Dark Reading's special report on SecOps data analytics looks at the elements needed to set up a proper data foundation — because getting the data right when collecting, aggregating, and analyzing it is essential.

If there's something all security operations (SecOps) teams need, but few get right, it is the ability to use security data analytics effectively. After all, an effective SecOps data analytics program enables SecOps teams to continuously monitor their environments for signs of compromise and stop potential attacks before they can cause serious damage. Also, good data makes collaboration among SecOps teams and IT more effective.

"There are a lot of different ways to do aggregation and analysis. But there's no way to answer the question, 'Tell me the biggest threat to the business' if you're not doing systematic aggregation and analysis of your data," says Mike Rothman, general manager at Techstrong Research. "In many cases, you'll have a hard time answering it anyway. But if you're not even doing the basics, you have no shot."

Dark Reading's special report "The Secrets of Successful SecOps Data Analytics" digs into important decisions enterprises must make to effectively collect, analyze, and manage their security data so that SecOps teams can make the best decisions possible.

Paradoxically, security teams don't suffer from too little security data or too few security data sources — rather, they have too many data sources and too much data to sift through. This overabundance can make finding the most pressing threats daunting.

"SecOps teams are drowning under the weight of multiple security tools, alert fatigue, and manual operations," says Anton Chuvakin, security adviser at the office of the CISO, Google Cloud. "Analyzing large — the meaning of 'large,' of course, changing dramatically in 20 years — amounts of data at scale and speed have never been more important, but it remains tricky when this data is coming from so many disparate sources."

Getting the data right, however, when it comes to collecting, aggregating, and analyzing is essential. SecOps teams need data to be effective, and security teams can be only as effective as the information they've based their decisions and actions on. The better-quality data SecOps teams get, and the better they can analyze that data for swift decisions, the more effectively they can respond to the actions of the threat actors targeting them.

Read Dark Reading's "The Secrets of Successful SecOps Data Analytics" to understand how to keep and manage data connections across on-premises and cloud systems and help SecOps teams make decisions about how best to disrupt attacks before the threat actors manage to succeed in inflicting damage to the organization.

Tips for a Successful SecOps Game Plan

The Israelis are building a cyber defense system that will use ChatGPT-like generative AI platforms to parse threat intelligence.

Israel is rapidly developing a cyber defense system to address emerging digital threats and protect its critical infrastructure.

Modeled on Israel's Iron Dome defense air defense system, the Cyber Dome has been developed to include generative AI platforms to help filter out genuine threats from the sea of threat intelligence and cyberattack claims that the country parses every day.

According to media reports, it will be staffed by practitioners from various governmental departments, including the Israel Defense Forces (IDF) intelligence Unit 8200, the J6 and Cyber Defense Directorate within the IDF, cyber units of Mossad and Shin Bet, and the Israeli Ministry of Defense.

Gaby Portnoy, director general of the Israel National Cyber Directorate, told The Week that the various departments will work with the Israel National Cyber Directorate, with the latter doing "the internal work." Private companies and research organizations will also participate.

Plans were originally announced in summer 2022, but Cyber Dome development is now being advanced in light of the Gaza conflict, Portnoy said. No specific details regarding the mechanisms and tools of the cyber defense system have yet been provided to the public.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

AI-Powered Israeli 'Cyber Dome' Defense Operation Comes to Life

Without the proper context, organizations waste time mitigating software flaws that won't likely affect their systems.

**Question: The CVSS severity rating seems to lack real-world context. How can a company prioritize fixes in such a situation?**

**Shachar Menashe, Senior Director, JFrog Security Research:** Security teams and developers are wasting their precious remediation resources by relying on an incomplete method to determine whether a vulnerability is exploitable.

One of the most popular resources organizations use today is the Common Vulnerability Scoring System (CVSS), a standard framework for assessing the severity of vulnerabilities. It assigns each CVE a vulnerability severity score, ranging from 0 (no severity) to 10 (most critical), which reflects how hard the vulnerability is to exploit and how much damage it can cause if exploited. Most developers and security teams use the CVSS score as a guide for their vulnerability remediation programs.

The problem is that the CVSS severity ratings of most CVEs today are overinflated, so continuing to rely solely on this rating scale is misguided.

