Enables enterprises to operationalize MITRE ATT&CK and build a multi-layered, threat-informed defense to eliminate gaps based on organizational risk and priorities.

**TEL-AVIV, Israel** **and** **BOSTON****,** **April 4, 2023** **/PRNewswire/ --** CardinalOps, the detection posture management company, today announced a new approach for measuring detection posture and identifying gaps using the MITRE ATT&CK framework.

As the standard framework for understanding adversary playbooks and behavior, MITRE ATT&CK now describes more than 500 techniques and sub-techniques used by threat groups such as APT28, the Lazarus Group, FIN7, and LAPSUS$.

According to ESG research, 89% of organizations currently use MITRE ATT&CK to reduce risk for security operations use cases such as determining priorities for detection engineering, applying threat intelligence to alert triage, and gaining a better understanding of adversary tactics, techniques, and procedures (TTPs).

**Why a New Coverage Metric Is Required**

Traditional MITRE ATT&CK coverage metrics and heat maps are too simplistic because they only add up the total number of detections aligned to a given technique – without measuring how much of the attack surface in your infrastructure is actually covered by all your detections.

Developed by CardinalOps, MITRE ATT&CK Security Layers dramatically extends the concept of ATT&CK coverage by measuring the "depth" of detection coverage for the first time. It does this by mapping each detection to a specific security layer – such as endpoint, network, email, cloud, containers, and IAM – and then enumerating the number of distinct layers covered for a given technique.

This enables SecOps teams to ensure they have "detection-in-depth" at multiple layers for the techniques that matter most to them.

Additionally, Security Layers enable organizations to link their coverage to desired business outcomes by immediately identifying blind spots related to crown-jewel assets such as their most sensitive applications and data. It also reveals missing telemetry and data sources that can be incorporated into their detection strategy to increase depth of coverage.

Coverage tracking using Security Layers is built into the CardinalOps automation platform, which continuously audits the rule set of existing SIEM/XDRs and groups them into their respective layers for each ATT&CK technique. The platform integrates natively with major SIEMs including Splunk, Microsoft Sentinel, IBM QRadar, Google Chronicle SIEM, CrowdStrike Falcon LogScale, and Sumo Logic.

"Security layers add context and detail to the MITRE ATT&CK framework and associated detection rules," said Jon Oltsik, distinguished analyst and fellow at the Enterprise Strategy Group. "In this way, CardinalOps can help organizations further focus their attention on detecting the tactics, techniques, and procedures (TTPs) of adversaries most likely to target their organizations. This can help reinforce security defenses in critical areas – especially for understaffed organizations lacking advanced cybersecurity skills and resources."

CardinalOps has contributed to the MITRE ATT&CK community in the past by providing new sub-techniques that were subsequently incorporated into the standard ATT&CK framework.

**How Automation Helps Operationalize MITRE ATT&CK**

Until recently, many organizations have struggled with operationalizing MITRE ATT&CK in their day-to-day operations because they had to rely on manual approaches like spreadsheets and open source tools to measure their coverage and identify blind spots.

Using automation and specialized analytics, the CardinalOps platform helps organizations continuously measure and visualize their detection posture using MITRE ATT&CK Security Layers. Coverage can be filtered based on organizational priorities such as Security Layers as well as by other key risk parameters such as APT groups or specific Tactics and Techniques.

The platform further helps eliminate coverage gaps by providing high-fidelity detections and recommendations to address missing, broken, and noisy detections.

"SecOps teams are looking for a more precise and holistic approach to measure their MITRE ATT&CK detection posture and identify gaps based on organizational priorities and desired business outcomes," said Michael Mumcuoglu, CEO and co-founder of CardinalOps. "We're proud to be helping the ATT&CK community find new and innovative ways to ensure organizations always have the right detections in place to defend against their most relevant adversaries."

**About CardinalOps**

Most security vendors pitch you on replacing your stack or adding new monitoring tools to it. CardinalOps has a more practical approach.

Founded by security experts with nation-state expertise and led by executives from leaders such as Palo Alto Networks, Microsoft Security, and IBM Security, CardinalOps is focused on maximizing the effectiveness and efficiency of your _existing_ security stack.

Using automation and MITRE ATT&CK, the CardinalOps platform continuously assesses your detection posture and eliminates coverage gaps in your existing SIEM/XDR — Splunk, Microsoft Sentinel, IBM QRadar, Google Chronicle SIEM, CrowdStrike Falcon LogScale, Sumo Logic — so you can easily implement a threat-informed defense.

What's more, it drives cost savings and greater efficiencies by recommending new ways to tune noisy and inefficient queries, reduce logging volume, and eliminate underused tools in your stack. 

Learn more at cardinalops.com.

CardinalOps Launches MITRE ATT&CK Security Layers for Measuring Detection Posture

Enhanced API defenses, granular machine learning capabilities, and new managed service offerings provide comprehensive protection across distributed environments.

**SEATTLE –** F5 (NASDAQ: FFIV) today announced new security capabilities to give customers comprehensive protection and control in managing apps and APIs across on-premises, cloud, and edge locations. Specifically, new machine learning enhancements provide F5’s cloud security portfolio with advanced API endpoint discovery, anomaly detection, telemetry, and behavioral analysis. As more transactions and customer engagements occur through digital channels such as web and mobile apps, organizations are seeking better solutions to provide secure experiences for their end users and maintain their trust. With APIs as the building blocks of modern web and mobile experiences, protecting these assets is the cornerstone of securing digital services.

