At Black Hat Europe, a security researcher details the main evasion techniques attackers are currently using in the cloud.

BLACK HAT EUROPE 2022 – London - CoinStomp. Watchdog. Denonia.

These cyberattack campaigns are among the most prolific threats today targeting cloud systems — and their ability to evade detection should serve as a cautionary tale of potential threats to come, a security researcher detailed here today.

"Recent cloud-focused malware campaigns have demonstrated that adversary groups have intimate knowledge of cloud technologies and their security mechanisms. And not only that, they are using that to their advantage," said Matt Muir, threat intelligence engineer for Cado Security, who shared details on those three campaigns his team has studied.

While the three attack campaigns are all about cryptomining at this point, some of their techniques could be used for more nefarious purposes. And for the most part, these and other attacks Muir's team has seen are exploiting misconfigured cloud settings and other mistakes. That for the most part means defending against them lands in the cloud customer camp, according to Muir.

"Realistically for these kinds of attacks, it has more to do with the user than the \[cloud\] service provider," Muir tells Dark Reading. "They are very opportunistic. The majority of attacks we see have more to do with mistakes" by the cloud customer, he said.

Perhaps the most interesting development with these attacks is that they are now targeting serverless computing and containers, he said. "The ease of which cloud resources can be compromised has made the cloud an easy target," he said in his presentation, "Real-World Detection Evasion Techniques in the Cloud."

**DoH, It's a Cryptominer**

Denonia malware targets AWS Lambda serverless environments in the cloud. "We believe it's the first publicly disclosed malware sample to target serverless environments," Muir said. While the campaign itself is about cryptomining, the attackers employ some advanced command and control methods that indicate they're well-studied in cloud technology.

The Denonia attackers employ a protocol that implements DNS over HTTPS (aka DoH), which sends DNS queries over HTTPS to DoH-based resolver servers. That gives the attackers a way to hide within encrypted traffic such that AWS can't view their malicious DNS lookups. "It's not the first malware making use of DoH, but it certainly isn't a common occurrence," Muir said. "This prevents the malware to trigger an alert" with AWS, he said.

The attackers also appeared to have tossed in more diversions to distract or confuse security analysts, thousands of lines of user agent HTTPS request strings.

"At first we thought it was might be a botnet or DDoS ... but in our analysis it was not actually used by malware" and instead was a way to pad the binary in order to evade endpoint detection & response (EDR) tools and malware analysis, he said.

**More Cryptojacking With CoinStomp and Watchdog**

CoinStomp is cloud-native malware targeting cloud security providers in Asia for cryptojacking purposes. Its main _modus operandi_ is timestamp manipulation as an anti-forensics technique, as well as removing system cryptographic policies. It also uses a C2 family based on a dev/tcp reverse shell to blend into cloud systems' Unix environments.

Watchdog, meanwhile, has been around since 2019 and is one of the more prominent cloud-focused threat groups, Muir noted. "They are opportunistic in exploiting cloud misconfiguration, \[detecting those mistakes\] by mass scanning."

The attackers also rely on old-school steganography to evade detection, hiding their malware behind image files.

"We're at an interesting point in cloud malware research," Muir concluded. "Campaigns still are lacking somewhat in technicality, which is good news for defenders."

But there's more to come. "Threat actors are becoming more sophisticated" and likely will move from cryptomining to more damaging attacks, according to Muir.

3 Ways Attackers Bypass Cloud Security

Cloud-native application protection platform (CNAPP) addresses security challenges in multicloud environments, including integrating applications across multicloud or hybrid cloud environments.

The COVID-19 pandemic accelerated digital transformation initiatives for many businesses. For many, this entailed embracing cloud-native application development to make possible rapid deployment of software. The downside? Increased security risks across large and ephemeral cloud environments.

As cloud security only continues to become more complex and difficult to manage, organizations are increasingly looking at cloud-native application protection platforms (CNAPP) to protect their cloud infrastructure and applications running in the cloud. The idea behind CNAPP is to consolidate point solutions to enable more automation and reduce security gaps between tools.

**Bundling CSPM, CWPP, CIEM**

"You can think of CNAPP as the king of acronyms in cloud security," says Kate MacLean, senior director of product marketing at Lacework. "It encompasses everything from CSPM \[cloud security posture management\], CWPP \[cloud workload protection platform\], CIEM \[cloud infrastructure entitlements management\], and more, bringing these features together into a single platform."

Lacework recently updated its CNAPP offering, Polygraph Data Platform, with agentless workload scanning for secrets and vulnerabilities plus attack path analysis.

These new capabilities are designed to help IT security teams achieve better visibility into their organizations’ complex, dynamic, and unique environments so they can better identify, understand, and respond to the security alerts that matter, according to the company.

MacLean explains that agentless workload scanning helps build layered security into the cloud environment, giving IT security teams the ability to scan more resources for vulnerabilities in a faster and more comprehensive way.

"With broader coverage in the runtime environment and continuous monitoring, teams have a better understanding of potential risks in the cloud so they can proactively secure for them," she says.

**Addressing Workload, Configuration Security**

Ami Luttwak, co-founder and CTO of Wiz, says CNAPP aims to address workload and configuration security by scanning the areas during development and protecting them at runtime.

The company provides an agentless, API-centered approach offering organizations instant coverage of their multicloud environments. Wiz's platform scans public buckets, data volumes, and databases in Amazon Web Services, Google Cloud Platform, and Microsoft Azure and classifies data so that organizations can find out what data is located where.

"CNAPP is becoming the main platform for security and dev teams for everything they need from cloud security, from code time to production," he says. "It solves for the core challenges of protecting cloud infrastructure from a security perspective."

The platform uses schema matching across the entire environment to understand data flow and lineage, including when data is moved between environments or regions and improper storage of production data. It also continuously assesses for compliance to ensure security standards are consistently enforced across business units, regions, applications, and users, according to Wiz.

**Holistic Cloud Security**

A proper CNAPP protects cloud application development throughout the entirety of the application development life cycle — from build time through runtime. This simplified approach covers all clouds, and a single tool handles vulnerabilities, remediation, compliance, and reporting, giving it necessary context and visibility. With multiple tools and security functions consolidated into one platform, a CNAPP can replace multiple point solutions — not to mention countless hours of operational usage.

CNAPP Shines a Light Into Evolving Cloud Environments

The supply chain attack is piggybacking off an earlier breach to deploy new wiper malware.

A previous cyberattack on an Israeli software developer is being used by Agrius Advanced Persistent Threat (APT) group to launch wiper attacks against various organizations in the diamond industry.

Although Agrius and its attack against Israeli IT and HR companies last February was previously known, using the "Fantasy" wiper in attacks is new, according to researchers at ESET.

Fantasy is a modified iteration of the Apostle malware, the team said. But while its predecessor Apostle masqueraded as ransomware, Fantasy dispenses with the charade and moves directly to destroying files.

So far, ESET reported, Fantasy victims have been found in Hong Kong, Israel, and South Africa.

"Agrius is a newer Iran-aligned group targeting victims in Israel and the United Arab Emirates since 2020," ESET researchers explained. "Agrius exploits known vulnerabilities in internet-facing applications to install webshells, then conducts internal reconnaissance before moving laterally and then deploying its malicious payloads."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Agrius Iranian APT Group Cuts Into Diamond Industry

To be most effective, protective DNS services need to constantly reassess and rescore domains as additional data comes in.

**Question: What is the importance of a domain score when determining whether a domain is a threat?**

**Dave Mitchell, CTO, Hyas:** Did you know over 93% of all malware employs DNS as a mechanism to identify and contact its command and control (C2) to receive instructions? This is why a truly holistic cybersecurity strategy must include protection from malicious domains.

Being able to properly assess the reputation and safety of a particular domain is critical to preventing breaches. However, these results are often presented in terms of a threat scoring system, which can misleadingly imply static results. To be most effective, solutions in this space need to constantly reassess and rescore domains as additional data comes in. Legacy approaches to protective DNS fail to adapt to the inherently dynamic nature of the Internet. A proactive system must score potential threats in real time, categorizing the DNS traffic based on both static and dynamic indicators of malicious intent.

First, there are the known bad domains. These are domains that have been publicly reported and confirmed to be malicious. Blocking these domains is critical, but it is only a reactive measure. If your organization gets hit during the first wave of an attack that utilizes new malware or a new exploit, these static lists will not help. Using public block lists also leaves you open to attacks from known threats utilizing different infrastructure. Publicly known malicious domains are usually subject to the strictest layer of protection, and communication with them is forbidden. Someone would have to have a very good reason to access one of these domains.

More proactive scoring methods rely on assigning a threat category to all queried domains based on a wide variety of indicators. This is a huge advantage over the static approach, as detecting a threat in its early stages can give administrators the invaluable time they need to block domains involved with the attack before it is executed — thereby rendering it inert. For a solution to do this effectively, it requires advanced threat intelligence capabilities and an intimate understanding of attacker infrastructure and methodology to know how domains are being used and by whom.

Based on this information, advanced protective DNS services monitor domain traffic for suspicious indicators. For example, if a domain is brand new, bought from an unscrupulous registrar, purchased by a buyer from an area associated with cybercrime, and paid for in cryptocurrency, it's probably smart to block it — even if that domain hasn't been used in an attack yet. The number and severity of the suspicious indicators it finds will determine how the system classifies the domain. Sometimes the indicators are low-priority enough to permit communication with the domain, while still getting marked for further analysis. If the domain is later determined to be malicious, further communication will be blocked. Every service provider has its own secret sauce when it comes to scoring domains, so do your homework and demo a number of services before settling on one.

The more high-quality data a service has access to, the more accurate its results are likely to be when combined with continuous analysis. This is key for generating meaningful scores that maintain the delicate balance between overly aggressive blocking — annoying users and potentially slowing down the pace of business — or even worse, mistakenly letting malicious communication through, defeating the purpose of implementing the protection in the first place.

Beyond these built-in protections, administrators can usually set up custom lists or policies that make the system alert them and/or outright block DNS requests if a domain has multiple negative traits that meet or exceed established parameters. Once alerted, administrators can investigate the incident and proactively deal with it before it causes damage. An advanced protective DNS service also gives you a level of control in enforcing policies, as you can preemptively block certain DNS communications — for example, instituting a blanket block on certain hacker hotbeds. If clean traffic gets caught up in these custom rules, it is easy enough to add domains to the solution's allow list.

Every provider approaches the overall process of scoring domains differently — quite radically in some cases. Bare-minimum (sometimes free) protective DNS services often rely on static, publicly available lists, while more sophisticated services incorporate data from premium intelligence services to stay a bit more current. But the top options use advanced threat intelligence, based on examination of prior attacks and dynamic analysis, to predict domain risk. With the first two types, you are operating from a reactive stance and will almost certainly fall victim to an attack at some point. However, an advanced protective DNS helps secure your assets from new and emerging threats, giving your enterprise the upper hand against threat actors.

How Do I Use the Domain Score to Determine Whether a Domain Is a Threat?

Increased federal cybersecurity regulations provide a pivot point for manufacturers to reconsider their access management strategy.

Because they are dependent on dozens of highly technical processes, modern factories can't afford to let security burden end users who rely on technology. While this sounds simple enough, putting a plan in action isn't easy.

The pandemic, the Internet of Things (IoT), and the proliferation of cloud technologies sparked digital transformation, practically overnight. Manufacturers were forced to adopt new technologies to keep up with remote work, while still relying heavily upon on-premises infrastructure. Increased regulations like those from the National Institute of Standards and Technology (NIST) and Cybersecurity Maturity Model Certification (CMMC) posed even greater security complexities as manufacturers ramped up production to meet global demands. All of these factors led to a disheveled infrastructure that has allowed cybercriminals to thrive.

To ensure compliance, maintain bottom lines, and solve fragmentation, manufacturers need an access management strategy that works with all aspects of their environment. An agile single sign-on solution is the best place to start.

**Integrating Single Sign-on**

Single sign-on (SSO) isn't new. Many manufacturers have been utilizing the function for years to streamline operations. But with so much diverse technology, some of it dating back decades, manufacturing's patchwork environment has created a fragmentation challenge for both end users and IT departments.

While end users have to juggle several passwords across multiple apps, websites, and workstations, IT has the additional burden of monitoring user access and managing security in this complex environment. This includes conducting password resets and manually on- and offboarding users for each app.

It's necessary that SSO integrates with every application and endpoint — both on-premises and in the cloud. Not only would this help solve fragmentation and reduce the burden on IT, but with fewer logins to remember (or none at all), it would also increase productivity and satisfaction for end users. As more policies and regulations require additional authentication, modernizing SSO cannot be a maybe, but is a must.

**Enable Compliance With Access Management**

Before attacks like the one on Colonial Pipeline, many manufacturing plants had poorly secured workstations to streamline employee access to keep critical processes functioning. However, that ease of access also opened the door to cyber criminals. In response, increased regulations from the Department of Defense (DoD), like NIST and CMMC, completely transformed the security environment to protect federal infrastructure.

This may be less complicated for modern manufacturers with largely cloud environments. But for those smaller or midsize manufacturers that still rely a lot of on-premises technology, improving security can be frustrating for end users. And frankly, many organizations can't afford to overhaul this older technology to accommodate modern solutions that favor cloud. Instead, they need SSO that accommodates them.

Among the several digital identity requirements outlined by NIST, organizations that process any data related to government agencies or the DoD (a large bucket into which many manufacturers fall) must log in every time a system or application is accessed. In essence, this means no more unsecured workstations that workers can walk up to and start working on. NIST also requires increasingly complex passwords for every login and, in many circumstances, enforces multifactor authentication (MFA).

For end users who previously only had to log in a handful of times throughout their shift, this added authentication can become a burden — especially for plant workers wearing full protective gear who previously only had to push a few buttons to enable operations. With factories under more pressure than ever before, their bottom lines cannot afford to deal with hindered productivity.

These increased regulations represent a pivotal moment for the on-premises manufacturer. In short, if your SSO doesn't integrate with every login, it's time for you to rethink your access management strategy with these two words: passwordless experience.

**The Passwordless Experience**

Without the ability to use SSO for every login, there's more risk of credentials being forgotten — or worse, compromised. The fewer credentials an end user has to remember, the less likely that person is to forget a password or write it down. So, isn't the best password the one you don't know?

Think about it. If a user only logs in by tapping an NFC badge to a reader or by using biometrics, that password will remain stored away, only invoked in the background when the user authenticates. In combination with a push notification or physical token for MFA, organizations can provide employees with a completely passwordless experience that benefits both security and productivity. This also enables better holistic digital identity management, traceability, and agility across the entire organization.

While compliance should be achieved, it does not equal security. It's time to ditch meeting the minimums and strive toward efficient methods that enable growth. The technology you have is only as good as your ability to use it, so ensure it's useful for everyone. Because after all, without SSO for every login, you are only as strong as your weakest password.

**About the Author**

    

As the Senior Vice President of Worldwide Engineering and Cyber at Imprivata, Joel Burleson-Davis is responsible for building, delivering, and evolving the suite of Imprivata's cybersecurity products. Before joining Imprivata, Joel was Chief Technical Officer at SecureLink, the leader in critical access management. There he developed advanced solutions for enterprises to secure access to their most valuable assets, systems, and data. While at SecureLink, Joel was responsible for the overall technology and operational strategy and execution including direction and oversight for Product Development, Quality Assurance, IT and Cybersecurity Operations, Compliance, and Customer Success.

Single Sign-on: It's Only as Good as Your Ability to Use It

More than three-quarters of police and emergency responders worry about ransomware attacks and data leaks, while their organizations lag behind in technology adoption.

Cybersecurity threats have become commonplace for police departments, first responders, and other public-safety groups, with 93% of organizations experiencing a cybersecurity issue in the past year.

That's according to a report released on Dec. 8 by cloud platform provider Mark43, based on a survey of 343 first responders. The 2023 U.S. Public Safety Trends Report found that 76% of first responders had concerns that their IT systems are vulnerable to ransomware attacks and data breaches.

At the same time, the vast majority of first responders must deal with outdated technology and disconnected systems, with 68% of public-safety officers required to file paperwork from the office rather than in the field, and 67% of first responders encountering issues with inefficient technology, according to the report.

While adopting technology can solve many issues that currently plague first responders, most state and local agencies do not have the technical expertise to protect such technology against threats, says Larry Zorio, chief information security officer for Mark43, which provides information systems for law-enforcement and first responder agencies.

"These agencies in many cases do not have a dedicated security staff who can worry about these issues all day, ensuring that data is backed up and running vulnerability scans," he says. "To the the \[cybersecurity\] community, these are table stakes — you need to be doing patching, you need to be doing vulnerability scanning ... but these agencies are realizing that they cannot protect themselves from these risks on their own."

First responders' cybersecurity concerns are not unwarranted. In 2019 and 2020, ransomware groups started targeting state, local, tribal, and territorial (SLTT) government agencies in earnest. In 2019, for example, 22 town agencies and local government organizations were targeted with a coordinated ransomware attack disrupting services for citizens. Ransomware attacks on local school systems impacted education for at least 753,000 students during 2019 and 1.2 million in 2020.

And in 2021, the FBI warned that ransomware spread by the Conti cybercriminals group had targeted at least 16 healthcare and first responder networks. In September 2022, a ransomware attack disrupted 911 service for Suffolk County, NY.

**Targeting First Responders**

These attacks carry with them additional risks for citizens, the FBI stated in its 2021 advisory.

"Cyberattacks targeting networks used by emergency services personnel can delay access to real-time digital information, increasing safety risks to first responders and could endanger the public who rely on calls for service to not be delayed," the advisory stated. "Loss of access to law enforcement networks may impede investigative capabilities and create prosecution challenges."

In general, the information technologists believe that ransomware attacks will continue at the same pace. The vast majority of IT professionals (84%) see ransomware as a significant threat to businesses, according to a study commissioned by Ransomware.org. In addition, 41% of IT professional believe their company is more likely to be a target this year, and 43% believe the threat will remain the same.

**Cloud Adoption Lags**

For first responders, the cybersecurity threats are balanced against the slow adoption of technology that could make their jobs and operations more efficient. While the majority of first responders believe that an integrated system for reporting would streamline operations, only a quarter of first responder organizations (27%) have moved to the cloud — two-thirds have not, the Mark43 survey found.

The Mark43 survey found that compliance and data transparency are also significant concerns for first responders, with 86% of respondents asking for improved crime reporting and two-thirds of those surveyed wanting more public transparency.

The agencies need to prioritize technology, data management, and cybersecurity roles. Instead, cybersecurity is often tasked to untrained IT workers inside the department or to officers that are nearing retirement, Zorio says.

"I don't feel that officers, who are trying to serve our communities, the fact that they are worried about that every day is definitely a concern," he says. "The industry in general needs to help them where we can, because it is not their job to worry about cybersecurity."

The survey defined cybersecurity issues as both malicious attacks by cybercriminals and availability problems caused by attacks.

Lack of Cybersecurity Expertise Poses Threat for Public-Safety Orgs

IE is still a vector: South Koreans lured in with references to the deadly Halloween celebration crowd crush in Seoul last October.

North Korean threat group APT37 was able to exploit an Internet Explorer zero-day vulnerability to deploy documents loaded with malware as part of its ongoing campaign targeting users in South Korea, including defectors, journalists, and human rights groups.

Google's Threat Analysis Group (TAG) found the zero-day flaw in the Internet Explorer JScript engine in late October, tracked under CVE-2022-41128, and now reports that Microsoft was responsive and has issued applicable patches.

To lure in potential victims, the malicious documents referenced the deadly crowd crushing incident in Seoul that happened during Halloween celebrations on Oct. 29.

"This incident was widely reported on, and the lure takes advantage of widespread public interest in the accident," the TAG team reported. "This is not not the first time APT37 has used Internet Explorer 0-day exploits to target users."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

APT37 Uses Internet Explorer Zero-Day to Spread Malware

Phishing has long been one of the best ways to gain access to a target organization. It didn't used to be this way. In the early days of computer security, the remote code exploit (RCE) was the preferred method of gaining access, as it required no user interaction. In fact, if something required user interaction, it wasn't considered a serious threat. Better security practices started to take hold, and the RCE method of access became much more challenging. And it turned out, getting users to interact was easier than ever imagined.

The same cycle has started to repeat itself with on-premises targets. Organizations have started to make advances in securing their internal networks against using endpoint detection and response (EDR), and other technologies are better equipped to detect malware and lateral movement. While attacks are becoming more difficult, it's by no means an ineffective strategy for an attacker yet. Deploying ransomware and other forms of malware is still a common outcome.

**Why Your Cloud Infrastructure Is a Top Target for Phishing Attacks**

The cloud has given phishers a whole new frontier to attack, and it turns out it can be very dangerous. SaaS environments are ripe targets for phishing attacks and can give the attacker a lot more than access to some emails. Security tools are still maturing in this environment, which offers attackers a window of opportunity where methods such as phishing attacks can be very effective.

**Phishing Attacks Targeting Developers and Software Supply Chain**

As we saw recently, Dropbox had an incident due to a phishing attack against its developers. They were tricked into giving their Github credentials to an attacker by a phishing email and fake website, despite multifactor authentication (MFA). What makes this scary is that this wasn't just a random user from sales or another business function, it was developers with access to a lot of Dropbox data. Thankfully, the scope of the incident doesn't appear to affect Dropbox's most critical data.

GitHub, and other platforms in the continuous integration/continuous deployment (CI/CD) space, are the new "crown jewels" for many companies. With the right access, attackers can steal intellectual property, leak source code and other data, or conduct supply chain attacks. It goes even farther, as GitHub often integrates with other platforms, which the attacker may be able to pivot. All of this can happen without ever touching the victim's on-prem network, or many of the other security tools that organizations have acquired, since it is all software-as-a-service (SaaS)-to-SaaS.

Security in this scenario can be a challenge. Every SaaS provider does it differently. A customer's visibility into what happens in these platforms is often limited. GitHub, for example, only gives access to its Audit Log API under its Enterprise plan. Getting visibility is only the first hurdle to overcome, the next would be to make useful detection content around it. SaaS providers can be quite different in what they do and the data that they provide. Contextual understanding of how they work will be required to make and maintain the detections. Your organization may have many such SaaS platforms in use.

**How Do You Mitigate Risks Associated With Phishing in the Cloud?**

Identity platforms, such as Okta, can help mitigate the risk, but not completely. Identifying unauthorized logins is certainly one of the best ways to discover phishing attacks and respond to them. This is easier said than done, as attackers have caught on to the common ways of detecting their presence. Proxy servers or VPNs are easily used to at least appear to come from the same general area as the user in order to defeat country or impossible travel detections. More advanced machine learning models can be applied, but these are not yet widely adopted or proven.

Traditional threat detection is starting to adapt to the SaaS world as well. Falco, a popular threat detection tool for containers and cloud, has a plug-in system that can support nearly any platform. The Falco team has already released plug-ins and rules for Okta and GitHub, among others. For example, the GitHub plug-in has a rule that triggers if any commits show signs of a crypto miner. Levering these purpose-built detections is a good way to get started in bringing these platforms into your overall threat detection program.

**Phishing Is Here to Stay**

Phishing, and social engineering in general, will never be left behind. It has been an effective attack method for years, and will be for as long as people communicate. It is critical to understand that these attacks are not limited to the infrastructure you own or manage directly. SaaS is especially at risk due to the lack of visibility most organizations have to what actually happens on those platforms. Their security cannot be written off as someone else's problem, as a simple email and fake website is all it takes to get access to those resources.

Phishing in the Cloud: We're Gonna Need a Bigger Boat

Rapid adoption showcases increased interest in cyber education and training for individuals looking to enter the field while helping decrease the workforce gap.

**ALEXANDRIA, Va., Dec. 8, 2022 /PRNewswire/ —** (ISC)² – the world's largest nonprofit association of certified cybersecurity professionals – today announced it has registered more than 110,000 (ISC)² Candidates to help address the global cybersecurity workforce gap of 3.4 million professionals. The recruitment milestone comes within three months of launching (ISC)² Candidates, to help individuals pursue or consider a career in cybersecurity.

(ISC)² Candidates provide those pursuing or building a cybersecurity career with exclusive offerings, including discounts on (ISC)² certification education courses, study materials and events. The initiative encourages Candidates to work toward earning an (ISC)² certification such as the (ISC)² CISSP® or (ISC)² Certified in CybersecuritySM entry-level certification.

"The early success of (ISC)² Candidates underscores the strong global interest in cybersecurity careers and how programs aimed at educating the next generation of professionals can effectively help address the global workforce gap," said Clar Rosso, CEO, (ISC)². "The strong adoption of (ISC)² Candidates demonstrates there is no shortage of interest in joining the profession; the challenge is creating new entry points that remove barriers and embrace the diverse skillsets, experiences and aptitudes necessary for a successful career. (ISC)² is preparing these individuals by providing a new cybersecurity career pathway through (ISC)² Candidates."

The 2022 (ISC)² Cybersecurity Workforce Study reveals there is no single pathway into cybersecurity. The data shows a shift in how people are entering the field, with nearly half of respondents under the age of 30 moving into cybersecurity from a career outside IT. The change highlights the importance of (ISC)² Candidates, as it provides a way for individuals to enter the field through non-traditional methods.

**Free Certification Exams and Training for 1 Million**

(ISC)² also has launched One Million Certified in Cybersecurity. This initiative pledges to provide free, entry-level cybersecurity certification exams and self-paced educational program courses to one million new professionals starting a career in cybersecurity. More than 98,350 people have enrolled for a free Certified in Cybersecurity course and exam in the last three months.

To learn more, visit www.isc2.org/candidate.

**About (ISC)²  
**(ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)² offers a portfolio of credentials that are part of a holistic, pragmatic approach to security. Our association of candidates, associates, and members, nearly 280,000 strong, is made up of certified cyber, information, software, and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation – The Center for Cyber Safety and Education™. For more information on (ISC)², visit www.isc2.org, follow us on Twitter, or connect with us on Facebook and LinkedIn.

(ISC)² Recruits 110,000 People Interested in a Cybersecurity Career in Three Months

Startup raises $8.5 million in seed funding led by Ten Eleven Ventures.

**CHARLESTON, S.C., Dec. 8, 2022 /PRNewswire/ —** Interpres Security, a company dedicated to helping companies optimize their security performance with a comprehensive new approach to managing the defense surface, announced its emergence from stealth alongside $8.5M in seed financing led by Ten Eleven Ventures. The Interpres Security platform offers a customized, continuous, and threat-informed analysis of an organization's detection and mitigation capabilities and provides automated security engineering directives based on this evaluation, ultimately enabling a hardened security posture in the most efficient manner possible.

To address the expanding number of cybersecurity threats, organizations now use an average of 76 tools in their security stack. Despite this level of investment, organizations still do not know how effective this tooling is against their specific and expanding threat profile. Without a clear picture of the most relevant threats or how well their current tools work against them, organizations do not have a complete view of how well-defended they are.

After experiencing a systems breach firsthand at a classified security operations center, members of the Interpres Security founding team developed a new Threat Centric Methodology to validate the effectiveness of all of the security vendors in the environment. This approach proved successful, and later the same methodology became the genesis for Interpres Security's automation of these capabilities into their new platform.

Interpres Security currently integrates the MITRE ATT&CK framework to prioritize threat coverage based on the adversaries most likely to target an organization, the malware and techniques those adversaries use, and the prevalence of those attacks as seen in the wild. It then recommends mitigations, telemetry collection strategies, and detection logic best suited to fill the prioritized gaps in coverage across the enterprise to detect and mitigate threats most likely to target the organization. It does all this while utilizing the organization's existing investment in cybersecurity products and solutions. Once the defense ecosystem is optimized, Interpres maintains this state through a situational awareness dashboard that detects drift in configuration and changes to risk posture while offering detailed board-level reporting.

"Until now, only large security engineering teams have even been able to attempt to analyze, validate, and optimize an organization's specific security toolset and processes. However, the detailed analysis and threat intelligence needed is extremely time-consuming and manually intensive to complete. The capabilities that we have automated within the Interpres platform goes beyond the scope of what humans can complete regularly, in real-time," said Nick Lantuh, Chief Executive Officer and Co-Founder at Interpres Security and former Founder and President of NetWitness (acquired by EMC in 2011). "It's time for a new approach. Automation and threat-informed prioritization are necessary to properly assess, configure, optimize and align current security tools to optimally defend against advanced threats in a timely manner. That's the value of the Interpres platform."

"We see CISOs regularly struggle to get a handle on which security tools are most effective for their organization's specific needs," said Mark Hatfield, General Partner at Ten Eleven Ventures and new board member at Interpres Security. "They want to hold the vendors accountable for what they've promised - to understand how well their tools stand up to threats they are most likely to face. The exceptional team at Interpres Security has developed a platform that does exactly that - help companies 'shrink the stack', get the most out of their existing cybersecurity investments, understand where they are and are not protected, rationalize product investments and harden their defenses."

**About Interpres Security**

Interpres Security makes security performance intelligible and provable for the enterprise with a comprehensive new approach to managing the defense surface. With Interpres, security teams can take a threat-informed perspective to understand what their current tools can detect and defend against, identify gaps and inefficiencies, and iteratively improve their security posture with a data-driven and custom tailored approach. Interpres Security is backed by top cybersecurity specialist investor, Ten Eleven Ventures. To learn more and request a demonstration of the platform, visit their website at InterpresSecurity.com and follow the company on LinkedIn or Twitter.

**About Ten Eleven Ventures**

Ten Eleven Ventures is the original cybersecurity-focused, global, stage agnostic investment firm. The firm finds, invests, and helps grow top cybersecurity companies addressing critical digital security needs, tapping its team, network, and experience to help build successful businesses. Since its founding, Ten Eleven Ventures has raised over $US 1 billion and made over 40 cybersecurity investments across stages worldwide, including KnowBe4, Darktrace, Twistlock, Verodin, Cylance, and Ping Identity. For more information, please visit www.1011vc.com or follow us on Twitter @1011vc.

Source

DARKReading