NXM Autonomous Security protects against network-wide device hacks and defends against critical IoT vulnerabilities.

**June 30, 2022, Mountain View, CA** \- NXM Labs, Inc., a leader in advanced cybersecurity software for connected devices, today unveiled its NXM Autonomous Security(TM) platform that prevents hackers from gaining unauthorized access to commercial, industrial, medical, or consumer internet of things (IoT) devices. Tested in collaboration with the Jet Propulsion Laboratory (JPL), California Institute of Technology (Caltech), NXM successfully demonstrated the ability of its groundbreaking technology to enable future Mars rovers to automatically defend themselves and recover from cyberattacks. Caltech manages JPL on behalf of the National Aeronautics and Space Administration (NASA).

NXM's engineers worked with JPL's Artificial Intelligence, Analytics and Innovation Division, Information Technology and Solutions Directorate (ITSD), along with the Robotic Surface Mobility Group in Pasadena, CA to integrate the company's software with the navigation and ground control systems of JPL's self-driving Athena test rover. During testing, NXM's software successfully detected unauthorized attempts to gain access to the rover's autonomous navigation systems, automatically protecting the vehicle from harm in real-time without impacting normal driving operations.

Tests showed that NXM's platform was capable of securing millions of devices with virtually no impact on network latency and is able to operate up to 1000x faster than other decentralized platforms previously tested by the U.S. Department of Defense under simulated battlefield conditions.

"NXM's technology is game-changing," said Lt. General Harry D. Raduege, Jr., USAF (Ret), former Director, Defense Information Systems Agency and CIO for the North American Aerospace Defense Command and U.S. Space Command. "NXM provides a new layer of cybersecurity that enables unified command and control, as well as data interoperability, providing an unprecedented capability that we have long sought but until now wasn't possible." Lt. General Raduege serves as an advisor to NXM.

The Athena test rover was developed by JPL as part of NASA's High Performance Spaceflight Computing (HPSC) program to develop new computing technologies with vastly more capabilities than current spaceflight computers. JPL engineers harnessed the advanced computing power of the rover's off-the-shelf NVIDIA Jetson AI platform to develop innovative, machine learning-based applications for future Mars rovers. This includes artificial intelligence software that identifies objects of scientific interest as a vehicle traverses the Martian terrain, using vision-based navigation and path planning software to significantly increase the driving distances of energy-limited rovers.

"We're thrilled to have collaborated with NASA JPL to show how our security can protect critical assets in space as well as here on Earth," said Scott Rankine, NXM's President and Co-founder. "Our unique zero-trust and zero-touch security software is chip and cloud agnostic, enabling device manufacturers and their component suppliers to easily and cost-effectively develop the industry's most trustworthy products that can be deployed rapidly and remain secure for their entire operating lifetime."

**About NXM**  
NXM Labs, Inc. provides advanced security solutions for embedded devices that enable commercial, industrial and consumer products to automatically defend themselves and recover from cyberattacks. NXM offers the industry's first Zero-Trust and Zero-Touch product development software platform designed to streamline and automate security management throughout the entire OEM supply chain and product lifecycle. For more information, visit www.nxmlabs.com

NXM Announces Platform That Protects Space Infrastructure and IoT Devices From Cyberattacks

An unauthenticated remote code execution vulnerability found in Zoho’s compliance tool could leave organizations exposed to an information disclosure catastrophe, new analysis shows.

A critical vulnerability in Zoho’s widely used compliance tool, ManageEngine ADAudit Plus, which monitors changes to Microsoft Active Directory, leaves endpoints vulnerable to unauthenticated users. A successful exploit could allow an attacker to take over an entire enterprise network, Horizon3.ai researchers warn.  

ADAudit Plus offers a path into an organization’s workstations, servers, and file servers, giving IT admins access to a range of users, groups, permissions, and login credentials, as well as security policies. ADAudit Plus also enables users to collect security events from agents running on other machines in the domain through endpoints that agents use to upload events.

The platform’s ability to offer deep access into a company’s internal IT ecosystem heightens the potential for a nightmare-scenario level of data exposure in the event of a breach.

The CVE-2022-28219 vulnerability enables malicious actors to easily take over a network for which they already have initial access. Malicious actors could exploit this vulnerability to deploy ransomware, exfiltrate sensitive business data, or disrupt business operations.

They could also then go on to exploit XML External Entities (XXE), Java deserialization, and path traversal vulnerabilities to wreak additional havoc, according to an in-depth analysis this week by Horizon3.ai.

**Inside the Vulnerability**

Horizon3.ai discovered some of the ADAudit Plus endpoints used for reporting were unauthenticated.

“One of the first things that stood out was the presence of a /cewolf endpoint handled by the CewolfRenderer servlet in the third-party Cewolf charting library,” the analysis states. “This is the same vulnerable endpoint from CVE-2020-10189, reported against ManageEngine Desktop Central.”

It added, “This gave us a large attack surface to work with because there’s a lot of business logic that was written to process these events. While looking for a file-upload vector, we found a path to trigger a blind XXE \[XML External Entity injection\] vulnerability in the ProcessTrackingListener class, which handles events containing Windows scheduled task XML content.”

The vulnerability was disclosed to Zoho in March, which released a new build, ADAudit Plus 7060, to fix the issue. The patch fixes the vulnerability by removing the /cewolf endpoint altogether, instead using a secure version of DocumentBuilderFactoryin the ProcessingTrackingListener class and requiring authentication in the form of an agent GUID between agents and ADAudit Plus.

**High Stakes, Plus Exploitation Difficult to Detect**

Horizon3.ai chief architect Naveen Sunkavally explains that ManageEngine products are very common in the enterprise and have been favorite targets of attackers over the years.

“ADAudit Plus is a tool that's used for compliance and auditing, which is a common need for many companies spanning different verticals,” he says. “This vulnerability has been found to be present in many types of environments, from healthcare and technology to construction and local governments.”

Just last fall, ManageEngine ADSelfService Plus, Desktop Central, and ServiceDesk Plus were all actively targeted by attackers using previously undisclosed zero days (CVE-2021-44515, CVE-2021-44077, and CVE-2021-40539) that are now part of the CISA Known Exploited Vulnerabilities (KEV) list.

The latest vulnerability is easy to exploit without any prior knowledge and can yield the "keys to the kingdom,  Sunkavally explains. To boot, exploitation is not that easy to detect because it makes use of the natural behavior of the ADAudit Plus application.

“ADAudit Plus is an attractive target for attackers because it integrates with Active Directory and stores high-privileged domain user credentials,” Sunkavally says.

He notes an attacker with initial access to a compromised network could exploit this vulnerability to extract these high-privileged credentials, move laterally, and take over the entire network.

“We've seen real-world environments where just exploiting this vulnerability alone is enough to take over the enterprise,” Sunkavally adds.

He advises businesses using ADAudit Plus to upgrade to build 7060 or later and ensure ADAudit Plus is configured with a dedicated service account with restricted privileges.

“This vulnerability is not one to hold off on patching,” he says.

**Buggy ManageEngine Has History of Vulnerabilities**

This is not the first time the ManageEngine suite was found to have vulnerabilities. Last September a joint advisory from the FBI and CISA warned of APT attackers exploiting a critical authentication bypass vulnerability in ManageEngine ADSelfService Plus.

While Zoho moved to fix the vulnerabilities, less than a month later Palo Alto Networks issued a warning that many companies are still vulnerable.

Most recently, an elusive attack targeting SolarWinds' Orion network management software, dubbed the Supernova cyberattack, exploited a ManageEngine flaw in the software running on a victim's server.

Critical ManageEngine ADAudit Plus Vulnerability Allows Network Takeover, Mass Data Exfiltration

There were a record number of zero-day attacks last year, but some basic cyber-hygiene strategies can help keep your organization more safe.

Few security exploits are the source of more sleepless nights for security professionals than zero-day attacks. Just over Memorial Day weekend, researchers discovered a new vulnerability enabling hackers to achieve remote code execution within Microsoft Office. Dubbing the evolving threat the Follina exploit, researchers say all versions of Office are at risk. And because blue teams have no time to prepare or patch their systems to defend against these software vulnerabilities, crafty threat actors can take advantage, taking their time after they've accessed an organization's environment to observe and exfiltrate data while remaining completely unseen.

And though sophisticated threat actors and nations have exploited zero-days for nearly two decades, last year saw a historic rise in the number of vulnerabilities detected. Both Google and Mandiant tracked a record number of zero-days last year, with the caveat that more zero-days are being discovered because security companies are getting better at finding them — not necessarily because hackers are coming up with new vulnerabilities. Not all zero-days are created equal, though. Some require sophisticated and novel techniques, like the attack on SolarWinds, and others exploit simple vulnerabilities in commonly used programs like Windows. Thankfully, there's some basic cyber hygiene strategies that can keep your organization sufficiently prepared to mitigate zero-day exploits.

**How Do Zero-Days Work?**

Typically, what a zero-day will do is gain access to an environment through a vulnerability previously unseen, then it stealthily maps the environment and, when ready, launches the attack. This is far too late for an incident response team to prevent further damage. Staying alert for these slow-burn attacks requires an approach to security that prioritizes looking for certain techniques and behaviors that a hacker or known threat group may use, rather than scanning for specific pieces of malware. In other words, ensure that the technology your organization has is sufficient for protecting from the unknown. Many zero-days may never hit a hard drive, so pointing threat detection tools there could be fruitless.

While it might sound like a broken record, patching is integral to protection against exploits. As soon as a proof of concept (PoC) is made public on the Dark Web or more legitimate forums like GitHub, most vendors will develop a patch. Staying on top of guidance from industry organizations like (ISC)2 or federal authorities like the Cybersecurity and Infrastructure Security Agency is a good way to prioritize the exploits that are most relevant and most risky to your organization.

However, zero-day exploits are those that the vendor doesn't know exist, and therefore no patch is available. It's very difficult to defend against these without protections and detections that are broad enough to identify tactics, techniques, and procedures. In some cases, protection technologies can use behavioral detections to block certain activities, while in other cases, using detection technologies or human expertise in a security operations center is the only defense.

Above all, investing in the human element of security will place an organization in the best position to limit the financial and data losses zero-days can incur. By placing hands on keyboards and unlocking visibility into all aspects of an ecosystem, a security team can more readily detect hints that a zero-day might be targeted against them and deploy necessary patches. For example, if a robot you operate in the US randomly connects to a server in Ukraine without any other unusual behavior, it might signal that a zero-day has been leveraged. And while there may have been an initial access into your robot or environment through a zero-day, having a broad view of your IT security ecosystem, along with technologies like artificial intelligence, can alert an incident response team to create a patch for a vulnerability as soon as possible.

Thankfully, even though more zero-days are being discovered than ever before, they're still relatively rare in the world of cybersecurity. Up until the last several years, zero-day exploits were mostly identified and held closely by national governments, who wanted to save them to deploy whenever necessary. But the commercialization of hacking groups, including ransomware-as-a-service platforms, has created an ecosystem incentivizing the purchasing and selling of zero-days, often with the financial or technological resources of a nation-state in support.

With such capable attackers, virtually every business should be worried — from large companies that serve as final targets for hackers, to smaller companies that can serve as stepping stones in a sequence of attacks. The constant of security operations can detect and mitigate threat actors from lurking behind the scenes of an IT ecosystem through a zero-day exploit, no matter the origin. So, while patching is proper preparation, the investment in trained security professionals, in-house or outsourced, is the best defense against zero-days.

Zero-Days Aren't Going Away Anytime Soon & What Leaders Need to Know

Microsoft is urging organizations that don't have automatic updates enabled to update to the latest version of Linux Server Fabric to thwart the "FabricScape" cloud bug.

Microsoft this week disclosed a serious container-escape vulnerability in its widely used Azure Service Fabric technology, which gives attackers a way to gain root privileges on the host node and take over all other nodes in the cluster.

The privilege-escalation bug is only exploitable on Linux containers, though it is present in Windows container environments as well, Microsoft said in an advisory Tuesday. Security researchers from Palo Alto Networks reported the bug — which they have dubbed FabricScape — along with a fully operational exploit, on Jan. 30, 2022. Microsoft released a fix for the issue (CVE-2022-30137) on June 14, but details on the bug were just released this week.

The fix has been applied to all customers that are subscribed to Microsoft's automatic update service, but others will need to manually patch to the latest version of Service Fabric. "Customers whose Linux clusters are automatically updated do not need to take further action," the company said in its bug disclosure announcement.

**A Privilege-Escalation Issue**

Service Fabric is a Microsoft container-orchestration technology — like Kubernetes. Numerous organizations use it as a platform-as-a-service to deploy and manage containers and microservices-based cloud applications across a cluster of machines. Palo Alto Networks used Microsoft data to estimate that Service Fabric hosts more than 1 million applications daily across millions of cores.

The bug that Palo Alto Network discovered exists in a logging function with high privileges in a Service Fabric component called Data Collection Agent (DCA). Researchers from the security vendor's Unit 42 threat intelligence team found that an attacker with access to a compromised container could exploit the vulnerability to escalate privileges and gain control of the host node and, from there, escape it and attack the entire cluster.

"The vulnerability allows attackers to take over the entire Service Fabric environment if they get a hold of a single application," says Ariel Zelivansky, director of security research at Palo Alto Networks. This allows attackers to perform lateral movement and to steal, destroy, or manipulate data. Other actions that an attacker could take by exploiting FabricScape include deploying ransomware or hijacking systems for cryptomining.

"If an organization hosts all of its applications, and possibly credentials, on Service Fabric, an attacker can gain control of all of those," Zelivansky says.

For an attack to be successful, a threat actor would first need to find a way to compromise a containerized workload on a Linux Service Fabric cluster, Microsoft said. The attacker would then need to trigger the DCA to run the vulnerable function in a manner that results in a so-called "race condition" where malicious code can be introduced into the environment.

**PoC: Exploiting the Flaw**

Researchers at Palo Alto Networks were able to exploit the vulnerability on Azure Service Fabric using a container under their control and a simulated compromised workload. They found the attack only worked if the compromised container had access to Service Fabric runtime data — something that is granted by default in single-tenant environments but less common in multitenant setups.

"Any application that is powered by a Service Fabric Linux cluster with runtime access, which is granted by default, is affected," Zelivansky said. Last year, Palo Alto Networks discovered another set of vulnerabilities in the Azure Container Instances (ACI) platform that allowed for a similar container escape.

Microsoft urged organizations using Service Fabric to review containerized workloads in both Linux and Windows environments that had access to host clusters. "By default, a \[Service Fabric\] cluster is a single-tenant environment and thus there is no isolation between applications," Microsoft said. All applications running in these single tenant environments are considered trusted and therefore have access to Service Fabric runtime, Microsoft said.

Thus, organizations that want to run untrusted application in a Service Fabric cluster should take additional measures to create isolation between applications and should remove access to Service Fabric runtime for those untrusted apps, Microsoft said.

Zelivansky says the first layer of defense against vulnerabilities such as FabricScape is focusing on the application itself, limiting the possibility of an attack by remediating known vulnerabilities in their code. They can also limit exposure to the Internet.

However, he offers a caveat: "But the reality is that even if an application is safe from any known vulnerability, zero-day vulnerabilities could be discovered and exploited in any code. And \[software\] supply-chain attacks such as typosquatted or malicious packages are becoming more common than before," he says.

Zelivansky says organizations running Linux Service Fabric clusters should check their cluster version and verify the version is at least 9.0.1035.1. "An organization should check if they have Linux-based applications on Service Fabric. If the answer is yes, we recommend giving top priority to addressing this vulnerability now that its full details are out."

**Cloud Vulnerabilities in Cyberattackers' Sights**

Vulnerabilities in cloud products and services have become a growing concern for organizations — and not just because of the security risks associated with them. In many cases, organizations also have a hard time keeping track of cloud vulnerabilities because of the absence of a common vulnerability enumeration (CVE) program for cataloging them. Because many cloud-security issues are considered the service provider's sole responsibility, there often has been little disclosure of these issues, leaving organizations in the dark about whether they might have been exposed to a specific threat.

This week researchers at Wiz launched a new community-based cloud vulnerability database aimed at addressing this lack of information. The database currently contains information on some 70 previous security issues in cloud products and services. Anyone can add to the database going forward. The goal is to make it a central repository for information on cloud threats in the absence of a formal program like MITRE's CVE program for information security flaws.

Patch Now: Linux Container-Escape Flaw in Azure Service Fabric

The malware has been in circulation since 2020, with sophisticated, advanced malicious actors taking advantage of the vulnerabilities in SOHO routers as the work-from-home population expands rapidly.

Security researchers have discovered a multi-stage remote access Trojan (RAT) currently being used against a wide range of small office-home office (SOHO) routers in Europe and North America — potentially the work of a state-sponsored actor.

Researchers believe that at least 80 victims have been infected so far during the campaign.

The malware, known as ZuoRAT, has been active since 2020, according to the Black Lotus Labs, the threat intelligence arm of Lumen Technologies.

According to the report, the malware makes its way onto the routers through exploits for known vulnerabilities. It can also infect other devices in the network and introduce additional malware via DNS and HTTP hijacking.

"ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device, and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules)," Lumen's threat intelligence team wrote in a blog post on the malware.

**Trojan Targets Cisco, Netgear Routers**

The malware targets routers from Cisco, Netgear, Asus, and DrayTek.

"The device types consisted of, but were not limited to: Cisco RV 320, 325 and 420; Asus RT-AC68U, RT-AC530, RT-AC68P and RT-AC1900U; DrayTek Vigor 3900 and unspecified NETGEAR devices," according to the analysis.

The research team noted that while compromising SOHO routers as an access vector to gain access to an adjacent LAN is not a novel technique, it has seldom been reported.

"Reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are \[rare\] and a mark of a complex and targeted operation," the post continued. "The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organization."

From the perspective of Danny Adamitis, principal information security engineer for Lumen Black Lotus Labs, the sophistication of this campaign cannot be overstated, especially the ability to enumerate infected devices and the LANs they are connected to, and packet-capture network traffic for additional targeting.

"Moreover, the multi-stage campaign includes multiple fully functional Trojans, as well as complex and covert C2 and proxy C2 infrastructure to obfuscate command-and-control and evade detection, which is why it went undetected for nearly two years," he adds.

**Other Trojans Found on Hacked Devices**

To Adamitis' point, the researchers found two other Trojans on the hacked devices. One was based on C++ and targeted Windows workstations. The other Trojan was based on the Go programming language and attacked Linux and macOS as well as Windows.

Among other things, they allowed the attackers to start new processes, gain permanent access to infected systems, intercept network traffic, and upload or download arbitrary files.

**Shift to Secure the Home Office**

According to a recent survey, nearly a quarter of the respondents (23%) named securing the remote workforce as their top priority for 2022. Routers are an important part of that, as they act as central waypoints for the rest of the home IT footprint.

"Once you are on the router you have a full trusted connection to poke and prod at whatever device is connected to it," Dahvid Schloss, offensive security team lead at Echelon, said via email. "From there, you could attempt to use proxychains to throw exploits into the network or just monitor all the traffic going in, out, and around the network."

So, as part of the work-from-home shift, some major vendors are moving their security focus, such as HP, which helps admins secure work-from-home endpoints by extending cloud security management that can remotely track, detect, and self-heal remote company devices.

"The consumer router space is ripe for targeting because these devices reside outside of the traditional security perimeter, and they are rarely monitored or patched," Adamitis adds. "This is only exacerbated by the rapid shift to remote work at the start of the pandemic."

Alex Ondrick, director of security operations at incident-response specialist BreachQuest, says a general lack of security controls for consumer-grade routers, and difficulties in "force" patching/update for them, makes SOHO routers particularly vulnerable.

"If a SOHO router is unpatched or vulnerable to known security flaws, ZuoRAT poses a dangerous combination of reconnaissance and authentication-bypass exploit script and lateral-movement capabilities," he explains.

**Bolstering the Human Firewall**

Ondrick adds that the SOHO router threat is an opportunity for organizations to expand their security awareness programs and spread valuable improved security measures among their users.

"Educating users on how to protect their home networks, their passwords, their financial information, and their families increases their engagement and builds cybersecurity hygiene and acumen they take back to the office, and reduces the organization's attack surface and builds the better human firewall," he says.

He says SOHO users should regularly update their router's firmware and ensure their devices are behind multiple layers of security (defense-in-depth) wherever possible.

For home routers, he says it's important to leverage the vendor's built-in security capabilities alongside host-based network security wherever possible.

"Think of your home router as 'yet another' device which should be regularly updated and think of it as the 'first line of defense' between you and the public-facing Internet," he says. "Pending any leaps forward in SOHO router security, consider adding a recurring biannual reminder on your phone or calendar to check for updates on your router's firmware."

ZuoRAT Hijacks SOHO Routers From Cisco, Netgear

The now-patched bug allows an attacker to gain full access to a user's Amazon files.

A high-severity flaw in the Amazon Photos Android App — which has more than 50 million downloads — could allow attackers to steal a user's Amazon access token and use it to access multiple Amazon APIs.

The team at Checkmarx alerted Amazon to the broken authentication vulnerability in the Amazon Photo App for Android, which allows users to share, print, and store mobile photos.

The analysts said the bug is due to a component misconfiguration in the app's manifest file.

"Whenever this activity is launched, it triggers an HTTP request that carries a header with the customer's access token," the team said. After receiving the request, the analysts found they could also gain control of the server.

The report added that, "with all these options available for an attacker, a ransomware scenario was easy to come up with as a likely attack vector. A malicious actor would simply need to read, encrypt, and re-write the customer’s files while erasing their history."

To protect themselves, users should update to the latest version of the app. Checkmarx researchers said that downloads made before Dec. 18 are affected if users haven't updated the app since then.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Broken Authentication Vuln Threatens Amazon Photos Android App

In the always-changing world of cyberattacks, preparedness is key.

What do militaries and hackers have in common? They both use structured techniques to achieve their goals. Just as generals draw up battle plans, cyberattackers follow steps to home in on their targets. In the industry, this is known as the cyber kill chain (CKC), and it has become a blueprint both for digital intruders and those trying to stop them.

Military contractor Lockheed Martin developed the CKC in 2011, basing it on a long-standing concept that the military applies to kinetic warfare.

The CKC applies this model to cyberattacks across several steps:

*   **Reconnaissance:** Attackers look for information that could help them launch an attack. This includes the technology a company uses, its employees' email address scheme and addresses, its leadership, and its suppliers. Mitigating measures include locking down unneeded network ports and webpages, warning employees about posting sensitive company information online, and protecting the personal information of employees and leadership.
*   **Weaponization:** An attacker uses a digital weapon to exploit weak spots. This typically includes an exploit targeting a vulnerability along with a digital payload.
*   **Delivery:** The attacker deploys the weapon. Delivery channels can include email, removable storage, an open RDP port, or a Web application vulnerability. Phishing is popular in this phase.
*   **Exploitation:** The digital weapon detonates. This usually involves the user clicking on an attachment. In some cases, malware may detonate without user interaction once it finds a "landing spot" during the delivery phase.
*   **Installation:** Initial exploits usually involve a dropper that gains access through techniques such as privilege escalation to install malware. This can include ransomware and/or software that lets an attacker control the victim's machine remotely, such as a remote access Trojan (RAT) or a weaponized legitimate tool like Cobalt Strike.
*   **Command and control (C2):** This is where the C2 phase comes in. The tool "phones home" to an attacker's server, sending back network information and executing instructions. The attacker uses the tool to move laterally through the network, gaining access to more assets until they find what they're looking for. The attacker might stay silent for months during this phase.
*   **Action taken:** At some point, the criminal executes their payload. The headlines are littered with the aftermath: encrypted data, stolen customer records and stalled control systems. After the kill chain is complete, the effects on the victim are often dire, including reputation damage, regulatory scrutiny, legal challenges, business disruption, and financial loss. Sometimes the victim doesn't survive.

**Complexity and Costs Increase Along the Kill Chain**

The difficulty and cost of disrupting the kill chain increases as the attack evolves through these steps. It's easier to stop a cyber weapon as it enters your infrastructure than it is to contain and remove it after it detonates.

Defenders face a perfect storm as they struggle to quash attacks in the early stages. Inadequate tools combined with a skills shortage have left many unprepared to stop these attacks.

Plenty of companies employ security information and event management (SIEM) as their main defense during the early and middle phases of the kill chain. This tool captures and correlates network events and might flag emerging incidents as potential attacks. However, these tools still require security analysts to stop attacks manually.

A worsening cybersecurity skills shortage makes that manual work difficult, with 57% of organizations reporting a direct impact on their cybersecurity operations. An increasing workload was the biggest ramification, affecting 62% of those who reported an impact, followed by unfilled open job requisitions and burnout. With risks like these, security operation centers (SOCs) need to stretch their people as far as possible.

As defenders struggle to cope, adversaries are becoming more sophisticated. Attack volume and velocity are increasing as intruders automate various kill chain steps. Focusing purely on monitoring leaves security professionals one step behind. It's time to meet this challenge in kind by automating incident response.

Appropriate tools and services, including managed detection and response (MDR), can automatically spot and neutralize well-known attacks early in the kill chain. Similarly, email defense today is largely an exercise in machine learning-based techniques that have increased detection accuracy.

This automation saves time and money by neutralizing attacks early. It also frees analysts to handle the more complex attacks, making maximum use of your team.

MDR and 24/7 expert services help with these attacks too. They use a mixture of automated detection and response with manual brain power to spot and mitigate both early and advanced attacks. \[Editor's note: The author's company is one of many that offers such services.\]

It's crucial to operate these defenses at all times, because cyberattackers don't stop working when you do. Full defense involves a combination of attack awareness, automation, and always-on response. It also requires cyber hygiene to close as many attack vectors as possible along the kill chain. Every measure, from employee security awareness through to software patching and strict identity and access control, will help you to get ahead and block intrusions early. In the evolving world of cyberattacks, preparedness is key.

How to Master the Kill Chain Before Your Attackers Do

It's time to decide which role to play to best serve your organization's security needs: an auditor, a lawyer, or a developer.

Your business relies on software, and attackers know that. To prevent your applications from being used against you, you need an application security (AppSec) program that delivers three crucial things:

*   **Secure code**: Your code has to be vulnerability-free and well-defended.
*   **Secure software supply chain**: Ditto for your libraries, products, and dev tools.
*   **Secure operations:** You must detect attacks and prevent exploits in production.

You can choose a number of paths to get to that level of protection. Which path you choose depends on your teams, processes, technology, and culture. How do they all work together? Keep in mind that an AppSec program isn't about eliminating risk. Business involves taking risks, and there's no way to completely eradicate it. But there's a big difference between taking blind risks while not knowing what could go wrong vs. being aware of how likely it is that an issue will be found and exploited, as well as how catastrophic (or not) the outcomes might be.

When it comes to risk decisions, choosing a strategy for your AppSec program is the most important one you'll face. Setting up an AppSec program is nuanced and varied, but consider which of the following three general types best fits your company. The wrong path could leave you with a massive weight of security debt, or even possibly breached, because time was wasted chasing vulnerabilities that weren't all that relevant and real risks got buried in the "never got to it" pile.

**1\. The Auditor: Checkbox AppSec**

In "minimal" AppSec programs, small teams do only what's required of them by either external standards or their customers. The goal is to simply check off the boxes for application security standards like OWASP, PCI, and NIST, all of which are, essentially, checklists. Many types of companies adopt this strategy — most commonly, small and midsize businesses — but the checklists don't bring them actual security.

It's not that minimal AppSec programs never succeed. They can by relying on free or very inexpensive tools, such as OWASP ZAP and DependencyCheck, to assess code. An inexpensive cloud web application firewall (WAF) for production might also be in the mix. But these tools can show false-negatives that miss real vulnerabilities, giving organizations a false sense of security. Such tools also tend to throw false-positives that lead to squandered resources and huge backlogs instead of actual remediation.

An upside to having a minimal AppSec program is that the budget for people and tools tend to be small. But because minimal AppSec programs don't offer a clear understanding of business risk, organizations are underinvesting in enterprise security based on incomplete information.

**2\. The Lawyer: Adversarial AppSec**

In adversarial AppSec programs, the development team tries to deliver code as fast as possible while the siloed security team wrestles for control. Development focuses on delivering features, while the security team tries to add more security activities. Large companies tend to adopt this approach, as do critical industries such as finance, banking, e-commerce, and insurance.

This approach requires a large security team to execute all of the activities. Most have various subteams focused on architecture, policy, threat modeling, policy, static scanning, dynamic scanning, WAFs, training, and more. Adversarial programs always have more analysis to do, but security teams don't actually fix code in this type of program. Organizations often adopt "champion" programs to help get all of the work done. But without a clear line of sight from activities desired outcomes, much of the busy work has little to no measurable effect.

Given a big enough team and a big budget, adversarial AppSec programs can be effective. But most programs struggle to handle the volume of tool output, particularly as development teams speed up their software releases. Most vulnerabilities wind up in an ever-growing pile of issues that are neither triaged nor remediated. Development teams are confronted with significant delays and bottlenecks due to these backlogs, which are coupled with security testing and gates. Innovation suffers because of these delays, which cause frustration and force development teams to seek exceptions and bypass security.

**3\. The Developer: Developer-Centric AppSec**

Developer-centric AppSec programs strive to put application security directly into the hands of software development teams as part of their regular work. The goal: for the teams to eventually establish an automated pipeline that ensures strong security across the software development life cycle, starting with the developer and on into production. This type of program is often called "DevSecOps," or "shift left."

DevSecOps programs use the "big machinery" of software development to do security work, as opposed to smaller, siloed AppSec teams. Given that developers won't tolerate slowing down pipelines or wasting time on false-positives, developer teams automate security testing in pipelines, using fast and highly accurate tools that enable fast security feedback loops and reduce cost.

Developer-centric programs employ interactive application security testing (IAST) tools to simultaneously perform fully automated security and quality tests. Doing so aligns development and security interests, as the teams work together on expanding test coverage and strengthening the pipeline. Visibility into attacks with runtime application self-protection (RASP) also provides teams with threat intelligence that informs security priorities. RASP technology prevents vulnerabilities from being exploited, allowing teams to respond to new vulnerabilities without having to run a fire drill.

The developer-centric approach is ideal for projects regardless of their stage in DevOps transformation. That said, this approach may not be able to take advantage of automated pipelines, quality testing infrastructure, and DevOps culture if applied to completely traditional projects. Then again, adopting a developer-centric approach to security may be the perfect catalyst to spark or to speed a DevOps transformation.

**Software Security Has Changed**

Inspired by incidents like SolarWinds, Log4Shell, and Spring4Shell, the world's governments have been pushed into doing something about application security. New regulations and standards from NIST, PCI, and OWASP all require a more sophisticated approach to AppSec and real evidence that what you're doing is actually effective.

Those employing a "minimal" or "adversarial" AppSec program will likely have to respond by making some changes, including:

*   **Threat modeling:** The days of checklists are over. You're going to need to threat-model your applications and then demonstrate that you've implemented decent controls for each.
*   **AST****:** You're also going to be expected to do a much more thorough job of testing the security of your applications and APIs. You'll have to provide evidence that you're testing the effectiveness of your defenses and remediating any problems found.
*   **SBOMs****:** To really get a handle on your open source use, you're probably going to need sensors that report library data to an always-up-to-date database. But in the meantime, you'll also need to generate software bills of materials (SBOMs) for your customers.

Bear in mind that if you decide to change up your approach, transforming one team at a time is probably preferable to trying to change everything all at once.

The trend toward more transparent application security that goes beyond simply checking off boxes likely won't stop here. The US government, for one, is evaluating a software security labeling scheme to create visibility and drive better security from producers. Whether this becomes reality remains to be seen, but one thing's safe to say: Now is a fine time to make sure you've chosen the right strategy for application security.

What's Your AppSec Personality?

External attacks focused on vulnerabilities are still the most common ways that companies are successfully attacked, according to incident data.

Attackers continue to find significant success targeting unpatched servers and vulnerable remote-access systems, researchers say -- and these types of compromises cost victim organizations 54% more than compromises caused by user actions (i.e., falling for phishing and opening malicious documents).

According to a Wednesday report by security firm Tetra Defense, which analyzed incident data from the first quarter, unpatched vulnerabilities and exposing risky services—such as Remote Desktop Protocol (RDP)—account for 82% of successful attacks, while social-engineering employees to take some action accounted for just 18% of successful compromises.   

Incident data collected by the firm showed that the ProxyShell exploit for Microsoft Exchange servers accounted for about a third of external breaches, while insecure Remote Desktop Protocol (RDP) servers accounted for a quarter.

While the Log4Shell bug continued to see a great deal of media coverage, the attack vector was only used in 22% of breaches, says Nathan Little, senior vice president of digital forensics and incident response (DFIR) at Tetra Defense.

"We expect these tactics to continue—however, there is a finite amount of vulnerable Exchange servers," he says. "Over time—and we have seen this over the past five-plus years—the vulnerabilities that are used by threat actors will change, but \[in general\] externally accessible vulnerabilities will continue to be a favorite attack vectors for cybercriminals."

Healthcare topped the list of targeted industries, with nearly 20% of compromised organizations falling in that category. Finance and education tied for second at 13%, and manufacturing accounted for 12% of incidents, according to Tetra Defense's data.  

Tetra Defense also tracked the cybercrime actors responsible for most breaches, and found that four groups—Lockbit 2.0, BlackCat, Conti, and Hive—are responsible for about half of all compromises investigated by the firm.  

**Cloud Misconfiguration: Less Costly Than Other Cyber-Incidents**

While a common form of vulnerability, misconfigurations did not account for much of the cost of breaches, with few requests to investigate such compromises, Tetra Defense's Little says.  

"For misconfigurations—because they can range from an AWS S3 bucket being publicly accessible with sensitive information stored in it -- to a non-sensitive server being exposed with a default username and password — the costs can range drastically," he says. "Typically speaking, the costs of misconfiguration are lower than unpatched systems and accidental user action."

