Learn how the latest ransomware variant has heightened attack execution speed and what that means for cybersecurity operations.

There has always been a competition in the ransomware world, with attackers trying to improve the speed of campaign execution and organizations continuously innovating to get ahead of those attacks. Speed is so decisive that ransomware-as-a-service (RaaS) platforms even advertise the speed of execution for prospective ransomware affiliates. LockBit, one of the most successful ransomware groups, has publicly listed its encryption speed versus its competitors' speed to demonstrate its advantage. In short, speed is critical on both sides of the ransomware battle.

Rorschach, one of the newest ransomware variants, has officially taken the "encryption speed king" title from LockBit 3.0. The Rorschach variant was first detected in April 2023 and is a customized strain of the Babuk ransomware code. Rorschach brings speed into the spotlight and warrants a closer look at how ransomware creators increase speed across multiple dimensions of their victims' environment.

**Malware Propagation Speed**

One important speed component is the ability to quickly spread malware as far and wide as possible. In the past, ransomware groups have leveraged many techniques for fast propagation, including supply chain attacks and using existing IT and security tools to propagate their malware.

However, Rorschach has built and demonstrated an interesting self-propagating and autonomous capability that leverages Active Directory (AD) Domain Group Policy Objects (GPO). This enables the malware to rapidly propagate across the network and execute ransomware on every endpoint at blistering speeds. Because of this, the Rorschach variant has pushed the needle further than ever with these interesting innovations for self-propagation.

To counter this innovation, organizations must adopt tools that combat self-propagation, such as active defense technology, which deals with ransomware in real time and detects attackers as soon as possible.

**Data Encryption Speed for Extortion**

On Windows endpoints, Rorschach's creators have carefully chosen to use HC-128, a stream cipher that encrypts large streams of file data with impressive performance. Rorschach ransomware uses the asymmetric key exchange method, which is based on Curve25519. It's efficient in both computational performance and memory consumption while simultaneously retaining strong security.

Like many other ransomware strains, including LockBit and Babuk, Rorschach encrypts only parts of a file instead of the entire file's contents. This tactic is known as intermittent encryption, which has become popular in the last couple of years for its efficiency and speed. Encrypting only parts of the file dramatically reduces the time required to complete the data encryption. By shortening the encryption phase of an attack, ransomware operators give security tools less opportunity to detect them. Data encryption is the visible part of an attack, and attackers are shortening that window to better their odds in the race against defenders.

Like LockBit and other well-known ransomware, Rorschach also leverages parallelism and multithreading for high-performance speedy encryption. Because Rorschach ransomware implementation is customized for each operating system type, it leverages specific Windows capabilities known as I/O completion ports for efficient multithreaded encryption. This technique is borrowed from LockBit 3.0, REvil, Hive, BlackMatter, and DarkSide.

While the data encryption speed rankings among ransomware gangs is interesting, it is important to note that virtually all modern ransomware variants already perform data encryption very quickly. Unfortunately, all are much faster than what most security teams or tools are equipped to deal with.

However, while Rorschach does outpace competitors in speed in some realms, it currently does not appear to exfiltrate data for double extortion. This is in comparison to other ransomware gangs, including LockBit, that first exfiltrate enterprise data. While data encryption is the visible part of a ransomware attack, data exfiltration is the invisible race against defenders. Ransomware actors typically exfiltrate large amounts of data for double extortion before beginning data encryption.

**Staying Under the Radar of Defenders**

One of Rorschach's particularly innovative moves is its ability to stay under the radar by using deception technology — a double-edged sword that is useful for attackers and defenders. Rorschach's advanced security evasion capabilities leverage deception techniques and concepts for malicious purposes, including using obfuscation techniques, valid domain user and service accounts, and argument spoofing techniques to hide the true capabilities of the ransomware.

This kind of defense evasion is new to ransomware threats, but it's not new in the cybersecurity world. To combat Rorschach's technique for self-propagation using AD GPOs and high-speed campaigns, defenders need solutions that can detect and respond to real-time, novel, and autonomous ransomware capabilities.

Rorschach ransomware has borrowed innovations from previously successful ransomware groups including LockBit, Babuk, and REvil and built on their success by adding lightning-fast innovations. The Rorschach variant demonstrates the importance of continuous defender innovation, as well as the need to counter attacker movement in real time.

Rorschach Ransomware: What You Need to Know

To adequately address privacy, manufacturers need to think differently about data.

The pandemic altered the way many B2B2C manufacturers interact with customers. While the retail outlets that would typically distribute their products were closed, many manufacturing brands in consumer packaged goods (CPG), fashion, equipment, etc., realized the value of adopting a direct-to-consumer strategy.

These brands traditionally had limited interaction with the end consumer, as their model was to sell their product to a reseller. However, with resellers closed or operating at limited capacities, many manufacturers wisely built digital experiences to interface with, sell to, and collect data from their customers directly.

Data that was collected and owned by resellers or intermediaries suddenly became available directly to the manufacturers to learn from and capitalize on — opening new revenue streams by charging other entities for their data, using the information to cross- or upsell products or create a more frictionless experience for customers.

For example, a carmaker recently approached Thoughtworks with the question, "What tools can we arm salespeople with to provide the sales experience of the future?" In partnership, we built a platform that leveraged the carmaker's data to provide quicker access to information and sales tools, meaning greater customer satisfaction.

**Risks of Data Collection**

However, there are inherent risks in collecting consumer data — not only of hacking, malware, and data theft but also misusing the collected data that may damage one's brand or even create legal exposure.

While many think of malware and hacking as the greatest threat to organizations, a new "Looking Glass" trends report from Thoughtworks suggests organizations should be giving equal attention to avoid shooting themselves in the foot by incorrectly using consumer or employee data.

It finds that handling data and information in accordance with evolving regulations and changing expectations will be critical to having a competitive advantage and fostering customer loyalty. In fact, we believe the mishandling of consumer data could yield damages equal to or even greater than a hack.

Rather than reactive measures, enterprises should proactively create ethical frameworks to guide technology and data use. These frameworks establish a baseline of respect and security for customers, minimizing consumer harm. Customer privacy doesn't compromise business goals.

I encourage manufacturers to consider the following to keep data compliant, secure, ethical, and productive, while still working toward objectives:

*   **When it comes to data, what you don't do is as important as what you do.** Since the big-data trend, firms often collect and store data without considering its necessity. Today's machine-learning algorithms also encourage a degree of data hoarding. But data must be recognized as a liability and an asset. Hackers can't steal what you don't collect, and a security snafu can't leak customer information that's not in your database. Think selectively about the data you need and the possible fallout if it is stolen or leaked. Managing less data is easier.
*   **Adopt decentralized security.** As cyber threats evolve, previous methods are ineffective. There's no safe boundary or perimeter anymore. System design should enable risk management and security enforcement across the entire architecture, employing security-in-depth practices such as encrypted communications, segmented regions, granular authentication and authorization, and intelligent intrusion detection systems.
*   **Analyze the AI in security.** AI capabilities are increasingly important in software applications. Organizations should leverage this to help security professionals identify and react to threats and predict attack vectors. While automation isn't a replacement for trained professionals, it can automate basic defenses, allowing focus on critical threats.
*   **Anticipate increased regulation.** While we've flagged some of the most recent regulations to emerge in the privacy space, organizations should be prepared for more. Worldwide, there are a significant number of data protection laws already on the books, with more to come. Challenges will emerge as compliance grows more complex, especially for firms operating in multiple jurisdictions. When GDPR came into effect, many US-based news sites blocked Europeans from accessing their websites because of concerns about falling foul of a law they didn't understand.
*   **Build products with robust security and privacy practices.** This requires commitment and strong leadership; security and privacy should be ingrained in the organization's culture. Teams shouldn't consider these aspects nice-to-have, optional, or postponable for cost-saving purposes. Leaders must set the tone that security is a priority for everyone. Data breaches often result from employees not changing passwords or ignoring alerts.

To adequately address privacy, I urge manufacturers to think differently about data. Specifically, they should prioritize well-thought-out governance measures that enable informed decision-making regarding data collection, access and usage. By appointing data owners, manufacturers could ensure data is handled responsibly and ethically. Having a strong governance framework holds a particular value for organizations in protecting privacy and user data.

Consumer Data: The Risk and Reward for Manufacturing Companies

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Have a few minutes to spare? Come up with a clever cybersecurity-related caption for the cartoon above. If it strikes our fancy, you could win a $25 Amazon gift card!

Here are four convenient ways to submit your ideas before the July 12, 2023, deadline:

*   Email _\[email protected\]_ with the subject line "Dark Reading June Toon."
*   Via social media: Twitter, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)

**Last Month's Winner**

Dark Reading reader David is having a great month! He already won The Edge's "Spring Chickens" May cartoon caption contest, and now he's done it again with the main site's "One by One" May contest. Congratulations, David, and a big thanks to all who played.

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: Time to Spare?

The threat organizations face with GenAI is not new, but it could speed how quickly private data reaches a wider audience.

Generative artificial intelligence (GenAI) and large language models (LLMs) are the disruptive technologies _du jour_, redefining how enterprises do business and spurring the debate on just how much AI will change the way civilization interacts with computers in the future. The hyperbole is reaching epic proportions as social scientists and pundits debate the End Times facing civilization due to smarter and potentially proactive computing. Perhaps some perspective is in order.

A recent report from Israeli venture firm Team8, "Generative AI and ChatGPT Enterprise Risk," addresses some of the realistic technical, compliance, and legal risks GenAI and LLMs place on corporate boards, C-suites, and cybersecurity personnel. The report underscored the potential operational and regulatory vulnerabilities of GenAI, but cautioned that some concerns might be premature. One concern — that exposing private data submitted to a GenAI application such as ChatGPT might make that data available to others in near real time — is discredited in the report.

"As of this writing, Large Language Models (LLMs) cannot update themselves in real-time and therefore cannot return one's inputs to another's response, effectively debunking this concern," the report states. "However, this is not necessarily true for the training of future versions of these models."

The report identifies several potential threats by risk category. Among the high risks are:

*   Data privacy and confidentiality of nonpublic enterprise and private data.
*   Enterprise, software-as-a-service (SaaS), and third-party security of nonpublic and enterprise data.
*   AI behavioral vulnerabilities, such as prompt interjection, of enterprise data.
*   Legal and regulatory compliance.

Among the threats that fall into the medium risk category are:

*   Threat actor evolution for attacks, such as phishing, fraud, and social engineering.
*   Copyright and ownership vulnerabilities leading to an organization's legal exposure.
*   Insecure code generation.
*   Bias and discrimination.
*   Trust and corporate reputation.

"The CISO is in a position to have the technical knowledge to support processes not necessarily under their umbrella, which might affect their role," says Gadi Evron, CISO-in-residence at Team8 and one of the report's authors. "Some interpretations of upcoming European Union regulation may push the CISO into a position of responsibility when it comes to AI. This may elevate the CISO to a position of responsibility where they are 'ambassadors of trust,' and this is a positive thing for the CISO role."

Chris Hetner, cybersecurity advisor at Nasdaq and chair of Panzura's Customer Security Advisory Council, says an initial risk assessment would identify potential issues with who has access, what can be done, and how the technology will interact with existing applications and data stores.

"You need to determine who has access to the platform, what level of data and code are they going to introduce, \[and does\] that data and code introduce any proprietary exposure to the enterprise," he notes. "Once those decisions are made, there's a process to proceed forward."

The threat organizations face with GenAI is not new, but it could speed how quickly private data reaches a wider audience.

"When it comes to security, it is clear that most companies are in much worse condition to mitigate the risks of their corporate and customer being stolen or leaked than they were just six months ago," opines Richard Bird, chief security officer at Traceable AI. "If we're being intellectually and historically honest with ourselves, the vast majority of companies were already struggling to keep that same data safe before the rise of generative AI.

"The ease of use and access that employees are already taking advantage of with AI technologies with little to no security controls is already showing the increased risk to companies."

**The Human Element**

Bird takes a pragmatic approach to GenAI, adding that companies are going to move fast and not wait on compliance demands to protect their data, customers, supply chains, and technologies. Users have shown "a complete lack of restraint combined with no awareness of the unintended security consequences of using AI," he notes. "This toxic combination is what companies must work quickly to address. AI isn't the key threat here. Human behavior is."

One issue that has yet to be fully analyzed is how users interact with GenAI based on their existing habits and experience. Andrew Obadiaru, CISO for Cobalt Labs, notes that iPhone users, for example, already have native experience with AI through Siri and thus will adapt quicker than users who do not have that experience. Like Bird, Obadiaru thinks those habits might make those users more susceptible to misusing the applications by inputting data that should not get out of an organization's direct control.

"The concerns are, 'What are the additional risks?' Everyone has the ability to tap into \[GenAI technology\] without necessarily going through a security review," he says. "And you can just do that on their personal device."

If employees use personal devices outside of the IT department's control to conduct business, or if employees use GenAI as they use Siri or similar applications, this could pose a security risk, Obadiaru adds. Using GenAI like a personal digital assistant potentially could put confidential data at risk.

**Network Risks**

Sagar Samtani, assistant professor in the Data Science and Artificial Intelligence Lab at the Indiana University Kelley School of Business, cautions that AI models are extensively shared via the open source software landscape. These models contain significant quantities of vulnerabilities within them, some of which CISOs need to be aware of.

"These vulnerabilities place an impetus on organizations to understand what models they are using that are open source, what vulnerabilities they contain, and how their software development workflows should be updated to reflect these vulnerabilities," Samtani says.

Asset management is a critical aspect to any strong cybersecurity program, he adds.

"\[It's\] not the exciting answer, but an essential ingredient," Samtani says. "Automated tools for detecting and categorizing data and assets can play a pivotal role in mapping out corporate networks. ... Generative AI could help provide layouts of corporate networks for possible asset management and vulnerability management tasks. Creating inventory lists, priority lists, vulnerability management strategies, \[and\] incident response plans can all be more \[easily\] done with LLMs in particular."

Generative AI Has Its Risks, but the Sky Isn't Falling

Pressure mounts on the NSO Group's business viability as Khashoggi widow joins group of plaintiffs suing the Israeli firm for Pegasus spyware abuse.

NSO Group is facing a number of existential crises at the moment, and it appears there's a group of enterprising investors — including, reportedly, a Wrigley chewing gum magnate — ready to take advantage, lassoing control of arguably the most destructive and powerful spyware tool known to-date, i.e., Pegasus.

