Prioritizing security and user experience will help you build a robust and reliable authentication system for your business.

Source: Tomasz Zajda via Alamy Stock Photo

Authentication protocols serve as the backbone of online security, enabling users to confirm their identities securely and access protected information and services. They define how claimants (users trying to access a digital service) and verifiers (the entities authenticating them) communicate. The protocols exchange information to verify the validity of the authentication service and confirm that the claimant possesses the appropriate token to authenticate their identity.

With myriad authentication protocols available, however, selecting the appropriate one for your organization can be daunting. Following are the key authentication protocols, along with insights into choosing the right one for your business needs.

Each authentication protocol offers unique features tailored to specific use cases and security requirements. If you're trying to figure out which one is best for your business, consider these four authentication protocols and their potential use cases.

OAuth/OpenID Connect (OIDC): OAuth, primarily designed for authorization, allows users to grant third-party applications limited access to their private resources without revealing their credentials. You might consider using OAuth from providers such as Google and GitHub to prioritize quick user registrations while getting validated information.

OpenID Connect (OIDC) is an open standard that builds on OAuth by providing authentication capabilities using an ID token to verify user identity securely. OIDC suits scenarios in which interoperability and user authentication across multiple systems are crucial, such as in federated identity management systems.

Both OAuth and OpenID Connect are widely adopted, allowing for interoperability between different systems, and they let users authenticate once to use the same credentials across multiple services. OAuth and OpenID Connect are, however, susceptible to phishing attacks and token theft if not implemented securely.

Security Assertion Markup Language (SAML): SAML is an XML-based standard for exchanging identity information between the user, the identity provider (IdP), and the service provider (SP). SAML offloads authentication responsibilities to specialized IdPs, reducing the burden on SPs and enhancing security. SAML works best for single sign-on (SSO) authentication in enterprise environments, where centralized authentication and access control are essential.

SAML supports use cases like identity federation, but SAML configurations can be complex and require careful management. SAML's reliance on XML may also introduce complexity owing to it being an older format than more modern ones, like JSON.

FIDO2/WebAuthn: FIDO2 is an open standard for passwordless authentication that relies on registered devices or hardware security keys to verify user identities. WebAuthn, a component of FIDO2, enables passwordless authentication through possession-based and biometric methods. You may want to consider WebAuthn for consumer-facing applications and mobile-first experiences, leveraging native device capabilities for seamless and secure authentication.

Passkeys, which are cross-device credentials based on the WebAuthn standards, have been implemented in several large organizations like Google, Apple, Shopify, Best Buy, TikTok, and GitHub over the past few years. Success stories from early adopters and increased awareness among end users are sure to continue driving adoption in the years to come.

FIDO2 and WebAuthn provide strong security against phishing and other attacks — because they don't rely on shared secrets like passwords — and a user-friendly experience, because users don't need to remember complex passwords. That said, FIDO2 and WebAuthn aren't compatible with all devices and browsers; current support gaps might make these protocols cumbersome for some users.

Time-Based One-Time Password (TOTP): TOTP generates single-use passcodes based on a shared secret key and the current time, often providing an additional layer of security in multifactor authentication (MFA) setups. TOTP supports both hardware tokens and software-based authenticator applications. You should consider TOTP for various authentication scenarios that require enhanced security.

TOTP provides an additional layer of security beyond a password, as the code changes frequently and is tied to the specific device generating it. TOTP does, however, require the user to have a separate device to generate the codes, and it doesn't protect against phishing if the user is tricked into handing the code over to the attacker.

**Factors in Selecting an Authentication Protocol**

It's easy to generalize which of the above four protocols you should use. Business applications targeting enterprises should use SAML because of its robust SSO capabilities and centralized authentication management. Consumer and mobile applications should pick WebAuthn/passkeys to provide a seamless and secure authentication experience that leverages native device features, like biometrics.

That said, each business has unique requirements, and it's not always best to generalize. Here are some factors to keep in mind when choosing an authentication protocol:

1.  Security levels: Prioritize protocols that offer robust security measures to safeguard user data and prevent unauthorized access.
    
2.  Integration: Choose protocols that seamlessly integrate with your existing infrastructure to streamline implementation and maintenance processes.
    
3.  Scalability: Ensure that the selected protocol can accommodate your organization's growth and an increasing user base without compromising performance or security.
    
4.  Authentication method: Consider the authentication methods your users prefer and select protocols that align with their expectations and UX preferences.
    

Choosing the right authentication protocol is critical for maintaining the security and trust of your users. By understanding the features and use cases of different protocols and considering factors such as security, integration, scalability, and user experience, you can select the most suitable protocol for your organization's needs.

**About the Author(s)**

Meir Wahnon is a co-founder at Descope, a drag-and-drop customer authentication and identity management platform. Before Descope, Meir served as senior director of engineering at Palo Alto Networks after the acquisition of Demisto, where he was part of the founding team. Meir is passionate about open source, no-code / low-code platforms, and ML. In his spare time, Meir likes to try out new Michelin-star restaurants around the world.

Selecting the Right Authentication Protocol for Your Business

Agency encourages broader use of encryption, data-loss prevention, as well as data rights management to safeguard data, networks, and users.

Source: Brain Light via Alamy Stock Photo

The National Security Agency has published its latest guidance for organizations interested in moving toward a zero-trust cybersecurity framework, with a particular focus on stopping unauthorized access to data both in transit and in storage.

NSA recommendations include the use of encryption, tagging, labeling, data-loss prevention strategies, and data rights management tools. The NSA suggestions are intentionally aligned with zero-trust frameworks to help government agencies and enterprises defend against increasingly sophisticated cyberattacks.

"Malicious cyber actors continuously increase their ability to infiltrate networks and gain access to sensitive data," Dave Luber, the NSA's director of cybersecurity, said in a statement about the latest round of NSA zero-trust advisories. "Assuming that breaches will occur, implementing the pillars of the zero-trust framework is how we combat that activity."

This focus on what the NSA in its report calls the "data pillar" is the continuation of the agency's development of zero-trust best practices, begun when it first released "Embracing a Zero Trust Security Model" in February 2021.

Just last month, the NSA updated its guidelines for implementing zero trust, which drew a distinction between macro- and microsegmentation of networks. Macrosegmentation is intended for workgroups and departments; micro-segmentation separates traffic even further so that not all users have the same access rights — a bid to reduce an organization's attack surface.

**About the Author(s)**

NSA Updates Zero-Trust Advice to Reduce Attack Surfaces

It's finally happening: Rather than just for productivity and research, threat actors are using LLMs to write malware. But companies need not worry just yet.

Source: Ole.CNX via Shutterstock

Researchers from Proofpoint recently observed a malicious campaign targeting dozens of organizations across various industries in Germany. One part of the attack chain stood out in particular: an otherwise ordinary malware dropper whose code had clearly been generated by artificial intelligence (AI).

What the researchers discovered: Initial access broker (IAB) TA547 is using the AI-generated dropper in phishing attacks.

Though it may be a harbinger of more to come, it's no cause for panic. Defending against malware is the same no matter who or what writes it, and AI malware isn't likely to take over the world just yet.

"For the next few years, I don't see malware coming out of LLMs being more sophisticated than something a human is going to be able to write," says Daniel Blackford, senior manager of threat research at Proofpoint. After all, AI aside, "We've got very talented software engineers who are adversarially working against us."

TA547 has a long history of financially motivated cyberattacks. It came to prominence trafficking Trickbot, but has cycled through handfuls of other popular cybercrime tools, including Gozi/Ursnif, Lumma stealer, NetSupport RAT, StealC, ZLoader, and more.

