's organization that detect threats and the remediation plans which must span multiple departments, and often extend to partners.

There are a number of approaches here. SOAR startups Opus Security and Revelstoke push knowledge dissemination and best practices beyond the CISO. Torq, an Innovation Sandbox finalist, is being used to automate backlogs in IT account provisioning, a byproduct of identity attacks.

BrazenCloud envisions upgrading the plumbing beneath SOAR’s automation, which today mostly involves calling the APIs of other security applications. Yet scripting, open source, and one-off tools are popular in cybersecurity. This leads to the belief that cybersecurity's automation providers should be the ones to move and execute these tool’s binaries and return their outputs — even for the notoriously ephemeral cloud workloads.

**Making Data Security Cloud Native**

On-premises data security was never that good at answering what data we have, where it's located, and who's accessing it. Now, this deficiency is getting addressed as data and metadata become increasingly distributed across multiple clouds.

Analysts are calling it data security posture management (DSPM), which unfortunately sounds like an older cloud security posture management (CSPM) category that Gartner split after ballooning out of control.

The more focused data posture management products integrate with cloud APIs, and map data and its usage. They aspire to relieve the ransomware threat with oversight into backups and to reduce the attack surface by sunsetting old data.

Despite the mind numbing acronyms, this new data-focused category is hot in 2022, with Concentric AI, Laminar, and Eureka Security receiving investments.

The sudden interest here is more than faddish copycatting. Cloud computing requires a higher bar for data security. Not being behind a well-defined perimeter, the cloud is public by default and thus hackers are one authentication hop from accessing the crown jewels.

**Will AI Finally Deliver Cybersecurity Real Value?**

Cybersecurity's buzzword merchants have undermined artificial intelligence and machine learning, turning theminto gratuitous boxes to check. Yet a new generation of practitioners educated in AI and ML see routine success using facial and voice recognition. AI’s success outside cybersecurity, such as facial recognition, has come from tackling narrow problems where sophisticated examples exist to model or train against.

The startup community has begun wielding AI’s strengths to take the small stuff off the hands of practitioners. Some believe advanced virtual assistants (AVAs), similar to Siri or the writing-aide Grammarly, are an aspect of AI that can succeed in cybersecurity.

StrikeReady delivers the detection and response tools a practitioner would use, along with an AVA trained to handle certain security operations center (SOC) logistics. Another unnamed startup, still in stealth mode, is beta testing AVAs that curb the risky behaviors of end users.

Within startup incubation spaces, enterprise Web browsers, virtual assistants, DSPM, and new automation may prove to be the new disruptors. Or they could just end up as a venture capitalist's write-off. Either way, it's the market — and security practitioners in the SOC — who will be the final arbiters of what’s useful and innovative.

Coming to a SOC Near You: New Browsers, 'Posture' Management, Virtual Assistants

VMRay announces the closing of a Series B led by global alternative asset manager Tikehau Capital, which will fuel further expansion of the product portfolio to target a broader set of market segments.

**BOCHUM, GERMANY (PRWEB)** **DECEMBER 20, 2022 --** VMRay, a global player in advanced threat detection and analysis that offers solutions for enterprises, governmental organizations, and MDRs to detect and analyze the most challenging malware and phishing threats, announces the closing of a Series B led by global alternative asset manager Tikehau Capital, through its subsidiary Tikehau Ace Capital and its European Cybersecurity Growth fund alongside new investors NRW.BANK and Gründerfonds Ruhr. Previous investors eCAPITAL and High-Tech Gründerfonds also participated in the round. The new investment will fuel further expansion of the product portfolio to target a broader set of market segments.

VMRay was founded to overcome a big vulnerability in cybersecurity: new, unknown, and sophisticated threats and targeted attacks. The company started its journey by developing a unique, hypervisor-based approach to sandboxing, and kept adding cutting-edge technologies, including its own Machine Learning models, to address emerging and evolving challenges. The solutions aim at improving the efficiency of SOC teams with accurate verdicts, noise-free output, and seamless integrations with major EDR, XDR, SOAR, and Threat Intelligence Platform vendors. The company is now working with 4 of the world’s top 5 technology companies, 37 leading financial institutions and 56 governmental organizations around the world.

“The cyber threat landscape is going through a profound change, and with the increasing volume and complexity of new threats, our customers face new challenges,” said Dr. Carsten Willems, co-founder and CEO of VMRay. “The latest investment has been a collaboration with a strategic scope, enabling VMRay to make its product suitable for a wider range of market segments and use cases including threat intelligence, security automation and MSSPs.” 

“In our role as cybersecurity-focused experts, we were impressed with VMRay's unique value proposition: building more effective detection tools integrated or interfaced with larger cybersecurity solutions. VMRay's ability to automate detection is a clear differentiator, positioning it as the tip of the spear in the global effort to elevate cybersecurity standards globally," said Augustin Blanchard, Executive Director at Tikehau Capital. "We firmly believe the company will sustain scalable, explosive growth in the coming years, driven by skilled leadership and powerful market tailwinds.”

“VMRay has managed to uniquely position themselves in the market, complementing existing solutions as the extra layer of security that is needed to combat advanced and unknown threats,” said Dr. Ulrich Schmitt from High-Tech Gründerfonds. “Having built a strong foundation for further international growth, the company is set to become the global leader in advanced threat detection, and we are excited to support the VMRay team in the years to come.”

Willi Mannheims, Managing Partner at eCAPITAL added, “We’re delighted to be partnering with a syndicate of top investors to continue fueling VMRay’s success and support the company’s experienced management team in driving growth.”

About VMRay  
At VMRay, our purpose is to liberate the world from undetectable digital threats.Led by reputable cyber security pioneers, we develop best-of-breed technologies to detect and analyze unknown threats that others miss. Thus, we empower organizations to augment and automate security operations by providing the world’s best threat detection and analysis platform. We help organizations build and grow their products, services, operations, and relationships on secure ground that allows them to focus on what matters with ultimate peace of mind. This, for us, is the foundation stone of digital transformation.

Cybersecurity Company VMRay Extends Series B Investment to a Total of $34M USD to Drive Growth into New Markets

A vulnerability in the label-based access control of Grafana Labs Grafana Enterprise Metrics allows an attacker more access than intended. If an access policy which has label selector restrictions also has been granted access to all tenants in the system, the label selector restrictions will not be applied when using this policy with the affected versions of the software. This issue affects: Grafana Labs Grafana Enterprise Metrics GEM 1.X versions prior to 1.7.1 on AMD64; GEM 2.X versions prior to 2.3.1 on AMD64.

CVE-2022-44643: Downloads |  Grafana Enterprise Metrics documentation

The Russia-linked Gamaredon group attempted to unsuccessfully break into a large petroleum refining company within a NATO member state earlier this year amid the ongoing Russo-Ukrainian war.
The attack, which took place on August 30, 2022, is just one of multiple attacks orchestrated by the advanced persistent threat (APT) that's attributed to Russia's Federal Security Service (FSB).
Gamaredon,

The Russia-linked Gamaredon group attempted to unsuccessfully break into a large petroleum refining company within a NATO member state earlier this year amid the ongoing Russo-Ukrainian war.

The attack, which took place on August 30, 2022, is just one of multiple attacks orchestrated by the advanced persistent threat (APT) that's attributed to Russia's Federal Security Service (FSB).

Gamaredon, also known by the monikers Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and Winterflounder, has a history of primarily going after Ukrainian entities and, to a lesser extent, NATO allies to harvest sensitive data.

"As the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access creator and intelligence gatherer," Palo Alto Networks Unit 42 said in a report shared with The Hacker News. "Trident Ursa remains one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine."

Unit 42's continued monitoring of the group's activities has uncovered more than 500 new domains, 200 malware samples, and multiple shifts in its tactics over the past 10 months in response to ever-changing and expanding priorities.

Beyond cyberattacks, the larger security community is said to have been at the receiving end of threatening tweets from a purported Gamaredon associate, highlighting the intimidation techniques adopted by the adversary.

Other noteworthy methods include the use of Telegram pages to look up command-and-control (C2) servers and fast flux DNS to rotate through many IP addresses in a short span of time to make IP-based denylisting and takedown efforts harder.

The attacks themselves entail the delivery of weaponized attachments embedded within spear-phishing emails to deploy a VBScript backdoor on the compromised host that's capable of establishing persistence and executing additional VBScript code supplied by the C2 server.

Gamaredon infection chains have also been observed leveraging geoblocking to limit the attacks to specific locations along with utilizing dropper executables to launch next-stage VBScript payloads, which subsequently connect to the C2 server to execute further commands.

The geoblocking mechanism functions as a security blindspot as it reduces the visibility of the threat actor's attacks outside of the targeted countries and makes its activities more difficult to track.

"Trident Ursa remains an agile and adaptive APT that does not use overly sophisticated or complex techniques in its operations," the researchers said. "In most cases, they rely on publicly available tools and scripts – along with a significant amount of obfuscation – as well as routine phishing attempts to successfully execute their operations."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Russian Hackers Targeted Petroleum Refinery in NATO Country During Ukraine War

It's no secret that keeping software up to date is one of the key best practices in cybersecurity. Software vulnerabilities are being discovered almost weekly these days. The longer it takes IT teams to apply updates issued by developers to patch these security flaws, the more time attackers have to exploit the underlying vulnerability. Once threat actors gain access to corporate IT ecosystems,

Patch Management / Endpoint Security

It's no secret that keeping software up to date is one of the key best practices in cybersecurity. Software vulnerabilities are being discovered almost weekly these days. The longer it takes IT teams to apply updates issued by developers to patch these security flaws, the more time attackers have to exploit the underlying vulnerability. Once threat actors gain access to corporate IT ecosystems, they can steal or encrypt sensitive data, deploy ransomware, damage systems, and more. When there's a known exploit for a critical vulnerability, the need to deploy patches becomes critical.

At the same time, while IT teams race to keep their operating systems, business applications, and web browsers up to date and fully patched, they have to exercise caution, since applying patches without proper testing can introduce more problems than it solves.

The reality is, many organizations are struggling to maintain the upper hand against threats. According to Action1's 2021 Remote IT Management Challenges Report, 78% of organizations admit that they failed to patch critical vulnerabilities in a timely manner during the past year, and 62% said they suffered a breach due to a known vulnerability for which patch was available but not yet applied.

Fortunately, effective and continuous patch management is within reach. This article explains the challenges and the key best practices for overcoming them.

**Why is it challenging for IT teams to manage security updates?****Wide range of software to be kept updated**

Organizations often focus on keeping their operating systems patched. While OS patching is certainly critical, third-party software is also subject to vulnerabilities that need to be addressed. Indeed, organizations use a wide range of third-party applications, from databases to web browsers, which need to be constantly patched, too.

**Infrastructure specifics**

While small offices may have only a few workstations and servers to worry about, large organizations often have a huge number of devices to keep patched. And it's not just the sheer volume that's a problem — each device might have its own hardware configuration and installed software, which adds a great deal of complexity to the patch management process.

**Remote work**

Moreover, the move to a work-from-anywhere format means IT teams often do not have direct access to the IT assets they need to update, which makes it even more harder to keep all corporate machines up to date with the latest security updates. Indeed, on-premises patch management tools have become outdated in the modern era of remote and hybrid work.

**Lack of effective processes and tools**

The Action1 study found that 38% of IT teams cannot get information about all updates in one place and prioritize them effectively, and nearly as many (37%) say they have to use too many non-integrated tools to track and deploy updates. Moreover, some patch management solutions are often so complicated that they require a dedicated specialist to use.

**What are the best practices for managing security updates?**

To establish an effective patch management process, consider the following best practices:

*   **Inventory your systems and software** — You can't fix what you don't know about. Scan your environment for assets and installed software, and keep track of your inventory.
*   **Group your assets —** Categorize your endpoints based on their installed operating systems, services, and applications, so you can deploy patches to all affected assets simultaneously.
*   **Prioritize risks —** Determine which of your assets are most critical from both a security perspective and a business continuity standpoint. Key questions to answer include:

*   Which assets must be patched immediately?
*   What types of patches need to be deployed promptly?
*   What constraints are there around patching certain assets during working hours? If an update must be applied right away, how can you mitigate the impact on the business?

*   **Test patches before deploying them organization-wide** — Before rolling out a patch across all your endpoints, test it on small control group.
*   **Apply patches promptly** — Don't give attackers extra time to exploit known vulnerabilities. In particular, patches that address critical flaws should be applied without undue delay.
*   **Stay on top of known vulnerabilities** — If you not aware of a threat, you can't mitigate it. While it can be quite cumbersome to review all CVEs, at least get into the habit of regularly reviewing news in media as well as vulnerability digests from patch management software vendors.
*   **Automate** — No one can manage the modern flood of patches effectively using a manual approach. A solid patch management software will save you time and ensure far more reliable results by streamlining the patching process.
*   **Cover all your devices** — Be sure that your patch management process and solution cover not just in-office machines but all your remote endpoints as well.

**What solutions can help?**

The Action1 cloud-native patch management platform supports all of the best practices detailed above. It relieves IT teams from the strain of manual patching by providing them with intelligent automation capabilities and empowering them to enforce continuous patch compliance for their remote and in-office machines. Even better, you can cover your first 100 endpoints completely free.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel