The company behind digital storage brand SanDisk says its systems were compromised on March 26.

Business operations for Western Digital, a data storage hardware provider, have been disrupted due to a recent systems breach that the company said occurred on March 26.

Western Digital Corporation is behind the personal and professional-grade data storage brands SanDisk, WD, and WD\_Black, which collectively offer a range of devices, including external drives, internal hard drives, flash drives, and more.

Western Digital has released a statement announcing that an unauthorized third party was able to compromise its systems, that the incident is ongoing, and the internal investigations are being coordinated with law enforcement.

The company added that some system data was compromised, but assessments about exactly what was accessed are underway, the Western Digital breach disclosure statement explained.

"Western Digital is actively working to restore impacted infrastructure and services," the statement read. "Based on the investigation to date, the company believes the unauthorized party obtained certain data from its systems and is working to understand the nature and scope of that data."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Data Breach Strikes Western Digital

Whether protecting a financial institution or a hospital, everyone needs an effective strategy for fending off slippery threats like those that hide in memory.

Advanced threats are now more accessible than ever. On the Dark Web you can buy or rent zero-day attacks, fileless malware, supply chain compromises, and malware that targets device memory processes.

In 2021, memory compromise was the most common of the top five MITRE attack techniques, and the number of fileless attacks increased by over 900%. The number of zero-days seen in the wild more than doubled from 2020, according to Google's Project Zero. In 2022 data breaches were just 60 short of the all-time record of 1,862 breaches, set in 2021. There was a notable dip in data breach volumes during the first half of 2022, likely because Russia-based cybercriminals were too distracted or preoccupied by the invasion of Ukraine, along with volatility in the cryptocurrency market.

Advanced cyberattacks against well-defended networks have resulted in crippled oil pipelines, school systems, and even entire countries. And we will never know how many successful attacks on major enterprises occurred that never went public.

**Threats Hide in Memory to Avoid Detection**

Detection technologies are essential defenses in any IT environment. They include next-generation antivirus (NGAV), endpoint protection platform (EPP), endpoint detection and response/extended detection and response (EDR/XDR), and managed detection and response (MDR). But the most advanced threats and new variants of existing threats are specifically designed to evade these tools, usually by hiding in memory.

Scanners try to identify malware and malicious activity by looking at known signatures. But even if you have multiple layers of security technologies, these scanners cannot see threats that don't have recognizable signatures, are fileless, or exist in memory, which is impossible to scan effectively at runtime. After all, if you don't know what to look for and can't see your environment in real time, you can't find what you can't see.

Memory is a major vulnerability in modern cybersecurity because standard cybersecurity tools can't find stealthy, unknown, and evasive threats in memory — certainly not fast enough to stop attacks. As a result, security teams end up one step behind threat actors.

**The Memory Security Gap Is Growing**

Threat actors are targeting memory because it's the best place to persist on a device while remaining invisible. This is because runtime memory is such a big space that it's basically impossible to scan without massively degrading performance, leaving it mostly undefended by security controls.

To avoid compromising performance, detection-based solutions like EDR must look at memory selectively. They depend on picking specific times and spaces in memory to scan and looking for certain indicators, such as the recently released Cobalt Strike Yara rules.

Because threats can hide in a vast space and be reconfigured to avoid triggering rulesets, scanning solutions miss evasive threats almost all the time.

In a device's run-time memory environment, threats can steal credentials, hijack legitimate processes, and even turn a low-privileged user into a system administrator.

For example, malicious versions of the pen-testing framework Cobalt Strike enable threat actors to deploy a loader in the memory of a legitimate application, such as PowerShell. This means the threat exists purely in the memory environment while an application is running.

**Adding Memory Defenses**

The only way to reliably prevent compromise by advanced threats is to deploy a layered security posture that makes attackers' lives difficult. This means building secure networks, hardening systems, and deploying security technologies like EDR, EPP, and AV to spot malicious behavior and keep security teams informed about network activity. Security teams also need to consider solutions that protect memory by denying access to untrusted actors.

One way to protect memory is by using moving target defense technology to randomize the run-time memory environment so attackers can't find what they're looking for, breaking their attack chain. Instead of a static, known target environment, an attacker faces a dynamic memory environment containing decoy traps that capture unauthorized activity for forensic analysis.

As advanced threats become more common, layered security that incorporates memory defense is becoming essential. Without it, there is no effective way to stop threats targeting device memory.

How Good Is Your Advanced Threat Management?

