Businesses need to re-evaluate their cyber-insurance policies as firms like Lloyd's of London continue to add restrictions, including excluding losses related to state-backed cyberattackers.

Companies will need to re-evaluate their cyber-insurance premiums after major insurance companies have adopted exclusions for catastrophic cyberattacks conducted by "state-backed" actors.

This limits the risk that companies can offset with cyber insurance, security and risk experts tell Dark Reading — making taking out a policy potentially not worth it.

In the latest limits on cyber policies, insurance marketplace Lloyd's of London issued a notice on Aug. 16 to its member insurers, or syndicates, requiring that they exclude coverage for state-backed cyberattacks. The motive for the additional restrictions is to protect insurance companies and their underwriters from catastrophic loss, and help manage systemic risk that could overwhelm insurers, Lloyd's market bulletin stated.

**Is Cyber Insurance Still Worth It?**

While the insurers' position is understandable, businesses — which have already seen their premiums skyrocket over the past three years — should question whether insurance still mitigates risk effectively, says Pankaj Goyal, senior vice president of data science and cyber insurance at Safe Security, a cyber-risk analysis firm.

"Insurance works on trust, \[so answer the question,\] 'will an insurance policy keep me whole when a bad event happens?' " he says. "Today, the answer might be 'I don't know.' When customers lose trust, everyone loses, including the insurance companies."

The cyber-insurance industry has seen profits decline sharply in the past decade, as losses jumped from 35% of the revenue from premiums five years ago, to 72% in 2020. To adapt, insurance companies have dramatically raised the cost of policies — by 74% just in 2021, after rising 22% in 2020, according to FitchRatings.

    

Cyber insurance loss ratios peaked at 72% in 2020. Source: FitchRatings

Yet, insurance firms have also focused on limiting their liability. In 2021, global insurance firm AXA decided to stop paying ransoms to cybercriminals. And over the past two years, insurance companies have added act-of-war exclusions to their policies.

In its market bulletin (PDF), Lloyd's argued that the risk posed by cyberattacks continues to evolve and its members need to adapt to the threats posed by large or widely distributed attacks. While wartime risks are often excluded, Lloyd's requires that syndicates go further and ensure that certain policies have "a suitable clause excluding liability for losses arising from any state-backed cyberattack."

"If not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage," the insurance facilitator stated. "In particular, the ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb."

The decisions come after pharmaceutical firm Merck won its lawsuit against its insurers after they refused to pay its $1.4 billion in business losses sustained in the NotPetya crypto-ransomware attack in 2017. The judge in the case ruled that the insurance policies' act-of-war exclusion did not apply, because the clause was meant to only exclude losses during armed conflicts.

Regardless, the policy changes are poorly thought out, some argue. 

 "Signs point to continued breaches and hacks, resulting in a longer claims process, and more litigations," says Goyal. "Unless the industry can collectively fix the way cyber insurance policies are understood, written and priced, ensuring that they are based on actual data and individual organizational risk — one size does not fit all — there is no end to the challenges and mistrust in cyber insurance."

**Too Broad an Exclusion**

The key problem is that the term "state-backed cyberattack" could be a very broad exclusion, and if abused by the insurance industry, one that will scuttle the usefulness of cyber insurance, experts say.

Attributing an attack to a nation-state is notoriously difficult, says James Turgal, vice president of cyber-risk and strategy for Optiv, a cybersecurity consultancy.

"Even if a computer involved in the attacks was traced back to an IP address located in an Iranian or North Korean military base, that doesn't necessarily mean that it was an attack done with the knowledge of or at the direction of the government's authorities," he says. "It could have been compromised by hackers in other countries \[as a false-flag attempt\]."

Currently, almost two-thirds of companies — 64% — suspect that they have been either directly targeted or impacted by a nation-state attack, says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. Many of the major sources of cyberattacks against North American, European, and Asian companies come from cybercriminal groups linked in some way with China, Iran, North Korea, or Russia. Whether that link will equate to being "state-backed" is an open question.

"These companies are clearly going to be worried about whether insurers will deem most attacks to be nation-state sponsored," he says. "As a result, we expect most businesses that are serious about security to double down on their efforts to protect themselves from hackers in the first place."

Insurers will have to develop clear guidelines regarding what evidence and data will be used to determine the attribution of an attack, and what behavior patterns or data points they will consider in determining whether an attack is state-backed, he says.

**Time to Beef Up Cyberdefenses**

Indeed, the exclusion will likely result in fewer companies relying on cyber insurance as a way to mitigate catastrophic risk. Instead, companies need to make sure that their cybersecurity controls and measures can mitigate the cost of any catastrophic attack, says David Lindner, chief information security officer at Contrast Security, an application security firm.

Creating data redundancies, such as backups, expanding visibility of network events, using a trusted forensics firm, and training all employees in cybersecurity can all help harden a business against cyberattacks and reduce damages.

"Organizations cannot just rely on their cyber insurance policy and must proactively protect themselves from these catastrophic cyberattacks," Lindner says.

Companies also should not expect insurance firms to reverse course. Their approach is just a continuation of the industry's reactive approach to cyber insurance, says Safe Security's Goyal. Insurance firms have increased premiums, put sub-limits on ransomware, and now, have adopted arguably broad exclusions, which may just result in delayed payouts and an increase in lawsuits when insurers refuse to pay out on a large policy.

Cyber-Insurance Firms Limit Payouts, Risk Obsolescence

Documents allegedly belonging to an EU defense dealer include those relating to weapons used by Ukraine in its fight against Russia.

NATO is investigating the leak of data reportedly stolen from a European missile systems firm, which hackers have put up for sale on the Dark Web, according to a published report.

The leaked data includes blueprints of weapons used by Ukraine in its current war with Russia.

Integrated defense company MBDA Missile Systems, headquartered in France, has acknowledged that data from its systems is a part of the cache being sold by threat actors on hacker forums after what appears to be a ransomware attack.

Contradicting the cyberattackers' claims in their ads, nothing up for grabs is classified information, MBDA said. It added that the data was acquired from a compromised external hard drive, not the company's internal networks.

NATO, meanwhile, is "assessing claims relating to data allegedly stolen from MBDA," a NATO official told Dark Reading on Monday.

"We have no indication that any NATO network has been compromised," the official said.

**Double Extortion**

MBDA acknowledged in early August that it was "the subject of a blackmail attempt by a criminal group that falsely claims to have hacked the company's information networks," in a post on its website.

The company refused to pay the ransom and thus the data was leaked for sale online, according to the post.

Specifically, threat actors are selling 80GB of stolen data on both Russian- and English-language forums with a price tag of 15 bitcoins, which is about $297,279, according to a report from the BBC, which broke the news about the NATO investigation Friday. In fact, cybercriminals claim to already have sold data to at least one buyer.

NATO is investigating one of the firm's suppliers as the possible source of the breach, according to the report. MBDA is a joint venture between three key shareholders: AirBus, BAE Systems, and Leonardo. Though the company operates out of Europe, it has subsidiaries worldwide, including MBDA Missile Systems in the United States.

The company is working with authorities in Italy, where the breach occurred.

MBDA reported $3.5 billion in revenue last year and counts NATO, the US military, and the UK Ministry of Defense among its customers.

**Classified Info & Ukraine**

Hackers claimed in their ad for the leaked data to have "classified information about employees of companies that took part in the development of closed military projects," as well as "design documentation, drawings, presentations, video and photo materials, contract agreements, and correspondence with other companies," according to the BBC.

Among the sample files in a 50-megabyte stash viewed by the BBC is a presentation appearing to provide blueprints of the Land Ceptor Common Anti-Air Modular Missile (CAMM), including the precise location of the electronic storage unit within it. One of these missiles was recently sent to Poland for use in the Ukraine conflict as part of the Sky Sabre system and is currently operational, according to the report.

This might provide a clue about the motive of threat actors; advanced persistent threats (APTs) aligned with Russia began hitting Ukraine with cyberattacks even before the Russian official invasion on Feb. 24.

After the conflict on the ground began, threat actors continued to throttle Ukraine with a cyberwar to support the Russian military efforts.

The sample data viewed by the BBC also included documents labelled "NATO CONFIDENTIAL," "NATO RESTRICTED," and "Unclassified Controlled Information," according to the report. At least one stolen folder contains detailed drawings of MBDA equipment.

The criminals also sent by email documents to the BBC including two marked "NATO SECRET," according to the report. The hackers did not confirm whether the material had come from a single source or more than one hacked source.

Nonetheless, MBDA insists that the verification processes that the company has executed so far "indicate that the data made available online are neither classified data nor sensitive."

NATO Investigates Dark Web Leak of Data Stolen From Missile Vendor

CISOs must adopt a new mindset to take on the moving targets in modern cybersecurity.

The concept of cybersecurity will always be defined by moving targets. Protecting an organization’s sensitive and valuable assets boils down to a competition, with bad actors attempting to outperform their targets with novel tools and strategies.

While the cybersecurity industry has always been marked by changing trends and the sudden debut of new technologies, the pace of change is accelerating. In just the last year, enterprises and large institutions have seen their activities frozen by ransomware, while major data breaches have damaged the reputations of towering organizations such as Facebook and LinkedIn. The emergence of cloud-native and hybrid cloud applications, in particular, has led to renewed security concerns. According to Flexera's 2022 State of the Cloud Report, 85% of respondents see security as their top cloud challenge.

Dramatic headlines regarding attacks and ransomware can cause cybersecurity leaders to become hyper-focused on preventing a breach at all costs. However, despite the sensational headlines that often accompany cybersecurity attacks, a breach doesn’t have to be a catastrophe. With the right combination of defensive tactics and pre-positioning, cybersecurity leaders can build confidence in the strength of their systems.

CISOs must adopt a new mindset to take on the moving targets in modern cybersecurity. These three questions will help security leaders understand how to best defend their most sensitive assets.

**1\. Where Is My Data?**

When cybersecurity leaders aim to prevent breaches by any means necessary, they're operating from a place of fear. This fear is caused by a lack of knowledge or understanding: When an organization doesn’t know where its sensitive data is kept and how well that data is protected, it can be easy to imagine any scenario in which the system is breached.

The first step toward achieving an effective cybersecurity posture is knowing exactly where data is being kept. Lack of awareness doesn’t just increase the risk of a data breach; it also increases the likelihood that an organization devotes critical resources to protect data that isn’t sensitive. CISOs must take steps to put data at the center of their security and prioritize the data that is most valuable to the business.

To protect their most valuable assets, organizations need to understand where data is stored within complex cloud architectures. After cataloging these assets, organizations must then classify whether the data holds real business value. Taking this data-centric approach to security ensures that an organization's most valuable assets are secured while spending less time on assets that require less security.

**2\. Where Is My Data Going?**

While an organization may be able to catalog where data is stored within its own systems, the challenge of cloud computing is in keeping track of where sensitive data is going. Today, developers and other employees can make a copy of sensitive data with a single click, with the potential to take that information outside of a protected environment and make it vulnerable to attacks. Automated data pipelines and data services can also extract data and move it elsewhere, leaving organizations with no idea as to who has access to their most valuable information.

Once organizations understand where data is kept and which assets are most valuable, they must then tag that sensitive data and track where it is going. This type of research can reveal a wide variety of surprises. For example, sensitive data could be traveling to a foreign server, taking it out of compliance with geographic regulations, or a bad actor could be accessing a single asset at the same time every night. When data travels, it must travel with its security posture — knowing where it’s going is key to understanding and predicting potential threat vectors.

**3\. What Happens if I Get Hacked?**

The constantly changing nature of cybersecurity, combined with the increasing number of attacks and breaches, means that it's highly likely that organizations will experience a breach during the course of their regular operations. However, this shouldn’t be reason to panic. Effective pre-positioning ensures that security teams can better manage risk and have the tools in place to ensure business continuity when a bad actor has gained access to their systems.

In this proactive approach to cybersecurity, knowledge is power. When organizations know which assets are most important and where these assets are located, it becomes much easier to protect them prior to being breached. CISOs and other security leaders must wade through an overwhelming amount of alerts and information; discovering and prioritizing high-value information makes it possible to triage operations and focus on what matters most.

In the constant battle between hackers and cybersecurity teams, the side that remains calm and projects confidence will be the winner. Focusing on preparation and knowledge allows cybersecurity leaders to remain confident in the strength of their systems, knowing that even the inevitable breach will not have any catastrophic impact.

The 3 Questions CISOs Must Ask to Protect Their Sensitive Data

Citizen development allows users to design creative solutions for immediate problems, but it requires training and oversight to avoid security holes.

Microsoft 365 Empowers Business Users to Shoot Themselves in the Foot

Citizen development allows users to design creative solutions for immediate problems, but it requires training and oversight to avoid security holes.

August 29, 2022

Citizen development allows users to design creative solutions for immediate problems, but it requires training and oversight to avoid security holes.

by Michael Bargury, CTO & Co-Founder, Zenity

August 29, 2022

6 min read

Article

Nearly 3 Years Later, SolarWinds CISO Shares 3 Lessons From the Infamous Attack

SolarWinds CISO Tim Brown explains how organizations can prepare for eventualities like the nation-state attack on his company’s software.

August 24, 2022

SolarWinds CISO Tim Brown explains how organizations can prepare for eventualities like the nation-state attack on his company’s software.

by Kolawole Samuel Adebayo, Contributing Writer

August 24, 2022

5 min read

Article

Meta Takes Offensive Posture With Privacy Red Team

Engineering manager Scott Tenaglia describes how Meta extended the security red team model to aggressively protect data privacy.

August 23, 2022

Engineering manager Scott Tenaglia describes how Meta extended the security red team model to aggressively protect data privacy.

by Jeffrey Schwartz, Contributing Writer, Dark Reading

August 23, 2022

6 min read

Article

Expiring Root Certificates Threaten IoT in the Enterprise

What happens when businesses' smart devices break? CSOs have things to fix beyond security holes.

August 22, 2022

What happens when businesses' smart devices break? CSOs have things to fix beyond security holes.

by Julianne Pepitone, Contributing Writer

August 22, 2022

6 min read

Article

NIST Weighs in on AI Risk

NIST is developing the AI Risk Management Framework and a companion playbook to help organizations navigate algorithmic bias and risk.

August 20, 2022

NIST is developing the AI Risk Management Framework and a companion playbook to help organizations navigate algorithmic bias and risk.

by Edge Editors, Dark Reading

August 20, 2022

3 min read

Article

Thoma Bravo Closes $6.9B Acquisition of Identity-Security Vendor SailPoint

All-cash transaction deal that was first announced in April means SailPoint is no longer a publicly traded company.

August 17, 2022

All-cash transaction deal that was first announced in April means SailPoint is no longer a publicly traded company.

by Dark Reading Staff, Dark Reading

August 17, 2022

1 min read

Article

Cybercriminals Weaponizing Ransomware Data for BEC Attacks

Attacked once, victimized multiple times: Data marketplaces are making it easier for threat actors to find and use data exfiltrated during ransomware attacks in follow-up attacks.

August 12, 2022

Attacked once, victimized multiple times: Data marketplaces are making it easier for threat actors to find and use data exfiltrated during ransomware attacks in follow-up attacks.

by Edge Editors, Dark Reading

August 12, 2022

3 min read

Article

Looking Back at 25 Years of Black Hat

The Black Hat USA conference's silver jubilee is an opportunity to remember its defining moments, the impact it has made on the security community, and its legacy.

August 10, 2022

The Black Hat USA conference's silver jubilee is an opportunity to remember its defining moments, the impact it has made on the security community, and its legacy.

by Andrada Fiscutean, Contributing Writer, Dark Reading

August 10, 2022

9 min read

Article

Don't Take the Cyber Safety Review Board's Log4j Report at Face Value

Given the lack of reporting requirements, the findings are more like assumptions. Here's what organizations can do to minimize exposure.

August 09, 2022

Given the lack of reporting requirements, the findings are more like assumptions. Here's what organizations can do to minimize exposure.

by Matt Chiodi, Chief Trust Officer, Cerby

August 09, 2022

5 min read

Article

What Adjustable Dumbbells Can Teach Us About Risk Management

A new workout leads to five smart lessons about the importance of converging security and fraud into a unified risk function.

August 08, 2022

A new workout leads to five smart lessons about the importance of converging security and fraud into a unified risk function.

by Joshua Goldfarb, Fraud Solutions Architect - EMEA and APCJ, F5

August 08, 2022

5 min read

Article

Name That Edge Toon: Up a Tree

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

August 01, 2022

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

by John Klossner, Cartoonist

August 01, 2022

1 min read

Article

Overcoming the Fail-to-Challenge Vulnerability With a Friendly Face

Ahead of their Black Hat USA talk in August, Simon Pavitt and Stephen Dewsnip explain the value of helping people practice cyber defense via a "malicious floorwalker" exercise.

July 27, 2022

Ahead of their Black Hat USA talk in August, Simon Pavitt and Stephen Dewsnip explain the value of helping people practice cyber defense via a "malicious floorwalker" exercise.

by Karen Spiegelman, Features Editor

July 27, 2022

6 min read

Article

Why Layer 8 Is Great

To help discern legitimate traffic from fraud, it helps to understand user intent as shown through their behavior.

July 25, 2022

To help discern legitimate traffic from fraud, it helps to understand user intent as shown through their behavior.

by Joshua Goldfarb, Fraud Solutions Architect - EMEA and APCJ, F5

July 25, 2022

4 min read

Article

Understanding Proposed SEC Rules Through an ESG Lens

Cyber threats are putting environmental, social, and governance discussions at the forefront of board meetings and C-suite discussions around the globe.

July 22, 2022

Cyber threats are putting environmental, social, and governance discussions at the forefront of board meetings and C-suite discussions around the globe.

by Stephen Lawton, Contributing Writer

July 22, 2022

5 min read

Article

Equitable Digital Identity Verification Requires Moving Past Flawed Legacy Systems

Data science can be used to improve access to government assistance while reducing fraud.

July 21, 2022

Data science can be used to improve access to government assistance while reducing fraud.

by Jordan Burris, Senior Director of Product Market Strategy for the Public Sector, Socure

July 21, 2022

5 min read

Article

Microsoft 365 Empowers Business Users to Shoot Themselves in the Foot

Researchers warned that cyberattackers will be probing the code for weaknesses to exploit later.

Cyberattackers have compromised the internal systems of LastPass, making off with source code and intellectual property.

The password management company said it detected anomalous activity in its development environment two weeks ago. After digging into the forensic data, investigators determined that someone (or someones) compromised a developer account to gain access to the network, taking "portions of source code and some proprietary LastPass technical information," according to an announcement posted this week.

Crucially, the adversaries weren't able to access customer data or encrypted password vaults.

"We utilize an industry-standard 'zero-knowledge' architecture that ensures LastPass can never know or gain access to our customers' Master Password \[and it\] ensures that only the customer has access to decrypt vault data," according to LastPass.

That said, Ajay Arora, co-founder and president at BluBracket, noted that attackers will be looking hard for potential weaknesses to exploit in the LastPass source code, potentially leading to follow-on attacks.

"An additional consequence that can occur from stolen or leaked source code is that this code can disclose secrets about an application's architecture," he said via an emailed statement. "This may reveal information about where certain data is stored and what other resources an organization may use. These factors could then equip bad actors to inflict additional harm on an organization after the fact."

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, also said in a statement that the attackers could have been probing around to see if they could find an avenue into LastPass partner or supplier networks.

“Cybersecurity companies are being targeted to facilitate island hopping," he said. "After the FireEye breach, the industry should have woken up. In 2022, cybersecurity companies must practice what they preach. Many still underinvest in their own cybersecurity. Expect to be hit and prepare to respond.”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

LastPass Suffers Data Breach, Source Code Stolen

Microsoft and others say they have observed nation-state actors, ransomware purveyors, and assorted cybercriminals pivoting to an open source attack-emulation tool in recent campaigns.

Enterprise security teams, which over the years have honed their ability to detect the use of Cobalt Strike by adversaries, may also want to keep an eye out for "Sliver." It's an open source command-and-control (C2) framework that adversaries have increasingly begun integrating into their attack chains.

"What we think is driving the trend is increased knowledge of Sliver within offensive security communities, coupled with the massive focus on Cobalt Strike \[by defenders\]," says Josh Hopkins, research lead at Team Cymru. "Defenders are now having more and more successes in detecting and mitigating against Cobalt Strike. So, the transition away from Cobalt Strike to frameworks like Sliver is to be expected," he says.

Security researchers from Microsoft this week warned about observing nation-state actors, ransomware and extortion groups, and other threat actors using Sliver along with — or often as a replacement for — Cobalt Strike in various campaigns. Among them is DEV-0237 (aka FIN12), a financially motivated threat actor associated with the Ryuk, Conti, and Hive ransomware families; and several groups engaged in human-operated ransomware attacks, Microsoft said.

**Growing Use**

Earlier this year, Team Cymru reported observing Sliver being used in campaigns targeting organizations in multiple sectors, including government, research, telecom, and higher education. One campaign, between Feb. 3 and March 4, involved a Russian-hosted attack infrastructure, while another targeted government entities in Pakistan and Turkey. In many of these attacks, Team Cymru observed Sliver being used as part of the initial infection tool chain to deliver ransomware. In other instances, the threat intelligence firm found Sliver being used in opportunistic attacks involving potential exploitation of Log4j and VMware Horizon vulnerabilities.

Researchers from BishopFox developed and released Sliver, as an open source alternative to Cobalt Strike, in 2019. The framework is designed to give red-teamers and penetration testers a way to emulate the behavior of embedded threat actors in their environments. But as with Cobalt Strike, these same features also make it an attractive threat actor tool.

**An Attractive Alternative for Adversaries**

Sliver is written in the Go programming language (Golang), and therefore can be used across multiple operating system environments, including Windows, macOS, and Linux. Security teams can use Sliver to generate implants as Shellcode, Executable, Shared library/DLL, and as-a-Service, Microsoft said. Researchers added that Golang helps adversaries also because of the relatively limited tooling available for reverse engineering of Go binaries.

Sliver also supports smaller payloads — or stagers — with a handful of features that allow operators to retrieve and launch a full implant. 

"Stagers are used by many C2 frameworks to minimize the malicious code that's included in an initial payload (for example, in a phishing email)," Microsoft said. "This can make file-based detection more challenging."

Sliver also offers many more built-in modules than Cobalt Strike, says Andy Gill, adversarial engineer at Lares Consulting; these built-in capabilities make it easier for threat actors to exploit systems and leverage tooling to facilitate access, Gill says. Cobalt Strike, in contrast, is more of a bring-your-own payload/module tool.

"Sliver lowers the barrier of entry for attackers. \[It\] offers more customization in terms of payload delivery and ways of adapting attacks to evade defenses," he notes. 

But the most appealing factor for threat actors currently is its relative obscurity and the lack of work that has been undertaken — so far, at least — in building detections for Sliver, Hopkins from Team Cymru says. "Sliver has a lot of the same capabilities as Cobalt Strike, but without such a large spotlight being shone on it," he says. This has created a potential gap in detection coverage that some attackers are now trying to exploit.

And finally, the fact that it's free, open source, and available on GitHub also makes Sliver attractive compared to Cobalt Strike, which is commercial and therefore requires threat actors to crack the license mechanism each time a new version is released, Gill says.

**Cobalt Strike Remains Gold Standard — but Attackers Have Other Frameworks**

At the same time, it would be a big mistake for organizations to discount adversarial use of Cobalt Strike, researchers warn. 

In the first quarter of this year, for instance, Team Cymru observed some 143 Sliver samples that were likely being used as a first-stage tool in attack campaigns — compared with 4,455 samples of Cobalt Strike being used for potentially malicious purposes. 

"Defenders would be unwise to take their eyes off Cobalt Strike," Hopkins says. "Cobalt Strike is synonymous with — and the gold standard of — command-and-control networks."

Sometimes, the tools are used in tandem. Researchers at Intel 471 earlier this year observed Sliver being deployed along with Cobalt Strike, Metasploit, and the IcedID banking Trojan via a new loader called "Bumblebee". The company's chief intelligence officer Michael DeBolt says the framework has one feature that likely makes it especially useful for threat actors. 

"Sliver has a lot of features, \[but\] one that might be especially useful is its ability to limit execution to specific time frames, hosts, domain-joined machines, or users," he says "This feature can prevent the implant from executing in unintended environments, such as sandboxes, which aids against detection."

Sliver is just one of several C2 frameworks that attackers are using as alternatives to Cobalt Strike. Researchers from Intel 471, for instance, recently added detection for a legitimate red-teaming tool called Brute Ratel, after observing some threat actors using it for C2 purposes. 

Earlier this year, Palo Alto Networks' Unit 42 threat-hunting team uncovered what appeared to be Russia's notorious APT29 (aka Cozy Bear) using Brute Ratel in an attack campaign. 

Meanwhile, Gills from Lares pointed to Posh2, a C2 framework which, though not new, offers threat actors a chance of evading Cobalt Strike-centric detection mechanisms. And Hopkins from Team Cymru says his company is currently tracking a C2 framework called "Mythic" following some initial indications of adoption within the threat-actor community.  

Frameworks tend to vary in capabilities such as lateral movement, injection, and call out, Gill says. 

"\[So\], from a defensive standpoint, operators are better off profiling and generating signatures for techniques than analyzing specific C2 frameworks," he notes.

'Sliver' Emerges as Cobalt Strike Alternative for Malicious C2

Consumers gain control of their data while companies build better relationships with their customers — but third-party ad-tech firms will likely continue to stand in the way.

For more than two decades, the economic advantages of third-party firms' collection of information on consumers stymied technologists' dreams of giving people more control over their data and inhibiting the collection of personal information.

Now, faced with increasing privacy regulations and penalties, public agencies and private-sector businesses are leaning into the concept of "no-party data" — information shared by the consumer directly with a company with which they have a relationship that can still be used to personalize their experience. As a result, technology firms and academic researchers are developing data architectures to support no-party data technologies while giving control — and more data security — to the consumer.

Sometimes called "zero-party data," the no-party data movement has gained traction because of the consumer pushback against third-party advertising-technology firms, which often collect data against the consumer's wishes, says Ant Phillips, chief technology officer for Celebrus, which announced its no-party solution earlier this month.

"Third-party data collection and data sharing is not something that consumers ever signed up for — they did not wake up and say, 'I want to share my data with lots of companies,'" he says. "The business case \[for no-party data\] is around brands wanting to do the right thing for consumers because most consumers do not have a problem trusting certain brands, but they don't want to spread their data all around the Internet."

**The Struggle Is Real**

Giving consumers control over what information is collected about them has been a long struggle. In the late 1990s, pro-privacy firm Zero Knowledge Systems attempted to create a certificate-based system that could attest to certain consumer attributes — such as being an adult — without the need for personal identification. In 2008, Microsoft pursued the technology in its U-Prove system, after acquiring the company Credentica, which was founded by Stefan Brands, a former ZKS cryptographer.

For the most part, those technologies could not compete with the business success of ad-tech firms using third-party cookies.

The result is that privacy-conscious consumers actively fight against cookie tracking, and policymakers and browser developers have followed suit. In 2017, Apple announced its Intelligent Tracking Prevention, which would block tracking through third-party cookies, much to the consternation of advertisers. Since 2018, the European Union has required advertisers to get users' consent to use third-party cookies. And in 2019, Mozilla announced that its Firefox browser would block third-party cookies; Google followed suit, pledging to phase out third-party cookies in 2023. Facing low opt-in rates, companies have resorted to the deceptive design of the dialog boxes that ask users to consent to using their data.

With significant resistance to data collection, companies have focused on engaging with consumers. No-party data — which analyst firm Forrester Research calls "zero-party data" — is information collected directly from the consumer. It is typically collected through preference settings or micro-experiences, where a product maker or service provider will directly ask a consumer about their habits.

Zero-party data is the future, says Stephanie Liu, an analyst with Forrester Research.

"​The principles of zero-party data are going to be the foundation of data collection moving forward: transparent, consented, and provides value back to the consumer," she says. "Brands are historically terrible at asking consumers for data. ... But as consumer data gets harder to acquire, companies need to invest in the strategy and tech of what they're going to ask of consumers, how, and what benefit they'll deliver in return."

**'Creepy' Targeted Advertising**

The battle between advertising firms and privacy advocates often centers around tracking of citizens across websites. While tracking people through their real life is usually prohibited, large online ad-tech firms are able to effectively stalk consumers across the Internet. Currently, more than 80% of US citizens believe they lack control of the data collected about them by companies and the government, and they believe that businesses collecting data poses risks that outweigh the benefits, according to a survey by the Pew Research Center.

A significant part of the problem is that, despite the data collection, advertising either seems to miss the target or is so accurate that it's borderline creepy. In addition, ad-tech firms often catch behavior that has nothing to do with consumer buying intentions or habits, and they often use information in ways consumers would not approve. Policymakers have recognized the unintentional privacy costs of the third-party data market, passing regulations such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Protection Act (CCPA) and similar legislation in the United States.

For all these reasons, the third-party data model is broken, argues Celebrus' Philips. Consumers do not want to be tracked, and the slight benefit of ad-tech firms' capability to tailor marketing is greatly outweighed by the privacy risks posed by the technology and the fact that advertising firms' predictions of consumers' interests are often not accurate.

"From an economics view, the whole model is wasted capital — it's an economic waste," he says. "One misplaced ad is not going to break the bank, but in aggregate it is inefficient."

With no-party data, the consumer offers up information about themselves. Yet they still want to retain control of the data. Otherwise, they have no guarantee that the third-party companies will not use that data in ways that were not intended.

Technology firms have started offering solutions to allow personalization while giving the consumer control of their data. Celebrus' system, for example, stores information in local storage, allowing the consumer to retain control, and does all personalization and processing on the user's machine. On its face, the technology resembles Solid, a project created in a collaboration between Web progenitor Tim Berners-Lee and the Massachusetts Institute of Technology, which allows users to create virtual data "pods" on their systems that they can give trusted companies access to in a granular way, says John Bruce, co-founder and CEO of Inrupt, which is commercializing the technology.

"Solid allows people to make themselves known to providers without losing control of data," he says. "Businesses are truly beginning to understand that they can better service the customer if they retain their trust and allow them to keep control of their data."

**Consumers Want Personalization**

Ad-tech firms will not go away, but they will likely have less access to consumer data. Delivering personalization to consumers while at the same time limiting the collection of data will be the future, according to analyst firm McKinsey & Co., which found that 71% of consumers expect a personalized experience. Companies that excel at delivering that experience typically see 40% more profits on those services, the firm found.

The result will be that advertising will be less targeted but closer to what consumers want and with less of what we have today — annoying, creepy, and harmful uses of data, says Forrester's Liu.

"\[I\]t's not just the shoes you already purchased that still follow you across the Internet, but \[advertisements targeting\] those who've lost their pregnancies and can't opt out of baby ads," Liu says. "A big part of why we're here — with Apple releasing new privacy features, a quickly evolving privacy regulatory landscape, and rising consumer awareness — is because we've creeped out consumers, and they are fed up."

'No-Party' Data Architectures Promise More Control, Better Security

DevSecOps can help overcome inheritance mentality, especially in low- and no-code environments.

By 2025, total global data creation will reach 181 zettabytes. For enterprises, that data is an asset, allowing them to leverage a variety of technology platforms to create highly personalized customer experiences that engender loyalty and attract new business. However, these experiences are dependent on cloud infrastructures using shared security modes. That's where the risk lies, and it's increasing as technology grows to incorporate a new army of citizen developers using low-code and no-code platforms.

**Understanding and Overcoming the Inheritance Mindset **

Gartner estimates that by 2025, 70% of enterprise applications will be built from low-code and no-code platforms such as Salesforce and ServiceNow. Responding with an inheritance-based mindset is a sure way to set more than two-thirds of enterprise apps up for failure.   

"Inheritance mindset" is an apt descriptor for the problems plaguing infrastructure. It brings to mind a rich, spoiled children who are entirely dependent on the work done and people who came before them. That’s not a good way to build a legacy, and it's an equally bad way to build a system.

When you have a legacy mindset, you assume that the infrastructure is set. The platform is safe, and the security is built in. Trust is assumed simply because the technology was there before the administrator.

That inheritance mindset plagues low-code and no-code platforms. Users rely on the safety of a platform to carry them through an entire enterprise infrastructure. Instead, the security of that platform should apply only to that platform.

Let's say Salesforce developers create an automated assignment program for new leads. They use it within Salesforce for internal assignments, and it's fine. They can rely on the safety of the platform. They decide to expand it to improve automation. They connect that program to an external-facing CRM like ServiceNow, SAP, or Oracle. The inheritance mindset takes over: Salesforce is safe. ServiceNow, SAP or the third-party is safe.

So, Salesforce + third party = safe.

But, there's a great deal of unknown in that plus sign. How do you safely and compliantly connect the internal program created in Salesforce to the external program created in the third-party platform? There is a lot of room for error in that single character.  

And that’s only one connection. Many programs created in Salesforce touch hundreds of others. That’s hundreds of unknowns being treated like the plus sign described above by people who have little to no development experience.  

The only solution is to take that development back down to earth with a return to DevSecOps principles.

**Establishing the DevSecOps Framework **

DevSecOps frameworks have been written, rewritten, and written again since the concept was created. There’s no need to reinvent the wheel when establishing them, especially when SAFECode and the Cloud Security Alliance has built six pillars:

1.  **Collective responsibility:** Security is the responsibility of every person in the enterprise —but people can’t meet standards they don’t know. Leads should be assigned to drive cybersecurity policy and ensure it is disseminated across the enterprise.  
2.  **Collaboration and integration:** Knowledge must be shared and transferred. Half the reason that enterprises fall into the legacy mindset is that everyone who knew the old system is gone. Continuous knowledge sharing helps eliminate this issue.
3.  **Pragmatic implementation:** Pragmatic implementation ties into the developer experience. Processes that are difficult, mundane, and unwieldy are not followed for long. Security should be baked into development practices — that is, every line of code requires a line of test. A high-performing enterprise would take that further by using a tool to automate each line of test code.
4.  **Compliance and development:** Compliance requirements should guide the development process in a way that does not allow developers to deviate from them. A developer for a financial institution, for example, would work on a platform that is designed to be compliant with the Gramm-Leach-Bliley Act. The developer does not have to know the individual ins and outs of the act to be compliant because they are built into the platform.  
5.  **Automation:** Tasks that are predictable, repeatable, and high volume should be automated whenever possible to remove the burden from developers and reduce the risk of human error.
6.  **Monitor:** Modern cloud infrastructures change and grow. It’s vital to keep track of it — ideally, through some form of orchestration that allows an at-a-glance view of all the various interconnections.

In a low- or no-code environment, these pillars are not as straightforward as one would expect. The people using these tools are often business experts with little familiarity with DevSecOps fundamentals.

**Bringing Together People, Processes, and Technology**

The use of low-code and no-code platforms can actually help close this skills gap. Employees want to learn new skills. Enterprises can support that by establishing a DevSecOps framework focusing on people, processes, and technology. 

*   **Processes:** In a zero-trust environment, low-code and no-code developers don’t have to worry about making connections that endanger system integrity because they are incapable of doing so. They have no baseline authority outside of their isolated system.  
*   **People:** A culture of accountability is different from a culture of blame. Accountability means that individuals feel comfortable coming forward with a problem or mistake because the focus is on the issue, not the person.
*   **Technology:** Technology is the single biggest barrier to proper implementation of DevSecOps principles because it is out of the developers' hands. They must use what the organization gives them. If that technology doesn’t work, developers will come up with workarounds that are neither secure nor safe. Essentially, the technology becomes one big shadow IT generator.

We live in an exciting time for development. More and more people have the opportunity to build software, test strategies, and improve business value. But with that comes risk. Enterprises that look at ways to offload that risk onto technology will keep their development down to earth while leaving room to explore.

How DevSecOps Empowers Citizen Developers

Six out of the eight products achieved an "A" rating or higher for blocking malware attacks. Reports are provided to the community for free.

**AUSTIN, Texas – Aug. 25, 2022** — CyberRatings.org, the nonprofit entity dedicated to providing transparency on cybersecurity product efficacy, has published results of its Q2 2022 Endpoint Protection Comparative Test.

Focused on endpoint products that feature antivirus protection, the products tested were Avast Free Antivirus, AVG AntiVirus Free, ESET Internet Security, McAfee Total Protection, Norton 360, Microsoft Defender, Sophos Home Premium and Trend Micro Maximum Security.

“The bad guys are getting bolder and malware / ransomware campaigns continue to get more sophisticated,” said Vikram Phatak, CEO of CyberRatings.org. “Most infections occur in the first few hours after a new campaign is launched. The time it takes for a security product to block the attack matters a lot,” adds Phatak. “That is why we tested not only how much malware a product blocks, but how _quickly_ it blocks an attack.”

Over 40,000 live tests were performed on each product, providing a ±0.49% margin of error. Trend Micro Maximum Security offered the most protection, blocking 97.97% of malware. Sophos Home Premium provided the second-highest protection, blocking 97.47%, followed by Microsoft Defender at 97.13%. Sophos was the quickest to add protection for previously unblocked malware, closely followed by Trend Micro.

With more businesses embracing remote work, a user’s protection is likely limited to the web browser and their endpoint protection product. Therefore, it’s important to be informed about which products are performing as advertised.

The Comparative Test Reports provide metrics for products blocking malware over time, average time a product added protection, and average time it took a product to add protection.

The test was funded by CyberRatings.org and no vendor paid to be in or out of the test. As a service to the community, CyberRatings.org is providing these reports for free.  

The following endpoint protection / antivirus products were tested:  

  

*   Avast Free Antivirus – v22.4.6011 (build 22.4.7175.725)
*   AVG AntiVirus Free – v22.4.3231 (build 22.4.7175.725)
*   ESET Internet Security – v15.1.12.0
*   McAfee Total Protection – v16.0 R46
*   Norton 360 (latest updates)
*   Sophos Home Premium – v4.1.0
*   Trend Micro Maximum Security – v17.7.1243
*   Windows Defender – Antimalware Client v4.18.2203.5

**Additional Resources**

*   Follow CyberRatings.org on Twitter
*   Follow CyberRatings.org on LinkedIn

**About CyberRatings.org**   
CyberRatings.org is a non-profit 501(c)6 entity dedicated to quantifying cyber risk and providing transparency on cybersecurity product efficacy through testing and ratings programs. To become a member, visit www.cyberratings.org

Endpoint Protection / Antivirus Products Tested for Malware Protection

OpenSSF welcomes Capital One as a premier member affirming its commitment to strengthening the open source software supply chain.

**SAN FRANCISCO, Aug. 24, 2022** — Capital One joins the Open Source Security Foundation (OpenSSF) as a premier member, affirming its commitment to strengthening the open source software supply chain. OpenSSF is a cross-industry organization hosted at the Linux Foundation, designed to inspire and enable the community to secure the open source software we all depend on, including development, testing, fundraising, infrastructure, and support initiatives.

Capital One joins the OpenSSF Governing Board in charge of leading the organization and providing strategic direction. “We are happy to welcome Capital One to the Open Source Security Foundation,” says Brian Behlendorf, General Manager of OpenSSF. “As a highly regulated company that has invested in technology, Capital One has experience building the governance structure, modern architecture and collaborative culture that is critical for well-managed open source software delivery. By joining the OpenSSF, Capital One is demonstrating a serious commitment to secure open source software that benefits our entire ecosystem.”

As one of the nation’s leading digital banks, technology is central to Capital One’s business strategy and how value is delivered to more than 100 million customers. The company began a technology transformation over a decade ago, which included an open source-first declaration in 2015. A modern architecture in the cloud is allowing Capital One to take advantage of the world’s innovations and accelerate delivery by committing to a collaborative software-building approach among the open source community.

“Today some of the most ground-breaking digital experiences created for customers are based on open source software. As a company that widely adopts this technology, Capital One is incredibly proud to join the OpenSSF and the world’s technology leaders as we collaborate to strengthen the software security supply chain,” said Chris Nims, EVP of Cloud & Productivity Engineering at Capital One. “As a highly-regulated company, we are seasoned in managing compliance and governance and advocate for standardization, automation and collaboration. We look forward to working together to identify solutions that advance the OpenOSSF mission and give back to the open source community.”

Earlier this year, the OpenSSF unveiled a 10-point plan at the Open Source Security Summit hosted in conjunction with the White House in May. The plan feeds into 10 different workstreams, like finding ways to reduce patching response times for open source software, developing new metrics to track code and components, moving the industry away from non-memory safe programming languages that make it difficult to find and fix vulnerabilities, establishing a framework for incident response teams that can be deployed across the open source community and conducting annual third-party reviews of the top 200 most critical open source security components.

More recently, the OpenSSF hosted a Town Hall especially for open source software maintainers, contributors, software developers, and open source software users who know security is important, but haven’t made the leap to join an OpenSSF Working Group or Project yet. On Tuesday, Sept. 13, they will be hosting an OpenSSF Day EU at the Open Source Summit Europe in Dublin, Ireland, and online.

Capital One joins other OpenSSF premier members 1Password, AWS, Atlassian, Cisco, Citi, Coinbase, Dell Technologies, Ericsson, Fidelity, GitHub, Google, Huawei, Intel, IBM, JFrog, JPMorgan Chase, Meta, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, Sonatype, VMware, and Wipro.

**About OpenSSF**

The Open Source Security Foundation (OpenSSF) is a cross-industry organization hosted by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at: openssf.org.

**About the Linux Foundation**

Founded in 2000, the Linux Foundation and its projects are supported by more than 2,950 members. The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

Source

DARKReading