No agreement could be reached on terms of a firm offer, the provider of AI-based cybersecurity products says.

US private equity firm Thoma Bravo, which has been on a cybersecurity vendor buying spree lately, has walked away from plans to add British cybersecurity firm Darktrace to its portfolio.

The two sides parted ways after failing to come to an agreement on the terms of a deal. The news sent shares of Darktrace plunging nearly 35% Thursday on the London Stock Exchange, falling from 514.6 pence per share (about US$5.91) at close of trading Wednesday to 337.1 pence per share (roughly $3.87) on Thursday.

Darktrace — a provider of AI-based cybersecurity technologies — on Aug. 15 announced that it had received several "preliminary and conditional proposals" from Thoma Bravo to purchase the company. The security firm said Thoma Bravo was in early discussions to buy it out in an all-cash transaction, but it had cautioned at the time that there was no certainty that an offer would be made.

On Thursday, Darktrace said those discussions had broken down, and that an agreement could not be reached on the terms of an offer.

"Further to the announcement made earlier today by Thoma Bravo that it does not intend to make an offer for the Company, the Board of Darktrace confirms that discussions with Thoma Bravo have terminated," the company said. "As a result of the announcement made earlier today by Thoma Bravo, the Company is no longer in an offer period for the purpose of the UK Takeover Code."

Thoma Bravo did not immediately respond to a Dark Reading request for comment on the development.

British rules governing proposed mergers and acquisition prohibit Thoma Bravo from making an offer for Darktrace for another six months, unless another firm makes a formal offer to buy the company, Reuters and several British media outlets noted.

Darktrace was founded in 2013 and currently claims to have more than 7,400 customers in 110 countries. It reported revenues of $419.3 million for fiscal year 2022 before revising that number down to $415.5 million after determining that $3.8 million in revenues should have been attributed to fiscal year 2021. Darktrace went public on the LSE in April 2021. At one point, the security vendor's market cap hit more than $8 billion, but questions over the company's valuation drove its stock down shortly thereafter and kept it there for most of this year.

Darktrace also has had its share of controversy related to British billionaire Mike Lynch, who is one of the biggest shareholders in the company. Lynch is currently fighting extradition to the US after a British court held him culpable earlier this year of artificially inflating the value of his previous company Autonomy before selling it to HP for $11.1 billion in 2011. HP filed a lawsuit against Lynch after the company was forced to write-down the value of Autonomy by $8.8 billion one year after acquiring the firm.

**Market Valuation an Unlikely Factor**

All of that said, Richard Stiennon, chief research analyst at IT-Harvest, says Thoma Bravo's change of plans likely had little to do with Darktrace being overvalued. In fact, most publicly traded cybersecurity companies are way down from their highs last summer and, if anything, are dramatically undervalued, Stiennon says.

"I don't think Thoma Bravo is backing off of Darktrace because of valuations," he says. "I think strategically there is not a clear market for the AI-enhanced threat hunting that Darktrace touts. The market is pretty much equal to Darktrace's revenue today."

**Thoma Bravo's Cybersecurity Buying Spree**

The Darktrace acquisition, if it had gone through as planned, would have added yet another company to Thoma Bravo's rapidly growing roster of cybersecurity acquisitions. Recently the private equity firm has spent tens of billions of dollars acquiring the likes of identity service provider SailPoint for $6.9 billion, Ping Identity for $2.8 billion, Proofpoint for $12.3 billion, and Sophos for $3.9 billion.

Overall, 2021 marked a record year for merger and acquisition activity in the cybersecurity sector, with some $77.5 billion in M&A volume and $29.3 billion private equity and venture capital investments, according to Momentum Cyber. Through the end of the first quarter of 2022, Momentum reported $12.2 billion in M&A activity and $7 billion in financing from VCs and PE firms.

Darktrace Shares Plunge After Thoma Bravo Acquisition Falls Apart

You certainly don't need to panic, but you do need to form a plan to prepare for the post-quantum reality.

Unless you live under a rock, you'll know that quantum computers will break the cryptography we use today in as little as 10 years. Unfortunately, most analysis on this topic is simplistic. The quantum threat is described as though a day will come where quantum is unleashed and all systems will be broken at once. This is far from the truth.

As a CISO, it's important to develop a nuanced understanding of this critical topic. You certainly don't need to panic, but you need to form a plan that's based on your business, with all its idiosyncrasies. Your peers in other companies should be doing the same thing; however, their plans will look different. There is no generic answer to the quantum threat.

In reality, the threat will materialize slowly. The first machines able to run Shor's algorithm will take weeks to break an RSA key. Only the highest value targets will be considered for attack, given the immense cost expected for that amount of computation. Over time, more machines will be capable of breaking keys, and the cost and time associated with the task will reduce dramatically. Eventually, anyone will be able to perform this attack within minutes for minimal cost.

Your goal as a CISO is to assess your risk over this unknown time frame. Do you process data so sensitive that you're likely to be among the first targets? Is some of your data more valuable than the rest? What about the lifetime of the data — how long does it need to remain secret? These are all questions to consider as you create a pragmatic plan to address the quantum threat.

**Understand the Status Quo**

At a recent conference, I heard a law firm describe its response to a major cyberattack. During the confusing first days, the company was desperate to assess whether its critical data was safe. Yet the respondents realized they weren't sure what data mattered most. Eventually they concluded their client data was more important than the rest of the business combined. This shaped the firm's subsequent decisions and accelerated its response time.

Ideally, you would reach these conclusions before a major cyberbreach. And certainly, you must understand your business priorities before you plan your post-quantum migration plan. CISOs need to develop an inventory of every system that describes:

*   The business importance of the data.
*   How cryptography protects the data at rest and in transit.
*   How long the data needs to remain secret. 

If you already have this data in hand, congratulations — you're unusually well-prepared. For most CISOs, however, this information is patchy, at best. Understanding the status quo is the critical first step in your migration.

**Pragmatically Prioritize**

Next comes the difficult piece. With your pragmatic hat on, you need to decide the order in which to migrate your systems to post-quantum algorithms. You can't change everything at once, and it's likely to be years between the time your first systems are migrated and the last.

Your highest priority should be long-term sensitive data that is transmitted across the Internet. This includes health data, government secrets, client data, and intellectual property. This data is especially vulnerable thanks to an attack sometimes known as "hack now, decrypt later," in which attackers record encrypted transmissions to decrypt in the future using a quantum computer.

If your company develops physical devices, such as in the Internet of Things (IoT) industry, you will need to pay particular attention to migrating roots of trust toward post-quantum algorithms. Devices that are expected to remain secure for 10 or more years are definitely at risk from fraudulent firmware once the quantum threat arrives.

This is the hardest step in the migration process because it's unique to your business. But it's worth doing correctly so that you allocate resources appropriately. This process also highlights the vendors you need to work closely with, as they migrate their own systems to post-quantum protection.

**Start Testing**

Once your migration plan is in place, the next step is to perform testing to understand the impact of shifting your systems toward post-quantum algorithms. The new post-quantum algorithms behave differently than the algorithms we use today, and it won't always be a simple task to pull one algorithm out and replace it with another.

Even with the recent NIST announcement of its initial quantum-resistant algorithm candidates, post-quantum algorithms are not yet standardized, and it may take until 2024 until that happens. Use this time wisely to understand where you need to invest additional resources to cope with the changes that lie ahead.

**Take the Chance to Build Better**

Whenever I talk about quantum, I find the conversation quickly drifts to the quantum threat. However, I encourage people to think positively about quantum technology and even the quantum threat itself.

Responding to the threat will require an immense upheaval of systems, similar in scope to the Y2K challenge. This is a rare opportunity to touch each of our systems and change them for the better. It's certain that this algorithm migration won't be the last one we have to conduct. Let's use this opportunity to build crypto agility into our systems, so the next migration is far less painful.

And while we are rebuilding crypto systems, we should explore how we can build on firmer foundations. This is where quantum technology has a role to play. As we look to a future where threat actors have quantum computers as a weapon, we should look to defend ourselves with the same amount of power. Quantum is a dual-edged sword, and we should ensure that, as defenders, we are ready to wield it for protection as well.

A Pragmatic Response to the Quantum Threat

From analyzing your company's risk profile to knowing where keys are stored and who can access them, prioritize key clean-up and management. Make compliance an outcome and develop a risk management strategy.

The stratospheric rise in the number of global cybersecurity attacks cast a floodlight on the critical need to follow best practices with encryption and security in general. Adopting an inside-out mindset is one thing; putting it into practice is another.

To assist, the team at Cryptomathic has compiled a list of five key pointers to better cryptographic key management to help organizations jumpstart the journey.

**Tips for Better Cryptographic Key Management**

**1\. Start with really good keys — and an inventory scan.** Without a doubt, the most important thing you can do is make sure that your organization is using high-quality keys. If you don't use good keys, what's the point? You're building a house of cards.

Creating good keys requires knowing where the keys come from and how they were generated. Did you create them on your laptop or with a pocket calculator, or did you use a purpose-built tool designed specifically for the job? Do they have enough entropy? From generation, to usage, to storage, the keys should never leave the secure boundaries of a hardware security module (HSM) or a similar device.

Chances are, your organization is already using keys and certificates — do you know where they reside? Who has access to them and why? Where are they stored? How are they managed? Create an inventory of what you have and then start to prioritize the clean-up and centralization life cycle management for those keys, certificates, and secrets.

**2\. Analyze your entire risk profile across your whole environment.** You can create the most brilliant, thorough, and comprehensive cybersecurity strategy, but ultimately, it will only be successful if everyone in your organization buys in and complies with it. That's why it's important to develop a risk management strategy with input from representatives from across the business. Include compliance and risk people from the beginning to keep the process honest. For the security processes and protocols to be meaningful, they must include everyone from IT people to the business units who bring use cases and can go back and explain to their peers why the security steps are necessary.

**3\. Make compliance an outcome, not the ultimate objective.** This might sound counterintuitive, but hear me out. Even though compliance is incredibly important, there's an inherent risk to using regulatory compliance as the sole driver of your strategy. When systems are designed to simply tick the boxes on a regulatory checklist, organizations miss the broader, more important point: to design and build for better security.

Instead, use regulations and security standards as a guideline for the minimum set of requirements and then make sure that your efforts actually address your security and business needs going forward. Don't let compliance be a distraction from the real objective.

**4\. Balance security with usability.** How does security affect usability? Have you created a system that's so secure that it's impractical for most users? It's imperative to find a balance between security and the user experience, and to make sure that the security processes don't hinder people from actually doing their work. For example, multifactor authentication can be a great way to make access more secure, but if it's not implemented correctly, it can cause workflows to break down and efficiency to take a nosedive.

**5\. Be a specialist … that knows when to call an expert.** Key management is serious business and should be treated as such. Someone in your organization should become really proficient at understanding the tools and technology to establish good key management practices at the core of everything your organization does.

At the same time, it's equally important to recognize when you need expert support, like when your organization has too many keys to manage. The National Institute for Standards and Technology (NIST) publishes a huge document that lays out recommendations for everything that should and shouldn't be done to establish good key management practices. Cryptography professionals deep-dive into these recommendations to make sure that the cryptographic tools and key management solutions offered meet these standards. That way, when your organization needs additional support for the key management process, you'll have the framework to evaluate the options and find the expertise you need to secure your assets effectively.

5 Keys to Better Key Management

Instagram and Facebook parent company Meta was slapped with the fine for exposing the personal data of minors.

Following an investigation that began in 2020, Ireland's data privacy regulation agency will reportedly issue Meta a $400 million fine, for mishandling Instagram user data belonging to minors.

The Data Protection Commissioner (DPC) told Reuters the full decision on the Instagram data privacy fine will be released in a few days.

Reuters reported the DPC was looking into the ability of 13-to-17-year-old users to obtain business accounts, exposing their personal information in violation of GDPR data privacy rules. Instagram and Facebook parent company Meta has vowed to appeal, but has since put measures in place to protect under-age users' data.

Last March, the DPC issued a €17 million (US$16.9 million) fine against Meta for noncompliance with GDPR regulations following a series of 12 data breaches.

Reuters added that the draft ruling against Instagram was shared with other European Union regulators, so there could be more fines coming.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Meta to Appeal $400M GDPR Fine for Mishandling Teen Data in Instagram

A slew of Microsoft Exchange vulnerabilities (including ProxyLogon) fueled a surge in attacks targeting software flaws in 2021, but the trend has continued this year.

Breaches involving phishing and credential compromise have received a lot of attention in recent years because of how frequently threat actors have employed the tactics in executing both targeted and opportunistic attacks. But that doesn't mean that enterprise organizations can afford to lessen their focus on vulnerability patching one bit.

A report from Kaspersky this week identified more initial intrusions last year resulting from exploitation of vulnerabilities in Internet-facing applications than breaches involving malicious emails and compromised accounts _combined_. And data the company has collected through the second quarter of 2022 suggests the same trend might be playing out this year as well.

Kaspersky's analysis of its 2021 incident-response data showed that breaches involving vulnerability exploits surged from 31.5% of all incidents in 2020 to 53.6% in 2021. Over the same period, attacks associated with the use of compromised accounts to gain initial access declined from 31.6% in 2020 to 17.9% last year. Initial intrusions resulting from phishing emails decreased from 23.7% to 14.3% during the same period.

**Exchange Server Flaws Fuel the Exploit Frenzy**

Kaspersky attributed the surge in exploit activity last year as likely tied to the multiple critical Exchange Server vulnerabilities that Microsoft disclosed, including a set of four zero-days in March 2021 known as the ProxyLogon flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065). When chained together they allowed attackers to gain complete remote control over on-premises Exchange Servers. 

Attackers — which included organized criminal gangs and state-sponsored groups from China — quickly exploited tens of thousands of vulnerable Exchange Server systems and dropped Web shells on them before Microsoft could issue a patch for the flaws. The vulnerabilities evoked considerable concern because of their ubiquity and severity. They even prompted the US Department of Justice to authorize the FBI to take the unprecedented step of proactively removing ProxyLogon Web shells from servers belonging to hundreds of organizations — in most cases, without any notification.

Also driving the exploit activity in 2021 was another trio of Exchange Server vulnerabilities collectively labeled ProxyShell (CVE-2021-31207, CVE-2021-34473, CVE-2021-34523) that attackers used extensively to drop ransomware and in business email compromise (BEC) attacks.

More than a year later, the ProxyLogon and ProxyShell vulnerabilities continue to be targets of heavy exploit activity, says Konstantin Sapronov, head of Kaspersky's Global Emergency Response Team. One of the most severe of these flaws (CVE-2021-26855) has also been the most targeted. Kaspersky observed the vulnerability — part of the ProxyLogon set — being exploited in 22.7% of all incidents involving vulnerability exploits that it responded to in 2021, and the flaw continues to be a favorite among attackers this year as well, according to Sapronov.

**Same Exploitation Trend Likely Playing Out in 2022**

Even though several serious vulnerabilities have surfaced this year — including the ubiquitous Apache Log4j vulnerability (CVE-2021-44228) — the most exploited vulnerabilities of 2021 remain very prevalent in 2022 as well, Sapronov says, even beyond the Exchange server bugs. For instance, Kaspersky identified a flaw in Microsoft's MSHTML browser engine (CVE-2021-40444, patched last September) as the most heavily attacked vulnerability in the second quarter of 2022.

"Vulnerabilities in popular software such as MS Exchange Server and library Log4j have resulted in a huge number of attacks," Sapronov notes. "Our advice to enterprise customers is to pay close attention to patch management issues."

**Time to Prioritize Patching**

Others have noted a similar spike in vulnerability exploit activity. In April, researchers from Palo Alto Networks' Unit 42 threat research team noted how 31%, or nearly one in three incidents, they had analyzed up to that point in 2022 involved vulnerability exploits. In more than half (55%) of those, threat actors had targeted ProxyShell. 

Palo Alto researchers also found threat actors typically scanning for systems with a just-disclosed flaw literally minutes after the CVE is announced. In one instance, they observed an authentication bypass flaw in an F5 network appliance (CVE-2022-1388) being targeted 2,552 times in the first 10 hours after vulnerability disclosure.

**Post-Exploitation Activity is Tough to Spot**

Kaspersky's analysis of its incident-response data showed that in nearly 63% of cases, attackers managed to stay unnoticed in a network for more than a month after gaining initial entry. In many cases, this was because the attackers used legitimate tools and frameworks such as PowerShell, Mimikatz, and PsExec to collect data, escalate privileges, and execute commands. 

When someone did quickly notice a breach, it was typically because the attackers had created obvious damage, such as during a ransomware attack. "It's easy to detect a ransomware attack when your data is encrypted, as services are unavailable, and you have a ransom note on your monitor," Sapronov says.

But when the target is a company’s data, attackers need more time to roam around the victim’s network to collect necessary information. In such cases, attackers act more stealthily and cautiously, which makes these kinds of attacks harder to detect. "To detect such cases, we suggest employing a security tool stack with extended detection and response (EDR)-like telemetry and implement rules for detection of pervasive tools used by adversaries," he says.

Mike Parkin, senior technical engineer at Vulcan Cyber, says the real takeaway for enterprise organizations is that attackers will take any opportunity they can to breach a network. 

"With a range of exploitable vulnerabilities, it’s not a surprise to see an uptick," he says. Whether the numbers are higher for vulnerabilities over socially engineered credential attacks, is hard to say, he notes. 

"But the bottom line is threat actors will use the exploits that work. If there's a new remote code exploit on some Windows service, they’ll flock to it and breach as many systems as they can before the patches come out or firewall rules get deployed," he says.

The real challenge is the long-tail vulnerabilities: The ones that are older, like ProxyLogon, with vulnerable systems that have been missed or are ignored, Parkin says, adding that patching must be a priority.

Vulnerability Exploits, Not Phishing, Are the Top Cyberattack Vector for Initial Compromise

The initial access broker (IAB) for ransomware gangs known as UAC-0098 has targeted Ukrainian organizations in five separate phishing campaigns spanning April to August.

Former members of the Russia-linked Conti ransomware gang are repurposing their tactics to join in with an initial access broker (IAB) that's been targeting Ukraine in a series of phishing campaigns that occurred over a recent four-month span.

Google Threat Analysis Group (TAG) has been tracking recent activity of a group it identifies as UAC-0098, which researchers think now includes former members of the notorious ransomware actor.

As TAG's Pierre-Marc Bureau wrote in a blog post published Wednesday, UAC-0098 — historically known for delivering the IcedID banking Trojan as a prelude to human-operated ransomware attacks — in recent months has acted specifically against Ukrainian organizations, the government of Ukraine, and pro-Ukraine European humanitarian and nonprofit organizations.

The activity's goal has been to sell persistent access into such targets' networks to various ransomware groups, including Quantum and Conti (aka FIN12 or Wizard Spider).

UAC-0098's latest campaigns demonstrate a shift in focus to politically motivated actions, reflecting the group's affiliation with Conti and, unsurprisingly, its support of Russia's military actions against Ukraine, notes Tom Kellermann, CISM and senior vice president of cyber strategy at Contrast Security.

"Conti's recent engagement in the war illustrates not only their patriotism to Russia but their need to pay homage to the regime," he said in an email to Dark Reading.

**Making the Connection**

Google TAG discovered five separate and specific phishing campaigns that occurred from April to August, using tools and tactics previously identified with Conti. Threat actors impersonated several known entities to lure victims into downloading malware using typical phishing tactics to give ransomware groups access for further threat activity.

The first campaign that linked UAC-0098 to Conti caught TAG's attention in late April, when researchers identified attacks delivering AnchorMail, also referred to as "LackeyBuilder." AnchorMail, developed by Conti and previously installed as a Trickbot module, is a version of the Anchor backdoor that uses the simple mail transfer protocol (SMTPS) for command-and-control (C2) communication.

"The campaign stood out because it appeared to be both financially and politically motivated," Bureau wrote in the post. "It also seemed experimental: instead of dropping AnchorMail directly, it used LackeyBuilder and batch scripts to build AnchorMail on the fly."

Researchers also identified UAC-0098 activity in another email campaign that occurred earlier in the month to deliver IcedID and Cobalt Strike as attachments to Ukrainian organizations. This particular initial phase of the group's Conti-linked activity occurred between mid-April to mid-June, and primarily targeted hotels in the Ukraine.

**Other Campaigns**

Another phishing attack occurred on May 11 when UAC-0098 targeted Ukrainian organizations in the hospitality industry with phishing emails impersonating the National Cyber Police of Ukraine. The emails contained a download link urging targets to use it to update their operating systems; the link generated a PowerShell script to fetch and execute IcedID.

On May 17, UAC-0098 used a compromised account of a hotel in India to send phishing emails again to Ukrainian hospitality organizations, researchers said. The emails included an attached .ZIP archive containing a malicious .XLL file that downloaded a variant of IcedID.

On that day, the same compromised account also was used to target humanitarian nongovernmental organizations (NGOs) in Italy, delivering IcedID as an .MSI file through the anonymous file sharing service dropfiles\[.\]me.

Two days later in a fourth separate campaign, UAC-0098 impersonated representatives of Elon Musk and his StarLink satellite service using the address "\[email protected\]\[.\]info" to send phishing emails claiming to deliver software required to connect to the Internet using StarLink satellites. The email included a link to an .MSI installer dropping IcedID, downloaded from the attacker-controlled domain, "starlinkua\[.\]info."

Four days later, a similar attack targeted a wider range of Ukrainian organizations operating in the technology, retail, and government sectors using the same IcedID binary with a file name that resembled a Microsoft update, researchers said.

The last phishing campaign by UAC-0098 uncovered by TAG occurred on May 24, and targeted the Academy of Ukrainian Press with a phishing email containing a Dropbox link to a malicious Excel document. The document directly fetched a Cobalt Strike file from an IP address previously used to deliver IcedID payloads in the campaign against the Italian NGOs on May 17, researchers said.

**Conti's Notorious Past**

Conti, a ransomware group active since late 2019, ceased operations as a formal entity in May. However, its members have carried on its cybercriminal legacy, remaining as active as ever either as part of other ransomware groups or as independent contractors focused on data theft, initial network access, and other criminal endeavors.

In its heyday, Conti was known as one of the most dangerous and ruthless ransomware groups in the world; one of its last acts, in fact, so crippled the government of Costa Rica that the country was forced into a state of emergency.

Though linked to Russia, Conti previously had flip-flopped in its support of Russia's invasion of Ukraine, initially showing support on its data leak site early in the conflict before issuing a retraction that condemned "the ongoing war." The group then noted in a statement soon after that it would take "retaliatory measures" if the West launched cyberattacks against Russia or Russian-speaking countries.

The latest alignment with UAC-0098 now appears to show that at least some former members of Conti are backing Russia once more. It also demonstrates a blurring of the lines between financially motivated and government-backed groups in Eastern Europe, "illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests," noted TAG's Bureau.

Another group that notably also has turned against Ukraine is Trickbot, which IBM researchers said in July had been systematically attacking Ukrainian targets over the previous three-month period. Trickbot over the years has evolved from a banking Trojan to an initial access broker and a distributor for several ransomware and malware tools, including the Conti and Ryuk ransomwares, and the Emotet Trojan.

Former Conti Ransomware Members Join Initial Access Broker Group Targeting Ukraine

Investment to fuel growth and market presence as demand grows for SaaS' next-generation security tools for managed service providers.

**WILMINGTON, N.C., Sept. 8, 2022 / PRNewswire —** SaaS Alerts, the cybersecurity company purpose-built for managed service providers (MSPs) to protect and monetize their customers' core business SaaS applications, announced today that it has secured a $22 million growth investment from global software investor Insight Partners to accelerate the growth of its SaaS Security monitoring and response platform.

The accelerated rate of SaaS Application adoption by businesses, driven by the need to provide collaboration and productivity tools to remote workforces and for more centralized and tightly controlled business data resources, has elevated awareness and critical concern for major threat vectors and security gaps that exist in SaaS Application security. These security concerns present opportunities for MSPs to better safeguard their clients while offering SaaS security services that drive profitable new revenue streams.

SaaS Alerts was designed to help MSPs monitor and protect their customers' usage of today's most popular SaaS applications such as Microsoft 365, Google Workspace, Salesforce, Dropbox and more — and to safeguard against security threats to a business' SaaS environment such as data theft, data that's at risk due to unintentional employee mishaps and actions taken by bad actors.

"We couldn't be more excited to partner with Insight Partners and we see their investment in SaaS Alerts as a monumental endorsement for what we have built and what we intend to build as we collaborate going forward," said Jim Lippie, CEO of SaaS Alerts. "I'm very proud of our team for reaching this milestone and look forward to working with Insight to continue to build value for our MSP partners and stakeholders."

"SaaS applications have become essential for businesses of every size and MSPs need the ability to better protect those applications on behalf of their customers. SaaS Alerts has pioneered SaaS security for MSPs and has a clear vision for how detecting and correlating abnormal user behavior can greatly impact the MSP industry," said Philine Huizing, Principal at Insight Partners. "We're excited to partner with SaaS Alerts as the company scales to address this unique opportunity."

**About SaaS Alerts**

SaaS Alerts is the cybersecurity company purpose-built for MSPs to protect and monetize customers' core SaaS business applications. SaaS Alerts offers a unified, real-time monitoring platform for MSPs to protect against: data theft, data at risk and bad actors and integrates with the most popular SaaS Applications. Learn more at www.saasalerts.com.

**About Insight Partners**

Insight Partners is a global software investor partnering with high-growth technology, software, and Internet startup and ScaleUp companies that are driving transformative change in their industries. As of June 30, 2022, the firm has over $80B in regulatory assets under management. Insight Partners has invested in more than 700 companies worldwide and has seen over 55 portfolio companies achieve an IPO. Headquartered in New York City, Insight has offices in London, Tel Aviv, and Palo Alto. Insight's mission is to find, fund, and work successfully with visionary executives, providing them with practical, hands-on software expertise to foster long-term success. Insight Partners meets great software leaders where they are in their growth journey, from their first investment to IPO. For more information on Insight and all its investments, visit insightpartners.com or follow us on Twitter @insightpartners.

SOURCE: SaaS Alerts

SaaS Alerts Secures $22M Investment from Insight Partners to Scale SaaS Security Monitoring and Response Platform

Penetration testing not only serves to triage and validate other defect discovery activities, it informs risk management activities, such as threat modeling and secure design.

As threats become much more pervasive and dynamic, organizations are adopting proactive security measures such as penetration testing to build out a comprehensive security strategy.

Pentesting validates that software and hardware controls have been implemented by using the same tools and techniques an attacker would use to uncover vulnerabilities. This way, organizations can identify gaps in their overall information security program and measure the effectiveness of their patch management and incident response programs.

However, modern DevSecOps teams need more speed and flexibility than what traditional pentesting engagements can deliver. Incremental pentesting programs can help identify and address security gaps more frequently because they focus on smaller segments at a time.

With the needs of DevSecOps teams in mind, penetrating testing-as-a-service (PTaaS) is seeing a higher profile.

**Development Teams Align Pentesting with DevSecOps**

PTaaS company Cobalt announced its new Agile Pentesting service to help security teams align penetration testing with the continuous integration and continuous delivery (CI/CD) pipeline. The smaller pentest engagements can help extend the reach of security teams and accelerate secure build-to-release timelines.

Andrew Obadiaru, Cobalt's CISO, says that end users of this offering are security and development teams who are looking to align pentesting more closely to their DevSecOps processes.

"These are teams who are pentesting beyond compliance obligations and conducting more targeted tests that focus on a specific area of an asset, or a specific vulnerability across an asset," he says.

The Agile Pentesting offering allows organizations to focus on a specific area of an asset, such as a new feature or product release, specific vulnerability, or incremental testing.

"Focused pentesting allows organizations and IT teams to quickly determine potential vulnerabilities or security flaws in a specific product or feature prior to deploying into production," Obadiaru adds.

**Incremental Pentesting a Risk-Based Effort**

John Steven, CTO at ThreatModeler, an automated threat modeling provider, says part of the prioritization that occurs with incremental penetration testing should be the alignment of test scope with new features and release promises.

"This creates natural alignment between delivery and security priority and focus," he explains. "Additionally, there's a quick benefit: defect studies indicate that where code churns, bugs — and vulnerability — are more likely to be found."

Steven adds that "the dirty secret" is that all penetration testing is incremental.

"Exhaustively testing even a small system would take months," he says. "Taking an incremental posture on penetration first acknowledges that the effort is 'risk-based', prioritizing that which is most impactful and likely."

Second, it allows the activity to fit more closely within the cadence of delivery, so that its results can be acted on with a minimum (if any) exposure time of vulnerable systems in production.

"Confining penetration testing efforts to those things threat modeling indicate are high impact and potentially likely for a worrying population of adversaries is perhaps the most key optimization organizations can make," he adds.

Dave Gerry, chief operating officer at Bugcrowd, a crowdsourced cybersecurity specialist, says a long-standing challenge with pentesting has been the "point-in-time" nature of the tests.

"At some pre-defined period of time, the test is completed against the then-current version of the application and a report is delivered," he says.

The challenge is that development changes significantly over the course of years, and often by the time a pentest is completed and the report is delivered, the information is already out of date due to application changes.

"By completing incremental testing on the application, security organizations can gain current and ongoing visibility into the security posture of the application as the smaller scope allows for faster testing turnaround," Gerry explains.

This enables security organizations to receive real-time information into the current security posture of the application, network, or infrastructure within scope.

**Automation Aids Continuous Testing**

Jason Rowland, vice president of penetration testing and cloud services at Coalfire, a provider of cybersecurity advisory services, says that continuous testing, given resource constraints faced by the infosec community, will require an approach that maximizes use of testers and offloads work that can be automated.

"Utilizing platforms to perform attack surface discovery and vulnerability identification, as an example, will become prevalent as we unlock the true value of offensive security," Rowland says.

As an industry impaired by the sheer volume of vulnerabilities, security alerts, and frameworks, prioritizing the behaviors of the adversary provides clarity and facilitates better decisions on the use of finite security resources, he says.

"This model is being adopted and will continue to gain prevalence as organizations focus on activities that deliver the specific outcome of minimizing the impact of security incidents," Rowland notes.

Obadiaru adds that while pentesting is a modernized approach to enhanced security, this process and method will continue to evolve — especially as cyberattacks become more commonplace and complex.

"Security tools will need to remain strong and keep up with heightened demands," he says. "It's likely we'll also see increased use of pentesting in non-traditional security areas, such as mergers and acquisitions, assurance, and regulatory compliance."

**PTaaS Offers Real-Time Insights**

Gerry notes that in the past few years, there's been an increased shift from traditional pentesting to PTaaS.

"Rather than point-in-time assessments, organizations are leveraging pentesting as an important tool in their risk and security program, rather than a necessary evil to maintain compliance with internal or external requirements," he says.

He explains by leveraging a PTaaS offering, security teams gain the ability to view results in real time via a SaaS platform, integrate pentesting into their development and security product suite, and institute ongoing testing across retests, focused-scope testing, and new product capability testing.

"Every change to a network or application, whether a major release or incremental release, represents an opportunity for new vulnerabilities to be introduced," Gerry says. "Security organizations must maintain the ability to gain real-time visibility into the current posture — both from a risk governance perspective and from a compliance perspective."

Rowland says as organizations begin to prioritize defense and detection capability investments based on the tactics, techniques, and procedures of the actors most likely to target their organization, the role of offensive security has become increasingly integrated and central to the success of the security strategy.

"Since the tactics of the adversary and attacks surface are dynamic, offensive security must continuously validate that the program is keeping pace," he explains. "Regular testing is necessary to drive and validate adjustments to defenses based new intelligence, architectural changes, or the introduction of new assets."

Steven believes that many people think of penetration testing in an "attacker-centric" way, forgetting that penetration testing is a highly technology-specific pursuit when it comes to software and platforms as well.

"We found that specialized teams were necessary for ATMs, automotive, healthcare, Web, and mobile," he says. "Still others handled mainframe and OS-level penetration testing."

He says as applications move to the cloud, penetration testing and the teams servicing that activity must adapt.

"The cloud isn't a single monolith — it's several major providers, each with tens or hundreds of specific APIs and control sets," Steven adds. "Penetration testers will have to use tools to discover sprawling cloud-based assets, no longer confined to a datacenter or IP range, and then quickly become experts in the tech stacks used by any in-play orchestration platforms, control planes, and providers."

Pentesting Evolves for the DevSecOps World

After a high-profile 2017 breach and a Holiday Inn ransomware hit earlier this year, IHG confirms that its booking channels and applications have been disrupted in yet another cyberattack.

InterContinental Hotels Group (IHG) has disclosed its systems have been breached — again — and that its booking systems and applications have been "significantly disrupted" since Sept. 5.

UK-based IHG operates 17 iconic hospitality brands, including Holiday Inn, Crowne Plaza, and Candlewood Suites. This is the third compromise the massive hotel company has had since 2017.

"IHG is working to fully restore all systems as soon as possible, and to assess the nature, extent, and impact of the incident," explained IHG in a notification of the cyberattack. "We will be supporting hotel owners and operators as part of our response to the ongoing service disruption. IHG's hotels are still able to operate and to take reservations directly."

In the previous attack, the company's point-of-sale systems were compromised, allowing cybercriminals to steal customer credit-card details for guests across 1,200 hotels. Then, in a less sweeping incident, just last month the Holiday Inn in Istanbul was reportedly the victim of a LockBit ransomware attack.

**Three Attacks Is a Trend**

It's likely the three separate attacks are connected, Justin Vaughan-Brown with Deep Instinct said in an emailed statement. 

"Unfortunately, this is not the first cyberattack that Holiday Inn has experienced, with breaches in 2017 and one last month in Istanbul," Vaughan-Brown noted. "Once cybercriminal groups know that an organization can be breached, it can encourage further attacks."

Some follow-on attacks are simple copycat cybercrimes, while others are carried out for bragging rights — i.e., to demonstrate the ability to pull off the same caper better or faster than the competition, Vaughan-Brown explained.

**Hot Hotel Data**

Any organization, like a hotel chain, that holds onto massive amounts of valuable, personal data will continue to be a prime target for cyberattacks, Erfan Shadabi, a cybersecurity expert with Comforte AG explained in a statement provided to Dark Reading.

"Consumer-based industries such as travel and entertainment, retail, and financial services definitely apply, as they collect sensitive information on large swathes of their customers and prospects," Shadabi explained. "The reason is simple: threat actors want that data for personal gain."

Holiday Inn Owner InterContinental Has a Breach Trend

Continued collaboration will help win the fight as cybersecurity remains a national priority. International and public-private cooperation is helping stem the damage from ransomware threats and cyberattacks.

As a cybersecurity leader, a large part of my job involves defending companies against cybercrime; the rest is spent figuring out how I can take the fight to the cybercriminals. You'll hear many people say things like "the threat landscape is always changing" or "cybercrime never sleeps." What they really mean is that cybercrime is a global problem — it affects every industry and every time zone. This is why I believe this is a fight we can only win by collaborating across public and private sectors, taking advantage of the skill sets, expertise, and jurisdictions our combined forces offer.

**The Power of Collaboration in Action**

My journey as a cybercrime fighter has led me into some unusual spaces. Back in early 2020, I helped co-found the CTI League, a volunteer organization that works to defend the healthcare industry from cybercriminals. The CTI League peaked at around 2,000 members, with several hundred members originating from governments and agencies all over the world, representing 80 different countries.

The power of collaboration like this cannot be understated. We were able to track and report vulnerabilities in a matter of hours and/or dismantle threats in a matter of days. Taking down malicious sites became a matter of a quick conversation, while engaging law enforcement involved little more than a quick shout-out or visiting a private channel. The league showed that it was possible to work across borders, organizations, and with governments all over the world.

**Borderless Expertise — The Private Sector's Advantage**

The cybersecurity industry has grown immensely over the past 10 years, and has continued to try to keep pace with cybercriminals. Some of the brightest minds working on the most advanced technologies have made it possible to gather risk signals, detect threats, and help prevent attacks everywhere, including for government agencies and global nongovernmental organizations. The depth of the private sector's expertise, and, in some cases, the capabilities of organizations' themselves to throttle cybercriminal infrastructure, cannot be overstated. It's key to staying on top of a global, borderless ransomware problem.

This diversification of expertise and the skill sets that are needed to succeed in such a fast-moving, competitive environment means that operationally, the private sector will always be faster, more agile and more focused than the public sector, which is generally spread much thinner and consequently limited to a number of select, specialized priority missions. This means that the private sector will always have a different, likely broader view of the threat landscape than the public sector and, consequently, broader operation scope, too. This puts the private sector in a unique position where it can help inform and expand missions undertaken by the public sector. Missions like taking on the entire cybercrime ecosystem.

**The Public Sector's Governance Opportunity**

Governmental agencies have the ability to not only centralize insights, findings, and investigative groups, but they can levy the kinds of broad policy enforcements that can change the way the industry and organizations operate. A good example of this is the "Know Your Customer" (KYC) rules enforced on financial institutions.

KYC enforcement has made a huge impact on financial crimes, and is starting to have an impact on ransomware where exchanges agree to enforce them properly. Governance initiatives like this can help the public sector improve its security posture, mitigate modern risks, and improve efficiency. By uniting lawmakers and enforcement agencies, the public sector can change the course of the industry and the landscape in which criminals and private sector outfits operate.

**Joining Forces to Combat Cybercrime**

Combining the capabilities of both groups and attacking the very ecosystem that they thrive in is the only way we are going to beat cybercriminals at their game. There is already a precedent for this kind of success.

For the last year, I have also been a member of the IST Ransomware Task Force (RTF), a group of industry experts who dedicate time to fighting the scourge of ransomware. Led by the Institute of Security and Technology (IST), the RTF works across industry sectors and collaborates closely with policy makers, law enforcement, and other agencies to ensure that we both protect our nation and take the fight to the threat actors who profit from this crime.

Since publishing its inaugural report, we have seen good progress, as 88% of the recommendations that were in the report have seen some implementation. The complete status of report recommendations can be read here (PDF). Just as encouragingly, Director Jen Easterly of the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Agency (CISA) made it clear that the US government's Joint Ransomware Task Force would include a significant role for the private sector, and the IST Ransomware Task Force specifically.

We still have much work ahead of us. Ransomware is not just the well-known names we read about in the papers, names such as Conti, LockBit, and Ryuk. These are just façades — brands that hide an ecosystem of criminals who move around and change their tactics on a regular basis, because it's profitable. Until we join together and attack that profitability, whether it's through driving up the cost of doing business or seizing their ill-gotten gains, we won't disrupt their businesses. I do believe we can do it, though. There's more of us than there are of them, and we are just as dedicated and passionate as they are — perhaps more so because we are fighting for the common good of organizations everywhere.

Together, we can take away the tools they use to build their software. We can identify and restrict the places that provide them with sanctuary, and we can reach out and empty their pockets, destroying their lifestyle. By hitting at the very heart of what makes them successful — criminal enterprises — we can disrupt every ransomware group at once, ultimately crushing them entirely. However, we should expect these criminals to look for different schemes, and that's why building lasting partnerships to keep the pressure on the whole ecosystem will be so important.

Source

DARKReading