Incident response playbooks and frameworks are leaving defenders ill-equipped to recover from the increasing number of successful cyberattacks. Developments in AI offer a new way for stretched teams to manage security incidents and heal swiftly.

The number of successful cyberattacks impacting organizations continues to increase, with recent high-profile breaches such as UK outsourcing firm and government contractor Capita incurring recovery costs of up to £20 million.

Generative AI is allowing attackers to innovate and escalate their approach. Darktrace researchers observed a 135% increase in "novel social engineering attacks" across thousands of active customers from January to February 2023 (based on the average change in email attacks detected across Darktrace customers' email deployments). With that in mind, organizations should focus more than ever on their cyber resilience — namely, their ability to withstand, adapt, and recover from cyberattacks that have achieved initial access. Yet the gap between the growing numbers of successful attacks and effective approaches to recovery continues to widen.

Within this context, security teams need help to prepare, recover, and adapt confidently to cyber incidents, and new developments in AI are offering promising signs that they can do so.

**Evaluating the Current Picture**

With a growing skills shortage in the industry, it has become more and more difficult for humans to keep up with incident management techniques and frameworks. Additionally, the costs associated with tabletop exercises, red/purple team activities, maintaining playbooks, and testing recovery stacks have become increasingly untenable.

Incident response playbooks outline the steps an organization should take to respond to and recover from a particular type of attack and are widely accepted as best practice. These are typically based on predefined, static views of an organization that quickly become outdated and are challenging to maintain and execute in a real-world incident.

Published frameworks are another standard part of the cyber resilience toolkit. These templates and flowcharts tend to lay out discrete linear processes — often lengthy steps designed to occur one after the other, with no concept of the frequent need to shift and adapt as new information arises. Dealing with the complexity gap between the necessarily concise framework and the variety and complexity of real incidents is left to human responders.

Similarly, tabletop exercises, in which stakeholders come together to test incident response plans, can be a useful way of developing experience in decision making. But they are time-intensive and will not test many of the technical tools and processes used in a real-world response.

**Moving From a Reactive to an Adaptive Approach**

Introducing self-learning artificial intelligence (AI) into incident management can allow teams to engage an incident in more detail and at an earlier stage than they currently can, minimizing disruption to the business.

One of the more challenging security tasks is dedicating time to continuously evaluate readiness to handle an incident, which could occur at any time. AI can add value here by combining a deep understanding of every internal asset and continuous evaluation of coverage and functionality of the recovery stack to assess: _How prepared are you for defeating a cyberattack?_

During an incident, especially if on a larger scale, AI-powered systems offer full visibility into the scope and details of the compromise, creating a more informed basis on which to manage it. By holding this complex understanding within the software, it can go further by automating much of recovery management. It can automatically adapt planned recovery steps to precise incident details. It can also prioritize assets for remediation based on its deep understanding of that asset's function and role within the incident and the business.

But AI assistance doesn't have to mean relinquishing human control. Rather, AI should augment human teams by presenting simple choices and recommendations based on real-time developments and simplify and automate technical steps where possible. Working together, AI can shorten the time-consuming recovery processes while providing human teams with relevant and timely context to support faster decision making when it counts.

Time savings from AI can extend to record keeping during and after the incident. By collecting forensic evidence automatically and keeping a record of all defensive actions taken, AI can create incident reports at any time. These reports enable teams to communicate clearly to stakeholders what has happened, what they've done about it, and what further actions they are planning to take.

Critically, incident management needs to interact with detection, immediate response, and preventative measures across the rest of the cybersecurity ecosystem. In a landscape where vendor consolidation is top of mind for CISOs and CFOs, incident recovery products that can integrate with these other capabilities provide a compelling case for a single dashboard approach to cyber resilience.

The reality is that cyber incidents are a question of _when_ and not _if_, so organizations that look to move beyond static incident playbooks and standard frameworks will remain ahead of the game. Leveraging AI and automation to deliver bespoke recovery plans that adapt in real time will allow these companies to achieve new levels of cyber resilience in a fast-moving threat landscape.

**About the Author**

    

Matt Bovbjerg joined Darktrace in 2015, specializing in strategic customer deployment architecture and operationalizing Darktrace within large security stacks, before becoming the Vice President of Integrations Architecture. Matt works closely with Darktrace R&D, Technology Alliance Partners, and customers to develop use case-driven third-party integrations, ensuring organizations get the most out of their security investments. Matt holds a Bachelor’s degree in Industrial and Operations Engineering from the University of Michigan.

How AI Can Help Organizations Adapt and Recover From Cyberattacks

Any new cybersecurity technology should be not just a neutral addition to a security stack but a benefit to the other technologies or people managing them.

The cybersecurity technology field is, shall we politely say, crowded. I recently returned from attending RSA, one of the biggest conferences in the industry. Trying to describe just how many new technologies and solutions I saw there feels a lot like trying to describe how big space is: Our brains can't actually process that kind of scale. 

