A Purple Team exercise is a collaborative approach between offensive (Red) teams and defensive (Blue) teams.

Thursday, June 29, 2023 08:06

Purple Team exercises are included within the Cisco Talos Incident Response Retainer service and our experts can help your organization find security holes before the bad guys can.

As your trusted advisor, our purple team, which is a combination of both red and blue teams, emulates one joint attack scenario, executes the scenario, and records how your current incident response capabilities perform to evaluate your current gaps and inform future enhancements.

Can your organization’s current security incident response program withstand an emulated adversarial attack? Need to put your current TTPs detections to the test? Not sure where to start, what to test, or what gaps exist in your program? No fear, Talos IR can partner with you to provide Purple Team expertise and exercises, tailored for your organization to proactively test and enhance your prevention, detection and response capabilities.

During the Purple Team exercise, an external Red Team acts as an Advanced Persistence Threat (APT) actor while the Talos IR Blue Team, together with the organization’s defender team, is responsible for detecting those activities and responding to the attack in accordance with the existing security procedures.

If you want to learn more about Talos IR's Purple Team, tune into the next Talos IR On Air stream on July 27 at 12 p.m. ET. The stream will be available live on Talos' Twitter and LinkedIn, with a replay going up shortly after on our YouTube page.

Organizations of all sizes can benefit from the Purple Team exercises Cisco offers to proactively test your current cybersecurity risks and solidify your team’s TTPs and increase your overall security knowledge in advance of a cybersecurity incident.

**Purple Team value for joint teams**

Cisco can partner with you to provide Purple Team expertise and exercises, tailored for your organization, to proactively test and enhance your detection and response capabilities. A Purple Team exercise is a collaborative approach between offensive (Red) teams and defensive (Blue) teams. The Red Team emulates adversary TTPs, while the Blue Team, which consists of seasoned Talos IR responders, works side-by-side with your organization’s defenders to detect and respond to those attacks. During the exercise, the Blue Team is challenged to use the organization’s existing internal security TTPs policies and procedures and test available security tooling. This type of dynamic emulation helps proactively identify any gaps in training and resources and increases the organization’s security awareness and preparedness for the future.

These Purple Team exercises also help organizations optimize their security investments by identifying weaknesses in their current security toolsets. Once these gaps are identified and shared your organization has more insightful data to support future cybersecurity solutions investments. Making informed decisions about where to allocate resources will mitigate the risk of wasting resources on ineffective cybersecurity solutions and can ensure your financial investments are optimized to meet your needs today and tomorrow.

Purple Team exercises also offer a valuable opportunity for knowledge exchange between members of the Blue and Red Teams.

*   The Red Team learns more from the Blue Team about the different security controls that are in place and tries to identify new ways to circumvent these controls.
*   The Blue Team, on the other hand, gains insights into the specific techniques used by the adversaries to compromise the environment, including specific tools and attack scripts.

Internal defenders, employed by the organization, use the firsthand experience from the Purple Team to update and optimize their monitoring and detection capabilities and build new processes.

**Testing approach and steps**

Purple Team exercises have been designed around the MITRE ATT&CK Framework to provide common terminology for identifying and blocking commonly used adversarial TTPs.

During the engagement, Talos Red Team and Talos Incident Response teams work together with the customer’s team to exchange knowledge about common attacks and corresponding detection. The responders from Talos IR collaborated closely with the customer security teams to properly identify all techniques executed by Talos Red Team and verify the defense’s actions. The workshop-style Purple Team engagement increases team trust among members of the internal security team and creates a base to improve the overall organization’s resilience against active threats. With clearly defined steps Talos IR collaborates with your organization’s security teams to properly identify all techniques executed by Talos Red Team and verifies the recorded activity.

The Purple Team exercise starts with the customer and Cisco Talos jointly defining and testing attack scenarios based on the organization’s existing security capabilities. An important part of this process is an evaluation of the strengths and weaknesses across different deployed security capabilities and the identification of areas of concern.

The final scenario is uniquely crafted to meet the risk concerns of the organization in terms of protecting its environment and “crown jewel” assets. A document with scenario details is agreed upon with the organization’s representatives before launching the agreed attack. Throughout the active execution of the attack, the Cisco Talos team will document the response of the security team by collecting detailed notes on topics such as the coverage of the security capabilities, availability of telemetry to detect and analyze the TTPs and, finally, the overall organization.

Integrating threat intelligence into our exercises helps organizations better understand the threats that they face and identify potential vulnerabilities in their security defenses. The intelligence data from Cisco Talos is a key differentiator of our Purple Team capabilities. The Cisco Talos team incorporates threat intelligence data from historical threats related to your organization's unique industry vertical and geography, as well as information on current adversary activity to create your tailored attack scenario. To protect your organization, Cisco Talos offers publicly available Threat Assessment Reports, which are published quarterly and yearly, and are an integral component used to build scenarios based on the latest threat intelligence. The final scenario aims to emulate as closely as possible a specific real-life threat that was analyzed by Talos in the wild, often leveraging existing research on observed threats and direct emergency response experience.

The outcome of the Purple Team exercise heavily relies on visibility into the organization's environment. The Security Operations Team within your organization relies on the existence of sufficient logs and properly configured security tools to quickly identify threats targeting the environment and stop them at an early stage. Verification of detection capabilities and visibility gives the team insights about potential gaps and better preparation for incidents.

Below is a list of standard tools that the Purple Team could use depending on the specific needs of the engagement:

*   Antivirus and Endpoint Detection and Response (EDR)
*   Traditional, Next-Generation and Web Application Firewall(s)
*   NetFlow and Network Telemetry
*   Email Server and Security Appliance Logs
*   DNS Security and Visibility Logs
*   Operating System and Application Logs
*   Auxiliary Operating System Logs
*   Proxy Network Logs
*   Application Logs
*   Data Loss Prevention Logs

**Attack scenario execution**

During the delivery of a Purple Team exercise, Talos IR team supports actively but non-intrusively the security team with detection and identification activities. As the Talos Red team executes step-by-step the pre-defined attack, compromising selected hosts or parts of the environment, Talos IR, in collaboration with the customer’s security team, works on detection across applicable security capabilities and cross-referencing logs to gain full identification of the attack.

For each TTP used by the attacker, the Talos IR team documents the following attributes of the security team’s response:

*   Logged, Alerted, and Mitigated
*   Logged and Alerted
*   Logged and Mitigated
*   Alerted and Mitigated
*   Not Detected

This type of detailed documentation builds up the foundation for the post-exercise report.

**Attack scenario results and reporting**

The Purple Team engagement concludes with a report and a debrief session. The report summarizes the overall activities during the exercise, the preparatory actions in the scenario-building phase, and the results of the detection and response verification. This engagement report serves as a foundation for future improvement of environment detection capabilities and paves the way for enhanced security resilience of the company.

Please contact your Cisco Account Team representatives or directly email Talos IR if you are interested or have questions regarding our new Purple Team service.

How Talos IR’s Purple Team can help you prepare for the worst-case scenario

A previously undocumented Windows-based information stealer called ThirdEye has been discovered in the wild with capabilities to harvest sensitive data from infected hosts.
Fortinet FortiGuard Labs, which made the discovery, said it found the malware in an executable that masqueraded as a PDF file with a Russian name "CMK Правила оформления больничных листов.pdf.exe," which translates to "CMK

A previously undocumented Windows-based information stealer called **ThirdEye** has been discovered in the wild with capabilities to harvest sensitive data from infected hosts.

Fortinet FortiGuard Labs, which made the discovery, said it found the malware in an executable that masqueraded as a PDF file with a Russian name "CMK Правила оформления больничных листов.pdf.exe," which translates to "CMK Rules for issuing sick leaves.pdf.exe."

The arrival vector for the malware is presently unknown, although the nature of the lure points to it being used in a phishing campaign. The very first ThirdEye sample was uploaded to VirusTotal on April 4, 2023, with relatively fewer features.

The evolving stealer, like other malware families of its kind, is equipped to gather system metadata, including BIOS release date and vendor, total/free disk space on the C drive, currently running processes, register usernames, and volume information. The amassed details are then transmitted to a command-and-control (C2) server.

A notable trait of the malware is that it uses the string "3rd\_eye" to beacon its presence to the C2 server.

There are no signs to suggest that ThirdEye has been utilized in the wild. That having said, given that a majority of the stealer artifacts were uploaded to VirusTotal from Russia, it's likely that the malicious activity is aimed at Russian-speaking organizations.

"While this malware is not considered sophisticated, it's designed to steal various information from compromised machines that can be used as stepping-stones for future attacks," Fortinet researchers said, adding the collected data is "valuable for understanding and narrowing down potential targets."

The development comes as trojanized installers for the popular Super Mario Bros video game franchise hosted on sketchy torrent sites are being used to propagate cryptocurrency miners and an open-source stealer written in C# called Umbral that exfiltrates data of interest using Discord Webhooks.

"The combination of mining and stealing activities leads to financial losses, a substantial decline in the victim's system performance, and the depletion of valuable system resources," Cyble said.

SeroXen infection chain

Video game users have also been targeted with Python-based ransomware and a remote access trojan dubbed SeroXen, which has been found to take advantage of a commercial batch file obfuscation engine known as ScrubCrypt (aka BatCloak) to evade detection. Evidence shows that actors associated with SeroXen's development have also contributed to the creation of ScrubCrypt.

The malware, which was advertised for sale on a clearnet website that was registered on March 27, 2023 prior to its shutdown in late May, has further been promoted on Discord, TikTok, Twitter, and YouTube. A cracked version of SeroXen has since found its way to criminal forums.

"Individuals are strongly advised to adopt a skeptical stance when encountering links and software packages associated with terms such as 'cheats,' 'hacks,' 'cracks,' and other pieces of software related to gaining a competitive edge," Trend Micro noted in a new analysis of SeroXen.

"The addition of SeroXen and BatCloak to the malware arsenal of malicious actors highlights the evolution of FUD obfuscators with a low barrier to entry. The almost-amateur approach of using social media for aggressive promotion, considering how it can be easily traced, makes these developers seem like novices by advanced threat actors' standards."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Newly Uncovered ThirdEye Windows-Based Malware Steals Sensitive Data

An unauthenticated attacker within BLE proximity can remotely connect to a 7-Eleven LED Message Cup, Hello Cup 1.3.1 for Android, and bypass the application's client-side chat censor filter.

\*\* 7-Eleven Bluetooth Smart Cup Jailbreak \*\*

****

In 2019 7-Eleven distributed a limited promotional item they generically named the 'Custom Message Cup’\*.

*   https://fccid.io/2AQNV-60961HC

Customers could personalize their cups with their own messages & slogans.

The cup consists of a plastic shell lined with an LED strip that communicates via BlueTooth Low Energy & allows users to send messages from their mobile device & is available for Android & iOs.

There is a word filter restriction on this promotional cup that displays filtered words using asterixis '\*'.

Searching the source via JADX-GUI revealed the de-facto list of vulgar words & the regex word filter accomplished via client-side filtering\* so I proceeded to edit that wordlist.

APK Easy Tool was effective in providing a turn-key solution to decompile, sign & recompile the 'Hello Cup'(v1.3.1) Application.

The first step was to retrieve the Smali resource files that is essentially specialized assembly language code that is used to represent the Dalvik bytecode of Android applications & specific to the Android runtime environment.

Because I quit ‘Pokemon GO’ only the string 'pogo' will be restricted & everything else previously banned such as 'ugly' (really?) will no longer be filtered.

As a result the message 'UGLY POGO STICK' previously rendered as '\*\*\*\* POGO STICK' will now display 'UGLY \*\*\*\* STICK'.

Although modifying the application was trivial, it served as an interesting illustration bypassing client-side filtering.

\*\* CWE-602: Client-Side Enforcement of Server-Side Security

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34761

CVE-2023-34761: GitHub - actuator/7-Eleven-Bluetooth-Smart-Cup-Jailbreak: 'Hacking' a 7-Eleven Bluetooth Smart Cup | CVE-2023-34761

Zip and RAR FileExtractor version 5.7 suffers from a cross site scripting vulnerability.

    # Exploit Title: Zip & RAR FileExtractor  v5.7 - Reflected XSS# Vendor Homepage: Penghui Zhao# Software Link: https://apps.apple.com/tr/app/zip-rar-file-extractor/id769409043?l=en# Date: 2023-06-20# Exploit Author: tmrswrr# Category : ios app# Version: v5.7# Tested on: Windows/Linux## Description:>> Go to Wi-Fi Transfer section in zip rar file extractor app>> It will be create link : 192.168.1.104:8080>> When open link your browser , write payload, xss payload execute page and see alert buttonUrl: http://192.168.1.104:8080/download?path=%22%3E%3Cscript%3Ealert(document.domain)%3C%2fscript%3EPayload: %22%3E%3Cscript%3Ealert(document.domain)%3C%2fscript%3E

Zip And RAR FileExtractor 5.7 Cross Site Scripting

By Waqas
For now, ThirdEye infostealer has demonstrated behavior that is highly malicious, albeit not-so-sophisticated in its patterns.
This is a post from HackRead.com Read the original post: Newly Surfaced ThirdEye Infostealer Targeting Windows Devices

**While the ThirdEye infostealer is now in town, researchers have already identified several of its variants, all aiming at victims’ data.**

FortiGuard Labs uncovered a not-so-sophisticated but highly malicious infostealer while analyzing suspicious files during a cursory review. They named this ThirdEye Infostealer. According to the report authored by Fred Gutierrez, James Slaughter, and Shunichi Imano, researchers became suspicious after spotting an archive file in Russian titled “Табель учета рабочего времени.zip“, which means “time sheet” in the English language.

This file contained two additional files, both with double extensions, including a .exe extension and another document-related extension. One of these files is titled “CMK Правила оформления больничных листов.pdf.exe.”

The title means “QMS Rules for issuing sick leave” in the English language. Further investigation revealed traits that researchers had previously seen in ThirdEye infostealer samples they had been detecting since early April 2023.

**Various Versions of ThirdEye ThirdEye Infostealer Discovered**

The earliest sample of ThirdEye infostealer was discovered on 3 April 2023 at 12:36:37 GMT. This sample collected client\_hash,  OS\_type, host\_name and user\_name and sent it to C2 server “(glovatickets(.)ru/ch3ckState)” with a custom web request header: Cookie: 3rd\_eye=. It was submitted to a file scanning service on 4 April 2023.

A few weeks later, researchers found a variant which had a compile timestamp of 26 April 09:56:55 GMT. This variant collected additional data, including the BIOS vendor and release date, RAM size, CPU core number, user’s desktop files list, list of registered users on the device, and network interface data. However, this version crashes in some virtual machines.

One day later, they found a new variant with just one change: it used a PDF icon. This variant used “(ohmycars(.)ru/ch3ckState)” as C2 communications.

Later, another variant was found which gathered additional data such as total and free disk space on the C drive, domain name, network ports list, list of programs and version numbers, systemUptime, CD-ROM, drive letters volume information, currently running processes list, and programs installed in the Program Files directory.

Another file in the archive WAS titled “Табель учета рабочего времени.xls.exe,” which is a ThirdEye infostealer variant capable of performing the same activities.

Credit: FortiGuard Labs

**Functionalities of ThirdEye Infostealer**

in their blog post, FortiGuard Labs’ researchers revealed that ThirdEye Infostealer can steal system data from infected devices, including BIOS and hardware information. In addition, it can enumerate folder files, running processes, and network data.

Upon execution, the infostealer quickly gathers the data and transmits it to a C2 server hosted at “shlalala(.)ru/ch3ckState.” Apart from this, ThirdEye Infostealer does not perform any other function.

While researching, an interesting feature was noted – a string named 3rd eye, from which they derived the name of this malware family. The malware decrypts this string and uses it with another hash value to identify the C2 server. ThirdEye infostealer isn’t too sophisticated; however, it is evolving fast. Some recently collected samples stole more system data than the previously discovered versions.

Moreover, researchers noted that the infostealer targets Windows-based systems with a medium severity level. There is currently no evidence that ThirdEye Infostealer has been used in attacks.

However, since it is designed to collect data from compromised devices and systems, it can come in handy for cybercriminals in launching attacks. Researchers believe that all previous and latest variants of ThirdEye Infostealer are named in Russian, so the attacker is probably eyeing Russian-speaking organizations to deploy malware.

**RELATED ARTICLES**

1.  Legion: SMS Hijacking Malware Sold on Telegram
2.  New Jupyter infostealer dropped through MSI installer
3.  Malicious ChatGPT Installers Distribute RedLine Stealer
4.  Infostealer Adrozek malware hits Firefox, Chrome browser
5.  New MacStealer Malware Targeting macOS Catalina Devices

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Newly Surfaced ThirdEye Infostealer Targeting Windows Devices

Scammers use a booking technicality, traveler confusion, and promises of dirt-cheap tickets to offer hot deals that are anything but.

How do you tell that your plane ticket is real? If it checks out on the airline’s website, you’re good to go, right? Don’t be sure. Fraudsters are abusing a little-known but decades-old technicality in how airline reservations work to con people out of their cash.

Mevonnie Ferguson, who lives in Kent in the UK, says she was scammed out of £994 ($1,267) by someone claiming to work at a travel agency called Infinity Global Travel. A single working mother of two daughters, Ferguson says she was sold what appeared to be a valid British Airways ticket from London to Kingston, Jamaica. When she looked up the reservation on BA’s website using the confirmation number and her last name, it showed up valid and fine. But about two weeks after purchasing this ticket from Infinity Global Travel, and just days before her scheduled departure date, the reservation disappeared from BA's website without a trace.

Ferguson, who also relayed her story to the UK's Channel 5, contacted the airline and explained her situation, but she was told there were no flights booked in her name. BA would not release information to Ferguson, as she was not the party who had directly booked the reservation with the airline, she says. After some persuasion, the BA representative ultimately told Ferguson that while the reservation code she provided was correct, there was no record of an e-ticket number.

Ferguson has since tried to get a refund from the supposed travel agent, who has neither returned her money nor responded to subsequent calls and emails. A BA spokesperson asked WIRED for additional details so they could investigate but did not otherwise respond to a request for comment.

This problem isn’t unique to British Airways or any one airline in particular. In fact, it’s an intentional part of the air travel industry's reservation process that scammers can abuse. 

Hold Up

Like many travelers, Ferguson did not understand the difference between a “confirmed” and a “ticketed” reservation, travel industry jargon terms that are not synonymous. The system makes it possible to create what appears to be a valid flight reservation, but which is actually a mere temporary reservation “hold.” 

Here’s how the con works: A scammer entices customers with cheap airline tickets through email, a website, or social media. Once they have a victim's details, the scammer purchases a reservation hold—not the actual plane ticket—via a travel agency. They then pass that hold on to the victim as a legitimate ticket. The victim can check the airline’s website and see that the reservation is in the system. But once the two weeks are up the hold disappears, and the scammer makes off with the money the victim thought they were spending on a real—albeit suspiciously cheap—plane ticket.

Most airlines will not let individual passengers hold a prolonged reservation directly. As an example, Qatar Airways lets anyone hold a flight for just 72 hours for a “minimum fee,” without paying the full fare up front. This means you’ll be provided a valid passenger name record (PNR) number, but your reservation will not be “ticketed”—meaning no e-ticket number—until the full fare is paid. By contrast, travel agencies have much more power and flexibility to hold a reservation, a weak point that gives scammers an in. 

Some legitimate travel agencies will let you pay as little as $15 to $20 to “hold” a flight ticket for a couple of weeks. And there are good use cases for this. When applying for a tourist visa, for example, embassies or consulates of a destination country may ask applicants to provide proof of return travel. Rather than purchase a full ticket, applicants may instead opt to pay a travel agent a small fee and get a valid flight booking, with a real PNR that can be verified by the visa officer on an airline’s website. Should their visa application be refused for any reason, applicants lose only the small fee paid to the travel agent—a better deal than hassling with an airline to modify or cancel a full ticket or failing to get a refund entirely.

Sites like Expedia and Skyscanner are, of course, the mainstream way people book air travel. But for anyone who needs a long hold, travel agencies are their only option. These agencies advertise inexpensive reservation holds as “flight itineraries for visa applications,” which are colloquially known as “dummy tickets” and are valid for two weeks. This time window is enough for a scammer to con someone.

Test Dummy

To test how a dummy ticket scam works, I purchased a Qatar Airways reservation for $20 via a legitimate third-party travel agency. For the two weeks after I made this booking, Qatar Airways’ website would show the confirmation number as valid. But no e-ticket number is listed anywhere on the reservation—indicative of this being a mere “hold”—meaning it's a reservation that’s “confirmed” but not ticketed. Scammers do exactly the same thing by booking the hold under their victim’s name.

Scams aside, the gap between reservation holds and ticketing can cause problems for travelers all by itself. In 2019 a traveler named Alexander told his story to The Points Guy of a mishap in which his flight to Spain was merely confirmed but never ticketed—which he didn’t find out until he arrived at the airport. In this case the problem had to do with the airline’s policy of not issuing e-tickets against bookings until an identity check was completed by the passenger—something Alexander missed because the ID verification email landed in his spam folder. But the mechanism behind his and Ferguson’s scenarios are identical.

Suffice it to say, it is best to book your flight tickets directly with an airline or via a trusted travel platform. If an offer sounds too good to be true, it may be a scam. And always verify with the airline if your “confirmed” reservation indeed has a real ticket to go along with it.

How Your Real Flight Reservation Can Be Used to Scam You

For too long the cybersecurity world focused exclusively on information technology (IT), leaving operational technology (OT) to fend for itself. Traditionally, few industrial enterprises had dedicated cybersecurity leaders. Any security decisions that arose fell to the plant and factory managers, who are highly skilled technical experts in other areas but often lack cybersecurity training or

For too long the cybersecurity world focused exclusively on information technology (IT), leaving operational technology (OT) to fend for itself. Traditionally, few industrial enterprises had dedicated cybersecurity leaders. Any security decisions that arose fell to the plant and factory managers, who are highly skilled technical experts in other areas but often lack cybersecurity training or knowledge.

In more recent years, an uptick in cyberattacks against industrial facilities and the trend of IT/OT convergence driven by Industry 4.0 have highlighted the vacuum of ownership around OT security. According to a new Fortinet report, most organizations are looking to Chief Information Security Officers (CISOs) to solve the problem.

Fortunately, CISOs are no strangers to change or difficult challenges. The position itself is less than 20 years old, yet in those two decades CISOs have navigated some of the most disruptive cybersecurity events that were truly watershed moments in technology.

Still, most CISOs have made their mark securing IT environments — and IT security strategies and tools rarely translate to an OT context. While the soft skills of collaboration and team-building will certainly help CISOs as they bring the factory floor into their realm of responsibility, they must also make a concentrated effort to understand the OT landscape's unique topography and distinctive security challenges.

**Safety over everything**

The CIA triad — Confidentiality, Integrity & Availability — is a key concept in cybersecurity. Critically, IT and OT prioritize the elements of the triad differently — although safety is always the common denominator.

Image 1: The CIA triad of IT security is reversed in the OT world, where availability is the highest priority.

*   **In IT, safety means that data is protected through confidentiality.** People get hurt when their sensitive, private data is compromised. For the enterprise, securing data saves them from breaches, fines, and reputational damage.
*   **In OT, safety means that cyber-physical systems are reliable and responsive.** People get hurt when a blast furnace or an industrial boiler does not function properly. For the enterprise, availability keeps systems running on time down to the millisecond, which ensures productivity and profitability.

Somewhat ironically, the AIC triad of the OT world has resulted in systems and tools that prioritize physical safety but often come with few or no cybersecurity features at all. It will be the CISO's responsibility to identify and implement security solutions that protect OT systems from cyberthreats without disrupting their operations.

Wondering how to protect your industrial operations from potential threats? This **comprehensive report on I-SRA** has the answers. Uncover the top challenges, including operational safety risks and Advanced Persistent Threats (APTs). **Download** the report today!

**Levels of segmentation**

In both OT and IT, segmentation limits the network's attack surface. In OT, the Purdue Model serves as a framework for how and why systems can and should communicate with each other.

In a highly simplified nutshell, the Purdue Model comprises five layers.

*   Levels 4 and 5 are the outermost layers that include web and email servers, IT infrastructure, and users firewalling in remotely.
*   Levels 2 and 3 are the operational layers that operate the software and applications that run OT environments.
*   Levels 0 and 1 hold the devices, sensors, programmable logic controllers (PLCs), and distributed control systems (DCS) that do the actual work and must be protected from outside interference.

The purpose of these layers is to create both logical and physical separation between process levels. The closer you get to the cyber-physical operation of industrial systems like injectors, robotic arms, and industrial presses, the more checks and balances are in place to protect them.

While the concept of segmentation will not be new to CISOs, they will need to understand that the separation of zones is much stricter in OT environments and must be enforced at all times. Industrial enterprises adhere to the Purdue model or other similar frameworks to ensure safety and security and to meet many regulatory compliance mandates.

**Downtime is not an option**

In IT, downtime for upgrades and patches is no big deal, especially in a Software-as-a-Service (SaaS) world where new updates are released practically in real time.

Whether for safety or profit, OT systems are always up and running. They cannot be stopped or paused to download a new operating system or apply even a critical patch. Any process that requires downtime is simply a non-starter for the vast majority of OT systems. For this reason, CISOs should not be surprised to discover decades-old systems (likely running on software that reached its end-of-life date long ago) that still serve as a crucial piece of the operation.

The challenge facing CISOs will be to identify security controls that will not interrupt or interfere with delicate OT processes. The right solutions will "wrap" the existing OT infrastructure in a layer of security that protects critical processes without changing, complicating, or crowding them.

**All access is "remote" access**

Traditionally, OT systems have been protected through isolation. Now that organizations are connecting these environments to capitalize on Industry 4.0 or to allow easier access for contractors, all access must be monitored, controlled, and recorded.

*   The IT environment is a digital place where business happens. Business users conduct their work and systems exchange data all within this space, day in and day out. To put it another way, humans are intended to actively participate in and make changes to the IT environment.
*   OT systems and environments are built to run without human intervention — "set it and forget it." Humans are meant to set them up and then let them run. Users do not remain logged into an OT environment all day the way business users would in an IT system.

In this context, anyone accessing the OT environment is effectively an outsider. Whether it is a vendor connecting remotely, a business user coming in through the IT network, or even an OT operator accessing the environment on-site, every connection comes from the outside. Recognizing this key point will help CISOs to understand that industrial secure remote access (I-SRA) tools should be used for all access scenarios, not only those that IT would consider to be "remote."

**IT tools do not (always) work for OT**

Tools designed for IT hardly ever translate to OT.

*   Basic functions like vulnerability scanning can interrupt OT processes and knock systems completely offline, and most devices do not have enough CPU/RAM to support endpoint security, anti-virus, or other agents.
*   Most IT tools route traffic through the cloud. In OT, this can compromise availability and cannot support the numerous unconnected components common to OT environments.
*   The life cycles of IT tools are typically much shorter than the life cycles of OT devices. Due to the always-up nature of OT environments, any tool that needs frequent patching, updates, or downtime is not applicable.

Forcing IT-designed tools into OT environments only adds complexity without addressing the fundamental security requirements and priorities of these environments. The sooner a CISO realizes that OT systems deserve security solutions designed for their distinctive needs, the faster they will be on their way to implementing the best tools and policies.

**Soft skills are the keys to CISO success**

Given that most cybersecurity leaders currently tend to come from IT security roles, it makes sense that many CISOs will have a (perhaps unconscious) bias toward IT philosophies, tools, and practices. To effectively secure OT environments, CISOs will need to become students again and lean on others to learn what they do not yet know.

The good news is that CISOs generally have a propensity to ask the right questions and seek support from the right experts while still pushing the envelope and demanding positive outcomes. At the end of the day, a CISO's job is to lead people and teams of experts to accomplish the greater goal of securing the enterprise and enabling the business. Those willing to bridge the OT security divide through strong leadership and a willingness to learn should quickly find themselves on the road to success.

To learn about a real-world solution that can help CISOs better secure their OT environment, discover Cyolo.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

5 Things CISOs Need to Know About Securing OT Environments

By Waqas
The research mainly aimed at examining VPNs, firewalls, access points, routers, and other remote server management appliances used by top government agencies in the United States.
This is a post from HackRead.com Read the original post: Exposed Interfaces in US Federal Networks: A Breach Waiting to Happen

**Cybersecurity researchers at Censys referred to publicly-accessible exposed interfaces as “low-hanging fruit” for cybercriminals, as they can easily gain unauthorized access to crucial assets.**

Researchers at Censys, an attack surface management company, have discovered hundreds of devices linked to federal networks that have remotely accessible management interfaces. These interfaces can allow for the controlling and configuring of federal agency networks through the public internet.

**Shocking Details Emerge about Federal Network Devices**

According to a blog post from the Censys Research Team, published on June 26, an examination of the attack surfaces of approximately fifty sub-organizations within the federal civilian executive branch (FCEB) revealed 13,000 different hosts spread across 100 autonomous systems.

Further probing uncovered that services running on a subset of 1,300 FCEB hosts, accessible through IPv4 addresses, had hundreds of devices with publicly accessible management interfaces. This revelation falls within the scope of CISA’s BOD 23-02 (Binding Operational Directive).

**What is BOD 23-02?**

CISA’s BOD 23-02 helps federal agencies eliminate risks associated with remotely accessible management interfaces. It requires federal civilian agencies to remove certain networked management interfaces from the internet and mandates them to implement Zero Trust Architecture capabilities to enforce access control to internet-exposed interfaces within fourteen days of discovery.

**What are the Dangers of Internet-Exposed Interfaces?**

Researchers at Censys referred to publicly-accessible interfaces as “low-hanging fruit” for cybercriminals, as they can easily gain unauthorized access to crucial assets. CISA notes that threat actors are taking a keen interest in targeting certain classes of devices, especially those supporting network infrastructures, as it helps them evade detection.

After compromising these devices, attackers can obtain full access to the network. Misconfigurations, insufficient or outdated security measures, and unpatched software make devices vulnerable to exploitation. If the device management interface is directly connected to or accessible from a public-facing internet, it will be far more damaging for the organization.

**Which Devices Are Impacted?**

Researchers mainly examined VPNs, firewalls, access points, routers, and other remote server management appliances. They found around 250 different web interfaces for hosts exposing network appliances, all using SSH and TELNET remote protocols.

Most of the impacted devices were Cisco network appliances with a publicly accessible Adaptive Security Device Manager interface, whereas they also discovered enterprise Cradlepoint router interfaces revealing wireless network details. Other impacted products include Fortinet FortiGuard, SonicWall, and other popular firewalls.

A screenshot shared by Censys shows a publicly accessible Cradlepoint router web interface belonging to a Federal Civilian Executive Branch (FCEB) organization.

In addition, researchers observed exposed remote access protocols, including NetBIOS, FTP, SNMP, and SMB, out-of-band remote server management devices like Lantronix SLC console server, physical Barracuda Email Security Gateway appliances, Nessus vulnerability scanning servers, HTTP services that exposed directory listings, managed file transfer protocols such as GoAnywhere, MOVEit, and SolarWinds Serv-U, and over 150 end-of-life software.

Fifteen of the remote access protocols, which already contain multiple known vulnerabilities exploitable by threat actors, were running on FCEB’s exposed hosts. The report highlights the need for federal agencies to be more proactive in safeguarding their digital assets and improving security mechanisms across all systems to make devices CISA’s BOD 23-02 compliant.

**RELATED ARTICLES**

1.  Avast found backdoor in US Federal Agency Network
2.  Fed Agency securing communication for Trump got hacked
3.  SolarWinds Hack – US Blames Russian Intel Agency Hackers
4.  Iranian Hackers Accessed Domain Controller of US Fed Network
5.  US and China Exposed Most Databases Among 308k Found in 2021

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Exposed Interfaces in US Federal Networks: A Breach Waiting to Happen

One ransomware attack can be devastating for a small or midsize business. Here are four solid survival tips to ensure it doesn't turn into a disaster.

If your organization is hit with a ransomware attack, it's going to cost you. According to Verizon's "2023 Data Breach Investigations Report"(DBIR), released earlier this month, the median loss to a ransomware attack has risen to $26,000 and can go as high as $2.25 million.

"\[T\]he overall costs of recovering from a ransomware incident are increasing, even as the ransom amounts are lower. This fact could be suggesting that the overall company size of ransomware victims is trending down," the DBIR team wrote.

Much of the expense comes from the loss of business and recovery time. The average ransomware attack has a life cycle of more than 300 days. That's nearly a full year in which the organization is tied up with discovery and remediation — and almost two months longer than other types of cyber incidents. And then there are other costs to factor, such as long-term damage to the corporate brand and reputation, as well as loss of institutional knowledge when the employees who are held responsible for the attack are let go.

The costs surrounding a ransomware attack could cripple small and midsize businesses (SMBs) and even cause one to shut down. But it doesn’t have to be that way. Even for SMBs with tight IT/security budgets and limited security expertise, ransomware protection and recovery boils down to planning ahead.

The best way to avoid the high costs of a ransomware attack is to avoid being a victim, but protection and detection tools also come with hefty price tags. How much a company will need to pay depends on the number of employees and devices it needs to protect, but even a company with as few as 50 people can spend five figures on ransomware protection. Cyber insurance to protect the business in case of an attack could add at least $1,500 per $1 million in coverage, depending on the deductible.

Note that getting cyber insurance for ransomware is not easy; many insurance agencies are limiting coverage because of the high payout costs.

Organizations also need to think about the cybersecurity approach they want to take. How cybersecurity teams approach ransomware defense has changed over the years, says PJ Kirner, CTO and co-founder of Illumio. Cybersecurity has shifted from perimeter defense (setting up a secure perimeter to keep the bad guys out), to rapid detection (detecting and stopping as quickly as possible), to containment (limiting the amount of damage the attackers can cause once they break in).

Which approach an SMB decides to take determines the type of tools and protective actions it will need. A company deciding to contain malware would make investments to beef up authentication and privilege management in order to validate all users and devices before granting access to any transaction. A company focused on perimeter defense would have very different investments, requiring firewalls and other methods to keep attackers out of the network.

While an organization can adopt any number of security systems and tools, SMBs should consider the following actions, regardless of their overall security approach.

**1\. Decrease the Attack Surface**

Applying the concept of least-privilege access can close the door against ransomware attacks. The fewer people with access to applications and databases, the lower the chances for cybercriminals to also gain access and get in. Audit your users' roles to make sure they have access only to the software and services they need, especially if the software processes sensitive data.

For example, explains Kirner, Remote Desktop Protocol (RDP) is a popular access point for threat actors to get into a Windows system and launch ransomware. But RDP is most often used for IT help desks and troubleshooting. Most employees across the business have no need to have RDP accounts, yet they might have RDP enabled on their machines. Kirner advises revoking access if employees have no reason to have those accounts.

"Remove all that attack surface from your environment," Kirner says. "This is something you can do proactively and reduce the impact of ransomware."

Also worth disabling — especially in a Windows environment — is PowerShell. Attackers are increasingly using PowerShell in malware-less attacks. The average user is never going to use it, so it's better to disable it when setting up the user machine. Similarly, keep track of what accounts have been created on the network or for cloud applications and services. If the employee no longer needs it or has left the company, remove that account entirely. Cloud access security broker software can help manage and monitor employees’ cloud activity and enforce security policies.

**2\. Shift the Costs to the Attackers**

Another way to make your organization less attractive to bad actors is to make launching an attack more costly for the cybercriminal. Something as simple as restricting access to unnecessary applications shifts the burden to the attacker. If the attacker can’t do much with the application despite having user credentials — maybe they can only view reports but can’t extract data — the attacker has a choice of moving on to easier victims or working harder. Similarly, requiring multifactor authentication adds another roadblock for threat actors because just stealing credentials is no longer enough. Many types of MFA can fit an SMB's budget and security expertise, including biometrics, hardware tokens, and even the employee’s phone.

Attackers are economic actors, just like any other business, Kirner points out. "When they run out of time, they'll go to an environment with less security controls," he says.

**3\. Improve Your Security Hygiene**

Good security hygiene is important, regardless of company size.

The first step is to build an internal security culture around cybersecurity awareness and guidance, explains Dave Gerry, CEO at Bugcrowd. That doesn’t just mean watching security videos and calling it a day. Encourage open communications and give employees the confidence to report anything that seems suspicious.

Explain which external services and resources are allowed and why there are restrictions. Make it easy for employees to go through an approval process for getting access to tools so that they aren’t just going off and creating their own accounts.

Use modern training materials. Security companies are now producing training videos that are episodic, like sitcoms, or use techniques from reality shows that entertain as well as educate.

Gamification, such as setting up contests or offering rewards when designated milestones are met, also creates an environment where employees want to improve their security practices. Human error is a top cause of cyberattacks. When employees are encouraged to take an active role in cybersecurity and understand the consequences when they don't, you add another cybersecurity tool at little cost.

**4\. Don't Fail to Plan**

Prevention is important, but every organization should have a plan in place to mitigate an attack when it happens. The company should know who will be involved in mitigation and recovery, as well as how to handle the negotiations.

For example, because of the possibility that a ransomware attack can lead to permanently shutting down an SMB, many plan to pay the ransom. That requires setting a budget on how much to pay. If the organization does not already have a cryptocurrency wallet or access to cryptocurrency, that will make payment a bit difficult. SMBs are already working with managed service providers, consultants, and contractors. It may be worth lining up a ransomware negotiator ahead of time, who can spring into action when needed. The same goes for a computer forensics team to help figure out what is happening on the network and how to remove the ransomware.

Priority No. 1 has to be a strategy, says Joseph Carson, chief security scientist at Delinea. A ransomware attack isn't a typical incident, he points out. It will make you unavailable to your customers and, in worst-case scenarios, put lives at risk. No matter how small your budget, it is essential to think about what ransomware defense should look like but to also plan out what is needed for a successful recovery.

Protecting Small Businesses From Ransomware on a Budget

Organizations are largely deluded about their own security postures, according to an analysis, with the average SIEM failing to detect a whopping 76% of attacker TTPs.

Despite enterprises' best efforts to shore up their security information and event management (SIEM) postures, most platform implementations have massive gaps in coverage, including missing more than three-quarters of the common techniques that threat actors use to use to deploy ransomware, steal sensitive data, and execute other cyberattacks.

Researchers from CardinalOps analyzed data from production SIEM platforms from companies such as Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic, and found that they have detections for just 24% of all MITRE ATT&CK techniques. That means that adversaries can execute about 150 different techniques that can bypass SIEM detection, while only about 50 techniques are spotted, the researchers said.

This is despite the fact that current SIEM systems actually do take in sufficient data to cover potentially 94% of all these techniques, CardinalOps revealed as part of the company's "Third Annual Report on the State of SIEM Detection Risk," released today.

Moreover, organizations are largely deluded about their own security postures and "are often unaware of the gap between the theoretical security they assume they have and the actual security they have in practice," the researchers wrote in the report. This creates "a false impression of their detection posture."

MITRE ATT&CK is a global knowledge base of adversary tactics and techniques based on real-world observations that's aimed at helping organizations detect and mitigate cyberattacks. The report's data is the result of analysis of more than 4,000 detection rules, nearly 1 million log sources and hundreds of unique log source types used in SIEM across a range of diverse industry verticals — including banking and financial services, insurance, manufacturing, energy, and media and telecommunications.

**A Lack of SIEM Fine-Tuning to Blame for Detection Fails**

The key issue contributing to the current state of SIEM efficacy (or lack thereof) seems to be that even though resources exist for organizations to use knowledge, automation, and other processes to detect adversaries and potential attacks on their environments, they still largely rely on manual and other "error-prone" processes for developing new detections, the researchers noted. This makes it difficult to reduce their backlogs and act quickly to fill gaps in detection.

Indeed, SIEMs themselves "are not magic" and rely on the organizations deploying them to do so correctly and efficiently, notes Mike Parkin, senior technical engineer at Vulcan Cyber, a security-as-a-service provider of enterprise cyber-risk remediation.

"Like most tools, they require fine-tuning to deliver the best results for the environment they’re deployed in," he says. "These report results imply that many organizations have gotten the basics working but haven’t done the fine-tuning necessary to take their detection, response, and risk management strategies to the next level."

In addition to the need to scale detection-engineering processes to develop more detections faster, one key issue that seems to be tripping up detection in enterprise SIEM deployments is that on average, they have 12% of rules that are broken, which means they will never file an alert when something is amiss, according to the report.

"This commonly occurs due to ongoing changes in the IT infrastructure, vendor log format changes, and logical or accidental errors in writing a rule," the researchers noted in the report. "Adversaries can exploit gaps created by broken detections to successfully breach organizations."

**Why MITRE ATT&CK Matters**

MITRE ATT&CK, created in 2013, has now "become the standard framework for understanding adversary playbooks and behavior," the researchers noted. And as threat intelligence has advanced, so has the wealth of knowledge the framework provides, currently describing more than 500 techniques and sub-techniques used by threat groups such as APT28, the Lazarus Group, FIN7, and Lapsus$.

"The biggest innovation introduced by MITRE ATT&CK is that it extends the traditional intrusion kill chain model to go beyond static indicators of compromise (like IP addresses, which attackers can change constantly) to catalog all known adversary playbooks and behaviors (TTPs)," the CardinalOps researchers wrote.

Organizations clearly see the value in using MITRE ATT&CK to help them in their security efforts, with 89% currently using the knowledge base to reduce risk for security-operations use cases — such as determining priorities for detection engineering, applying threat intelligence to alert triage, and gaining a better understanding of adversary TTPs, the researchers noted, citing Enterprise Strategy Group (ESG) research.

However, using the framework to support SIEM efforts and using it well appear to be two very different scenarios, the report found.

**Closing the SIEM Gap**

There are steps that organizations can take to help close the gap between what a SIEM is capable of in terms of cyberattack detection, and how they currently are using it, researchers and security experts said.

One key strategy would be to scale SIEM detection-engineering processes to develop more detections faster using automation, something that companies already use widely to great effect in "multiple areas of the SOC, such as anomaly detection and incident response," but not so much in detection, they noted in the report.

"The detection-engineering function remains stubbornly manual and typically dependent on 'ninjas' with specialized expertise," the researchers wrote.

Indeed, having a focus on automation is critical to achieving goals with limited human and financial resources, agrees one security expert.

"This includes expanding automated detection to include Internet of things (IoT) and operational technology (OT) attack vectors, as well as having plans already in place for automated threat remediation," says John Gallagher, vice president of Viakoo Labs at Viakoo.

One key challenge that organizations continue to face is that the current attack surface — which now includes large numbers of vulnerable network-connected devices as well as the typical enterprise network — has grown well past what the IT organization is currently capable of supporting or managing, Gallagher says.

"To defend and maintain the integrity of those assets requires IT working closely with other parts of the organization to ensure those assets are visible, operational, and secure," he says.

Indeed, Parkin observes, until organizations can get a clear picture of their threat surfaces, manage their risk, and prioritize events to focus on what matters most, there will be problems.

"We have the tools to make it happen," he says. "But it can be a challenge to get them deployed and configured for best effect."

Tag

#ios