F5 customers can now strengthen their security posture with a continuously improving analysis engine and unified policy enforcement. These capabilities enable secure app-to-app communications through validated and monitored APIs, thereby reducing the time security teams spend correcting false positives and accelerating time-to-deployment for new services. The enhancements, as well as new managed service offerings for enterprises and service providers, accelerate the momentum of F5 Distributed Cloud Services, introduced in 2022 and bolstered by the recent launch of multi-cloud networking solutions.

Modern organizations continue to demonstrate a clear preference for hybrid solutions. According to F5's 2023 State of Application Strategy (SOAS) Report, 85% of respondents have deployed apps and APIs in distributed environments spanning multiple public clouds, as well as on-premises and edge locations. More than 20% of respondents are deploying apps and APIs in six different environments. At the same time, security teams struggle to provide consistent protection and visibility for a rapidly expanding attack surface area. This is primarily because many contemporary Web application and API protection (WAAP) solutions rely on point products or offerings based on (and provided by) CDN vendor technologies that cannot adequately scale beyond cloud-based apps and lack the ability to be deployed on premises, in public clouds, or in other edge locations.

"Applications and APIs are the building blocks of the digital experiences through which we all work, bank, shop, access healthcare, travel, and play," said Kara Sprague, EVP and Chief Product Officer, F5. "And those experiences are only as secure as the most vulnerable app or API. With greater efficacy achieved via sophisticated profiling techniques and deployment options that span SaaS, packaged software, hardware appliances, and managed services, F5's app and API security solutions are unmatched. Today’s announcement continues our mission to radically simplify app and API security, empowering customers to accelerate digital innovation with the confidence of comprehensive protection no matter how their apps are built or where they live."

F5 offers a full suite of capabilities to provide robust protection for apps and APIs across on-premises, cloud, and edge locations. Moreover, F5's end-to-end approach to security means that threat data can be gathered and analyzed across all deployed locations, including ongoing and emerging attack campaigns detected by the F5 Threat Campaigns service. As part of a larger hardware, software, SaaS, and managed services portfolio that also provides best-in-class application delivery capabilities, F5 security solutions protect a diverse mix of distributed apps and APIs in any environment without adding further operational complexity.

****Enhanced API Security Provides Greater Protection for Modern Apps****

F5 offerings are firmly in step with organizations’ desire to deploy security capabilities in the public cloud and as-a-service. Unlike API-only point product security providers, F5 delivers API auto-discovery, policy enforcement, and anomaly detection as part of a unified WAAP service, simplifying operations and enforcement through a single console for both app and API protection. Since static signature-based controls are insufficient for protecting API endpoints due to their dynamic, evolving nature, F5 Distributed Cloud API Security utilizes optimized machine learning for automatic API discovery, threat detection, and schema enforcement. By observing normal behavior patterns across all endpoints, F5’s advanced analysis engine helps users detect anomalies and refine API schemas to improve their overall security posture. Additionally, F5 supports token identification to detect anomalous behavior accessing JWT tokens and prevent unauthorized usage.

****AI as an Essential Element of App Security****

According to F5's SOAS Report, nearly two-thirds of organizations are prioritizing the use of AI/machine learning, with security as a top use case. CISOs view such capabilities as a means to reduce the time between detection and response without compromising efficacy or requiring additional security staff. In addition to AI-based enhancements for Distributed Cloud API Security, F5 is introducing AI-driven Web application firewall (WAF) capabilities, including unique malicious user detection and mitigation capabilities that create a per-user threat score based on behavioral analysis that determines intent. This enables security operations to choose between alerting or automatic blocking to mitigate an attack that would otherwise go undetected by static signatures. With F5, all traffic is monitored and proactive defenses are applied based on malicious user behavior that can be correlated across Distributed Cloud WAAP deployments. New functionality also provides false positive suppression, making it easier to block bad traffic without accidentally blocking legitimate users, and streamlines operations by reducing the time necessary to enable specific app protections.

****Simplifying App Security through Managed Service Offerings****

Given organizations’ growing challenges in deploying consistent security across increasingly distributed infrastructures—as well as finding available personnel with the required security skillsets—F5 is expanding its managed service offerings:

*   **Distributed Cloud WAAP Managed Services** enable F5 customers to access the experience and expertise of the F5 SOC to manage WAF, bot defense, and DDoS protection. Through a shared console, customers have the ability to seamlessly move between a self-service or managed service model as the needs of their apps and approach to app security change.
*   **Distributed Cloud Managed Service Portal** enables F5 service provider partners to build and tailor their own managed service offerings based on the leading security capabilities of F5 Distributed Cloud WAAP. This approach lets partners manage Distributed Cloud WAAP on behalf of their customers without sacrificing visibility, resulting in new revenue sources and value-added services while extending the overall reach of the solution.

"The beauty of F5 is that they understand each application and provide a solution for that application," said Mhd Wail Wajih Khachfa, Chief Information Security Officer, The Department of Digital Ajman. "For us, F5 is not just a technology provider. They are a strategic partner in our journey to provide the best performance, availability, and security to our customers."

