With critical infrastructures ever more dependent on the cloud connectivity, the world needs a more stable infrastructure to avoid a crippling cyberattack.

As global conflicts continue, cyber has become the fifth front of warfare. The world is approaching 50 billion connected devices, controlling everything from our traffic lights to our nuclear arsenal. We've already started seeing large-scale cyberattacks, affecting critical industries like oil and gas pipelines and hospitals. But we have yet to experience a truly catastrophic incident that would "break the Internet," disrupting financial markets, supply chains, and daily life. 

Could it happen this year?

**Single Points of Failure**

The migration of public and private sector technology to cloud computing means that a large share of our infrastructure, financial systems, supply chains, healthcare, and other critical services are run by just a handful of companies: Amazon, Google, and Microsoft. On the hardware side of things, the story isn't much better. Just three companies — Palo Alto Networks, Cisco, and Fortinet — control more than 50% of the market for security appliances. The ripple effects of a successful attack on one of these companies would leave no part of the connected world untouched, including the security software intended to protect customers in the event of an attack, much of which runs on infrastructure provided by these same cloud companies. 

For data center security experts, there is also another, far less digital, concern to deal with. Suspicious activity and attacks on US power stations hit an all-time high in 2022, with more than 100 attacks reported in the first eight months of the year alone. Data centers are massive buildings, consuming immense quantities of electricity. To cool their ultrahot servers and buildings, data centers use startling amounts of water. According to Google, its data centers used 4.3 billion gallons of water in 2021. If attackers disrupt the supply of power or water to Amazon, Google, or Microsoft's data centers in a coordinated fashion, they could compromise entire regions of their infrastructure, including backups. 

**Follow the Money**

To put the cost of a catastrophic cyberattack in perspective, consider that in 2021, according to Swiss reinsurer Swiss Re, global economic losses from natural catastrophes such as floods, hurricanes, and wildfires reached $270 billion. This is a large number, but consider the fact that Merchant Machine estimates a global Internet outage would cost the global economy $37 billion a day in lost revenue. 

Still, the economics of technology are not in favor of a more secure future. Enterprises, users, and adversaries all have competing monetary interests preventing more investment in security. Technology companies need to iterate and release updates quickly to keep pace with their competitors, and their customers are often not willing to wait — or pay — for extra security features or for all bugs and vulnerabilities to be resolved. Instead, consumers opt to buy insurance against these inevitable incidents, which may create another crisis of its own.

Insurance companies spend significant amounts of money simulating disasters and estimating their cost so that any single large loss would not do significant financial harm to the insurer. For a catastrophic cyberattack, the costs could reach beyond billions of dollars, meaning bankruptcy not just for the insurers but also the reinsurers, which would likely bring about a systemic financial disruption and a near market collapse on a scale dwarfing the financial crisis of 2008. The US government spent $85 billion to bail out AIG and prevent systemic financial system collapse, but the question this time is: Who bails out an insurer with global losses, and what happens when insurers are too cash strapped to pay out claims?

**So, What Now?**

We need to examine critical infrastructure security and ensure there are plans and fail-safes in place capable of withstanding an extended period of disconnect. Organizations migrating to cloud computing must reevaluate their need for data fidelity and whether on-premises storage is necessary. Security leaders should make catastrophic failure planning part of their risk management strategy, and ensure their vendors also have plans in place to mitigate the impact of a loss of cloud\-hosted services. 

On the regulatory front, if we have any hope of preparing for a global event, we need to evaluate the technical chops of regulators and legislators creating the frameworks intended to keep us safe, as well as the metrics we use to measure the financial health of the insurers and reinsurers on the hook. If the spectacular collapse of several blockchain companies in recent years, successful election meddling via social media, or explosion in ransomware attacks have taught us anything, it's that we must demand more of our elected representatives, and elect leaders who can help run the world of tomorrow. Similarly, regulators need to understand the companies and technologies they oversee. 

There will be a reckoning in the connected world, and the only way our economy (and possibly society) will survive it is by working together to create a safer, more stable infrastructure.

It's Time to Assess the Potential Dangers of an Increasingly Connected World

License Scanner and SBOM Utility will boost the capabilities of OWASP's CycloneDX Software Bill of Materials standard.

IBM has contributed two open source supply chain tools — SBOM Utility and License Scanner — to the Open Worldwide Application Security Project (OWASP) Foundation's CycloneDX Software Bill of Materials (SBOM) standard. These two tools will fill two crucial gaps in CycloneDX, which the OWASP describes as a "full-stack" BOM standard that provides advanced supply chain risk reduction.

The software bill of materials, or SBOM, is an inventory listing all individual components used in software. The discovery of the vulnerability in the Log4j library two years ago highlighted just how few organizations really understood what was inside the software they were running. It wasn't enough to just know which third-party components, libraries, and frameworks were being used — organizations need to be aware of all the dependencies _those_ components were using. In response to various supply chain attacks and the Log4j chaos, the White House issued an Executive Order mandating that developers improve the security of their supply chains. One way is to include and maintain an SBOM for every piece of software they distribute.

"IBM has been advocating for all developers and organizations creating modern software to begin their journey to create SBOMs," says Jamie Thomas, IBM's general manager of systems strategy and development. "These tools are foundational complements to aid developers in this journey, so they can better understand the potential risks in their software supply chains."

