PRESS RELEASE

SAN DIEGO, April 29, 2024/PRNewswire/ -- ESET, a global leader in cybersecurity solutions, today announced the launch of two new Managed Detection and Response (MDR) subscription tiers: ESET PROTECT MDR for small and medium businesses (SMBs) and ESET PROTECT MDR Ultimate for enterprises. These offerings are built on the foundation of ESET PROTECT Elite and ESET PROTECT Enterprise, offering businesses of all sizes the most comprehensive, AI-powered threat detection and response capabilities, in combination with expert human analysis and comprehensive threat intelligence.

ESET's MDR offerings are designed to cater to the specific needs of both SMBs and Enterprises. To that end, ESET PROTECT MDR delivers a comprehensive cybersecurity package, offering 24/7/365 superior protection that addresses the most common challenges of small and medium-sized businesses. This includes modern protection for endpoints, email, and cloud applications, vulnerability detection and patching, and managed threat monitoring, hunting, and response. It addresses the cybersecurity talent shortages and ensures compliance with cyber insurance and regulations, offering a remarkable 20-minute average time to detect and respond, a comprehensive MDR dedicated dashboard and regular reporting for complete peace of mind.

For enterprises, ESET PROTECT MDR Ultimate offers continuous proactive protection and enhanced visibility, coupled with customized threat hunting and remote digital forensic incident response assistance. This comprehensive service is designed to support overstretched SOC teams, providing them with 24/7 access to world-class cybersecurity expertise. It ensures enterprises stay one step ahead of all known and emerging threats, effectively closing the cybersecurity skills gap, and facilitating expert consultations for incident management and containment in a fully managed experience.

ESET also sets itself apart with its own telemetry and unique global coverage, leveraging its detections and ESET Research to gather unique data about attacks, a competitive edge not offered by many players in the market.

"With the update of our business offering, we want to make ESET products accessible to customers without the necessary skill set or resources to operate them, but to also empower organizations to navigate the digital landscape confidently, safeguarded by our expertise and continuous, comprehensive coverage," stated Michal Jankech, Vice President of SMB and MSP segment at ESET.

Enhancements to the ESET business portfolio

Additionally, all ESET PROTECT subscription tiers, starting from ESET PROTECT Advanced, are now enhanced with ESET Mobile Threat Defense (EMTD). This new value-added, standalone module extends attack vector coverage to an organization's entire mobile fleet, seamlessly integrating into the ESET PROTECT Platform for efficient management, ensuring comprehensive protection for mobile devices. EMTD also includes a Mobile Device Management (MDM) functionality, with added support for Microsoft Entra ID.

Moreover, ESET Server Security introduces a firewall specifically designed for Windows servers, and Vulnerability & Patch Management, offering manual patch management and a 60-second delay of application process kill.

Finally, ESET LiveGuard Advanced now also offers advanced behavioral reports for our detection and response customers, providing an in-depth look into how our cloud sandboxing technology analyzes suspicious files, offering better visibility and context for security operators like cybersecurity and threat analysts, security engineers, or threat responders.

"This significant launch underscores ESET's unwavering dedication to delivering superior protection and services, effectively responding to the dynamic challenges faced by customers to stay one step ahead of threats," added Michal Jankech, Vice President of SMB and MSP segment at ESET.

For more detailed information about ESET and its updated portfolio, please visit the dedicated offering pages for SMBs and Enterprises.

About ESET  
ESET provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of known and emerging cyber threats — securing businesses, critical infrastructure, and individuals. Whether it's endpoint, cloud or mobile protection, its AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multi-factor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. An ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and X.

ESET PROTECT Portfolio Now Includes New MDR Tiers and Features

The CVE-2024-27322 security vulnerability in R's deserialization process gives attackers a way to execute arbitrary code in target environments via specially crafted files.

Source: Billion Photos via Shutterstock

A high-severity vulnerability in an R programming language process could expose organizations using the popular open source language to attacks via the software supply chain.

The vulnerability, assigned CVE-2024-27322, has a CVSS vulnerability-severity score of 8.8 out of 10. It involves R's process for deserializing data, or converting objects encoded in formats such as JSON, XML, and binary, back to their original form for use in an application or program.

R is a relatively widely used language for statistical computing and graphics applications. It is popular among developers in sectors such as financial services, healthcare, research, government and in environments involving large datasets such as AI and machine learning. The Comprehensive R Archive Network (CRAN), which is the most popular R package repository, currently hosts more than 20,000 packages, while R-Forge, a site that provides R package development tools, has more than 15,800 registered members and hosts some 2,146 projects.

