SBOMs aren't enough. OpenSSF's Alpha-Omega brings in new blood to help secure the open source projects most impactful to the software supply chain.

The intricate labyrinth of open source dependencies across the global software supply chain has created an application security puzzle of mammoth proportions. Whether open source or closed, most of the world's software today is built on third-party components and libraries. Consequently, one piece of vulnerable code in even the smallest of open source projects can have a domino effect that impacts thousands of other applications, APIs, cloud infrastructure components, and more.

This issue is becoming one of the most pressing security concerns of CISOs today, and at an individual enterprise level, organizations are hard at work tackling it with projects like building out software bills of materials (SBOMs), establishing open source security management standards, and creating technical guardrails for developers to follow them.

But these efforts don't necessarily solve the problem at a more systemic level. According to many experts in the open source community, in order to make the biggest dent in the downstream supply chain, more effort needs to be put into helping open source project maintainers clean up their code.

This is the goal of the Alpha-Omega Project. About to hit its one-year anniversary next month, Alpha-Omega is a big-picture security project put together by the Open Source Security Foundation (OpenSSF) and its parent organization, the Linux Foundation, to address the fundamental issues in software supply chain security.

The "Alpha" side of the project is focused on collaborating with the maintainers of the open source projects most critical to the broader supply chain — including notables like node and jQquery — to help them level up the security posture of their code. These are projects hand-selected by the OpenSSF Securing Critical Projects working group using expert opinion and data from benchmarks like the Open SSF Criticality Score to determine the projects with the biggest downstream impact.

The "Omega" side of the project turns to the long-tail of software supply chain security, using automation and tooling to identify critical security vulnerabilities across a range of 10,000 widely deployed open source projects. It's an effort to scale up the remediation of the lowest-hanging, most obvious flaws that are pervasive across the supply chain.

Funded initially by Google and Microsoft, with additional toolchain and personnel support from financial giant Citi, Alpha-Omega wrapped up 2022 by snagging an additional $2.5 million from Amazon Web Services. More crucially, the project is preparing for 2023 with two new critical hires — Yesenia Yser, formerly a product security engineer for Red Hat, and Jonathan Leitschuh, who just finished up his one-year stint as the first Dan Kaminsky Fellow for Human Security. Yser steps in as a senior software security engineer, and Leitschuh will continue his research on automating open source security research and remediation as a senior software security researcher.

**Alpha-Omega Project's First Year**

This project is one of several high-profile security projects spearheaded and fundraised by OpenSSF and Linux Foundation in the past year to tackle the systemic issues in open source security. Following the organizations' successful model for rapid funding and action on security projects, Alpha-Omega has already made headway on a number of significant fronts.

According to the project's first annual report, the project has already engaged with five different open source projects: Node.js, the Eclipse Foundation, the Rust Foundation, jQuery, and the Python Software Foundation. Over the course of 2022, Alpha-Omega doled out $1.5 million in grants to different projects, including $460,000 to the Rust Foundation, $400,000 to the Eclipse Foundation, and $300,000 to Node. In the case of Node, that support helped it reactivate the Node Security Working Group and get it working on a security and threat model for Node.js. It also spurred the triaging of 20 different vulnerability reports across the project's code base.

Additionally, Alpha-Omega recently released the initial version of the Omega Analysis Toolchain, which orchestrates 27 different security analyzers for identifying critical vulnerabilities in open source packages. The project also released a number of experimental tools, including a triage portal to make security research and reporting more efficient.

For year two, the project plans to accelerate work on the Omega side of the house.

**What 2023 Has in Store for the Project**

The addition of Yser and Leitschuh to the Alpha-Omega Project will not only infuse more brainpower, time, and talent into existing efforts, but also plenty of enthusiasm for moving the needle on open source security.

"Open source software is in every piece of equipment that is used today, from our automotives, airplanes, phones, trackers, and even utility systems," says Yser, who has deep roots in the DevSecOps and software supply chain worlds. In her position at Red Hat she was the supply chain ops technical lead.

"The vision for the project has a global impact of improving the security posture of open source software, supply chain security, and the lives of folks around the world," she says.

Yser will be working directly on improving the Omega toolchain and the triage portal to help engineer improvements in how projects and vulnerability impacts are analyzed and prioritized for mitigation.

"For the Omega tool chain, a goal for this year will be to have an operationalized system that a maintainer or developer can leverage," she says. "For the Triage Portal, the goal will be to support a researcher's ability to triage a discovered finding via importing a SARIF report to the portal and handle their investigation within the system. The system will remain limited to the Alpha-Omega team until noted otherwise, but thanks to open source software, a researcher can run their own instance and submit pull requests to the repository and support the overall mission."

Yser will be working in close collaboration with Leitschuh, who brings significant and very fresh experience to bear in the area of scaling and automating fixes across open source projects. He spent last year's fellowship working on this exact problem. His goal is to continue the work he did there and use what he learned to further his mission of rooting out the most prevalent and impactful flaws lurking across a wide swath of open source projects.

"We may not know where those little pegs are that are holding up the entire software industry exist," Leitschuh says. "It could be one of those tiny little pieces of software that has 15 stars on GitHub that nobody knows, but it's holding up the entire Internet. So how do we secure those projects that no one knows about but \[are\] somehow fundamental to the entire supply chain?"

He says his work during the fellowship helped him further home in on his niche of not necessarily going very deep on any one security vulnerability, but instead looking at a certain type of vulnerability and developing automated ways of finding that same flaw in lots of different places across the open source ecosystem. This dovetails perfectly with the Omega ethos, which is what led him to his newest gig.

Leitschuh will keep supporting refinements on automated methods for running down flaws in Data Flow and Control analysis and auto pull request generation. But he's also going to be continuing the very manual work of collaboration. One of the important lessons he learned last year is that a lot of the work ahead of him and his Alpha-Omega team is not necessarily technical. It's about building relationships with maintainers to help them see how sometimes even simple fixes to their projects can have a huge impact on global software supply chain security postures.

"Technologists and software people, we don't always love the human element — it's easier for us to sit down and write a line of code that detects this thing and throw it over a wall than it is for us to engage with an actual person and try to convince them this is a thing worth fixing," he says.

He explains how one instance last year illustrates this point perfectly. In this case he worked with a maintainer of a YAML Parser that had a 6-year-old remote code execution flaw that had a lot of downstream impact. For a long time when Leitschuh approached him about it, the maintainer told him, "Don't trust untrusted YAML. This is not my vulnerability."

Finally, after sitting the maintainer down in a video call with lots of technical debate, Leitschuh was able to show him that the change he requested was extremely narrow and could have a huge impact.

"So he's now willing to fix this 6-year-old remote code execution vulnerability in this YAML Parser because someone like me sat down with him on a video call, finally, and had a conversation with him to convince him the minimal thing that he needed to do to make it more secure," he says.

While Leitschuh could have automated fixing the vulnerability downstream, the more elegant fix was having this discussion instead.

"I thought it was worth it for me to sit down and spend the time focusing on this one piece of software to try to convince this maintainer. Having those conversations is what's going to have a wider positive impact writ large on the entire industry," he says. "At that point you just need boots on the ground. You need people that know what they're talking about to sit down and spend time that is required to engage with an actual person."

Software Supply Chain Security Needs a Bigger Picture

**CAMBRIDGE, England****,** **Jan. 12, 2023** **/PRNewswire/ --** Darktrace, a global leader in cyber security artificial intelligence, today released three new cyber-threat trend reports revealing 2022 attack data observed across its global customer fleet.1 The industry reports pertain to the energy, healthcare, and retail sectors respectively.

"These industry-specific reports are the first of their kind released by Darktrace, representing an important effort to surface the data underpinning the rapidly evolving threat landscape that we are defending against," commented Toby Lewis, Global Head of Threat Analysis, Darktrace.

"The trends reveal crucial sector-specific challenges, from the tendency for hackers to siphon off the energy sector's resources in the form of crypto\-jacking, through to the invaluable nature of patient data which leads to data exfiltration in the healthcare sector," commented Lewis. "The surge in credential-based attacks across the retail sector reflects the fact that identity theft will be a key trend for 2023, increasing the need for AI-based behavioral analytics for understanding employee actions in rich context and authenticating the actions taken using certain credentials."

**Energy Sector: Key Findings**

Against the backdrop of a global energy crisis, Darktrace's energy sector report reveals that illegal crypto\-mining threats,whereby bad actors steal energy and processing power from other devices and networks, are on the rise across the industry. Notable findings include:

*   High-priority crypto\-mining accounted for 13 times more of all observed cyber incidents in the UK energy sector in 2022 compared to 2021
*   High-priority crypto\-mining accounted for 3 times more of all observed cyber incidents in the US energy sector in 2022 compared to 2021

The report divulges two real-world crypto\-mining threat finds from a European and US energy organization respectively, which were both stopped by Darktrace's AI technology. In the former case, attackers were caught attempting to mass pool crypto\-mining capabilities using 5 internal servers at the organization.

**Retail Sector: Key Findings**

As online shopping remains popular, Darktrace's retail sector report reveals that over the course of 2022, criminals increasingly turned toward credential theft, spoofing and stuffing to target this multi-billion-dollar industry's online infrastructure. Notably:

*   Credential theft, spoofing and stuffing accounted for over 170% more of all observed cyber incidents in the US retail sector in 2022 compared to 2021
*   Credential theft, spoofing and stuffing accounted for over 14% more of all observed cyber incidents in the UK retails ector in 2022 compared to 2021
*   Credential theft, spoofing and stuffing accounted for over 70% more of all observed cyber incidents in the Australian retail sector in 2022 compared to 2021

One threat find in the report from August 2022 details the discovery of a never-before-seen attack tool lying dormant inside a well-known UK automotive retailer. Months before Darktrace had been adopted by the retailer, one of its devices had become infected with novel malware that lay dormant, establishing a foothold and waiting for the right time to launch an attack. After deployment, Darktrace AI caught the malware when it made multiple authentication attempts using spoofed credentials for one of the organization's security managers. If successful, the attack could have undermined the organization's entire security posture, allowing malicious software to gain control of the company's infrastructure from within.

**Healthcare Sector: Key Findings**

Often viewed as a 'soft target' for cyber-criminals, hospitals and other healthcare organizations are extremely rich data sources from which attackers can make a profit by selling patient information such as medical records, credit cards or banking details. Darktrace's healthcare sector report notably revealed:

*   Data exfiltration was one of the top 3 observed threats faced by healthcare providers globally, with organizations in the UK and Australia suffering an increased volume in 2022
*   The most common attack type observed across healthcare globally in 2022 was suspicious network scanning, a form of intelligence gathering which often constitutes the initial phase of a cyber-attack

The report details a real-world sophisticated threat faced by a US healthcare provider in which a malicious PowerShell script was discovered to be deployed on one of the organization's internal servers, an attempt to give bad actors remote control over the target network. The threat was autonomously thwarted by Darktrace's RESPOND™ technology before attackers could do harm.

**About Darktrace**

Darktrace (DARK.L), a global leader in cyber security artificial intelligence, delivers complete AI-powered solutions in its mission to free the world of cyber disruption. Breakthrough innovations from the Darktrace Cyber AI Research Centre in Cambridge, UK and its R&D centre in The Hague, The Netherlands have resulted in over 125 patent applications filed and significant research published to contribute to the cyber security community. Darktrace's technology continuously learns and updates its knowledge of 'you' for an organization and applies that understanding to achieve an optimal state of cyber security. It is delivering the first ever Cyber AI Loop, fuelling a continuous end-to-end security capability that can autonomously prevent, detect, and respond to novel, in-progress threats in real time. Darktrace employs over 2,200 people around the world and protects over 8,100 organizations globally from advanced cyber-threats. It was named one of TIME magazine's 'Most Influential Companies' in 2021.

The data pertains to the period January-October 2022 and is compared with the same period in 2021.

Darktrace Publishes 2022 Cyberattack Trend Data For Energy, Healthcare & Retail Sectors Globally

**SAN FRANCISCO -- (****BUSINESS WIRE****) --** Cloudflare, Inc. (NYSE: NET), the security, performance, and reliability company helping to build a better Internet, today announced an expansion of its relationship with Microsoft to help customers easily deploy, automate, and enhance their organization’s Zero Trust security.

Working from anywhere is more common than ever, and critical applications have moved to the cloud—no longer residing inside an office protected by a secure perimeter. This fundamental shift in where and how people work has caused enterprises to rethink legacy tools and abandon the traditional castle-and-moat approach to security, looking towards Zero Trust instead. As CIOs continue to navigate this paradigm shift, Cloudflare has developed a new set of integrations with Microsoft to help organizations on this journey. Now, mutual customers can seamlessly deploy Zero Trust security tools in minutes, with no complex code changes, and add industry-first features, such as Cloudflare’s Remote Browser Isolation technology.