"Just as every business has different risk factors, app security will never be one size fits all," said Chris Steffen, Managing Research Director, Enterprise Management Associates. "Today's leading vendors recognize that a better approach is to provide integrated capabilities that can take advantage of unified security policies—and enhanced machine learning—across data center, cloud, hybrid, and edge deployments. F5 solutions give customers the flexibility to scale their apps and infrastructure in concert while offering leading security in any deployment context."

****Additional Resources****

*   F5's 2023 State of Application Strategy Report
*   F5 Distributed Cloud Services

****About F5****

F5 is a multi-cloud application services and security company committed to bringing a better digital world to life.​​​​​​​ F5 partners with the world’s largest, most advanced organizations to secure and optimize every app and API anywhere—on premises, in the cloud, or at the edge. F5 enables organizations to provide exceptional, secure digital experiences for their customers and continuously stay ahead of threats. For more information, go to f5.com. (NASDAQ: FFIV)

You can also follow @F5 on Twitter or visit us on LinkedIn and Facebook for more information about F5, its partners, and technologies. F5 is a trademark, service mark, or tradename of F5, Inc., in the U.S. and other countries. All other product and company names herein may be trademarks of their respective owners.

F5 Safeguards Digital Services With New AI-Powered App and API Security Capabilities

Uber gave sensitive data on drivers to a law firm representing the company in legal actions, but the data appears to not have had adequate security protections.

A law firm representing Uber Technologies has notified an unknown number of its drivers that sensitive data, including their names and Social Security numbers, has been stolen by cyberattackers.

It's the third data breach in six months for the ride-share giant.

Law firm Genova Burns LLC, based in Newark, NJ, first noticed suspicious activity at the end of January, and — after an investigation by outside specialists — discovered that its systems had been compromised and data on an undisclosed number of Uber drivers had been stolen, according to a letter published online on April 4. Uber sent the information to the law firm in connection with its legal representation, the letter stated.

Genova Burns did not explain why the law firm needed drivers' personally identifiable information (PII) and did not respond to multiple requests for comment.

"Upon learning of the event, we investigated to determine the nature and scope of the incident and secured the environment by changing all system passwords," the law firm said in the letter sent to Uber drivers. "We also notified law enforcement and are cooperating with its investigation. We will be taking additional steps to improve security and better help protect against similar incidents in the future."

Some major breaches have targeted legal firms, which typically hold very sensitive data and often do not have a dedicated information-security director. In January and February, two cybercriminal campaigns — GootLoader and SocGholish — hit six different law firms with cyberattacks. Notably, the cyberattackers behind GootLoader used search terms that refer to contracts, agreements, and other legal forms as bait in a drive-by download campaign.

By using malicious search engine optimization techniques, the attackers in that case lured potential victims to malicious sites, which then attempt to compromise the user's machine with their malware, says Keith Jarvis, a senior security researcher at Secureworks' Counter Threat Unit (CTU), who adds that it's unclear if the Uber data was specifically targeted or just caught up in such an effort.

"We do not know if this targeting is intentional or incidental, but it has been effective at ensnaring organizations in legal services," he says.

**Hackers Love to Hate Uber**

Uber has been a frequent target of hackers. The ride-sharing service provider had previously leaked information on 50,000 drivers and their license plates in May 2014, followed by a more serious breach in October 2016, when cybercriminals gained access to the private data of 57 million Uber users. In 2022, two more attacks — one through a third-party cloud provider — successfully captured sensitive data, and one resulted in the company's CISO resigning.

In the latest attack, Uber confirmed the breach, but directed questions back to its law firm.

"These drivers have been notified that their Social Security number and/or tax identification number have been potentially impacted and \[were\] offered complimentary credit monitoring and identity protection services," Uber said in a statement. "Genova Burns indicates that they are not aware of any actual or attempted misuse of the information, and confirmed that they are taking additional steps to improve security and better protect against similar incidents in the future."

The law firm first detected the attack on Jan. 31, and, following an investigation by an unnamed third-party forensics and data-security specialist, discovered that its data had been accessed and exfiltrated during the week prior to discovery.

"On March 1, 2023, we determined that information related to you \[the Uber drivers\] was contained in an impacted file, after which we notified Uber," Genova Burns stated in the letter, published by The Register. "At this time, we are unaware of any actual or attempted misuse of your information as a result of this incident."

**Legal Linchpins to Information**

Genova Burns joins a growing group of law firms that have become victims of cyberattackers. In 2021, attackers accessed systems at Campbell Conroy & O'Neill, a law firm with hundreds of major corporate clients, that included names, birthdates, driver's license numbers, Social Security numbers, passport numbers, and even medical information.

While most cybercriminals are opportunistic attackers, law firms often attract unwanted scrutiny, says Secureworks' Jarvis.

"For the minority of cybercriminal attacks where a victim is targeted, organizations with access to large amounts of third-party data, such as law firms, present a valuable target," he says. "Law firms also frequently fit the profile of small to midsized organizations with a sizable IT footprint but no dedicated security resources."

Over the past few years, nation-state groups have targeted law firms to uncover information on their clients' intellectual property and technologies in development.

Law Firm for Uber Loses Drivers' Data to Hackers in Yet Another Breach

In the height of tax-return season, a popular tax prep software service leaves a malicious JavaScript file online for weeks.