I imagined being a chief information security officer (CISO) at this event, trying to make decisions on what products or technologies would solve their particular organization's security weaknesses. It was, in trying to maintain my earlier commitment to being polite, overwhelming. There _must_ be a better way to quickly figure out if a security technology is worth evaluating. 

This ecosystem we have found ourselves in, of slapping new technologies into our security stacks, isn't working. Security staffs everywhere are pulled too thin trying to manage every new technology, and threat actors are continuously breaking through our protection technologies. 

So, how do we break this cycle? When looking for security technologies, we start assessing how much value the technology provides — not just whether it can do what it promises to do, but also if it provides a net positive for the entire security stack and management teams. 

We are moving into a new era of cybersecurity, and every investment must be prudent. In order to make these decisions, companies must start asking some fundamental questions about these technologies in order to understand the true value — or cost — of a security solution. These questions of proactivity, intelligence, autonomy, scalability, and benefit to the stack as a whole can help you find the most value in every security technology.

Importantly, these questions can also help you evaluate your existing technologies, as you now know in real life how they are (or are not) serving your network and your teams. The answers might surprise you. 

**Question 1: Is the technology proactive or reactive? **

While almost any cybersecurity technology will be quick to use the word "proactive," we first should define what the term really means. A truly proactive technology is one sitting "left of boom," or, more simply, before a successful breach. Recently, almost all cybersecurity technology sits "right of boom," responding to and mitigating the effects of breaches that have already happened. 

In modern security frameworks and stacks such as MITRE/NIST/zero trust, often the only left-of-boom technology in place is the firewall/next-generation firewall (NGFW). These decades-old technologies have been tasked with more and more, and yet they remain standard. We have to help the rest of the security stack by investing in more proactive technologies. 

**Question 2: How much cyber intelligence can the technology leverage? **

It has become increasingly clear that the word of our time is "intelligence" — be it artificial, human, or, more in my world, cyber. The value of intelligence and data has never been higher, and this has proven especially true in the war against cybercriminals. 

The future is intelligence driven, and the more intelligence a cybersecurity technology can act on, the better. Any cybersecurity technology must be informed by as much cyber/threat intelligence as possible. Without the data to make informed decisions about enforcement, threat actors automatically have an upper hand. 

**Question 3: Is the technology (truly) autonomous? **

I cannot think of a cybersecurity technology that doesn't claim it is "autonomous." This has become so common in our industry that the word itself has almost lost meaning. However, with a cybersecurity staffing shortage that does not look to be going away any time soon, it's critical we evaluate what we mean by "autonomous" when thinking about a technology.

How many hours of an employee's day (on average) does this technology require? Does this technology require another full-time employee to manage the alerts or logs? Does this technology automatically update? (And what are the down times like for them?) The answers to these questions should be: zero, no, and yes. Anything else is not an autonomous technology. 

**Question 4: How does the technology scale? **

Threat actors have shown themselves to be nimble, inventive, and persistent in their attacks. The technologies we implement must be able to grow and adapt to these realities. Can they adapt to higher volumes, deeper obfuscations, and yet-unknown attack vectors? Knowing your technologies can grow with your network _and_ adapt to an ever-changing threat landscape is vital in any security technology investment. 

**Question 5: Can the technology work easily with existing technologies? **

One of the biggest drivers of cybersecurity professionals is what's known as "alert fatigue." This is caused by too many technologies that are extremely sensitive in finding threats or breaches, yet are unable to communicate with each other easily, throwing multiple alerts for the same malicious traffic. The cybersecurity teams are then forced to sift through multiple erroneous/duplicate alerts, and are more prone to errors due to the large volume of traffic networks are receiving day and night. Sadly, this is just one example of how multiple technologies that aren't sharing information can impact a network's cybersecurity posture. 

Any new cybersecurity technology you consider should be not just a neutral addition to the security stack, but rather a benefit to the other technologies or people managing them. Some questions to ask in this arena might be: Can it feed intelligence easily to other implemented technologies? Does it ease a pain point of another technology? Can it ingest information from other implemented technologies? 

Rarely will a technology be able to adequately answer for more than one of these questions. For instance, a technology might be able to use lots of intelligence but isn't proactive and needs constant monitoring by employees. These are the challenges security teams face every time they make a decision about a new or existing security technology, but figuring out how much value each technology adds — or doesn't — is the best start.

5 Questions to Ask When Evaluating a New Cybersecurity Technology

Companies are starting to address the misuse of artificial intelligence (AI). At Google I/O, for example, executives promised its AI has safety measures.

GOOGLE I/O 2023, MOUNTAIN VIEW, CALIF. — Sandwiched between major announcements at Google I/O, company executives discussed guardrails to its new artificial intelligence (AI) products to ensure they are used responsibly and not misused. They included Google CEO Sundar Pichai, who noted some of the security concerns associated with advanced AI technologies coming out of the labs.

The spread of misinformation, deepfakes, and abusive text or imagery generated by AI would be hugely detrimental if Google were responsible for the model that created this content, said James Sanders, principal analyst at CCS Insight.

"Safety, in the context of AI, concerns the impact of artificial intelligence on society," he said. "Google's interests in responsible AI are motivated, at least in part, by reputation protection and discouraging intervention by regulators."

For example, Universal Translator is a video AI offshoot of Google Translate that can take footage of a person speaking and translate the speech into another language. The app could potentially expand the video's audience to include those who don't speak the original language.

But the technology could also erode trust in the source material, since the AI modifies the lip movement to make it seem as if the person were speaking in the translated language, said James Manyika, Google's senior vice president charged with responsible development of AI, who demonstrated the application on stage.

"There's an inherent tension here," Manyika said. "You can see how this can be incredibly beneficial, but some of the same underlying technology can be misused by bad actors to create deepfakes. We built the service around guardrails to help prevent misuse and to make it accessible only to authorized partners."

**Setting up Custom Guardrails**

Different companies have different approaches to AI guardrails. Google is focused on controlling the output generated by artificial intelligence tools and limiting who can actually use the technologies. Universal Translators are available to fewer than 10 partners, for example. ChatGPT has been programmed to say it can't answer certain types of questions if the question or answer could cause harm.

Nvidia has NeMo Guardrails, an open source tool to ensure responses fit within specific parameters. The technology also prevents the AI from hallucinating, the term for giving a confident response that is not justified by its training data. If the Nvidia program detects that the answer isn't relevant within specific parameters, it can decline to answer the question or send the information to another system to find more relevant answers.

Google shared its research on safeguards in its new PaLM-2 large-language model, which was also announced at Google I/O. That Palm-2 technical paper explains that there are some questions in certain categories the AI engine will not touch.

"Google relies on automated adversarial testing to identify and reduce these outputs. Google's Perspective API, created for this purpose, is used by academic researchers to test models from OpenAI and Anthropic, among others," CCS Insight's Sanders said.

**Kicking the Tires at DEF CON**

Manyika's comments fit into the narrative of responsible use of AI, which took on more urgency following concerns about bad actors misusing technologies like ChatGPT to craft phishing approaches or generate malicious code to break into systems.

AI was already being used for deepfake videos and voices. AI company Graphika, which counts the Department of Defense as a client, recently identified instances of AI-generated footage in use to influence public opinion.

"We believe the use of commercially available AI products will allow IO actors to create increasingly high-quality deceptive content at greater scale and speed," the Graphika team wrote in its deepfakes report.

The White House has chimed in with a call for guardrails to mitigate misuse of AI technology. Earlier this month, the Biden administration secured the commitment of companies including Google, Microsoft, Nvidia, OpenAI, and Stability AI to allow participants to publicly evaluate their AI systems during DEF CON 31, which will be held in August in Las Vegas. The models will be red-teamed using an evaluation platform developed by Scale AI.

"This independent exercise will provide critical information to researchers and the public about the impacts of these models, and will enable AI companies and developers to take steps to fix issues found in those models," the White House statement said.

Google Adds Guardrails to Keep AI in Check

Secure email gateways and end users alike are being fooled by a cyberattack campaign that's enjoying skyrocketing volumes against businesses in every industry, globally.

A high-volume credential-harvesting campaign is using a legitimate email newsletter program named SuperMailer to blast out a significant number of phishing emails designed to evade secure email gateway (SEG) protections.

According to a report from Cofense on May 23, the campaign has snowballed so much that SuperMailer-created emails account for a significant 5% of all credential phishes within the firm's telemetry in the month of May so far. The threat seems to be exponentially growing: The monthly volume of the activity overall has more than doubled in three out of the past four months — notable even in a landscape where credential phishing is growing overall.

"Combining SuperMailer's customization features and sending capabilities with evasion tactics, the threat actors behind the campaign have delivered tailored, legitimate-looking emails to inboxes spanning every industry," explained Brad Haas, cyber threat intelligence analyst at Cofense and author of the research.

And indeed, Cofense reports that the threat actors behind the activity are casting a wide net, hoping to haul in victims in a varied sea of industries, including construction, consumer goods, energy, financial services, food service, government, healthcare, information and analytics, insurance, manufacturing, media, mining, professional services, retail, technology, transportation, and utilities.

**Supersized Phishing With SuperMailer**

What makes the numbers even more interesting is the fact that SuperMailer is a somewhat obscure German-based newsletter product that has nowhere near the scale of more well-known email generators such as ExpertSender or SendGrid, Hass tells Dark Reading — yet it's still behind wide swathes of malicious emails.

"SuperMailer is desktop software that can be downloaded for free or for a nominal fee from a number of sites that may be completely unassociated with the developer," he says. "A free version of SuperMailer was released on CNET in 2019, and since that point has had approximately 1,700 downloads. This number is low in comparison to many popular software downloads, but we do not have any other information on the number of legitimate organizational users."

SuperMailer did not immediately respond to Dark Reading's request for comment. But since the clients are propagated via third-party websites and have no server or cloud component, Haas notes that SuperMailer's metaphorical hands are tied when it comes to rooting out the activity.

"In the past, we've seen large, cloud-based services abused to send phishing emails or create unique URL redirects pointing to phishing pages, but those services often catch and combat the activity after a period of time," he says. "We do not know the extent to which the SuperMailer developer is capable of fighting this abuse."

That in of itself makes SuperMailer attractive to cybercriminals. But the other reason is that it offers an attractive disguise for getting past SEGs and ultimately end users, thanks to some unique features.

**Evading Email Security With Ease**

"This is another example of threat actors abusing tools that were designed for legitimate purposes," Haas notes, adding that features that legitimate users find helpful will also appeal to crooks. "This already happens in the penetration testing arena, where open source penetration testing tools are regularly abused by threat actors to conduct actual threat activity," he says.

In this case, SuperMailer offers compatibility with several email systems, which allows threat actors to spread their sending operation across multiple services — this decreases the risk that a SEG or upstream email server will classify emails as unwanted due to reputation.

"The threat actors likely have access to a variety of compromised accounts, and they use SuperMailer's sending features to rotate through them," Haas wrote in his report on the threat.

The SuperMailer-generated campaigns also take advantage of template customization features, like the ability to automatically populate a recipient's name, email, organization name, email reply chains, and more — all of which boosts the legitimacy of the email for targets.

The software also doesn't flag open redirects — legitimate Web pages that automatically redirect to any URL included as a parameter. That allows bad actors to use completely legitimate URLs as first-stage phishing links.

"If a SEG does not follow the redirect, it will only check the content or reputation of the legitimate website," Haas said in the report. "Although open redirects are generally considered to be a weakness, they can often be found even on high-profile sites. For example, the campaigns we analyzed used an open redirect on YouTube."

**Defending Against the SuperMailer Threat**

Cofense has been able to track the SuperMailer activity thanks to a coding mistake that the attackers made while crafting the email templates: The emails have all included a unique string showing that they were produced by SuperMailer. However, parsing messages for that string or more broadly blocking entire legitimate mailing services isn't the answer.

"We haven't yet uncovered any default characteristics that would allow us to broadly block emails generated by SuperMailer," Haas says. "In this case, the identifiable characteristics were discoverable only due to a mistake by the threat actor. Without the mistake, it wouldn't be feasible, as those characteristics are not visible in every SuperMailer email."

However, he notes that there are other characteristics that would identify the emails as potential security threats, even without knowing their origin — including their content. An example would be non-target-specific email reply chains appended to the messages.

This is especially important given that Cofense has discovered that the SuperMailer phishes are part of a larger set of activity that has accounted for a full 14% of phishing emails landing in inboxes in May in the Cofense telemetry. Haas explained that all of the emails — SuperMailer-sent and the others — share certain indicators that tie them all together, such as the use of URL randomization.

"Human intuition is often much better at recognizing these differences," Haas says "so training employees to be vigilant against phishing threats is a critical element of good cyber defense."

SuperMailer Abuse Bypasses Email Security for Super-Sized Credential Theft

Widespread cyber incidents will happen, but unlike natural disasters, specific security controls can help prevent a catastrophe.

Risk aggregation is not a new phenomenon. The insurance industry, for example, has long examined how shared assets and similarities between organizations in their books bundle potential risk. Risk aggregation is the grouping of compounded risks together to understand the overall risk to an organization, a region, an industry, and more. For example, if a hurricane hit a specific region, the potential property damage could result in a cluster of insurance claims; this is considered an aggregate risk.

Insurance providers have to consider both the implications of aggregate risk and those risks compounding to create a singular, catastrophic event that affects a large number of policyholders. Think of this like an insurer choosing to sell home insurance to everyone in a city, then a hurricane destroys every house in that city — it would lead to massive volumes of claims.

We haven't seen such an event in cyber _yet_, but the worry is that one massive cyber incident could result in an unmanageable chain of technological events that becomes catastrophic for businesses, even economies, around the world. And as cybercriminals get bolder, the possibility of compounding cyber-risk factors becomes a more significant concern.

However, aggregate risk plays out a little differently in cyber. During a hurricane, you cannot move the houses in the path of a hurricane to a different location to avoid damage. But organizations _can_ implement specific security controls to help prevent a catastrophe during a cyber incident. Whether that's implementing defensive measures against distributed denial-of-service attacks, patching the latest severe vulnerability, or deploying applications to multicloud or regional clouds, there are many ways to reduce aggregate risk — and even avoid a catastrophe — in cyber.

When considering aggregate cyber-risk, security professionals shouldn't get caught up in clickbait headlines. They need to understand two things in order to proactively secure their organizations: One, cyber-risk is constantly changing, and two, when informed by data-driven insights, aggregate cyber-risk does not need to become catastrophic.

**Cyber-Risk Is Volatile and Dynamic, But So Is Technology**

Cyber-risk is ever-changing because new vulnerabilities crop up daily, making it especially hard to predict how risk will evolve. Case in point: Coalition estimates that the number of Common Vulnerabilities and Exposures (CVEs) will increase by 13% from 2022 to 2023. This number will likely continue to grow year-over-year as more researchers enter the field and more technology is introduced.

However, the rising number of CVEs should not scare security professionals into thinking all hope is lost. There is still a ceiling for the number of organizations that attackers can target and the volume of vulnerabilities they can exploit. The dynamics of the growing risk landscape parallel mitigation: Detection speeds are also increasing, and software updates and patches are getting released more quickly to resolve newly detected issues. Basically, we're getting smarter along with our attackers.

Instead, it would serve the industry to think about risk aggregation at a more personal, granular level: Address the most significant risk areas specific to your organization or industry first because that's often where the most pain can be inflicted.

Security professionals may also need to change how they typically discuss risk to make it a broader C-suite conversation. For example, communicating about risk in terms of dollar signs — not vulnerability severity scores — can help a CFO decide how much insurance coverage they should purchase.

**A Data-Driven Approach to Modeling Cyber-Risk**

The truth is that cybersecurity is manageable and can be properly underwritten, given the right data and technical expertise. Ironically, more data exists about cyber-risk than any other risk in the world. Using this massive amount of data to our advantage can help dramatically impact aggregate cyber-risk’s impact on organizations.

In a Coalition simulation modeled against a sampling of 5,000 top-growth US companies, we discovered that a cyber event with a one-in-250-year likelihood could cost more than $370 million in losses. When extrapolated across the entire US economy, a catastrophic cyber event could cost $30 billion in total losses.

But our model also uncovered that a catastrophic event is far more likely to be localized. Looking at aggregation technologies and vendors — the shared technology infrastructure on which aggregate cyber-risk is built — we can see that cyber-risks aren't as interconnected as you'd think. Assets aren't all located in the same homogeneous physical locations or virtual environments.

For example, if a cloud services provider were to go out, it's highly improbable that this would happen globally; it would more likely impact only a specific segment. While cloud computing providers operate hundreds of thousands of physical servers and millions of virtual machines around the globe, their infrastructure and operations are highly segmented, which would prevent the failure of any one element from spilling over to another.

**It's Not About Eliminating Risk, but Managing It**

We can't prevent a catastrophic cyber event or know the extent to which risk aggregation could be catastrophic, especially because there are no historical examples to guide the way. Cyber is a dynamic and complex type of risk, and insurance providers can't treat it with the same typical aggregation techniques used in the past.

Understanding cyber-risk starts with being comfortable with change and using the right skills and mindset to chip away at the unknowns. Cyber-risk is knowable and quantifiable, even if it will likely be unpredictable.

What Security Professionals Need to Know About Aggregate Cyber-Risk

Victims of the cybercrime schemes are coerced to participate through violence and having their belongings taken away.

The FBI is warning US citizens that are traveling to or living abroad in Southeast Asia of false advertisements leading to labor trafficking, where individuals are intimidated and forced to involve themselves in international cryptocurrency investment fraud schemes.

Criminal actors, primarily belonging to Chinese crime groups, post fake job advertisements on employment sites and social media, offering jobs such as call center customer service representatives and beauty salon technicians. These fake advertisements reach potential victims on a global scale, including those from countries like Bangladesh, Brazil, China, Ethiopia, Hong Kong, India, Japan, Russia, Vietnam, Zimbabwe, as well as the US.

By reeling in their victims' interest with promises of competitive salaries and a wide range of supposed benefits, criminal actors manage to convince these individuals to travel to the "job location" where they are ultimately coerced to commit criminal cryptocurrency acts, by confiscating their personal items and threatening them with violence.

"This activity continues to expand at an alarming rate, with thousands of new victims trafficked every month, while industrial sized scam and money laundering operations expand far beyond the pace of any response," Jason Tower, Myanmar country director at the United States Institute of Peace and cyber trafficking expert, said in a column.

The FBI is encouraging people to do their research on any company and job opportunity before accepting a position, to be careful when the benefits and salary do not align with a job offer, and to share their contact information and employment details with those close to them.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

FBI: Human Trafficking Rings Force Job Seekers Into Cryptojacking Schemes

Changes in the way risk is viewed are leading to changes in the way training is conducted.

Cybersecurity awareness training has always, at one level, been about risk. Whether you subscribe to the notion that employees are your first line of defense (they're not) or that employees are your last line of defense (there you go), it really can't be argued that employee behavior plays no role in the risk facing an organization. This statement is true whether we're talking about cybersecurity or construction site safety, but the last year has seen a dramatic change in the ways that companies talk about, think about, and act on the connection between risk and employee training.

One of the strongest drivers of this change has been the role of cyber-insurance providers in the cybersecurity industry. Cyber insurance is now seen as a product as necessary as property and casualty insurance for most companies. And since cyber-insurance companies charge for their product — a product based on risk — the cost of that product, and therefore the cost of risk, has bubbled to the top of the business conversation topic list.

**A New Goal**

Today, the goal of cybersecurity awareness training is less about creating an educated workforce and more about reducing the risk of an uneducated workforce. Those might seem to be two sides of the same coin, but there is a critical difference: how success is demonstrated. If the goal is to produce an educated workforce, then assessing training success can come through tests that ask questions about the lesson just taught. The key is finding out whether the student gained information from the lesson.

If, on the other hand, the goal is to reduce the risk of an uneducated workforce, then assessing training success must come through a demonstration of changed behavior. The issue is not whether the student acquired information but whether the student puts that information to use to behave in a way that is less risky for the organization. Put simply, it's not what the employees _know_ but what they _do_ that matters.

**The New/Old Training**

Cybersecurity awareness training has always been a two-part educational service. The first part is knowledge transfer, while the second part is changed behavior. The new goals and new conversations don't change that fundamental makeup, but they do change the emphasis of the process and how it is thought of throughout the organization.

With the emphasis shifting to reduced risk, the spotlight is on changed employee behavior. Customers, then, will force training providers to discuss how they change behavior (and measure that change) rather than how they engage employees or keep employees' interest over the length of a training course. Many companies will frankly not care how a training product works as long as it produces the desired, measurable change in risk.

Some training providers are beginning to recognize the shift and more change is on the way. During the training evolution, it is likely that the industry will see muddied messages, new ways of describing the product and new ways of measuring training success. Customers who make the most of the changing reality will be those who remember that the two primary pieces of cybersecurity awareness training haven't changed — the training providers who have produced the best results in the past are likely to have a solid starting advantage as we move into the future.

A New Look for Risk in Awareness Training

Threat actors are circumventing geo-location-based security detections, using a combination of cybercrime-as-a-service platforms and the purchasing of local IP addresses.

Attackers have found a new way to avoid detection in business email compromise (BEC) and account takeover attacks by buying locally generated IP addresses to mask the origin of their login attempts, thus circumventing the common "impossible travel" security detection, Microsoft is warning.

An impossible travel flag occurs when a task is performed at two locations in a shorter amount of time than would be required to travel from one location to the other — for instance, if Employee A always logs on from Boston at 9 a.m., then a login attempt an hour later from Singapore would raise a red flag. However, masking the actual origin IP address from which a malicious task is coming provides "the ability and opportunity for cybercriminals to gather large volumes of compromised credentials and access accounts" from anywhere, Microsoft researchers wrote in a blog post.

Threat actors are using a combination of platforms such as BulletProftLink, a service for creating industrial-scale malicious email campaigns, and residential IP services to help them evade the flag, Microsoft Security researchers revealed. 

BulletProftLink sells an end-to-end service, including templates, hosting, and automated services for committing BEC — essentially providing cybercrime-as-a-service (CaaS). The abuse of residential IP addresses meanwhile allows for higher volumes of BEC attacks, the researchers warned. One IP service provider, for example, has 100 million IP addresses that can be rotated or changed every second.

"Now, armed with localized address space to support their malicious activities in addition to usernames and passwords, BEC attackers can obscure movements, circumvent 'impossible travel' flags, and open a gateway to conduct further attacks," according to Microsoft, which added that threat actors in Asia and Eastern Europe are the ones most frequently deploying this tactic.

**A Growing Tide of Business Email Compromise**

The warning comes against a backdrop of escalating numbers of BEC campaigns. Indeed, the FBI reported that in 2022, it logged more than 21,000 BEC complaints, amounting to adjusted losses of more than $2.7 billion. Microsoft said that nearly all forms of BEC attacks are on the rise, with the top lures among the socially engineered campaigns including payroll topics, invoices, gift cards, and business information.

"Instead of exploiting vulnerabilities in unpatched devices, BEC operators seek to exploit the daily sea of email traffic and other messages to lure victims into providing financial information, or taking a direct action like unknowingly sending funds to money mule accounts, which help criminals perform fraudulent money transfers," the researchers wrote in the post.

Top targets for BEC cybercriminals are executives and other senior leaders, finance managers, and human resources staff with access to employee records like Social Security numbers, tax statements, or other personally identifiable information, the company said.

Attackers also like to target new employees who may be less likely to verify unknown sender email addresses, the researchers said. Indeed, attackers successfully breached security vendor Dragos by targeting a new employee with a socially engineered attack, allowing them to log into the company's employee-onboarding process.

**Protection & Mitigation Against Local IP Tactics**

While "masquerading behind different IPs/proxies" has been in use by threat actors for more than a decade, its increased use in BEC attacks should serve as a reminder to organizations that they need to practice more vigilance in flagging suspicious network activity, notes one security expert.

In particular, organizations need to use more than geo-location to evaluate the authenticity of an attempt to access a network, says Roy Akerman, co-founder and CEO of cloud and SaaS security firm Rezonate. Instead, full behavioral analysis is the way to go.

"Additional behavioral information on the browser details, actions taken, pattern of usage, and others should be taken into account to limit the usage and stealing of identities," he says in an email to Dark Reading.

There are also other steps that enterprises can take to stop BEC campaigns that attempt to circumvent the impossible travel flag, Microsoft said. The company suggested that enterprises configure mail systems to flag messages sent from external parties, as well as enable DMARC and notifications for when email senders are not verified.

Organizations also should block senders with identities that they cannot independently confirm and report their mails as phishing or spam in email apps, the researchers said.

Setting up strong authentication policies, such as multifactor authentication (MFA), can also help thwart BEC campaigns, making accounts **"**more resistant to the risk of compromised credentials and brute-force login attempts, regardless of address space attackers use," the researchers also noted.

Employee training in how to spot fraudulent and malicious emails should be commonplace among organizations at this point given the frequency with which attackers use BEC and phishing to compromise accounts, as well as their continued success rate and the cost associated with these attacks, the researchers said.

Microsoft: BEC Attackers Evade 'Impossible Travel' Flags With Residential IP Addresses

A February 2022 attack knocked the giant tire maker's North American operations offline for several days.

As a CISO that helped his company navigate through the aftermath of a crippling ransomware attack last year, Bridgestone Americas' Tom Corridon says his biggest advice for other organizations is to designate key decision-makers for handling such crises before they happen.

Not having a clear-cut line of action at the executive level in advance can exacerbate the consequences of a cyberattack and allow the attacker an opportunity to create more damage, Corridon said in an interview at Accenture's third annual virtual OT cybersecurity summit last week..

"When you want to pull a lever, when you want to make a decision about disconnecting networks, or paying a ransom, who makes those decisions?" Corridon said. "To know that going in is really, really important because then you are not caught flatfooted. You are not caught looking around the room going, 'is that you, or is that me?'"

The February 2022 ransomware attack on Bridgestone led to the tire giant to shut down its networks at manufacturing and retreading facilities in North America and Latin America for several days. The well-known ransomware group LockBit 2.0 later claimed credit for the attack and announced plans to publicly leak data accessed from Bridgestone's systems if the company did not comply with the group's ransomware demand.

Bridgestone later disclosed that the cyberattackers had accessed business records as well as files containing Social Security numbers, bank information, and other sensitive data on some of its customers. But the company has released no other details of the attack since then, including whether it paid the LockBit gang a ransom or not. 

The attack was one of several last year that affected operating technology (OT) networks at industrial and manufacturing companies in the US and elsewhere. A second-quarter 2022 analysis of ransomware attacks from Dragos showed most attacks (68%) on industrial organizations targeted the manufacturing sector.

**Tabletop Exercises for Executives**

Corridon's interview at the Accenture virtual event steered clear of the details of the attack, the damage it had caused, and the recovery effort. However, it focused on several lessons the company was able to take away from the attack. The biggest, according to Corridon, is knowing who makes crucial decisions during an unfolding crisis, and how.

Corridon advocates that organizations that do tabletop exercises for their technical team need to have a parallel scenario-based exercise that involves key executives and decision-makers. Just like incident management processes have two threads — one technical and one for executives — so, too, should tabletop exercises.

Another key consideration is that the executives in charge of making critical decisions during a ransomware attack need to be comfortable making them without a lot of data. 

"They need to be comfortable making decisions in the moment that are going to feel like gut decisions or rash decisions," Corridon noted. "But we need to be prepared for that because the longer you sit on a decision and you analyze it and think it through and wait for that perfect decision to land in your lap, the more time the threat actor has to go further into your environment and do more damage."

**Never Let a Good Crisis Go to Waste**

According to Corridon, who was interim CISO at Bridgestone when the attack happened, one silver lining with major security events is the heightened awareness and willingness to change that it can foster. In the year since the attack, Bridgestone has implemented security changes that would otherwise have taken years to convince executives of, push through, and enable, he said.

He advised that security teams take a never-let-a-good-crisis-go-to waste approach to push through change, if they are unfortunate enough to experience a major security breach. 

"In an incident, your executives have a front-row seat to the action," Corridon said. "So, they are walking away with a better understanding of terms they never wanted to understand or wanted to know." 

That heightened awareness and understanding often means they are more prepared to give security teams the money and resources they need to implement a stronger security posture moving forward. "They are prepared for change \[because\] they have a taste in their mouth of a bad experience," he says.

Similar change can be harder to achieve in the lower echelons, where concerns over everyday jobs and goals can quickly relegate security concerns to the backburner once an immediate crisis has passed, Corridon acknowledged. Therefore, it's important to always keep cybersecurity a relevant and top of mind topic for employees. In much the same way that OT environments emphasize physical safety precautions, organizations need to make cybersecurity a part of the daily routine for employees.

One way to begin getting stakeholders to think differently about cyber resilience is to stop describing breaches and attacks as security incidents. "An incident is when you trip and fall or somebody unplugs something by accident," he said. A ransomware attack, on the other hand, is a criminal act against the company. 

"Having that reframing of thought can go a long way," Corridon said. "The words you use as you are going through the event and actually recognizing it as a crime against the organization is a first step."

Bridgestone CISO: Lessons From Ransomware Attack Include Acting, Not Thinking

Shorter certificate lifespans are beneficial, but they require a rethink of how to properly manage them.

On March 3, Google (via The Chromium Projects, which it controls) proposed a plan to drastically shorten the lifespan of Transport Layer Security (TLS) digital certificates, from 398 days to 90 days. This will spur significant changes in how organizations manage their certificates, particularly regarding automated processes.

The proposal by the open source body behind the Google Chrome browser and Chrome OS, included in a road map called "Moving Forward, Together," is a positive step toward ensuring more reliable, robust Web operations. But it will require companies and other organizations to significantly transform their certificate processes.

The lifespan of digital certificates has fallen steadily over the past decade, from five years in 2012 to a little more than two years in 2018 to 13 months, or 398 days, in July 2020. The shorter lifespans help ensure the accuracy of digital identities, especially in a cloud-based computing environment where websites and services are constantly being spun up or down to accommodate changing demands and priorities.

Google said the proposed changes would allow for faster adoption of improvements, such as best practices and new security capabilities, and encourage organizations to move away from time-consuming and error-prone manual processes. The resulting move toward automation would also better prepare organizations for the advent of post-quantum cryptography.

**A Wake-up Call for Certificate Monitoring**

If adopted, the Chromium Projects' proposal to the CA/Browser Forum — a consortium of certification authorities (CA), browser makers, and others — would most likely take effect by the end of 2024. And although the changes are not set in stone, the prospects of a considerably shorter lifespan should serve as a wake-up call for organizations. They need to get greater control and visibility over their public keys and certificates, because the proposal is a sure sign that the game has changed.

The five-year life of certificates from a decade ago reflected a different time, when teams could get a certificate for, say, a Web server and then pretty much forget about it. They never developed a routine for checking to see if certificates were about to expire or for renewing them, which could lead to certificate-related outages. The eventual shortening of certificate life to 398 days helped put teams on a schedule they could get comfortable with, checking regularly for expirations.

As organizations expand in the cloud, visibility of TLS (also known as Secure Sockets Layer, or SSL) certificates is critical. And the layered, increasingly complex environments in the cloud are beyond the ability of teams to keep track of manually. Now, with the proposed new validity period, it's about automating the process.

Currently, organizations dedicate their resources to the people and processes necessary for installing certificates. In the near future, they'll need people and resources for automating the process, which will involve programming and maintaining new software. The focus will shift somewhat from knowledge of public key infrastructure (PKI) — which is at the core of TLS — to internal infrastructure knowledge.

**Centralized Monitoring Is Critical**

To manage the certificate workload, organizations will need to centralize certificate monitoring in order to easily identify certificates that are about to expire. Without a centralized view, it's still possible to spin up a server, get a certificate for it, and then forget about it, which can lead to disaster. A 2022 Ponemon Institute study found that half of respondents had suffered at least one certificate-related attack in the previous two years, and that 58% of them described the financial consequences as "severe."

Centralized monitoring also involves more than checking expiration dates on certificates. Organizations also will need to monitor how certificates are being used on their servers. It's not uncommon for certificates to be deployed to the wrong servers, leaving some servers without the certificates they need for their workloads. In a small company with a handful of employees, everyone may know what's running where. But in a 5,000-person enterprise, it can be impossible to keep track of it all without a centralized view.

The interconnected nature of business operations may also require that TLS visibility extend to supply chains, because a compromise of even a small system within a connected environment can have a huge impact on operations. Organizations may want to consider the advantage of outside monitoring services, rather than keeping everything in-house.

**Looking Ahead**

The full impact of the Chromium Projects' proposal has yet to be determined. There seems to be a couple of gray areas, such as whether it might apply to Internet of Things devices such as, for example, security cameras that also use certificates, or if it's limited to just Web servers.

But no matter what happens with the proposal, it reflects the reality of today's environment. Shorter certificate lifespans are beneficial, but organizations will certainly need to rethink how they can properly manage them.

Source

DARKReading