One of the oldest tactics in cybercrime is still one of the most widely feared — and with good reason, as campaigns are expected to increase and become more sophisticated over the next 12 months.

Phishing continues to represent not just a mainstay threat but also a significant cost to enterprises, with some large organizations with a robust IT and security staff spending $1.1 million per year to mitigate phishing attacks, new data shows.

Phishing-related security activities currently consume, on average, about one-third of the total time available to organizations' IT and security teams, according to a newly published report. A single malicious message costs organization an average of about 27 minutes and $31 in labor to mitigate, but can cost up to $85.33 if a company takes 60 minutes to eliminate the threat, researchers found.

This cost, combined with the consequences of successful phishing incidents — which include loss of account credentials, business email compromise, and data theft — means that about a third of organizations consider phishing to be either a "threat" or "extreme threat" to their businesses, researchers wrote in the report, which was commissioned by email security firm Ironscales and conducted and written by Osterman Research.

This situation is unlikely to improve anytime soon, as threat actors become even more sophisticated in how they craft phishing campaigns not only to hook enterprise workers, but also to make phishing emails harder to detect, the researchers found.

And while the shift to remote working that occurred during the pandemic lifted the burden of phishing slightly and led to a decline in this type of cybercrime activity over the 12 months previous to June 2022, the threat from phishing will soon be on the uptick again, the researchers found.

Enterprises should be on the alert and start preparing now to deal with imminent and "more sophisticated and pernicious" attacks — or expect to spend even more to handle phishing in the future, they said. "The time and cost currently expended on mitigating phishing will increase unless organizations start relying on better phishing protections," the researchers wrote.

**Organizational Burden**

Osterman Research surveyed 252 IT and security professionals in the United States in June 2022 for the report, asking them a range of questions about how their organizations deal with phishing and the impact it has.

Researchers attempted to quantify the actual business cost in terms of time and money spent addressing phishing that enterprises are incurring. They found that it indeed represents a significant investment that rises exponentially the more staff an organization has, and the more phishing emails a company receives.

That email cache from phishing in the current security landscape can be staggering, with some larger organizations receiving thousands of phishing emails per day, the researchers said. "Clearly, no organization has to deal with only a single phishing email," they wrote. "With several billion phishing messages sent globally every day, phishing is a significant proportion of overall email volumes."

**Lost Time and Money**

In terms of time, 70% of organizations surveyed said they spent 16 to 60 minutes per phishing email, representing the time from initial discovery of a potentially malicious email to complete removal from the environment, the researchers said.

On average, most organizations spend about 31 to 45 minutes to mitigate a phishing message, with 29% of respondents reporting this time frame at their respective organizations. Overall, handling phishing-related activities consumes an average of one-third of the working hours available each week for the IT and security teams at their organization, according to respondents.

Researchers also attempted to quantify the actual cost of phishing to an organization by considering a number of factors, including the roles that survey respondents play in mitigating phishing at their respective organizations, as well as their individual salaries.

What they found based on their calculations was that, on an annual basis, organizations spend, on average, $45,726 in salary and benefits paid per IT and security professional to handle phishing, they said.

This cost goes up exponentially depending on how many IT and security professionals an organization has, researchers said. An organization with five IT and security professionals is currently paying $228,630 of the annual salary and benefits paid to handle phishing, for example, while an organization with 25 IT and security professionals incurs significant more cost per year — or about $1.14 million — to handle phishing.

**Evolving Tactics**

To anyone who follows the security landscape, to say that threat actors who engage in phishing are getting more sophisticated is no surprise. By now, most corporate workers are already trained to recognize emails that are potentially malicious, which has spurred cybercriminals to pivot to trickier, more evasive tactics to ensure success.

Half of survey respondents cited three emerging characteristics of the phishing emails that are surfacing in the enterprise now as most worrying in terms of demonstrating these tactics.

The first is the use of adaptive techniques — also known as polymorphic attacks — which vary each phishing message slightly to decrease the likelihood of being detected as a phishing message, the researchers said. These messages "must be evaluated one by one, rather than being able to match using signatures or other known or trained identifiers," making them harder to mitigate, according to the report.

Another is threat actors' use of compromised account credentials — which are either obtained by earlier phishing attacks or purchased on the Dark Web — to hijack current email threads to send out more phishing emails. These messages also are likely to bypass detection, since they're sent from the organization’s own email infrastructure, "removing many threat signals that can be evaluated when messages originate externally," the researchers noted.  

Threat actors also are using other advanced obfuscation techniques in which "payload and link threats are nested, initially presented as benign, or subsequently downloaded," which also means phishing defenses have to work harder to flag potentially malicious emails, the researchers noted.

**Microsoft Teams and Slack**

Another emerging trend that at least half of the survey respondents reported seeing in their environments is phishing that spreads beyond email to communication and collaboration tools. Among the most common new attack vectors are messaging apps and cloud-based file sharing platforms such as Microsoft Teams and Slack, the researchers said.

"As phishing spreads to these new tools — often driven by account credential compromise — IT and security professionals will have to spend even more time addressing threats and seeking to eradicate threat actors from their other services," the researchers said.

What all of this adds up to for the enterprise is that they should get out ahead of the expected imminent surge in phishing attacks now if they want to free up cybersecurity staff to focus on more strategic initiatives, the researchers said.

Specifically, they advised enterprises "should be looking for more capable solutions that detect and stop more phishing attacks, offer detection of advanced polymorphic and nested threats, and protect communication and collaboration tools via a holistic solution rather than being limited to protecting email only."

Phishing Mitigation Can Cost Businesses More Than $1M Annually

Improving the flow of clean, safe code with heightened visibility and automation.

**SAN FRANCISCO, CA, 10/18/2022** — AutoRABIT announces a new update to its Salesforce DevSecOps platform that includes strategic integrations with major communication applications Slack and Microsoft Teams, new automation functionality, and seamless operation with Salesforce’s newest update API version 56.

The expanded functionality also includes opening the 600+ rules of CodeScan — AutoRABIT’s static code analysis solution—to Salesforce DX users, bringing best-in-class code security to a new group of Salesforce power users.

“We’re excited to further expand our suite of solutions to continue to meet the needs of our partners and customers. These updates to our release management processes will continue to help organizations save time and money during a time where both are needed,” said Prashanth Samudrala, VP of Products at AutoRABIT.

AutoRABIT Automated Release Management (ARM) now offers auto-approval for quality gates which moves DevOps teams closer to true Continuous Delivery (CD) by setting quality parameters and automating approvals, reducing manual processes across the development lifecycle. DevOps teams can also leverage a new auto-merge capability to keep development branches in sync — in real time — without having to tend to them individually.

AutoRABIT’s new update also expands upon the already extensive reporting capabilities of their ARM solution to deliver scheduled and automated reports so users can track success metrics on a pre-defined timeline.

Enhanced integrations with communication applications Slack and Microsoft Teams ensure asynchronous, organization-wide visibility into every development milestone. A dedicated channel is created which automatically updates the team when a change, issue, or success occurs within the development pipeline. AutoRABIT ARM also integrates with Hashicorp Vault for management and protection of sensitive data.

AutoRABIT’s newest update covers the entirety of their DevSecOps suite including CodeScan Shield, ARM, and Vault Data Backup & Recovery. These new features work together to create greater security, seamless flow of data, and accountability across Salesforce development teams.

AutoRABIT Accelerates Release Management Processes with Automation and Key Integrations

The tool helps red teams manage their activities, analyze the data from their campaigns, create reports, and better present results to organizations.

The Cybersecurity and Infrastructure Security Agency (CISA) has rolled out a free open source tool to help red teams and penetration testers more efficiently conduct their analysis, visualization, and reporting activities. The platform could help harmonize the necessary, but often boring, work of communicating results to clients and management, the US Department of Homeland Security (DHS) agency said.

The tool, dubbed RedEye, helps visualize command-and-control activities, allowing the teams to replay assessment actions rather than manually parsing log files to recreate events. CISA, along with the Department of Energy's Pacific Northwest National Laboratory (PNNL), created the tool to meet its own internal needs but decided to publish the software to help other red teams and gather feedback and feature requests from the community as a whole.

"The open source release was centered around contributing to the global information security community," a CISA spokesperson told Dark Reading. "Diversity and openness of thought makes products better for everyone, and getting community feedback and even 'pull requests' to contribute to the project make for compelling on-ramps into improvements and helping the community at large."

A number of organizations have published significant security tools as open source software in the past year. In August, NetSPI released two adversary simulation tools, PowerHuntShares and PowerHunt, to help companies detect vulnerable network shares and manage their attack surfaces. In November 2021, Google published its ClusterFuzzLite software as open source, a program that allows application security specialists to run various fuzzing capabilities against their software. The company released two related tools, OSS-Fuzz and ClusterFuzz, in 2016 and 2019, respectively.

The RedEye project could be a boon to red teams, especially those at smaller companies and agencies that do not have the support of a development team to make internals tools, says Charles Henderson, global head of IBM Security's X-Force team. By making a red team's reporting and communicating tasks more efficient, the tool can open up more time to do as much red teaming as possible, he says. Daily tasks, such as data aggregation, collating data, and working on presentation all take a lot of time — time that could be better spent simulating attacks.

"We spend a lot of time in security creating tools that are really centered around the 'cool' parts of security — the stuff that gets presented at conferences," Henderson says. "The truth of the matter is that we spend a lot of time in security on auxiliary functions, like reporting and the aggregation of data, which are — for lack of a better term — unsexy. To the degree we can start to decrease the time sink associated with those tasks, then we are going to be far better at security."

**Cyberattack Reporting**

RedEye can help red team members and executives understand the attack paths by creating visualizations of the entries in log files. The tool currently supports Cobalt Strike logs, but will expand to support telemetry from other red team toolsets, CISA said. The goal is to allow red team analysts to be able to better visualize and understand attempted and successful attack paths used during penetration tests and display that information clearly.

"This tool ... allows an operator to assess and display complex data, evaluate mitigation strategies, and enable effective decision making in response to a Red Team assessment," CISA said in the project documentation. "The tool parses logs, such as those from Cobalt Strike, and presents the data in an easily digestible format. The users can then tag and add comments to activities displayed within the tool."

The tool will be useful for companies that utilize in-house red teams as well as penetration-testing services as a way to standardize reporting. IBM creates its own tools to handle such activities, but the company is a "fairly advanced shop," says IBM Security's Henderson. "You would be surprised how few tools are out there for folks that may not not have the development resources that we do."

If RedEye becomes popular, it could help to standardize reporting formats and feature sets for reporting and analysis tools. However, CISA stresses that use of the tool is not a government requirement nor is it intended to be.

"While CISA is excited for the community to get the opportunity to use this tool on their own engagements, we trust that each red team will use the tools that meet their specific use case as they deem appropriate," the agency spokesperson said. "RedEye can help augment the way in which offensive reports and evidence is presented to customers/clients, but it is not intended to drive universal alignment around a common standards."

**Not Another Tool for Nefarious Hackers**

Adversary-attack simulation tools such as Cobalt Strike and Brute Ratel have grown in popularity, not only with defenders, but with attackers as well. While many tools created to help red teams and penetration testers are dual use, equally beneficial to the attacker as well as the defender, but RedEye really does not fall into that category, IBM Security's Henderson says.

"Criminals have gotten much better at eliminating the time sinks in their operations and focusing on the return on their investments, and this is the first time in a long time that a tool is coming out that is focusing on efficiency gains for the defender," he says. "I think that benefit to the stakeholders in security testing is going to be far more meaningful than any benefit that could be provided to criminals."

The CISA spokesperson said CISA plans to add a roadmap for the tool's development to the GitHub repository in the future, and specify which adversary-simulation tools it plans to support.

CISA Offers Free RedEye Analytics Tool for Red Teams

With the IT universe expanding, collaboration, thoughtfulness, and discipline can ensure a more secure future.

Does your organization truly understand the shared responsibility model? Shared responsibility emerged from the early days of cloud computing as a way to delineate responsibilities between cloud providers and their customers, but often there's a gap between what shared responsibility means and how it is interpreted. With the decentralization of IT, this gap is getting worse.

**Decentralization of IT**

Our applications, servers, and overall technology used to be under the purview and control of the IT department, yet with the shift to cloud, and specifically software-as-a-service (SaaS), this dynamic has changed. Whether it's the sales team bringing in a customer relationship management (CRM) system like Salesforce, or the HR department operating a human resources information system (HRIS) like Workday, there's a clear "expanding universe" of IT that no longer sits where it used to. Critical business workflows exist in separate business units far from IT and security and are managed as such. Our corporate IT footprints have become decentralized.

This is not some minor, temporary trend. With the ease and speed of adopting new SaaS applications and the desire to "lift and shift" code into cloud-based environments, this is the future. The future is decentralized.

**Challenging Security Realities**

The shift to business-owned and -operated applications puts security teams in a position where risk management is their responsibility; they are not even able to log in to some of these critical systems. It's like asking your doctor to keep you healthy but not giving her access to your information or having regular check-ups. It doesn't work that way.

Beyond the challenging human skills gap, there's technical entropy and diversity everywhere, with different configuration settings, event logs, threat vectors, and data sensitivities. On the access side, there are different admins, users, integrations, and APIs. If you think managing security on Windows and Mac is a lot, try it across many huge applications.

With this reality, how can the security team be expected to combat a growing amount of decentralized business technology risk?

**Shared Responsibility Becomes Shared Fate**

We must operate our technology with the understanding that shared responsibility is the vertical view between cloud provider and customer, but that enterprise-owned piece of shared responsibility is the burden of multiple teams horizontally across an organization. Too often the mentality is us versus them, availability versus security, too busy to care about risk, too concerned with risk to understand "the business." This must change.

An incident in security doesn't just impact security. We've heard "united we stand, divided we fall." We need to say that more in cyber — we win or lose together. This is why the horizontal view, across the org for the "customer-owned" piece of shared responsibility, must be viewed as a shared fate.

**Fighting Back, Together**

Great, we must do more. We all hear that a lot. But what specifically can we do immediately to improve our situation?

*   **Connect the people:** Regardless of the technology, we are still in an environment where technology is deployed, managed, and used by people. Bring together the people involved in particular technologies or workflows and make sure they know each other and can communicate well.

*   **Create a shared security-productivity vision:** If each group and/or role understands what incentives, responsibilities, and other dynamics exist for their teammates, there will be more empathy and better interactions.

*   **Continue to include security after procurement:** Once a new app is rolled out, the security team needs to be informed to determine who has access to the tool, how it will be used, and what data is stored within it. It's critical that the defenders in your organization have this visibility in order to protect against threats.

*   **Create a consistent access method:** This can be through your existing IAM tools, like Okta or Ping, but it's imperative to understand how users — both inside and outside of your organization — are going to be using the app and who has admin access and rights. This way, you can limit over-privilege and prevent wide-reaching data exposure and risk.

*   **Set organization-wide policies across apps:** For example, create file-sharing rules within tools like Google Drive or Box. This can be done without the security team blocking productivity among teams. When there's a clear partnership between security and the business, simple rules around passwords, expiration dates, or access control for file sharing can be the baseline for which threat detection rules and policy violations are more clearly written and deployed.

*   **Conduct a risk assessment of every app in your environment:** Whether it's employee data in Workday or Zoom recordings of board meetings that your apps are storing, it's critical to know the relative importance and risk level of each app. Ask yourself if adversaries would want to access it and, if so, how much they'd gain from the data. This will help you determine the types of apps you allow in your network, as well as policies and controls associated with the rollout.

*   **Roll out an integration policy, and stick to it:** With organizations of more than 1,000 employees using more than 150 SaaS applications on average today, it's important to understand integrations between apps like Google and Slack. While at times wildly convenient for a particular employee, this new integration web quickly changes risk profiles of your sanctioned SaaS applications, and it's incredibly difficult to keep up once your culture allows for random third-party integrations to connect to SaaS. Be disciplined here about setting a policy and sticking to it.

While our IT universe is expanding, with some collaboration, thoughtfulness, and discipline, we can have a more productive _and_ a more secure future. It's on us to make sure our shared fate is a positive one.

Shared Responsibility or Shared Fate? Decentralized IT Means We Are All Cyber Defenders

New Crypto Source program extends Mastercard’s safe, secure, and trusted services.

Mastercard today introduces Crypto SourceTM, a new program to enable financial institutions to bring secure crypto trading capabilities and services to their customers.

The 2022 Mastercard New Payments Index reported that 29% of respondents globally hold cryptocurrency as an investment, with another 65% indicating a preference for crypto-related services to be provided by their current trusted financial institution.\*

In partnership with regulated and licensed crypto custody providers, Mastercard's financial institution partners will gain access to a comprehensive suite of buy, hold and sell services for select crypto assets, augmented with proven identity, cyber, security and advisory services. This Crypto Source offering is complemented by Mastercard Crypto SecureTM to bring additional security to the crypto ecosystem and support card issuers in their compliance with complex regulations.

Now, Mastercard’s suite of crypto-related offerings for banks and fintechs includes:

*   **Technology and partnership support to enable buy, hold and sell** of select crypto assets
*   **Security management** including Mastercard’s identity solutions, crypto analytics, transaction monitoring, anti-money laundering, ‘Know Your Business’ and lifecycle stages, cybersecurity, and biometrics
*   **Crypto spend and cash out capabilities offered** through a range of products, including crypto cards, open banking and cross border services. Financial institutions would also be able to offer additional functionality using Mastercard’s technology such as digital receipts and loyalty solutions
*   **Crypto program management** including program design, product development and technology implementation, as well as go-to-market optimization and marketing consultancy services, providing end-to-end support for banks, fintechs and issuers to offer crypto programs at scale

“At Mastercard, trust is our business. What we are announcing today is a connected approach to services that will help bring users safely and securely into the crypto ecosystem. Our recent investments in this space, such as the acquisition of CipherTrace and Ekata, are providing us with a unique set of capabilities to help provide our customers and consumers with the most technically advanced solutions available in the market,” **said** **Ajay Bhalla, President, Cyber & Intelligence at Mastercard.**

To support this program, Mastercard is expanding its partnership and work with Paxos Trust Company, a leading regulated blockchain infrastructure platform. The partnership aims for Paxos to provide crypto-asset trading and custody services on behalf of the banks, while Mastercard will leverage its technology to integrate those capabilities into banks’ interfaces, resulting in a seamless experience for the consumer.

“Our commitment is simple – to explore crypto and the underlying digital assets technology to support consumer choice in payments. Today is an exciting step in our crypto journey that draws on the strengths of our global businesses, from open banking and identity verification to analytics and fraud monitoring to settlement solutions. We’re excited to build on our long-term partnership with Paxos – co-innovating to bring safe and secure technology to financial institutions. Our crypto product innovations will provide choice at scale and continue to bring one-of-a-kind opportunities to financial institutions as they seek to offer new, advanced services to their customers,” **said Jorn Lambert, Chief Digital Officer at Mastercard.**

“Mastercard has a powerful network of financial institutions around the world. This exciting offering developed by Paxos and Mastercard will give FIs the fastest and most trusted way to offer safe, reliable crypto access for their consumers globally. We’re thrilled to partner with Mastercard to further accelerate the mainstream adoption of digital assets,” **said Walter Hessert, Head of Strategy at Paxos.**

Over the past few years, Mastercard has been working alongside its customers and partners to bring new services and capabilities that help make crypto more accessible, safe and secure. These efforts have been complemented with the addition of new technologies through Finicity, Ekata, RiskRecon and CipherTrace. This unique combination of services provides eligible financial institutions the opportunity to directly manage crypto asset investments for consumers. Mastercard also continues to support banks, governments and others through its Crypto & Digital Currencies Consulting Services.

Mastercard Crypto Source is currently being prepared for pilot programs. Additional details on broader availability will be made available at a later date.

Mastercard To Bring Crypto Trading Capabilities To Banks

There's nothing yet to suggest CVE-2022-42889 is the next Log4j. But proof-of-concept code is available, and interest appears to be ticking up.

Researchers are closely tracking a critical, newly disclosed vulnerability in Apache Commons Text that gives unauthenticated attackers a way to execute code remotely on servers running applications with the affected component.

The flaw (CVE-2022-42889) has been assigned a severity ranking of 9.8 out of a possible 10.0 on the CVSS scale and exists in versions 1.5 through 1.9 of Apache Commons Text. Proof-of-concept code for the vulnerability is already available, though so far there has been no sign of exploit activity.

**Updated Version Available**

The Apache Software Foundation (ASF) released an updated version of the software (Apache Commons Text 1.10.0) on September 24 but issued an advisory on the flaw only last Thursday. In it, the Foundation described the flaw as stemming from insecure defaults when Apache Commons Text performs variable interpolation, which basically is the process of looking up and evaluating string values in code that contain placeholders. "Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers," the advisory said.

NIST, meanwhile, urged users to upgrade to Apache Commons Text 1.10.0, which it said, "disables the problematic interpolators by default."

The ASF Apache describes the Commons Text library as providing additions to the standard Java Development Kit's (JDK) text handling. Some 2,588 projects currently use the library, including some major ones such as Apache Hadoop Common, Spark Project Core, Apache Velocity, and Apache Commons Configuration, according to data in the Maven Central Java repository.

In an advisory today, GitHub Security Lab said it was one of its pen testers that had discovered the bug and reported it to the security team at ASF in March.

Researchers tracking the bug so far have been cautious in their assessment of its potential impact. Noted security researcher Kevin Beaumont wondered in a tweet on Monday if the vulnerability could result in a potential Log4shell situation, referring to the infamous Log4j vulnerability from late last year.

"Apache Commons Text supports functions that allow code execution, in potentially user supplied text strings," Beaumont said. But in order to exploit it, an attacker would need to find Web applications using this function that also accept user input, he said. "I won't be opening up MSPaint yet, unless anybody can find webapps that use this function and allow user supplied input to reach it," he tweeted.

**Proof-of-Concept Exacerbates Concerns**

Researchers from threat intelligence firm GreyNoise told Dark Reading the company was aware of PoC for CVE-2022-42889 becoming available. According to them, the new vulnerability is nearly identical to one ASF announced in July 2022 that also was associated with variable interpolation in Commons Text. That vulnerability (CVE-2022-33980) was found in Apache Commons Configuration and had the same severity rating as the new flaw.

"We are aware of Proof-Of-Concept code for CVE-2022-42889 that can trigger the vulnerability in an intentionally vulnerable and controlled environment," GreyNoise researchers say. "We are not aware of any examples of widely deployed real-world applications utilizing the Apache Commons Text library in a vulnerable configuration that would allow attackers to exploit the vulnerability with user-controlled data."

GreyNoise is continuing to monitor for any evidence of "proof-in-practice" exploit activity, they added.

Jfrog Security said it is monitoring the bug and so far, it appears likely that the impact will be less widespread than Log4j. "New CVE-2022-42889 in Apache Commons Text looks dangerous," JFrog said in a tweet. "Seems to only affect apps that pass attacker-controlled strings to-StringLookupFactory.INSTANCE.interpolatorStringLookup().lookup()," it said.

The security vendor said people using Java version 15 and later should be safe from code execution since script interpolation won't work. But other potential vectors for exploiting the flaw — via DNS and URL — would still work, it noted.

Researchers Keep a Wary Eye on Critical New Vulnerability in Apache Commons Text

Just 65 cybersecurity professionals are in the workforce for every 100 available jobs, new study shows.

Widely reported shortages of trained cybersecurity professionals are driving the industry to try to come up with some with creative recruiting and training solutions. But it's complicated. 

At the very same time, automation is increasingly performing the tedious entry-level tasks that early-career threat hunters once built their chops working on, making it harder to gain early experience. 

The result is demand for job openings requiring some previous cybersecurity experience over the past year grew 2.4 times faster than the rate of the rest of the economy, while only 65 cybersecurity professionals are in the workforce for every 100 available jobs, according to newly released research from CyberSeek and partners National Initiative for Cybersecurity Education at NIST, Lightcast, and ComTIA. Overall there were some 769,736 cybersecurity job openings listed over the 12-month period ending in September of this year.

"The CyberSeek data reaffirms the critical importance of feeder roles and thinking more creatively about on-ramps and career pathways," Ron Culler, vice president cyber learning officer, CompTIA said about the cybersecurity employee recruitment study findings. "We see this trend continuing and are committed to ensuring that cybersecurity professionals are prepared for the current and future challenges this will bring."

Besides staffing up the security operations, employers are increasingly searching for potential hires with cybersecurity skill sets across other specialized areas of business including auditor, software developer, cloud architect, and tech support engineer, CyberSeek found. 

**Cybersecurity Experience Expectations Unrealistic **

In many cases, those demands for cybersecurity experience are unnecessary, Timothy Morris, chief security adviser with Tanium, tells Dark Reading.

"Degrees are not required for most cybersecurity jobs," Morris explains. "Provide on-the-job training with tuition assistance for degrees. Building great, world-class cybersecurity teams requires a skill diversity. I've had success with folks that have varied backgrounds (teachers, retailers, mechanics) seeking a new career." 

Instead, Morris suggests employers search out job seekers with curiosity and a passion for solving problems. 

Phil Neray, vice president of cyber-defense strategy at CardinalOps, agrees and suggests hiring managers looking for cybersecurity talent consider applicants with past job experience in crime and fraud investigations, history and foreign policy, data science, IT networking, and music.

"Hiring in a tough labor market requires a certain level of open-mindedness and intellectual humility on the part of the hiring manager," Neray tells Dark Reading. "There are lots of people with nontraditional backgrounds who can become excellent cybersecurity professionals because they exhibit key traits like a willingness to learn, an analytical 'hacker mindset' when discovering the unknown, creativity, and attention to detail."

Cybersecurity's Hiring Spree Requires a Recruiting Rethink

Excessive statefulness hurts the ability to scale networks, applications, and ancillary supporting infrastructure, thus affecting an entire service delivery chain's ability to withstand a DDoS attack.

In this era of accelerated digital transformation, organizations have come to rely on increasingly complex application and service delivery chains to seamlessly and consistently deliver goods and services across the Internet. In turn, they expect similar levels of service and consistency from business partners and suppliers — and all at Internet speed and scale.

This is why, of the three elements of information security — confidentiality, integrity, and availability — it is availability that is at the forefront of the organization's ability to conduct business and attain its goals. The growing reliance on remote work and education has only served to increase the criticality of availability across all verticals, at all levels of contribution.

As a result of this wholesale shift in operational models, it is now possible for threat actors to disrupt not only an organization's public-facing applications and services — which is bad enough, both in terms of revenue and of brand reputation — but to negatively impact the ability of front-line workers to execute their responsibilities. This is the goal of distributed denial-of-service (DDoS) attacks.

**Scaling Defenses as DDoS Attacks Increase**

Threat actors launch DDoS attacks for a variety of reasons, including extortion, contracted attacks from business competitors, ideological motivations, disputes related to online gaming, and even simple nihilism. And DDoS attacks against an organization's supply chain partners or external services vendors can be just as disruptive as a direct attack against the organization's organic assets. The record-breaking number of DDoS attacks observed during 2021 exhibited significant increases in preattack reconnaissance, the introduction of multiple new DDoS vectors, and unprecedented growth in multivector DDoS attacks targeted across multiple verticals.

While metrics such as attack volume (bits-per-second, or bps), throughput (packets-per-second, or pps), and application-layer load (transactions-per-second \[tps\] or queries-per-second \[qps\]) are necessary for understanding attack dynamics and scaling DDoS defenses, it is important to realize that DDoS attacks are attacks against both capacity and state.

In the networking context, maintaining state means tracking the current status or condition of a given network communication session. In terms of applications and services, it means doing so for discrete transactions or processes. While stateful operation can be desirable in some specific circumstances and for short time frames, excessive instantiations of state impose significant constraints on the ability to scale networks, applications, and ancillary supporting infrastructure, thus affecting the ability of the entire service delivery chain to withstand DDoS attacks.

**How DDoS Attacks Overcome Stateful Firewalls, IPSes, and Load-Balancers**

Placing a stateful firewall — a category that encompasses Web application firewalls (WAFs) — on an enterprise network enhances security by dropping all incoming network traffic not directly related to outgoing user-initiated network requests. However, it does not help secure public-facing Web servers, authoritative DNS servers, application servers, and the like because incoming packets to those servers and services are unsolicited.

Also, low-volume DDoS attacks can overwhelm even the highest-capacity stateful firewalls. This is due to the significant memory and processing overhead consumed in tracking connection state for all incoming Internet traffic; it simply isn't possible to do so at Internet scale. When stateful firewalls — or the applications, services, and servers sited behind them — are subjected to a DDoS attack, the firewall state-tables are quickly exhausted, and either the firewalls themselves will be rendered inoperable under the increased traffic load or the programmatically generated attack traffic will crowd out legitimate incoming connections by exhausting the ability of the firewall to track state.

This allows attackers to successfully disrupt the organization's public-facing services, including e-commerce, high-demand content, customer service and support applications, and DNS, as well as the VPN infrastructure for the remote workforce.