An IRS-approved software service for filing taxes electronically, eFile.com, was found to be delivering JavaScript malware just at the height of tax-return season.

eFile.com, which was used as a conduit for filing more than 66 million tax returns in 2022, was flagged by users and researchers alike. The malicious file existed on the website for weeks — named "popper.js," it was being loaded by nearly every page on the website.

Suspicions of a "hijacking" of the website first began on March 17 when a Reddit thread raised awareness of the site redirecting users to a fake "Network Error" page. Ultimately, these Reddit users were correct in their suspicions, as researchers found another file named "update.js" that had a fake SSL error message, prompting "users to download next stage payload."

The incident serves as a warning regarding the safety of tax filing services and their cybersecurity due to the highly sensitive information it involves, as well as the fact that the website was compromised for an extended period of time without being resolved.

"Tax filing services and their customers are prime targets for cybercriminals in the peak of their busiest season of the year," said Zane Bond, head of product at Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software, in an emailed statement. "What should you do when you're up against the deadline to get your taxes filed? Remain cautious and don't make rushed clicks. If you are concerned about the security of any tax filing software you're using, consider using a certified professional or the federal government's e-file site to file your taxes."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

eFile Tax Return Software Found Serving Up Malware

Customers have increased access to Akamai security experts to help protect from sophisticated cyberattacks.

**CAMBRIDGE, Mass.****,** **April 4, 2023** **/PRNewswire/ --** Akamai Technologies, Inc. (NASDAQ: AKAM), the cloud company that powers and protects life online, today introduced an updated managed security service program and premium service offerings. The new capabilities are intended to help customers protect their businesses 24x7 from the most sophisticated attacks with proactive monitoring and rapid response in the event of a cyberattack. Customers can take advantage of access to more Akamai security experts, reduced pricing, and more direct assistance. In addition, a premium version of the service is available for customers seeking personalized support and prioritized escalation paths.

An ever-widening attack surface is challenging organizations with credential stuffing and distributed denial of service (DDoS) attacks that can disrupt and take down business services. Financial services is one of the most-targeted sectors according to a recent Akamai State of the Internet report, Enemy at the Gates. The industry has seen a 257% increase in web applications and API attacks, an 81% increase in bot activity that could lead to credential stuffing, and a 22% increase in DDoS targets year-over-year.

"Businesses everywhere are struggling to defend against sophisticated cyber adversaries who are determined to create chaos and hinder business continuity. Our customers have asked for higher levels of service, which is what we're delivering with Akamai's managed security service and premium offerings," said Roger Barranco, Vice President of Support Services at Akamai. "We're partnering with our customers in a way that augments the availability of highly skilled proactive cybersecurity professionals."

**Updates to Akamai Managed Security Services**

Akamai Managed Security Services  help customers realize new benefits including:

*   **Access to** **more Akamai Experts:** Technical advisory hours with engagement managers and support delivery managers is included with no overage charges
*   **Same Price. More Value:** The basic package price of Akamai's Managed Security Service remains the same. Pricing per any additional App & API Protector with Advanced Security Management (AAP/ASM) managed policy, Bot Manager Premier (BMP) managed endpoint, and price per managed Page Integrity (PI) configuration have all been reduced
*   **More Assistance:** Off-hours configuration assistance, Akamai University seats, and quarterly customer business reviews included

More information about Akamai Managed Security Services is available on the product page.

**Security Operations Control Center (SOCC) Premium Service Features**

Akamai's premium service is designed to provide a customer-specific support experience and prioritized path to escalation. Premium service features include:

*   **Named Resources:** Customers will have 24/7 access to SOCC experts with customer-specific information to drive better outcomes and alignment
*   **Increased Communication:** Proactive communication from SOCC subject matter experts
*   **Reviews:** Regular reviews with Akamai SOCC experts to collaborate and exchange information
*   **Superior Monitoring:** Customers will have access to enhanced site monitoring and a customer-specific Security Incident and Event Management (SIEM) view in the SOCC dashboard
*   **Faster Escalations:** Customers will have immediate access to Akamai subject matter experts and a quicker escalation path to SOCC management

Akamai's SOCC Premium Service will be available for customers starting on April 6, 2023.

**About Akamai**

Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. Akamai Connected Cloud, a massively distributed edge and cloud platform, puts apps and experiences closer to users and keeps threats farther away. Learn more about Akamai's security, compute, and delivery solutions at akamai.com and akamai.com/blog, or follow Akamai Technologies on Twitter and LinkedIn.

Akamai Launches Managed Security Service Updates and New Premium Offering

The malware is one of the most sophisticated ransomwares ever seen in the wild, and marks a leap ahead for cybercrime.

What might be the fastest-ever ransomware encryption binary has been spotted in the wild, locking up systems at nearly twice the speed of the notorious LockBit 3.0 malware.

According to speed tests by Check Point Research (CPR), the new baddie on the scene, dubbed "Rorschach," can encrypt 220,000 local drive files in just four and a half minutes. For comparison, LockBit 3.0 accomplished the task in seven minutes, and it's far, far faster than the median encryption time determined in testing last year.

"What's even more noteworthy is that the Rorschach ransomware is highly customizable. By adjusting the number of encryption threads via the command line argument, it can achieve even faster times," according to CPR research issued April 4.