The Israeli firm was blacklisted by the US government in November 2021 for creating and selling its powerful zero-click spyware tool Pegasus, which has been used by its customers to target and track government officials, human rights workers, journalists, activists, academics, embassy workers, and businesspeople across the world. 

The designation placed severe restrictions on the firm's ability to operate by banning any transfer of US technology to NSO Group. Then, in December 2021 NSO Group's spyware was found on the phones of at least nine US State Department employees, which didn't help thaw the firm's relationship with Biden administration either.

There's also the problem of the mounting number of lawsuits.

**NSO Group's Lawsuit Docket Grows**

A new lawsuit filed by Hanan Elatr, widow of murdered Washington Post journalist Jamal Khashoggi, accuses NSO Group's Pegasus spyware of violating US hacking laws to track the couple leading up to the 2018 killing of the vocal Saudi dissident.

Elatr says in the lawsuit that the Pegasus spyware "caused her immense harm, both through the tragic loss of her husband and through her own loss of safety, privacy, and autonomy, as well as the loss of her financial stability and career."

In addition to Elatr, there are other, far more deep-pocketed legal foes for NSO Group to worry about. Apple filed suit in November 2021 against the organization for targeting its users with Pegasus spyware (attacks that are ongoing). And in January, the US Supreme Court denied a petition to block a suit to proceed against NSO Group filed by Meta-owned WhatsApp for spyware damages.

**Juicy Fruit Heir, Sandler Movie Producer Float NSO Purchase**

Despite the legal, business, and brand challenges, NSO Group reportedly continued to hone and improve Pegasus spyware. A recent report from research organization Citizen Lab, which has been at the forefront of working to expose Pegasus abuse, said it discovered at least three new exploit chains against human rights activists as recently as 2022.

Perhaps because of that, investors have begun to sniff out a potential opportunity. Reportedly, a motley gang of investors including Robert Simonds, a US investor whose background includes producing Adam Sandler movies, and his buddy, cannabis industry investor and chewing-gum fortune heir William "Beau" Wrigley, are looking at buying up NSO Group's assets, according to new reporting from The Guardian.

The report adds a spokesperson for Wrigley denied he is in discussions to buy NSO Group assets, while a source close to Simonds said he was "deep" in talks about a sale but aware it would be a steep climb to get the deal done. 

"Placing such powerful surveillance technology in the hands of individuals who may not have deep expertise in the cyber industry or a history of involvement in the sector raises questions about the potential ramifications," Callie Guenther, cyber threat research manager with Critical Start tells Dark Reading about the potential NSO sell-off. "It is essential to ensure that any potential acquirer of NSO's assets possesses the necessary expertise to handle the technology responsibly, maintain appropriate safeguards, and prevent potential misuse."

It should be noted that other attempts at buying control of Pegasus haven't worked out. Last year L3Harris, an American company and US defense contractor was looking into a possible purchase of NSO Group's technology, but the White House objected over "serious counter-intelligence and security concerns," the Guardian added.

Then there is the Israeli government, which closely regulates NSO Group and could potentially intervene in any sell off of its technology, the Guardian points out.

"NSO operates under close regulation by Israel's Ministry of Defense, and any potential sale of its assets would likely face scrutiny from Israeli authorities," Guenther says. "It remains to be seen how such a transaction could proceed and whether it would comply with relevant regulatory requirements and national security considerations."

Perhaps there's a pot-sweetener here though: The Guardian added a juicy rumor to its reporting that Simonds has privately pledged to hand over the surveillance technology to the so called "Five Eyes" alliance between the intelligence agencies of Australia, Canada, New Zealand, the UK, and the US.

Even so, a pledge is not a guarantee. Guenther outlines a number of potential problems with NSO Group's assets falling into the wrong hands, including giving the new owners the power to improve upon its existing capabilities for exploitation, targeting, as well as slow down future potential vulnerability disclosures.

"The acquisition could impact the overall cyber threat landscape. If NSO's spyware technology becomes more accessible or proliferates in unauthorized hands, it could lead to an increase in targeted attacks, surveillance activities, and potential abuse," Guenther warns. "This would necessitate heightened vigilance and strengthened defensive measures from organizations, governments, and cybersecurity communities to mitigate the associated risks."

**Has Pegasus Already Peaked?**

Many may question the power a tool like Pegasus could have when flying on behalf of someone rich enough to buy it, but the true value of NSO Group, and its dominance in the spyware space, might have already peaked.

JT Keating, senior vice president of mobile security firm Zimperium, explained to Dark Reading that the trend is decidedly moving toward open source spyware, making the surveillance tools available to almost anyone and driving down the value of NSOs proprietary Pegasus product.

"Spyware is now mainstream, including the shift from sole reliance on the Dark Web for distribution to seeing the same kits and tools being found on online repositories like GitHub or online communities like Reddit," Keating says. "Regardless of what happens to organizations like NSO, mobile spyware will only continue to proliferate."

Meanwhile though, the squeeze on NSO Group's business continues.

US Investors Sniffing Around Blacklisted NSO Group Assets

Workforce IAM and consumer IAM are not interchangeable — they serve different purposes and constituencies.

The world is increasingly becoming more interconnected, and digital identity is evolving to address the unique needs of organizations and consumers. While the two types of identity and access management — workforce IAM and consumer IAM — share some commonalities, they are designed for distinct use cases and fit different requirements.

"The obvious difference between the two use cases is the user constituencies," says Henrique Teixeira, senior research director at Gartner.

Vendors and buyers often separate the use cases into internal identities (workforce) and external identities (consumer) because there may be requirements that apply to one group but not the other. For example, consent and preference management to protect the privacy of customer data is an important part of consumer IAM, but not so much in workforce IAM, Teixeira says.

Many organizations believe that they can use workforce IAM solutions to solve identity issues around securing consumer identities, says David Mahdi, CIO of Transmit Security.

"As organizations deploy more customer-facing digital services \[via mobile and/or Web\], they now need to invest in CIAM solutions to help establish and maintain trust and privacy," he says.

**Securing the Digital Workforce**

Workforce IAM, also known as employee IAM or corporate IAM, is designed to manage and secure the digital identities of an organization's employees, contractors, and partners. The primary goal of workforce IAM is to protect sensitive corporate data and resources by ensuring that the right people have access to the right information, at the right time, and in compliance with regulatory requirements.

Workforce IAM solutions provide strong, multifactor authentication (MFA) to ensure that users are who they claim to be. This often involves a combination of passwords, one-time passcodes, and biometric factors, such as fingerprint or facial recognition. MFA helps organizations prevent unauthorized access to their systems, thereby reducing the risk of data breaches and cyberattacks.

Role-based access control (RBAC) and attribute-based access control (ABAC) are employed to grant users access to specific resources based on their job function, seniority, department, or other attributes. This fine-grained access control helps organizations maintain the principle of least privilege, which minimizes the potential for insider threats and data leakage. These features allow users to access multiple applications within the organization using a single set of credentials, simplifying the login process and improving user experience. Federation extends single sign-on (SSO) across organizational boundaries, enabling seamless collaboration between partners, suppliers, and customers.

Workforce IAM systems manage user accounts from onboarding to offboarding, including provisioning and deprovisioning access, password resets, and profile updates. Automating these processes not only saves time and effort but also reduces the risk of human error and ensures that access rights remain up to date.

Workforce IAM solutions track and monitor user activities, generating audit trails and reports that help organizations maintain compliance with industry regulations, such as the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), and Sarbanes-Oxley Act (SOX). These tools also facilitate the identification of suspicious behavior or potential security incidents, allowing for prompt investigation and remediation.

"Employees that make up the workforce sign employee agreements, which essentially means that they must adhere to any and all access policies. This absolutely shapes the UX and security requirements of workforce IAM solutions," Transmit Security's Mahdi says. "That is simply not the case when dealing with consumer security and identities. If they suffer a poor UX, they can and will go elsewhere, especially when it's an online digital service — where competitors are a simple click away."

**Enhancing the Consumer Experience**

Consumer IAM, or customer IAM, focuses on managing the identities of an organization's customers or end users. The main objectives of consumer IAM are to create seamless and secure user experiences across digital touch points, while safeguarding customer data and maintaining compliance with privacy regulations.

Consumer IAM solutions often allow users to register and log in using their social media accounts or other trusted identity providers, streamlining the authentication process and reducing the need for multiple sets of credentials. This convenience helps organizations attract and retain customers, especially in industries with high levels of competition.

Customers can manage their profiles, preferences, and consent settings through self-service portals, giving them more control over their data and interactions with the organization. This empowers customers to update their information, adjust privacy settings, and manage their communication preferences without relying on customer support, thereby reducing operational costs for the organization.

Consumer IAM systems are designed to handle millions of users and to scale rapidly to accommodate growth in user base or increased traffic during peak times. High-performance IAM solutions ensure that customer-facing applications remain responsive and reliable, even under heavy loads, which is crucial for maintaining customer satisfaction and minimizing churn.

Such solutions collect and analyze customer data, enabling organizations to deliver personalized content, offers, and recommendations based on individual preferences, browsing history, and purchase patterns. This level of personalization can enhance customer loyalty, drive repeat business, and increase conversion rates. Additionally, customer analytics can provide valuable insights into user behavior, helping organizations identify trends, opportunities, and areas for improvement.

Consumer IAM plays a critical role in complying with data protection and privacy regulations, such as GDPR and the California Consumer Privacy Act (CCPA). These solutions help organizations manage customer consent for data processing, store and transmit customer data securely, and respond to data subject access requests. By ensuring compliance, consumer IAM can help organizations avoid costly fines and reputational damage.

These systems use advanced techniques, such as machine learning and behavioral analytics, to identify potentially fraudulent activities and assess the risk level of each login attempt. Based on the risk score, the IAM solution may require additional authentication factors or block access altogether. This helps protect customers' accounts from unauthorized access and reduces the organization's exposure to fraud-related losses.

**Picking the Right IAM**

Workforce IAM emphasizes the protection of corporate resources and data, ensuring that employees and partners have appropriate access to systems and information. In contrast, consumer IAM prioritizes the customer experience, personalization, and privacy, aiming to foster trust and loyalty among end users.

As organizations continue to adapt to the ever-changing digital landscape, understanding these distinctions is crucial for selecting the right IAM solution to meet their specific needs. By implementing the appropriate workforce or consumer IAM system, organizations not only improve security and compliance, but they also enhance user experience, drive customer satisfaction, and, ultimately, achieve business success.

Decoding Identity and Access Management for Organizations and Consumers

To properly secure DNS infrastructure, organizations need strong security hygiene and records management, as well as DNS traffic monitoring and filtering.

As a core backbone of the infrastructure, Domain Name Service (DNS) acts as the phone book of the Internet. It helps route users hunting for a specific domain name and connects them to the resources of the IP address connected to that domain. When it runs the way it is supposed to, it is nearly invisible to the typical user — and even to many technical administrators. This lends an air of obscure simplicity that leads many organizations to assume that DNS is a background service that doesn't require more than basic protection and is covered by other Web and email defenses.

That couldn't be further from the truth. A new report from Dark Reading outlines the threats against DNS and what organizations should do to secure DNS infrastructure.

Some of the most common DNS attacks include:

*   Denial of service, which overwhelms DNS services with traffic to disrupt or disable DNS service at an organization.
*   DNS cache poisoning, which manipulates the DNS cache to redirect users trying to go to a legitimate domain to a malicious IP address.
*   DNS hijacking, which changes the DNS records of a domain to redirect users to a malicious IP.
*   DNS tunneling, which leverages outbound DNS traffic to smuggle malicious data from malware exploitation back to attackers' C2 infrastructure.
*   Dangling DNS, which takes over an unused subdomain on cloud and other infrastructure to impersonate a brand or use as a foothold for other attacks.

To ensure the proper security of DNS infrastructure, organizations need a solid combination of strong security hygiene around DNS infrastructure and records management, close monitoring of DNS traffic, effective filtering, and deployment of more advanced protocols, like DNSSEC. The cost of not employing these measures can be high. The average cost of a successful DNS attack is upward of $1 million.

When attacks happen, sometimes the best that many organizations can do is to literally pull the plug on their DNS or network infrastructure.

The Dark Reading report, "Everything You Need to Know About DNS Attacks," explores the nuances of the DNS security awareness gap, including why organizations are struggling to implement a full slate of DNS security measures and what it will take to combat these common DNS attacks. The report examines how to harden DNS infrastructure from attacks, the importance of creating more visibility around DNS, and how DNS protection measures can actually be used to improve other areas of cybersecurity awareness.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Getting Over the DNS Security Awareness Gap

This first-ever event, hosted by the Security Industry Association and ASIS International and designed to advance, connect, and empower women in security, gathered hundreds of industry leaders in Nashville June 12-13, 2023.

**ALEXANDRIA, Va. & SILVER SPRING, Md. –** ASIS International and the Security Industry Association (SIA) closed out the inaugural Security LeadHER conference this week, celebrating a successful and groundbreaking first event held June 12-13 in Nashville, Tennessee. The event was dedicated to advancing, connecting and empowering women in the security profession.

Approximately 300 current and future "LeadHERs" and attendees of all backgrounds and genders gathered for Security LeadHER 2023. This year's Security LeadHER program kicked off on June 12 with a variety of fun and engaging activities, including a behind-the-scenes security tour of Nashville's famed Ryman Auditorium, a tour of the National Museum of African American Music and a women's self-defense class, and wrapped up with a lively networking reception at Johnny Cash’s Bar & BBQ.

On June 13, the Security LeadHER conference programming began with a motivating keynote from author, renowned speaker and sought-after consultant Eliza VanCort on how to "Claim Your Success – Stand Tall, Raise Your Voice and Be Heard." In this dynamic presentation, VanCort shared her personal journey from childhood kidnappings to a near-fatal head injury to becoming a No. 1 bestselling author, addressed some of today's most important women’s leadership issues and offer participants valuable communication and presentation guidance and concrete skills to achieve their goals professionally and in every aspect of their lives.

Additional programming focused on two tracks – Leadership and Security & Innovation – featuring presentations from industry-leading subject matter experts. Track sessions gave actionable guidance on topics such as confidently saying no and setting boundaries, addressing virtual threats and harassment, mitigating our unconscious biases against women in security, anonymizing your digital footprint, protecting data in the cloud, leading by influence and the science of sex and its impact on the industry.

The conference closed with a moving keynote from diversity, equity and inclusion practitioner, spoken word artist, emcee and poetry specialist Charity Blackwell. Attendees enjoyed the immersive spoken word performance and keynote address exploring the meaning of owning your legacy through your work.

"The inaugural Security LeadHER event is a wrap, and what a success it was! My mind is full of new ideas, my LinkedIn account is full of new connections and my heart is full of gratitude for all the hard work done by the SIA and ASIS communities to make this event something to remember," said Elaine Palome, director of human resources, Americas, at Axis Communications and event co-chair for Security LeadHER. "It was so inspiring to see more than 300 women and their allies gathered together to share stories, ideas and knowledge. We are already thinking about next year’s event and hope you will join us."

"Our inaugural Security LeadHER event was a smashing success. The energy in the room was palpable," said Antoinette King, founder of Credo Cyber Consulting LLC and event co-chair for Security LeadHER. "Our opening keynote was delivered by Eliza VanCort. Eliza's insights on communication were incredibly helpful, and I walked away with many new communication tools. The education sessions were super insightful. Our closing keynote, Charity Blackwell, was simply masterful. I left the conference with so much excitement for the future of our industry!"

Security LeadHER 2023 was made possible in part thanks to the generous support of Featured Sponsor Apple; Premier Sponsors dormakaba, Intel and Wesco; Executive Sponsors Axis Communications and Securitas; and Partner Sponsors Allegion, Altronix, Boon Edam, Brivo, GSA Schedules, Inc., IDEMIA, Prosegur and SAGE Integration.

**About ASIS International**

Founded in 1955, ASIS International is the world’s largest membership organization for security management professionals. With 34,000 members hundreds of chapters across the globe, ASIS is recognized as the premier source for learning, networking, standards, and research. Through its board certifications, award-winning Security Management magazine, and Global Security Exchange (GSX) – the most influential event in the profession – ASIS ensures its members and the security community have access to the intelligence and resources necessary to protect their people, property, and information assets.

**About the Security Industry Association**

SIA is the leading trade association for global security solution providers, with over 1,400 innovative member companies representing thousands of security leaders and experts who shape the future of the security industry. SIA protects and advances its members' interests by advocating pro-industry policies and legislation at the federal and state levels, creating open industry standards that enable integration, advancing industry professionalism through education and training, opening global market opportunities, and collaborating with other like-minded organizations. As the premier sponsor of ISC Events expos and conferences, SIA ensures its members have access to top-level buyers and influencers, as well as unparalleled learning and network opportunities. SIA also enhances the position of its members in the security marketplace through SIA GovSummit, which brings together private industry with government decision makers, and Securing New Ground, the security industry's top executive conference for peer-to-peer networking.

Security LeadHER Wraps Groundbreaking Inaugural Conference for Women in Security

This new role of safeguarding cloud deployments requires an exceedingly rare set of technical and soft skills.

A team at a recent cloud-native industry event laughed out loud when they told us, "We just got out of a talk, and apparently we are now infrastructure security engineers." With the rampant layoffs in the tech industry, underlying the amusement of job titles is real uncertainty around expectations for thriving in that new role and associated ecosystem.

In the age of Kubernetes and cloud native application deployment, the infrastructure security engineer is a prize hire. But across dozens of job descriptions and practitioner interviews, we found that this role reflects an exceedingly difficult challenge: to be the best at both indirect influence and hard technical skills.

So what is infrastructure security engineering, anyway? The infrastructure or cloud security team sits at (no surprise) the infrastructure layer, versus the application layer. They are primarily concerned with deployment and the running cloud environment.

The first thing to understand about this role is how much the cloud security shared responsibility model requires of them. In the case of managed Kubernetes platforms, we can assume a general platform-as-a-service (PaaS) model. This implies a shared responsibility model that puts nearly the entire configuration of the cloud in the infrastructure security role's hands. In Google's own words, "For \[Google Kubernetes Engine\], you're responsible for protecting your worker nodes, including deploying patches to the OS, runtime and Kubernetes components, and of course securing your own workload."

But the shared responsibility model is just the start. No role exists in a vacuum, and the third most common requirement in this role, apart from vulnerability management and staying up to date on trends in the space, is imbuing best practices across other teams in the org. As one hiring manager put it, "Your primary responsibility will be to ensure that our engineering teams integrate security best practices into their workflows and deliver secure products and services."

There is an inherent friction in asking a development team to do anything that might slow down the flow of new features into production, even if it has been shown that teams baking security into their DevOps processes actually do deliver more quickly.

**What Infrastructure Security Engineers Need to Succeed**

What do hiring managers think will make candidates successful in the kind of role just described? Not surprisingly, the third most common requirement for this role — behind hands-on experience with cloud platforms and networking — is proficiency in scripting languages, combined with hands-on experience around any combination of infrastructure-as-code (IaC), HashiCorp's Terraform, and the continuous integration/continuous delivery (CI/CD) pipeline. Why? Because if you have never automated deployments with code, it will be impossible to share security best practices with the developers doing it on a daily basis.