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

We provide the cartoon. You write a witty cybersecurity-related caption to explain the scene above. Our favorite will win a $25 Amazon gift card.

The contest ends on April 26, 2023. Here are four convenient ways to submit your ideas:

*   Email _\[email protected\]_ with the subject line "The Edge April 2023 Toon."
*   Via social media: Twitter, Facebook, and LinkedIn.

**Last Month's Winner**

Congratulations, Mark Phinick! HCL Software's global VP of BigFix sales snagged first place for March's "Domino Effect" contest. His caption appears below.

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Edge Toon: Tower of Babble

If companies prioritize communications and make the DevOps process more transparent, team members will better know what vulnerabilities to look for.

Customer satisfaction is today's business battleground. The winners are the companies that deliver the best, highest-functioning software and applications in the shortest amount of time.

ChatGPT is the latest example of a winning app. In just a few months, the tool has reached 100 million users, making it the fastest-growing consumer application ever. Its success has also set off an artificial intelligence (AI) apps arms race, with competitors, including Google, emerging to grab market share as fast as possible. This race illustrates the ongoing struggle companies face to quickly develop high-performing software and applications that are also highly secure. This is a delicate balance in today's environment, where trading security for speed could lead to disastrous consequences.

**Security-Speed Balance**

One method that companies are embracing to strike this balance is implementing the "shift left." The shift left in this context refers to moving practices related to testing software as early in the development process as possible. By embracing the shift left, technology teams — specifically DevOps teams — can identify bugs, errors, and vulnerabilities early on and resolve them, resulting in high-performing, highly secure software, and applications.

Here are four steps DevOps teams can take to embrace the shift left, improve application performance, reduce vulnerabilities, and win the security battle.

**Step 1: Define the Security Strategy**

No army worth its salt heads into the field without a detailed map of the terrain, information on adversaries, and a hierarchy in place with responsibilities for every rank. The same should be true of any DevOps unit shifting left.

Companies should take the time to identify who will be in charge of what responsibilities, determine metrics for success, and formalize procedures. DevOps leaders should build appropriately staffed teams, implement processes that maximize security, and determine what kind of tests they will run and how often they will run them. Businesses should also identify and prepare for specific known vulnerabilities that could lead to issues.

Shifting left involves developing a new set of principles for software delivery and security; thus, planning and defining the strategy is very important.

**Step 2: Understand the Development Pipeline and Deployment Process**

As companies shift left, it's critical to have a thorough understanding of the software development pipeline and the deployment process.

This pipeline is the set of tools and processes in place to build and release software and applications. Once this analysis and understanding is complete, DevOps teams can begin carrying out tests in the build pipelines, checking code validity within development environments, and much more.

One solution that is helping DevOps teams map and understand their pipelines and embrace the shift left is observability. With observability, teams can help teams get a single-pane-of-glass view across applications, databases, and infrastructures that can be key to understanding application performance, user experience, and the overall environment required for modern application architecture. Some observability solutions even offer live code profiling that automatically sees potential user issues or performance bottlenecks before code is shipped.

**Step 3: Include Security Automation**

In enterprise technology, software teams have turned to automation to streamline testing for multiple reasons. First, manually testing software can introduce human error. Second, the shift left requires companies to test software as early and often as possible. And while these principles are meant to create more secure, better-performing products, this high volume of testing can also result in overloaded teams, requiring DevOps to manually evaluate every new feature the development team introduces.

To avoid this scenario, DevOps teams should use tools that automate running tests. Doing so will help reduce the stress placed on DevOps teams while also providing faster feedback related to any vulnerabilities that may be found in software code. Generally, automating tests in the development cycle allows organizations to increase the speed with which a product is completed while ensuring that fewer bugs or vulnerabilities are found later.

**Step 4: Build a Culture of Transparency**

While automation and modern technology can contribute significantly to an organization's success, a more human process and trait plays an equally important role — communication and transparency.

One of the key principles behind DevOps is narrowing the divide between development and production. Increasing communication and transparency across the product and software development life cycle can help narrow this divide. As it relates to the shift left, involving the appropriate team members as early as possible and during every step in the process is key to increasing transparency.

By prioritizing communication and adding transparency to the process wherever possible, team members will better understand how to test, what vulnerabilities to look for, and how to make software and applications more secure, better performing, and more resilient.

4 Steps for Shifting Left & Winning the Cybersecurity Battle

Launching CSPM, container workload security, and cloud vulnerability management to modernize cloud security operations.

**MOUNTAIN VIEW, Calif.--(****BUSINESS WIRE****)--** Elastic (NYSE: ESTC) (“Elastic”), the company behind Elasticsearch, today announced expanded capabilities for Elastic Security including Cloud Security Posture Management (CSPM) for AWS, container workload security, and cloud vulnerability management. Building on the previously released Kubernetes security posture management (KSPM) and Cloud Workload Protection Platform (CWPP) capabilities, Elastic now delivers a comprehensive security analytics solution that includes complete Cloud Native Application Protection for AWS.

According to Gartner, more than 85% of organizations are moving to a cloud-first model and 95% of new digital workloads are being deployed on cloud-native platforms. However, 99% of cloud failures will be the customer’s fault due to mistakes like cloud misconfigurations. Research from Elastic Security Labs found that nearly 1 in 3 (33%) attacks in the cloud leverage credential access, indicating that users often overestimate the security of their cloud environments and fail to configure and protect them adequately.

“Many companies have a fragmented approach to cloud security, as security and devops teams pivot between multiple dashboards,” said **Ken Buckler, Research Analyst - Security and Risk Management, Enterprise Management Associates.** “Unified visibility across all cloud resources, as well as on-premises systems, is critical to quickly identify and stop security threats at scale, especially when attackers repeatedly cross boundaries between cloud and on-premise in attempts to evade detection. With Elastic Security, organizations can streamline their cloud security operations by establishing real-time, unified visibility across their environments in a single interface.”

Elastic’s comprehensive suite of cloud security capabilities includes:

*   **Cloud Workload Protection** (generally available) — Expands on existing runtime security for traditional endpoints, enabling cloud security teams to gain deep visibility into the entire runtime workload including standalone Linux workloads, virtual machines, and infrastructure hosted in AWS, Google Cloud, and Microsoft Azure.
*   **Container Workload Protection** (beta) — Provides cloud security teams deep visibility into container workloads in managed Kubernetes environments with pre-execution runtime analysis for workloads running in Amazon EKS, GKE, and AKS environments.
*   **Cloud Security Posture Management** (beta) — Enables cloud security teams to continuously detect and remediate misconfigurations across workloads in AWS and Amazon EKS in real-time with Center for Information Security (CIS) benchmark controls, out-of-the-box integrations, and posture management dashboards and reports.
*   **Cloud Vulnerability Management** (beta) — Uncovers cloud-native vulnerabilities in AWS EC2 workloads with minimal resource utilization on workloads and enumerating vulnerabilities with risk context to help cloud security teams identify and respond to potential risk.

“Elastic Security is a unified security solution offering SIEM, endpoint, and cloud security capabilities—rooted in data management and analytics—that enables customers to protect, investigate and respond to threats across their entire infrastructure,” said **Santosh Krishnan, General Manager of Elastic Security, Elastic**. “The expansion of Elastic Security’s comprehensive cloud security capabilities provides organizations with the power they need to modernize their cloud security operations, improve attack surface visibility, reduce vendor complexity, and accelerate remediation.”

For more information, read the blog.

Gartner Press Release, "Gartner Says Cloud Will Be the Centerpiece of New Digital Experiences," November 10, 2021.

**About Elastic:**

Elastic (NYSE: ESTC) is a leading platform for search-powered solutions. We help organizations, their employees, and their customers accelerate the results that matter. With solutions in Enterprise Search, Observability, and Security, we enhance customer and employee search experiences, keep mission-critical applications running smoothly, and protect against cyber threats. Delivered wherever data lives, in one cloud, across multiple clouds, or on-premise, Elastic enables 19,900+ customers and more than half of the Fortune 500, to achieve new levels of success at scale and on a single platform. Learn more at elastic.co.

The release and timing of any features or functionality described in this document remain at Elastic’s sole discretion. Any features or functionality not currently available may not be delivered on time or at all.

_Elastic_ and associated marks are trademarks or registered trademarks of Elastic N.V. and its subsidiaries. All other company and product names may be trademarks of their respective owners.

Elastic Expands Cloud Security Capabilities for AWS

The physical and cyber safety issues surrounding medical devices like IV pumps is finally being meaningfully addressed by a new policy taking effect this week.

The Food and Drug Administration (FDA) this week put into effect fresh guidance concerning the cybersecurity of medical devices — long a concerning area of risk for healthcare organizations and patients alike. The policy is one in a long line of attempts by the FDA to put some guardrails around the susceptibility of things like insulin pumps and heart monitors to hacking, and experts say that this time, the FDA's move might actually make a difference.