"When I speak with CIOs, I continue to hear that their number one concern remains security, closely followed by adapting to the new hybrid world,” said Matthew Prince, CEO and co-founder at Cloudflare. “We want to make it easier than ever for IT leaders to deploy Zero Trust security across the enterprise and keep users safe wherever they are working from. I’m thrilled that we are deepening our integration with Microsoft so we can help our joint customers easily deploy Zero Trust security across some of the most used applications in the workplace.”

Through these new integrations, Cloudflare now provides a comprehensive identity driven approach to protect applications, users, devices and networks from attacks. These integrations pair Microsoft Identity solutions and Cloudflare network security tools to create a quality Zero Trust offering.

“A cloud-native Zero Trust security model has become an absolute necessity as enterprises continue to adopt a cloud-first strategy,” said Joy Chik, President, Identity and Network Access, Microsoft. “Cloudflare has developed robust product integrations with Microsoft to help security and IT leaders prevent attacks proactively, dynamically control policy and risk, and increase automation in alignment with Zero Trust best practices.”

Cloudflare and Microsoft Azure Active Directory (Azure AD) customers can now:

*   **Deploy Zero Trust Security without changing one line of code:** Now joint customers can choose to define specific rules in either Azure AD or in Cloudflare Access i.e. which users can access specific applications based on various factors such as user risk level, device platform, location, etc. and enforce across both products without changing a line of code.
*   **Isolate high-risk users automatically with industry leading browser isolation technology:** By integrating Cloudflare’s Remote Browser Isolation with Azure AD, high-risk users, such as temporary employees, are contained proactively in a remote browser session for added security.
*   **Save IT teams hundreds of hours of manual work:** Cloudflare Access will use the System for Cross-Domain Identity Management (SCIM) to directly integrate with Azure AD. Groups are automatically synced across Cloudflare and Azure Active Directory platforms and groups, saving hundreds of hours of manual work from IT teams.
*   **Keep sensitive Government data off of the public Internet:** By connecting Azure Government Cloud to Cloudflare’s global network via the Secure Hybrid Access (SHA) program, Government customers (‘GCC’) will be able to keep sensitive traffic secure by staying off of the public Internet. Additionally, Government customers (‘GCC’) will be able to define and enforce granular rules defining who can access what using the joint solution from the dashboard without any code changes.

Cloudflare has worked with Microsoft since 2018 to provide mutual customers with an improved Internet experience by securing web applications and safeguarding employees with identity and device protections. Cloudflare’s deep integrations across Microsoft 365 and Azure have supported many of the largest Fortune 500 companies on their Zero Trust journey, enabling customers to simply and easily support their security and performance needs. Most recently, Microsoft named Cloudflare the winner of its Security Software Innovator of the Year award.

To learn more about Cloudflare’s integration with Microsoft, check out the resources below:

*   Blog: Expanding our collaboration with Microsoft: proactive and automated Zero Trust security for customers
*   Joint reference architecture
*   Joint Zero Trust Webinar
*   Microsoft landing page
*   Docs: Enable SCIM on the Zero Trust dashboard
*   Docs: Use multiple Azure AD Conditional Access Policies with Access
*   Docs: Isolate Azure AD risky users

**About Cloudflare**

Cloudflare, Inc. (www.cloudflare.com / @cloudflare) is on a mission to help build a better Internet. Cloudflare’s suite of products protect and accelerate any Internet application online without adding hardware, installing software, or changing a line of code. Internet properties powered by Cloudflare have all web traffic routed through its intelligent global network, which gets smarter with every request. As a result, they see significant improvement in performance and a decrease in spam and other attacks. Cloudflare was awarded by Reuters Events for Global Responsible Business in 2020, named to Fast Company's Most Innovative Companies in 2021, and ranked among Newsweek's Top 100 Most Loved Workplaces in 2022.

**Forward-Looking Statements**

This press release contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended, which statements involve substantial risks and uncertainties. In some cases, you can identify forward-looking statements because they contain words such as “may,” “will,” “should,” “expect,” “explore,” “plan,” “anticipate,” “could,” “intend,” “target,” “project,” “contemplate,” “believe,” “estimate,” “predict,” “potential,” or “continue,” or the negative of these words, or other similar terms or expressions that concern Cloudflare’s expectations, strategy, plans, or intentions. However, not all forward-looking statements contain these identifying words. Forward-looking statements expressed or implied in this press release include, but are not limited to, statements regarding Cloudflare’s partnership with Microsoft and the potential resulting benefits to Cloudflare customers, the potential benefits to customers of integrating Cloudflare and Microsoft products, the potential opportunity for Cloudflare to attract additional customers and to expand sales to existing customers through Cloudflare’s product integrations with Microsoft, the expected functionality and performance of Cloudflare’s Zero Trust and other products and technology, Cloudflare’s technological development, future operations, growth, initiatives, or strategies, and comments made by Cloudflare’s CEO and others. Actual results could differ materially from those stated or implied in forward-looking statements due to a number of factors, including but not limited to, risks detailed in Cloudflare’s filings with the Securities and Exchange Commission (SEC), including Cloudflare’s Quarterly Report on Form 10-Q filed on November 3, 2022, as well as other filings that Cloudflare may make from time to time with the SEC.

The forward-looking statements made in this press release relate only to events as of the date on which the statements are made. Cloudflare undertakes no obligation to update any forward-looking statements made in this press release to reflect events or circumstances after the date of this press release or to reflect new information or the occurrence of unanticipated events, except as required by law. Cloudflare may not actually achieve the plans, intentions, or expectations disclosed in Cloudflare’s forward-looking statements, and you should not place undue reliance on Cloudflare’s forward-looking statements.

Cloudflare Expands Relationship With Microsoft

This move accelerates the company’s vision of becoming the de facto identity security platform of choice for the modern enterprise.

**AUSTIN, January 12, 2023 –** SailPoint Technologies, Inc., the leader in enterprise identity security, today announced it has acquired SecZetta, the leading provider of third-party identity risk solutions. With nearly half of today’s enterprises comprised of non-employees, organizations need to factor this growing group of identities into their approach to identity security. With SecZetta, SailPoint will help companies gain better visibility into all types of identities, across both employee and non-employee identities – from third-party contractors to temporary workers, and non-human identities – all from a single, market-leading identity security platform. This acquisition will give enterprises the centralized approach needed, plus the proper identity proofing required to fully validate non-employee identities across their businesses. 