**A Patchwork of the Best Ransomware Techniques**

Aside from its concerning efficiency, Rorschach is notable because it contains publicly known elements cribbed from leaked source code from other ransomware strains. And interestingly, the operators behind Rorschach don't employ an alias, nor do they brand their wares — very uncommon to see in ransomware gangland where reputation matters and self-promotion is rife.

The result is a malware strain that is open to interpretation in terms of who its operators are and where it fits in the ecosystem — hence the name.

“Just as a psychological Rorschach test looks different to each person, this new type of ransomware has high levels technically distinct features taken from different ransomware families — making it special and different from other ransomware families," says Sergey Shykevich, threat intelligence group manager at CPR.

The Frankenstein aspects present in the malware include:

*   Autonomously carrying out tasks that are usually manual in ransomware strains, such as creating a domain group policy (LockBit 2.0);
*   A hybrid-cryptography scheme that is the basis of its encryption speed (Babuk);
*   Ransom notes that borrow heavily from previous ransomware families (DarkSide and Yanluowang);
*   The list of services to be stopped in Rorschach's configuration (Babuk);
*   The list of languages used to halt the malware (LockBit 2.0);
*   And, the I/O Completion Ports method of thread (LockBit 2.0).

**Rorschach's Unique Coding Elements**

However, while it's a borrower, Rorschach also adds its own special sauce to the proceedings. For instance, CPR spotted it being deployed in the US using DLL side-loading and an older version of Palo Alto Networks' (PAN) Cortex XDR Dump Service Tool — something that PAN verified.

"Palo Alto Networks has verified that Cortex XDR 7.7, and newer versions, with content update version 240, and later content updates, detect and block the ransomware," according to an advisory PAN issued in tandem with CPR's research.

It also makes use of direct syscalls to silently inject malicious code into other processes, which CPR researchers called "startling," since the technique is extremely rare in the ransomware ecosystem.

"This technique is commonly used to evade behavioral detection by advanced and sophisticated malware, and is not commonly observed in ransomware," explains Shykevich. "Implementation of such mechanisms makes it much more difficult to detect the ransomware."

Also notable: It's partially autonomous, meaning that it can worm its way through an environment without user interaction.

"It spreads itself automatically when executed on a Domain Controller (DC), while it clears the event logs of the affected machines," according to the analysis. "In addition, it’s extremely flexible, operating not only based on a built-in configuration but also on numerous optional arguments which allow it to change its behavior according to the operator’s needs."

In all, Rorschach "raises the bar for ransom attacks," according to CPR researchers.

"This is the fastest and one of the most sophisticated ransomware we’ve seen so far," Shykevich says. "It speaks to the rapidly changing nature of cyberattacks and to the need for companies to deploy a prevention-first solution that can stop Rorschach from encrypting their data.”

Mysterious 'Rorschach' Ransomware Doubles Known Encryption Speeds

Scans of the Internet find that millions of computers, virtual machines, and containers are vulnerable to one or more of the hundreds of cyberattacks currently used in the wild, despite being patchable.

More than 15 million instances of Internet-connected applications, services, and devices are vulnerable to software flaws that the US government has confirmed are being exploited by attackers in the wild.

More than 190,000 systems, for example, appear to still be vulnerable to the 8-year-old Heartbleed vulnerability (CVE-2014-0160), while nearly 6.5 million devices are vulnerable to a medium-severity flaw (CVE-2021-40438) that could be used to redirect traffic to another server. In all, millions of applications, services, and operating systems are exposed to more than 200 remotely detectable vulnerabilities from the Known Exploitable Vulnerabilities (KEV) Catalog, researchers from cybersecurity firm Rezilion stated in a report published on March 30.

The takeaway? There is a concerning lack of patching of systems known to be vulnerable to in-the-wild attacks, says Yotam Perkal, director of vulnerability research at Rezilion.

"While only a fraction of the vulnerabilities discovered end up being exploited, the vulnerabilities on the KEV Catalog _are_ being exploited, continuously, by sophisticated threat actors as well as advanced persistent threat (APT) groups," he says. "Not taking action is an invitation to get hit."

He adds, "Companies should do whatever they can to prioritize patching these vulnerabilities."

To boot, those estimates of just how many things are vulnerable out there are conservative, Perkal says, as the services affected by more than one vulnerability were counted only once.

"Given this conservative calculation approach, added to the fact that there are many CISA KEV vulnerabilities that can’t be identified with a high level of certainty (if at all) using Shodan, it is safe to assume that the actual number of vulnerable instances is much higher," he says.  

    

Vulnerabilities exploited by year of disclosure. Source: Rezilion

Typically, only a small fraction of vulnerabilities are exploited every year. In 2022, for example, more than 25,100 vulnerabilities were disclosed and assigned a Common Vulnerabilities and Exposures (CVE) identifier, according to the National Vulnerability Database. Yet only 107 of those issues are known to have been exploited, according to the Known Exploited Vulnerabilities Catalog, a list of more than 900 vulnerabilities maintained by the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA).

However, many of the KEV bugs are highly dangerous, such as the recently added vulnerability in IBM's popular Aspera Faspex file transfer stack and a bug in the ZK Java Web Framework.

**The Long Tail of Exploitation**

Using data gleaned from the KEV and information about the vulnerabilities contained in entries in the CVE databases, Rezilion researchers scanned the Internet using Shodan. They found 15 million services vulnerable to at least one exploit on the list.

Nearly 6.5 million instances of Apache HTTP Server were running a version still vulnerable to a critical sever-side request forgery (CVE-2021-40438) flaw. Another 2.1 million versions of the server were vulnerable to a separate flaw (CVE-2019-0211) that allows an attacker to escalate their privileges on the system. Despite its age, the Heartbleed flaw (CVE-2014-0160) ranked fifth on the list of most common vulnerabilities from the KEV Catalog, and the BlueKeep vulnerability from 2019 ranked ninth, with almost 52,000 instances discovered through the researchers' scans of the Internet. BlueKeep (CVE-2019-0708) is a critical remote code execution bug in the Remote Desktop Services Protocol in older and legacy versions of Windows.

Using data from threat intelligence service GreyNoise, the researchers discovered hundreds of scans on the part of threat actors searching for KEV vulnerabilities every day, making the threat very real, the company stated in its advisory.

"Failing to address these actively exploitable vulnerabilities poses a significant risk," the advisory stated. "While patching a vulnerability you know about, which is actively exploited in the wild and has a publicly available patch should be the easy part, the reality is that millions of systems remain exposed to these vulnerabilities — some even years after the vulnerability was discovered and a patch was made available."

**More Vulnerable Under the Surface**

In addition, companies are more vulnerable once an attacker gets past the perimeter. Shodan scans are limited to Internet-facing systems. Many of the flaws on the KEV list are generally only exploitable from inside a network, Perkal says.

"Some of the vulnerabilities on the CISA KEV Catalog are not vulnerabilities that exist in internet-facing applications," he says. "For example, local privilege escalation vulnerabilities are not vulnerabilities that Shodan will be able to identify."

Companies should first find which software components are affected entries on the KEV list and validate that the actual vulnerable code is part of running software. Since applications often do not use every function in an imported software library, the vulnerable code may never run. Rezilion security researcher Ofri Ouzan estimates that 85% of code with vulnerabilities is never actually run.

After that, companies can use the CISA KEV list to prioritize patching of issues. Beyond using the KEV list, other efforts are aiming to predict the likelihood of exploitation, which could help companies prioritize their effort.

15M+ Services & Apps Remain Sitting Ducks for Known Exploits

When runtime application self-protection is held to a higher standard, it can secure thousands of applications and prevent burnout in security teams.

In recent years, the application security world has seen the rise of runtime application self-protection (RASP) technology. As described by Gartner, RASP is a security technology that is integrated into an application or its runtime environment, capable of controlling and preventing real-time attacks. Unfortunately, many Web application firewall (WAF) companies saw an opportunity to leverage the term. They introduced "RASP-like" agents at the network layer, which isn't fully embracing the definition of RASP technology.

In contrast, genuine RASP technology operates at the application layer, where it has full context of the user, application logic, and domain information. This context allows a RASP to make informed decisions about the application's security and to prevent exploits before they can cause harm. As a result, a true RASP should have zero false positives and reduced latency, providing an immediate boost in performance. True RASP requires a list of immutable rules that use context to understand when a new vulnerability is introduced and act accordingly. This immutability is possible when rules are baked into the code base at the application layer and does not require any changes once deployed.

**Three Areas Where RASP Went Wrong**

**1\. The Barking Dog Problem: Most Alerts Are False Positives**

The issue with WAFs is that they work at the network layer, a lagging indicator of application execution. The resulting lack of context leads to high false-positive rates, long wait times, and poor performance, as WAFs can only guess about the nature of a vulnerability based on what they previously have been exposed to.

Imagine a guard dog in the yard barking whenever it hears a noise beyond the fence. These noises may be the approach of an intruder, but they could also be cars passing by. The guard dog cannot accurately gauge the difference, so the severity of any given noise is lost, making it impossible for the people inside the house to know which alerts are genuine and which are false positives. This scenario is essentially the capability of the standard RASP offering.

**2\. The 999 Bad Guys Problem: Only Capable of Testing a Sample**

Believe it or not, some vendors tell you to only run their security solution in production environments if you protect only a sample size. That means it pulls a sample — perhaps one in every 1,000 requests — and tests that sample while catching what happens for the next 999. Meaning, if you're a good actor, your signature will check out. But regardless of whether or not the following 999 actors have bad intentions, they will get through. This lack of consistency is all because WAF-based RASPs can't handle the performance requirements of having to test every request.

**3\. The "It Takes Too Long" Problem: Latency Affects Performance**

Any time you have a WAF-based RASP, you experience increased latency, since it cannot influence the application's code base in any way. Meanwhile, widely available RASPs have to send entire text payloads to their Web analyzer and then wait for it to be sent back, which can take a long time. And if your customers are waiting on payments to go through, they might give up and seek out your competitors instead.

Improving this process is similar to code optimization. When creating a list, developers set it up to add new items to the beginning of a list instead of the end. This optimization prevents the VM from rebuilding the entire list each time a new item is added, preventing increasing latency as the list grows. Compiler engineers addressed these issues by implementing just-in-time (JIT) compiling in the early 2000s, which automatically optimizes code based on the nuances of the given language.

**Why Has the Definition of RASP Been So Watered Down?**

Developing RASP technology requires a combination of security engineering and software engineering skills. To be effective, the RASP developer must deeply understand the application's architecture and the nuances of the programming language being used. This requires domain expertise that is rare among security professionals.