While damages are hard to estimate, Little sees the potential impact as a percentage of revenue, with a reasonable financial impact of a major cybersecurity incident accounting for 2% to 10% of annual revenue.

He also notes that two controls -- comprehensive patching and using multifactor authentication (MFA) -- could have prevented nearly 80% of the investigated incidents. That includes 57% of external compromises that used an unpatched vulnerability, and the 13% of successful attacks on virtual private networks that either exploited a vulnerability or used stolen credentials to gain access where there was not MFA enabled, Little says.

"This shows that these two controls alone would have a drastic impact in decreasing the risk of a ransomware incident," he says. "The cost savings for a company would be the difference between having a data breach and ransomware incident that could stop business for a week or more and cause reputational harm or not."

**Conflicting Data**

Data on successful compromises can help companies determine the most critical attack vectors to address, but it should be noted that the conclusions depend greatly on the specific incident-response firm.   

For instance, earlier this year, security-advisory firm Kroll saw phishing continue to grow, with 60% of the cases the company investigated using phishing attacks as the initial-access vector. Meanwhile, the exploitation of vulnerabilities dropped by half to 13% of all initial compromises, down from 27% in Q4 2021.

    

Source: Tetra Defense

"Despite a decrease in ransomware incidents and the disruption and exposure of a number of key threat groups ... 2022 is proving to be the year of attacker diversity, with actors exploiting new methods, such as email compromise, leading to extortion," Kroll stated in its latest quarterly threat landscape report.  

**Ransomware Spike**

By way of context, in February, incident-response firm CrowdStrike released its annual report on its own incident data from 2021 showing that breaches related to ransomware attacks had grown by 82%. In addition, the company's data showed that malware had only been used in only 38% of successful intrusions, with 45% of attackers manually conducting the attacks.  

The average time to move from an initial compromise to attacking other systems on the network—what CrowdStrike calls the "breakout time"—remained near 1.5 hours, according to the company's data.

Cyberattacks via Unpatched Systems Cost Orgs More Than Phishing

Embrace cyber-risk modeling and ask security teams to pinpoint the risks that matter and prioritize remediation efforts.

New cybersecurity vulnerabilities increased at a never-before-seen pace in 2021, with the number of vulnerabilities reaching the highest level ever reported in a single year. As a threat analyst that monitors security advisories daily, I also observed a 24% jump in new vulnerabilities exploited in the wild last year — indicating threat actors and malware developers are getting better at weaponizing new vulnerabilities. Not only are vulnerabilities proliferating at an unprecedented rate, but threat actors have also gotten better at racing to take advantage of them with a range of new malware and exploits.

These findings were reinforced by the Cybersecurity and Infrastructure Security Agency (CISA) alert issued in April 2022: "Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors."

**Focus on Active Threats and Exposure**

There is a silver lining to this compounding surge in vulnerabilities year-over-year: As counterintuitive as it may sound, fixing all vulnerabilities is likely unnecessary for most organizations. And with many large companies battling millions of vulnerabilities, immediately fixing all flaws identified by traditional vulnerabilities scanners is an impossible task.

Why does alert fatigue exist? Traditional approaches to understanding the severity of vulnerabilities rely almost exclusively on the Common Vulnerability Scoring System (CVSS). However, CVSS only provides a general picture and does not consider how the vulnerability would be exploited within a specific network. As a result, organizations are left dealing with a massive list of vulnerability alerts with little to no visibility into how they should be prioritized based on specific security controls and configurations.

**Risk-Based Approach**

While cybersecurity breaches rose sharply year-over-year, the good news is that 48% of organizations with no breaches took a risk-based approach. This risk-based approach includes five key ingredients:

*   Attack surface visibility and context
*   Attack simulation
*   Exposure management
*   Risk scoring
*   Vulnerability assessments

Actual risk reduction requires focusing on eliminating the threats that matter. Thankfully, cybersecurity leaders are now embracing the fact that not all vulnerabilities are created equally. This new way of thinking enables SecOps to ruthlessly prioritize the vulnerabilities that matter for remediation and quantifiably reduce risk.

**Modeling Cyber-Risk Management**

Risk management is an essential principle of cybersecurity, allowing security teams to prioritize threats based on their potential impact to an organization.

For a comprehensive risk score, consider adding these elements to the static CVSS:

**Exploitability:** Are threat actors exploiting the vulnerability in the wild?

**Exposure:** Are existing security controls protecting the vulnerable asset?

**Asset importance:** Is the asset mission-critical? Would it expose sensitive data?

**Financial impact:** How much will it cost your business per day if the system is compromised?

Now is the time to leverage the data you have to embrace breach prevention that will combat the side effects of digital transformation and modern cybercrime strategies. That means focusing on active threats that are accessible to adversaries and have the potential to devastate your business financially — instead of the millions of vulnerabilities that aren't even exposed.

Armed with cyber-risk modeling, security teams are empowered to pinpoint the risks that matter and prioritize remediation where it's genuinely needed. Telling a CISO that you've retired thousands of exploitable vulnerabilities and malware families in a single month will result in a happy executive.

Source

DARKReading