"The enterprise identity landscape has changed significantly in the last few years. We went from a largely in-office workforce to a distributed, virtual workforce and now a hybrid workforce. On top of that, most enterprises no longer rely solely on full-time employees to keep their business running. Yet not all of these companies have considered how this change impacts their approach to identity security," said Grady Summers, EVP Product for SailPoint. "With SecZetta, we can quickly give our customers the consolidated intelligence and visibility they need to ensure proper oversight into all identities and their technology access needs, regardless of whether they are a full-time employee or not."

SailPoint and SecZetta have a long-standing partnership. Once SecZetta’s solutions are fully integrated into SailPoint’s Identity Security Cloud platform, SailPoint will deliver a unified platform to customers — providing context-rich identity information with the right level of intelligence needed to answer the "who should have access to what", "when" and "why" questions for this unique, often under-secured set of identities. With SecZetta, SailPoint will also be able to further help companies with identity consolidation efforts, merging and organizing workforce data across authoritative sources to create a centralized repository of identities.  This identity intelligence will then be offered as a packaged offering within the Identity Security Cloud platform to deliver the next generation of identity security — one that provides the critical layer of risk management and governance needed across both employee and non-employee identities from a single platform.

"Acquiring SecZetta allows us to quickly address an emerging threat to our customers’ business — and that is this gap in visibility over non-employee identities. Here at SailPoint, we want to be known as the kind of company our customers can always rely on to anticipate and solve for their needs as they continue to evolve," said Mark McClain, CEO and Founder, SailPoint.  "This announcement underscores our relentless focus on accelerating our vision of becoming the de facto identity security platform of choice that discovers, manages and secures all identities across the modern enterprise." 

**About SailPoint**

SailPoint is the leading provider of identity security for the modern enterprise. Enterprise security starts and ends with identities and their access, yet the ability to manage and secure identities today has moved well beyond human capacity. Using a foundation of artificial intelligence and machine learning, the SailPoint Identity Security Platform delivers the right level of access to the right identities and resources at the right time—matching the scale, velocity, and environmental needs of today’s cloud-oriented enterprise. Our intelligent, autonomous, and integrated solutions put identity security at the core of digital business operations, enabling even the most complex organizations across the globe to build a security foundation capable of defending against today’s most pressing threats.

SailPoint Acquires SecZetta to Provide Identity Security for Non-Employee Identities

Unpatched Cisco bugs, tracked as CVE-2023-20025 and CVE-2023-20026, allow lateral movement, data theft, and malware infestations.

Two security vulnerabilities in Cisco routers for small and midsize businesses (SMBs) could allow unauthenticated cyberattackers to take full control of a target device to run commands with root privileges. Unfortunately, they'll remain unpatched even though proof-of-concept exploits are floating around in the wild.

Among other things, a successful compromise could allow cyberattackers to eavesdrop on or hijack VPN and session traffic flowing through the device, gain a foothold for lateral movement within a company's network, or run cryptominers, botnet clients, or other malware.

"It’s an attractive target from a technical point of view. As an attacker, if you manage to get remote code execution on core routing or network infrastructure, your ability to move laterally increases exponentially," noted Casey Ellis, founder and CTO at Bugcrowd, in an emailed comment.

**Critical-Rated Bug Offers Root Privileges**

The first bug is a critical-rated authentication bypass issue (CVE-2023-20025) that exists in the Web management interface of the devices and carries a rating of 9 out of 10 on the CVSS vulnerability-severity scale.

Meanwhile, the second flaw — tracked as CVE-2023-20026 — can allow remote code execution (RCE) with a caveat: an attacker would need to have valid administrative credentials on the affected device to be successful, so the bug is rated medium, with a 6.5 CVSS score.

They both affect all versions of the RV016, RV042, RV042G, and RV082 routers, which have reached end of life (EoL). As such, the appliances therefore no longer receive security updates, according to the networking giant's Jan. 11 advisory.

The advisory noted that both bugs are "due to improper validation of user input within incoming HTTP packets," so an attacker needs only to send a crafted HTTP request to the Web-based management interface to gain root access on the underlying operating system.

Cisco "is aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory," it said, though in-the-wild attacks have so far not been spotted.

While there are no workarounds that address the bugs, a possible mitigation would be to disable remote management of the routers and block access to ports 443 and 60443, according to Cisco, meaning the routers would only be accessible through the LAN interface.

"It’s always a best practice not to allow remote administration of network devices accessible from the open internet, however, small business using some MSP/MSSPs have to leave it open for their service providers," John Bambenek, principal threat Hunter at Netenrich, noted via email. "That said, this is the worst of all worlds with PoC code publicly available and no ... patches available."

Replacing the devices is the best course of action to fully protect one's business, the researchers noted.

**Big Impact, Even at EoL**

Researchers noted that the routers' existing installed base is significant, even though the devices have been discontinued. It's not uncommon for out-of-date gear to linger on in business environments well after it's been cut off — offering a rich playground for cyberattackers.

"The Cisco small business routers affected by these vulnerabilities still see reasonably widespread usage, though they are all officially end of life," Mike Parkin, senior technical engineer at Vulcan Cyber, said via email. "The challenge will be that these devices are typically found in small businesses with limited resources or used by individuals who may not have the budget to replace them."

And, it's not just SMBs who are affected, Bugcrowd's Ellis noted: "SMB routers are very widely deployed, and in a post-COVID hybrid/work from home world, it’s not just an SMB problem. Branch offices, COEs, and even home offices are potential users of the vulnerable product."

Critical Cisco SMB Router Flaw Allows Authentication Bypass, PoC Available

Energy has become the new battleground for both physical and cyber security warfare, driven by nation-state actors, increasing financial rewards for ransomware gangs and decentralized devices. Chris Price reports.

The physical threat to the world's critical national infrastructure (CNI) has never been greater. At least 50 meters of the Nord Stream 1 and 2 underground pipelines that once transported Russian gas to Germany were destroyed in an attack in late September 2022, though it remains unclear who is to blame.

More recently, Russia has also shifted its war in Ukraine to targeting energy infrastructure with its own missiles and Iran-supplied Shahed-136 drones. According to a tweet from Ukraine's President Volodymyr Zelensky on Oct. 18, "30% of Ukraine's power stations have been destroyed, causing massive blackouts across the country," while on Nov. 1 during a meeting with the European Commissioner for Energy, Kadri Simson, Zelensky said that between "30% and 40% of \[the country's\] energy systems had been destroyed."

**Growing Cybersecurity Threat**

However, physical security threats resulting from the war in Ukraine and increasing tensions between East and West aren't the only serious threats to our CNI. There is a growing cybersecurity threat too. On May 7, 2021, the Colonial Pipeline that originates in Houston, Texas, and that carries gasoline and jet fuel to the southeastern US was forced to halt all of its operations to contain a ransomware attack.

In this attack, hackers gained entry through a VPN (virtual private network) account that allowed employees to access the company's systems remotely using a single username and password found on the Dark Web. Colonial paid the hackers, who were an affiliate of a Russia-linked cybercrime group Darkside, a $4.4 million ransom shortly after the attack.

Less than a year later, Sandworm, a threat group allegedly operated by the Russian cybermilitary unit of the GRU, attempted to prevent an unnamed Ukrainian power provider from functioning. "The attackers attempted to take down several infrastructure components of their target, namely: Electrical substations, Windows-operated computing systems, Linux-operated server equipment, \[and\] active network equipment," the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said in a statement.

Slovak cybersecurity firm ESET, which collaborated with Ukrainian authorities to analyze the attack, said the attempted intrusion involved the use of ICS-capable malware and regular disk wipers, with the adversary unleashing an updated variant of the Industroyer malware.

"The Sandworm attackers made an attempt to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine," ESET explained. The victim's power grid network was understood to have been penetrated in two waves, the initial compromise coinciding with the Russian invasion of Ukraine in February 2022 and a follow-up infiltration in April allowing the attackers to upload Industroyer2.

**Digitized Environments**

According to John Vestberg, CEO of Clavister, a Swedish company specializing in network security software, "it is now beyond doubt that cybercriminals pose an ever-increasing threat to critical national infrastructure." He adds: "CNI, such as oil and gas, is a prime target for ransomware gangs." He believes energy firms and their suppliers need to take a more proactive, rather than reactive, approach to cybersecurity using predictive analytics and tools like AI (artificial intelligence) and ML (machine learning) technologies.

Camellia Chan, CEO and founder of Flexxon brand X-PHY, agrees: "It's crucial that CNI organizations never take their eyes off the ball," she says. "Good cybersecurity is an ongoing, proactive, intelligent, and self-learning process and embracing emerging tech such as AI as part of a multilayered cybersecurity solution is essential to detect every type of attack and help create a more robust cybersecurity framework."

Nor are the well-organized, often state-sponsored, ransomware gangs the only problem CNI organizations face. Part of the issue is that as industrial organizations (including utilities such as water and energy companies) digitize their environments, they are exposing potential security weaknesses and vulnerabilities to threat actors much more than in the past.

**Integrated IT/OT Networks**

Whereas traditionally security was not viewed as being of critical importance because an organization's OT (operational technology) network was designed to be isolated, and also because it ran proprietary industrial protocols and custom software, this is no longer the case.

As Daniel Trivellato, VP of OT product engineering at Forescout, a cybersecurity automation software company, says: “OT environments have modernized and are no longer air-gapped from IT networks, meaning that they are more exposed and their lack of security measures poses a critical risk." In connecting these two environments, organizations are increasing the threat landscape but not necessarily putting in appropriate measures to mitigate the risk.

According to Trivellato, this hasn't gone "unnoticed by threat actors" with ICS- and OT-specific malware such as Industroyer, Triton, and Incontroller evidence of the increasingly sophisticated capabilities that attackers have begun to deploy in attacking, resulting in many serious incidents. "While most OT devices can't be patched out, there are practices to address the weaknesses such as device visibility and asset management, segmentation, and continuous monitoring of traffic," Trivellato adds.

**Grid Edge Risk**

For Trevor Dearing, director of critical infrastructure solutions at zero-trust segmentation company Illumio, part of the attraction to cybercriminals of attacking energy companies is the potentially high rewards on offer. "Many of the gangs are realizing that if they can prevent the service from being delivered to customers then companies are more likely to pay the ransom than if they are just stealing data," he says.

A further problem, he says, is that energy systems no longer just comprise the traditional grid including power stations and power lines. Instead, what's emerging is what's known as the "grid edge" — decentralized devices such as smart meters as well as solar panels and batteries in people's homes and businesses. Utah-based company sPower, which owns and operates over 150 generators in the US, was believed to be the first renewable energy provider to be hit by a cybersecurity attack in March 2019 when threat actors exploited a known flaw in Cisco firewalls to disrupt communications over a span of about 12 hours.

One way that renewable energy systems are particularly vulnerable to attack is through their inverters. Providing the interface between solar panels and the grid, these are used to convert the DC (direct current) energy generated by the PV (photovoltaic) solar panel into AC (alternating current) electricity provided to the mains. If the inverter's software isn't updated and secure, its data could be intercepted and manipulated in much the same way as previous attacks in Ukraine and the US. Furthermore, an attacker could also embed code in an inverter that could spread malware into the larger power system, creating even more damage.

According to Ali Mehrizi-Sani, associate professor at Virginia Polytechnic Institute and State University and co-author of a 2018 paper assessing the cybersecurity risk of solar PV, hackers can artificially create a malfunction in a PV system to launch cyberattacks to the inverter controls and monitoring system.

"This is a vulnerability that can be, and has been, exploited to attack the power system," he told online publication PV Tech in November 2020. And while currently the potential risk of a cybersecurity attack to solar power networks remains low because the technology hasn't yet reached critical mass, as it becomes more decentralized — with solar panels installed in public places and on top of buildings — managing networks will increasingly rely on robust, cloud-based IoT security.

**Greater Regulation**

One way that governments as well as organizations can ensure the highest levels of CNI protection is with the implementation of standards. For example, Germany put in IT security laws several years ago, making it mandatory for all network providers, operators, and other CNI businesses to ensure they meet the ISO 27001 family of standards for information security management systems (ISMS), while in the UK there are obligations stipulated in the BSI Criticality Ordinance to demonstrate a complete IT security strategy to secure the operation of critical infrastructure.

Similarly in the US, the NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) group of standards govern critical infrastructure of all entities that materially affect the BES (Bulk Electrical System) in North America — though this set of standards only applies to electricity and not to the oil and gas industries. According to Cliff Martin, head of cyber incident response at GRCI Law, a legal, risk, and compliance consultancy firm, staff who are responsible for CNI need to be trained accordingly and understand that their actions can have real consequences. "This means they can't simply copy and paste traditional IT cybersecurity measures over to the IT environment — it just doesn't work like that."

However, Illumio's Dearing says that what's happening is that more and more companies are developing a single strategy for both OT and IT environments. "The key," he says, "is to assume you are going to be breached and plan accordingly. If you segment by separating out all the different bits of your infrastructure, then an attack on one part isn't necessarily going to have a knock-on effect on all the other parts."

