Vulnerable configurations, software flaws, and exposed Web services allow hackers to find exploitable weaknesses in companies' perimeters in just hours, not days.

The average ethical hacker can find a vulnerability that allows the breach of the network perimeter and then exploit the environment in less than 10 hours, with penetration testers focused on cloud security gaining access most quickly to targeted assets. And further, once a vulnerability or weakness is found, about 58% of ethical hackers can break into an environment in less than five hours.

That's according to a survey of 300 experts by the SANS Institute and sponsored by cybersecurity services firm Bishop Fox, which also found that the most common weaknesses exploited by the hackers include vulnerable configurations, software flaws, and exposed Web services, survey respondents stated.  

The results mirror metrics for real-world malicious attacks and highlight the limited amount of time that companies have to detect and respond to threats, says Tom Eston, associate vice president of consulting of Bishop Fox.

"Five or six hours to break in, as an ethical hacker myself, that is not a huge surprise," he says. "It matches up to what we are seeing the real hackers doing, especially with social engineering and phishing and other realistic attack vectors."

The survey is the latest data point from cybersecurity companies' attempts to estimate the average time organizations have to stop attackers and interrupt their activities before significant damage is done.

Cybersecurity services firm CrowdStrike, for example, found that the average attacker "breaks out" from their initial compromise to infect other systems in less than 90 minutes. Meanwhile, the length of time that attackers are able to operate on victim's networks before being detected was 21 days in 2021, slightly better than the 24 days in the prior year, according to cybersecurity services firm Mandiant.

**Organizations Not Keeping Up**

Overall, nearly three-quarters of ethical hackers think most organizations lack the necessary detection and response capabilities to stop attacks, according to the Bishop Fox-SANS survey. The data should convince organizations to not just focus on preventing attacks, but aim to quickly detect and respond to attacks as a way to limit damage, Bishop Fox's Eston says.

"Everyone eventually is going to be hacked, so it comes down to incident response and how you respond to an attack, as opposed to protecting against every attack vector," he says. "It is almost impossible to stop one person from clicking on a link."

In addition, companies are struggling to secure many parts of their attack surface, the report stated. Third parties, remote work, the adoption of cloud infrastructure, and the increased pace of application development all contributed significantly to expanding organizations' attack surfaces, penetration testers said.

Yet the human element continues to be the most critical vulnerability, by far. Social engineering and phishing attacks, together, accounted for about half (49%) of the vectors with the best return on hacking investment, according to respondents. Web application attacks, password-based attacks, and ransomware account for another quarter of preferred attacks.

"\[I\]t should come as no surprise that social engineering and phishing attacks are the top two vectors, respectively," the report stated. "We've seen this time and time again, year after year — phishing reports continually increase, and adversaries continue to find success within those vectors."

**Just Your Average Hacker**

The survey also developed a profile of the average ethical hacker, with nearly two-thirds of respondents having between a year and six years of experience. Only one in 10 ethical hackers had less than a year in the profession, while about 30% had between seven and 20 years of experience.

Most ethical hackers have experience in network security (71%), internal penetration testing (67%), and application security (58%), according to the survey, with red teaming, cloud security, and code-level security as the next most popular types of ethical hacking.

The survey should remind companies that technology alone cannot solve cybersecurity problems — solutions require training employees to be aware of attacks, Eston says.

"There is not a single blinky-box technology that is going to repel all the attacks and keep your organization safe," he says. "It is a combination of people process and technology, and that has not changed. Organizations gravitate toward the latest and greatest tech ... but then they ignore security awareness and training their employees to recognize social engineering."

With attackers focused on exactly those weaknesses, he says, organizations need to change how they are developing their defenses.

Most Attackers Need Less Than 10 Hours to Find Weaknesses

Previously observed using fake Coinbase jobs, the North Korea-sponsored APT has expanded into using Crypo.com gigs as cover to distribute malware.

Researchers are warning that Lazarus has expanded its campaign using fake jobs with cryptocurrency exchanges to trick macOS users into downloading malware.

Just last month, researchers observed Lazarus using Coinbase job openings to trick macOS users into downloading malware. Now, SentinelOne says the same threat group has expanded its phishing campaign to include fraud job postings at another cryptocurrency exchange, Crypto.com.

According to the SentinelOne report on the new crypto job lure, the additional victims were initially contacted by Lazarus through LinkedIn messaging.

Lazarus is an advanced persistent threat (APT) group with ties to the North Korean state. SentinelOne pointed out that the attack group has been targeting cryptocurrency exchanges since 2018, and has specifically used fake cryptocurrency exchange jobs as lures since 2020.

"The Lazarus (aka Nukesped) threat actor continues to target individuals involved in cryptocurrency exchanges," the SentinelOne researchers wrote. "This has been a long-running theme going as far back as the AppleJeus campaigns that began in 2018."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Lazarus Lures Aspiring Crypto Pros With Fake Exchange Job Postings

Why cyber teams are now front and center for business enablement within organizations, and the significant challenges they face.

The past two years have marked a host of changes for cybersecurity professionals, as the pandemic, the ransomware tsunami, and increasing political and regulatory scrutiny have all created mounting expectations as their role becomes part and parcel with the lifeblood of organizations.

In a session at next week's SecTor 2022 conference taking place in Toronto, Tony Anscombe, chief security evangelist at ESET, will address this recent period of upheaval and role evolution, and what cyberteams can expect going forward. The bottom line? They should be prepared for pressure, pressure, and more pressure.

**2020–2022: Cybersecurity Grows in Stature, Pressure Mounts**

During his panel on Oct. 5, entitled "Two Years of Accelerated Cybersecurity and the Demands Being Placed on Cyber Defenders," Anscombe will discuss how the importance of implementing a good cybersecurity team and platforms really became a conversation when the COVID-19 pandemic lockdowns sent everyone home — and more importantly, how it marked the beginning of a two-year evolution of cyber-defense having a central role in business discussions.

"The use of cloud technologies and remote desktop protocol (RDP) were hallmarks of 2020 being the year of digital transformation," he tells Dark Reading. "But it was also a year of cybersecurity transformation, because those teams began the move from a back-office role to the front office; they became the business enabler as opposed to the business obstacle. Companies were saying, 'OK, everybody's gone home — how do we keep going?' And realistically it was the security team that was the enabler for remote working, online ordering for the sandwich shops, taking remote payments, and other basic needs."

Thus, 2020 saw cybersecurity teams became far more visible in the daily life of businesses; but that was just the beginning of an ongoing elevation in stature, Anscombe explains — because then, ransomware attacks began accelerating, and ransom amounts started growing.

He explains that this period represents a tipping point for when it became commonplace for ransomware-as-a-service (RaaS) gangs to go after millions of dollars in a single hit, such as $4.4 million for Colonial Pipeline; $40 million for CNA Financial; and $70 million for Kaseya, to name just a few. Thus, ransomware became an important existential crisis for companies, and ransomware gangs became a near-ubiquitous threat.

"We saw an entire evolution of monetization in that particular year, which lured cybercriminals in and made it a business imperative to deal with, and then it became a frontline political issue after the attack on Colonial Pipeline," Anscombe says. "So you saw government stepping up and saying, 'Hey, we need to do something about cybercrime, we have voters lining up outside gas stations.'"

This year, the political aspects of cybercrime have only been exacerbated, he says, thanks to the conflict in Ukraine: "You see all the agencies around the world saying we need to protect critical infrastructure from nation-state attacks etc., so that's upping of the game again."

Defense is meanwhile easier said than done, as ransomware actors continue to grow in sophistication.

"At the moment, I think as a cybersecurity defender ... you've got these ransomware attacks that were once attachments of emails that are now advanced persistent threat (APT)-style attacks exploiting long-term vulnerabilities in systems, putting their markers in networks and coming back to them later on," Anscombe says.

**Regulation & Reporting Requirements Up the Ante**

Where cyberteams sit within the hierarchy of businesses has also been affected by additional regulation and cyber-incident reporting requirements, which creates the need for a cross-discipline discussion of risk with legal and compliance departments, Anscombe also notes. This creates enormous pressure on cyberteams thanks to fact that the sheer number of requirements is growing, creating thorny complexities.

"Imagine you're a public company, and you're in insurance or the finance industry, and you do business internationally, you've got to comply with privacy requirements for the California Consumer Privacy Act and GDPR, you've got to meet the FDIC's cyber-incident reporting requirements," he explains. "The SEC has proposed others. And if you're a water utility company, you might have to comply with the critical infrastructure reporting. This is becoming very bureaucratic, and it needs to be harmonized in some way."

He adds, "Most importantly, the role of the cyber-defender is about to change significantly again, because you're probably going to have to have a paralegal sitting at the end of the desk during incident response. And, one of the big, big challenges for a lot of businesses will be adhering to their cyber-risk insurance policy, which affects the finance department. It's kind of the backstop, you're going to have to fall back on these policies. And the policies are becoming more stringent."

Meanwhile, all of these increased and new pressures that security teams are feeling are exacerbating some of the existing challenges, such as the workforce-gap issue — which Anscombe believes will create even more change for cyber-defense teams.

"I think all of this change just puts more burden on the cybersecurity resourcing issue, and become even more challenging for companies that to find the right level of people," Anscombe says. "Does that mean companies then go to managed service providers (MSPs)? Does it mean they start dragging in more resource from partners? Does it mean more of it becomes outsourced? I think that's a maybe the thing to watch for the 2023 segment of cyber."

Amid Sweeping Change, Cyber Defenders Face Escalating Visibility — and Pressure

Initial reports suggest a basic security error allowed the attacker to access the company's live customer database via an unauthenticated API.

Australian telecommunication giant Optus is reportedly receiving help from the FBI in investigating what appears to have been an easily preventable breach that ended up exposing sensitive data on nearly 10 million customers.

Meanwhile, the apparent hacker or hackers behind the breach on Tuesday withdrew their demand for a $1 million ransom along with a threat to release batches of the stolen data till the ransom was paid. The threat actor also claimed he or she deleted all the data stolen from Optus. The apparent change of heart, however, came after the attacker already earlier had released a sample of some 10,200 customer records, seemingly as proof of intent.

**Second Thoughts**

The attacker's reason for withdrawing the ransom demand and the data leak threat remain unclear. But in a statement posted on a Dark Web forum — and reposted on databreaches.net — the alleged attacker alluded to "too many eyes" seeing the data as being one reason. "We will not sale data to anyone," the note read. "We can't if we even want to: personally deleted data from drive (Only copy)." 

The attacker also apologized to Optus and to the 10,200 customers whose data was leaked: "Australia will see no gain in fraud, this can be monitored. Maybe for 10,200 Australian but rest of population no. Very sorry to you."

The apology and the attacker's claims of deleting the stolen data are unlikely to assuage concerns surrounding the attack, which has been described as Australia's largest-ever breach.

Optus first disclosed the breach on Sept. 21, and in a series of updates since then has described it as affecting current and previous customers of the company's broadband, mobile, and business customers from 2017 onward. According to the company, the breach may have potentially exposed customer names, dates of birth, phone numbers, email addresses, and — for a subset of customers — their full addresses, driver's license information, or passport numbers.

**Optus Security Practices Under the Microscope**

The breach has stoked concerns of widespread identity fraud and pushed Optus into — among other measures — working with different Australian state governments to discuss the potential for changing driver's license details of affected individuals at the company's cost. "When we get in touch, we'll place a credit on your account to cover any relevant replacement cost. We’ll do this automatically, so you don’t need to contact us," Optus informed customers. "If you don’t hear from us, it means that your driver’s license doesn’t need to be changed."

The data compromise has put Optus security practices squarely under the spotlight especially because it appears to have resulted from a fundamental error. The Australian Broadcasting Corporation (ABC) on Sept. 22 quoted an unidentified "senior figure" inside Optus as saying the attacker was basically able to access the database via an unauthenticated application programming interface (API). 

The insider allegedly told ABC that the live customer identity database the attacker accessed was connected via an unprotected API to the Internet. The assumption was that only authorized Optus systems would use the API. But it somehow ended up getting exposed to a test network, which happened to be directly connected to the Internet, ABC quoted the insider as saying.

ABC and other media outlets described Optus CEO Kelly Bayer Rosmarin as insisting the company was the victim of a sophisticated attack and that the data the attacker claimed to have accessed was encrypted.

If the report about the exposed API is true, Optus was the victim of a security mistake that many others make. "Broken user authentication is one of the most common API vulnerabilities," says Adam Fisher, solutions architect at Salt Security. "Attackers look for them first because unauthenticated APIs take no effort to breach."

Open or unauthenticated APIs often are the result of the infrastructure team, or the team that manages authentication, misconfiguring something, he says. "Because it takes more than one team to run an application, miscommunication frequently occurs," Fisher says. He notes that unauthenticated APIs occupy the second spot in OWASP's list of the top 10 API security vulnerabilities.

An Imperva-commissioned report earlier this year identified US businesses as incurring between $12 billion and $23 billion in losses from API-linked compromises just in 2022. Another survey-based study that Cloudentity conducted last year found 44% of respondents saying their organization had experienced data leakage and other issues stemming from API security lapses.

**"Spooked" Attacker?**

The FBI did not respond immediately to a Dark Reading request for comment via its national press office email address, but the Guardian and others reported the US law enforcement agency as being called in to assist with the investigation. The Australian Federal Police, which is investigating the Optus breach, said it was working with overseas law enforcement to track down the individual or group responsible for it.

Casey Ellis, founder and CTO of bug bounty firm Bugcrowd, says the intense scrutiny the breach has received from the Australian government, public, and law enforcement may have spooked the attacker. "It's fairly rare for this type of interaction to be as spectacular as this one has been," he says. "Compromising nearly half the population of a country is going to garner a lot of very intense and very powerful attention, and the attackers involved here clearly underestimated this." 

Their response suggests the threat actors are very young and likely very new to criminal conduct, at least of this scale, he notes.

"Clearly, the Australian government has taken this breach very seriously and is going after the attacker voraciously," Fisher adds. "This strong response might have caught the attacker off guard," and likely prompted second thoughts. "However, unfortunately, the data is already out in the open. Once a company finds itself in the news like this, every hacker pays attention."

FBI Helping Australian Authorities Investigate Massive Optus Data Breach: Reports

Azure says cloud-native single sign-on with a passwordless option is most-requested new AVD feature in the product's history.

Microsoft Azure Virtual Desktop (AVD) users now have the option for single sign-on (SSO), as well as passwordless authentication, with the public preview of the latest Microsoft upgrade. 

"Today we're announcing the public preview for enabling an Azure AD-based single sign-on experience and support for passwordless authentication, using Windows Hello and security devices (like FIDO2 keys)," Microsoft's David Belanger explained in a blog post about the new feature's debut. 

According to the announcement of the public preview of the new cloud security feature, after users install the September Cumulative Update Preview, the features will be available on Windows 10 and 11, as well as Windows Server 2022. 

According to Belanger's post, the latest AVD upgrade will allow users to: 

*   Enable a single sign-on experience to Azure AD-joined and Hybrid Azure AD-joined session hosts when using the Windows and web clients
*   Use passwordless authentication to sign in to the host using Azure AD
*   Use passwordless authentication inside the session when using the Windows client
*   Use third-party Identity Providers (IdP) that integrate with Azure AD to sign in to the host

The Azure Academy tutorial for administrators explaining how to deploy the new updates said the new SSO option was the "most requested AVD feature of all time." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Rolls Out Passwordless Sign-on for Azure Virtual Desktop

There are numerous strategies to lessen the possibility and effects of a cyberattack, but doing so takes careful planning and targeted action.

Digital transformation is transforming every aspect of the way organizations compete and operate today. This radical change is reshaping the way that enterprises produce, store, and manipulate an ever-increasing amount of data — emphasizing the need to ensure data governance.

Computing environments are also more sophisticated than they used to be, frequently encompassing the public cloud, the enterprise data center, and a variety of edge devices — including remote servers and Internet of Things (IoT) sensors. This complexity increases the attack surface, making it more difficult to monitor and secure.

A lack of data protection, global pandemic effects, and an increase in attack complexity have allowed for a significant rise in compromised and hacked data that is increasingly common in the workplace. In fact, an external attacker may breach the network perimeter of an organization and access local network resources 93% of the time.

It's a good thing, however, that the sensitivity of distinct data sets and the accompanying regulatory compliance requirements are taken into account by adequate data security.

**Data Security Is More Important Than Ever**

During the pandemic, more customers also became remote customers as more workers became remote workers. As a result, keeping an online environment secure has increased in significance for companies.

When supply chain and labor concerns are already making business difficult, such interruptions can make things even more difficult. As a consequence, a cyberattack can harm a company's reputation with clients and business partners, result in lost revenue, and pose a risk of data loss.

In fact, according to the 2022 data breach report from IBM and the Ponemon Institute, the average cost of a data breach has increased to a record high of $4.4 million.

This highlights the importance of protecting confidential information, which must be a significant responsibility for businesses and organizations.

**Four Data Security Practices Your Organization Should Implement**

A recent study indicated that most businesses have weak cybersecurity procedures, leaving them open to data loss. Although data security isn't the be-all, end-all of cybersecurity defenses — like perimeter and file security, to mention a couple — it is still one of several essential techniques for assessing dangers and lowering the risk involved in managing and storing data.

Fortunately, practical methods and strategies have been created to prevent poor data security practices. Here are four of the best data security practices you should know about.

**1\. Implement Access Controls**

Access controls are crucial to data security because they regulate who has access to and uses business data and resources. Access control rules ensure users have the proper access to corporate data and are who they say they are through authentication and authorization.

They are essentially the selective limiting of data access. Authentication and authorization are two important parts of access control. There can be no data security without authentication and authorization.

Access control reduces the possibility of unapproved users entering logical and physical systems and jeopardizing security. It is an essential part of security compliance programs, as it ensures that access control policies and security technology are in place to protect sensitive data, such as customer information.

**2\. Utilize Endpoint Security Tools to Safeguard Your Data**

Endpoints on your network are continuously in danger. As a result, you must have a robust endpoint security infrastructure to reduce the likelihood of potential data breaches. Start by putting the following strategies into practice:

*   **Antivirus software:** Ensure it is set up on all workstations and servers. Run routine scans to keep your system healthy and detect any infestations, such as ransomware.
*   **Anti-spyware software:** Spyware is a type of harmful computer software frequently installed without the user's awareness. You can remove or block those with the aid of anti-spyware and anti-adware software.
*   **Firewalls:** These operate as a barrier between your data and fraudsters, which is why most experts consider them among the best data protection practices. Internal firewalls are another option for enhancing security.

**3\. Employ Data Encryption**

One of the most fundamental data security best practices is encryption, which is frequently disregarded despite its importance. Data encryption serves to protect digital data confidentiality while it is stored on computers and sent over the Internet or other networks. These algorithms ensure confidentiality and support key security initiatives such as authentication, integrity, non-repudiation, and authenticity.

**4\. Develop a Risk-Based Security Strategy**

Pay close attention to the minor things, such as the hazards your business may encounter and how they might damage employee and customer data. Here, a thorough risk assessment is necessary. The following are some actions that risk assessment enables you to take:

*   Determine the kind and location of your assets.
*   Determine the cybersecurity condition you are in.
*   Maintain an accurate security approach.

Using a risk-based approach, you can adhere to regulations and safeguard your company from potential leaks and breaches.

**Safeguard Your Organization's Data and Protect Your Business in the Future**

Although it frequently appears on the agenda of executive committee meetings, given the escalating concerns posed by the pandemic, strengthening data security must require additional attention. Businesses should be proactive in addressing the threats and develop strategies for preventing successful cyberattacks — rather than reacting when they are already happening. Despite the fact that recovery measures exist, prevention is always better than a cure.

This pandemic has shown us that minimizing the hazards associated with cyberattacks requires careful planning and stronger data security practices. The proper procedures, such as implementing access controls and data encryption, must be used in conjunction with the appropriate security software in order to avoid the magnitude of a data breach and the hidden costs that come with it.

There are numerous strategies to lessen the possibility and effects of a cyberattack, but doing so takes careful planning and targeted action. Businesses must improve the creation and implementation of security measures and make remote working methods resistant to cyberattacks. Start by following these data security practices so that you will be better equipped to handle the rising number of cyberthreats, and protect your company in the future.

4 Data Security Best Practices You Should Know

This Tech Tip outlines three steps security teams should take to protect information stored in Salesforce.

No one likes to hear the B-word: _breach_. Developers definitely don't want to hear that word in relation to a platform they use day in and day out.

When GitHub revealed details about a security breach that allowed an unknown attacker to download data from dozens of private code repositories earlier this year, it was a nightmare scenario. Attackers were using information collected from GitHub to target two third-party cloud platforms-as-a-service (PaaS): Heroku and Travis CI.

Attackers had stolen OAuth tokens issued to Heroku and Travis CI and used them to access and download the contents of private repositories, GitHub found.

Where does the most sensitive information reside in your organization? For organizations using Heroku, Salesforce houses the information that, if exposed, could cripple the organization. Security teams need to think about protecting their Salesforce data. Why should they put the organization's cybersecurity at risk by relying on third-party integrations?

These three simple steps can help improve cybersecurity posture on Salesforce.

**1\. Use Salesforce-Native Applications**

Applications built on Salesforce ensure that your data remains in one place with the same cybersecurity posture as the Salesforce platform. With apps consolidated on a single platform, the attack surface is greatly reduced.

**2\. Establish a Zero-Trust Model**

Never trust, always verify. All users should have the minimum level of permissions and access needed to be able to complete their necessary tasks while requiring users to prove their need and identities before access. Audit everything.

**3\. Utilize Secrets Management**

Never store credentials in clear text, and always assume private repositories are public. Having a secrets management solution ensures that your secrets are rotated along with having an appropriate level of security compliance around your credentials.

With this improved cybersecurity posture, developers, infosec teams, and the CEO will be at ease knowing that the organization's most sensitive data is secure.

Lessons From the GitHub Cybersecurity Breach

TCP-based, DNS water-torture, and carpet-bombing attacks dominate the DDoS threat landscape, while Ireland, India, Taiwan, and Finland are battered by DDoS attacks resulting from the Russia/Ukraine war.

**WESTFORD, Mass.,** **September 27, 2022** — NETSCOUT SYSTEMS, INC. (NASDAQ: NTCT) today announced findings from its 1H2022 DDoS Threat Intelligence Report. The findings demonstrate how sophisticated cybercriminals have become at bypassing defenses with new DDoS attack vectors and successful methodologies.

"By constantly innovating and adapting, attackers are designing new, more effective DDoS attack vectors or doubling down on existing effective methodologies," said Richard Hummel, threat intelligence lead, NETSCOUT. "In the first half of 2022, attackers conducted more pre-attack reconnaissance, exercised a new attack vector called TP240 PhoneHome, created a tsunami of TCP flooding attacks, and rapidly expanded high-powered botnets to plague network-connected resources. In addition, bad actors have openly embraced online aggression with high-profile DDoS attack campaigns related to geopolitical unrest, which have had global implications."

NETSCOUT's Active Level Threat Analysis System (ATLAS™) compiles DDoS attack statistics from most of the world's ISPs, large data centers, and government and enterprise networks. This data represents intelligence on attacks occurring in over 190 countries, 550 industries, and 50,000 autonomous system numbers (ASNs). NETSCOUT's ATLAS Security Engineering and Response Team (ASERT) analyzes and curates this data to provide unique insights in its biannual report. Key findings from the 1H2022 NETSCOUT DDoS Threat Intelligence Report include:

*   There were 6,019,888 global DDoS attacks in 1st half of 2022.
*   TCP-based flood attacks (SYN, ACK, RST) remain the most used attack vector, with approximately 46% of all attacks continuing a trend that started in early 2021.
*   DNS water-torture attacks accelerated into 2022 with a 46% increase primarily using UDP query floods, while carpet-bombing attacks experienced a big comeback toward the end of the second quarter; overall, DNS amplification attacks decreased by 31% from 2H2021 to 1H2022.
*   The new TP240 PhoneHome reflection/amplifications DDoS vector was discovered in early 2022 with a record-breaking amplification ratio of 4,293,967,296:1; swift actions eradicated the abusable nature of this service.
*   Malware botnet proliferation grew at an alarming rate, with 21,226 nodes tracked in the first quarter to 488,381 nodes in the second, resulting in more direct-path, application-layer attacks.

**Geopolitical Unrest Spawns Increased DDoS Attacks**

As Russian ground troops entered Ukraine in late February, there was a significant uptick in DDoS attacks targeting governmental departments, online media organizations, financial firms, hosting providers, and cryptocurrency-related firms, as previously documented. However, the ripple effect resulting from the war had a dramatic impact on DDoS attacks in other countries including:

*   Ireland experienced a surge in attacks after providing service to Ukrainian organizations.
*   India experienced a measurable increase in DDoS attacks following its abstention from the UN Security Council and General Assembly votes condemning Russia's actions in Ukraine.
*   On the same day, Taiwan endured its single-highest number of DDoS attacks after making public statements supporting Ukraine, as with Belize.
*   Finland experienced a 258% increase in DDoS attacks year-over-year, coinciding with its announcement to apply for NATO membership.
*   Poland, Romania, Lithuania, and Norway were targeted by DDoS attacks linked to Killnet; a group of online attackers aligned with Russia.
*   While the frequency and severity of DDoS attacks in North America remained relatively consistent, satellite telecommunications providers experienced an increase in high-impact DDoS attacks, especially after providing support for Ukraine's communications infrastructure.
*   Russia experienced a nearly 3X increase in daily DDoS attacks since the conflict with Ukraine began and continued through the end of the reporting period.

Similarly, as tensions between Taiwan, China, and Hong Kong escalated in 1H2022, DDoS attacks against Taiwan regularly occurred in concert with related public events.

**Unparalleled** **Intelligence**

No other vendor sees and knows more about DDoS attack activity and best practices in attack protection than NETSCOUT. In addition to publishing the DDoS Threat Intelligence Report, NETSCOUT also presents its highly curated real-time DDoS attack data on its Omnis Threat Horizon portal to give customers visibility into the global threat landscape and understand the impact on their organizations. This data also fuels NETSCOUT's ATLAS Intelligence Feed (AIF) which continuously arms NETSCOUT's Omnis and Arbor security portfolio. Together with AIF, the Omnis and Arbor products automatically detect and block threat activity for enterprises and service providers worldwide.

Visit our interactive website for more information on NETSCOUT's semi-annual DDoS Threat Intelligence Report. You can also find us on Facebook, LinkedIn, and Twitter for threat updates and the latest trends and insights.

**About NETSCOUT**

NETSCOUT SYSTEMS, INC. (NASDAQ: NTCT) protects the connected world from cyberattacks and performance disruptions through advanced network detection and response and pervasive network visibility. Powered by our pioneering deep packet inspection at scale, we serve the world's largest enterprises, service providers, and public sector organizations. Learn more at www.netscout.com or follow @NETSCOUT on LinkedIn, Twitter, or Facebook.

Adversaries Continue Cyberattacks with Greater Precision and Innovative Attack Methods According to NETSCOUT Report

Netography Fusion® gives security and cloud operations teams visibility and control of network traffic and context across users, applications, data, and devices.

**Annapolis, MD – September 27, 2022 —** Netography today announced further innovation to its Netography Fusion® platform, delivering scalable, continuous network visibility and control required by security operations center (SOC) and cloud operations teams. Netography Fusion enables organizations to significantly reduce cyber threat risks and costly downtime in real-time with improved security and business context, as well as powerful remediation automation capabilities through alerts, custom detections, and integrations. The platform is the only security product that secures the Atomized Network—including legacy, on-premises, hybrid, multi-cloud, and edge environments.

“Since the pandemic hit, networks have rapidly evolved into composites of multi-cloud, hybrid-cloud, and on-prem infrastructure with mobile and remote workforces. The implications for network security are massive,” said Martin Roesch, Netography CEO. “The Atomized Network is elastic, ephemeral, and encrypted, and organizations are blinded to the composition of their networks and entire categories of attack. This creates gaps where attackers can hide between the technologies and operational teams who use them. Defending the Atomized Network must be done in real-time, detecting and responding to threats as they emerge with a solution architected for the world we are now in.”

Netography Fusion is a cloud-scale, network-centric platform; it reconstitutes capabilities disrupted by the combined impact of encryption in security-as-a-service (SaaS) and Zero Trust environments and atomization and replaces network-scoped capabilities formerly delivered by deep packet inspection (DPI) hosted on appliances. It also provides visibility in places where Endpoint Detection and Response (EDR) solutions simply cannot see independently. A frictionless deployment model enables defenders to secure their Atomized Networks immediately, when, and where needed.

Newly added context labels and tagging allow security and cloud teams to visualize and analyze networks by application, location, compliance groups, or any other scheme. The UX/UI provides analysts with a flexible and optimized workflow to pivot and analyze massive amounts of data quickly.

“Multiple teams, including the SOC and Cloud Ops teams at FICO are continuing to expand their use of Netography Fusion’s scalable network visibility and control platform,” said Shannon Ryan, Senior Director, Core Security Services and Architecture, FICO. “The addition of context labels enables new use cases, including policies that we can apply to specific applications or our on-premises or multi-cloud infrastructure, enabling us with visibility and alerts for specific compliance controls. Context labels also make it easier for more team members to analyze incidents and answer audit questionnaires quicker.”

Netography Fusion customers also:

*   **Close Visibility Gaps:** From north-south to east-west and cloud to cloud only Netography Fusion provides the actionable visibility teams need.
*   **Analyze Incidents and Alerts with Context:** Context labels are provisioned by loading context from both cloud and on-prem infrastructure, allowing custom searches with Netography’s Query Language (NQL) to set up detections, alerts, and reports all with security or business context.
*   **Squash Silos Between Teams:** From security operations to IT to cloud operations, DevOps, threat hunters, forensics, and risk and compliance, all benefit from a single source of truth, the enriched Flow logs, and context.
*   **Lower Mean Time to Detect (MTTD):** Netography Fusion’s robust visualization and graphing interfaces combine with NQL and Netography Detection Models (NDM) to enable security teams to stop attacks quickly and limit the “blast zone” of those attacks.
*   **Lower Mean Time to Respond (MTTR):** Teams will have unprecedented control to limit downtime and the costs associated with remediating post intrusion. Regaining control of your network in the face of a successful breach is key to minimizing the cost of breaches and getting back to business.
*   **Supercharge Threat Hunting:** Forensics teams can achieve gap-free visibility and flexible data retention policies to investigate incidents, understand the attack path and implement proactive measures to prevent future intrusions and reduce attacker dwell time.
*   **Accelerate Audits and Improve Compliance:** Streamline audits and proof of network policy enforcement with context labeling, tagging, and flexible retention capabilities. Teams can isolate network traffic visibility and control by application, location, line of business (LOB), asset type, and more.
*   **Get More Out of Existing Tech Stack:** Extend endpoint visibility and control capabilities to devices and network points that do not support agents, or simply cannot do so cost-effectively. Teams gain comprehensive support for alerting platforms like PagerDuty, Slack, Teams, Twilio, and more via Webhook functionality.

To learn more about Netography Fusion, schedule a quick conversation with one of our engineers to explore visibility gaps and discuss use cases and benefits to your team.

**About Netography**

Netography® has created the first network-centric platform that reconstitutes capabilities disrupted by the combined impact of encryption and Atomized Networks across the security world. Enterprises have become functionally blind to the composition and activities of their networks, resulting in increased dwell time and more attackers leveraging the gaps between the capabilities of an organization’s other tools and the siloed operations teams who operate them.