**Deserialization Issue**

Researchers at HiddenLayer found a weakness in R's process that gives attackers a way to execute arbitrary code in a victim environment via a specially crafted R Data Serialization (RDS) file. Programmers commonly use RDS files to store or save objects in R for future use or for sharing with others.

"This vulnerability can be exploited through the loading of RDS files or R packages, which are often shared between developers and data scientists," HiddenLayer researchers Kasimir Schulz and Kieran Evans said in a report this week. "An attacker can create malicious RDS files or R packages containing embedded arbitrary R code that executes on the victim’s target device upon interaction," according to the report.

The maintainers of R have addressed the issue in R version 4.4.0 after HiddenLayer informed them of the issue.

**A Lazy Promise Allows Tinkering**

The vulnerability in R that HiddenLayer discovered relates to two fundamental concepts in R, called "lazy evaluation" and "promise objects." Lazy evaluation is a programming technique where an R program does not evaluate an expression or variable until actually required to, or when directly accessed. The goal is to improve performance by avoiding computations for expressions that might end up not being needed. A promise object is closely related to lazy evaluation and represents the object that has been delayed for evaluation.

What the researchers at HiddenLayer discovered was a way to create a promise object with a payload that would run code of their choice when the object was accessed during RDS file deserialization.

"R packages leverage the RDS format to save and load data," according to HiddenLayer. Two files that facilitate this process are an .rdb file that contains all the serialized objects to be included in a package, and an .rdx file that contains metadata about each of the objects.

"When a package is loaded, the metadata stored in the RDS format within the .rdx file is used to locate the objects within the .rdb file," according to the analysis. The objects within the .rdb files are then deserialized.

"An attacker can exploit this by creating an RDS file that contains a specially crafted promise object embedded with arbitrary code," Schulz tells Dark Reading. "Due to the way R implements lazy evaluation, the embedded arbitrary code will be executed once a user has loaded the malicious file or package." An attacker can relatively easily add a weaponized package to an R repository such as CRAN and simply wait for an unwary user to load that package.

**Potentially Vast Attack Surface: Multiple Infection Sources**

There are literally dozens of major hubs, such as R-Forget and Bioconductor, that R developers use to share and download packages. Not only are these hubs providing developers with access to thousands of packages, some, like Bioconductor, with more than 42 million downloads are being used regularly, Schulz says. "Someone just needs to take advantage of the vulnerability and the massive open source space for R packages to affect thousands of downstream users in a potentially massive supply chain attack," he says.

Schulz recommends that organizations move to the latest version of R to mitigate risk: "In addition, organizations should ensure that users of R are made aware of current and potential future vulnerabilities of this nature and make it policy to only use known trusted files and packages."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

R Programming Bug Exposes Orgs to Vast Supply Chain Risk

Okta warns users that the attack requests are made through an anonymizing service like Tor or various commercial proxy networks.

Source: Ahmed Zaggoudi via Alamy Stock Photo

Credential-stuffing attacks targeting online services are spiking due to the accessibility of residential proxy services, stolen credentials, and scripting tools, Okta is warning its users.

From April 19 through April 26, Okta's researchers observed an increase in credential-stuffing attacks against Okta accounts.

Moussa Diallo and Brett Winterford, researchers at Okta Security, note that all recent attacks share a common denominator: The requests are made largely through an anonymizing device such as Tor. 

In addition to this, the researchers found that millions of requests were routed through various residential proxies such as NSOCKS, Luminati, and Datalmpulse. These residential proxies are "networks of legitimate user devices that route traffic on behalf of a paid subscriber." The researchers recently have observed a significant number of mobile devices used in proxy networks where the user has a downloaded app on their device using compromised software developer kits (SDKs).

"Effectively, the developers of these apps have consented to or have been tricked into using an SDK that enrolls the device of any user running the app in a residential proxy network," the researchers wrote. "The net sum of this activity is that most of the traffic in these credential-stuffing attacks appear to originate from the mobile devices and browsers of everyday users."

Okta has released a capability into the Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) that blocks requests from anonymizing services. This feature can be turned on in the settings of the Okta Admin Console. Organizations that want to block access from specific anonymizers must be licensed to use Dynamic Zones, an Adaptive MFA feature.

Okta also recommends that its users shore up best-practice defense measures to prevent account takeovers from credential-stuffing attacks.

"Defense in-depth measures, such as utilizing multifactor authentication on externally available employee access portals as well as sensitive internal systems, are needed here," said Thomas Richards, principal consultant at Synopsys Software Integrity Group, in an emailed statement to Dark Reading. "Additionally, there are anomalous behavior detection systems that can identify if a user is logging in at an unusual time, physical location, or source IP address."

**About the Author(s)**

Okta: Credential-Stuffing Attacks Spike via Proxy Networks

While other professions are making up ground, cybersecurity still lags behind in female representation, thanks to a lack of respect and inclusion.

Source: Valeriy Kachaev via Alamy Stock Photo

Right now, in 2024, at least three of every four cybersecurity professionals is male.

Cybersecurity is hardly the only male-dominated industry, but even in contrast to others — like law (53%), accounting (46%), and doctors of medicine (37%) — it lags behind.

According to new research from ISC2, women make up just 20% to 25% of the cybersecurity industry. And that figure, it noted, has remained relatively consistent for some years.

It stands out even more when compared with the racial makeup of the industry. While the majority of cyber pros over the age of 40 in the US, the UK, Canada, and Ireland are white, the majority under 40 are not. ISC2 found that over the past 12 months, a full two-thirds of new entrants to the industry from those countries have been non-white.

The takeaway? Cybersecurity is fixing its diversity problem, but only halfway.

**Gender Representation in Cyber, by the Numbers**

Just 4% of ISC2 survey respondents indicated that women make up a majority of their security teams. By contrast, 11% admitted they have no women on their teams at all.

There seems to be a mild networking effect at play, too. The average woman in security works with around 8% more women (30%) on average than men do (22%).

The problem is pretty much the same across industries, as the most-diverse sectors, like cloud services, automotive, and construction (all 28% female), don't far outpace the least-diverse (military and energy, each at 20%).

There are, however, some positive trends alongside the lagging ones.

Where only around 14% or 15% of cyber pros over age 40 are women, at least 25% under age 35 are (a relative improvement).

Most interestingly, the women who do make it into the cybersecurity field tend to rise up the corporate ladder at least as high as, if not higher than, their male counterparts. Women own executive titles at a similar clip to men. A greater percentage of them possess managerial-level roles, and a lesser percentage are ranked as individual contributors. And counterintuitive though it may sound, a greater percentage of women in security are involved in the hiring process than are men (33% to 24%).

That data, however, contrasts with other recent findings.

**The Root of the Problem: Exclusion**

In its "2023 State of Inclusion Benchmark in Cybersecurity" report, Women in Cybersecurity (WiCyS) tracked the ways in which women experience exclusion in the industry. "Respect" ranked as the worst issue on its list, but just behind respect was "career and growth opportunities."

"Women are experiencing a glass ceiling at around six years," reports Lynn Dohm, executive director at WiCyS. "You could imagine the journey for a woman in cybersecurity as they're advancing in their career, not necessarily getting the stretch assignments they're anticipating, perhaps their managers aren't taking initiative and identifying the trajectory of their career within the organization, they're getting passed up for promotions and experiencing that lack of respect with microaggressions, tokenism, comments. All of that leads up to the point where an individual would likely choose to step out of the career and move into other areas."

It's a self-fulfilling cycle: Too little female representation is leading more women to steer clear of security. As Dohm puts it: "Lack of diversity in the workforce is a symptom of the lack of inclusion."

Simply hiring more women doesn't solve the problem, either, since exclusion extends far deeper than any one person or organization can account for.

"The gender gap in cybersecurity begins long before women reach the workforce," explains Jessy McDermott, partner solution architect at Aqua Security. "I know firsthand as a former engineering student that this gap existed at the college level. For example, only four other women — out of an original 15, excluding myself — completed the engineering program alongside me at UMass Dartmouth. During those four years, I experienced an ongoing prejudice and doubt and saw how women were ultimately driven out of the field before they even graduated.

"This is only exacerbated as time goes on and women begin to see that careers in information technology or cybersecurity are 'male-dominated.' If you’re somehow able to get through college without being driven out of the field, you've just started the first leg of a never-ending journey. Ultimately, this can all lead to imposter syndrome, which myself and many female friends in the industry deal with. I have days where, even now, as a cybersecurity professional with years of experience under my belt, I still get challenged to show and, more importantly, prove my knowledge to others."

