This unique fairytale is available for free just before Christmas to enjoy with the entire family.

**MONTPELLIER, FRANCE, December 19, 2022 /****EINPresswire.com****/ --** Bfore.Ai, an AI-driven predictive cybersecurity solutions company, recently launched the very first cybersecurity book in the market. This book, geared towards children and security specialists alike and titled The King, The Knight & The Snowball, was downloaded over 100 times within the first hour of being available. This unique seasonal tale is available now and free for anyone to download and enjoy, just in time for Christmas.

This short fairytale targets cybersecurity professionals and aims to make predictive cybersecurity an understandable and relatable topic for all ages while promoting how important it is to be security conscious in a world where there are so many threats. While the book is designed to open the understanding of cybersecurity at an early age, it’s intended as a gift to the entire technology community and all age groups.

“In today’s world, security is a high-pressure, demanding field. It’s often hard to share a few quiet moments with those we love. We wanted to capture the spirit of sharing and caring that is essential to this time of year,” said Luciano Allegro, CMO at Bfore.Ai. “We felt the best way to do that was to create a book that gives an introduction to a new wave of cybersecurity technology — a predictive cybersecurity — wrapped in a fun story that anyone could enjoy.”

Developed with security professionals in mind, this book offers a great way to start the conversation about cybersecurity in general and predictive cybersecurity, specifically with anyone of any age. Any parent can use the accessible nature of the tale to share the importance of cybersecurity and even address how the nature of security can sometimes seem mystical. 

Bfore.ai created this fun fairytale adventure to help people of all ages learn about the technology that can prevent them or their companies from being victims of cyber threats without the sales pitch aspect that can turn the average person off. In keeping with their intention to promote sharing and moments of caring, this delightful tale is entirely free and ready for anyone to download to enjoy with the whole family. Please visit The King, The Knight & The Snowball.

About Bfore.Ai:

Headquartered in Montpellier, France, Bfore.AI launched in 2020 to deliver actionable intelligence insights to enterprises, focusing on predictive models that can see vulnerable vectors in enterprise cyber networks. For more information, please visit https://bfore.ai/ or contact Sonia Awan – PR for Bfore.Ai at \[email protected\]

Bfore.Ai Releases 'The King, The Knight & The Snowball' - Cybersecurity Book for Children

The latest bypass for Apple's application-safety feature could allow malicious takeover of Macs.

A bypass vulnerability in macOS for Apple's Gatekeeper mechanism could allow cyberattackers to execute malicious applications on target Macs — regardless of whether Lockdown mode is enabled.

Among the details on the bug (CVE-2022-42821), which Microsoft dubbed "Achilles," is the fact that researchers were able to craft a working exploit using the Access Control Lists (ACL) mechanism in macOS, which allows fine-tuned permissioning for applications.

**Popular Target: Apple Gatekeeper for Vetting Applications**

Apple Gatekeeper is a security mechanism designed to ensure that only "trusted apps" run on Mac devices — i.e., those that are signed by a valid authority and approved by Apple. If the software can't be validated by Gatekeeper, the user gets a blocking pop-up explaining that the app can't be executed.

In theory, this mitigates the threat of malicious sideloaded applications that users might accidentally download from pirate sites or third-party app stores. The issue, though, is that bad actors have devoted quite a bit of time to finding bypass avenues for the feature, Microsoft researchers noted, as shown by previous exploited vulnerabilities such as CVE-2022-22616, CVE-2022-32910, CVE-2021-1810, CVE-2021-30657, CVE-2021-30853, CVE-2019-8656, and CVE-2014-8826.

And no wonder: "Gatekeeper bypasses such as this could be leveraged as a vector for initial access by malware and other threats and could help increase the success rate of malicious campaigns and attacks on macOS," Microsoft researchers warned in an advisory issued this week. "Our data shows that fake apps remain one of the top entry vectors on macOS, indicating Gatekeeper bypass techniques are an attractive and even a necessary capability for adversaries to leverage in attacks."

**Uncovering a New Gatekeeper Bypass**

Piggybacking off of details surrounding CVE-2021-1810, Microsoft researchers looked to create a new bypass — which they managed to do by appending malicious files with special permissioning rules via the ACL mechanism.

Apple employs a quarantine mechanism for downloaded apps, according to the advisory: "When downloading apps from a browser, like Safari, the browser assigns a special extended attribute to the downloaded file. That attribute is named com.apple.quarantine and is later used to enforce policies such as Gatekeeper."

However, there is an additional option in macOS to apply a special extended attribute named com.apple.acl.text, which is used to set arbitrary ACLs.

"Each ACL has one or more Access Control Entries (ACEs) that dictate what each principal can or cannot do, much like firewall rules," Microsoft researchers explained. "Equipped with this information, we decided to add very restrictive ACLs to the downloaded files. Those ACLs prohibit Safari (or any other program) from setting new extended attributes, including the com.apple.quarantine attribute."

And without the quarantine attribute in place, Gatekeeper is not alerted to check the file, which allows it to bypass the security mechanism altogether.

Crucially, Microsoft researchers found that Apple's Lockdown feature, which it debuted in July to prevent state-sponsored spyware from infecting at-risk targets, can't thwart the Achilles attack.

"We note that Apple’s Lockdown Mode, introduced in macOS Ventura as an optional protection feature for high-risk users that might be personally targeted by a sophisticated cyberattack, is aimed to stop zero-click remote code execution exploits, and therefore does not defend against Achilles," according to Microsoft.

The issue was disclosed to Apple in July, with fixes rolling out in the latest macOS version. To protect themselves, Mac users are encouraged to update their operating systems to the latest version as soon as possible.

Microsoft Warns on 'Achilles' macOS Gatekeeper Bypass

With 10 layers of obfuscation and fake payloads, the Raspberry Robin worm is nesting its way deep into organizations.

It's likely the group behind the worm called Raspberry Robin is just testing the waters — launching attacks against telecommunications companies and governments across Australia, Europe, and Latin America to see how far their malware can spread — for now.

Researchers at Trend Micro have been tracking Raspberry Robin since September and are warning the worm is notable for its 10 layers of obfuscation and its ability to deploy a fake payload to throw off detection efforts.

Raspberry Robin infected thousands of endpoints in October. Both October's endpoint attacks and the latest targeting of governments and the telecom sector relied on a malicious USB for initial infection.

"Our initial analysis of the malware, which compromised a number of organizations toward the end of September, showed that while the main malware routine contains both the real and fake payloads, it loads the fake payload once it detects sandboxing tools to evade security and analytics tools from detecting and studying the malware's real routine," Trend Micro reported, adding the team will continue to track the malware's activities.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Raspberry Robin Worm Targets Telcos & Governments

Security Service-backed Trident Ursa APT group shakes up tactics in its relentless cyberattacks against Ukraine.

Physical threats against a Ukrainian cybersecurity researcher and a failed attempt to breach a petroleum refinery inside a NATO-member nation are just the latest notable salvos in Russian state-backed APT group Trident Ursa's campaign against Ukraine.

Researchers at Palo Alto Network's Unit 42 reported on the APT group (also known as Gamaredon, Primitive Bear, Shuckworm, and UAC-0010) tactics over the past 10 months, noting the connection between Trident Ursa and the Russian Federal Security Service.

"As the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access creator and intelligence gatherer," the Unit 42 team explained. "Trident Ursa remains one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

NATO-Member Oil Refinery Targeted in Russian APT Blitz Against Ukraine

Searchlight Cyber announces rebrand that reflects its status as a fast-growing cybersecurity business.

**Portsmouth,** **UK** **&** **Washington** **DC,** **US** **–** **December** **20** **2022** **\--** Searchlight Cyber, the dark web intelligence company, has announced its rebrand from Searchlight Security, aligning its legal entity in both the UK (Searchlight Cyber Ltd) and the US (Searchlight Cyber LLC). The name change is accompanied by the launch of a new visual identity including a new company logo, website, and an update to its product design.

Searchlight Cyber’s new website is designed to be a knowledge base for security professionals to learn more about the emerging field of dark web threat intelligence. Enterprises, law enforcement, and MSSPs can easily navigate and access resources on how to combat dark web threats including reports, webinars, videos, blogs, case studies and more.

“I am delighted to announce that we are capping off a very exciting year for the company with a rebrand,” says Ben Jones, CEO of Searchlight Cyber. “Since we launched five years ago we have been on a fast-growth trajectory, and this has never been more apparent than in 2022. In this year alone, our headcount has increased by more than 150 percent, we have grown our customer base in both the UK and US, and we’ve launched exciting capabilities in our products. This new brand reflects the maturity of the company and our mission to help protect society from dark web threats, with our new website in particular geared around the value and insight that we can deliver to our customers.”

Searchlight Cyber’s Ransomware Search and Insights - launched just last week \- is among the many product announcements the company has made this year. This enhancement to Searchlight’s Cerberus platform provides enterprises and law enforcement with a consolidated view of the dark web activity of ransomware groups, to help them better understand and protect themselves from one of the most persistent threats in cybersecurity. The product’s supporting threat intelligence report, Dark Web Profiles: The Most Prolific Ransomware Groups of 2022, is one of the many resources that can be accessed on the new Searchlight Cyber website. 

For more information on the rebrand, read the blog Introducing Searchlight Cyber from Ben Jones, CEO of Searchlight Cyber, on the rationale behind the company’s new website and visual identity. 

About Searchlight Cyber

Searchlight Cyber provides organizations with relevant and actionable dark web threat intelligence, to help them identify and prevent criminal activity. Founded in 2017 with a mission to stop criminals acting with impunity on the dark web, we have been involved in some of the world’s largest dark web investigations and have the most comprehensive dataset based on proprietary techniques and ground-breaking academic research. Today we help government and law enforcement, enterprises, and managed security services providers around the world to illuminate deep and dark web threats and prevent attacks. To find out more visit slcyber.io or follow Searchlight Cyber on LinkedIn and Twitter.

Searchlight Security Changes Name to Searchlight Cyber and Launches New Brand

When properly designed and trained, artificial intelligence and machine learning can help improve the accuracy of distributed denial-of-service detection and mitigation.

After early excitement about artificial intelligence (AI) in the late 1980s and early 1990s, followed by a couple of "AI winters" — periods of reduced funding, interest and even disillusionment — we now again see great enthusiasm about all things related to AI and machine learning (ML). It is no wonder that AI/ML is also being considered for network security, including distributed denial-of-service (DDoS) protection.

It's not that AI/ML algorithms have changed so radically — but they have matured. In network security, like in many other fields, the abundance of data and greater-than-ever processing power makes it feasible to implement new AI/ML algorithms in silicon or in the cloud, allowing us to teach machines to be more accurate and faster than humans are.

With DDoS security, the problem is distinguishing "good" from "bad" traffic and minimizing the mitigative actions to reduce the effect on "good" traffic. Apart from accuracy and speed, the percentage of false positives indicates how good your detection is — the lower, the better. Until recently, the industry-accepted rate of 5% to 10% false positives meant that neutralizing a 2Tbps-size DDoS attack could also block 100Gbps to 200Gbps of legitimate network traffic. This needs to improve by at least an order of magnitude.

**AI/ML for Better DDoS Detection**

AI/ML can help network security teams make more accurate and faster decisions about what constitutes a DDoS threat or is an ongoing attack. Knowing the larger Internet-security context is essential — a global perspective of traffic down to the IP address level, with prior history of traffic patterns and abuse — can help prevent making a snap decision about whether certain traffic flows are legitimate. It's like a credit card company tracking all transactions in order to decide which ones are fraudulent.

Big data collected from the network itself — in the form of telemetry from IP routers, enhanced with the larger security context — provides a great base for training AI/ML models to recognize DDoS patterns. Still, human intelligence is irreplaceable: People need to teach AI/ML what to look for. And there is a lot to be taught, from recognizing a botnet DDoS (coming from thousands of IoT devices as regular IP traffic) to understanding when seemingly separate network patterns are all parts of a larger, coordinated DDoS activity.

**Better Mitigation, Too**

Another important role for AI/ML is in defining DDoS mitigation strategies and driving real-time tactics based on changing network conditions and mitigation results.

DDoS detection is a big data problem with somewhat unconstrained resources, limited only by the processing platforms. DDoS mitigation, however, is a problem where resources are constrained. Mitigation capabilities, capacity, and scale can differ from product to product and from one network to another. The actual mitigative actions need to consider all of those details and more — preferences about the number of security filters applied on routers, whether NETCONF or Flowspec should be used, etc. All of these constraints can be passed to an AI/ML system to drive networkwide AI/ML-optimized mitigation.

Additionally, AI/ML algorithms could be used to calculate the efficiency (as measured by false-positive rates) of suggested mitigation scenarios and to test and evaluate different what-if scenarios offline to improve the mitigation further.

**Understanding Wider Context Is Key**

Big data platforms can efficiently sift through massive amounts of data, ingesting information about the Internet-wide security-related context and real-time network data about network flows, usage patterns, and other relevant metrics.

With the help of AI/ML algorithms, it is now possible to detect DDoS activity early and take immediate, targeted, and optimized mitigation measures to thwart such attacks.

By incorporating big data analytics and AI/ML into all stages of a comprehensive DDoS security strategy, we can guard our networks against malicious DDoS attacks, keep the services running, and protect users online.

How AI/ML Can Thwart DDoS Attacks

Startups are coalescing around effective data loss prevention, reducing data attack surfaces, and viable AI automation.

Investors in tech startups like to maintain communities of independent CISOs that entrepreneurs use to explore threats and unsolved problems and to pitch solutions to. In this incubation space, several technologies have begun to stand out: enterprise Web browsers, data posture management, and new takes on automation.

And here's what they have in common: They're innovations that reduce complexity. Consider the impossibility of deploying agents or security controls across heterogeneous devices. To achieve full coverage, they must span employees, third parties, and post-M&A workforces — including personal devices that hit the cloud.

RSA's 2022 Innovation Sandbox winner, Talon Cyber Security, and the startup Island, both believe the enterprise Web browser can solve this and become an external leg of the cloud security architecture.

User data travels in an encrypted connection between the cloud and the browser, the latter of which has been leaky. These new browsers are hardened to malware, contain data loss by blocking uploads, downloads, screen captures, or cut and paste. They also add a layer of privacy. As Ashland CISO Bob Schuetter notes, his secure browser masks Social Security numbers on the screen "so the service reps don't have to look at the actual numbers all day."

These browsers even allow recording sessions for visual playback during incident response. “In reality, what they are is a secure gateway for tracking who's using what SaaS resources,” says Dr. Shane Shook, a cybercrime consultant and expert witness.

Compartmentalized away from the rest of the endpoint, a secure browser sandboxes Web client code, contains the accessed cloud data, and secures traffic between device and cloud. Proponents believe it could become the new cloud perimeter and deliver some of the failed promises of data loss prevention.

**Automation Is Bigger Than SOAR**

2022’s upstarts are pushing automation beyond the security orchestration and automated response (SOAR) category. Many of them note that SOAR speaks to a past when security was dominated by incident response.

Cybersecurity is now under the CIO as much as the CISO. All this creates a huge divide between the CISO's organization that detect threats and the remediation plans which must span multiple departments, and often extend to partners.

There are a number of approaches here. SOAR startups Opus Security and Revelstoke push knowledge dissemination and best practices beyond the CISO. Torq, an Innovation Sandbox finalist, is being used to automate backlogs in IT account provisioning, a byproduct of identity attacks.

BrazenCloud envisions upgrading the plumbing beneath SOAR’s automation, which today mostly involves calling the APIs of other security applications. Yet scripting, open source, and one-off tools are popular in cybersecurity. This leads to the belief that cybersecurity's automation providers should be the ones to move and execute these tool’s binaries and return their outputs — even for the notoriously ephemeral cloud workloads.

**Making Data Security Cloud Native**

On-premises data security was never that good at answering what data we have, where it's located, and who's accessing it. Now, this deficiency is getting addressed as data and metadata become increasingly distributed across multiple clouds.

Analysts are calling it data security posture management (DSPM), which unfortunately sounds like an older cloud security posture management (CSPM) category that Gartner split after ballooning out of control.

The more focused data posture management products integrate with cloud APIs, and map data and its usage. They aspire to relieve the ransomware threat with oversight into backups and to reduce the attack surface by sunsetting old data.

Despite the mind numbing acronyms, this new data-focused category is hot in 2022, with Concentric AI, Laminar, and Eureka Security receiving investments.

The sudden interest here is more than faddish copycatting. Cloud computing requires a higher bar for data security. Not being behind a well-defined perimeter, the cloud is public by default and thus hackers are one authentication hop from accessing the crown jewels.

**Will AI Finally Deliver Cybersecurity Real Value?**

Cybersecurity's buzzword merchants have undermined artificial intelligence and machine learning, turning theminto gratuitous boxes to check. Yet a new generation of practitioners educated in AI and ML see routine success using facial and voice recognition. AI’s success outside cybersecurity, such as facial recognition, has come from tackling narrow problems where sophisticated examples exist to model or train against.

The startup community has begun wielding AI’s strengths to take the small stuff off the hands of practitioners. Some believe advanced virtual assistants (AVAs), similar to Siri or the writing-aide Grammarly, are an aspect of AI that can succeed in cybersecurity.

StrikeReady delivers the detection and response tools a practitioner would use, along with an AVA trained to handle certain security operations center (SOC) logistics. Another unnamed startup, still in stealth mode, is beta testing AVAs that curb the risky behaviors of end users.

Within startup incubation spaces, enterprise Web browsers, virtual assistants, DSPM, and new automation may prove to be the new disruptors. Or they could just end up as a venture capitalist's write-off. Either way, it's the market — and security practitioners in the SOC — who will be the final arbiters of what’s useful and innovative.

Coming to a SOC Near You: New Browsers, 'Posture' Management, Virtual Assistants

VMRay announces the closing of a Series B led by global alternative asset manager Tikehau Capital, which will fuel further expansion of the product portfolio to target a broader set of market segments.

**BOCHUM, GERMANY (PRWEB)** **DECEMBER 20, 2022 --** VMRay, a global player in advanced threat detection and analysis that offers solutions for enterprises, governmental organizations, and MDRs to detect and analyze the most challenging malware and phishing threats, announces the closing of a Series B led by global alternative asset manager Tikehau Capital, through its subsidiary Tikehau Ace Capital and its European Cybersecurity Growth fund alongside new investors NRW.BANK and Gründerfonds Ruhr. Previous investors eCAPITAL and High-Tech Gründerfonds also participated in the round. The new investment will fuel further expansion of the product portfolio to target a broader set of market segments.

VMRay was founded to overcome a big vulnerability in cybersecurity: new, unknown, and sophisticated threats and targeted attacks. The company started its journey by developing a unique, hypervisor-based approach to sandboxing, and kept adding cutting-edge technologies, including its own Machine Learning models, to address emerging and evolving challenges. The solutions aim at improving the efficiency of SOC teams with accurate verdicts, noise-free output, and seamless integrations with major EDR, XDR, SOAR, and Threat Intelligence Platform vendors. The company is now working with 4 of the world’s top 5 technology companies, 37 leading financial institutions and 56 governmental organizations around the world.

“The cyber threat landscape is going through a profound change, and with the increasing volume and complexity of new threats, our customers face new challenges,” said Dr. Carsten Willems, co-founder and CEO of VMRay. “The latest investment has been a collaboration with a strategic scope, enabling VMRay to make its product suitable for a wider range of market segments and use cases including threat intelligence, security automation and MSSPs.” 

“In our role as cybersecurity-focused experts, we were impressed with VMRay's unique value proposition: building more effective detection tools integrated or interfaced with larger cybersecurity solutions. VMRay's ability to automate detection is a clear differentiator, positioning it as the tip of the spear in the global effort to elevate cybersecurity standards globally," said Augustin Blanchard, Executive Director at Tikehau Capital. "We firmly believe the company will sustain scalable, explosive growth in the coming years, driven by skilled leadership and powerful market tailwinds.”

“VMRay has managed to uniquely position themselves in the market, complementing existing solutions as the extra layer of security that is needed to combat advanced and unknown threats,” said Dr. Ulrich Schmitt from High-Tech Gründerfonds. “Having built a strong foundation for further international growth, the company is set to become the global leader in advanced threat detection, and we are excited to support the VMRay team in the years to come.”

Willi Mannheims, Managing Partner at eCAPITAL added, “We’re delighted to be partnering with a syndicate of top investors to continue fueling VMRay’s success and support the company’s experienced management team in driving growth.”

About VMRay  
At VMRay, our purpose is to liberate the world from undetectable digital threats.Led by reputable cyber security pioneers, we develop best-of-breed technologies to detect and analyze unknown threats that others miss. Thus, we empower organizations to augment and automate security operations by providing the world’s best threat detection and analysis platform. We help organizations build and grow their products, services, operations, and relationships on secure ground that allows them to focus on what matters with ultimate peace of mind. This, for us, is the foundation stone of digital transformation.

Cybersecurity Company VMRay Extends Series B Investment to a Total of $34M USD to Drive Growth into New Markets

The technique loads a nonmonitored and unhooked DLL, and leverages debug techniques that could allow for running arbitrary code.

A newly pioneered technique could render endpoint detection and response (EDR) platforms "blind" by unhooking the user-facing mode of the Windows kernel (NTDLL) from hardware breakpoints. This potentially gives malicious actors the ability to execute any function from within NTDLL and deliver it, without the EDR knowing it, researchers warned.

The Cymulate Offensive Research Group, which discovered what it calls the "Blindside" technique, noted in a report released Dec. 19 that the injected commands could be used to perform any number of unexpected, unwanted, or malicious operations on a target system.

Blindside creates an unhooked process. This means the hooks (which allow one application to monitor another) used by EDR platforms to identify if behaviors are malicious will not be present in the unhooked process.

Because many EDR solutions rely entirely or heavily on hooks to track behaviors and malicious activities, they would be unable to track the behaviors of the process launched with Blindside, the researchers explained.

Mike DeNapoli, director of technical messaging at Cymulate, notes that there are other methods to block hooks, but they depend heavily on cooperation from the operating system. Not so with Blindside.

"Blindside leverages hardware operations and can work in circumstances where other methods fail," he explains.

DeNapoli also points out that the use of hardware breakpoints for malicious outcomes is not entirely new, explaining that researchers knew various forms of breakpoints can be used to obfuscate against detection within x86 architectures. However, Blindside has a slightly different approach.

"Previous threat methodologies and techniques have focused on the virtualization of a process, or the use of syscalls to accomplish their goal," he says. "Blindside adds the use of specific debugging breakpoints to force a process to launch without hooks, which is what makes it a new technique."

**Discovering New Techniques Improves Protection**

DeNapoli says discovering new attack vectors allows EDR vendors and their customers to stay ahead of the game on defense.

"When investigating techniques, the Cymulate Offensive Research Team will sometimes discover ideas that could be used to create new techniques," he explains, adding that the justification for going public with the results is bringing greater awareness of these potential attack techniques and methods to EDR vendors and the public — before they are discovered by threat actors and used for malicious purposes.

"EDR solutions use multiple methodologies to monitor applications and processes for circumstances where they perform malicious actions," DeNapoli says. "This idea of behavior-based detection has become the primary and most popular method of anti-malware operations. This makes bypass and compromise of this form of anti-malware operation a major concern of organizations and service providers alike."

John Bambenek, principal threat hunter at Netenrich, agrees that the good news is that this tactic was discovered in advance of an attack and shared with the broader community.

"That way, they can develop mitigations, some of which were in the research itself," he says. "This research identifies the problem and a path forward."

He adds that attackers are constantly developing techniques and looking for holes to bypass our security tools. Earlier this month, vulnerabilities were found in EDR tools from different vendors — among them Microsoft, Trend Micro, and Avast — that give attackers a way to manipulate the products into erasing virtually any data on installed systems.

And another threat group was recently observed using the Microsoft-signed drivers as part of a toolkit designed to terminate antivirus and EDR processes.

"Either we find them first and develop mitigations or we want for the attackers to find them and deal with breaches," Bambenek says.

**Updating Defense Postures**

DeNapoli explains that next-gen EDR platforms will likely evolve away from relying so much on the hooking process.

"Several EDR vendors that Cymulate tested the technique against had already begun to use more than just hooking methods to track behaviors, and more are sure to do so as additional techniques to avoid hooking are brought to the public light," he says.

Working with an organization’s EDR vendor and/or service provider and keeping the system and the configuration of the tools within their infrastructure updated and validated as per vendor/provider recommendations, is a critical step in staying ahead of threat actors, DeNapoli adds.

"Because EDR solutions are only one layer of defenses, and because modern cybersecurity solutions can be complex, it is vital that organizations also regularly validate their security controls," he says.

Bambenek cautions that many organizations believe their job is done when they get EDR deployed everywhere and, while important, it is only one piece of the puzzle.

"Security, unfortunately, will require constant investment, because the attackers are certainly investing in their own R&D," he explains. "Primarily, the work here is on EDR vendors to look at other means to detect the use of these techniques."

'Blindside' Attack Subverts EDR Platforms From Windows Kernel

Asset inventory, behavioral baselining, and automated response are all key to keeping patients healthy and safe.

According to a 2020 memo from the Commonwealth of Massachusetts Department of Public Health, a code black event is "defined as when a hospital's Emergency Department is closed, as declared by an authorized hospital administrator, to all patients (ambulance and walk-in patients) due to an internal emergency."

The memo goes on to list a number of situations constituting internal emergencies, including:

*   Fires
*   Explosions
*   Hazardous material spills or releases
*   Other environmental contamination
*   Flooding
*   Power or other utility failures
*   Bomb threats
*   Violent or hostile actions impacting the Emergency Department

**Code Black/Code Dark**

On April 20, 2022, the Bay State added another item to that list, when code black events were declared at hospitals in Worcester and Framingham, following cyberattacks on Tenet Healthcare Corporation facilities there and in Florida. According to HealthcareITNews, "Tenet immediately suspended user access to impacted IT applications, executed extensive cybersecurity protection protocols and took steps to restrict further unauthorized activity." HealthITSecurity later reported that the attack campaign included a ransomware infection that ultimately cost Tenet $100 million in lost revenue during the second quarter. 

Now, cyberattacks have their own emergency response designation, called "code dark." A recent Wall Street Journal article described code dark procedures at Washington, DC's Children's National Hospital, during which, while IT staff respond to the event, hospital employees are trained to turn off Internet-connected medical equipment to keep an attack from spreading. Under such conditions, the hospital's CISO said, "If we call a code dark, the entire hospital knows to disconnect devices anywhere they can." 

**Patient Safety at Risk**

That's not especially comforting, given healthcare providers' reliance on medical devices. Hospitals are prime targets for threat actors, and especially for ransomware gangs. They know healthcare providers are under great pressure to maintain continuity of operations and to protect patient safety, and so are most likely to pay the cost to unlock medical systems, devices, and data, rather than risk an unfortunate outcome. A new study by the Ponemon Institute underscores this risk, finding that hospitals falling victim to a ransomware attack experience a decline in care quality and outcomes, including longer patient stays, test and procedure delays, and even more complications following care. 

Healthcare organizations invest aggressively in connected devices to improve facilities management and administration, and to provide a higher quality of patient care. Those devices include the Internet of Things (IoT), the Internet of Medical Things (IoMT), and operational technologies (OT). A recent study by Juniper Research forecasts that the average hospital will have as many as 3,850 IoMT devices connected to their networks by 2026. Every device that connects increases the complexity of a hospital's IT estate and its attack surface.

**Zero Trust for Connected Devices Starts With Asset Inventory and Baselining**

The proliferation of these devices in a hospital's IT infrastructure requires meticulous attention be paid to the risk each connected device adds to the network. Without the means to discover, monitor, and manage every connected device, the security of an organization's devices, data, and even patients themselves could be compromised. That makes it imperative to translate the elements of zero trust (never trust, always verify, and least privilege access) and apply them to a connected device security strategy.  

The first step in doing that requires knowing your attack surface. The adage "You can't protect what you can't see" holds true here, making complete device discovery and classification essential and foundational to protecting healthcare environments. This can range from traditional IT devices and medical devices that cannot be discovered via traditional means to elevator and HVAC control systems that are core to hospital operations. The approach needs to be "passive" so it doesn't impact device function.  

The next step is mapping transactions. With connected devices, this starts by using machine learning to establish and understand a baseline of how each device should behave. Since most IoT, IoMT, and OT devices operate within deterministic parameters, having an accurate understanding of normal, safe behavior makes it easier to recognize anomalous behaviors that represent early indicators of compromise. And when you can accurately detect an attack or risky behavior, you can automate policy enforcement that isolates compromised or at-risk devices. 

**Automate Response and Policies With Machine Efficiency**

That granular device profile — what a device is, how it's communicating, where it's connected, and its normal patterns of behavior — contains the elements you need to architect your zero\-trust policies and response — both reactive and proactive. The device context allows you to quickly respond to an attack and minimize and contain the blast radius. It also allows you to maintain operational continuity by keeping gear in service rather than shutting things down that might not need to be taken offline, or that could put patient care at risk if disconnected.  

For example, rather than taking a connected medical device offline if it is being used by a patient, dynamically generate zero\-trust segmentation policies that can quickly isolate the device on the network and allow its "sanctioned" behavior to continue. In contrast, a compromised surveillance camera communicating to a malicious domain can be blocked and taken off the network immediately, without risking an adverse medical outcome. 

**Enlightened, Not Dark**

A code dark protocol that asks doctors, nurses, and medical support staff to disconnect devices is one way to deal with a cyberattack, but it's not the best way. Instead, use an enlightened approach that applies a zero\-trust strategy to protecting connected devices. By starting with an asset inventory of devices in the network, baselining of device behavior, and leveraging automation to respond to threats and quickly stop lateral movement, you can maintain a higher security profile without compromising healthcare quality. When that is the model, network and patient safety can be maintained at a high level, even in the middle of a cyberattack, without pulling the plug.

Source

DARKReading