Netography Fusion® is for enterprise security operations center (SOC) and cloud operations teams that need scalable, continuous network visibility across the Atomized Network – legacy, on-premises, hybrid, multi-cloud, and edge environments. With the Netography Fusion platform, these teams gain visibility and control of network traffic and context across users, applications, data, and devices, to see what they are, what they are doing, and what’s happening to them.

Netography is the only company that delivers Security for the Atomized Network®. Based in Annapolis, MD, Netography is backed by some of the world’s leading venture firms, including Bessemer Venture Partners, SYN Ventures, A16Z, and more. For more information, visit netography.com.

Netography Upgrades Platform to Provide Scalable, Continuous Network Security and Visibility

SOC metrics will allow stakeholders to track the current state of a program and how it's supporting  business objectives.

Given the current financial climate, cybersecurity budgets may be under review, along with all other expenditures, and, in some cases, on the chopping block. One of the best ways for security leaders to protect their security operations program is to ensure alignment with the business priorities of their executive teams and boards. An important part of this is providing metrics that demonstrate the effectiveness of the program. Developing metrics for your security operations will allow your stakeholders to track the current state of the program as well as how the program supports the business objectives.

The security operations center is a business-critical function, but measuring the effectiveness of the SOC isn’t easy. Organizations may choose from a wide variety of different approaches. Speed of response in security operations is one important aspect and can make all the difference between a compromise that’s quickly contained and a catastrophic data breach. 

Therefore, starting with basic metrics such as mean time to detect (MTTD) and mean time to respond (MTTR) will enable both you and your stakeholders to gain greater insight into the operations, and to make better investment decisions, as well as demonstrate value to the executive leadership and board.

**Improve Your Effectiveness**

The main objective of a resilient security operations program should be lowering an organization's MTTD and MTTR to limit any damage done by a cyber incident to your organization. 

MTTD measures the amount of time it takes to discover a potential security threat. This metric helps you understand the effectiveness of your organization's security operations and your team's speed and ability to recognize a threat. Therefore, the goal is to keep this metric as low as possible in order to reduce the impact of a compromise on your organization.

Meanwhile, MTTR helps you measure the time it takes to respond to a threat once it is detected. A higher response time indicates that a compromise could lead to a damaging data breach. The goal is to speed up your response and decrease your risk, just like MTTD. 

Both MTTD and MTTR are key metrics to measure and improve your team's capabilities since it is crucial to track the effectiveness of your team as your organization's maturity grows. Like any fundamental business operation, to mature your organization you should measure operational effectiveness to determine whether your organization is reaching its KPIs and SLAs.

In addition to MTTD and MTTR, there are other metrics you should monitor to make sure that you are effectively measuring and communicating operational effectiveness.

**Ensuring Security Operations Success**

Here are the seven metrics you should measure to help see where your security operations program may need improvements.

**Alarm time to triage (TTT):** Measures the team's ability to urgently inspect an alarm. It helps you understand the level of responsiveness to threats in real time. This could indicate that your team might need additional staff to narrow its monitoring focus or that you have enough staff to take on a larger monitoring load. 

**Alarm time to qualify (TTQ):** Measures and indicates how long it takes an alarm to be fully investigated and qualified. TTQ helps you spot blockages and understand your team's scope when it comes to qualifying threats. 

**Threat time to investigate (TTI):** Measures and indicates the number of hours it takes to thoroughly investigate a qualified threat. It enables you to identify bottlenecks and understand your team's capabilities when investigating threats in an efficient manner.

**Time to mitigate (TTM):** Measures the length of time it takes to mitigate an incident and address the immediate business risk. TTM helps you understand how quickly your team can mitigate the issue to stop or impede an active threat. 

**Time to recover (TTV):** Measures the amount of time it takes to fully recover from an incident. Measuring TTV helps you figure out how quickly your security team and others involved can completely restore operations back to normalcy. Bottlenecks in operations and collaboration can also be found. 

**Incident time to detect (TTD):** Measures the time it takes to confirm an Incident was initially detected and ultimately qualified. TTD is a crucial indicator of security operations effectiveness as it demonstrates the time it takes to identify threats that actually resulted in incidents.

**Incident time to response (TTR):** Measures the duration of time it takes to fully investigate as well as mitigate a confirmed Incident. TTR is an essential measure of security operations effectiveness given that it presents the time it takes to analyze and mitigate threats that resulted in an incident.

Metrics are designed to provide insights on information about your security program's effectiveness, performance and accountability through the collection, analysis, and reporting of data. They also give you the ability to surface bottlenecks in process as well as identify where tools or processes need reworking. All business processes need to be measured in order to improve, and security operations are no different in this regard. Demonstrating effectiveness through metrics is a necessary element in showing value to the wider business.

Source

DARKReading