"We're seeing — not just with TA547, but with other groups as well — much faster iteration through development cycles, adoption of other malware, trying new techniques to see what will stick," Blackford explains. And TA547's latest evolution seems to have been with AI.

Its attacks began with brief impersonation emails — for example, masquerading as the German retail company Metro AG. The emails contained password-protected ZIP files couching compressed LNK files. The LNK files, when executed, triggered a Powershell script that dropped the Rhadamanthys infostealer.

Sounds simple enough, but the Powershell script that dropped Rhadamanthys had one strange characteristic. Within the code, above each and every component, was a hashtag followed by hyper-specific comments about what the component achieved.

A snippet of the TA547 dropper. Source: Proofpoint

As Proofpoint noted, this is characteristic of LLM-generated code, indicating that the group — or whoever originally wrote the dropper — used some sort of chatbot to write it.

**Is Worse AI Malware to Come?**

Like the rest of us, cyberattackers have been experimenting with how AI chatbots can help them achieve their goals more easily, expeditiously, and effectively.

Some have figured out little ways to use AI to enhance their day-to-day operations, for example by aiding research into targets and emerging vulnerabilities. But aside from proofs-of-concept and the odd novelty tool, there hasn't been much evidence that hackers are writing useful malware with the help of AI.

That, Blackford says, is because humans are still far better than robots at writing malicious code. Plus, AI developers have taken steps to prevent the misuse of their software.

At least for now, he says, "the ways that these groups are going to leverage AI to scale up their operations is more of an interesting problem than the idea that they're going to create some new super malware with it."

And even once they do autogenerate super malware, the job of defending against it will remain the same. As Proofpoint concluded in its post, "In the same way LLM-generated phishing emails to conduct business email compromise (BEC) use the same characteristics of human-generated content and are caught by automated detections, malware or scripts that incorporate machine-generated code will still run the same way in a sandbox (or on a host), triggering the same automated defenses."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

TA547 Uses an LLM-Generated Dropper to Infect German Orgs

Though a municipal agency assures the public that few are affected, hundreds have their data held ransom for $100,000 by the ransomware gang.

Source: dbtravel via Alamy Stock Photo

The Medusa ransomware gang claimed responsibility earlier this week for a March cyberattack on Tarrant County Appraisal District and is threatening to leak 218GB of stolen data with a six-day deadline if the $100,000 ransom is not paid.

Tarrant County Appraisal District determines property values in Fort Worth, Texas, and released an update informing the public that the personal information of roughly 300 individuals was affected.

"On March 21, 2024, Tarrant County Appraisal District experienced a network disruption. In response to the discovery, we took steps to secure our network and are working with leading independent cybersecurity experts to assist with the investigation, response, and restoration process," said Jon Don Bobbitt, chief appraiser in Tarrant Appraisal District, in a statement.

Affected individuals will be contacted to assist them with the protection of their personal information, but it is recommended that any suspicious activity should be reported as soon as possible.

The attack was reported to the FBI, and work is underway to restore operations, though the county offered no update regarding whether the ransom will be paid.

**About the Author(s)**

Medusa Gang Strikes Again, Hits Nearly 300 Fort Worth Property Owners

In a cyberattack more reminiscent of the 2010s, a seemingly lone hacker fleeced a major corporation for millions of open customer records.

Source: Jade Kelly via Alamy Stock Photo

A hacker with no known history has leaked personal information belonging to millions of customers of boAt, a consumer electronics company in India.

The company is India's leading manufacturer of wireless audio and wearables; boAt controlled around 26% of the wearables market as of 2023, according to data from IDC. It sells nearly 40% of all earbuds in the country — more than five times its nearest competitor — according to 2022 data from Counterpoint Research.

The threat actors, operating under the nom de guerre "ShopifyGUY," on April 5 published 2GB worth of files onto the Dark Web, according to reports. The files contained around 7.5 million entries' worth of personally identifiable information (PII) relating to boAt customers, including names, addresses, phone numbers, emails, and more.

The entire lot of it was listed for around only $2, potentially raising suspicion about the data's authenticity. However, multiple news outlets have since contacted samples of affected customers, confirming that their information is correct.

Dark Reading has reached out to boAt's security team to confirm the details of the attack but has not yet received a response.

**Preventing Customer Data Leaks**

To prevent falling victim to such an attack, Darren Williams, CEO and founder of BlackFog, suggests that companies invest in anti-exfiltration tools.

"Anti-data exfiltration is about looking for data leaving the network, and then running AI over the top of all of it to look for if it's a legitimate request," he explains. Programs trained to do this job run on dozens of contextual and behavioral parameters to distinguish legitimate from illegitimate traffic.

With that said, he adds, there are even simpler and lower-tech steps companies can take to make simple leaks more complicated.

"In a mature organization," he explains, "a basic requirement of security is data encryption at rest. That way, if somebody's accessing your database, it doesn't matter, because they can't decrypt it anyway. So it fascinates me that, in this day and age, people don't do the very basic step of encrypting their database.

"It's not hard — it takes 30 seconds, you just have to press the On button. It makes me think \[boAt\] was asleep at the wheel."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Attack on Consumer Electronics Manufacturer boAt Leaks Data on 7.5M Customers

Various anti-detection features, including the use of the ScrubCrypt antivirus-evasion tool, fuel an attack that aims to take over Microsoft Windows machines.

Source: Shane in Sweden via Shutterstock

A newly exposed corporate phishing campaign targeting Microsoft Windows users is delivering a flurry of remote access Trojans (RATs) and other malware under the cover of multiple detection-evasion techniques.

The attackers behind the campaign try to lure users into clicking on an attachment that ultimately employs the tool ScrubCrypt to deliver primarily the VenomRAT version 6, although various other oft-used malware also are associated with the campaign, researchers from Fortinet's FortiGuard Labs Threat Research revealed in a blog post.

While the RAT maintains a connection with attackers' command-and-control (C2) server, the attack drops plug-ins including Remcos RAT, XWorm, NanoCore RAT, and a stealer designed for specific crypto wallets, according to the researchers.

Ultimately the campaign is aimed at stealing critical data from targeted systems — ostensibly to be used in future attacks — as well achieving persistence on a victim's network, according to the post.

"The attackers employ a variety of methods, including phishing emails with malicious attachments, obfuscated script files, and Guloader PowerShell, to infiltrate and compromise victim systems," wrote Cara Lin, senior antivirus analyst at Fortinet. "Furthermore, deploying plugins through different payloads highlights the versatility and adaptability of the attack campaign."

VenomRAT is a tool used previously by the 8220 Gang, a cybercriminal group that uses a powerful botnet as its weapon of choice. ScrubCrypt, meanwhile, converts executables into undetectable batch files, providing "several options to manipulate malware, making it more challenging for antivirus products to detect," Lin noted.

**Phony Invoice Phish**

The campaign typically starts with a phishing email stating that a shipment has been delivered with an attached "invoice" that is actually an SVG file named "INV0ICE\_#TBSBVS0Y3BDSMMX.svg" and contains embedded base64-encoded data.

If a targeted user opens the SVG file, the ECMAScript creates a new blob and utilizes "window.URL.createObjectURL" to drop the decoded data as a ZIP file named "INV0ICE\_#TBSBVS0Y3BDSMMX.zip." The decompressed file reveals an obfuscated batch file with an embedded payload that appears to be created by the BatCloak tool, which distributes malware while effectively evading detection by antivirus program, Lin explained.

The embedded script initially copies a PowerShell execution file to "C:\\Users\\Public\\xkn.exe" and utilizes the copied file in later commands, using parameters that conceal its activity. It then decodes the malicious data and saves it as "pointer.png," which is later executed as "pointer.cmd" and deletes all the previously executed files.

**ScrubCrypt Delivers VenomRAT**

The "pointer.cmd" file serves as the ScrubCrypt batch file, and it's "deliberately cluttered with numerous junk strings to obscure readability," Lin wrote. The file incorporates two payloads, the first of which serves two primary purposes: establishing persistence and loading the targeted malware, VenomRAT. The second payload from the ScrubCrypt batch file is for AMSI bypass and ETW bypass, she noted.

VenomRAT was first identified in 2020 and uses a modified version of the well-known Quasar RAT. It allows attackers to gain unauthorized access and control over targeted systems. "As with other RATs, VenomRAT enables attackers to manipulate compromised devices remotely, allowing them to execute various malicious activities without the victim's knowledge or consent," Lin wrote.

Once deployed, VenomRAT initiates communication with its C2 server to send information about the victim, such as hardware specifications, username, operating system details, camera availability, execution path, foreground window name, and the name of the antivirus product installed. It then maintains communication channels with the C2 server to acquire the aforementioned additional plugins for related and other malicious activities as the attack continues from there, Lin wrote.

Notable among those plugins are three RATs often used for various nefarious purposes, including the Remcos RAT, which gives attackers complete system control to capture keystrokes, screenshots, credentials, and other sensitive information; NanoCore RAT, which can remotely access and control a victim's computer; and Xworm, which can load ransomware or act as a persistent backdoor.

**Vigilance Required**

Because this cyberattack campaign uses multiple layers of obfuscation and evasion techniques, it's important for enterprises to stay vigilant.

"The attackers' ability to persist in the system, evade detection, and execute malicious payloads underscores the importance of robust cybersecurity measures and vigilant monitoring to mitigate such threats effectively," Lin noted.

Organizations should educate users about the hallmark signs of phishing campaigns and encourage them to report suspicious activity to IT departments, as well as avoid downloading files or clicking on links from untrusted sources.

Despite its evasive tactics, a strong antivirus-detection system should pick up the malware entering a network, and one that includes a content disarm-and-reconstruction service also is helpful to disable the malicious macros in the document before they can do any harm, Lin wrote.

Fortiguard included a list of indicators of compromise for the specific VenomRAT campaign in the post, including associated C2 domains, URLs associated with the attack, and files the attack distributes.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cagey Phishing Campaign Delivers Multiple RATs to Steal Windows Data

Global organizations and geopolitical entities must adopt new strategies to combat the growing sophistication in attacks that parallel the complexities of our new geopolitical reality.

Source: Dragon Claws via Alamy Stock Photo

COMMENTARY

Today, it's rare for a month to pass without reports of new distributed denial-of-service (DDoS) attacks driven by geopolitical instability. Now, a single attack can include numerous countries and networks. While the war between Russia and Ukraine and elections in NATO countries like Poland drive geopolitically focused DDoS attacks, it's important to understand that these threats were present long before these conflicts, and will be around long after. But why are these attacks against governmental institutions so prominent, and why do they impact all of us in the first place? 

That is partially because changes in political leadership often correlate directly with a spike in DDoS attacks. For example, in Poland, DDoS attack volume increased fourfold within days of its new government being sworn into office. These spikes often result from hacktivist groups (e.g., KillNet, Noname057, Anonymous Sudan) opposing the viewpoints of newly elected officials. They impact the rest of us because DDoS attacks must cross multiple Internet service providers (ISPs) to reach the intended victim. 

Unfortunately, even an attack that is effectively mitigated will use up valuable resources on any ISP network it reaches. We refer to this as the "DDoS tax," which increases the cost of network operation, making it more expensive for everyone. In fact, global ISPs reported a 500% global increase in HTTP/S application layer attacks since 2019, and 17% growth in DNS reflection/amplification volumes in the first half of 2023. Furthermore, it is alarming that carpet-bombing attacks, a technique that simultaneously targets entire IP address ranges, increased by 110% from the first to the second half of 2022, with most attacks occurring against ISP networks.

The bottom line is that there is no escape from DDoS attacks on governmental institutions, and threat intelligence needs to be taken more seriously because of how universal the threat can be when it comes to compromising global ISP networks and additional IT infrastructure. Therefore, it is key for governmental entities to suppress DDoS attacks before they can begin.

**Comprehensive and Adaptive Defenses for Evolving DDoS Attacks**

With nation-states, bad actors often directly target Internet infrastructure to take out critical communications, ecommerce, and other vital infrastructure dependent on Internet connectivity. That means attackers target ISP networks to purposefully degrade Internet connectivity. Further, these bad actors typically have vastly more resources at their disposal than other attackers. They constantly innovate and explore new and more powerful DDoS attack vectors, evidenced by the creation of new ones every year, such as DNS Water Torture and Carpet Bombing. All the while, as DDoS defenses become more effective, bad actors continue to sidestep these defenses with new DDoS attack vectors and methodologies. These advanced techniques invariably find their way into the hands of criminal gangs and even individual hackers, who turn them against any entity from whom they can profit.

With the increased persistence of cybercriminals and the growth in complexity of DDoS attacks, the foundation for a comprehensive DDoS protection solution should identify and stop all types of DDoS attacks before they impact the availability of business-critical services. With today's growing frequency and complexity of DDoS attacks, a multilayer defense strategy is now no longer nice to have, but a requirement. New techniques such as adaptive DDoS strategies, which change vectors based on the defense that is presented, reinforce the need for better agility and efficiency when it comes to managing these increasingly complex attacks.

In the end, threat actors will continue using DDoS attacks as a way to further disrupt and inflame sociopolitical tensions around the world. Security professionals need to consider both local and international conflicts when assessing the DDoS risk factors associated with nation-state attacks. The unfortunate reality is that bad actors continue to find new ways to orchestrate attacks through evolving methodologies. As such, global organizations and geopolitical entities must adopt new strategies right now, such as advanced DDoS defense and suppression, to combat this growing sophistication in attacks that parallel the complexities of our new geopolitical reality.

**About the Author(s)**

Director, Security Solutions, Netscout

Gary is an industry veteran, bringing over 20 years of broad technology experience including routing and switching, wireless, mobility, collaboration, and cloud but always with a focus on security. His previous roles include solutions architect, security SME, sales engineering, consultancy, product management, IT and customer support. Prior to joining Netscout in 2012, he spent 12 years at Cisco Systems and held positions with Avaya and Cable & Wireless.

How Nation-State DDoS Attacks Impact Us All

A cheat sheet for all of the most common techniques hackers use, and general principles for stopping them.

Source: Kristoffer Tripplaar via Alamy Stock Photo

Of the hundreds of documented MITRE ATT&CK techniques, two dominate the field: command and scripting interpreters (T1059) and phishing (T1566).

In a report published on April 10, D3 Security analyzed more than 75,000 recent cybersecurity incidents. Its goal was to determine which methods of attack were most common.

The results paint a stark picture: those two techniques outpaced all others by orders of magnitude, with the top technique outpacing the runner-up by a factor of three.

For defenders looking to allocate limited attention and resources, here are just some of the most common ATT&CK techniques, and how to defend against them.

**Execution: Command and Scripting Interpreter (Used in 52.22% of Attacks)**

What it is: Attackers write scripts in popular languages like PowerShell and Python for two primary purposes. Most commonly, they're used to automate malicious tasks such as harvesting data or downloading and extracting a payload. They're also useful for evading detection — bypassing antivirus solutions, extended detection and response (XDR), and the like.

That these scripts are far and away No. 1 on this list is extra surprising to Adrianna Chen, D3's vice president of product and service. "Since Command and Scripting Interpreter (T1059) falls under the Execution tactic, it is in the middle stage of the MITRE ATT&CK kill chain," she says. "So, it is fair to assume that other techniques from earlier tactics have already gone undetected by the time that it's detected by the EDR tool. Given that this one technique was so prominent in our data set, it underscores the importance of having processes to trace back to the origin of an incident."

How to defend against it: Because malicious scripts are diverse and multifaceted, dealing with them requires a thorough incident response plan that combines detection of potentially malicious behaviors with strict watch over privileges and script execution policies.

**Initial Access: Phishing (15.44%)**

What it is: Phishing and its subcategory, spear-phishing (T1566.001-004), are the first and third most common ways attackers gain access to targeted systems and networks. Using the first in general campaigns and the second when aiming for specific individuals or organizations, the goal is to coerce victims into divulging crucial information that will allow a foothold into sensitive accounts and devices.

How to defend against it: Even the smartest and most educated among us fall for sophisticated social engineering. Frequent education and awareness campaigns can go some ways toward protecting employees from themselves and the companies they provide a window into.

**Initial Access: Valid Accounts (3.47%)**

What it is: Often, successful phishing allows attackers access to legitimate accounts. These accounts provide keys to otherwise locked doors, and cover for their various misdeeds.

How to defend against it: When employees inevitably click on that malicious PDF or URL, robust multifactor authentication (MFA) can, if nothing else, act as more hoops for attackers to jump through. Anomaly detection tools can also help if, for example, a strange user connects from a faraway IP address, or simply does something they aren't expected to do.

**Credential Access: Brute Force (2.05%)**

What it is: A more popular option back in the olden days, brute force attacks have stuck around thanks to the ubiquity of weak, reused, and unchanged passwords. Here, attackers use scripts that automatically run through username and password combinations — such as in a dictionary attack — to gain access to desired accounts.

How to defend against it: No item on this list is as easily and wholly preventable as brute-force attacks. Using strong enough passwords fixes the problem on its own, full stop. Other little mechanisms, like locking out a user after repeated login attempts, also do the trick.

**Persistence: Account Manipulation (1.34%)**

What it is: Once an attacker has used phishing, brute force, or some other means to access a privileged account, they can then leverage that account to cement their position in a targeted system. For example, they can change the account's credentials to lock out its original owner, or possibly adjust permissions in order to access even more privileged resources than they already have.

How to defend against it: To mitigate the damage from an account compromise, D3 recommends organizations implement stringent restrictions for accessing sensitive resources, and follow the principle of least privileged access: granting no more than the minimum level of access necessary for any user to perform his or her job.

Besides that, it offers a number of recommendations that can apply to this and other MITRE techniques, including:

*   Maintaining vigilance through continuous monitoring of logs to detect and respond to any suspicious account activities
    
*   Operating under the assumption that the network has already been compromised and adopting proactive measures to mitigate potential damage
    
*   Streamlining response efforts by automating countermeasures upon detection of confirmed security breaches, ensuring swift and effective mitigation
    

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Top MITRE ATT&amp;CK Techniques and How to Defend Against Them

Google has integrated Mandiant's security offerings into its AI platform to detect, stop, and remediate cybersecurity attacks as quickly as possible.

Source: Klaus Ohlenschlaeger via Alamy Stock Photo

Gemini now has security capabilities: Google has integrated Mandiant's security offerings into its artificial intelligence (AI) platform, the company announced during its Google Cloud Next conference in Las Vegas.

The new capabilities are automated security agents that use generative AI to detect, stop, and remediate cybersecurity attacks as quickly as possible and to to analyze code to find security problems. The agents will assist security operations teams by increasing the speed of investigations.

"Security agents will help you in every stage of the security life cycle, from prevention, detection and response," said Google Cloud CEO Thomas Kurian during a keynote speech at the event.

The security offerings are built around Google's Gemini large language model, which is also being used to summarize documents and generate images. The new security features use generative AI to analyze code to find security problems. Security analysts can run deep queries to get to the root cause of problems and seek answers. The technology will also better explain findings so companies can take action to neutralize threats.

Google is betting its future on AI products such as Gemini, which it introduced earlier this year. Gemini is already being integrated into search and productivity applications. Mandiant's offerings include threat detection and security operations, and Gemini adds AI capabilities to cover detection, analysis, and prevention.

**Using AI to Understand Attacks**

One of the new products, Gemini in Threat Intelligence, uses natural language prompts to get deep insight about malicious behavior.

"We're able to take the experience and intelligence we gather from protecting Google's own services, combine it with Mandiant's leading, frontline insight from their work in incident response to show emerging threats, the severity, and risk factors," Kurian said.

The intelligent threat offers ties into the next product, Gemini in Security Operations, which relies on AI to improve the speed to address threats from malicious behavior. It can also be used to summarize and explain findings, recommend next steps, and put remediation playbooks in action.

Gemini can recommend actions based on factors such as detection rules, and provide recommendations for faster response times.

"Analysts can now ask Gemini for the latest threat intelligence from Mandiant directly in-line — including any indicators of compromise found in their environment — and Gemini will navigate users to the most relevant pages in the integrated platform for deeper investigation," Google wrote in a blog post.

The offering uses Gemini 1.5 Pro's AI capabilities to analyze large samples of potential malicious code or malware, the interaction between modules, and to reveal their true malicious intent, Kurian said.

The final product announced was Gemini in Security Command Center, which evaluates a security posture, provides findings, and summarizes attack paths, which helps companies remediate cloud risks.

"We've leveraged tremendous amounts of machine learning, precision AI, generative AI, to make sure our customers are able to detect, stop, and remediate all cybersecurity attacks as quickly as possible," Kurian said.

AI tools such as Gemini and OpenAI's ChatGPT are improving productivity, but hallucinations and other shortcomings are raising concerns about the technology being used irresponsibly. The White House late last month issued an executive order on responsible use and development of AI development, which also recommends monitoring AI systems to prevent misuse.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Google Gives Gemini a Security Boost

The device management company introduced a Fleet Hardening Score and Privilege Escalation (the good kind) to its endpoint security platform for Apple devices.

Source: baosheng feng via Alamy Stock Photo

Enterprise IT teams responsible for managing Macs and iOS devices are getting new compliance and security tools, device management company Jamf said during its Spring Event. A new capability in Jamf Connect allows the granting of temporary administrative privileges to a local Mac user. That activity data feeds Jamf Protect, which has added a compliance dashboard that presents overall fleet compliance and drills down to individual devices.

Jamf Connect creates a cloud-based identity for each user that, when authenticated, allows them to set up access to the tools and applications they need via VPN. The new feature, Privilege Escalation, temporarily grants end users elevated administrator privileges to perform tasks such as updating device drivers, installing printers, and adding software that's not managed by Self-Service. Once the time IT set for the escalated privileges expires, the user automatically defaults back to the standard user role.

Jamf has also added a compliance dashboard to Jamf Protect, which provides anti-malware tools, threat defense, and metrics for a fleet of macOS and iOS devices. From the dashboard, an administrator can view which devices fall out of compliance with guidelines; update any software, including the OS version, that needs it; and quarantine suspect files automatically. The new Fleet Hardening Score in Jamf Protect is an aggregate baseline score quantifying the organization's overall endpoint security posture. Administrators can drill down to individual devices to understand and remediate issues.

The integration between Jamf Connect and Jamf Protect provides administrators with detailed telemetry about the privileged tasks being performed on the device. Administrators can use the telemetry to audit endpoints and as part of intrusion detection and response.

Apple devices have long established their presence in business. Enterprise-level tools like Jamf's help ensure that those devices stay compliant with expectations for corporate standards in security.

**About the Author(s)**

Source

DARKReading