That's because the current CVSS scoring system is based on a complex set of factors that don't adequately incorporate the real-world impact of each vulnerability. Earlier this year, JFrog undertook an analysis of the 10 most prevalent open source software vulnerabilities from 2022 and found that, when looking at real-world impact, most flaws were harder to exploit than reported, and their high severity rating was deceiving. Specifically, 64% of the top 50 CVEs received a lower JFrog Security Research severity rating compared with the CVSS.

In that study, many of the more critical CVEs required complex configuration scenarios or very specific conditions for an attack to be successful, which was not reflected in the CVSS score. Without the proper context, organizations waste valuable resources mitigating software flaws that are unlikely to have any impact on their systems.

**The Real Metric: Exploitability**

Analyzing the context of a CVE requires considering real-world factors, such as:

*   Whether the vulnerability is exploitable in a service's default configuration or only under very contrived configurations.
*   Whether a reachable path to the vulnerable code exists.
*   Whether the software library vulnerability has a code precondition (meaning someone must use the library in a vulnerable manner).
*   The likelihood that a vulnerable API will parse untrusted data.
*   How potentially vulnerable software is deployed.
*   The network environment and overall security mechanisms applied to the vulnerable software.

While CVSS scoring provides some context through its impact metrics (confidentiality, integrity and availability), these metrics are rated according to a theoretical "face value" without considering the actual impact the attack has on real-world systems. For example:

*   A denial-of-service (DoS) attack that crashes a forked client process is much less severe than a DoS that crashes an important daemon, but they will both receive a high availability impact CVSS rating.
*   A buffer overflow that doesn't overwrite any meaningful variable has no security impact, but it will still receive a high integrity impact CVSS rating.

A good example of the latter is the OpenSSL CVE-2022-3602, identified in November 2022. The vulnerability was widely feared at first, but technical details revealed the vulnerability had no real-world impact. Nevertheless, CVE-2022-3602 is still rated with a high impact rating.

**CVSS 4.0 Doesn't Solve This**

While CVSS 4.0 will include an "attack requirement" metric to reflect the conditions needed for an attack to succeed, it is still not detailed enough. (It can only be set to "none" or "present," which does not account for the rarity of the attack requirements.) For example, a remote code execution (RCE) vulnerability that is exploitable only under extremely rare configurations or conditions and might not even be fully exploitable in any real-world scenario would have "attack requirements" marked as "present" — which would change the score slightly from 9.3 to 9.2. Organizations will still continue to receive 9.2 (critical) scores for theoretical RCE remote vulnerabilities that are exceedingly unlikely to happen. This needs to change.

**Advice: Add Context**

While the CVSS system is improving, using other resources in tandem can help provide a more accurate assessment of CVE criticality. When looking at nvd.nist.gov, pay special attention to the CVSS rating of the CNA, not just NVD's CVSS rating. Distro-specific severity scores, such as the Ubuntu and Red Hat Linux distributions, and project-specific severity scores, such as Apache Web Server, Curl, and OpenSSL, will usually have a more accurate severity rating.

Also consider ways to integrate context into your remediation process. Research indicates few vulnerabilities are exploitable without highly specific preconditions. Combine real-world exploitability, CVE applicability, and contextual analysis to guide your prioritization and remediation efforts. Instead of asking developers to "fix everything," arm them with the information they need to address the vulnerabilities that matter most.

Why Do We Need Real-World Context to Prioritize CVEs?

Amid the burgeoning war, Israel's tech sector is focused on resilience. Ofer Schreiber, senior partner at YL Ventures, weighs in on the conflict, funding for cybersecurity startups, overblown valuations, and what the future holds.

Israel has a strong start-up legacy of incubating cybersecurity vendors who have gone on to expand to global success. Investors have invested billions of dollars into these companies, and Tel Aviv last year was named one of the world's best technology ecosystems.

One of the more active investment firms in the region is YL Ventures, which funds early-stage Israeli cybersecurity start-ups. Its senior partner and head of the Israeli office is Ofer Schreiber, who oversees the firm's investment processes and due diligence, portfolio companies management, and value-add initiatives — and he has seen companies emerge from some challenging times recent years.

Dark Reading sat down with Schreiber to discuss the current state of investment in Israel's tech community, and how the events of the Israel-Hamas war could affect the start-up sector's outlook.

_**Dark Reading: How has the Israeli cybersecurity market been in the past few years, and are new companies still emerging?**_

_**Ofer Schreiber:**_ Cybersecurity innovation coming out of Israel is not stopping, but I think it's much harder today to build a new cybersecurity company compared to the last few years. One of the positive

    

Ofer Schreiber, senior partner at YL Ventures. Source: YL Ventures

things here is that from our perspective, the amount of entrepreneurial theory in Tel Aviv and Israel who are passionate about starting a new company to disrupt some of the industry's categories is not decreasing. There are great teams working on interesting ideas and the entrepreneurial spirit is as strong as in the past few years, that's for sure.

_**DR: What do you think the increasing challenges have been in the past few years?**_

_**OS:**_ The environment has changed, and it's harder to raise capital with good valuations compared to the past couple of years. You still see quite a lot of security startups that found themselves with very high valuations, and raised a lot of capital, but with not a lot of market traction to show for it.

We will start seeing more and more M&A activity during the next six or 12 months. The consolidation wave has already begun, and there's increased pressure on the entire industry from customers who are more interested in consolidation; they're interested in working with fewer vendors. They're expecting their big players to have wider suite of products and services, but \[users\] are drawn more to young and innovative startups, so that adds more pressure on younger vendors.

_**DR: How is the current Israel-Hamas conflict affecting the technology scene?**_

_**OS:**_ What is certain is that Israel is probably experiencing its biggest crisis in its short history. There is an analogy that we use about the Israeli tech ecosystem and its resilience, agility, and innovation. You can just see it across the entire country: we have been hit hard, but we are coping and we are regrouping.

There are so many initiatives from both the government and private sectors to support civilians that got hurt, and support the troops. The tech ecosystem is no different, everybody's doing something. A lot of the entrepreneurs and employees of our portfolio companies are in reserve duties in the intelligence core, and the ones who have not been recruited are spending a lot of time in private civilian initiatives. Everybody's using their skills.

There's always this cliche about the Israeli people, that we're constantly fighting with each other. But whenever there's an adversary, or whenever there is a crisis, we all put all our differences aside and we unite.

_**DR: What about from an investment point of view, does the conflict change the way businesses operate?**_

_**OS:**_ It would be foolish to say that it has no effect, just for the basic fact that a lot of people are \[busy\] in reserve duty or other civilian initiatives. If you think about Israeli startups, some of them have non-Israeli operations as well. Many are actually headquartered in the US, or they have departments outside of Israel, so those departments are almost unaffected.

For almost 100% of Israeli tech companies, they are definitely affected to some degree. What I can stay for certain, as with any other crisis that has happened in Israel, is that I think it's a very short-term impact on our industry. Like with every other bad thing that happened in Israel, we got hurt, but we show a lot of resilience, and I'm pretty sure that like any other negative event that happened in Israel, we will come out of it even stronger and more united as a country, and as a business ecosystem.

If I try to be an optimist, I'll say that it will have even a positive impact as we will get out of it stronger and more resourceful, and more united.

_**DR: Back to the valuation conversation — Do you see a lot of companies who literally launched with the view to being acquired within three years**__?_

_**OS:**_ I don't think that's the original intent of the vast majority of entrepreneurs. Entrepreneurs are optimistic in nature, that's why they're entrepreneurs, so they always have to be extremely visionary, but you have to be quite pragmatic at one point \[in\] the journey.

Most entrepreneurs aim to become a category leader, in whatever category they choose, and to build a sustainable business. Most of them will not succeed in doing that because that's just the reality of the start-up world in general, and definitely in cybersecurity, which is just a very big market with a lot of problems to be solved.

_**DR: Was there more investment after the COVID-19 pandemic started to slow down?**_

_**OS:**_ There were companies that raised ridiculous amounts of capital with ridiculous valuations, and investors who paid massive premiums just to invest and be a shareholder of a hot startup, and this basically pushed the valuations up.

I used to say that we were partying for two years, and now we're in the hangover stage. During 2021, the party was massive, and now we don't feel so well. So we have a headache but it will go away, it's a temporary situation. We need to realize that.

If you focused on building sustainable companies \[with\] sustainable growth, and focused on solving real problems and growing your area responsibly, you'll be fine.

Q&A: The Outlook for Israeli Cyber Startups, As War Clouds Gather

State-sponsored cyber espionage actors from Russia and China continue to target WinRAR users with various info-stealing and backdoor malware, as a patching lag plagues the software's footprint.

State-sponsored threat actors from Russia and China continue to throttle the remote code execution (RCE) WinRAR vulnerability in unpatched systems to deliver malware to targets.

Researchers at Google's Threat Analysis Group (TAG) have been tracking attacks in recent weeks that exploit CVE-2023-38831 to deliver infostealers and backdoor malware, particularly to organizations in Ukraine and Papua New Guinea. The flaw is a known and patched vulnerability in RarLab's popular WinRAR file archiver tool for Windows, but systems that haven't been updated remain vulnerable.

"TAG has observed government-backed actors from a number of countries exploiting the WinRAR vulnerability as part of their operations," Kate Morgan from Google TAG wrote in a blog post.

Russia-backed advanced persistent threat (APT) groups are the primary perpetrators of the latest attacks on WinRAR, according to Google TAG. On Sept. 6, Sandworm launched an email campaign impersonating a Ukrainian drone warfare training school using an invitation to join the school as a lure.

The infamous APT28 (aka Frozenlake, Fancy Bear, Strontium, or Sednit), another Russia-backed group, also used the flaw to deliver malware, which was targeting energy infrastructure in Ukraine via a phishing campaign that used a decoy document inviting targets to an event hosted by Razumkov Center, a public policy think tank in Ukraine.

Meanwhile, a phishing campaign from China-backed group IslandDreams (APT40) delivered infostealers to users in Papua New Guinea.

RarLab issued a beta patch for the issue on July 20 and an updated version of WinRAR (version 6.23) on Aug. 2, but many systems remain vulnerable and thus ripe for exploitation, Morgan noted. "After a vulnerability has been patched, malicious actors will continue to rely on n-days and use slow patching rates to their advantage," she wrote.

**Exploiting the WinRAR Flaw**

Group-IB discovered CVE-2023-38831 — a logical vulnerability within WinRAR — in July. However, APT groups already had been exploiting the flaw as a zero-day bug since April — including one by the Russia-backed threat group Evilnum that used weaponized ZIP files to target cryptocurrency traders.

The potential to exploit the flaw comes when the temporary file expansion, during archive processing, is combined with a quirk in the implementation of Windows ShellExecute when attempting to open a file with an extension containing spaces, according to Google TAG.

"The vulnerability allows attackers to execute arbitrary code when a user attempts to view a benign file (such as an ordinary PNG file) within a ZIP archive," Morgan wrote.

Later, mere hours after Group-IB posted its blog post outlining its discovery and analysis of the flaw, proof-of-concept exploits (PoCs) — including fake ones — and exploit generators appeared on public GitHub repositories. These fueled further and ongoing attacks on vulnerable systems.

**Latest WinRAR Targeting**

In the Sandworm attack, the messages included a link to an anonymous file-sharing service, fex\[.\]net, which, in turn, delivered a benign decoy PDF document with a drone operator training curriculum and a malicious ZIP file exploiting CVE-2023-38831. The file's payload was Rhadamanthys, a commodity infostealer that can exfiltrate, among other things, browser credentials and session information. Google TAG noted that use of commodity malware is not typical of Sandworm.

Meanwhile, Google TAG observed APT28 using a free hosting provider to serve an initial page that redirected users to a mockbin site to perform browser checks, and then yet again to another stage, which would ensure the visitor was coming from an IPv4 address in Ukraine. At this point the user would be prompted to download a file containing a CVE-2023-38831 exploit.

In late July and early August, the researchers also observed an APT28 attack that dropped the PowerShell script IronJaw, which steals browser login data and local state directories. The attack vector — which drops a BAT file that opens a decoy PDF file and creates a reverse SSH shell to an attacker-controlled IP address — was a new addition to the APT's toolkit, according to Google TAG.

Google TAG has linked a fourth recent WinRAR attack to China-backed IslandDreams — which also is tracked as Bronze Mohawk, GreenCrash, Kryptonite Panda, Periscope, and Mudcarp — through a phishing campaign in late August that targeted users in Papua New Guinea. The phishing emails included a Dropbox link to a ZIP archive containing a CVE-2023-38831 exploit in the form of a password-protected decoy PDF and an LNK file, which led to a next-stage payload known as Islandstager.

The Islandstager payload executes and decodes several layers of shellcode, the last of which loads and executes the final payload, BOXRAT, a .NET backdoor that uses Dropbox API as a command-and-control mechanism.

**Problematic Patching Delays**

Google TAG included indicators of compromise (IOCs) for the various attack scenarios to help users identify if their system is being exploited.

In the meantime, WinRAR users are urged to update their systems if they haven't already, as the campaigns highlight yet again the importance of timely patching — something that still seems to be a global challenge for software users, Morgan noted.

"These recent campaigns exploiting the WinRAR bug underscore the importance of patching and that there is still work to be done to make it easy for users to keep their software secure and up-to-date," she wrote.

Patch Now: APTs Continue to Pummel WinRAR Bug

The state-sponsored threat actors (aka APT34, Crambus, Helix Kitten, or OilRig) spent months seemingly taking whatever government data they wished, using never-before-seen tools.

The Iranian state-aligned advanced persistent threat (APT) known as MuddyWater used an arsenal of new custom malware tools to spy on an unnamed Middle Eastern government for eight months, in just the latest of its many campaigns in the region.

That's according to Symantec, which describes a, at times, daily effort to steal sensitive government data by MuddyWater, which Symantec tracks as "Crambus." The group is also known variously as APT34, Helix Kitten, and OilRig. 

Despite penetrating a dozen computers, deploying half a dozen different hacking tools, and stealing passwords and files, the campaign managed to stay under the radar, lasting from February until September before being disrupted.

"They accessed quite a broad range of computers on the network, so it seems to be a more general attack, rather than going after anything specific," assesses Dick O'Brien, principal intelligence analyst for Symantec.

**MuddyWater's Malware Arsenal**

MuddyWater's latest campaign began on Feb. 1, when an unknown PowerShell script was executed from a suspicious directory on a targeted machine.

In the months that followed, the group deployed four custom malware tools, three previously unknown to the cybersecurity community.

First there's Backdoor.Tokel, for downloading files and executing arbitrary PowerShell commands. Trojan.Dirps is also used for PowerShell commands, and enumerating files in a directory. Infostealer.Clipog is, as the name would suggest, infostealer malware capable of keylogging, logging processes where keystrokes are entered, and copying clipboard data.

Finally there's Backdoor.PowerExchange, discovered but not specifically attributed to MuddyWater back in May. The PowerShell-based tool logs into Microsoft Exchange Servers with hardcoded credentials, using them for command-and-control (C2), and monitoring for emails sent by the attackers. Mail with "@@" in the subject line conceal instructions for writing and stealing files, or executing arbitrary PowerShell commands.

Alongside its own weaponry, MuddyWater also utilized two popular open source hacking tools: Mimikatz for credential dumping, and Plink for remote shell capabilities.

According to O'Brien, the group's months long staying power can be attributed to its choice of weaponry:

"If you introduce new tools, and if you're using legitimate tools, there are no automatic red flags. \[As an analyst\] you kind of have to wait until there's a notification of potentially malicious activity, and start pulling the threads from there."

**MuddyWater Is Back**

MuddyWater has been around since at least 2014, according to Mandiant. A few years back, though, it was written off. "Crambus was one of those groups that we thought might go away because they were heavily exposed in a leak, seemingly by a former contractor or team member," O'Brien points out.

Now, he adds, "they're definitely back."

Over the years, its spying campaigns have spread throughout most of the Middle East – Saudi Arabia, Israel, Turkey, Iraq, Jordan, Lebanon, Kuwait, Qatar, Albania, and the United Arab Emirates (as well as the United States) – touching the financial, energy, telecommunications, chemical, government, and critical infrastructure sectors. The APT has been the subject of US sanctions for its cyber espionage activity; and most recently, that activity has included cyberattacks on Saudi Arabia that featured another fresh malware, known as Menorah; and a supply chain attack on the UAE.

Iran-Linked 'MuddyWater' Spies on Mideast Gov't for 8 Months

It's time to build a culture of privacy, one that businesses uphold.

We live in an exposed world — particularly when dealing with our digital presence. People have become desensitized to the transactional nature of exchanging pieces of themselves for access.

Availability to new accounts, social media platforms, educational opportunities, professional forums, and nearly every need and want that exists on the Internet demands an exchange of personal data.

Big data has discovered the keys to the kingdom, and they come in the form of your personal information.

**A Sense of Powerlessness When It Comes to Preserving Privacy**

The data trade has grown into a multibillion-dollar industry. It's a juggernaut that is constantly hurtling toward new profit margins, often at the expense of personal privacy. And one of the most disconcerting aspects of this concept is the public's often lackadaisical response.

What we've discovered is that it's not that people don't care; it's simply that they're existing in a state of information overload that lends itself to decision paralysis. They know that their privacy is being violated, but feel powerless in the face of well-oiled data brokers. The ability to take back control of their information seems just out of reach, especially with new ways to harvest data taking shape with such frequency.

After conducting a 2,000-person consumer privacy survey, we discovered that 50% of respondents would take more privacy action if they had better tools and 44% if they had a better understanding of what happens to their data once it is shared. The survey also revealed the extreme responsibility individuals feel to maintain their privacy, with 81% saying that they hold themselves most accountable to protect their personal information even after it has been shared.

These insights help us understand that to change the privacy landscape as we currently know it, we must unite in aggressive consumer education and advocacy to support actions that can drive new approaches to privacy.

**Education Requires a Collaborative Effort**

As generations of people begin growing up with constant access to the Internet, we're seeing more of the consequences associated with data sharing. Much like new medications that often don't initially display side-effects, we're starting to clearly feel the side-effects of the public presence of our personal information.

Data breaches feel commonplace — because they are. Nearly 422 million (more than the population of the United States) people were impacted by some form of breach in 2022. Yet, the response within the US is usually to wait and see what happens, maybe put a freeze on credit, or sign up for an activity-monitoring program.

**Personal, Organizational, and Systemic Advocacy Is Needed**

There's a certain culture of reactiveness rather than proactiveness when it comes to a violation of our personal privacy.

To activate change, there must be a collaborative effort between consumers, government agencies, and companies. New legislation has been moving forward, and the public has seen companies like Meta being held accountable for data violations. However, the missing piece is a culture of privacy that is founded and upheld by both established and emerging businesses.

People can take control over what they share, but as long as it comes at the cost of access, they'll continue to feel pressured to provide personal information. With this system of exchange still in place, consumers will have a difficult time advocating for themselves in meaningful ways.

Privacy as a human right is a social movement that all entities need to embrace and support through action. Only in doing this can we truly empower people to take control of their data in a lasting and meaningful way.

The Trifecta of Consumer Data Privacy: Education, Advocacy & Accountability

Should CISOs include only known information in the SEC filings for a material security incident, or is there room to include details that may change during the investigation?

As enterprises continue to weigh which security incidents constitute something material enough to be reported under the Securities and Exchange Commission's (SEC) new rules, CISOs face the challenge of deciding which details to report and, far more critically, which ones to omit.

"This \[SEC\] rule puts CISOs in a very delicate position, and they are not being given a lot of guidance or direction," says Merritt Maxim, a Forrester VP and research director. "You know you've been compromised, but you don't have all the facts on day one."

In the case of a material incident, the CISO, along with the security operations center, would have to prepare a memo with all of the incident details and send it to investor relations and legal. Once those departments have reviewed it, the memo would be used to prepare the filing for the SEC.

Although the new SEC rules take effect Dec. 18, CISOs can already look at the disclosures from three enterprises — Caesars, MGM, and two filings from Clorox — to get an idea of how to comply.:

Since the filings deal with very different incidents, it makes sense that the details contained are also very different. However, the filings are consistent in that they focus on what is known and avoid speculations and predictions. The filings do not share any details that are likely to change either.

**Competing Obligations**

CISOs are simultaneously juggling three competing objectives:

*   **Report as much as you can.** Legally, the goal is to share as much information as possible with investors and potential investors.
*   **Report as little as you can.** From a cybersecurity perspective, the goal is to tell potential attackers as little about your threat landscape and your defenses as possible, especially when the attack has not yet been fully contained.
*   **Report only what you are confident about.** Most initial details are wrong, and reports are repeatedly updated as the days, weeks, and months go by. That raises a thorny question: Is the enterprise obligated to disclose information that they consider to be — initially, at least — of very low reliability?

"Only report what you know by 80% to 90% certainty," says Dirk Hodgson, CISO of NTT Australia. "A few days into an incident, you are simply not going to know a great deal. You still are likely not even close to the point of having surveyed your entire global environment."

Douglas Brush, a special master with the US federal courts and the chief visionary officer for Accel Consulting, stresses that choosing which security incident details are material can be challenging. It's one thing to conclude that the incident is material, he says, but selecting which specific details are relevant and meaningful for the investing public is quite different.

"Most enterprises have no idea what impact cyber operations will eventually have on their businesses," Brush says.

Clorox's SEC filings illustrate the "report what you are confident about" point well, says Phil Neray, vice president of cyber defense strategy at Gem Security. The organization "properly walked a fine line between saying what they knew and making basic estimates about how long it would take to restore operations," he says.

Disclosures should be kept simple and to the facts, agrees Rex Booth, CISO of SailPoint.

"Keep it at a super summary level \[to\] things that are tangible and measurable: which operations were interrupted, which systems were compromised," he says. "Talk about observed impact and not causation. And say that 'we will continue to investigate with outside entities.'"

**What You Don't Have to Say**

Another important element is whether the information is truly going to be of any actionable value to shareholders and potential investors. The value of revealing a specific vulnerability needs to be balanced with the potential of providing attackers with more information that they can use against you, Booth advises.

CISOs must also be aware of what details are already public. In the Caesars and MGM incidents, for example, more information was available via social media than from the filings, such as the fact that guests staying at the two casinos were unable to get into their rooms. That's the kind of detail you can't keep secret, even if you want to.

While it makes sense to report only confirmed details, that advice may not necessarily always be the right call. "On the one hand, you do have to make a judgment on the material of the information," says Naj Adib, a risk and financial principal for cyber and strategic risk at Deloitte. "But your obligation is to disclose."

CISOs should separate what happened from what the organization is going to do about it, Adib says. "There is no requirement to go out and discuss remediation," he adds.

**Higher Profile for Breaches**

From a practical perspective, nothing has changed regarding what has to be reported; the SEC has always required every publicly held company to report anything material to the SEC. The change is about timing — within four days — and the emphasis being placed on the disclosures. The fact that the SEC now has a document dedicated just to reporting cybersecurity incidents will bring incidents front and center with every board of directors and, therefore, with every CEO and CFO.

"This will lead to far more internal attention. This is no longer a line buried in hundreds of thousands of lines in a 10K," Booth says.

CISOs should also bring corporate counsel or outside legal advisers into the disclosure discussions and decisions, says Accel's Brush. This action brings necessary legal advice into the discussion and protects the conversations from being legally discoverable due to attorney-client privilege.

"The CISO's communications with the inside security team are all potentially discoverable," Brush says. With a lawyer present and thus protected, he adds, "As you are preparing your final statement, you can have open and frank discussions."

What CISOs Should Exclude From SEC Cybersecurity Filings

The router specialist says the attacker's claims to have heisted millions and millions of records are significantly overblown. But an incident did happen, stemming from a successful phish.

Taiwan-based network equipment vendor D-Link this week confirmed that it was the victim of a recent data breach, but dismissed the seeming perpetrator's claims about the severity of the incident as inaccurate and exaggerated.

On Oct. 1, an individual using the handle "succumb" claimed on the BreachForums online community for cybercriminals about having breached the internal network of D-Link in Taiwan. The individual claimed to have exfiltrated some 3 million lines of customer information and source code pertaining to D-Link's D-View network management software.

The self-proclaimed hacker's post identified the stolen data as including names, emails and physical addresses, phone number, and company information on D-Link's customers. 

"This does include the information of MANY government officials in Taiwan, as well as the CEOs and employees of the company," the hacker's BreachForum post went on to add.

**Nowhere Near in Scale As Hacker's Claims?**

According to D-Link, an investigation of the incident that it conducted with its internal team and with experts from Trend Micro showed that while a breach happened, it was nowhere near the scale the hacker portrayed on BreachForums.

For one thing, D-Link said the data that the hacker obtained was outdated, and did not contain any personally identifiable information (PII) or financial data. The number of records that the attacker appeared to have accessed was also just 700 or so — not remotely near the 3 million records the hacker claimed.

Available evidence suggests that the intruder most likely exfiltrated "archaic" registration related data from a D-View system that reached end of life in 2015, D-Link claimed. None of the records that the hacker obtained appear to be currently active. "However, some low-sensitivity and semi-public information, such as contact names or office email addresses, were indicated," D-Link said.

D-Link said it believes the attacker gained access to the "long-unused and outdated data" via a successful phishing attack on one of its employees." 

Following the incident D-Link noted that it has reviewed its access control mechanisms and will implement additional controls as necessary to mitigate against similar threats. "D-Link believes current customers are unlikely to be affected by this incident. However, please get in touch with local customer service for more information if anyone has concerns," the company advised.

**Signal Breach Claims: A Similar Incident in Recent Days**

The incident is the second in recent days where a company has been forced to initiate a review of its security measures, after a breach claim that turned out to be false of exaggerated. 

Earlier this week, the security team at Signal had to respond to rumors about an alleged zero-day vulnerability in the secure messaging service that allowed for full device takeover. After what the company described as a "responsible investigation" of the claims, it determined the claim was just a viral rumor. 

"We have no evidence that suggests this vulnerability is real nor has any additional info been shared via our official reporting channels," Signal said on X (formerly known as Twitter). As part of its verification efforts, Signal said it checked with people across the US government to see if anyone had encountered issues with the service.

In D-Link's case, the hacker's claims prompted an immediate shut down of servers that its security team thought might be relevant. 

"We blocked user accounts on the live systems, retaining only two maintenance accounts to investigate any signs of intrusion further," the company said. The company also scoured its software test lab systems to determine if any sensitive data had leaked into the environment. During the process, D-Link's security team disconnected the test lab from the company's corporate network.

D-Link Confirms Breach, Rebuts Hacker's Claims About Scope

The sensitive nature of medical records, combined with providers' focus on patient care, make small doctor's offices ideal targets for  cyber extortion.

Cybercriminals are stealing medical records from plastic surgery offices to extort doctors and patients.

On Oct. 17, the FBI published a rather bespoke public service announcement aimed at plastic surgery providers, indicating that hackers have been targeting their industry specifically. Their idea, it seems, is to capitalize on the sensitive nature of these procedures, threatening to publish personal information and explicit photographs in order to get both providers and their patients to pay up.

In the last several months, plastic surgery providers have reported data breaches in California and South Dakota. The trend extends beyond US borders, as plastic surgeons in Brazil and the UK have been hit in recent years with ransomware extortion as well.

It's only the latest evidence of a much broader, deeper issue in healthcare cybersecurity.

"There was a time when malicious actors would 'take it easy' on healthcare providers," says Shawn Surber, senior director of technical account management at Tanium. "However, in the last couple of years, that type of behavior has changed and more healthcare accounts are coming under full attack."

**Plastic Surgery Cyberattacks**

As Surber points out, "targeting plastic surgeons and their patients makes a lot of financial sense. Plastic surgery is a lucrative and largely pay upfront business. This means that both the surgeon and patients generally have significant disposable income and are interested in protecting their privacy more against embarrassment than concerns about identity theft."

Then, there are the issues that plague any independent practice. "They're small offices with limited, usually contracted IT support, and they often partner with private surgery centers who have similar limitations. This means that the physician and the surgery center are also potentially communicating outside of traditionally secure channels — like using personal or Web-based email, for example — creating further opportunities for malicious actors to intercept data, credentials, and intelligence."

Hackers are taking advantage of all of these security shortcomings, with what the FBI is characterizing as three-phase attacks.

First, the attackers conduct phishing attacks, deploying malware for the purposes of harvesting sensitive patient information and photos.

Next, they "enhance" the data they've collected by pulling more information about patients from social media, or via further social engineering.

With everything they need in-hand, the attackers contact both patients and their providers, requesting payment in exchange for not sharing the harvested data online. This is where the data "enhancement" comes into play. Beyond publishing the data to a public-facing website to exert extra pressure on victims, the attackers share some of the data with family, friends, and colleagues, promising to stop only once they've been paid.

**How Doctors and Patients Can Defend Themselves**

In its advisory, the FBI offered a few security tips for patients, including practicing good password hygiene, monitoring for suspicious bank account activity, and applying strict privacy settings on social media accounts, to prevent unknown individuals from learning more about you or even posting to your page.

For providers, on the other hand, a few helpful tips won't be sufficient.

"Unfortunately, their infrastructure remains weaker and less cohesive than that of other industries. Add to that the accelerating mergers and acquisitions process in order to keep health systems afloat, and it's become the perfect hunting ground for malicious attackers," Surber laments.

And as bad as extortion is, cyberattackers with the same kind of access to health systems can also do far worse, putting lives at risk by infecting critical devices or otherwise shutting down entire systems.

In lieu of better protections, more stringent regulations, or more funding, Surber offers one potential direction for the industry to pursue.

"I'm of the opinion that healthcare providers need to be more organized into a critical infrastructure working group, with standards of security and group pricing available to them in a managed service model," he suggests. "It certainly won't be a cheap solution, as there are tens of thousands of providers in the US alone. But perhaps if they were all working together effectively, we could see our way to a future where they're not alone and vulnerable. A future where their systems are maintained and updated continuously, and they're alerted as things happen rather than when they get an extortion demand."

Source

DARKReading