So, she adds, "I love how more companies are going out of their way to hire more women into the field, but to see a difference, women need internal support to feel confident and be successful in their roles."

**Non-Diversity Consequences to Companies**

Besides the obvious consequences for people, there are also consequences for uniformity for companies.

"When retention isn't there for female talent, it costs money, because it's pulling back out recruiting dollars. And it's also a reputational risk," Dohm notes.

"Broader than cybersecurity, there's a body of research that says the more perspectives you bring to the table, the better off you will be at problem solving," says Clar Rosso, CEO of ISC2. "In cybersecurity, which is a very complex, growing threat landscape, the more perspectives that we bring to the table to solve problems, the more likely we will be able to impact our cyber defense."

Dohm puts it tersely: "It's a security risk not having the diverse perspective that women bring to the cybersecurity workforce."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Cybersecurity Is Becoming More Diverse … Except by Gender

Tracking code used for keeping tabs on how members navigated through the healthcare giant's online and mobile sites was oversharing a concerning amount of information.

Source: Wirestock, Inc. via Alamy Stock Photo

Hard on the heels of a significant data theft at UnitedHealth, fellow healthcare behemoth Kaiser Permanente publicly announced a data breach affecting 13.4 million current and former insurance members.

Kaiser's systems inadvertently shared patient data with third-party advertisers, including Google, Microsoft, and social platform X, the company said, thanks to the presence of improperly implemented tracking code that Kaiser used to see how its members navigated through its Web and mobile sites.

"Certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors," the company said in a media statement.

The shared data included names, IP addresses, what pages people visited, whether they were actively signed in, and even the search terms they used when visiting the company's online health encyclopedia.

Kaiser has reportedly removed the tracking code from its sites, and while the incident wasn't a hacking event, the breach is still concerning from a security perspective, according to Narayana Pappu, CEO at Zendata.

"The presence of third-party trackers belonging to advertisers, and the oversharing of customer information with these trackers, is a pervasive problem in both health tech and government space," he explains. "Once shared, advertisers have used this information to target ads at users for complementary products (based on health data); this has happened multiple times in the past few years, including at Goodrx. Although this does not fit the traditional definition of a data breach, it essentially results in the same outcome — an entity and the use case the data was not intended for has access to it. There is usually no monitoring/auditing process to identify and prevent the issue."

**About the Author(s)**

13.4M Kaiser Insurance Members Affected by Data Leak to Online Advertisers

Likely China-linked adversary has blanketed the Internet with DNS mail requests over the past five years via open resolvers, furthering Great Firewall of China ambitions. But the exact nature of its activity is unclear.

Source: Mrinal Pal via Shutterstock

During an investigation into the activities of a threat group providing domain name system (DNS) infrastructure for illicit online gambling sites, threat researcher Renée Burton discovered something completely novel: Covert traffic immune to China's government-run firewall using open DNS resolvers and mail records to communicate.

The China-linked group — dubbed Muddling Meerkat — has demonstrated its ability to get specific DNS packets through the Great Firewall, one of the technologies separating China's Internet from the rest of the world, Burton, vice president of threat research at network security firm Infoblox, wrote in an analysis published this week.

While most requests for restricted domains return a seemingly random IP address, Muddling Meerkat is able to get DNS mail (MX) records with random-looking prefixes in response to certain requests, even when the domain has no mail service.

The goal of the capability remains unclear — most likely it's for reconnaissance or establishing the foundations of a DNS denial-of-service attack, Burton says — but the demonstrated expertise and ability to pierce the GFW deserves additional research, she says.

"We have a deliberate, very cunning use using very detailed knowledge of DNS — this is not your average cybercriminal; this is not your average teenager; these people are experts in DNS," Burton says. "So we have something that has been going on for four and a half years at this point, which isn't observable in any one location, but is deliberate and constant — and that combination of things, to me, is worrisome."

The threat research comes as the governments of the United States and other nations have warned that China's military has infiltrated critical infrastructure networks with a goal of pre-positioning their cyber operators for potential future conflicts. While many threat researchers have noted China-linked hacking groups' expertise in finding and exploiting zero-days in edge devices such as firewalls and virtual private network (VPN) appliances, the current research underscores their capabilities in utilizing the domain name system (DNS) for their own purposes.