**Standardizing SBOMs**

Efforts to standardize the SBOM have accelerated with the sharp rise in software supply chain attacks over the past two years.

CycloneDX is one of two primary SBOM standards, the other being the Linux Foundation's Software Package Data Exchange (SPDX). Proponents of CycloneDX, which is newer, describe it as a more lightweight standard better suited to those seeking a machine-readable way to exchange information. The Linux Foundation in 2021 declared SPDX an SBOM standard, though it was initially created for intellectual property and licensing use cases. Both organizations are expanding their respective SBOM standards efforts.

IBM has actively participated in advancing CycloneDX's standards efforts, Steve Springett, director of product security at ServiceNow and chair of the OWASP's CycloneDX working group, tells Dark Reading. "Software supply chain security is a topic of board-level discussions," Springett says. "There are many ways that organizations should improve their software supply chain assurance. And it starts with actually having all the data and more tools to drive more intelligence."

**Licensing Scanner Tool Brings Balance With SPDX**

The CycloneDX working group has introduced some license scanning capabilities over the years, including base-level support for SPDX license IDs. But CycloneDX's licensing capability has lagged the functionality of SPDX. Springett says the addition of IBM's License Scanner fills that void. "It's great that we have a license scanner as part of the project," Springett tells Dark Reading. "Having a dedicated license tool actually will invite more people to the Cyclone DX table that we've built."

Brian Fox, co-founder and CTO of AppSec tool provider Sonatype, agreed. "I think this helps balance things out with CycloneDX on the licensing side," Fox said. "It will provide more building blocks to enable tools in the ecosystem to work better. Being able to more easily add licensed data to your CycloneDX SBOM, if you don't have existing tooling to do that, is a useful utility. Having the ability to validate both formats is also a useful utility."

In an OWASP blog post on Wednesday announcing IBM's contribution, Springett noted that IBM's License Scanner scans files for licenses and legal terms. "It can be used to help identify text matching licenses and license exceptions from the complete, published SPDX License List," he wrote. "It can also be configured to identify additional legal terms, keywords, aliases, and non-SPDX licenses. As a library, License Scanner is designed to be integrated into existing BOM generation software or may be used by itself as a command-line utility."

**SBOM Utility Adds APIs to CycloneDX**

Springett described IBM's SBOM Utility as an API platform that can validate CycloneDX or SPDX-formatted BOMs with their published schemas. It can validate and analyze a variety of BOM types, including hardware (HBOMs) and SaaS (SaaSBOMs). In the future, Springett noted, SBOM Utility will support OWASP's Software Component Verification Standard (SCVS), "which is defining a BOM Maturity Model (BMM) to help in identifying and reducing risk in the software supply chain."

Also, he noted that SBOM Utility could process documents such as Vulnerability Disclosure Reports (VDRs) and Vulnerability Exploitability eXchange (VEX) data formats, which CycloneDX has specified provide risk assessment.

"The SBOM Utility is great because it takes an API approach and allows organizations to slice and dice the CycloneDX data model and all the data in it," Springett says. "If you care about certain aspects of the bill of material, you can quickly query it, which is fantastic. And you can then allow organizations to start creating policy based on the types of data that may or may not exist in that bill of material."

While IBM initially built SBOM Utility and License Scanner for its use, the company has not said whether it plans to release commercial versions.

IBM Contributes Supply Chain Security Tools to OWASP

**HOUSTON, Texas – March 2, 2023** – Hewlett Packard Enterprise (NYSE: HPE) today announced that it entered into a definitive agreement to acquire Axis Security, a cloud security provider. This acquisition will allow HPE to expand its edge-to-cloud security capabilities by offering a unified Secure Access Services Edge (SASE) solution to meet the increasing demand for integrated networking and security solutions delivered as-a-service. Axis Security’s Security Services Edge (SSE) platform addresses the need for improved application performance and increased network security as the number of remote users increases and as enterprises continue to migrate applications to the cloud.

Axis Security’s SSE offerings enable access to corporate and public-cloud resources, and the company’s cloud-based platform will build on Aruba’s existing Software-defined Wide Area Network (SD-WAN) and network firewall offering. This combination will provide a complete edge-to-cloud SASE solution, ensuring that Zero Trust security controls can be applied to people and devices, no matter where they connect – on campus, branch, home, or on the road.

“As we transition from a post-pandemic world, and a hybrid work environment has become the new normal, a new approach is needed for network edge security to protect critical SaaS applications,” said Phil Mottram, executive vice president and general manager, HPE Aruba Networking. “The convergence of Aruba and Axis Security solutions will transform edge-to-cloud connectivity with a comprehensive SASE solution that provides enterprises with the highest levels of security for both IoT devices and all users’ access across geographically distributed locations. Today, we also accelerate our vision to help our customers expand their secure connectivity needs with SASE and private 5G solutions, building on our recently announced agreement to acquire private cellular technology provider, Athonet.

Based in Tel Aviv, Israel, Axis Security provides a cloud-native SSE platform, Atmos, which delivers authenticated user access to private applications at the network edge, a secure web gateway (SWG) to safeguard user access to the Internet, and a cloud access security broker (CASB) that provides secure in-line access to SaaS apps, and Digital Experience Monitoring (DEM) to provide insights into user experience. 