Effective immediately, medical device manufacturers are advised to submit "a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities, and exploits."

Manufacturers are also asked to "design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure." This includes making patches available "on a reasonably justified regular cycle," and for newfound critical vulnerabilities, "as soon as possible out of cycle."

And finally, the FDA is asking that new devices come prepared with a software bill of materials (SBOM).

For some, FDA guidance may evoke memories of prior actions that failed to improve cybersecurity in this critical area in any real way. But experts say this long road has finally reached a real, genuine inflection point. Starting now, new medical devices that don't meet these standards will be blocked from the market.

"It's actually been a process that's taken place over approximately the last 10 years," says Cybellum CMO David Leichner. "And it came to fruition two days ago."

**Medical Devices in Cyber-Crisis**

Medical device security has been an alarmingly lagging area for cybersecurity for a very long time, and there's a laundry list of reasons why. Healthcare facilities often use legacy IT and have flat networks that aren't segmented, for instance — even as medical devices for patients are increasingly connected. And security by design isn't common.

"A medical device manufacturer may be very experienced in designing highly reliable and innovative devices, but they may not necessarily be security experts," explains Axel Wirth, chief security strategist at MedCrypt.

In fact, the most cutting-edge medical equipment sometimes introduces new security problems that the old stuff never had. Internet connectivity brings a slew of benefits to providers, but also opportunities for hackers. In the State of Healthcare IoT Device Security 2022 report, healthcare IoT firm Cynerio found that more than half of all connected medical devices are vulnerable, including, for example, nearly three out of every four IV pumps.

Thus, cybercriminals can easily break in and run rampant across a hospital network, reaching whatever endpoints they choose, including these life-saving devices. This could have potential physical consequences for patients if a device is vulnerable to takeover by an unauthorized user. The risk isn't theoretical: A September 2022 report by Proofpoint's Ponemon Institute linked a 20% increase in mortality rates to cyberattacks targeting healthcare organizations.

This is all exacerbated by the fact that when bugs are discovered, device manufacturers have a terrible track record of issuing patches in a timely manner (as is the case for most IoT gear), and healthcare settings have an even more terrible track record of implementing them.

"One reason \[for the insecurity\] is that these devices live longer," Wirth points out. Because they're designed to last a while — which is otherwise a positive thing — "they may be outdated or running outdated software, and any operational technology (OT) that is not necessarily up to date is more difficult to maintain. It's more difficult to deploy patches; it's more difficult to find time during hospital operations to update the device."

Considering the ubiquity of security failures in the industry, coupled with the massive consequences at stake in the event of a breach, many have urged the government to do more than offer "suggestions" for addressing the problems.

**The FDA's New Teeth**

On Dec. 29, President Biden signed into law the Consolidated Appropriations Act, also known as the Omnibus bill, which included Section 3305 — "Ensuring cybersecurity of medical devices" — an amendment to the Federal Food, Drug, and Cosmetic Act. It took effect on Thursday, 90 days after the Omnibus' passing.

So what happens now? It takes time for manufacturers to change their processes and for new products to integrate new rules and regulations (to say nothing of how healthcare, in general, moves more slowly than other industries, by necessity). The FDA has arranged for a six-month window — until Oct. 1 — for manufacturers to get used to the new rules of the road.

From now until then, the FDA will "work collaboratively" with manufacturers to ensure compliance, the agency clarified in an accompanying notice. Once Oct. 1 hits, "FDA expects that sponsors of such cyber devices will have had sufficient time to prepare." At that point, they will begin issuing "refuse to accept" (RTA) decisions to prevent any devices that don't meet the stated standards from reaching the market.

"Manufacturers are asking: 'When does this hit us?,'" Naomi Schwartz, MedCrypt's senior director of cybersecurity quality and safety, explains. "And the FDA is clarifying: 'We're not going to start refusing to accept until October, so that you have time to update all of your documentation and relieve a little bit of pressure and fear. But no kidding, you guys better get your stuff ready in the next six months, because it's coming.'"

What remains to be seen is how the FDA will enforce its rules after a device is released to the public. Preventing a machine from reaching hospitals is one thing, but ensuring that vendors meet so many of the other requirements outlined in these guidelines — like regular monitoring, consistent patching, and responsible vulnerability disclosure — requires never-ending oversight.

"This is definitely going to increase the overhead of the FDA," Cybellum's Leichner figures. "It'll be interesting to see how they go about this."