Stateful load-balancers, intrusion prevention systems (IPSes), and the applications and services behind them are also susceptible to state exhaustion as a result of DDoS attacks. The same is true of applications that carry excessive state at key points in the service delivery chain. Accordingly, state minimization and state distribution should be key in network and application design.

**Best Current Practices for Network Infrastructure**

Industry coalition Mutually Agreed Norms for Routing Security (MANRS) suggests a set of network infrastructure self-protection best current practices (BCPs) to implement to ensure that the network itself is resilient and can maintain availability even in the face of attack. Critical service delivery elements, such as authoritative and recursive DNS servers, application and content farms, etc., must also be configured and deployed in a scalable, distributed, and resilient manner. Stateless access-control lists (ACLs) should be implemented to enforce situationally appropriate network access control policies for servers, services, and applications, reducing the options available to attackers.

Out-of-band (OOB) management capabilities and edge-to-edge visibility into all network traffic are crucial to maintaining situational awareness and control when under attack.

Flow telemetry, such as NetFlow and IPFIX, should be exported from edge routers and layer-3 switches to provide visibility into all traffic ingressing, egressing, and traversing the network. All network edges should be instrumented. Flow telemetry collection and analysis allows network operators to detect, classify, and trace back DDoS attack traffic in real time.

Network infrastructure-based DDoS mitigation techniques such as flowspec and source-based remote triggered blackholing (S/RTBH) allow edge routers and layer-3 switches to be leveraged against DDoS attacks. Along with flow telemetry export, these mechanisms should be supported in all peering- and customer aggregation-edge network infrastructure elements.

Intelligent DDoS mitigation systems (IDMSes) are intended to protect against volumetric, application-layer, and state-exhaustion DDoS attacks. They incorporate DDoS-specific countermeasures that are either fully stateless or which instantiate into a minimal, ephemeral state that is quickly shed in order to differentiate between DDoS attack traffic and legitimate user/partner traffic. IDMSes can typically evaluate all contents of the packet header and payload, reassemble fragmented packets and application-layer messages, and evaluate incoming requests to ensure that they are sourced from legitimate clients, rather than DDoS-capable botnets.

By implementing these BCPs and ensuring that they have the ability to detect, classify, trace back, and mitigate DDoS attacks, organizations can ensure that their public-facing applications, services, and content remain available — even in the face of attack.

The Risk of Stateful Anti-Patterns in Enterprise Internet Architecture

Main driver for the change: "Plaintext SMS messages are inherently insecure."

Private messaging app Signal plans to discontinue the ability for Android users to send and receive plaintext SMS and MMS messages with the Signal app.

The app developer cited its priority of providing security and privacy to users for the decision — as well as protecting users from surprise messaging bills from their mobile providers and providing an overall more streamlined and clear user experience.

"The most important reason for us to remove SMS support from Android is that plaintext SMS messages are inherently insecure. They leak sensitive metadata and place your data in the hands of telecommunications companies. With privacy and security at the heart of what we do, letting a deeply insecure messaging protocol have a place in the Signal interface is inconsistent with our values and with what people expect when they open Signal," the mobile messaging app provider wrote in a post late last week.

The phaseout will occur over the next few months, and Android Signal users will receive notifications on how to export SMS messages and select a default SMS messenger, as well as how to invite users to Signal who texted them via SMS. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Signal to Ditch SMS/MMS Messaging on Android

Ransom Cartel ransomware-as-a-service operator blog claims to offer a new and improved version of REvil ransomware.

Although the REvil ransomware-as-a-service operation appeared to evaporate last October, analysts have found the group's influence is still considerable. 

Notably, threat researchers from Unit 42 reported finding connections between REvil activities and that of ransomware group Ransom Cartel, an up-and-coming cybercrime group claiming to offer "the same, yet improved software" as REvil. 

Following analysis, the Unit 42 team determined Ransom Cartel somehow was able to gain access to REvil ransomware source code. Ransom Cartel also mimics REvil tactics, including double extortion, Unit 42 added. However, the researchers said there are some aspects of the REvil operation that Ransom Cartel seems to lack. 

"Based on the fact that the Ransom Cartel operators clearly have access to the original REvil ransomware source code, yet likely do not possess the obfuscation engine used to encrypt strings and hide API calls," the Unit 42 ransomware report explained, "we speculate that the operators of Ransom Cartel had a relationship with the REvil group at one point, before starting their own operation."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading