The new feature detects attempts to modify files and processes for Microsoft Defender for Endpoints on macOS.

Microsoft has announced general availability of tamper protection in Microsoft Defender for Endpoint on macOS. The feature, which has been in public preview since May, will be rolling out over the next few days.

Tamper protection allows administrators who deal with Apple hardware in their environments to block the unauthorized removal of Microsoft Defender for Endpoint on macOS systems, as well as prevent any attempts to tamper with Microsoft Defender for Endpoint files, processes, and configuration settings. The feature elevates the organization’s endpoint security posture, Microsoft said in a post on the Microsoft Tech Community.

“Enhanced tamper resilience across prevalent platforms is a great advantage for organizations seeking to continuously enhance their endpoint security,” the company said.

Tamper protection is a device-level setting, which means the protection will apply to all users on the device. Available settings are “disabled,” “audit,” and “block.” By default, Microsoft Defender for Endpoint on macOS will have Tamper protection set to “audit,” so actions to uninstall the agent, modify Microsoft Defender files, or creating new files in the location where Microsoft Defender is installed will be logged automatically. However, administrators will not see any alerts in the Security Center – they will need to check either on-device logs or under the Advanced Hunting feature.

Tamper protection needs to be switched to “block” in order for administrators to see alerts and for tampering activities to be blocked. The company says a future rollout will automatically switch settings so that “block” becomes the default setting.

Administrators can enable the feature using a mobile device management platform, such as Endpoint Manager or Jamf. Tamper protection is available only for Microsoft Defender for Endpoint version 101.70.19 or above and on macOS versions Monterey, Big Sur, and Catalina.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Rolls Out Tamper Protection for Macs

"Seaborgium" is a highly persistent threat actor that has been targeting organizations and individuals of likely interest to the Russian government since at least 2017, company says.

Microsoft's Threat Intelligence Center (MSTIC) has taken steps to disrupt the operations of "Seaborgium," a Russia-based threat actor that has been involved in persistent spear-phishing and credential-theft campaigns aimed at organizations and individuals in NATO countries since at least 2017.

The threat actor's primary motivation appears to be cyber espionage. Its victims include numerous organizations in the defense and intelligence communities, nongovernmental organizations, think tanks, higher-education institutions, and intergovernmental organizations, mainly in the US and UK. Microsoft said it has identified some 30 organizations that have been targeted in Seaborgium campaigns so far this year alone.

"Seaborgium has a high interest in targeting individuals as well, with 30% of Microsoft’s nation-state notifications related to Seaborgium activity being delivered to Microsoft consumer email accounts," Microsoft said in a blog post this week. Targeted individuals have included former intelligence officials, Russian experts, and Russian citizens outside the country that are of interest to Moscow. Available telemetry and tactics suggest overlaps between Seaborgium and threat groups that others are variously tracking as the Callisto Group, ColdRiver, and TA446, Microsoft said.

Seaborgium is just one of multiple Russia-based groups that are targeting US firms in cyber-espionage campaigns currently. Earlier this year, the US Cybersecurity and Infrastructure Security Agency (CISA) warned about Russian actors systematically stealing sensitive, but not classified, data on US weapons development and technologies used by the US military and government. The warning followed one from January about the potential for more Russian attacks on US targets in retaliation for US-led sanctions over the war in Ukraine.

**Sophisticated Impersonation**

In its blog post, Microsoft described Seaborgium actors as using mostly the same social-engineering tactics over the years to try and gain an initial foothold in a target organization. Before launching a campaign, the threat actor has typically tended to conduct extensive research on targeted individuals to identify their social and business contacts. The research has often involved the threat actor using social media platforms — including fraudulent profiles on LinkedIn — and publicly available information gather intel on individuals of interest.

They then have used the information to impersonate individuals known to the target and contacted them using new email accounts with email addresses or aliases configured to match the names or aliases of the impersonated individuals, Microsoft said. The tone of the initial contact is usually different depending on whether an individual is a personal/consumer target or someone working in a targeted organization. In the case of the former, Seaborgium actors have typically started with a benign email that exchanges pleasantries on topics of interest to the target and references a nonexistent attachment. Microsoft surmised that the goal of taking this approach is likely to establish a rapport with a target. If the phishing email recipient replies, the threat actor responds with an email containing a link to their credential-stealing infrastructure.

Seaborgium's phishing emails have a more businesslike and organizational tone to them for individuals within a target organization. In these situations, the threat actors have shown a tendency to take a more authoritative approach in directing email recipients to the credential-stealing site — for example, by taking cybersecurity-themed lures. In most campaigns, Seaborgium actors have embedded the URL to their credential-stealing site directly in the email body itself, Microsoft said. But of late, the threat actor has also been using PDF files and attachments spoofing a document or file-hosting service — often OneDrive — to distribute the link.

**Using Stolen Credentials to Steal Emails and Attachments**

Microsoft said its researchers have observed Seaborgium using stolen credentials to directly log in to victims' email accounts and steal their emails and attachments. In a few instances, the threat actor has also been observed configuring victim email accounts to forward emails to attacker-controlled addresses. 

"There have been several cases where Seaborgium has been observed using their impersonation accounts to facilitate dialogue with specific people of interest and, as a result, were included in conversations, sometimes unwittingly, involving multiple parties," Microsoft said, adding that often these conversations have involved potentially sensitive information.

**Under Scrutiny**

As far as the disruption goes, the computing giant has now disabled accounts that Seaborgium actors have been using for victim reconnaissance, phishing, and other malicious activities. This includes multiple LinkedIn accounts. It has also developed detections for phishing domains associated with Seaborgium.

F-Secure, which refers to the threat actor as the Callisto Group, has been tracking its activities since 2015. In a 2017 report, the security vendor had described Callisto Group as a sophisticated actor targeting governments, journalists, and think tanks in the EU and parts of eastern Europe. F-Secure had described the group's campaigns as involving highly convincing spear-phishing emails often sent from legitimate email accounts to which the threat actor had previously gained access, using stolen credentials.

More recently, Google warned about the threat actor in a broader update on malicious cyber activity in eastern Europe since the start of the Ukraine war in February. The company said it had observed ColdRiver — its name for Seaborgium — continuing to use Gmail accounts to send credential-phishing emails to Google and non-Google email accounts belonging to politicians, defense and government officials, journalists, and think tanks. "The group's tactics, techniques and procedures (TTPs) for these campaigns have shifted slightly from including phishing links directly in the email, to also linking to PDFs and/or DOCs hosted on Google Drive and Microsoft One Drive," Google said. The files have contained a link to a credential-phishing domain, according to Google.

Microsoft Disrupts Russian Group's Multiyear Cyber-Espionage Campaign

Omdia Senior Analyst Hollie Hennessy goes over her first experience of DEF CON as a woman in cybersecurity.

If you asked me how I was feeling on Thursday night about attending DEF CON, I would have said "nervous." After a week of preparing for and attending Black Hat — which I'm used to, for the most part — I wasn't sure how different DEF CON would be or what to expect.

I'd heard a lot. Switch your phone off, don't take credit cards, leave your laptop behind …some people asked why I was staying, warned I'd be exhausted, but assured me I'd have fun. And fun was an understatement.

Being able to attend these events in person has massively helped me with confidence and "imposter syndrome." This was mentioned in the opening DEF CON talk on Friday, and I've heard so many women share a similar worry. But in reality, the cybersecurity community is diverse in its talent. Although it may not always feel this way, being in Las Vegas for Black Hat and DEF CON has shown me that all you need is the enthusiasm to become an expert in your chosen specialty. With a community so willing to share knowledge, that's more than enough. I don't need to know everything, and I'm trying to stop myself from thinking that.

As a woman in tech — in cybersecurity even, networking can be difficult to navigate. Luckily, I had the most wonderful experience and genuinely can't say that I've been to many other events (social, work, or otherwise) where people are so kind, welcoming, and eager to teach and learn.

I know this experience is not the same for all women attending, but it's great to see progress made and a zero-tolerance policy toward sexual harassment from both DEF CON and Black Hat and the willingness to enforce this. I was pleasantly surprised to make friends in the girls' restrooms (who would've thought it!) and hope to make many more in years to come.

So, what are my tips?

1.  **Don't try to do too much.** There's so much to do and see and you're better off taking your time to focus on the areas that interest you most. I spent most of my time in the IoT Village (I'm all about the things) and Car Hacking Village. I missed a few that I wanted to get to, but there's always next time!
2.  **Save the talks for post-conference.** A colleague gave me some great advice to spend most of my time in the villages, as the talks are accessible after the event. Unless you want to attend a talk that isn't recorded, or have some burning questions for the speakers, make the most of walking around and seeing all the wonderful things the event has to offer in the flesh.
3.  **Talk to people!** It can be daunting to pluck up the courage to say hi, but one of the best things about attending in-person events (especially after COVID) is meeting others face to face. I guarantee you'll learn something new, and even make some new friends and connections.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DEF CON: A Woman's First Experience

South Staffordshire in the UK has acknowledged it was targeted in a cyberattack, but Clop ransomware appears to be shaking down the wrong water company.

South Staffordshire plc, a UK water-supply company, has acknowledged it was the victim of a cyberattack. Around the same time, the Clop ransomware group started threatening Thames Water that it would release data it has stolen from the utility unless Thames Water paid up.

The problem? Thames Water wasn't breached. 

Apparently, Clop got its UK water companies confused. 

South Staffordshire serves about 1.6 million customers and recently reported that it was targeted in a cyberattack and was "experiencing a disruption to out corporate IT network and our teams are working to resolve this as quickly as possible." It added there has been no disruption on service. 

"This incident has not affected our ability to supply safe water, and we can confirm we are still supplying safe water to all of our Cambridge Water and South Staffs Water customers," the water company said. 

Meanwhile, Thames Water, the UK's largest water supplier to more than 15 million people, was forced to deny it was breached by Clop ransomware attackers, who threatened they now had the ability to tamper with the water supply, according to reports. 

"As providers of critical national infrastructure, we take the security of our networks and systems very seriously and are focused on protecting them, so that we can continue to provide resilient services to our customers and the environment,” the larger water company told the UK Mirror. 

While Clop seems to have its records all wrong, both water utilities mounted capable responses to the ransomware group's attack on critical infrastructure, according to Edward Liebig, global director of cyber ecosystem at Hexagon Asset Lifecycle Intelligence. 

"I’m impressed by South Staffordshire Water’s ability to defend against the cyberattack in the IT systems and buffer the OT systems from impact," Liebig said. "And had Thames Water not done an investigation of the 'proof of compromise,' they may very well have decided to negotiate further. In both instances, each organization did their due diligence."

Clop Ransomware Gang Breaches Water Utility, Just Not the Right One

Just as one crop of malware-laced software packages is taken down from the popular Python code repository, a new host arrives, looking to steal a raft of data.

Just a week after 10 malicious software packages were found nesting in the Python Package Index (PyPI) repository, several more have come to light, uncovered by different firms. It's becoming a bit of a whack-a-mole exercise, snuffing out bad code only to find more taking its place.

In last week's disclosure, researchers at Check Point found Trojanized packages mimicking popular legitimate components, containing droppers for information-stealing malware. That prompted Kaspersky analysts to scour the open source repository further, which led to the discovery of two more rogue offerings, dubbed "pyrequests" and "ultrarequests," that purported to be one of the most popular packages in PyPI (which is simply named “requests“).

"The attacker used a description of the legitimate 'requests' package in order to trick victims into installing a malicious one," according to Kaspersky's Tuesday analysis. "The description contains faked statistics, as if the package was installed 230 million times in a month and has more than 48,000 stars on GitHub. The project description also references the web pages of the original requests package, as well as the author’s email. All mentions of the legitimate package's name have been replaced with the name of the malicious one."

If installed, the result is a W4SP Stealer infection, through which attackers can steal Discord tokens, saved cookies, and passwords from browsers in separate threads.

Meanwhile, researchers at Synk on Tuesday published findings around a dozen malicious PyPI packages aimed at stealing Discord and Roblox users’ credentials and payment info. According to Kyle Suero, Snyk's lead researcher on the report, the malware will also attempt to steal Google Chrome data or pilfer passwords and bookmarks from Windows machines to pivot throughout all accounts.

All of the offending packages have been removed from PyPI; however, it's unclear how many times they were downloaded before that.

Attacks on code repositories continue to snowball. According to ReversingLabs, attacks on npm and PyPI have collectively spiked from 259 in 2018 to 1,010 in 2021 — a 290% increase.

"As long as we keep ignoring the core of the problem — which is how do you trust code — we are not handling software supply chain security," said Tomislav Peričin, co-founder and chief software architect at ReversingLabs, said in a recent report.

Whack-a-Mole: More Malicious PyPI Packages Spring Up Targeting Discord, Roblox

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Come up with a cybersecurity-themed caption for the cartoon above, and you could win a $25 Amazon gift card if it's chosen as Dark Reading editors' favorite. Here are four convenient ways to submit your idea:

*   Email _\[email protected\]_ with the subject line "Dark Reading August Toon."
*   Via social media: Twitter, Facebook, and LinkedIn.

The contest ends Wednesday, Sept. 7, 2022. We look forward to your submissions.

**Last Month's Winner**

July's "Modern-Day Fable" caption contest now how a modern-day twist that would even make Aesop laugh. Congratulations go to winner Dana Morrow, director of security services at Foresite MSP. A $25 Amazon gift card is on the way.  

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: Vicious Circle

Cybercrime has been funded with cryptocurrency, but the valuation of various digital currencies has dropped by more than two-thirds and cybercriminals are feeling the pinch.

The dramatic decline in cryptocurrency has dampened activity around specific types of financial crimes — most significantly, investment scams and illegal Dark Web transactions — leading to a drop in consumer losses for the first half of 2022.

That's according to an analysis published on Aug. 16 from blockchain data provider Chainalysis.

Overall, the cumulative revenue collected by scammers dropped by two-thirds — 65% — for the first seven months of the year, according to the firm. The decline is only partly linked to the decrease in the value of major cryptocurrencies. Bitcoin, for example, plunged in value by 51% between Jan. 1 and July 31, and that still doesn't account for the total drop.

The number of deposits connected to scams also dropped by more than two-thirds, suggesting that fewer consumers were falling prey to those efforts, says Kim Grauer, director of research at Chainalysis.

"Most scams are investment scams, and if investments across the board are down, then less funds will flow to the services that are, in fact, scams," she says. "We also saw a lot of law enforcement wins in the past year which have further deterred scammers."

Since their peak last November, major cryptocurrencies have dropped precipitously in value, reaching lows in June. Bitcoin dropped nearly 72%, from its $67,567 close on Nov. 7, 2021, to $19,018 on June 17. Similarly, Ethereum plunged nearly 80% to close at about $994 on June 17. Both digital assets have recovered from those lows in the past two months.

    

Monthly deposits to scams have declined. Source: Chainalysis

Cryptocurrency is the financial backbone of most online crimes, Chainalysis stated in its midyear update, so the drop in cryptocurrency has impacted other major cybercrimes, such as money laundering and ransomware. Both have dropped by 20% to 25% since the beginning of the year, according to cybersecurity firms. 

That said, crimes that do not depend on enticing victims with cryptocurrency have been less affected by the volatility. Business e-mail compromise (BEC), for example, still accounted for 35% of the dollar losses in 2021, compared with 0.7% for ransomware, according to the FBI's Internet Crime Complaint Center (IC3).

"Nobody likes a crypto bear market, but the one silver lining is that illicit cryptocurrency activity has fallen along with legitimate activity, albeit not as sharply," the company stated. "This is especially encouraging in scams, where the decrease in market hype seems to mean fewer are fooled by scammers, and in darknet markets, where law enforcement’s \[shutdowns of major markets\] appears to have dampened the entire sector."

**DeFi Services Still Hot Targets**

One constant? Hacking of digital wallets and decentralized financial (DeFi) services continued to grow. Overall, cybercriminals stole at least $1.9 billion in cryptocurrency through hacking online services so far in 2022, an increase of about two-thirds from the same period in 2021.

The majority of the hacking profits comes from hacking DeFi protocols, Chainalysis stated in the mid-year report.

"DeFi protocols are uniquely vulnerable to hacking, as their open source code can be studied ad nauseum by cybercriminals looking for exploits — though this can also be helpful for security as it allows for auditing of the code," the company stated. "\[I\]t's possible that protocols' incentives to reach the market and grow quickly lead to lapses in security best practices."

Specific regions have also focused on specific types of crime. North Korean nation-state actors have compromised specific DeFi protocols, leading to massive gains for the sanctioned government. The attackers stole approximately $1 billion so far in 2022, accounting for the majority of the $1.9 billion in losses from exchanges and services, as of July 2022.

"We have seen ransomware attacks coming out of North Korea, but right now DeFi hacking is the most profitable thing for the North Korean hacking organizations to carry out," Grauer says. "North Korean hacking organizations have realized how profitable this type of hacking can be if done correctly, so have continued to carry out attacks throughout 2022."

Financial institutions, consumers, and cybersecurity professionals should not expect the decline in fraud related to cryptocurrency to continue, Chainalysis stressed. Consumers need to be better educated about the risks, while the cybersecurity of decentralized financial protocols needs to be bolstered and audited. Finally, legitimate exchanges should have protections in place to prevent the transfer of money to known scams, and law enforcement should develop their capabilities to seize cryptocurrency from bad actors, the company stated.

With Plunge in Value, Cryptocurrency Crimes Decline in 2022

The security flaw tracked as CVE-2022-30216 could allow attackers to perform server spoofing or trigger authentication coercion on the victim.

Researchers have discovered a vulnerability in the remote procedure calls (RPC) for the Windows Server service, which could allow an attacker to gain control over the domain controller (DC) in a specific network configuration and execute remote code.

Malicious actors could also exploit the vulnerability to modify a server's certificate mapping to perform server spoofing.

Vulnerability CVE-2022-30216, which exists in unpatched Windows 11 and Windows Server 2022 machines, was addressed in July's Patch Tuesday, but a report from Akamai researcher Ben Barnes, who discovered the vulnerability, offers technical details on the bug.

The full attack flow provides full control over the DC, its services, and data.

**Proof of Concept Exploit for Remote Code Execution**

The vulnerability was found in SMB over QUIC, a transport-layer network protocol, which enables communication with the server. It allows connections to network resources such as files, shares, and printers. Credentials are also exposed based on belief that the receiving system can be trusted.

The bug could allow a malicious actor authenticated as a domain user to replace files on the SMB server and serve them to connecting clients, according to Akamai. In a proof of concept, researchers exploited the bug to steal credentials via authentication coercion.

Specifically, they set up an NTLM relay attack. Now deprecated, NTLM uses a weak authentication protocol that can easily reveal credentials and session keys. In a relay attack, bad actors can capture an authentication and relay it to another server — which they can then use to authenticate to the remote server with the compromised user's privileges, providing the ability to move laterally and escalate privileges within an Active Directory domain.

"The direction we chose was to take advantage of the authentication coercion," Akamai security researchers Ophir Harpaz says. "The specific NTLM relay attack we chose involves relaying the credentials to the Active Directory CS service, which is responsible for managing certificates in the network."

Once the vulnerable function is called, the victim immediately sends back network credentials to an attacker-controlled machine. From there, attackers can gain full remote code execution (RCE) on the victim machine, establishing a launching pad for several other forms of attack including ransomware, data exfiltration, and others.

"We chose to attack the Active Directory domain controller, such that the RCE will be most impactful," Harpaz adds.

Akamai's Ben Barnea points out with this case, and since the vulnerable service is a core service on every Windows machine, the ideal recommendation is to patch the vulnerable system.

"Disabling the service is not a feasible workaround," he says.

**Server Spoofing Leads to Credential Theft**

Bud Broomhead, CEO at Viakoo, says in terms of negative impact to organizations, server spoofing is also possible with this bug.

"Server-spoofing adds additional threats to the organization, including man-in-the-middle attacks, data exfiltration, data tampering, remote code execution, and other exploits," he adds.

A common example of this can be seen with Internet of Things (IoT) devices tied to Windows application servers; e.g., IP cameras all connected to a Windows server hosting the video management application.

"Often IoT devices are set up using the same passwords; gain access to one, you've gained access to them all," he says. "Spoofing of that server can enable data integrity threats, including planting of deepfakes."

Broomhead adds that at a basic level, these exploitation paths are examples of breaching internal system trust — especially in the case of authentication coercion.

**Distributed Workforce Broadens Attack Surface**

Mike Parkin, senior technical engineer at Vulcan Cyber, says while it doesn't appear that this issue has yet been leveraged in the wild, a threat actor successfully spoofing a legitimate and trusted server, or forcing authentication to an untrusted one, could cause a host of problems.

"There are a lot of functions that are based on the 'trust' relationship between server and client and spoofing that would let an attacker leverage any of those relationships," he notes.

Parkin adds a distributed workforce broadens the threat surface considerably, which makes it more challenging to properly control access to protocols that shouldn't be seen outside the organization's local environment.

Broomhead points out rather than the attack surface being contained neatly in data centers, distributed workforces have also expanded the attack surface physically and logically.

"Gaining a foothold within the network is easier with this expanded attack surface, harder to eliminate, and provides potential for spillover into the home or personal networks of employees," he says.

From his perspective, maintaining zero trust or least privileged philosophies reduces the dependence on credentials and the impact of credentials being stolen.

Parkin adds that reducing the risk from attacks like this requires minimizing the threat surface, proper internal access controls, and keeping up to date on patches throughout the environment.

"None of them are a perfect defense, but they do serve to reduce the risk," he says.

Windows Vulnerability Could Crack DC Server Credentials Open

Threat hunting not only serves the greater good by helping keep users safe, it rewards practitioners with the thrill of the hunt and solving of complex problems. Tap into your background and learn to follow your instincts.

Growing up in the Pacific Northwest, I was fascinated by treasure hunting. I love the idea of finding something valuable or important. I had an arsenal of tools even the most seasoned treasure hunters would envy: a metal detector, a bucket, and a plastic shovel. Yet the most valuable tool I possessed was my firm belief that I would find treasure as long as I looked hard enough.

Threat hunting is like treasure hunting in many ways. Threat hunters also have their tools of the trade.

Several years ago, I traded that plastic shovel for a data visualization tool (i.e., Kibana) and too much coffee. I still feel the excitement of the hunt for something valuable. You see, treasure hunting and threat hunting both stimulate the mind. They are both filled with hidden clues, there is no set path, and sometimes you must solve complex problems. There is unmistakable value in discovering threats, so that we can improve the security of our organizations.

At one point in my military career, I worked as a networking specialist on a cyber-protection team, where I became a network traffic analysis expert. The mission was simple — just hunt. Remember, no good treasure hunt starts without a treasure map. That's where this threat-hunting story begins.

I received a PDF version of the network map that contained hundreds of endpoints, ports, protocols, and services (PPS) to quickly identify acceptable and normal network traffic as a baseline. The posters we printed from the PDF were the size of twin-sized blankets. Yet, we hung them up on the ops floor. We had our "treasure map," and set out to analyze the hex and packet captures (PCAPs).

We found nothing that deviated from the baseline and PPS listing. But I still had the unshakeable belief from my youth that I would find something if I looked hard enough. We were parsing through millions of network events and terabytes of data. I decided to investigate the top-talking ports – even the acceptable ports outlined on the PPS.

"Manual" threat hunting, for lack of better words, relies on highly skilled people and the knowledge they have collected over years in the field. Down the list I went looking at HTTPS, HTTP, DNS, SMTP, and so on. Finally, I arrived at port 1433, or SQL, which is the primary language used for managing data. This was significant as it's often a large attack surface for hackers and adversaries. I built a query and modified data fields to quickly identify the IPs communicating with one another.

One pair of IPs looked a little unusual and didn't fit into the schema of the other IPs. It stood out to me because I understood the network (thanks to our trusty map). That's when I discovered unencrypted SQL data. I could see everything and the data in these tables made my jaw drop. This data was leaving the network unencrypted. I immediately notified my mission commander, who carried it up the chain – we discovered it was a configuration error that was quickly fixed. The goal of discovering threats was so that we could take action to remediate them.

**Learning From Experience**

Eight-year-old me would have been very proud of my ability to find such a significant threat – being able to improve our security was certainly of value. There were many lessons to be learned from this hunt that I have held with me over the years:

*   Understand the network you're working on to easily recognize patterns and behaviors that deviate from normal.
*   Question and review all traffic, even acceptable or normal traffic. Network traffic is guilty until proven innocent in the world of threat hunting.
*   Not every hunt will result in threats being found, but always listen to your instincts. If you know it's out there, it probably is.

Threat hunting is an opportunity to help a greater good. Cyberattacks are relentless. We must work together as professionals to change the playing field. Equally, be willing to accept help. I have been fortunate to find work that brings me so much joy. I love what I do because it connects me with a lifelong drive. There are many specialties within cybersecurity; finding your particular niche will make you successful in this field.

Lessons From the Cybersecurity Trenches

Heads of CIA and CISA headline event at DC Convention Center.

Returning in person after two years, the 13th Annual Billington Cybersecurity Summit is a three-day event designed to examine the nation's pressing cyber needs and the impact of the Biden Administration's fast-moving cyber strategic direction.

The summit explores "Transforming Cybersecurity Through a Unified Approach" with a focus on the hottest cyber topics. More than 125 speakers spanning government, military, nonprofits, industry, and academia, including CIA Director William Burns; Chris Inglis, National Cyber Director, EOP; DHS CISA Director Jen Easterly; John Sherman, CIO, DOD; and two top cyber officials from Ukraine will discuss cyber trends and issues during more than 40 sessions.

**WHEN**

September 7-9, 2022

Sept 7: 8:45 a.m.-5 p.m.

Sept 8: 8:30 a.m.-5 p.m.

Sept 9: 9 a.m.-noon

**TOPICS**

The summit has more than 40 panel discussions, breakout sessions, and fireside chats. Agenda topics include:

*   Cyber Lessons Learned from Ukraine
*   Securing Infrastructure in an Increasingly Connected World
*   Election Security and the 2022 National Elections
*   Lessons Learned for Fortifying a Strong Cybersecurity Workforce
*   All-Star VC Roundtable: What Are the Next Game-Changing Cyber, Disruptive Technologies?
*   The Cyber Threat Landscape and Zero Trust: Lessons Learned and Success Stories
*   Future of Encryption: Moving to a Quantum-Resistant World
*   Cybersecurity Public/Private Engagement
*   Addressing Insider Threat while Protecting Privacy
*   Future Panel | Cybersecurity and the Future of 5G
*   Enhancing the Security of Open-Source Software and the Supply Chain
*   Automating Cybersecurity: Applying AI Internally and at the Edge
*   Beyond Ransomware: Identifying the Next Cyber Threats

**WHERE**

Walter E. Washington Convention Center

801 Mt Vernon Pl NW

Washington, DC

**HOW**

Learn more or register at https://billingtoncybersummit.com/. Complimentary government and military tickets are available. Tickets for corporate attendees are $895; academic and non-profits are $125; and students are $25. Press is free for credentialed reporters but must register in advance online.

**WHY**

Presented by over 40 sponsors, led by Amazon Web Services, Raytheon Intelligence & Space, and Cisco Secure, the Billington Summit convenes leading senior cyber government decision-makers to examine key trends and topics while fostering deeper dialogue between government leaders and private industry.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading