Relatively few organizations have the resources for security programs and security professionals, so the US cyber agency is putting programs in place to help them, while striving to understand the scope of the problem itself.

Every day, attackers are targeting US small businesses, election offices, local government agencies, hospitals, and K–12 school systems, but most such organizations do not have the funding — or the dedicated resources — to defend themselves or even to know whether they are being attacked. 

The US Cybersecurity and Infrastructure Security Agency (CISA) aims to help these "cyber poor" places both to shore up their defenses and respond more quickly to attacks, Jen Easterly, director of CISA, told attendees at the sixth annual Hack the Capitol event in McLean, Va. on May 10. While the agency continues to work with government, large companies, and technology vendors on improving security, CISA aims to see how much it can help smaller organization fend off cyber threats as well.

The goal is to understand their needs, what they need to be able to invest in security, and where CISA can help them defend their capabilities, Easterly said. 

"How do we help a school district, can we help a small hospital, or help a water facility using ... free services, using assessments, using things like our cyber hygiene, \[and\] vulnerability scanning?" she said. "Can we help them reduce threats? So we're trying to spend a whole year doing this, and at the end of the year, we will see if we have been able to make any difference."

The focus on smaller organizations acknowledges that often SMBs, local government agencies, and schools have been overlooked and not included in the push to create more resilient organizations. The government's efforts to create public-private partnerships have typically focused on large companies and critical industries, but attackers — especially ransomware gangs — have hunted for smaller groups who do not have deep cybersecurity resources. Those groups are numerous — 99% of all businesses in the US have 250 employees or less, according to US Census data.

"We really tried to shift the paradigm from decades of public-private partnerships, which, frankly, were episodic and unidirectional and not necessarily the right type of mechanism that we needed to defend the country," Easterly said. The idea is that "the private sector, with international partners, with state and local partners, should come together to create a tapestry of visibility that would allow us to better understand the threats and take down risks to the nation."

**Time for a Simpler, Easier Cybersecurity Framework**

While the Cybersecurity Framework published by the National Institute of Standards and Technology (NIST) is considered the gold standard for creating a cybersecurity plan for a business, the document is hard to understand and implementation is difficult, Easterly said. CISA has thus introduced Cybersecurity Performance Goals (CPGs), which aim to be lower cost and lower effort goals that organizations can take to improve the cybersecurity posture.

"You don't know how to use the NIST Cybersecurity Framework and so \[if\] you want a much simpler guide, you can actually take the CPGs in a checklist format, and then characterize them by cost complexity and speed," she said. "CPGs have really helped in terms of, again, an easier, simpler metric that these entities can use to help drive down risks."

Ransomware is a particular focus, since many small organizations have been hit by ransomware in the past five years. CISA has already created a vulnerability-warning pilot that enables the agency to scan private systems and provide the owner with information on the vulnerabilities in those systems. 

"We get those tips and we ... let them know, 'Hey ... you've got this ransomware, you got this bad stuff on your network,'" she said. "'You need to do something about it ASAP.'"

**True Threats Still Cloudy**

Overall, what's the level of the threat to the cyber poor? Perhaps, surprisingly, the government does not have the answer. The balkanized structure of the Internet — a mishmash of private, educational, and government networks — means that visibility is limited, and no one has a complete picture, Easterly said. 

"The big question is how do you actually measure reduction of risk, which is hard because ... we don't understand the universe of how many events there are," she said. "It's all anecdotal — whatever numbers are out there, whatever studies are out there, whatever vendor — it's all really just a guess."

As we rush into a world where artificial intelligence is used as a way to consume and filter data, the level of information could get worse, because of AI hallucinations — statements made by machine-learning systems, such as large language models (LLMs) and ChatGPT, which sound authoritative, but are wrong.

Easterly pointed out that the design of the Internet never accounted for most of the threats that we have today, and that our approach to AI needs to be better.

"So you had an Internet full of viruses, you had social media full of disinformation, and now we have AI, which is sort of like an infantry lieutenant — frequently wrong, never in doubt," she said. "So I think we need to be very, very mindful of making some of the mistakes with artificial intelligence that we've made with other technology."

CISA Addresses 'Cyber Poor' Small Biz, Local Government

Supplementing staff by hiring hackers to seek holes in a company's defense makes economic sense in a downturn. Could they be cybersecurity's unlikely heroes in a recession?

For 30 years, Silicon Valley Bank (SVB) helped technology clients transform the region, and the world, growing to hold more than $200 billion in total assets and $175 billion in deposits. And then — spectacularly, and seemingly overnight — collapsing. While the Federal Reserve's bailout might have helped to staunch the bleeding for now, those who witnessed the events of early March firsthand will not forget what those first few frantic, uncertain days were like. The psyches of the investor class and tech sector may not recover for some time to come.

This could manifest as skittishness among the investor class, impacting tech of all focuses, but I'm particularly concerned about cybersecurity startups. A downturn in cybersecurity funding threatens not just the sector itself, but all who rely on cybersecurity innovation to keep threat actors at bay.

A recent article makes interrelated points to this effect. One: SVB has long been central to the banking needs of the cybersecurity community in the US and abroad, with public reports that roughly 500 cybersecurity vendors banked with them. Two: investors spooked by the collapse of SVB will likely be "re-evaluating practices" in the short term. Already, cybersecurity funding in 2023 had dipped to 2020 numbers. The collapse of SVB serves to intensify that trend.

One approach that has helped organizations shore up their defenses and continue innovating since the heyday of investment will be critical in this tumultuous time. Ethical hackers have always been one of the best solutions to rising rates of cybercrime. These hackers replicate the strategies of bad actors to penetrate systems and inform organizations about vulnerabilities. At this precarious economic moment, with funding collapsing and companies slashing security budgets, they're an especially viable alternative.

A downturn in funding for innovative solutions such as hackers against a perpetually intensifying cyberthreat landscape could be disastrous for both private and federal security needs. But, before explaining exactly why hackers are so important, it's worth sketching out our current threat and economic landscape in greater detail.

**Cybercrime and the Economy**

There's no shortage of statistics illustrating the challenging state of our current cybersecurity landscape. One report says cyberattacks on industrial firms increased by 87% in 2022. Meanwhile, another report shows cyberattacks against governments jumped by 95% in the second half of 2022. According to another study, the global cyberattack volume surged by 38% last year. The financial impact is significant; according to IBM, the average total cost of a data breach has risen to $4.35 million.

In many IT departments, keeping on top of their attack surface is an ongoing, hour-to-hour struggle.

The looming economic downturn will make these problems worse. Economic turbulence and spikes in cybercrime go hand in hand. In the aftermath of the 2009 recession, cybercrime rose an average of 40% over the following two years. It was clear again when Interpol and others noted a surge in cybercrime during the COVID-19 pandemic.

In other words: Economic turbulence means less investment in cybersecurity _and_ a surge in cybercrime. Put simply, it's a recipe for disaster.

**Why Hackers Are the Answer**

You can see why reduced funding for cybersecurity startups is a major problem. Any reduction in funding will be compounded by yet _another_ problem: individual companies cutting back on cybersecurity spending.

I believe that hackers represent the most viable solution to mounting budget concerns. It's not just that hackers are as inventive as the criminals they're trying to combat — prone to exactly the kind of left-of-field, unconventional thinking that routinely allows criminals to infiltrate well-fortified organizations. It's that — in a word — they're _affordable_. And what could matter more in times of economic stress?

Companies can access a diverse range of expertise and knowledge by using hackers, who bring a different mindset to your system's defenses and let you know quickly where your vulnerabilities are and how you might remediate them. Many organizations now routinely incentivize hackers to bring vulnerabilities to their attention through vulnerability reward programs such as bug bounty. That being said, such programs aren't meant to replace your very important cybersecurity teams. They're meant to supplement them, reduce internal burnout, and overall make your organization more successful.

Hackers have been largely mainstreamed by now, but a not-insignificant number of organizations remain resistant to the concept, on the logic that inviting hackers of any kind or motivation into one's internal systems may prove risky. But this is an outdated way of thinking. For proof, look no further than the US government, which is not usually known to take radical risks in the cybersecurity department. And yet: in 2017, the Department of Defense (DoD) launched Hack the Pentagon, and since then, hackers have alerted the DoD to more than 45,000 vulnerabilities. The US isn't alone in this: Insights generated by hackers are now a routine part of government security in countries all over the world, including Singapore and the UK.

A few years from now, we'll have a clearer picture of how precisely the collapse of SVB impacted the tech sector and the larger economy. In the here and now, though, all organizations need to stay on high alert. It would be a shame to weather an economic downturn just to lose it all from a major breach. The latter scenario, at least, is preventable — and hackers can help.

Why Economic Downturns Put Innovation at Risk & Threaten Cyber Safety

Attackers compromised the personal email of a new employee and, when the initial attack failed, attempted through socially engineered messages to get the company to pay them off.

One might argue that security companies should be more prepared than most organizations to defend against a cyberattack. That was the case at Dragos recently, when a known ransomware group attempted, but failed, to extort money from the security vendor in a socially engineered attack that occurred after it compromised a new employee's personal email account.

The attack occurred May 8, with attackers gaining access to SharePoint and the Dragos contract management system by compromising the personal email address of a new sales employee prior to the person's start date, the company revealed in a blog post on May 10. The attacker then used stolen personal information from the hack to impersonate the employee and accomplish initial steps in Dragos' employee-onboarding process.

Dragos' swift response prevented the threat group from achieving its objective — the deployment of ransomware — or to engage in further activity, such as lateral movement, escalating privileges, establishing persistent access, or making changes to any Dragos infrastructure, the company said.

"No Dragos systems were breached, including anything related to the Dragos Platform," according to the post.

However, the attackers didn't stop there. Once the group's initial compromise and ransomware strategy was unsuccessful, it quickly "pivoted to attempting to extort Dragos to avoid public disclosure," the company said. Attackers did this by sending a flurry of messages to Dragos executives that threatened to reveal the attack publicly if they weren't paid off.

In a creepy twist, the group even went so far as to get personal in the messages, making references to the family members and personal contacts of Dragos employees, as well as sending emails to the personal accounts of senior Dragos employees to elicit a response.

The company ultimately decided that "the best response was to not engage with the criminals," and managed to contain the incident, according to the post.

Still, Dragos acknowledged a data loss that will likely result in a public leak of information because the company chose not to pay a ransom, which is "regrettable." However, the company sticks by its decision not to engage or negotiate with cybercriminals, it said.

**Promoting Cyber Transparency**

It's not often that security companies reveal attacks that they experience, but Dragos said that it decided to do so as an example of how to defuse a security breach before it causes significant damage. Also, it wanted to "help de-stigmatize security events," the company wrote in the post.

Indeed, as security incidents have proven time and again, no company — not even ones that seem firmly locked down — is safe from attack, particularly with the current level of attackers' cleverness and sophistication when using social engineering tactics, according to one security expert.

In fact, the Dragos narrative "is one of the rare stories where you hear about a truly crafted social engineering attempt and a quick discovery which led to minimal damage," Roger Grimes, data-driven defense evangelist at security firm KnowBe4, wrote in an emailed statement.

The incident should drive awareness to "the very active social-engineering scams that are happening in the hiring space" in particular, he wrote. In fact, not every company is so lucky, nor defends itself so well, Grimes noted.

"There are also many stories of employers hiring fake employees who existed only to steal and scam from their employer, fake employees who actually didn't know their job and just collected paychecks until they were fired, and scams the other way where legitimate job seekers were scammed while seeking employment," he says.

**Response & Internal Mitigation Is Key During a Cyberattack**

While an investigation into the incident is ongoing, Dragos was able to prevent a more serious attack due to swift response and a layered security approach by the company, which should provide a blueprint for others, according to the post.

The company investigated alerts in its corporate security information and event management (SIEM) and blocked the compromised account, as well as activated its incident response retainer with a service provider, and engaged a third-party monitoring, detection and response (MDR) provider to manage incident-response efforts.

"Verbose system activity logs enabled the rapid triage and containment of this security event," the company said.

To avoid similar attacks in the future, the company said it has added an additional verification step to further harden its new-employee onboarding process to ensure that the technique used in the attack won't be repeated.

Moreover, since every thwarted access attempt was due to multistep access approval, Dragos also is evaluating the expansion of this strategy to other systems based on how critical they are.

**Cyber-Resilience Advice for Other Organizations**

Dragos also made some recommendations for other organizations to help avoid a similar attack scenario. The company advised that the hardening of identity and access management infrastructure and processes is ultimately a baseline linchpin for every organization looking for cyber resilience. And it's a good idea to implement separation of duties across the enterprise so no one person has full run of the environment.

Organizations also should apply the principle of least privilege to all systems and services, and implement multifactor authentication wherever possible, the company said.

Other steps for avoiding a similar employee compromise like Dragos suffered include applying explicit blocks for known bad IP addresses, and scrutinizing incoming emails for typical phishing triggers, including the email address, URL, and spelling.

Finally, organizations overall should ensure that continuous security monitoring is in place, with tested incident response playbooks ready in case an attack does occur, according to Dragos.

Dragos Employee Hacked, Revealing Ransomware, Extortion Scheme

The 2023 AT&T Cybersecurity Insights Report examines how edge use cases are evolving, how organizations are changing to deliver better business outcomes through digital first experiences, and how an integrated ecosystem can work together to put security at the core of edge computing.

Each year, we look forward to the publication of the "AT&T Cybersecurity InsightsTM Report: Edge Ecosystem," a vendor-neutral and forward-looking report. It helps us gauge where the market is going, what lies ahead, and evolving business solutions — while understanding how cybersecurity connects to the ecosystem.

**Research Methodology**

This report is a vendor-neutral thought leadership piece offering a quantitative analysis of 1,418 global professionals in security, IT, application development, and line-of-business. It includes a qualitative analysis of cybersecurity subject matter experts.

The report includes common edge use cases in seven verticals — healthcare; retail; finance; manufacturing; energy; transportation; and US state, local, and higher education (SLED) — and presents actionable advice for securing and connecting an edge ecosystem. Finally, it looks at cybersecurity and the broader edge ecosystem of networking, service providers, and top use cases.

**Embracing the Edge Computing Ecosystem**

We asked our respondents to help us define the key characteristics of edge computing. These characteristics define this new democratized version of computing with IoT devices (that are also evolving) that will process and deliver a previously unseen velocity, volume, and variety of data.

*   Edge computing relies on a distributed model of management, intelligence, and networks.
*   Applications, workloads, and hosting are closer to where data is generated and consumed.
*   It's software-defined, which can mean the dominant use of private, public, or hybrid cloud environments. This doesn't rule out on-premises environments.

**Business Is Realizing the Value of Edge Deployments**

Edge deployments and use cases are increasing because business recognizes their value. In 2023, the primary use case in each industry evolved from the previous year.     

Fifty-seven percent of survey respondents are in proof of concept, partial, or full implementation phases with their edge computing use cases.

One of the most pleasantly surprising findings is how organizations are investing in security for edge. We asked survey participants how they allocated their budgets for the primary edge use cases across four areas: strategy and planning, network, security, and applications.

The results show that security is an integral part of edge computing. This balanced investment strategy prioritizes much-needed security for ephemeral edge applications as a key component of strategic planning. Edge project budgets are nearly balanced across four key areas: 30% network, 23% overall strategy and planning, 22% security, and 22% applications.

**A Robust Partner Ecosystem Supports Edge Complexity**

Across all industries, external trusted advisers are being called upon as critical extensions of the team. During the edge project planning phase, 64% use an external partner. During the production phase, that same number increases to 71%. These findings demonstrate that organizations are seeking help because the complexity of edge demands more than a do-it-yourself approach.

A surprise finding comes in the form of the changing attack surface and changing attack sophistication. Our data shows that distributed denial-of-service (DDoS) attacks are now the top concern (when examining the data in the aggregate vs. by industry). Surprisingly, ransomware dropped to eighth place out of eight in attack type.

The qualitative analysis points to an abundance of organizational spending on ransomware prevention over the past 24 months and enthusiasm for ransomware containment. However, ransomware criminals and their attacks are relentless. Additional qualitative analysis suggests cyber adversaries may be cycling different types of attacks. This is a worthwhile issue to discuss in your organization.

**Building Resilience Is Critical for Successful Edge Integration**

Resilience is about adapting quickly to a changing situation. Together, resilience and security address risk, support business needs, and drive operational efficiency at each stage of the journey. As use cases evolve, resilience gains importance, and the competitive advantage that edge applications provide can be fine-tuned. Future evolution will involve more IoT devices, faster connectivity and networks, and holistic security tailored to hybrid environments.

Our research finds that organizations are fortifying and future-proofing their edge architectures and adding cyber resilience as a core pillar. Empirically, our research shows that as the number of edge use cases in production grows, there is a strong need and desire to increase protection for endpoints and data. For example, the use of endpoint detection and response grows by 12% as use cases go from ideation to full implementation.

**Key Takeaways**

You may not realize you've already encountered edge computing — whether through telemedicine, finding available parking places, or working in a smart building. Edge brings us to a digital-first world rich with new and exciting possibilities.

By embracing edge computing, you'll help your organization gain important and often competitive business advantages. This report is designed to help you start and further the conversation. Use it to develop a strategic plan that includes these key development areas.

*   Start developing your edge computing profile.
*   Develop an investment strategy.
*   Align resources with emerging security priorities.
*   Prepare for ongoing, dynamic response.

Download the newly released "AT&T Cybersecurity Insights Report: Edge Ecosystem" here.

**About the Author**

    

Theresa Lanowitz is a proven global influencer and speaks on trends and emerging technology poised to help today’s enterprise organizations flourish. Theresa is currently the head of cybersecurity evangelism at AT&T Business.

Prior to joining AT&T, Theresa was an industry analyst with boutique analyst firm Voke and Gartner. While at Gartner, Theresa spearheaded the application quality ecosystem, championed application security technology, and created the successful Application Development conference.

As a product manager at Borland International Software, Theresa launched the iconic Java integrated development environment, JBuilder. While at Sun Microsystems, Theresa led strategic marketing for the Jini project, a precursor to IoT (Internet of Things).

Theresa's professional career began with McDonnell Douglas where she was a software developer on the C-17 military transport plane and held a US Department of Defense Top Secret security clearance.

Theresa holds a Bachelor of Science in Computer Science from the University of Pittsburgh.

2023 AT&T Cybersecurity Insights Report: Edge Ecosystem

Two years ago, a popular ransomware-as-a-service group's source code got leaked. Now other ransomware groups are using it for their own purposes.

Over the past year, 10 different ransomware families have utilized leaked Babuk source code to develop lockers for VMware ESXi hypervisors.

Hypervisors are programs used to run multiple virtual machines (VMs) on a single server. By targeting ESXi, hackers may be able to infect multiple VMs in an enterprise environment more directly than they could through conventional means.

A few of the Babuk-based ESXi ransomwares are associated with major threat actors like Conti and REvil. And according to Alex Delamotte, senior threat researcher at SentinelOne, a majority of them have been utilized in real-world attacks in recent months.

"It looks like it's an effective model," says Delamotte, who published the new research this week. "As long as they stay profitable, hackers are going to keep using these lockers. And it does seem like they work."

**How We Got Here**

Babuk was a popular though imperfect ransomware-as-a-service (RaaS) offering, first circulated in early 2021.

In September 2021, its business model was interrupted when one of the original creators had a moment of reckoning. "One of the developers for Babuk ransomware group, a 17 year old person from Russia, has been diagnosed with Stage-4 Lung Cancer," vx-underground, a repository for malware source code, wrote in a tweet. "He has decided to leaked the ENTIRE Babuk source code for Windows, ESXI, NAS."

**Babuk As a Baseline**

Since then, threat actors have been using Babuk's various leaked tools as a baseline for crafting new malicious payloads.

For instance, in their report published May 4, researchers from Sentinel Labs identified significant overlaps between the Babuk ESXi ransomware builder and ten other ransomware families: Cylance, Dataf Locker, Lock4, Mario, Play, Rorschach, RTM Locker, XVGV, RHKRC — closely associated with the REvil group's Revix locker — and "Conti POC" — a proof of concept from the notorious and now largely defunct ransomware group.

Delamotte says Mario, Rorschach, XVGV, and Conti POC have all been utilized in attacks already, and users on Bleeping Computer forums have reported being victim to Dataf Locker and Lock4.

**Why Hackers Target ESXi**

VMware ESXi, a "bare metal" hypervisor, uses no operating system as a buffer ("bare metal"), instead interfacing directly with logic hardware. It's installed directly onto a physical server with unfettered access and control over the machine's underlying resources.

All of this is what makes ESXi a powerful platform for IT administrators and, by the same token, hackers. Bad actors can aim to hit multiple VMs running on a single virtual server, utilizing "built-in tools for the ESXi hypervisor to kill guest machines, then encrypt crucial hypervisor files," Delamotte explained in the report.

Enterprises running VMware's ESXi need to be cautious, though the fix is straightforward.

"The most important thing is to ensure that any access — especially management access, to something like an ESXi hypervisor — is very limited," Delamotte advises. "You want to have good role-based access controls and definitely MFA wherever possible on any service account."

Strict, effective access controls should be enough to insulate the vulnerable. "I don't really see any situation," she says, "where somebody can move on to this kind of server without having admin privileges."

Multiple Ransomware Groups Adapt Babuk Code to Target ESXi VMs

Awarded individuals and companies are trailblazers in third-party risk management.

**DENVER--(****BUSINESS WIRE****) --** CyberGRX, provider of the world's first and largest global risk exchange, today announced the winners of the inaugural Cyber Risk Nation Awards. These awards honor leaders who have taken control of their corporate third-party risk management (TPRM) programs, proving that it is possible to overcome the limitations of traditional risk management.

The cyber threat landscape is constantly changing, impacting risk levels and priorities at a company level and within the broader ecosystem. These honorees have implemented malleable risk management strategies that adjust to the positive—and negative—changes in cyber risk that ultimately impact business continuity, reputation, and profitability. Because of the work of these forward-thinking leaders, risk management is solidifying its position as a core business function, serving as a catalyst for new business deals, technology integrations, regulatory compliance requirements, and more.

CyberGRX is proud to recognize the following individuals and their companies for elevating their TPRM programs. The success realized as a result of their endeavors is widely recognized amongst their peers:

*   **Exchange Champion:** Jacob Luna, Director of Client Security Advocacy at ADP
*   **Modern Risk Management Leader:** Joanna Soles, Senior Director, Information Security Corp & Global Functions BISO, Third-Party Risk, PCI at PepsiCo
*   **Innovator of Data:** Nimesh Patel, Global Head of Third Party Assurance, Third Party Risk Management and Cyber Assurance Expert at Barclays
*   **Partner of the Year:** Genevieve White, Head of Security Sales at Telstra
*   **VRM Solution of the Year:** Akhila Managoli, Senior Partner Solution Architect at ServiceNow
*   **TPRM Market Mover:** Rani Urbas, Global Head of Enterprise Trust at Google Cloud
*   **Thought Leader of the Year:** David Wilson, Director, Compliance Assurance at ACI Worldwide

"The winners of the inaugural Cyber Risk Nation Awards have each challenged the status quo to explore new risk management tactics, spearheading dialogue with both internal and external stakeholders to bring innovation into their environments," said Fred Kneip, CEO, CyberGRX. "We are proud to witness the work being done by these individuals and the contributions they have made to their organizations' security programs and the larger community."

As leaders mature their risk management programs, they are increasingly leveraging cyber risk intelligence and insights into emerging threats to pinpoint control gaps where third-parties are not meeting quality standards in their own risk posture. This allows the organizations themselves to assess and take steps to ensure proper cyber defenses. Additionally, by making a standardized assessment available early on in the audit process, organizations can eliminate the need to complete over 70% of incoming security questionnaires and accelerate the sales cycle for their business. As a result, the majority of organizations realize ROI within the first year of maturing their vendor risk management program with CyberGRX.

Genevieve White, Head of Security Sales at Telstra said "Our relationship with CyberGRX helps make us a stronger business partner, through enabling us to assess and mitigate risk, and helps to deliver our customers an approach to third party risk management from procurement and onboarding to engagement."

In the coming weeks, CyberGRX will be hosting podcasts with the winners, discussing in depth the way they tackle third-party risk management at their organizations. To learn more, visit https://www.cybergrx.com/cyberrisknation.

**About CyberGRX**

CyberGRX is the world’s first and largest third-party risk Exchange, equipping organizations with unparalleled cyber risk intelligence. Powered by 13,000 attested assessments, 250,000 company profiles, data on 425 of the 500 most commonly requested vendors, and 100% standardized data, only CyberGRX provides third-party threat intelligence, predictive risk insights, outside-in scanning and scoring, and a portfolio-wide view of security gaps. As a result, cybersecurity professionals can plan appropriately, make decisions confidently, and sleep soundly. CyberGRX is trusted by leading brands around the globe and was designed with partners including Aetna, Blackstone, and MassMutual. Learn more at CyberGRX.com.

CyberGRX Announces Winners of the Inaugural Cyber Risk Nation Awards

Law enforcement will likely find it much harder to take down criminal activities on the "deepverse."

RSA CONFERENCE 2023 – San Francisco – As the metaverse takes shape over the coming years, many of the security issues afflicting cyberspace will begin to spill over into virtual space as well.

One of the biggest of these threats will be the emergence of a new "darkverse," where criminals will be able to operate with greater impunity and more dangerously than they are able to do now on the Dark Web, two researchers from Trend Micro said at an RSA Conference 2023 session in San Francisco, April 26.

The metaverse is a somewhat loosely used term to describe a virtual space where people can interact with other individuals and organizations in a computer-generated version of the physical world. Just like how massive multiplayer online games allow individuals to create digital avatars of themselves and interact with other gamers in fantasy worlds, a full-fledged metaverse will allow individuals to shop, work, socialize and do other activities in a virtual replica of the physical world.

The same phenomenon will happen in the cybercrime underground, the researchers warned. Just like the Dark Web exists on an unindexed deep Web, the darkverse will operate within an unindexed "deepverse" that law enforcement will find hard to penetrate, they noted: The space will offer a safe haven for criminal spaces, extremist spaces, purveyors of child pornography, and those seeking to harass others.

Numaan Huq and Philippe Lin, senior threat researchers at Trend Micro, were two authors of a report last year on how security and privacy threats will likely emerge and evolve in the metaverse as more people begin to use it. Among the threats they identified in the report were amplified versions of some existing issues such as social engineering, financial fraud, and privacy risks, and some new ones such as risks related to NFTs, cyber-physical threats, and more.

**A Nearly Impenetrable 'Darkverse'**

The threats are a distance away from materializing, Huq and Linn said in a conversation with Dark Reading before their talk. "But the bad guys are already talking about how to make a profit in the metaverse," cautions Lin. "If \[organizations\] just ignore the threat and don't invest in trying to address them soon, they could lose more in future," he notes.

Trend Micro itself describes the metaverse as a "cloud distributed, multi-vendor, immersive, interactive operating environment that users can access through different categories of connected device." The metaverse will leverage Web 2.0 and Web 3.0 technologies to provide an interactive layer on top of the current Internet. "As proposed, it's an open platform for working and playing inside an extended reality environment, and it will also be a communications layer for smart city devices," according to Trend Micro.

The darkverse is a space that will exist within this world that, like today's Dark Web, will offer a safe space for free speech and expression against oppressive entities and governments. It will equally be a place for illegal and criminal activities with marketplaces that cater to a wide criminal audience. 

What will make the darkverse a distinctly more dangerous place is the difficulty law enforcement entities will have in trying to infiltrate the criminal activities taking place on it, Huq says. He expects criminals will use authentication tokens to control access to their spaces on the metaverse. They could make it almost impossible for defenders to get these tokens by requiring that users be inside a designated physical location in a specific time frame to receive a token. 

Criminals could also implement location based and proximity-based restrictions for accessing metaverse spaces. Such measures could make it significantly harder for law-enforcement authorities to take these activities down, compared to sinkholing a server or blocking URLs, Huq says.

**New Technologies & Protocols Introduce New Threats**

The darkverse will be a major threat, but not the only one that organizations will need to deal with in the metaverse. Huq and Lin expect that companies over the next several years will begin leveraging the metaverse for different use cases. As one example, Huq points to an operator of critical infrastructure that might create a digital twin of an OT or ICS environment. This would allow an engineer working for that company in New York to troubleshoot and address support issues at an ICS facility in Arizona almost like that engineer was physically present at that facility, he says. Similarly, a retailer could create digital stores where customers could shop in an immersive manner like they were at a physical location.

As such use cases proliferate, so too will the threats. Huq and Lin expect that attackers will look for and find ways to infiltrate and poison these environments to spy, steal, and create other havoc. They expect some of the attacks to target the servers, endpoints, and infrastructure on which the metaverse will run, while others will target metaverse-specific elements like the headsets people will use to access the virtual world, or the objects that exist within.

Huq and Lin, like other researchers also are concerned about the massive harvesting of personal data that is almost inevitably going to happen as more people begin using the metaverse in their personal and work lives.

"The metaverse will introduce in a very short span of time, a lot of new technologies," Huq says. Users will find themselves having to constantly interact with digital objects from a Facebook metaverse, a Google metaverse, a Microsoft metaverse, and other multiple other metaverses. That means having to deal with code being transported from one environment to the other in a very fluid manner. "When you execute a radical new technology, you are definitely going to start having security issues whether cyber, or procedural."

Metaverse Version of the Dark Web Could be Nearly Impenetrable

Despite some success in limiting damage from Hive, there's no time to relax security vigilance.

The government prioritizes the takedown of certain malicious groups based on a variety of factors, including access to a threat actor's computer network(s), and the level of threat they pose to national security and public safety.

Earlier this year, the FBI announced it had taken down the infamous Hive ransomware group. This ransomware group is considered dangerous because of its attempts to extort hundreds of millions of dollars from its victims. The group was also responsible for over 80 attacks on critical infrastructure organizations in 2022, according to the FBI's "2022 Internet Crime Report."

Now with time to reflect on the details of Hive's dismantlement, what are some takeaways security professionals should know? Let's dive in:

**Learning From RaaS Groups**

By taking the time to study criminal ransomware groups' behaviors, organizations can extract information on how to avoid becoming a victim. For example, by obtaining the decryption keys of a ransomware-as-a-service (RaaS) group, the government could potentially gain insight into its operations and infrastructure — including information on funding sources, recruitment methods, and the individuals behind the group. This detail can be used to disrupt and dismantle the group's operations, as well as to identify and indict the individuals involved in the group.

To help organizations learn more about these groups and related threats, the government might consider passing some details to companies by redacting sensitive information, or by sharing information strictly on a need-to-know basis. If information is provided in a general format that doesn't reveal specific details about the group, the government could work with companies to develop and implement security measures that could protect from similar RaaS attacks in the future.

Criminal organizations and lone-wolf cybercriminals often adapt to evade detection and continue their illegal activities. There's always a possibility that the individuals behind the Hive operations eventually will reappear under a different name with alternative methods. The FBI has been seeking to identify key members of the group, disrupt their funding sources, and seize assets that would make it difficult to continue their operations. It's important to note that the fight against cybercrime is an ongoing process, and it's not always possible to eliminate a group or organization. Therefore, it's crucial for law enforcement to remain vigilant.

**Tackling the Organized Cybercriminal Requires a Multidisciplinary Approach**

But just as technologies have evolved to address specific concerns and tactics, adversaries also have evolved.

The proliferation of cloud computing and a dramatic increase in remote working means that security can't be viewed as a "nice-to-have." It's a necessary tool for protecting business interests and securing growth regardless of an organization's size.

However, even with the growing investments in cybersecurity, organizations are still falling victim to breaches via one of the most common methods: compromised credentials. Some 90% of security professionals are still struggling to detect when credentials are compromised. As a result, minimizing the risks associated with compromised credentials should be top of mind for all security leaders. Using tools such as behavioral analytics to create a baseline of normal user behavior can detect compromised credentials before professional-level cybercriminals or an amateur hacker has the chance to cause damage. Solutions with behavioral analytics baked-in also create a holistic view of incidents to uncover anomalies faster and have more accurate and repeatable steps to detect future threats.

It's important to remember that technology is only one piece of the security puzzle. Employee training is also essential, along with a meticulously curated and tested incident-response plan. This response plan should include communication with law enforcement and customers or partner organizations that could be affected by a threat actor. The partnership between private sector organizations and law enforcement was likely a key factor in the Hive takedown.

In the past few years, ransomware has frequently been in the headlines because of security teams and organizations failing to take the appropriate steps to build a formidable defense for their network. To defend against ransomware attacks, companies should invest in modern security solutions and implement advanced security awareness training programs for employees. These solutions can help them understand how to identify a suspicious link, email, or message. With a plan in place, leaders and security professionals have a step-by-step playbook to help them address incidents.

Ransomware gangs are like weeds. When one is taken down, others pop up in its place., the biggest takeaways that security professionals should learn from the government's initiatives to stop Hive are that collaboration, with the right security tools, training, and incident-response plans, are key. By taking the time to learn from RaaS groups and making the right security investments, security teams will be able to have the upper hand.

Effects of the Hive Ransomware Group Takedown

Last year, 71% of enterprise breaches were pulled off quietly, with legitimate tools, research shows.

RSA CONFERENCE 2023 – San Francisco – With little more than smart reconnaissance and existing tools, adversaries are increasingly capable of compromising an enterprise network without making any noise or leaving a trace behind.

In fact, according to CrowdStrike CEO Jeff Hurtz and president Michael Sentonas, 71% of enterprise cyberattacks in calendar year 2022 were done without malware.

At this year's RSA Conference, Hurtz and Sentonas returned to the keynote stage to walk the audience through a case study of just how easily a threat actor can not just penetrate a network but also move laterally and persist without making a ripple, illustrating in stark terms the kind of challenge cybersecurity teams face trying to detect, much less mitigate, malwareless compromises.

The legendary cybersecurity duo profiled the "Spider" cybercrime group from the stage as a perfect example of the phenomenon.

"They're very well prepared, and they are very well resourced," Sentonas explained. "And they really like to leverage existing tools; there's no need to get fancy if you can just blend in."

**Spider: Anatomy of a Malwareless Attack**

First, Spider initiates an in-depth intelligence gathering effort. Hurtz said his team was able to establish the threat actor spent more than an hour on the phone with the victim company's help desk trying to get any insights that could fuel the next phase of social engineering. 

Once they had a specific user in their sights, Spider initiates a voice call informing the user their credentials had been compromised. Victims are then sent a malicious link and prompted to enter in not just their login details, but also their multifactor authentication (MFA) data. Once the user is tricked into handing those over, Spider is off and running.

"We call that the layer A problem," Hurtz joked, about the user handing over the goods. "It's between the chair and the keyboard."

Spider then uses the Tails operating system and Evilginx2 to compromise the user's credentials to set up an AnyDesk account controlled by the cyberattackers. AnyDesk remains a popular remote desktop tool among threat actors, Hurtz added.

Spider also uses dedicated machines that hide their identity, and run their code on hardware as much as possible to avoid detection. "It could be from anywhere," Sentonas said. "It blends in because its not going to come from some crazy domain."

Other tools, like DigitalOcean Droplet, used as a virtual machine, fill out the attack chain. Ultimately, Hurtz and Sentonas explained, the Spider attack ends with the persistent actor set up with their own users on the network, free and able to exfiltrate data at will. And importantly, Sentonas noted, if the threat actor can get into the on-premises network, the cloud is likely going to sync and become compromised as well.

Importantly, Sentonas and Hurtz wanted to disabuse the audience of the notion that threat actors need full admin access to set up new users. They don't, and Sentonas showed exactly how just delegated permissions could allow him to move freely about the company's customer relationship management system, as well as add themselves as a SQL server admin.

In the past couple of quarters, CrowdStrike has been dealing with about one enterprise per week reeling from this type of malware-free cyberattack, Sentonas said.

**How to Defend Against Malware-Free Cyberattacks**

When it comes to defending the enterprise, endpoint detection and response (EDR) and other malware detection tools aren't terribly useful against malware-free cyberattacks. There's simply no malicious code to detect.

Instead, Hurtz and Sentonas urged enterprises to focus on gathering as much telemetry as possible from the endpoint to the cloud and managing identity down to the tiniest details.

But gathering all that telemetry and identity data leaves teams with vast oceans of information that's not particularly useable for threat hunting. That's where artificial intelligence (AI) and machine learning (ML) can be meaningfully deployed to look for anomalous activity, like added user accounts, to detect malicious activity, without malicious code.

It's also important to protect the enterprise MFA service from compromise, they added.

"Maintain good identity store hygiene, Sentonas said. "And protect the services you use for MFA."

Malware-Free Cyberattacks Are On the Rise; Here's How to Detect Them

The Data Security Maturity Model ditches application, network, and device silos when it comes to architecting a data security strategy.

RSA CONFERENCE 2023 – San Francisco – The coalition behind the Data Security Maturity Model has issued a second iteration of the framework, aimed at making it easier for businesses to protect data from leaks.

The coalition, created by Cyberhaven last summer, is led by Sounil Yu, CISO at JupiterOne and includes a range of security leaders from a range of companies, including Boston Scientific, Caterpillar Financial, Fleet, Flexport, Motorola Mobility, Twilio, VillageMD, and others.

During a panel at RSA Conference 2023, entitled Comprehensive Cyber Capabilities Framework: A Tech Tree for Cybersecurity, coalition members laid out a vision for the next generation of data security.

"The ability to protect any type of data across devices, applications, and cloud assets is essential if organizations are to take advantage of the power of modern collaboration and digital transformation without exposing their data to external threats, insider threats, or simple mistakes by well-intentioned users," the coalition said in a statement.

The DSMM aligns to the NIST Cybersecurity Framework and the Cyber Defense Matrix, and to enable a data-centric view, it defines five key functions:

*   **Identify & Classify:** Find and classify all data covered by the data security program.
*   **Protect:** Minimize the exposure of sensitive data by controlling how it is accessed, used, and retained.
*   **Detect:** Collect and analyze data risk to identify data-related security events or policy violations that were not stopped by the "Protect" function.
*   **Respond:** Establish immediate, short-term actions to be taken upon detection of a potential incident.
*   **Recover & Improve**: Determine actions needed to not only restore normal operations (as they pertain specifically to data), but also to build back stronger.

In its second iteration released this week, the maturity model refines each of these pillars to take into account more granular context, such as what server infrastructure is being used, how much is in the cloud, privacy regulations, how employees and others use the data, and how applications, APIs, and non-human endpoints use it, and more — in order to gain a fuller picture of an organization's data footprint.

**The Data & Digital Transformation Problem**

Richard Rushing, panelist and CISO of Motorola Mobility, tells Dark Reading that a new framework approach was needed given that, in the age of digital transformation, getting arms around all of the data being generated at any given point within an organization simply can't be accomplished by looking at protection in a siloed way. The old concept of seeing data in the context of devices, applications, or the network, needed to be traded for a focus on the data itself, wherever it goes within an organization.

"If you think about what security is enabling, it's the use of data, and ubiquitous access to it," he says. "It's necessary to connect to the network to use the data that's in the network to make better decisions for the business or make better decisions for your customers. But data is found in different places, sometimes it's at rest, and sometimes it's in transit."

He adds that the problem is — quite literally — growing, also necessitating a rethink of protection architecture.

"Data is on a logarithmic curve; for every amount of data that I have next year, it's probably 2.5 times more than the amount of data I had this year," he says. "We're data hoarders, for lack of a better term; no one wants to get rid of people's information who have signed up to websites and forums and everything else, so we have this enormous data sprawl. That, in turn, leaves behind security blind spots."

Further adding to the challenge is the fact that some data is of course more sensitive than other information, and some information doesn't need protecting at all, Rushing points out. And there's dynamism in terms of defining appropriate security levels as data ages.

He uses a product launch to illustrate his point. "With a product release, we start off with a situation where no one knows about it, everything's embargoed, and you're protecting this important intellectual property," he explains. "And the next thing you know, it's released for public consumption. And it's suddenly not top secret anymore, in fact, you want the whole world to know about it."

Rushing says that the framework is meant to tame some of this chaos, and that it can be tailored to large enterprises and small-to-midsized businesses alike. It allows organizations to focus in on a number of practice areas, too — including risk-based decision prioritization, collaboration, continuous education, risk management for vendors and third parties, compliance, being transparent, and incident response and how to recover data.

"I don't want to say it's one size fits all, but it's very close to one size fits all," he explains. "The controls are going to be different depending on the environments, but the approach is meant to be flexible enough to accommodate that."

He says that the framework is a living architecture that the coalition plans to refine and evolve over time. However, the time to make the switch to thinking about things in a data-centric kind of way should start now.

"If you don't start \[or\] you don't think about this, you're going to get hit in the next 6, 12, 18 months in some way, shape, or form," he warns. "It's not like the Internet is becoming a safer neighborhood and data is the new oil that's going to drive business and attackers alike."

Source

DARKReading