“We developed Axis Security to enable a world where connectivity to every business resource, from anywhere, could always be simple, safe and reliable,” said Dor Knafo, CEO of Axis Security. “Our SSE platform is a natural complement to Aruba’s SD-WAN, network firewall, and dynamic segmentation offerings. Together, we create a unified SASE platform, designed to extend connectivity to edge, and do so through a combination of modern access services – all working together in harmony.”  

**HPE enhances SASE offering with cloud security through integrated Axis Security platform**  
HPE will integrate Axis Security technology with its existing Aruba secure networking offerings to complete its SASE offering, which delivers WAN and cloud security controls directly to the application at the network edge, rather than routing data through the data center. This helps customers by flexibly delivering all of a provider’s networking components as a service with one point of control – instead of acquiring, maintaining, and licensing separate components individually.  
In addition, the HPE GreenLake edge-to-cloud platform will integrate Axis Security’s cloud-native SSE platform, offering customers one single monthly subscription with no capital expenditure.  Customers can deploy these flexible as-a-service solutions with reduced risk and little upfront investment – and scale them according to demand.  

**HPE portfolio integration and availability**  
The transaction is expected to close by the end of the second quarter of the HPE 2023 fiscal year subject to customary closing conditions. HPE will integrate Axis Security’s solutions with its edge-to-cloud security solutions and plans to make them available to customers in the third quarter of the HPE 2023 fiscal year.

**About Hewlett Packard Enterprise**

Hewlett Packard Enterprise (NYSE: HPE) is the global edge-to-cloud company that helps organizations accelerate outcomes by unlocking value from all of their data, everywhere. Built on decades of reimagining the future and innovating to advance the way people live and work, HPE delivers unique, open and intelligent technology solutions as a service.  With offerings spanning Cloud Services, Compute, High Performance Computing & AI, Intelligent Edge, Software, and Storage, HPE provides a consistent experience across all clouds and edges, helping customers develop new business models, engage in new ways, and increase operational performance. For more information, visit: www.hpe.com

Axis Security Acquisition Strengthens Aruba's SASE Solutions With Integrated Cloud Security and SD-WAN

The Decider tool is designed to make the ATT&CK framework more accessible and usable for security analysts of every level, with an intuitive interface and simplified language.

The US Cybersecurity and Infrastructure Security Agency (CISA) has launched Decider, a free tool to help the cybersecurity community more easily map threat actor behavior to the MITRE ATT&CK framework.

Created in partnership with the US Homeland Security Systems Engineering and Development Institute (HSSEDI) and MITRE, Decider is a Web application that organizations can download and host within their own infrastructure, thus making it available to a range of users via the cloud. It's meant to simplify the often onerous process of using the framework accurately and effectively, as well as open up its use to analysts at every level in a given cybersecurity organization.

**ATT&CK: A Complex Framework**

ATT&CK is designed to help security analysts determine what attackers are trying to achieve and how far along they are in the process (i.e., are they establishing initial access? Moving laterally? Exfiltrating data?) It does this via a set of known cyberattack techniques and sub-techniques determined and refreshed periodically by MITRE, that analysts can map on top of what they might be seeing in their own environments.

The goal is to anticipate the bad guys' next moves and shut down attacks as quickly as possible. The framework can also be incorporated into a variety of security tools, and it provides a standard language for communicating with peers and stakeholders during incident response and forensic investigations.

That's all well and good, but the problem is that the framework is notoriously complex, often requiring a high level of training and expertise to select the correct mappings, for instance. It also continually expands, including beyond enterprise attacks to incorporate threats to industrial control systems (ICS) and the mobile landscape, adding to the complexity. In all, it's a sprawling data set to navigate — and cyber defenders often end up in the weeds when trying to use it.

"There are a lot of techniques and sub-techniques that are available and that can get very involved and very technical, and oftentimes analysts are overwhelmed, or it slows them down quite a bit, because they don't necessarily know if the sub-technique they're picking is the right one," James Stanley, section chief at CISA, says, noting that complaints about mis-mappings using the tool are common.

"When you go to the website, there's a lot of information in front of you and it gets daunting quickly. The Decider tool really just brings it into more plain language for an analyst to use, regardless of their level of expertise," he says. "We wanted to give our stakeholders more guidance on how to use the framework, and make it available to, say, junior analysts who could benefit from using it in real time during middle-of-the-night incident response, for instance."

    

Decider uses a series of questions to guide analysts through the framework. Source: MITRE Corp.

On a broader level, proselytizers at CISA and MITRE believe that a wider use of ATT&CK — as encouraged by Decider — will lead to better, more actionable threat intelligence — and better cyber-defense outcomes.

"At CISA, we really want to put the emphasis on using threat intelligence to be proactive in your defense and not reactive," Stanley says. "For a very long time, the industry's go-to for that has been to share indicators of compromise (IOCs), which have very broad, very limited context." 

In contrast, ATT&CK tips the playing field to the defense's advantage, he says, because it's granular and gives organizations a way to understand the specific threat actor playbooks that are relevant to their specific environments.

"Threat actors should know that their playbooks are essentially useless once we highlight what they do and how they do it and incorporate it into the framework," he explains. "Organizations that can use it have a much stronger security posture as opposed to just kind of blindly blocking IP addresses or hashes, like the industry is so used to doing. Decider gets us closer to that."

**Simplifying ATT&CK for Analyst Accessibility**

Decider makes ATT&CK mapping more accessible by walking users through a series of guided questions about adversary activity, with the goal of identifying the correct tactics, techniques, or sub-techniques in the framework to fit the incident in an intuitive way. From there, those results can "inform a range of important activities such as sharing the findings, discovering mitigations, and detecting further techniques," according to CISA's March 1 announcement of the new tool.

    

Decider uses simplified language and definitions for techniques and sub-techniques. Source: MITRE Corp.

  
In addition to the prepopulated guiding questions, Decider uses simplified language that would be accessible to any security analyst, an intuitive search and filter function for uncovering relevant techniques, and a "shopping cart" functionality that lets users export results to commonly used formats. Additionally, organizations can tailor and tune it to their own individual environments, including flagging common mis-mappings.

The hope is for ATT&CK to eventually become a foundational, background tool for cybersecurity organizations, according to John Wunder, department manager, CTI, and Adversary Emulation at MITRE, rather than the unwieldy, if useful, instrument that it has been.

"One thing that I would really love to see as ATT&CK moves more into the background is just a part of the day-to-day operations of cybersecurity and individual analysts just having to pay less attention to it," he says. "It's just something that should form the foundation of what we do and thinking about understanding adversary behaviors, and not something that you have to spend a lot of time thinking through each time you're doing an incident response. Decider is a big step forward to that."

The tool also helps ATT&CK's syntax to become the de facto common nomenclature across tools and security platforms, and for sharing threat intelligence.

"Once you see ATT&CK used across more and more of the ecosystem, and everyone using a common language, then the users of ATT&CK start to see more and more benefit from aligning things to the framework and using it to more effectively correlate tools and so on," Wunder says. "Hopefully through things like Decider that make it easier to use, we'll start to see more and more of that."

CISA, MITRE Look to Take ATT&CK Framework Out of the Weeds

The new White House plan outlines proposed minimum security requirements in critical infrastructure — and for shifting liability for software products to vendors.

The Biden-Harris administration today announced a sweeping new National Cybersecurity Strategy that, among other things, seeks to establish meaningful liability for software products and services and sets mandatory minimum cybersecurity requirements in the critical infrastructure sector.

When fully implemented, the strategy will also strengthen the ability of both federal and private sector entities to disrupt and dismantle threat actor operations and require all entities that handle data on individuals to pay closer attention to how they protect that data.

One key objective of the strategy is for federal regulators to look for opportunities to incentivize all stakeholders to adopt better security practices via tax structures and other mechanisms.

**Rebalancing the Responsibility for Cybersecurity**

"\[The strategy\] takes on the systemic challenge that too much of the responsibility for cybersecurity has fallen on individual users and small users," President Biden wrote in the introduction to his new plan. "By working in partnership with industry, civil society, and State, local, Tribal, and territorial governments, we will rebalance the responsibility for cybersecurity to be more effective and equitable."

Biden's strategy seeks to build collaboration and momentum around five specific areas: critical infrastructure protection, disruption of threat actor operations and infrastructure, promoting better security among software vendors and organizations handling individual data, investments in more resilient technologies, and international cooperation on cybersecurity.

Of these, the proposed initiatives around critical infrastructure security and shifting liability to software vendors and data processors could have the most significant impact.

The critical infrastructure component of Biden's strategy includes a proposal to expand minimum cybersecurity requirements for all operators of critical infrastructure. The regulations will be based on existing cybersecurity standards and guidance such as the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity and the Cybersecurity and Infrastructure Security Agency's (CISA) Cybersecurity Performance Goals.

**A Focus on Secure by Design**

The requirements will be performance based, adaptable to changing requirements, and focus on driving adoption of secure-by-design principles.

"While voluntary approaches to critical infrastructure security have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes," the strategy document said. Regulation can also level the playing field in sectors where operators are in a competition with others to underspend on security because there really is no incentive to implement better security. The strategy provides critical infrastructure operators that might not have the financial and technical resources to meet the new requirements, with potentially new avenues for securing those resources.

Joshua Corman, former CISA chief strategist and current vice president of cyber safety at Claroty, says the Biden administration's choice to make critical infrastructure security a priority is an important one.

"The nation has seen successful cyber disruptions in critical infrastructure that have significantly impacted numerous lifeline functions, including access to water, food, fuel, and patient care, to name just a few," Corman says. "These are vital systems that are increasingly suffering disruptions, and many of the owners and operators of this critical infrastructure are what I call 'target rich, cyber poor.'"

These are often among the most attractive targets for threat actors but have the least number of resources to protect themselves, he notes.

Robert DuPree, manager of government affairs at Telos, views congressional support as key to Biden's plans to bolster critical infrastructure cybersecurity.

"The push to impose mandatory cybersecurity requirements on additional critical infrastructure sectors will need congressional authorization in some cases, which in the current political environment is a longshot at best," he said in a statement. "The Republican House majority is philosophically opposed to new government mandates and is not likely to give the Biden Administration such authority."

**Holding Vendors Accountable for Software Security**

In what is likely to a controversial move, Biden's new national cybersecurity strategy also puts emphasis on holding software vendors more directly responsible for the security of their technologies. The plan specifically shifts liability for insecure software and services to the vendors and away from the end users who bear the consequences of insecure software.

As part of the effort, Biden's administration will work with Congress to try and pass legislation that would prevent software manufacturers and publishers with market power to simply disclaim away liability by contract. The strategy provides a safe harbor for organizations with demonstrably secure practices for software development and maintenance.

"Too many vendors ignore best practices for secure development, ship products with insecure default configurations, or known vulnerabilities," and with insecure third-party components, the strategy document said.

In addition to shifting liability to software vendors, the new strategy also calls for minimum security requirements for all organizations handling individual data especially geolocation and health data.

Support in Congress for efforts to shift liability to software vendors has manifested in fits and starts for over a decade, says Brian Fox, CTO and co-founder of Sonatype. "In 2013, H.R.5793 — Cyber Supply Chain Management and Transparency Act known as the Royce Bill started the conversation around introducing software bills of material (SBOM)," he says.

Ultimately that proposal didn't move forward, but the requirement for all software suppliers to the federal government to produce SBOMs on demand ended up being incorporated in a May 2021 Executive Order from President Biden, he says. "More recently, we've seen the Securing Open Source Software Act of 2022 working its way through committees. It seems clear that Congress is looking for a way to move the industry forward, and the strategy lays out specific new elements to be considered."

**Carrot and Stick**

As part of the effort to guide better security behavior, the federal government will use its enormous purchasing clout to get software and service suppliers to contractually adhere to minimum security requirements. It will use grants and other mechanisms — such as rate-making processes and tax structures — to get organizations to invest more in cybersecurity.

Karen Walsh, cybersecurity compliance expert at Allegro Solutions, says if the plan works as intended it could shift corporate mindsets from a "security means penalties" to a "security means attaining rewards" mentality.

"In many ways, this is similar to how the government already offers incentives for clean energy initiatives," Walsh says.

**Fighting Back**

One major focus of the new strategy is on strengthening federal and private sector capabilities to disrupt threat actor operations and infrastructure. The plans include developing a whole-of-government disruption capability, more coordinated takedowns of criminal infrastructure and resources, and making it harder for threat actors to use US infrastructure for cyber-threat operations.

"Dismantling threat actors is unlikely to take place on a broad scale," says Allie Mellen, a senior analyst at Forrester. "It's similar to the idea of 'hack back' — hypothetically great, but difficult to execute on."

Mellen considers the proposed expansion of regulations on critical infrastructure providers as by far the most significant component of the new strategy.

"Not only does it look to establish a set of minimum cybersecurity requirements, but it also begins to link technology providers such as infrastructure-as-a-service (IaaS) companies to these requirements, broadening its reach," she says.

Claroty's Corman says some of the proposals in the new strategy will likely trigger some hard conversations. But it is high time to have them, he notes.

"The more controversial topics, such as software liability, are admittedly going to be tougher to achieve," Corman notes. But the effort is crucial, he says.

"There is a significant gap between the current state and the desired state for critical infrastructure cyber-resilience — we need bold thinking and bold action in order to narrow that gap."

Biden's Cybersecurity Strategy Calls for Software Liability, Tighter Critical Infrastructure Security

Sold for around $5,000 in hacking forums, the BlackLotus UEFI bootkit is capable of targeting even updated systems, researchers find.

BlackLotus UEFI bootkits are deployed to take over the boot process of operating systems: bypassing security measures and deploying their malicious payloads.

Now, researchers with ESET are raising the alarm that even completely updated Windows 11 systems with UEFI Secure Boot enabled are vulnerable to BlackLotus attacks. Worryingly, the new bootkit, first discovered in October 2022, is readily available for as little as $5,000 on hacking forums.

"It was just a matter of time before someone would take advantage of these failures and create a UEFI bootkit capable of operating on systems with UEFI Secure Boot enabled," ESET explained in the report. "As we suggested last year in our RSA presentation, all of this makes the move to the ESP more feasible for attackers and a possible way forward for UEFI threats — the existence of BlackLotus confirms this."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

BlackLotus Bookit Found Targeting Windows 11

The same "sophisticated" threat actor has pummeled the domain host on an ongoing basis since 2020, making off with customer logins, source code, and more. Here's what to do.

For years, the domain registrar and Web hosting company GoDaddy has experienced a cyber barrage of extraordinary scale, it has confirmed — affecting both the company and its many individual and enterprise clients.

As described in its 10K filing for 2022, released Feb. 16, the company has been breached once every year since 2020 by the same set of cyberattackers, with the latest occurring just last December. It's worth also mentioning that the company has been the subject of earlier cyber incursions as well. The consequences to GoDaddy are one thing, but, more notably, the breaches have led to data compromises for more than 1 million of the company's users.

That may well be the key to why the bad guys keep coming back. Because of the nature of its business, GoDaddy is a connecting link to millions of businesses around the world. As Brad Hong, customer success lead at Horizon3ai puts it: "This is the equivalent of your landlord's office being left unlocked, giving a bad actor access to the keys to your house."

**GoDaddy's Three-Headed Breach**

While the world was coming to grips with COVID-19, thousands of GoDaddy customers had a second problem on their hands. In March 2020, the company discovered that an attacker had compromised the login details for a small number of their employees, as well as 28,000 of their hosting customers.

It was a harbinger of worse things to come.

In November 2021, a threat actor got their hands on a password that allowed them access to Managed WordPress, GoDaddy's hosting platform for building and managing WordPress sites. This case touched 1.2 million Managed WordPress customers.

There was yet more. In a statement published alongside its 10K, GoDaddy shared details of yet a third compromise.

"In early December 2022, we started receiving a small number of customer complaints about their websites being intermittently redirected," the company said. It turned out that an attacker had breached and planted malware on the company's hosting servers for cPanel, a control panel program for Web hosts. This malware intermittently redirected users from the websites they intended to visit, to malicious sites.

In their statement, the company claimed to "have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy. According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution, and other malicious activities."

**The Supply Chain Problem With Hosting Services**

According to Domain Name Stat, GoDaddy is far and away the largest domain name registrar on the Internet, capturing more than 12% market share with its nearly 80 million registered domains. Scale, alone, would make it an attractive target for cyberattacks, but being a hosting service makes this a whole other animal.

"GoDaddy and other Web hosting sites are prime targets for adversaries looking to conduct supply chain attacks," says Allie Roblee, intelligence analyst at Resilience. A company may take care to implement strong security practices and software, shunting phishing attacks, and patching up software bugs, yet still be vulnerable through a trusted provider like their Web hosting service. "Breaching large service providers like GoDaddy allows adversaries to compromise organizations and individuals they may have been unable to get into directly."

Of course, once attackers get in through the side entrance, they can do anything from stealing credentials to dropping malware, redirecting users to malicious sites, planting backdoors for later use, and much more. But "the implications for these compromises go even beyond that of security," Hong warns.

Consider an innocent person who intends to visit a business's website, but instead ends up redirected to a malicious site. Would that person ever risk visiting that business' website again? This, Hong points out, "hurts the reputation and operations of thousands, if not millions, of legitimate businesses."

Beyond that, there's a broader cost. "Weak security at this vendor level additionally allows attackers to force multiply their ability to carry out whatever objective they wish to," he explains. Such compromises "not only provide them with rich PII and private key data intelligence, but also an extensive network of websites and servers to do their bidding — similar to an IoT botnet, but instead of multiplying traffic, it multiplies the chances of successfully carrying out attacks which rely on humans as a weakness."

**What GoDaddy Customers Can Do**

If it didn't end that first or second time, how likely is it that the campaign against GoDaddy is over now? "It's possible," Roblee warns, "that the attackers still have access to GoDaddy's infrastructure or have the capability to find vulnerabilities in the stolen source code they can exploit to regain access."

For that reason, she says, "customers should audit any recently changed or uploaded files on their website to ensure that malware has not been installed. Additionally, I would recommend checking historical DNS records to see if any of their domains had been temporarily redirected."

Hong's advice is even simpler. "Affected businesses should change everything!" including all potentially affected login credentials, "and especially deprecating and creating fresh SSL private keys if using them."

Preventative measures will be more necessary going forward than ever before. As GoDaddy assessed in their 10K, the risk of attack "is likely to increase as we expand the number of cloud-based products we offer and operate in more countries."

GoDaddy declined to comment for this article beyond its published statement when contacted by Dark Reading.

What GoDaddy's Years-Long Breach Means for Millions of Clients

Access-as-a-service took off in underground markets with more than 775 million credentials for sale and thousands of ads for access-as-a-service.

The cybercrime economy centered around access to compromised systems, services, and networks has grown dramatically in the past year — with a sixfold increase in the number of credentials stolen via malware and offered for sale.

With cyberattackers using information-stealing malware to gather credentials, the expansion of access-as-a-service offerings has blossomed in the criminal underground with thousands of advertisements offering would-be cybercriminals access to compromised systems, according to findings in Recorded Future's newly published annual report.

In addition, the collection of data, use of stolen accounts, and phishing are among the top 10 most-discussed tactics in cybercriminals forums, according to the report.

The analysis of the most popular topics from underground forums demonstrates that stolen credentials and the sale of initial access continue to dominate cybercriminal markets, says David Carver, a senior manager at Recorded Future's Insikt research group.

"Credentials are a massive business because they continue to be successful and profitable for criminals," he says. "So as long as there continues to be fairly easy ways to monetize credentials at scale, which has been true for criminal markets for a long time, I don't see the drive for that type of theft changing."

    

Stolen credentials logged by info-stealing malware grew significantly in 2022. Source: Recorded Future

A decade ago, cybercriminals focused on stealing valuable data or on compromising specific companies that not only could be exploited but would also pay the attacker to leave them alone. Yet with the popularity of ransomware and the ability to use cryptocurrencies as a method of payment, attackers have been able to monetize nearly any breach of an organization. Thus, selling stolen credentials and opportunistic access has become the go-to product of the underground economy.

**MFA Fail**

Deploying stolen credentials has become more difficult for cybercriminals thanks to multifactor authentication (MFA), but attackers have countered with bypass techniques for many types of MFA, so credential theft has continues to be a standard post-breach tactic and access-as-a-service continues to thrive, Recorded Future's Carver explains.

"Until either our concept or our fundamental methods around identity change, there's not going to be a change in the criminal market, or at least not in the way that we're seeing right now," he says.

In 2021, the attackers focused on finding valuable systems and encrypting them with ransomware, with data encrypted for impact (T1486) and system information discovery (T1082) topping the list of trending tactics, techniques, and procedures uncovered by Recorded Future. In 2022, cybercriminals shifted their focus to the collection of data from local aystems (T1005) and the use of valid accounts (T1078) for access, according to the "2022 Annual Report."

The trend shows that access has become increasingly important, as cybercriminals have more options than just ransomware to monetize compromised systems, leading to information-stealing functionality becoming popular, the firm said. Ransomware payments decreased by nearly 60% in 2022 compared with 2021, according to Recorded Future's data.

"Credential sales remain popular on dark web marketplaces, typically for use in account takeover and credential stuffing attacks," the report stated. "The tactic has grown in sophistication with the rise of information-stealing malware and the proliferation of the malware-as-a-service model."

Recorded Future would not discuss the specifics of where its credential numbers came from, but its researchers believe that they have captured evidence of at least half of total campaigns from major info stealers.

"This is as close to 'bare metal' as you can get in terms of what is being exfiltrated and exposed as part of multiple different info-stealer malware campaigns," Carver says. "So to some extent, we're getting these directly as a result of understanding what data that malware is pulling in."

**Not Just Usernames and Passwords**

An attacker's focus on collecting credentials following a compromise has evolved as more information about the user has become necessary to bypass some security controls. Now, attackers are likely to collect session tokens from the browser cache, geographical information, browser version information, and other data in addition to usernames and passwords, Carver says.

"When we think about credential theft, what we actually need to be thinking about is the kind of complete browser fingerprint that some of these info sealers are looking for," he says.

Companies should assume that threat actors have employees' basic credentials, and that multifactor authentication could be bypassed, Carver said. They also need to ensure they can detect anomalous account behavior.

"The absolute first thing that \[companies should\] look at is identity and access management, making sure that across the complete scope of identities or platforms, or users that have access to anything internal, that there is a really robust and well understood security program," he says. "To me, that's table stakes right now for a more secure program, given the rise of info stealers."

Sale of Stolen Credentials and Initial Access Dominate Dark Web Markets

Overcoming the obstacles of this security principle can mitigate the damages of an attack.

When I was forming the idea for the company that would become Veza, my co-founders and I interviewed dozens of chief information security officers (CISOs) and chief information officers (CIOs). No matter the size and maturity of their modern tech-savvy companies, we heard one theme over and over: They could not see who had access to their company's most sensitive data. Every one of them subscribed to the principle of least privilege, but none of them could say how close their company came to achieving it.

"Least privilege" is defined by NIST's Computer Security Resource Center as "the principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function." That sounds simple, but things have changed. Data is now spread across multiple clouds, hundreds of SaaS apps, and systems old and new. As a result, all modern companies accumulate "access debt" — unnecessary permissions that were either too broad in the first place or no longer necessary after a job change or termination.

A KPMG study found that 62% of US respondents experienced a breach or cyber incident in 2021 alone. If any employee falls prey to phishing, but they only have access to non-sensitive information, there may be no economic impact at all. Least privilege mitigates the damage of an attack.

There are three obstacles to achieving least privilege: visibility, scale, and metrics.

**Visibility Is the Foundation**

It's hard to manage something you can't see, and access permissions are spread across countless systems in the enterprise. Many are managed locally within the unique access controls of a system (e.g., Salesforce admin permissions). Even when companies implement an identity provider, such as Okta, Ping, or ForgeRock, this only shows the tip of the iceberg. It cannot show all the permissions that sit below the waterline, including local accounts and service accounts.

    

Source: Veza

This is especially relevant today, with so many companies conducting layoffs. When terminating employees, employers revoke access to the network and SSO (single sign-on), but this does not propagate all the way to the myriad systems in which the employee had entitlements. This becomes unseen access debt.

For companies where legal compliance mandates periodic access reviews, visibility is manual, tedious, and vulnerable to omissions. Employees are dispatched to investigate individual systems by hand. Making sense of these reports (often, screenshots) might be possible for a small company, but not for one with a modern data environment.

**Scale**

Any company might have thousands of identities for employees, plus thousands more for non-humans, like service accounts and bots. There can be hundreds of "systems," including cloud services, SaaS apps, custom apps, and data systems such as SQL Server and Snowflake. Each offers tens or hundreds of possible permissions on any number of granular data resources. Since there is an access decision to make for every possible combination of these, it's easy to imagine the challenge of checking a million decisions.

To make the best of a bad situation, companies take a shortcut and assign identities to roles and groups. This addresses the scale problem but worsens the visibility problem. The security team might be able to see who belongs to a group, and they know the label on that group, but labels don't tell the whole story. The team can't see access at the level of tables or columns. When identity access management (IAM) teams are receiving a never-ending stream of access requests, it's tempting to rubber stamp approvals for the closest-fit group, even if that group confers broader access than necessary.

Companies can't overcome the scale challenge without automation. One solution is time-limited access. For example, if an employee was given access to a group but doesn't use 90% of the permissions for 60 days, it's probably a good idea to trim that access.

**Metrics**

If you can't measure it, you can't manage it, and nobody today has the tools to quantify how much "privilege" has been granted.

CISOs and their security teams need a dashboard to manage least privilege. Just as Salesforce gave sales teams the object model and dashboards to manage revenue, new companies are creating the same foundation for managing access.

How will teams quantify their access? Will it be called "privilege points"? Total permission score? A 2017 paper coined a metric for database exposure called "breach risk magnitude." Whatever we call it, the rise of this metric will be a watershed moment in identity-first security. Even if the metric is an imperfect one, it will shift a company's mindset toward managing least privilege like a business process.

**Going Forward**

The landscape has changed, and it has become practically impossible to achieve least privilege using manual methods. Fixing this will require new technologies, processes, and mindsets. The CISOs and CIOs I work with believe least privilege is possible, and they're making prudent investments to move beyond the bare minimum of quarterly access reviews. It won't be long before manual reviews are a thing of the past, and automation tames the complexity of modern access control.

Everybody Wants Least Privilege, So Why Isn't Anyone Achieving It?

A new report from Adaptive Shield looks at the how volume of applications being connected to the SaaS stack and the risk they represent to company data.

The software-as-a-service (SaaS) app footprint is expanding nonstop at every organization across the globe. Employees are granting third-party apps access to the company's core SaaS apps, like Microsoft 365 (M365) and Google Workspace, causing security risks. Meanwhile, security teams and organizations are unable to track the number of connected apps or quantify the level of risk these apps are causing.

The recently released report from Adaptive Shield, "2023 SaaS-to-SaaS Access Report: Uncovering the Risks & Realities of Third-Party Connected Apps," found an average of 4,371 connected apps in a typical 10,000 SaaS-user organization that are connected to both M365 and Google Workspace. Furthermore, over 89% of third-party apps connected to Google Workspace and 67% of apps connecting to M365 represent a high or medium risk to a company's SaaS data. Disturbingly, many of these apps are granted high-risk permissions that allow them to delete or share confidential and proprietary corporate data.

Providing insights into the unknown SaaS abyss, Adaptive Shield has aggregated anonymized customer data from hundreds of tenants to provide security teams with a realistic view of the ubiquity of third-party apps and explain today's SaaS-to-SaaS realities and risks in depth.

**Understanding the Issue**

Here's a scenario a typical employee could be facing: Google Docs lacks a native mail merge feature. Users who need this feature can find an app that does this. Mailmeteor, for example, can provide this functionality — and requires the employee to grant permissions enabling it to delete Google spreadsheets and send emails on behalf of the user.

Mail Merge, a different app, requests permission to see, edit, create, and delete all Google Docs documents, all Google Sheets spreadsheets, all Google Slides presentations, and any other Google Drive file. Mail Merge also requests permissions to manage drafts and send email, change settings and filters in Gmail, and run when users are not present.

In this scenario, Mail Merge is a more high-risk app for the employee to install. If a threat actor gained control of their Mail Merge application, they could easily delete, download, or encrypt entire Google Drives containing critical corporate data.

**Volume of Third-Party Connected Applications**

The sheer volume of third-party apps makes third-party connected apps nearly unmanageable. As companies grow, the number of apps increases in proportion to that growth.

These are the numbers of M365 connected apps on average by company size:

*   <5,000 users: 522 connected apps
*   5,000-10,000 users: 1,253 connected
*   10,000-20,000 users: 3,508 connected apps

Furthermore, apps connected to Google Workspace are significantly higher than M365. As shown in the chart below, these are the numbers of Google Workspace connected apps on average by company size:

*   <5,000 users: 1,309 connected apps
*   5,000-10,000 users: 4,216 connected apps
*   10,000-20,000 users: 13,913 connected apps

Based on these shocking stats, this means that, on average, a company with 1,000 users should expect to see over 600 apps connected to Google and 200 apps connected to M365.

    

Figure 1: Average number of apps integrated with Google Workspace by users.

A cursory glance at this data might lead one to think that the M365 environment has less cause for concern due to fewer connected applications. However, that is not the case.

While there are more third-party applications typically connected to the Google Workplace, when running the numbers, the amount of oversight and control needed by the security team working with Microsoft and Google to secure the connected apps are on a similar scale.

**Risky Permission and Scopes**

Every third-party app requests specific permissions when connecting to a SaaS app. The report categorizes these permissions as low, medium, and high risk, based on the types of permissions being requested by the application.

The "2023 SaaS-to-SaaS Access Report" details how 39% of apps connected to M365 are considered high risk, and another 28% are medium risk. Only 11% of apps connected to Google Workspace are high risk, but an overwhelming 78% are medium risk and require access to sensitive permissions.  

    

Figure 2. Risk level for apps connected to M365 and Google Workspace

Many applications with high permission scopes are able to read, update, create, and delete content. Apps are often granted full access to mailboxes, and can send emails as the user.

    

Figure 3: Top 3 high-risk permissions requested by apps connected to M365 and Google Workspace.

These permissions pose a significant risk to the company, as apps can be taken over by threat actors, who can steal, sell, encrypt, or publish the data that they find.

**Staying on Top of SaaS-to-SaaS Access**

The scope of SaaS-to-SaaS access makes it impossible to manage manually. Organizations trying to control this attack surface and protect data from the risks imposed by third-party apps require an automated tool.

SSPMs automate third-party app monitoring, providing visibility into each app connected to your SaaS stack and the permissions granted to each application.

Download the full report to read all the insights and findings.

**About the Author**  

    

A former cybersecurity intelligence officer in the IDF, Maor Bin has over 16 years in cybersecurity leadership. In his career, he led SaaS Threat Detection Research at Proofpoint and won the operational excellence award during his IDI service. Maor got his BSc in Computer Science and is CEO and co-founder of Adaptive Shield.

Source

DARKReading