**The Timeline for Real, Visible Change**

Even once manufacturers start turning out gear that's in compliance with the policy, an overhaul of healthcare device cybersecurity will take a while.

"Medical devices can be very pricey," Wirth points out, "and replacing medical devices in hospitals requires budget, requires training. Sometimes it requires even changes in building and infrastructure. So it'll take a number of years." Section 3305 assigns no deadline for healthcare providers to replace their existing legacy equipment.

Still, he says, "I think we are already seeing better secure devices arrive in the market," especially since the US isn't the only place to start demanding security hardening of the devices.

Even though the FDA's policy might take a while to bear real fruit (and it's too soon to know for certain), we may look back on 2023 as a watershed for the industry.

"This is going to help FDA staff, it's going to help the industry, it's going to motivate people to stop kicking the can down the road and start buckling down now," MedCrypt’s Schwartz concludes. "It's pretty cool."

The FDA's Medical Device Cybersecurity Overhaul Has Real Teeth, Experts Say

The State of Email Security Report reveals cyber risk commands the C-suite's focus.

**DUBAI****, UAE****,** **March 31, 2023** **/PRNewswire/ --** Mimecast, an advanced email and collaboration security company, today announced the publication of its annual "The State of Email Security 2023" (SOES) report. The global survey is based on responses from 1,700 IT and security decision-makers, providing readers with key takeaways on the current threat landscape and offering recommendations to help organizations improve their cybersecurity posture.

Download the full report – Mimecast's "The State of Email Security 2023"

The global report sheds light on the threats affecting companies across the globe, including the United Arab Emiratesand Saudi Arabia. Ninety four of respondents from the UAE and 100% from Saudi Arabia  reported to have been targeted by emailed-based phishing attacks in the last year, but they all said that they either have a system to monitor and protect against email-borne threats or are actively planning to roll one out.

**Highlights From This Year's Report** 

**Cyber awareness in the C-suite –** As cyberattacks continue to become more sophisticated, business leaders in the region have shown greater willingness to confront the risks involved and invest in proper measures to keep cyberattacks at bay. On average, 95% of companies in the UAE and Saudi Arabia reported needing stronger protection for their Microsoft 365 and Google Workspace applications, while 61% said their company needs to spend more on cybersecurity. However, all companies reported some form of cyber awareness training at their workplace, thus indicating a greater alertness to future attacks. With the increased focus on cyber preparedness by the C-suite, CISOs feel more empowered to articulate their requirements and implement strategies and tactics that will make their organization more secure.  

**Collaboration tools, essential but risky –** With workforces still divided between the office and remote locations, collaboration tools remain an essential yet risky part of communicating with team members. Eighty four percent of SOES participants in UAE and as many as 94% in Saudi Arabia agree that collaboration tools like Microsoft Teams or Slack are essential to their working function, but 82% from both countries expect to be harmed in 2023 by a collaboration-tool-based attack. The sharp increase in the use of these tools puts it directly in the minds of CISOs to ensure that adequate security measures are put in place for them to continue working protected while using them.

**Improved cyber preparedness –** There is a growing realization that cyber risk isn't just an IT problem — it's a critical vulnerability that directly equates to overall business risk. As such, organizations are taking the necessary measures to prepare for impending attacks.   Half are using artificial intelligence and machine learning to help under-resourced teams stay ahead of the curve, while the other half have plans to implement such measures. The use of AI tools will undoubtedly help under-resourced cybersecurity teams stay ahead of attacks and manage threats accordingly. Sixty four percent of Saudi Arabian respondents cited threat prevention as the top benefit of implementing AI, while 54% of organisations in UAE said reduced human error across the company was the biggest advantage. Overall, most companies believe that AI systems will help revolutionize the ways in which cybersecurity is practiced.

"Supply chain vulnerabilities, the rise of online collaboration and the growth of digital networking are among the chief reasons the cyber landscape is becoming more treacherous. The intersection of communications, people, and data carries a tremendous amount of risk, as malicious actors exploit the interconnectedness of the modern work surface," says Werno Gevers, regional leader of Mimecast Middle East. "Our research shows that corporate boards have finally woken up to the realisation that cyber risk is business risk, so it's time for CISOs to make the case for increased budgets and greater cyber resiliency."

Download the full report and view the UAE and Saudi Arabia infographics to learn more, and stay tuned to the Mimecast blog Cyber Resilience Insights_._

**Mimecast: Work Protected™**  

Since 2003, Mimecast has stopped bad things from happening to good organizations by enabling them to work protected. We empower more than 40,000 customers to help mitigate risk and manage complexities across a threat landscape driven by malicious cyberattacks, human error, and technology fallibility. Our advanced solutions provide the proactive threat detection, brand protection, awareness training, and data retention capabilities that evolving workplaces need today. Mimecast solutions are designed to transform email and collaboration security into the eyes and ears of organizations worldwide.  

_Mimecast, the Mimecast logo, and Work Protected are either registered trademarks or trademarks of Mimecast Services Limited in_ the United States _and/or other countries.  All rights reserved.  All other third-party trademarks and logos contained in this press release are the property of their respective owners._

SOURCE Mimecast

Mimecast Report Reveals Nearly 60% of Companies in UAE and Saudi Arabia Need to Increase Cybersecurity Spending

"Anonymous Sudan" has been claiming that its DDoS attacks are in retaliation for anti-Islamic activities, but at least one security vendor is suspicious about its true motives.

An apparently pro-Islamic group that has hit numerous targets in Europe with distributed denial of service (DDoS) attacks over the past few months may actually be a subgroup of the Russian hacktivist collective known as Killnet.

The group, which calls itself "Anonymous Sudan," has claimed responsibility for recent DDoS attacks against targets in France, Germany, the Netherlands, and Sweden. All the attacks were apparently in retaliation for perceived anti-Islamic activity in each of these countries. The attacks on Swedish government and business entities, for instance, followed an incident of Quran-burning in Stockholm. The same, or similar, reason was the trigger for DDoS attacks against Dutch government agencies and an attack on Air France, where the group — in a break from character — stole data from the airline's website rather than DDoSing it.

**Anonymous Sudan's Killnet Links**

Researchers from Trustwave, who have been tracking Anonymous Sudan for the past several months, this week said there is some evidence to suggest the group is a front for Killnet. In a report, Trustwave said its researchers have not been able to confirm if Anonymous Sudan is, in fact, based in Sudan or if any of its members are from that country. The group's Telegram posts are in Russian and English, and other telemetry instead point to at least some of its members being Eastern European.

Just as with Killnet, all of Anonymous Sudan's targets have been in countries that have opposed Russia's invasion of Ukraine and/or have assisted the latter in some way. It's most recent threat — on March 24 — to attack targets in Australia fits into the same patterns, as does a DDoS attack against Israeli cybersecurity vendor Radware.

Also just like Killnet, Anonymous Sudan has mostly employed DDoS attacks to send its message to intended targets. And both Killnet and Anonymous Sudan have made claims on their respective Telegram channels that officially connect to each other. In January for instance, Anonymous Sudan claimed to have assisted Killnet in a DDoS attack against Germany's Federal Intelligence Service, Trustwave said.

Just why Anonymous Sudan would brand itself as a pro-Islamic group rather than a pro-Russian group allied with — or possibly a part of — Killnet remains unclear, according to Trustwave researchers. "Anonymous Sudan has been extremely active taking credit for attacks via its Telegram channel, but details concerning the true reasoning behind its efforts remain murky."

**A Noisy Hacktivist Collective**

Killnet itself is a noisy hacktivist group, that, in the months since Russia's invasion of Ukraine, has hit, or claimed to hit, numerous organizations worldwide in DDoS attacks. The group has described the attacks as retaliation against the US-led support for Ukraine in the war — and indeed, all of its victims have been in countries that have rallied behind Ukraine. Most of its attacks so far have been on organizations in Europe. But in February, Killnet launched DDoS attacks against more than one dozen major US hospitals, including Stanford Health, Michigan Medicine, Duke Health, and Cedar-Sinai. Last October, the group launched DDoS attacks against multiple US airports, including Los Angeles International Airport (LAX), Chicago O'Hare, and the Hartsfield-Jackson Atlanta International Airport.

Killnet has touted these attacks as major incidents. But security experts, and victim organizations themselves, have characterized the group as a medium severity threat at worst, but one that however cannot be ignored. Following Killnet's attacks on US hospitals, for instance, the American Health Association (AHA) described Killnet's attacks as typically not causing much damage but on occasion having the potential to disrupt services for several days.

Trustwave SpiderLabs security researcher Jeannette Dickens-Hale characterizes the threat that Anonymous Sudan presents the same way. 

"Based on Anonymous Sudan's recent DDoS attacks, its connection to, and similarity in tactics techniques, and procedures (TTPs) to Killnet, it appears that the group has a low to medium sophistication level," she says. "Killnet, conveniently just like Anonymous Sudan, mainly launches DDoS attacks and threatens extortion with data they may or may not have." 

Trustwave SpiderLabs assesses that Killnet has the same threat level. Anonymous Sudan's recent attack against Air France and the threat to sell its data — that it may or may not actually have — could indicate an escalation in motivation and attack type, Dickens-Hale says.

**Killnet's "Black Skills" Launch**

Killnet's incessant attempts to drum up support for its efforts — mostly through exaggerated claims of its successes — are another thing that researchers are keeping an eye on. Flashpoint this week, for instance, reported observing Killnet's leader "Killmilk" announcing the creation of a private military hacking outfit called "Black Skills".

The security vendor assessed that Killmilk's description of Black Skills was an attempt to position Killnet as the cyber equivalent of Russian mercenary operation the Wagner Group. Earlier in March, Killnet also announced a DDoS-as-a-service offering called "Black Listing" that Flashpoint perceived as another attempt by the collective to carve a more formal identity for itself. 

"Black Skills/Black Listing appear to be an attempt from Killnet to establish itself as a corporate identity," Flashpoint researchers concluded. "According to our intelligence, the new group will be organized and structured, with subgroups taking care of payroll, public relations and technical support, pen testing, as well as data collection, analysis, information operations, and hits against priority targets."

Pro-Islam 'Anonymous Sudan' Hacktivists Likely a Front for Russia's Killnet Operation

With companies pushing to adopt zero-trust frameworks, adaptive authentication and access — once languishing — looks finally ready to move out of the doldrums.

Although only seeing tepid adoption to date, adaptive access and authentication is set to gain steam among businesses this year as organizations pursue zero-trust capabilities that grant and restrict access to data and systems based on context.

In the latest sign of life in the evolving industry, startup company Oleria announced on March 21 that it had jumped into the market for providing adaptive access that can keep applications secure and allow access while minimizing blind spots and the overprovisioning of privileges. The company's executives maintained that easing deployment of granular and adaptive authentication will convince business customers to more rapidly adopt the technologies.

Companies already know that they need the context-aware security that adaptive access provides, says Jagadeesh Kunda, co-founder and chief product officer of Oleria.

"Modern IT has become a continuous, complex system, adapting dynamically to business needs, \[but\] the gap we hear from CISOs and CIOs is the ability to effectively manage access," he says. "With the typical organization running hundreds of applications to support an ever-changing environment, assigning roles and access on a static basis is no longer sufficient or sustainable."

While most companies strive for more granular access controls, adaptive technologies have foundered due to the complexity of the solutions. In its 2022 "MarketScape" report for advanced authentication, analyst firm International Data Corp. estimated that fewer than three in 10 companies use multifactor authentication (MFA), which is only an initial step toward the more advanced access controls represented by adaptive access and authentication. Overall, only 9% of companies have added context-based access policies, which in many ways are the foundation of adaptive access controls, according to Okta's 2022 "State of Zero Trust" report.

**Cloud Native Security Means Adapting**

Yet companies are convinced of the necessity of adaptive access because the ability to grant users access to the appropriate data in the proper way has become significantly more important. While only 9% of companies currently have access controls based on context, a significant 42% of businesses intend to implement those policies in the next 12 to 18 months, Okta stated in its report.

    

Only 9% of companies use context-based access policies, but 42% plan to adopt them. Source: Okta

The technology allows companies — and their security teams — to be more agile, says Chris Niggel, chief security officer for the Americas at Okta.

"It helps protect data by allowing the organization to be confident that sensitive data is only being accessed by approved individuals using approved systems," he says. "It allows IT and security teams to enable the business by more quickly granting and revoking access to this sensitive data."

While seemingly similar, adaptive access and adaptive authentication are slightly different concepts, Oleria's Kunda says. Adaptive access gives a user permissions to specific resources based on the user's behavior, the context of the request, the state of their device, and the overall organizational risk level, while adaptive authentication allows for changing privileges based on those criteria.

With the two technologies, companies can determine the level of access that is appropriate in a particular context and deliver that access, he says.

"As organizations increasingly recognize the importance of dynamically granting or denying access based on contextual factors, such as user behavior and risk level, adoption of adaptive access approaches will continue to increase," Kunda says.

**Pursuing Zero Trust**

With so much of companies' infrastructure relying on the cloud, executives have increasingly focused on zero-trust frameworks as a way to harden security while still accommodating hybrid workers.

