How to solve the software vulnerability problem across the entire SDLC.

In the opening keynote of the 2022 Black Hat security conference, Chris Krebs, the former Department of Homeland Securities cybersecurity director, stated that security is going to get worse before it gets better. Why? Krebs said that "software remains vulnerable because the benefits of insecure products far outweigh the downsides." Rather than ensuring security, the focus across the software development life cycle (SDLC) is beating the competition to market. In fact, innovation is often seen at odds with security — the former believed to be fast-paced and productive, and the latter a roadblock that stifles quick-moving application development. This view is proving to be outdated in the current threat landscape.

With cyberattacks on the rise, the software supply chain is a popular target for cybercriminals who recognize the huge disruption they cause when infecting insecure code. For example, the now infamous Log4Shell vulnerability posed such a risk because the open source Log4j is so commonly used across software applications and online services worldwide, and exploiting the vulnerability requires very little expertise. More recently, the 25,000 malicious plug-ins found across WordPress sites highlight the cybersecurity risk that many businesses face, despite believing they were using secure applications and programs within their websites.

Innovation and security must therefore be viewed through a single lens; one is not possible without the other. Even more importantly, security can no longer be the responsibility of one siloed team. It must be a priority for everyone across the SDLC.

**The AppSec Dilemma**

Despite increased investment into application development, the same importance isn't being applied to security. In such a competitive space, first movers tend to get the reward. Those that enter the market with their "first viable product" are likely looking at how this product can serve customers, not how it can be used securely. With these high expectations, code demands on developers have increased 100 times over the past 10 years, with 92% feeling pressured to write code faster. Pair this with the fact that 53% have no professional secure coding training, while the number of new vulnerabilities within the NIST National Vulnerability Database has increased by over 200% in the past several years, and it seems we're in something of an application security dilemma.

However, it is not an unsolvable dilemma. The solution requires a complete switch-up in the way that many view coding and innovation, with a specific focus on the mindset of the people. It puts security first and recognizes that it's OK to be slower to market if the end product is more secure. According to Boehm's law, "the cost of finding and fixing a defect grows exponentially with time" — a concept that can benefit the bottom line of organizations that prioritize security from the start.

Establishing this security-first mindset is crucial — not just for the development team, but for everyone who plays a role within the SDLC. Product and project managers, DevOps, user experience (UX) designers, and quality assurance (QA) professionals will all influence the end result and therefore need to recognize the current dilemma for application security and how this challenge can be overcome.

**Getting Integrated Education Right**

If teams do not understand _why_ a security-first mindset is so important within application development, they are never going to buy into _how_ it can be achieved. Integrated and continuous application security education for the whole development organization has therefore never been more important. For those creating the code, it is important to deliver foundational learning before hands-on exercises that speak directly to the issues they face on a daily basis. This developer-specific education should be run in parallel with foundational and advanced application security training programs for those with roles in the SDLC that may not necessarily need hands-on expertise. These kinds of initiatives will empower the whole team to think differently, make more informed decisions, and integrate security across every aspect of development.

Yet it is important that organizations understand that application security constantly evolves and changes. Building a security-minded team who apply key AppSec principles at every step of the development cycle can't be accomplished with a "one and done" training program. To ensure teams maintain this security-first mindset, a continued and evolving educational program is key.

Many organizations engage teams by acknowledging and celebrating security champions, who lead a shift in security behavior across the team. By offering incentives or rewards to those that are consistently applying security best practices in their day-to-day work, they encourage champions to engage others and organically influence change. For example, by measuring results — like the number of vulnerabilities in a code before and after training programs — and recognizing success, it is also far easier to get buy-in from the board and justify investment on secure coding education to the decision-makers.

Innovating fast and beating the competition to market while also putting security first is possible when the people of the SDLC make security a top priority. In fact, as the number of vulnerabilities grows and cyberattacks show no sign of slowing down, coding securely is a must for any application to be successful. As long as the entire SDLC is considered in continuous, bespoke, and measurable education initiatives, security does not _have_ to get worse before it gets better.

Does Security Have to Get Worse Before It Gets Better?

Security researchers will handle testing on "headless" API endpoints that lack a user interface and are increasingly exposed to attackers.

**REDWOOD CITY, Calif., Oct. 31, 2022 / PRNewswire/** — Synack, the premier security testing platform, has launched an API pentesting capability powered by its global community of elite security researchers. Organizations can now rely on the Synack platform for continuous pentesting coverage across "headless" API endpoints that lack a user interface and are increasingly exposed to attackers.

"Synack's human-led, adversarial approach is ideal for testing APIs that form the backbone of society's digital transformation," said Synack CTO and co-founder Mark Kuhr, a former National Security Agency cybersecurity expert. "We are thrilled to offer customers a unique, scalable way to secure this growing area of their attack surfaces."

Gartner estimates API abuses will be the most common source of data breaches in enterprise web applications this year. Synack enables organizations to verify exploitable API vulnerabilities such as broken authorization and authentication — noted in the

OWASP API top 10

— can't be abused by malicious hackers.

"Many organizations are struggling to find the top-tier cyber talent needed to root out API-specific vulnerabilities," said Peter Blanks, Chief Product Officer at Synack. "We're excited to extend our Synack platform to provide human-powered offensive security testing on APIs."

Synack's headless API capability builds on years of API pentesting experience through web and mobile applications. The new platform features allow customers to enter API documentation to guide testing scope and coverage. Next, researchers with the Synack Red Team attempt to exploit API endpoints in the way a real external adversary would.

Of the Synack Red Team's over 1,500 global members, only those with proven API testing skills are activated on API requests, reducing noise. Synack's Special Projects division led over 100 successful pentests against headless APIs in 2022, providing customers with critical proof-of-coverage reports while validating researchers' API expertise.

Vulnerability submissions and testing reports are routed through Synack's Vulnerability Operations team for a rigorous vetting process before being displayed in the platform, minimizing false positives and ensuring high-quality results.

For more information about Synack's API security testing, please visit www.synack.com.

**ABOUT SYNACK**

Synack's premier on-demand security testing platform harnesses a talented, vetted community of security researchers and smart technology to deliver continuous penetration testing and vulnerability management, with actionable results. We are committed to making the world more secure by closing the cybersecurity skills gap, giving organizations on-demand access to the most trusted security researchers in the world. Headquartered in Silicon Valley with regional teams around the world, Synack protects federal agencies, DoD classified assets and a growing list of Global 2000 customers, uncovering over 13,000 vulnerabilities for clients in 2021 alone. For more information, please visit www.synack.com.

**SOURCE:** Synack

Synack Expands Security Platform With Adversarial API Pentesting

**BATAVIA, Ohio, Oct. 28, 2022 /PRNewswire/ --** At Multi-Color Corporation ("MCC") we value our customers and employees and understand the importance of protecting personal information. Unfortunately, we regret to provide this notice that we were the victim of a cyberattack. On September 29, 2022, MCC discovered that a third party had unauthorized access to our information technology environment. In response, MCC immediately deployed security measures to address the threat and retained an external incident response team to accelerate our recovery efforts. We proactively notified the Federal Bureau of Investigation and other domestic and foreign regulatory officials in jurisdictions where MCC has operations, including data protection authorities in the European Union, the United Kingdom, and in Australia.

The MCC files and records that were compromised by this cybersecurity incident included sensitive "HR data," such as personnel files and information on enrollment in our benefits programs. However, based on the measures that we have implemented and the actions we have taken, there is no indication that any personal information subject to this cybersecurity incident has been misused or will be misused in the future.

Out of an abundance of caution, MCC is providing complimentary credit monitoring and identity theft protection services to current and former employees (and their immediate family members) who have been impacted by this incident. If you are a former employee of MCC, or a beneficiary of a MCC benefits program, please contact us to determine your eligibility to enroll in our complimentary credit monitoring and identity theft protection services.

Please note that MCC generally does not retain sensitive personal data on our customers or suppliers, and there is no evidence at this juncture that such personal information was involved in this incident. If you are a customer or supplier of MCC, and you believe we retain your sensitive personal data, please contact us immediately.

We have established a dedicated call center to answer questions you may have about this incident, including on how to enroll in our complimentary credit monitoring and identity theft protection services. For United States residents: contact 888-291-2363, available Monday – Friday, 9:00 am to 9:00 pm EST. For non-United States residents: contact +44(0)330 053 3818, available 24/7. We have also established a dedicated website about this incident that includes a Frequently Asked Question (FAQ) section, and it is available at https://www.mcclabel.com/en/data-security-notice.

Multi-Color Corporation, 4053 Clough Woods Drive, Batavia, OH 45103.

SOURCE Multi-Color Corporation

Notice: Multi-Color Corporation Statement on Data Security Incident

With scant details attached, Google Chrome seeks to shore up yet another exploited zero-day vulnerability.

Google Chrome has issued an urgent fix for an actively exploited zero-day bug in its browser. 

This is the seventh Chrome actively exploited zero-day flaw this year, underscoring how big of a target it has become for cyberattacks. 

As users scramble to patch, Google isn't releasing many details about the vulnerability, tracked under CVE-2022-3723, except to note that it's a type confusion bug in V8, which is Google's open source high-performance JavaScript and WebAssembly engine. Type confusion bugs are can lead to out-of-bounds memory access and arbitrary code execution, according to MITRE.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said in its urgent update. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Urgent: Google Issues Emergency Patch for Chrome Zero-Day

**Atlanta, GA:** As Cybersecurity Awareness Month winds down, Cyversity Atlanta in partnership with CLASS-LLC announces the launch of its first cybersecurity apprenticeship cohort. Registered with the US Department of Labor, this apprenticeship program seeks to advance Diversity, Equity, Inclusion, and Accessibility (DEIA) across cybersecurity occupations, especially for historically underrepresented populations such as women and communities of color through experiential learning as well as formal educational activities.

Since 2004, the President of the United States and Congress have declared October to be Cybersecurity Awareness Month, helping individuals protect themselves online as threats to technology and confidential data become more commonplace.

Cyber Leadership and Strategy Solutions (CLASS-LLC) is a cybersecurity service firm. Keyaan J Williams, Founder/Managing Director explains, “This year’s Cybersecurity Awareness Month campaign theme is “See Yourself in Cyber.” This theme is on point with what Cyversity Atlanta and CLASS-LLC are doing with our apprenticeship. We will be the corporate partner that supports the Registered Apprenticeship Program (RAP) that Cyversity manages to increase the participation of minorities and women in the cybersecurity workforce. The apprentices selected in Q4 will start working with CLASS-LLC with us on January 3, 2023.”

“This yearlong, paid experience will place apprentices with CLASS-LLC, working alongside our experienced information security practitioners. In addition, apprentices will take online courses and gain valuable industry certifications to prepare them to succeed as experienced and credentialed cybersecurity professionals,” Williams continues.

Cassandra Dacus, Cyversity Atlanta Chapter President, expounds on the apprenticeship, “As a non-profit organization, Cyversity relies on the generosity and the engagement of those companies and institutions who recognize the importance of our work. Such groups work on the front lines of cybersecurity and thus have keen insights into the dynamics of cybersecurity and the particular value that a diverse and inclusive workforce makes possible. Cyversity’s efforts train a diverse and inclusive workforce making opportunities available to forward-looking companies to fill a multimillion shortfall in the cyber security workforce.”

About CLASS-LLC: CLASS-LLC is a cybersecurity and business services firm. It is not a technology company but aligns with strategic partners to develop comprehensive solutions. CLASS-LLC uses professional certification workshops and custom developed training to develop the cybersecurity capabilities of the entire workforce, from general computer users to senior executives.

About Cyversity: Cyversity works to achieve the consistent representation of women and underrepresented minorities in the cybersecurity industry through programs designed to diversify, educate, and empower. Cyversity tackles the ‘great cyber divide’ with scholarship opportunities, diverse workforce development, innovative outreach, and mentoring programs.

To schedule an interview with Keyaan Williams or Cassandra Dacus, please call Lisabeth Begin, Publicist, at 727-243-6965 or email at \[email protected\] For more information about CLASS-LLC go to https://www.class-llc.com/

Cyber Leadership and Strategy Solutions (CLASS-LLC) and Cyversity Launch a Cybersecurity Apprenticeship Cohort

**SAN FRANCISCO, October 28, 2022** — Nozomi Networks Inc., the leader in OT and IoT security, today announced the SANS 2022 OT/ICS Cybersecurity Report finds ICS cybersecurity threats remain high as adversaries set their sights on control system components. In response, organizations have significantly matured their security postures since last year. In spite of the progress, more than a third (35%) don’t know whether their organizations had been compromised and attacks on engineering workstations doubled in the last 12 months.

> “In the last year, Nozomi Networks researchers and the ICS cybersecurity community have witnessed attacks like Incontroller move beyond traditional targets on enterprise networks, to directly targeting OT,” said Nozomi Networks Co-founder and CPO Andrea Carcano. “While threat actors are honing their ICS skills, the specialized technologies and frameworks for a solid defense are available. The survey found that more organizations are proactively using them. Still, there’s work to be done. We encourage others to take steps now to minimize risk and maximize resilience.”

**ICS Cybersecurity Risks Remain High**

*   62% of respondents rated the risk to their OT environment as high or severe (down slightly from 69.8% in 2021).
*   Ransomware and financially motivated cybercrimes topped the list of threat vectors (39.7%) followed by nation-state sponsored attacks (38.8%). Non-ransomware criminal attacks came in third (cited by 32.1%), followed closely by hardware/software supply chain risks (30.4%).
*   While the number of respondents who said they had experienced a breach in the last 12 months dropped to 10.5% (down from 15% in 2021), 35% of those said the engineering workstation was an initial infection vector (doubling from 18.4% last year).
*   35% did not know whether their organizations had been compromised (down from 48%) and 24% were confident that they hadn’t had an incident, a 2x improvement over the previous year.
*   In general, IT compromises remain the dominant access vector (41%) followed by replication through removable media (37%).

**ICS Cybersecurity Postures are Maturing**

*   66% say their control system security budget increased over the past two years (up from 47% last year).
*   56% say they are now detecting compromises within the first 24 hours of an incident (up from 51% in 2021). The majority (69%) say they move from detection to containment within 6 to 24 hours.
*   87.5% have conducted a security audit of their OT/control systems or networks in the past year (up from 75.9% last year) – one-third (29%) have now implemented a continual assessment program.
*   The overwhelming majority (83%) monitor their OT system security. Of those, 41% used a dedicated OT SOC
*   Organizations are investing in ICS training and certification: 83% of respondents are professional control system certification holders – a significant jump from 54% in the last 12 months.
*   Nearly 80% have roles that emphasize ICS operations up from 50% in 2021.

**To learn more about the latest trends in OT/ICS cybersecurity:**

*   Download: The State of OT/ICS Cybersecurity in 2022 and Beyond

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Nozomi Networks-Sponsored SANS Survey Finds Security Defenses are Getting Stronger as Cyber Threats to OT Environments Remain High

Operators of The Real Deal and German Deep Web underground marketplaces are in custody for allegedly dealing in drugs, weapons, malware, and more.

A pair of splashy busts this week, one in the US and the other in Germany, demonstrates that global law enforcement teams are actively pursuing Dark Web forum criminal activity. 

On Oct. 26, the Northern District of Georgia filed charges against Daniel Kaye for his alleged operation of The Real Deal underground marketplace that sold malware, stolen credentials, and even money-laundering services, according to the Department of Justice statement. 

"This case is an example of our persistent determination to work with our international partners to hold criminals accountable no matter how sophisticated their cyber fraud or their geographic location," Keri Farley, Special Agent in Charge of FBI Atlanta, said about the charges. "Let this indictment be a message that the FBI and our partners place a high priority on the investigation and prosecution of hackers who intrude into our infrastructure and threaten the personal security of our citizens."

As if to underscore the point, Bavarian authorities arrested a 22-year-old unnamed student for operating a platform called Germany on the Deep Web that law enforcement said is notorious for selling drugs and more under the motto, "No control, everything allowed." 

Maybe not everything. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Dark Web Forum Busts Come Days Apart

The next generation of cybersecurity pros will need to participate frequently in relevant training to expand their skills and stay engaged.

The shortage of cybersecurity professionals worldwide is a growing concern for organizations of all sizes, as threats mount and attack vectors become more difficult to defend against.

CyberSeek.org counts nearly 770,000 open jobs in cybersecurity, and the data is showing that employer demand for cybersecurity workers is growing 2.4 times faster than the overall rate across the US economy.

To adequately train the next generation of cybersecurity pros, organizations need to start thinking more collaboratively, using virtual technologies as learning tools, and turning to upskilling to offer opportunities to in-house talent.

**Teaching the Why Along With the How**

Some of the changes in training and education approaches are fundamental, argues Andrew Hay, COO at Lares Consulting, an information security consulting firm.

"We often teach people the 'how' but never the 'why' when it comes to cybersecurity training," he says. "For example, we'll show someone how to run a tool to detect a vulnerability, but we won't educate them on why the vulnerability surfaced in the first place."

He says if you don't show people how to prevent vulnerabilities from occurring, you're doomed to keep showing them how to detect them after the fact.

"We have an entire team dedicated to showing our customers how to detect, mitigate, and prevent attacks within their organization," he says. "Not only do we show effect, but we also show cause." Hay says by training people to prevent insecure configurations in the first place, you can help them reduce their attackable surface area.

He adds that cyber-range and capture-the-flag (CTF) events are fantastic learning environments to hone your skills and grow as a cybersecurity professional.

"You'll get to experience how others think about attacking a system, what tools and techniques they use, and their thought process," Hay says. "It's invaluable."

**Playing NICE**

Danielle Santos, manager of communications and operations for NIST'S National Initiative for Cybersecurity Education (NICE), says investing in cybersecurity training and education now is critical to meet this growing demand.

"We are coordinating with government, academic, and industry partners to build on existing successful programs, facilitate change and innovation, and bring leadership and vision to increase the number of skilled cybersecurity professionals," she explains. By facilitating a mechanism whereby the educators, trainers, and employers can come together as a community, they are better positioned to have training that meets the workforce demand.

NICE is also responsible for maintaining the Workforce Framework for Cybersecurity, which describes tasks, knowledge, and skills that are needed to perform cybersecurity work. It provides a standard for training and certification providers to establish knowledge and skill requirements according to tasks in the workplace.

**Smashing Training Silos**

Mika Aalto, co-founder and CEO at Hoxhunt, a Helsinki-based provider of enterprise security awareness solutions, says that the motivation for training today is compliance-driven, not security-driven, which leads to training implementations that can't address human cybersecurity risk.

He argues that organizations should take a risk-based view of the actual attacks employees face and focus on building the right culture and driving the adoption of the correct habits.

"When it comes to the core sins, organizations are running punitive programs that fail to capture employees' hearts and minds," he says.

Making matters worse, training frequency is occasional, and curriculum is built with a one-size-fits-all mentality. "Today's technology allows us to automatically develop and deliver individual training experiences at scale, driving behavior change rather than raising awareness," he says.

From Aalto's perspective, another core sin is that the training often gets siloed. "Awareness professionals are blind to the attacks and metrics managed by security operations," he says. "They lack the cohesive processes and technology to share intelligence and augment detection and response capabilities."

He says that modern teams should work in harmony, with effective training platforms that enable employees to hunt attacks that have infiltrated the organization and integrate that data into operations to mitigate the threats in real time.

"Extending awareness into the center of the security stack is a game-changer in how training is conducted and leveraged," he adds.

**Innovations in Training**

Santos notes that over the past several years, simulated training has shown promise as a mechanism to learn new cybersecurity skills. Training offered through cyber ranges, for example, allows learners to experience simulated real-world scenarios and demonstrate applied knowledge and skills.

"Additionally, apprenticeships, while not new to the broader workforce, but relatively new as they apply to the cybersecurity workforce, is a proven approach to expanding cybersecurity talent," she says.

She highlights the US Departments of Commerce and Labor's recent partnership on a 120-day Cybersecurity Apprenticeship Sprint to promote the Registered Apprenticeship model as a way to develop and train a skilled and diverse cybersecurity workforce.

**Moving to New Training Models**

Kelly Albrink, Bishop Fox practice director for application security, points out that cybersecurity training has historically culminated in a multiple-choice test that relies on memorization.

"With the Internet at our fingertips, memorization is far less important than problem solving," she explains. "So, training should be more focused on hands-on exercises that directly map to what real cybersecurity work looks like."

She mentions her company's Bishop Fox Academy, an internal training program to help people gain both technical skills and soft skills. "Bishop Fox is one of the few companies with actual entry-level roles for junior consultants," Albrink says. "We have a formal mentor program that matches consultants based on their interests and specializations."

She says that in earlier iterations of the mentor program, the company received a lot of feedback from both mentors and mentees that they wanted more structure and guidance on how to get the most out of the program, which led to the creation of a worksheet to help guide initial conversations. It included both "getting to know you" questions to help pairs build an immediate connection, as well as guidance on goal setting.

"We also understand that not every mentor match is the best fit so, 2-3 times a year we give people the opportunity to get a new match or extend their current pairing," she adds. "I typically encourage people to have multiple mentors and receive mentoring on more than one topic."

**The Benefits of Upskilling**

"When you upskill existing cybersecurity, staff you can cut down the learning curve within your organization and often fill gaps faster," Ron Culler, vice president cyber learning officer at CompTIA, explains.

However, it's not just existing cybersecurity staff that should be the focus — he says organizations should be looking across their workforce and at all its IT staff. "Many of these individuals have strong foundational knowledge of the organization," he says. "They can be some of the best candidates to work in cybersecurity, simply because cybersecurity encompasses all aspects of an organization."

Santos agrees that upskilling is an effective approach to filling talent gaps more quickly in an organization. "It utilizes the existing workforce, many of whom have transferrable skills that can be applied to a cybersecurity," she says.

**Cybersecurity Touches All Aspects of an Organization**

CompTIA offers education, training, and certification options for individuals interested in working in cybersecurity and those already in the profession. Four certifications are specific to cybersecurity skills at different career levels — entry, mid, and advanced. Cybersecurity is also embedded in the company's other certifications in networking, data, cloud computing, and other disciplines.

Culler points out that traditional approaches have often focused on individuals with a heavy background in technology.

"While this is still needed, cybersecurity encompasses much more than just tech," he says. "Diverse experiences and skills are needed to fill gaps in cybersecurity roles throughout organizations."

As he puts it, cybersecurity is not a technology issue, but rather something that touches every aspect of an organization.

**Training the Next Generation of Hackers**

From Albrink's perspective, you can't buy enough senior talent to meet the demands of the market. The only viable solution is to train the next generation of hackers.

"In terms of best practices, newcomers often want to learn everything and get overwhelmed," she says. "If they pick two focuses, and those two things synergize well, they'll be much better set up for success."

She adds that learning in a vacuum, like simply reading a book or watching a video, doesn't lead to good results. "I always recommend that you pick a hands-on project to apply what you're trying to learn," she says. "For example, every webapp hacker should build and deploy their own app."

She says that gives you a much better perspective on how difficult it can be to put common defensive recommendations into practice and helps you to better understand the struggles that developers face.

**More Flexibility, More Investment**

Albrink says she's seen a trend of publicly available training moving to a more on-demand subscription-based model. "This gives learners the flexibility to fit their training schedule to their busy lives," she says. "So, instead of trying to knock out a red team lab in 30, 60, or 90 days, they get access for a year."

The downside is the training has become a lot more expensive and out of reach for most people paying for it themselves.

Santos explains the US Department of Commerce supports a workforce development model, to include training, that leans on an employer-driven regional approach. "An employer-driven approach aims to ensure that the supply of cybersecurity talent is job-ready," she says.

Culler agrees it's important to invest in cybersecurity training now because cybersecurity threats aren't going away or lessening. "We need a cyber aware and cyberskilled workforce for organizations to remain competitive and thrive in the current environment and into the future," he says.

From Aalto's perspective, the key word is "invest." He points out that around 90% of breaches contain a human element, almost always initiated by a phishing attack, and yet only 3% of security budgets go to awareness.

"That imbalance tilts the advantage towards the threat actors, whose attacks get more relentless and sophisticated by the day," he says.

In a risk landscape where cybersecurity is increasingly expensive and hard to get, and where regulations tighten all the time, it's up to organizations to take a risk-based approach to protect themselves where they're most vulnerable — their people.

"It works, if your training is done right," Aalto says.

Wanted: Cybersecurity Training That Breaks Down Silos

The threat actor uses commands from legitimate IIS logs to communicate with custom tools in a savvy bid to hide traces of its activity on victim machines.

Hacking group Cranefly is using the new technique of using Internet Information Services (IIS) commands to deliver backdoors to targets and carry out intelligence-gathering campaigns.

Researchers at Symantec have observed a previously undocumented dropper Trojan called Geppei being used to install backdoors (including Danfuan and Regeorg) and other custom tools on SAN arrays, load balancers, and wireless access point (WAP) controllers that may lack appropriate security tools, according to a blog post on Oct. 28.

In examining the activity, the team noticed that Cranefly is using ISS logs to communicate with Geppei.

"The technique of reading commands from IIS logs is not something Symantec researchers have seen being used to date in real-world attacks, making it novel," Brigid O Gorman, senior intelligence analyst on Symantec’s Threat Hunter team, tells Dark Reading. "It is a clever way for the attacker to send commands to its dropper."

ISS logs record data such as webpages visited and apps used. The Cranefly attackers are sending commands to a compromised Web server by disguising them as Web access requests; IIS logs them as normal traffic, but the dropper can read them as commands, if they contain the strings Wrde, Exco, or Cllo, which don't normally appear in IIS log files.

"These appear to be used for malicious HTTP request parsing by Geppei — the presence of these strings prompts the dropper to carry out activity on a machine," Gorman notes. "It is a very stealthy way for attackers to send these commands."

The commands contain malicious encoded .ashx files, and these files are saved to an arbitrary folder determined by the command parameter and they run as backdoors (i.e., ReGeorg or Danfuan).

Gorman explains that the technique of reading commands from IIS logs could in theory be used to deliver different types of malware if leveraged by threat actors with different goals.

"In this instance, the attackers leveraging it are interested in intelligence gathering and delivering backdoors, but that doesn't mean this technique couldn't be used to deliver other types of threats in the future," she says.

In this case, to date, the Symantec threat team has found evidence of attacks against just a handful of victims.

"That is not unusual for groups focused on espionage, as these attacks tend to be focused on a small number of selected victims," Gorman explains.

**Cranefly: A Threat of Reasonable Sophistication**

Gorman explains that the development of custom malware and new techniques requires a certain level of skills and resources that not all threat actors have.

"It implies that those behind Cranefly have a certain level of skills that makes them capable of carrying out stealthy and innovative cyberattacks," she says, noting the gang also takes steps to cover up its activity on victim machines.

The dropped malicious backdoors are removed from victim machines if the Wrde command is called with a specific option ("r").

"A step like that displays quite a high level of operational security by the group," she adds.

**Deploying an In-Depth Defense Strategy**

Gorman says that the typical rules apply to defending against Cranefly as they do when it comes to most types of cyberattacks: Organizations should adopt a defense-in-depth strategy, using multiple detection, protection, and hardening technologies to mitigate risk at each point of a potential attack chain.

"Organizations should also be aware of and monitor the use of dual-use tools inside their network," she says, noting that Symantec would also advise implementing proper audit and control of administrative account usage.

"We'd also suggest creating profiles of usage for admin tools as many of these tools are used by attackers to move laterally undetected through a network," she says. "Across the board, multifactor authentication (MFA) can help limit the usefulness of compromised credentials."

Cranefly Cyberspy Group Spawns Unique ISS Technique

Embedding security throughout your company has greater organizational impact and myriad benefits.

As cybersecurity has become an increasingly important consideration in corporate decision-making, there's been a corresponding move to elevate the role of the chief information security officer (CISO) to a higher point in the executive hierarchy. The reasoning seems to be, "If cyber is important, CISOs must be important." However, elevating the role sets the CISO up to be a lone voice in the desert crying "security," with little connection to the day-to-day decision-makers in IT, engineering, or products.

This has led to some undesirable consequences, like the Facebook exec who thought it was OK that the company's security measures caused hours-long delays in responding to its Oct. 4, 2021, outage, or the Uber exec who paid off hackers who breached his system, rather than acknowledge the breach, or the numerous CISOs who have invested in "additional layers of security" rather than admit they made poor selections initially. In all of these cases, the CISO's isolation from functional business units undoubtedly played a role in the tunnel thinking these decisions reflect.

**Organizational Impact**

Perhaps it's time to reimagine the role of the CISO. Maybe it's better to see the CISO's importance reflected in organizational impact rather than organizational status. Perhaps embedding security in functional units will result in better security.

Imagine the CISO as a part of the IT organization ecosystem. They would be involved in every decision about the infrastructure, and security concerns would be integral to those decisions rather than tacked on after the fact. This would allow for a set of "security" solutions based on how the network is structured and managed, rather than on special security capabilities inserted into the infrastructure by an outside group.

Imagine a security expert embedded in the software development organization. They would be able to refine the development process to make sure code is written and tested with an eye to security, without saddling the developers with processes that are alien to them, thereby reducing the vulnerabilities in the company's code. Imagine a security expert embedded in product lines. They would be able to make sure the corporate infrastructure protects their IP and that their development process reduces the vulnerabilities in their product.

In all these cases, security becomes a factor in corporate decisions grounded in the reality of corporate operations. The technical expertise of the CISO becomes integral to day-to-day work rather than a constraint imposed upon it. Similarly, security and compliance need to work seamlessly so that financial systems and communications with partners and vendors remain secure. This extends to telecom systems and other hardware.

**The Risk Factor**

This seems like a more impactful way to make the technical dimension of security a powerful voice in company execution. However, one may wonder if this will diminish the policy dimension, balkanizing it to address the special interests of individual functional units. This concern can be addressed by expanding the role of the chief risk officer to include the security policy functions currently carried out by the CISO. 

This has the benefit of keeping security policy at the C-level, where it gets the attention it needs. It has the further benefit of having cybersecurity risk considered in the context of other risks (risk to availability, risk to reputation, to address the cases above). Security would no longer be an end in itself, but a dimension of doing business. This doesn't mean security needs to battle it out with other concerns and make accommodations that compromise the security posture of the organization. Rather, it sets up an environment that trades the either/or mentality for one that seeks to satisfy all requirements.

There are numerous access control technologies that would have protected Facebook effectively without locking out its own personnel. When the security risk is considered along with the availability risk, those more pragmatic solutions would emerge.

Source

DARKReading