**True RASP Optimizes Code for Performance as Well as Security**

Because most RASP platforms behave like WAFs, there's a massive overhead involved, which requires running them in sample mode. In contrast, a genuine RASP performs the actual protection in the runtime.

These operations exist in memory, which is very efficient, and because this exists in the same space as your applications, they're very performant. By performing the protection in the runtime, there's no need to rate limit or perform protection in sample sizes because the actual operation takes just a few milliseconds.

Regardless of any changes made to the application, high-performance security remains constant. This philosophy aligns with the philosophy of infrastructure-as-code, in which you define the desired state of your infrastructure, and no matter what happens in the environment, the state of the infrastructure remains the same.

RASP, by definition, parallels many principles of infrastructure-as-code. This parallel is possible due to the deep contextual awareness of the application and the language in which it's built. Like infrastructure-as-code, a genuine approach to RASP can and should make use of immutability to ensure that rules are applied regardless of changes to the codebase.

Immutability is possible by performing a check on the output of a function the first time it's called and switching out any unhealthy functionality with protected functionality, ensuring that the application is always healthy as it runs.

This approach allows security to be deployment agnostic and doesn't require code changes to the application code, tuning, or waiting for deployment windows.

By performing protection in the runtime, patching results with immediate protection on all running instances of the application, one eliminates the need for constant false positives and removes the risk of future exploits.

**RASP Can and Should Be Held to a Higher Standard**

In short, RASP should be held to a higher standard. When done so, it's possible to secure thousands of applications, lowering the total cost of ownership of your WAFs and helping prevent burnout in your security teams.

What RASP Should Have Been

Cybersecurity startups face pressure during this economic uncertainty, but strategic investors can help them succeed in providing tech that defends against cyberattacks.

Economic uncertainty puts enormous pressure on cybersecurity startups already struggling to break into a crowded market. It's bad news for both these nascent companies and their potential customers: As cyberattacks grow more prevalent, the need for innovative solutions from startups is greater than ever.

How can these up-and-coming businesses navigate the storm?

**Doing More With Less**

Tough economic times force nearly all organizations to tighten budgets and do more with less, and cybersecurity isn't immune to these pressures. However, with pressure comes opportunity — the opportunity to partner with strategic investors, which can build value that will serve as the foundation for your startup's future success. A strategic investor, usually a larger company in the same industry, will choose a partnership because of their strategic interest in that business. Beyond capital, they provide guidance on how the startup can grow and evolve in the cybersecurity market.

This guidance comes from subject matter experts who have been through their own business challenges and downturns in the security space, and can share advice based on their experiences in unfavorable market conditions. Strategic investors may also provide go-to-market enablement and/or validate a security startup's capabilities at a time when customers are generally more risk-averse. Cybersecurity startups with low-friction deployment models can capitalize on the real estate of strategic investors to expand their sales pipeline, as direct sales opportunities become sparser in a tough economic climate.

**Seeking the Right Strategic Investor**

The capital and guidance of a strategic investor can make a substantial difference in growing a cybersecurity startup. However, it's imperative you choose the right strategic investor that aligns with your company's values and goals. Where does your business need help? Which strategic investors have the resources and expertise to provide it? What vision do you have for your technology and how it will help solve customers' problems in today's evolving threat landscape?

Education is the first step in this process. Strategic investors have a wealth of public information available that can help startups develop their pitch. You should evaluate the materials provided across investor relations pages, security product briefs, conference presentations, partnership and marketplace pages, and security industry analyst coverage. These resources can help ascertain whether a strategic investor will be a good fit.

**Questions to Evaluate Best Fit**

To help evaluate candidates, ask yourself the following questions:

*   Is this strategic investor a cybersecurity market leader?
*   Do they have the customer base, mindshare within the ideal buyer persona, and technology to warrant investment in a deep partnership?
*   Where is this strategic investor going? Does my startup's product complement theirs, or is it likely to be competitive in the near term?
*   Who else are they working with? Are they strategically aligned with my company's competitors in the security space?
*   Do they have any experience working or partnering with other cybersecurity companies?
*   Does this strategic investor have a gap in their security platform that my company's product is uniquely positioned to help them solve?
*   How is their platform built? Do they have the right architecture to enable seamless integration?
*   Does my company have shared customers that could validate the impact of an integration in the near future?
*   Who has this company invested in previously? Is there a healthy cadence of partnerships or are they more "one-off" in nature? Is there market evidence indicating value that goes beyond a press release?

**Is a Good Strategic Investor Also a Good Strategic Partner?**

Partnering with a strategic investor is different from working with a venture capital firm or angel investor. It's important you not only find the right strategic investor but the right technology partner for your cybersecurity business.

With the information you've collected and your answers to the above questions, you're well-prepared for a conversation with a potential strategic investor to review the technical aspects of your partnership. During this time, you can discuss integration hypotheses and seek feedback. Consider asking these questions:

*   How long does an integration typically take to build and go live?
*   How can we announce the partnership and maximize market impact?
*   What resources do you have in place to help accelerate go-to-market?

If their feedback is positive and there is a clear strategic fit, most strategic investors can provide non-production access to their platform with prepopulated data and documentation to scope potential integration anchor points. From here, you can evolve the partnership pitch and ask to be connected with the company's product management team to get buy-in from the correct stakeholders.