**Great Chinese Firewall: "Operator on the Side"**

The Chinese Communist Party prevents its citizens from going to content that the government considers inappropriate or illegal — not by blocking the traffic, but by returning fake responses to DNS queries that prevent a user in China from connecting to the desired site. The approach, dubbed the Great Firewall (GFW), is not an inline traffic filter nor a platform that alters DNS responses on the fly, but rather an "operator on the side" that issues a response that competes with any packet from the original intended destination, says Burton.

While the Great Firewall does not intercept traffic, China does operate another system — often referred to as the Great Cannon (GC) — that takes the adversary-in-the-middle (AitM) approach, modifying packets en route to their destination, she wrote in the report.

"In combination, the GFW and GC create a lot of noise and misleading data that can hinder investigations into anomalous behavior in DNS," the report said. "Muddling Meerkat operations are complex and demonstrate that the actor has a strong understanding of DNS, as well as internet savvy."

Mail (MX) records from kb.com, even though the domain has no mail service. Source: Infoblox

Typically, researchers can see the Great Firewall in operation. When they send a DNS request to a domain considered to be out of bounds by the Chinese government, the GFW will return a seemingly random IP address. When they ask for a non-existent service for that domain, such as a mail (MX) record, the GFW still sends an IP address. However, Infoblox researchers and their industry partners instead saw mail records for domains that had no mail services, and each MX records had a seemingly random, albeit short, host name.

Kb.com, for example, has no MX records, but the researchers have seen a large number of mail responses, seemingly from the domain for servers with names such as "pq5bo\[.\]kb\[.\]com" and "uff0h\[.\]kb\[.\]com".

**Covert Widespread DNS Traffic**

The unexplained Internet traffic — which was initially detected as far back as Oct. 15, 2019 — could be some sort of reconnaissance that uses open resolvers and "super-aged" domains that foil many DNS block lists, says Burton.

"It's super under the radar, right? So that's kind of a recon-y looking thing," she says. "The other thing about it, though, is it has that DNS denial-of-service aspect. There are concerns that the Chinese are positioning themselves for operations against critical infrastructure, and here they've positioned themselves in DNS in a really weird way."

Combined with the recent announcement by the US Cybersecurity and Infrastructure Security Agency (CISA) that China is pre-positioning itself inside other organizations' infrastructures, Infoblox decide to go public with what the company and its anonymous partners had discovered.

Infoblox collaborated with other organizations, which the company declined to name due to worries of retribution and the potential loss of access to the DNS activity data. While the Muddling Meerkat operation appears similar to some "slow drip" DNS denial-of-service attacks, determining the purpose of the traffic will likely require more research participants, Burton says.

"I don't believe there's anyone who can see this operation in totality," she says. "Every single piece is seen individually, and then what we did was we brought a bunch of different pieces together, so we could see the whole thing. This is a complete mystery ... but it definitely is there."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

'Muddling Meerkat' Poses Nation-State DNS Mystery

By embracing a proactive approach to cyber-risk management, companies can better detect, prevent, and mitigate cyber threats while integrating the latest state-of-the-art technology.

Source: NicoElNino via Alamy Stock Photo

COMMENTARY

In today's fast-paced world, most businesses are racing to incorporate the latest technology and innovations to meet the demands of customers craving convenience and accessibility. After all, who doesn't love banking from their phone 24/7 or shopping from their couch?

To meet these demands, companies rush to implement new technology as quickly as it emerges, but while enhancing business operations is undeniably lucrative, it comes with a price: Risk. As we embrace all the luxuries of innovation, cybercriminals are poised to exploit the vulnerabilities that these changes expose. Industries like healthcare and financial services are especially attractive targets, due to the valuable data and assets they are entrusted to protect, but cybercrime poses a threat to all. As a result, taking a proactive approach to managing cyber-risk, which involves pre-emptive and continuous action to assess and address risks caused by innovation, is being emphasized as a strategic necessity.

Traditional cybersecurity practices are like playing a never-ending game of whack-a-mole, because just as soon as one risk or vulnerability is addressed, another one pops up, presenting a new challenge. This can be frustrating, time-consuming, and ineffective in the rapidly evolving threat landscape. This ever-changing complexity further highlights the dynamic landscape of cybersecurity. We know that risk is an inherent part of all change — whether opening a new physical location, merging with another company, or implementing an online bill pay system, any modifications open the door to new vulnerabilities. Sounds bleak, right? Yes, the warnings about risk are ominous, but there is a way for businesses to participate in innovation successfully and prepare for the inevitable risk … and it's all about embracing a new mindset.

In the latest annual Global CEO Survey by PwC, CEOs in the financial sector and capital markets reported a significant concern over the threat to profitability due to changing consumer demands and behaviors. As a way to tackle this possible problem, CEOs invest significantly in technology such as AI and cloud solutions by automating processes and systems to improve the customer experience — a proactive measure to mitigate a possible threat to their bottom line.

However, a lack of attention to cybersecurity during the implementation of these technology solutions poses a significant risk to organizations where trust is critical. Cybersecurity is often an afterthought as companies integrate new processes and, especially, new technologies. This mindset leaves your business and your customers vulnerable to threat actors, so it’s time to substantially shift how change, risk, and strategy are perceived.

**An Action Plan**

Integrating cybersecurity defenses in tandem with new technology — not as a reactive action because a threat suddenly popped up — is the most effective route. Put the mallet down and approach cyber-risk with real-time data so your company stays ahead of emerging threats, instead of standing poised and hoping your reaction is well-timed. The development of technologies should be designed and planned with possible exposure to risk at the forefront. This proactive method simultaneously addresses both challenges, improves their performance through technology, and bolsters security measures. To implement this approach, a cyber framework that integrates with new projects at every stage can be implemented, even if it means extending the development timeline. In that way, businesses can address both challenges in a complementary manner, enhancing performance through technology while becoming more cyber secure.

This approach not only protects against cyber threats but also improves customer experience, since customers often demand seamless, convenient, and secure services. By integrating cybersecurity in tandem with technology implementation, companies across all industries can improve their customer experience while retaining trust. 

It’s important for businesses to work with a trusted partner in cyber-risk management to evaluate new technology for risk as it is created, rather than reacting to the risk that the technology triggered. This approach allows your company to identify potential vulnerabilities in new technology early on and implement appropriate security measures to mitigate the risks rather than addressing them after your business and your customers are already at risk. This assessment can identify potential vulnerabilities in the technology and determine the level of risk associated with each vulnerability. Based on this assessment, a plan is developed to mitigate the risks and ensure the security of systems and data. The information can be leveraged to create and implement policies and procedures for managing and monitoring the new technology to ensure ongoing security.

These recommendations serve as a reminder that being proactive doesn't just involve addressing risk due to a new product or service offering. It also means being proactive in defining, adopting, and measuring the effectiveness of risk assessments, as well as implementing the best practices that can mitigate these risks before they occur.

By embracing a proactive approach to cyber-risk management as a whole, companies across all industries can better detect, prevent, and mitigate cyber threats while integrating the latest state-of-the-art technology. And the best part? You can put that mallet away, because your company will detect threats before they even have a chance to pop up.

**About the Author(s)**

CEO, DefenseStorm

Steve Soukup has served as Chief Executive Officer at DefenseStorm since 2020 and in that role is responsible for leading all aspects of the company’s business. He is passionate about building a community of trust among our teams and with our customers while also enabling our customers to do the same with their account holders. Steve joined DefenseStorm as Chief Revenue Officer in May 2017 with a charge to drive growth for the business while leveraging his extensive experience serving the banking vertical. He was promoted to President in October 2019 and then to CEO in April of 2020. Under his leadership, DefenseStorm has set the standard for enabling banks and credit unions to achieve cyber risk readiness. Steve is a graduate of Boston College and earned a Master of Business Administration degree from Boston University. A native of Cleveland, Ohio, Steve and his family have called the Atlanta area home for over 10 years.

Addressing Risk Caused by Innovation

Red teaming is a crucial part of proactive GenAI security that helps map and measure AI risks.

Source: josefotograf via Alamy

Generative artificial intelligence (GenAI) has emerged as a significant change-maker, enabling teams to innovate faster, automate existing workflows, and rethink the way we go to work. Today, more than 55% of companies are currently piloting or actively using GenAI solutions.

But for all its promise, GenAI also represents a significant risk factor. In an ISMG poll of business and cybersecurity professionals, respondents identified a number of concerns around GenAI implementation, including data security or leakage of sensitive data, privacy, hallucinations, misuse and fraud, and model or output bias.

For organizations looking to create additional safeguards around GenAI use, red teaming is one strategy they can deploy to proactively uncover risks in their GenAI systems. Here's how it works.

**Unique Considerations When Red Teaming GenAI**

GenAI red teaming is a complex, multistep process that differs significantly from red teaming classical AI systems or traditional software.

For starters, while traditional software or classical AI red teaming is primarily focused on identifying security failures, GenAI red teaming must account for responsible AI risks. These risks can vary widely, ranging from generating content with fairness issues to producing ungrounded or inaccurate information. GenAI red teaming has to explore potential security risks and responsible AI failures simultaneously.

Additionally, GenAI red teaming is more probabilistic than traditional red teaming. Executing the same attack path multiple times on traditional software systems is likely to yield similar results.

However, due to its multiple layers of nondeterminism, GenAI can provide different outputs for the same input. This can happen due to app-specific logic or the GenAI model itself. Sometimes the orchestrator that controls the output of the system can even engage different extensibility or plug-ins. Unlike traditional software systems with well-defined APIs and parameters, red teams must account for the probabilistic nature of GenAI systems when evaluating the technology.

Finally, system architectures vary widely between different types of GenAI tools. There are standalone applications, integrations with existing applications, and input and output modalities, like text, audio, images, and videos, for teams to consider.

These different system architectures make it incredibly difficult to conduct manual red-team probing. For example, to surface violent content generation risks on a browser-hosted chat interface, red teams would need to try different strategies multiple times to gather sufficient evidence of potential failures. Doing this manually for all types of harm, across all modalities and strategies, can be exceedingly tedious and slow.

**Best Practices for GenAI Red Teaming**

While manual red teaming can be a time-consuming, labor-intensive process, it's also one of the most effective ways to identify potential blind spots. Red teams can also scale certain aspects of probing through automation, particularly when it comes to automating routine tasks and helping identify potentially risky areas that require more attention.

At Microsoft, we use an open automation framework — known as the Python Risk Identification Tool for generative AI (PyRIT) — to red team GenAI systems. It is not intended to replace manual GenAI red teaming, but it can augment red teamers' existing domain expertise, automate tedious tasks, and create new efficiency gains by identifying hot spots for potential risks. This allows security professionals to control their GenAI red-teaming strategy and execution while PyRIT provides the automation code to generate potentially harmful prompts based on the initial dataset of harmful prompts provided by the security professional. PyRIT can also change tactics based on the GenAI system's response and generate its next input. 

Regardless of the method you use, sharing GenAI red-teaming resources like PyRIT across the industry raises all boats. Red teaming is a crucial part of proactive GenAI security, enabling red teamers to map AI risks, measure identified risks, and build out scoped mitigations to minimize their impact. In turn, this empowers organizations with the confidence and security they need to innovate responsibly with the latest AI advances.

— Read more Partner Perspectives from Microsoft Security

**About the Author(s)**

Microsoft

Protect it all with Microsoft Security.

Microsoft offers simplified, comprehensive protection and expertise that eliminates security gaps so you can innovate and grow in a changing world. Our integrated security, compliance, and identity solutions work across platforms and cloud environments, providing protection without compromising productivity.

We help customers simplify the complex by prioritizing risks with unified management tools and strategic guidance created to maximize the human expertise inside your company. Our unparalleled AI is informed by trillions of signals so you can detect threats quickly, respond effectively, and fortify your security posture to stay ahead of ever-evolving threats.

How to Red Team GenAI: Challenges, Best Practices, and Learnings

PRESS RELEASE

London, UK. 24th April 2024: Performanta, the multinational cybersecurity firm specialising in helping companies move beyond security to achieve cyber safety, has uncovered a trend in how developing countries are being targeted by nation state actors.

The firm’s analysis explored the origins and characteristics of Medusa, a ransomware-as-a-service targeting organisations globally. The patterns suggest that developing countries are hit first with a trend that shows a rising impact on developed countries. It implies that ransomware activities are not entirely random and a strategy is in place to focus on organisations within developing countries as their initial targets.

Guy Golan, CEO and Executive Chairman of Performanta, states: “Our analysis suggests that BRICS nations, and particularly the African continent, have become a testing ground for nation-state attacks. In order to achieve a more cyber safe environment for all organisations globally, we need to increase awareness of this growing issue. It is only through understanding the trends and patterns of geopolitical cyber warfare that will enable us to bring clarity to the global threat landscape.”

Performanta’s research has delved into precisely how attackers are using Africa, and the extent to which the region is under major threat.