The war in Ukraine and attacks on the Nord Stream pipelines have alerted companies to the physical threat posed to energy infrastructure, especially during winter in the northern hemisphere. However, that's not the only concern. Cybersecurity attacks on CNI are increasing, partly because of a growing threat from nation-state actors but also because cybercriminals are realizing that they can make serious money from potentially denying a much-needed service to customers. At the same time, the convergence of OT and IT technologies is providing a potentially much greater attack surface for cybercriminals to target.

Whereas traditionally security has not been seen as a critical consideration for OT, this needs to change with an increased focus on technical solutions such as segmentation and continuous monitoring of network traffic if companies are going to prevent a potentially catastrophic breach to CNI from taking place.

_**—Story by Chris Price**_

_This story first appeared on_ _IFSEC Global__, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more._

Securing the World's Energy Systems: Where Physical Security and Cybersecurity Must Meet

Russia's NoName057(16) group offers incentives and prizes via Telegram channel for "heroes" to mount attacks against targets within Ukraine and pro-Ukrainian countries.

A Russian threat group is offering incentives and cryptocurrency prizes in an effort to recruit Dark Web volunteers — who it calls "heroes" — to its distributed denial-of-service (DDoS) cyberattack ring.

A group tracked as NoName057(16) has launched the project, called DDosia, which aims at bolstering an earlier effort to mount DDoS attacks on websites in Ukraine and pro-Ukrainian countries. However, rather than try to do all the work themselves, DDosia "entices people to join their efforts by offering prizes for the best performers, paying rewards out in cryptocurrencies," Avast researcher Martin Chlumecký wrote in a post on the Avast.io "Decoded" blog published Jan. 11.

Avast researchers first identified NoName057(16) in September, when they observed Ukraine-targeted DDoS attacks that the group was carrying out using botnets. The campaign specifically targeted websites belonging to governments, news agencies, armies, suppliers, telecommunications companies, transportation authorities, financial institutions, and more in Ukraine, as well as in neighboring countries supporting Ukraine, such as Estonia, Lithuania, Norway, and Poland.

A remote access Trojan (RAT) called Bobik was instrumental in carrying out the DDoS attacks for the group in the original attack, which had a success rate of 40 percent using the malware, the researchers said.

However, the group ran into a hitch in their plans when the botnet was taken down in early September, according to the group's Telegram channel, the researchers said. NoName057 subsequently launched DDosia to target the same set of pro-Ukraine entities on Sept. 15 as a response to this setback, they said.

"By launching the DDosia project, NoName057(16) tried to create a new parallel botnet to facilitate DDoS attacks," Chlumecký wrote in the post. The project also represents a pivot to a public, incentive-based DDoS effort versus the more secretive Bobik botnet, the researchers said.

**DDosia Technical Details**

The DDosia client is comprised of a Python script created and controlled by NoName057(16). The DDosia tool is only available for verified/invited users via a semiclosed Telegram group — unlike the Babik malware, the researchers said. Another differentiator between the two efforts is that DDosia appears to have no additional backdoor activity, they noted. Bobik on the other hand offers extensive spyware capabilities, including keylogging, running and terminating processes, collecting system information, downloading/uploading files, and dropping further malware onto infected devices.

To become a DDosia member, a volunteer must through a registration process facilitated by the @DDosiabot in the dedicated Telegram channel, the researchers said. After registering, members receive a DDosia zip file that includes an executable.

NoName057(16) also "strongly recommends" that volunteers use a VPN client, "connecting through servers outside of Russia or Belarus, as traffic from the two countries is often blocked in the countries the group targets," Chlumecký wrote.

The principal DDosia C2 server used in the DDosia campaign was located at 109. 107. 181. 130; however, it was taken down on Dec. 5, researchers said. Because NoName057(16) continues to actively post on its Telegram channel, the researchers assume it must have another botnet, they said.

The DDosia application has two hardcoded URLs that are used to download and upload data to the C2 server. The first one is used to download a list of domain targets that will be attacked, while the second one is used for statistical reporting, the researchers said.

DDosia sends the list of targets to the botnet as an uncompressed and unencrypted JSON file with two items: targets and randoms, the researchers said.

"The former contains approximately 20 properties that define DDoS targets; each target is described via several attributes: ID, type, method, host, path, body, and more," Chlumecký wrote. "The latter describes how random strings will look via fields such as: digit, upper, lower, and min/max integer values."

DDosia also generates random values at runtime for each attack, likely because attackers want to randomize HTTP requests and make each HTTP request unique for a better success rate, the researchers said.

**Rewarding DDoS "Heroes"**

The most important new aspect of DDoS attacks is the possibility of volunteers who get involved in the campaign being rewarded, the researchers said. Via one of the aforementioned technical aspects of how DDosia works, NoName057(16) collects statistical information about performed attacks and successful attempts by its network of volunteers, which it calls "heroes," they said.

NoName057(16) pays out these heroes — who Chlumecký noted can "easily" manipulate the statistics for success — in cryptocurrency sums of up to thousands of rubles, or the equivalent of hundreds of dollars.

**DDosia: Looming Potential for Disruption**

Currently, the success rate of the DDosia campaign is lower than the previous Bobik campaign, with around 13% of all of attempted attacks disrupting targets, the researchers said.

However, the project "has the potential to be a nuisance when targeted correctly," Chlumecký wrote. The group currently has about 1,000 members; however, if that rises, researchers expect its success rate also to grow, they said.

"Therefore, the successful attack depends on the motivation that NoName057(16) provides to volunteers," Chlumecký explained.

The researchers estimate that one DDosia "hero" can generate about 1,800 requests per minute using four cores and 20 threads, with the speed of request generation depending on the quality of the attacker’s Internet connection. Assuming that at least half of the current membership base is active, this means that the total count of requests to defined targets can be up to 900,000 requests per minute, the researchers said.

"This can be enough to take down Web services that do not expect heavier network traffic," Chlumecký noted. Meanwhile, "servers that expect a high network activity load are more resilient to attacks," he added.

"Given the evolving nature of DDosia and its fluctuating network of volunteers, only time will tell how successful DDosia ultimately will be," Chlumecký said.

Indeed, Russia's attack on Ukraine in February 2022 has driven DDoS attacks to an all-time high, allowing attackers to cause digital and IT-related disruption in a cyberwar that's been mounted alongside the ground war since it began.

NonName057(16) are among a number of threat groups perpetrating these attacks, albeit one of the less sophisticated ones whose attacks at this point remain low-impact and cause little significant damage, the researchers said.

Chlumecký likened the group to another pro-Russia threat actor Killnet, whose activities are aimed at drawing media attention: "NoName057(16) activities are still more of a nuisance than dangerous."

Big Prizes, Cash on Offer for Joining 'DDosia' Anti-Ukraine Cyberattack Project

Organizations must be vigilant about balancing performance gains with security, governance, and compliance as they expand their use of Kubernetes.

It's not so much whether organizations are using Kubernetes today, but how they are expanding its use. The use of multiple clusters, for example, is increasing and moving across organizational boundaries. Kubernetes itself is being shored up to meet the resulting security issues. The newest version, Kubernetes 1.26, adds features designed to strengthen the chain of trust, among other security updates. In fact, there are a number of projects organizations should be watching — and potentially evaluating — to ensure they are optimizing their use of Kubernetes while building stronger security, observability, governance, and compliance.

**SPIFFE and SPIRE****

Identity for everything is an important part of securing your Kubernetes environment, but end-to-end identity is still an unsolved problem — especially in multicluster Kubernetes environments. Say you have a service in Kubernetes and you need to authenticate to an off-cluster service that's running in the cloud or on-premises. How do you ensure you have a secure chain of identity from the launch of the service to all of the things it's communicating with and connecting to — on and off cluster?

The SPIFFE project is a set of open source standards for securely identifying software systems in workloads across heterogeneous environments and organizational boundaries. Secure Production Identity Framework for Everyone (SPIFFE) defines short-lived cryptographic identity documents, or Shadow Virtual Intrusion Detection System (SVIDS), that workloads can use to authenticate to other workloads. SPIFFE's partner in identity is SPIRE, the SPIFFE runtime environment. SPIRE implements the SPIFFE spec, enforcing multifactor attestation to issue identities. While there is still work to be done, the SPIFFE and SPIRE projects — both incubated by the Cloud Native Computing Foundation (CNCF) — are helping set the groundwork not only for end-to-end identity but also zero trust. 

****Sigstore****

The old adage that a chain is only as strong as its weakest link couldn't be truer than when it comes to the software supply chain. As shown by the rash of supply chain hacks we've seen in the past few years — attacks that are likely to increase as the stakes grow higher — it's increasingly important to ensure that nothing in the supply chain has been tampered with. One of the ways to do that is to sign everything — especially if you are doing everything (or even most things) as code.

Sigstore — under the auspices of the Linux Foundation — is intended to make cryptographic signing in the supply chain easier. Sigstore removes the cryptography burden from developers, enabling them to use an email address via the OpenID Connect (OIDC) protocol as a preexisting identifier to sign their code. We're seeing organizations implement Sigstore in more traditional ways, but it will be interesting to see if they adopt OIDC-based signing (through the Fulcio portion of the Sigstore project) and the Rekor signature log as a more agile way to manage signing and attestation of signatures or verification of signatures. It will also be interesting to see if Sigstore is eventually implemented not just in new products, but also within the enterprise itself.

****Kyverno and OPA Gatekeeper**

Kyverno, which provides Kubernetes-native policy management, is a project to watch because organizations are paying more attention to admission policies, particularly as the Kubernetes community moves toward pod security admission. There are only three profiles associated with Kubernetes-native pod security admission — a model that is simple by design. If you want more complexity, you need to go with something like Gatekeeper and Open Policy Agent (OPA). Some organizations find Kyverno easier to use with Kubernetes. It's YAML-based, so it doesn't require learning a new language. However, other organizations have invested in learning Rego, the language used with Open Policy Agent, as OPA is a general-purpose policy engine that can be used to automate policies throughout the stack. Indeed, there are a variety of open source policy engines available right now. The real question is whether the landscape will continue to be dotted with engines that have varying degrees of integration with Kubernetes, or if one will eventually become the de facto standard.  

**eBPF-Based Projects**

Kubernetes and the technologies it works with rely heavily on core Linux capabilities. One of these is Extended Berkeley Packet Filter(eBPF), which is increasingly used in networking, security and auditing, and tracing and monitoring tools. Importantly, when it comes to runtime security, eBPF provides observability at a deep level. You can't secure what you can't see, and eBPF provides the level of observability you need for Kubernetes and container platforms in a more consumable fashion. eBPF is being leveraged by many projects, including Falco, a Kubernetes runtime security tool, and Cilium, which provides, secures, and observes network connectivity among container workloads. The biggest indicator of which projects will rise to the top is how nicely they play with Kubernetes. For example, Cilium is interesting because it is written in Go rather than C, which makes it easier to integrate into Kubernetes.

**Kubernetes Networking Projects**

We're seeing more and more organizations deploy multiple clusters, with the resulting need for solutions that communicate or interact across clusters. Skupper is interesting because it enables organizations to create a kind of virtual application network from namespaces in one or more Kube clusters. It's a whole new approach to managing communication between clusters, negating the need for VPNs or special firewall rules. The Gateway API, which comes from the Kube SIG Network, is working to evolve and secure Kubernetes service networking to make it more extensible, with a set of APIs that push it beyond L3 to L4 and L7. Gateway API is an open source project managed by the SIG Network community.

**Conclusion**

As organizations expand their use of Kubernetes, they must constantly be vigilant about balancing performance gains with security, governance, and compliance.

Kubernetes-Related Security Projects to Watch in 2023

**PITTSBURGH****,** **Jan. 12, 2023** **/PRNewswire/ --** New research from leading cybersecurity provider Hornetsecurity has found that 33% of companies are not providing any cybersecurity awareness training to users who work remotely.

The study also revealed nearly three-quarters (74%) of remote staff have access to critical data, which is creating more risk for companies in the new hybrid working world.

Despite the current lack of training and employees feeling ill-equipped, almost half (44%) of respondents said their organisation plans to increase the percentage of employees that work remotely.

Daniel Hofmann, CEO of Hornetsecurity, said: "The popularity of hybrid work, and the associated risks, means that companies must prioritise training and education to make remote working safe".

"Traditional methods of controlling and securing company data aren't as effective when employees are working in remote locations and greater responsibility falls on the individual. Companies must acknowledge the unique risks associated with remote work and activate relevant security management systems, as well as empower employees to deal with a certain level of risk."

**Challenges and risks**

The independent survey, which quizzed 925 IT professionals from a range of business types and sizes globally, highlighted the security management challenges and employee cybersecurity risk when working remotely.

The research revealed two core problems causing risk: employees having access to critical data, and not enough training being provided on how to manage cybersecurity or how to reduce the risk of a cyber-attack or breach.

Hofmann commented: "Increasing remote working cybersecurity measures is particularly important in the current climate, as cybercriminals are becoming smarter and using remote working to their advantage. We've seen an increase in smartphone attacks as hackers understand that both personal and professional data can likely be accessed as people can, and often do, carry out work on personal devices".

**Remote working security issues** 

While companies have adapted to new ways of working, cybersecurity risks linked to remote working, remain un-tackled. Nearly a fifth of IT professionals (18%) say workers are not secure when working remotely, but almost three-quarters of employees (74%) have access to critical data. Perhaps unsurprisingly, 14% of respondents said their organization suffered a cybersecurity incident related to remote working.

Remote working is not only known by professionals to bring unique issues, but people are experiencing the consequences of inadequate protection measures and insufficient remote management.

**Lack of knowledge amplifies risk** 

The study also highlighted a lack of understanding, confidence and knowledge around cybersecurity from employees when working remotely. Nearly half (43%) of IT professionals rate their confidence in their remote security measures as 'moderate' or worse, with the survey also finding that 'uncontrolled file sharing' was a common source of cybersecurity incidents (16%).

Organisations can reduce risks associated with cybersecurity by increasing education and training. Basic training could improve matters significantly: Hornetsecurity's Security Awareness Training, for example, helps firms to strengthen their human firewall.

**Use of endpoint management**

Having strong systems in place to protect employees is essential. The study found that the main sources of cybersecurity incidents were compromised endpoints (28%) and compromised credentials (28%). In addition, 15% said that employees use their own devices with some endpoint configuration for remote work. It's clear that having both security awareness training and investment in endpoint management systems are vital to have robust remote cybersecurity for organizations.

Hofmann concluded: "To tackle the knowledge gap, training such as our end user Cyber Security Awareness Training helps ensure attackers are less likely to carry out a successful breach when trying to exploit employees. This and endpoint management, are the two basic steps in reducing remote working risks".

**About Hornetsecurity**

Hornetsecurity is the leading security and backup solution provider for Microsoft 365. Its flagship product is the most extensive cloud security solution for Microsoft 365 on the market, providing robust, comprehensive, award-winning protection: Spam and virus filtering, protection against phishing and ransomware, legally compliant archiving and encryption, advanced threat protection, email continuity, signatures and disclaimers. It's an all-in-one security package that even includes backup and recovery for all data in Microsoft 365 and users' endpoints.

Hornetsecurity Inc. is based in Pittsburgh, PA with other North America offices in Washington D.C. and Montreal, Canada. Globally, Hornetsecurity operates in more than 30 countries through its international distribution network. Its premium services are used by 50,000+ customers including Swisscom, Telefónica, KONICA MINOLTA, LVM Versicherung, and CLAAS.

1 in 3 Organizations Do Not Provide Any Cybersecurity Training to Remote Workers Despite a Majority of Employees Having Access to Critical Data

**New York and London, January 11, 2023 --** **Hack The Box**, a leading gamified continuous cybersecurity upskilling and talent assessment platform, today announces a **Series B investment round of $55 million** led by Carlyle, alongside Paladin Capital Group, Osage University Partners, Marathon Venture Capital, Brighteye Ventures, and Endeavor Catalyst Fund. The new investment will accelerate Hack The Box’s growth trajectory with a focus on further building out its category-defining “gamer-first” solutions offering. Hack The Box will also enhance its go-to-market function, doubling down on the company’s ongoing international expansion with strong commercial traction in the US, Europe and APAC.

Hack The Box has continued to attract significant funding interest due to its highly engaging adversarial cyber up- and reskilling solutions that are powered by ultra-realistic coding gameplay and thereby effectively advance the security readiness of Hack The Box’s rising number of blue-chip enterprise and government customers. Chief Information Security Officers and other senior cybersecurity decision-makers increasingly turn to Hack The Box to assess how secure their organizations look like from an attacker’s perspective and address the weakest link in cyber - the human element - through a performance-driven and thus highly transparent evaluation of in-house and external cyber talent.  

Tripling in size over the last two years, Hack The Box has the largest global hacking community with more than 1.7 million platform members. With its thriving community being at the heart of the company, Hack The Box will continue to invest heavily in R&D. The company will execute against a product roadmap that entails top-notch content releases and groundbreaking features, making Hack The Box the ultimate reference point for cybersecurity professionals of all backgrounds, skill levels, and industries, allowing them to keep pace with the rapidly evolving cyber technology and threat landscape. 

Hack The Box offers a superior 360°platform that not only enables individuals, businesses, government institutions and universities to level up their offensive and defensive security skills, but also provides access to job opportunities in cybersecurity, thus addressing the industry’s serious talent shortage. Providing mind-triggering, hands-on, and highly entertaining learning content that mimics real-world threat scenarios and features the latest up-to-date attack techniques and methods, Hack The Box is setting new standards in cybersecurity expertise.

“Our mission is to create and connect cyber-ready humans and organizations through highly engaging hacking experiences that cultivate out-of-the-box thinking. The game in cyber has changed with defensive, reactive and recovery postures not being fit-for-purpose in the face of an ever-increasing and ever-evolving wave of sophisticated attacks. A new proactive offensive & defensive approach is needed to take the fight to cybercriminals rather than waiting to be hit. From individual security professionals to companies, this means adopting a ‘hacker mindset’, learning to think and act like an attacker. This is the kind of mindset that we cultivate through Hack The Box”, **highlights Haris Pylarinos, Founder and CEO at Hack The Box**_._ 

**Constantin Boye, a Director at Carlyle, comments,**"The demands on security and IT professionals have never been greater. An industry-wide talent shortage and an exponentially growing number of cyber threats place great importance on professionals and organizations to maintain best-in-class security practices. Hack The Box is a pioneer in constantly providing fresh and curated training and upskilling content, in a fully gamified and intuitive environment, enabling individuals and organizations to tackle real-world hacking problems. We are excited for the next stage of Hack The Box’s evolution and are proud to be part of this journey."

**Gibb Witham, Senior Vice President at Paladin Capital Group, adds,**"With a vibrant community of 1.7 million registered security professionals and enthusiasts, Hack The Box is setting the bar for a new generation of product-led growth companies in the cybersecurity industry. We are thrilled to see Hack The Box becoming a vital partner for enterprises and governments in crafting security teams prepared for cyber attacks."

This Series B funding takes Hack The Box’s total amount of capital raised to date to $70 million, fortifying the company’s position within the global cybersecurity ecosystem.

Source

DARKReading