As part of this process, you may consider providing incentives to drive go-to-market prioritization. Determine the typical revenue share structure within your partnership agreements, and see if there's an opportunity to provide a more competitive revenue share based on your gross margin structure and the number of potential customers through the strategic investor.

**Strive for Mutually Beneficial Goals**

The value of your strategic partnership will depend on efforts from both your company and the strategic investor. Bi-directional effort fuels long-term stability. You should work with your partner to create 6-to-12-month, integration, and go-to-market plans, and establish mutually beneficial goals at the outset of the investment. Prioritize your relationship, meet regularly, and monitor your progress toward these goals.

Economic uncertainty is tough for cybersecurity startups, but you don't have to weather the storm alone. Strategic investors are invaluable for helping these startups succeed and provide much-needed technology to organizations defending against cyberattacks.

How Strategic Investors Can Help Cybersecurity Startups

Have you ever wondered how they design blue team exercises? One ransomware and cyber extortion simulation demonstrates the best practices.

It's Monday morning, 8 a.m. You walk into the office and, on your computer screen, you witness something you've only ever experienced in your nightmares.

"Boom! Your organization is hit with a ransomware attack," Sherri Davidoff, CEO of LMG Security, says in a first-look for Dark Reading of a planned tabletop exercise at the upcoming RSA Conference 2023. "All systems are down. What do you do?"

Hopefully, you know what to do thanks to practice runs for such scenarios, in the form of tabletop exercises that workshop incident response for various scenarios.

Creating such an exercise is an undertaking, but it's worthwhile to prepare security professionals for the challenges they'll one day inevitably face. "It's just like Red Cross CPR classes," Davidoff says. "Training your first responders matters."

On April 24, from 8:30 to 10:30 a.m. PT, Davidoff and Matt Durrin, director of training and research for LMG Security, will be hosting a tabletop exercise on ransomware and cyber extortion at RSA Conference 2023. The event will throw participants into a maelstrom inspired by real-life ransomware attacks and challenge them to evade the traps endemic to enterprise incident response.

**Designing a Tabletop Exercise**

"The big thing that we want to shoot for in these tabletops is as much realism as we can possibly get," Durrin says.

But realism is difficult to simulate. Davidoff jokes about how "we tried using ChatGPT to run a tabletop exercise," and it didn't turn out so well. "It's like: 'I am the facilitator,' and starts walking you through the steps. But it's very boring. It doesn't give you any curveballs."

Simulating realism, ironically, requires a good deal of showmanship: storytelling, audio and visual materials, and a certain creativity to generate the chaos and unpredictability you'd find in a cyberattack in real life. But little of this theater is completely made-up.

"We try to leverage the experience that we've gained over the years of actually dealing with these attacks in the wild," Durrin notes, "so we have elements that are in line with what a modern ransomware attack would look like."

For RSAC 2023, they chose to model their simulation after a classic LockBit attack. "First thing in the morning on a Monday morning you walk in and your network is completely offline," Durrin explains. "There are ransom notes on your desktop. They're telling you that your files have been encrypted. They might have broken into your printer and exhausted every piece of paper that you have, printing off copies of the ransom note."

All local data is encrypted and internal systems unrecoverable. The price to recover is $2.5 million, which will double after 48 hours.

Source: Trend Micro

Panic sets in. "How do we identify where we need to look for additional malware?" Durrin continues. "How do we figure out how long they've been in the network? And then what kind of changes do we need to make to our plan?" Participants perform triage, distribute tasks among group members, and gather evidence, in a scramble to contain the damage.

Any sense of control is erased, though, when more bad news arrives: The hackers have already exfiltrated data. A double extortion, one of a few curveballs the hackers will lob over the fence by the end of the campaign.

"This is where things get kind of scary, especially for the more executive audiences," Durrin says. "When we start talking about public exposure and reputational damage, that really gets them on the hook, and it leads to a good discussion between the technical and nontechnical people. There's so much interplay between those two groups during an attack."

**Do Tabletop Exercises Actually Help IRL Security?**

Multiple extortions may be a lot to fit into a two-hour event. But Davidoff and Durrin emphasize how a full 80% of ransomware victims experience double dipping, 68% within a month of their first breach.

Remarkably, 40% of ransomware victims pay two times, 10% pay _three_ times, and 1% actually pay _four ransoms_ to their attackers.

"That's part of why a tabletop is so important," Davidoff says. "You're actually walking through these issues, and everyone from frontline responders to executives are learning. Because a lot of times your frontline responders will be getting pressure from executives to restore as soon as possible, so they skip steps, and then the attackers get back in, and you have a worse problem. And they usually charge a higher amount the second time."

Enterprises that run these kinds of simulations tend to avoid those mistakes. "We've actually been able to see how those changes that we've made and tested inside of an incident response plan have benefited organizations in a very tangible and real sense," Durrin says, "in the speed of recovery, the quality of recovery and how the organization is actually able to get back on their feet after suffering from an incident."

The difference can be found in the bottom line. According to the IBM Cost of a Data Breach Report 2022, organizations with rigorously tested incident response plans save an average of more than $2.5 million over those without plans. So tabletop exercises aren't just a fun team-building activity.

"Those first few minutes and hours after an incident are absolutely critical," Davidoff says. "Everyone should make sure they're prepared."

Source

DARKReading