In addition to a secondary code or token offered by two-factor authentication, a variety of other factors can be taken into account, such as the access device, user's location, time of day, and current level of risk for the organization. Depending on those criteria, the user may have an easier authentication experience if they are logging into a network or service from a common location, at a regular time of day, and using a known device.

"An access management tool might collect signals about what kind of endpoint you are working on, where you are in the world, and what your previous access patterns are to determine level of risk," says Michael Kelley, senior director analyst at Gartner. "That determination of level of risk is used to decide how you are authenticated and, potentially, what you have access to, and what kind of access you have once you have been authenticated."

While most modern applications continue to use static authentication, adaptive authentication is expanding. Over the past four years, nearly every provider of access management tools has added some form of adaptive access to their products, he says.

Adaptive access (AA) is a step along the path of zero trust, says Andras Cser, a vice president and principal analyst for security and risk at Forrester Research.

"Adaptive access means lower customer friction as AA solutions only raise friction for those users that indicate \[they pose\] higher risk levels, \[such as\] using new devices, using a hitherto unknown IP address geolocation, displaying 'superman' travel — logins in 10 minutes from places that are 1000s of miles apart," Cser says.

Adaptive Access Technologies Gaining Traction for Security, Agility

Decentralized identity products are increasingly projected to be introduced to the market in the next couple of years.

Although the decentralized identity market is still in its infancy, it has been gaining traction in recent years and has the potential to change existing identity, authentication, and access for the better. In 2022, the decentralized identity market was projected to reach $270 million.

    

Through decentralization and blockchain technology, there are an increasing number of people taking back control of their data. Although the digital identity space is still in its initial stages, it is possible that decentralized identity with blockchain could make identity management decentralized, simplified, and seamless, completely transforming the market landscape. Startups and DID initiatives continue to develop proofs of concept (PoC) for decentralized identity in government, finance, healthcare, and other fields, and the opportunities for decentralized identity continue to grow and evolve.

**eIDAS 2.0 Driving Growth**

Omdia believes that the eIDAS 2.0 regulation will be a significant driver for growth in decentralized identity during the forecast period. The updated eIDAS 2.0 initiative is built on the existing, cross-border, legal framework for trusted digital identities, the European electronic identification, and trust services initiative (eIDAS Regulation), which was adopted in 2014. By September 2023, all EU member states must ensure that a digital identity wallet is available to all EU citizens, residents, and businesses in the EU and usable not only for identity documents but for all attestations, including those with sensitive personal data such as health-related data and documents.

**Advantages of Decentralized Identity**

The advantages that decentralized identity gives users over traditional identity and access management solutions include control, security, privacy, and ease of use:

*   Control – Control gives identity owners and digital devices power over their digital identifiers. Because users have complete control and ownership of their identities and credentials, they can decide which information they want to reveal and can prove their claims without depending on any other party.
*   Security – Security reduces attack surfaces by storing personal identifiable information (PII). Blockchain is an encrypted decentralized storage system that is safe, flexible, and reduces the risk of an attacker gaining unauthorized access to steal or monetize user data.
*   Privacy – Privacy enables entities to use the principle of least privilege (PoLP) to designate minimal or selective access for identity credentials. PoLP is a term correlated with information security. It states that any person, gadget, or process should only have the minimal rights necessary to execute the considered task.
*   Ease of use – Decentralized identity technology gives users the advantage of easily creating and managing their identities with user-friendly neoteric decentralized identity apps and platforms.

**Disadvantages of Decentralized Identity**

In contrast, the disadvantages of decentralized identity include no large-scale adoption, legacy systems, and regulation and identity data fragility:

*   No large-scale adoption – Governments and organizations are still attempting to figure out how to deploy decentralized identity technology at scale while most non-tech users have not even heard of this phenomenon.
*   Legacy systems and regulation – Replacing existing legacy systems and creating interoperable global standards and governance are also important issues.
*   Identity data fragility – While a secondary issue, identity data fragility, which refers to duplication, confusion, and inaccuracy in identity management, remains.

**More Decentralized Identity Products Coming**

The popularity of decentralized identity is gathering pace with vendors such as IBM, Microsoft, and Ping Identity entering the fray. Even governments are looking at the technology. Omdia believes that over the next couple of years, more decentralized identity products will be launched onto the market, and this will help the technology become more mainstream. The decentralized identity market is expected to have significant growth during the forecast period, increasing to $6.5 billion in 2027.

Source

DARKReading