In South Africa, a 10-year review of the cyber threat landscape found that the most prevalent perpetrators of attackers were trained hackers, and the top three most likely targeted industries on the continent are finance, manufacturing and energy. This poses a serious problem, with the average successful nation-state-backed cyber attack costing an average of $1.6 million per incident.

Performanta’s report also reveals a large increase in financial/banking trojans with a 59% increase in Kenya and a 32% increase in Nigeria across a single quarter.

Golan continues: “Attackers likely perceive attacking Africa to have fewer risks to themselves than directly attacking the West, and as a bridge to the Western world, it’s likely that methods are tried and tested in Africa first, before being deployed across developed countries later. As an emerging economy, Africa may have become an entry point for attackers aiming to access and disrupt Western assets indirectly. No matter the reasoning, the West and Africa must implement long-term collaborative efforts to build a strong defence against this threat.”

With a strong foothold in both South Africa and the UK, Performanta is uniquely positioned to bridge the gap between nations to form a cyber safe defence against nation-state enemies.

For more information or to read Performanta’s full report, download here.

About Performanta

Performanta is a multinational company that specialises in cyber safety. Founded in 2010, we have grown to over 180 security professionals. We provide risk and resilience consulting, managed detection and response, and continuous threat exposure management services, with a human touch. Our focus extends beyond your security controls, to your wellbeing. We work tirelessly with clients to manage the cyber security risks.

Performanta is a leading Microsoft Solutions Partner. We have been nominated by Microsoft to join its Intelligent Security Association (MISA), a worldwide group comprising 300 of its most proficient partners.

 Performanta is approved to design, develop and operate security solutions for on-premises and cloud service users. We specialise in Managed Extended Detection & Response (MXDR), Identity and Access Management, and Threat Protection.

We work with enterprises across many industry sectors, that require a cyber safety service. Operating from the UK, South Africa, North America and continental Europe, our teams deliver global services with a local feel.

New Research Suggests Africa Is Being Used As a 'Testing Ground' for Nation State Cyber Warfare

PRESS RELEASE

McLean, Va. & Bedford, Mass., April 25, 2024 — MITRE’s Cyber Resiliency Engineering Framework (CREF) NavigatorTM now incorporates the US Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) so cybersecurity engineers for the Defense Industrial Base (DIB) can strengthen supply chain resilience against sophisticated cybersecurity attacks. The CREF Navigator aligns with NIST SP 800-171, the National Institute of Standards and Technology’s (NIST) publication designed to safeguard Controlled Unclassified Information (CUI) and the subset of NIST SP 800-172 that aligns with the proposed CMMC Level 3 model which has 24 of the 34 security requirements that address more sophisticated cybersecurity attacks.

“Our national security depends on the security of our defense systems and the supply chains to enable that defense,” said Wen Masters, vice president, cyber technologies, MITRE. “All along the supply chain, you need accountability in following the appropriate security requirements to build a resilient system. Resilience in the face of a cyber-attack is not a quick fix. Resiliency must be engineered before an incident.”

MITRE in partnership with NIST created the original cyber resiliency framework, NIST SP 800-160, Volume 2 (Rev. 1). The CREF Navigator, which debuted in early 2023, makes that NIST framework searchable and visualized. With the tool, engineers can make educated and informed choices while designing resilient cyber solutions. Beyond pairing with CMMC, the CREF Navigator also aligns with the MITRE ATT&CK® knowledge base of tactics and techniques and Cyber Model-Based Systems Engineering (MBSE) for cyber threat modeling.

“To allow cyber engineers to customize the tool for their individual needs, we enhanced the CREF Navigator so users can create their own scenarios and apply different parameters of threats and techniques,” said Shane Steiger, principal cybersecurity engineer, MITRE. “Regardless of how you keep your security data, you can import your data into the CREF Navigator via a .csv file, and the visualization of the data can be exported back out to a .csv file. Later this year, we’ll add enhancements for Zero Trust Architectures.”

As with many of MITRE’s resources for cyber defenders that are developed in the public interest, the CREF Navigator is freely available to the greater cyber community. See the CREF Navigator in action at https://CREFNavigator.mitre.org.

About MITRE  
MITRE’s mission-driven teams are dedicated to solving problems for a safer world. Through our public-private partnerships and as an operator of federally funded R&D centers, we work across government and in partnership with industry to tackle challenges to the safety, stability, and well-being of our nation. Learn more at mitre.org.

You May Also Like

Source

DARKReading