The last common requirement in an infrastructure security role is an in-depth understanding of the end-to-end development pipeline. If a security engineer expects to keep up to speed on the latest in the cloud, influence development, and manage cloud vulnerabilities on a day-to-day basis, they need an understanding of efficiency, how it all works together, and how to prioritize.

Here are some more tips from our interviewees:

*   "If you are just looking at the cloud, don't forget Kubernetes. While it is deployed through managed cloud services more often than not these days, it cannot be addressed in the same way one would address vulnerabilities for cloud environments." — Director of cloud security
*   "Triage is critical. When my teams have failed in the past, it was usually because we kept chasing shiny things. By being disciplined and methodical about prioritization, we maintain confidence that we're working on the right problems at \[almost\] any given time." — Manager, infrastructure and IT security
*   "Don't underestimate engineering teams' interest in solving security problems. Empower them with data and context, and see how hungry they are to use it." — Manager, infrastructure and IT security

**Why This Could Be the Hardest Job**

Interestingly, in our research only one job description had a line item for "security reviews," where the role allowed the security team to say yes or no to development changes. This is telling in the context of other observations on the role of direct versus indirect influence over engineering and development; for example, the IaC knowledge is needed not for using it directly, but for being able to tell others how to use it.

Also, communication and mentoring were not listed among the most common job prerequisites, but half of the roles still had high expectations for this soft skill. This was especially true for the more senior positions.

Between the requirement to influence the development teams, the required knowledge of IaC tooling and automation, the need for communication and mentoring, and the near complete absence of formal security reviews, a view of the most successful infrastructure security professional begins to emerge. This person will have broad hands-on experience in the cloud ecosystem, as well as skills to influence and build credibility across skilled teams who are managing highly new, cutting-edge GitOps tools on a daily basis. That is a high bar, indeed!

The Infrastructure Security Engineer Is a Unicorn Among Thoroughbreds

The DDoS collective claims to be teaming up with ReVIL and Anonymous Sudan for destructive financial attacks in retaliation for US aid in Ukraine, but the partnerships (and danger) are far from verified.

The pro-Russian hacktivist collective known as Killnet claims to be working in concert with a resurgent form of the notorious ReVIL ransomware gang. The goal? To mount an attack on the Western financial system.

The group is warning that attacks are imminent, as in the next day or so; but it's unclear whether the threats amount to anything more than bluster and saber-rattling, particularly given Killnet's past track record of, at most, carrying out mildly disruptive distributed denial of service (DDoS) attacks.

Even so, in a video posted on a Russian Telegram channel on June 16, Killnet made ominous threats against the SWIFT banking system (famously targeted by Lazarus in 2018); the Wise international wire transfer system; the SEPA intra-Europe payments service; central banks in Europe and the US (i.e., the Federal Reserve); and other institutions.

"The post claims that threat actors from Killnet, REvil, and Anonymous Sudan will unite for the campaign," according to ZeroFox researchers, writing in a flash alert on the threat. "Killnet indicates that the attack is motivated by the US providing weapons to aid Ukraine, stating: 'repel the maniacs according to the formula, no money — no weapons — no Kiev regime.'"

**Killnet's New Besties: Real or Imaginary?**

When it comes to the claimed partnerships, Anonymous Sudan is an emergent DDoS player that targeted entities in France, Germany, the Netherlands, and Sweden earlier this year, ostensibly in retaliation for perceived anti-Islamic activity in each of these countries. However, despite this religious persona, Trustwave researchers in the past have tied Anonymous Sudan to Killnet, noting it could simply be a masked subsidiary.

As for ReVIL, which imploded in 2022 after a Russian takedown, evidence of a re-emergence is one day old: On June 15, a Telegram channel called, fittingly, "REvil," was created. It was used to circulate a shout-out ("Hello Killnet") that went on to be heavily re-posted in a Killnet-affiliated Telegram channel, according to ZeroFox.

"This is the only post in channel to date and no additional evidence substantiating the partnership has been observed," the researchers noted.

A previous whiff of ReVIL's resurrection came more than a year ago, when rumors surfaced that some members were regrouping — but nothing more came of it.

Killnet could be fabricating the ReVIL partnership to lend some heft and gravitas to its threats against some tough targets. While Killnet has successfully gone after big game before, such as the White House and SpaceX satellite comms in Ukraine, these had "limited impact, causing short service outages and disrupting access to information," ZeroFox researchers said. A ReVIL partnership that's more than a flight of fancy "would allow them greater access to vulnerability exploitation, network intrusion, and data exfiltration."

Absent that, "the \[threatened attacks\], if legitimate, are unlikely to result in mass or prolonged outages to Western banking infrastructure, despite the newly claimed relationships with REvil and Anonymous Sudan," they added.

Even so, the publicity push around a supposedly imminent financial catastrophe could be simply an effort to harry Western governments and financial institutions, ZeroFox concluded — or, given Killnet's penchant for shenanigans, just an attempt to garner attention and notoriety.

Source

DARKReading