Verizon's "2022 Data Breach Investigations Report" repeatedly makes the point that criminals are stealing credentials to carry out their attacks.

Credentials, phishing, exploiting vulnerabilities, and botnets "pervade all areas of the DBIR, and no organization is safe without a plan to handle them all," Verizon's team of researchers wrote in this year's "Data Breach Investigations Report."

Attackers don't have to bother with zero-day vulnerabilities or build out elaborate attack tools when they can just steal credentials and log right in. Whether the report is looking at Web application attacks, email scams such as business email compromise, or malware, the theme was consistent: Stolen credentials played a role. 

DBIR is chock-full of charts and visualizations, so it is difficult to pick just one -- though the chart about what types of data attackers are stealing is a particularly striking. For a long time, criminals were interested in personal data -- data that could be used for identity theft or other types of financial fraud. While that is still the case, that is not the complete story. Attackers are focusing heavily on obtaining stolen credentials, since those credentials make carrying out other attacks even easier and harder to detect. The report considers 180 different actions that lead to data breaches, and the use of stolen credentials is the most common.

"We've long held that credentials are the favorite data type of criminal actors because they are so useful for masquerading as legitimate users on the system," the report says.

Consider how ransomware gets onto the targeted system: 40% of ransomware incidents involve the use of desktop sharing software, such as remote desktop protocol. And the easiest way to access RDP is via weak passwords.

While third-party breaches represent just 1% of breaches in the 2022 dataset, about half of them involved the use of stolen credentials. 

Phishing and stolen credentials were the top two actions in data breaches involving social engineering attacks. The third is "pretexting," almost all of which are business email compromises. A quarter of BECs used stolen credentials against the victim organization, according to the report.

And finally, in the area of web application attacks, the vast majority of incidents use stolen credentials as their entry point. Over 80% of the breaches that was categorized under web application attacks in this year's DBIR can be attributed to stolen credentials. In comparison, the second most common action, exploiting vulnerabilities, is less than 20%.

"There’s been an almost 30% increase in stolen credentials since 2017, cementing it as one of the most tried-and-true methods to gain access to an organization for the last four years," the report says.

"Even if passwordless authentication isn't ready for prime time in your organization, the report findings can be used to help fund and implement multi-factor authentication," says Rick Holland, CISO and vice-president of strategy at Digital Shadows.

DBIR Makes a Case for Passwordless

Ransomware has become so efficient, and the underground economy so professional, that traditional monetization of stolen data may be on its way out.

The past year has seen a staggering acceleration in ransomware incidents, with 25% of all breaches containing a ransomware component.

That's the top-line finding in the 2022 Verizon Data Breach Investigations Report (DBIR), which found that ransomware events in conjunction with breaches ballooned 13% in the past year — last year's report found that just 12% of incidents were ransomware-related. That translates into a rate of increase that's more than the previous five years of growth combined.

The 15th annual DBIR analyzed 23,896 security incidents, of which 5,212 were confirmed breaches. About four in five of those were the handiwork of external cybercriminal gangs and threat groups, according to Verizon. And according to Alex Pinto, manager of the Verizon Security Research team, these nefarious types are finding it easier and easier to earn an ill-gotten living with ransomware, making other types of breaches increasingly obsolete.

"Everything in cybercrime has become so commoditized, so much like a business now, and it's just too darn efficient of a methodology for monetizing their activity," he tells Dark Reading, noting that with the emergence of ransomware as-a-service (RaaS) and initial-access brokers, it takes very little skill or effort to get into the extortion game.

"Before, you had to get in somehow, look around, and find something worth stealing that would have a reseller on the other end," he explains. "In 2008 when we started the DBIR, it was by and large payment-card data that was stolen. Now, that has fallen precipitously because they can just pay for access someone else established and install rented ransomware, and it's so much simpler to reach the same goal of getting money."

A corollary to this story is that any and every organization is a target — companies no longer need to have something worth stealing in the way of highly sensitive data to fall in the cybercrime crosshairs. That means that small- and midmarket organizations should beware, Pinto said, as well as very small, mom-and-pop organizations.

"You don't have to go for the big guys anymore," Pinto said. "In fact, going for the big guys might be counterproductive because those folks usually have their ducks more in a row as far as defenses. If a business has a handful of computers and they care about their data, you're potentially going to make a few bucks out of them."

Put into a different context, the DBIR found that around 40% of data breaches are due to the installation of malware, he said (what Verizon refers to as system intrusions), and the rise in RaaS has led to 55% of those specific breach incidents involving ransomware.

"Our concern is that really, there's no ceiling here," Pinto says. "I think we're not convinced anymore that it's going to stop — unless someone comes up with something that's even more efficient. I cannot imagine what that would be, but maybe this is why I'm not in the organized crime business."

**The SolarWinds Effect**

The fallout from the infamous SolarWinds supply-chain hack blew far and wide over the course of the year, with the "software updates" vector pushing the "partner breach" category up to being responsible for 62% of system-intrusion incidents (including ransomware incidents) — and that's way, way up, from a negligible 1% in 2020.

Pinto noted that despite the headlines and the interest in incidents like SolarWinds (and others, such as the Kaseya-related ransomware attacks), dealing with supply-chain breaches doesn't require an operational overhaul for most businesses.

"Protecting against the fallout of a supply-chain breach if you were one of the affected customers is not so different from protecting from several other types of malware, because your servers are beaconing out to somewhere they shouldn't be. If you're a CISO, the techniques you use should be fairly similar to the ones you already use because, quite frankly, trying to go after every single software supplier you have to try to make them secure will make you insane. It's a very big lift."

**Where to Start on Ransomware Defense**

In examining the entry paths for breaches, Pinto noted that attacks can reliably be boiled down to four different (and familiar) avenues: the use of stolen credentials; social engineering and phishing; vulnerability exploits; and the use of malware.

"The one thing when you close this report to do is, go look at those four things in your environment and what controls you have for them," Pinto says.

When it comes to ransomware-related breaches in particular, 40% of incidents analyzed involved the use of desktop sharing software such as Remote Desktop Protocol. And 35% involved the use of email (phishing, mostly).

"Locking down your external-facing infrastructure, especially RDP and emails, can go a long way toward protecting your organization against ransomware," Pinto says.

It's worth noting that overall, 82% of all breaches analyzed by Verizon relied on human error (misconfigurations, for example, accounting for 13% of breaches) or interaction (phishing, social engineering, or stolen credentials). Artur Kane, vice president of product at GoodAccess, says that this indicates a few best practices to take a look at.

First, there are the technical solutions, such as requiring multifactor authentication (MFA) and network segmentation by access privileges, along with implementing real-time threat detection capability, keeping continuous access logs, and running regular backups.

"However, security administrators also need to have solid response and recovery plans in place for these occurrences, and should conduct regular trainings and drills," Kane says. "\[And\] user training can greatly contribute to improving the overall company security posture. As a large part of ransomware attacks opens with a phishing lure, training employees in how to spot them can save millions of dollars in later breach recovery."

'There's No Ceiling': Ransomware's Alarming Growth Signals a New Era, Verizon DBIR Finds

But there was a substantial drop in the overall number of critical vulnerabilities that the company disclosed last year, new analysis shows.

The number of privilege escalation bugs in Microsoft's products increased for the second year in a row in 2021, highlighting the growing risk this vulnerability category poses for organizations.

BeyondTrust recently analyzed data from Microsoft vulnerability disclosures in 2021 and found that 588 — or 49% — of the total 1,212 bugs that the company disclosed gave attackers a way to elevate privileges on compromised systems and networks. The number represented a 5% increase from the 559 privilege escalation bugs in Microsoft products that BeyondTrust counted in 2020, when such bugs also eclipsed all other categories of vulns in the company's technologies.

The trend is important because organizations sometimes tend to pay less attention to privilege escalation vulnerabilities than other bugs because often, they can only be exploited after an attacker has already compromised a system. "Elevation of privilege bugs do not get the same attention from organizations" as some other vulnerabilities, says Tim McGuffin, director of adversarial engineering at LARES Consulting. Most organizations focus on preventing initial compromise, which can come from remote code execution vulnerabilities and other flaws, he says. "But \[they\] often de-prioritize patches for EoP vulns and wait until quarterly or annual patch cycles."

**A New Trend**

The number of privilege escalation vulnerabilities in Microsoft's technologies increased last year even as the overall number of reported bugs in the company's products declined for the first time in years. The 1,212 bugs that Microsoft disclosed in 2021 was about 5% lower than the 1,268 bugs it reported in 2020. That was in sharp contrast to the previous four years, which saw a near doubling in bugs — from 451 in 2016 to 858 in 2019.

BeyondTrust also observed a 47% decrease in the number of critical vulnerabilities that Microsoft disclosed in 2021 — 104 compared to 196 in 2020. The number of Windows OS vulnerabilities, too, dropped dramatically in 2021 — from a record 907 vulnerabilities across Windows 7, Windows RT, Windows 8/8.1, and Windows 10 to just 507 last year.

Remote code execution vulnerabilities, which were the most common type of security issue in Microsoft products until 2019, ranked second last year at 326, followed by information disclosure vulnerabilities (119), spoofing (66), and denial of service bugs (55). Microsoft reported a total of 44 security bypass vulnerabilities last year and 3 issues related to tampering. BeyondTrust observed declines in other vulnerabilities such as in overflow, memory corruption, and cross-site scripting flaws in Microsoft technologies. Cumulatively, there were 215 fewer vulnerabilities across these three categories in 2021 compared to the prior year.

The vendor ascribed several likely reasons for the Microsoft vulnerability reductions last year, including better security and coding practices on Microsoft's part; end of life of Windows 7 and other products: and the shift of more enterprise workloads and services to the cloud.

**Fewer Critical Vulnerabilities**

"A drop in critical vulnerabilities reported from 196 to 104 is great news," says Richard Stiennon, chief research analyst at IT-Harvest. "Yet it's hard to derive insights from just the numbers."

The increase in privilege escalation vulnerabilities, for instance, is significant because it indicates that researchers are looking harder for these flaws in Microsoft products. "These are critical because an attacker will use them to ultimately get admin privileges and thus complete control of a system," Stiennon says. "APT groups usually have some sort of escalation exploits in their toolboxes to compromise their targets."

Microsoft's late-2021 adoption of the industry-standard CVSS format for reporting vulnerabilities also made it impossible to determine how many of the critical vulnerabilities it disclosed last year could have been mitigated by removing admin rights on user systems, BeyondTrust said.

The CVSS is derived from data that is designed to produce a numerical score relative to the severity of a vulnerability, says Christopher Hills, chief security strategist at BeyondTrust. "This is great for the overall audience in seeing which vulnerabilities have the highest severity," he says. "But it provides camouflage for those vulnerabilities that leverage privilege elevation because those are now buried in the report."

Between 2015 and 2020, some 75% of critical Microsoft vulnerabilities could have been mitigated by removing admin rights on user systems. There's little reason to believe that the situation has changed a whole lot now, according to BeyondTrust.

"With end user systems and remote access being the top attack vector for bad actors, there truly is no valid reason why users should have standing rights or admin rights on end user systems," Hills says. Removal of admin rights has the potential to impact end user productivity and foster a bad user experience, he admits: "But with today’s technology and the solutions available, there is no amount of end user productivity that could outweigh the cost of a breach or compromise."

McGuffin says the decline in reported Microsoft vulnerabilities last year could also have to do with other reasons. Some countries have modified their vulnerability disclosure processes so that newly discovered vulnerabilities must be reported to the government first — and only then can be reported to the vendor, he notes. "Those same countries have also restricted citizens' ability to participate in competitions like Pwn2Own, where vulnerabilities would be publicly disclosed after the competition," he notes.

And because researchers sometimes focus on specific areas and technologies, that also can have an impact on the number of vulnerabilities discovered in a particular category, McGuffin says. "As an example, one vulnerability in the \[Windows\] print spooler service prompted several other researchers to dig deeper, and we're up to over a dozen RCE and PrivEsc vulns in the spooler now," he says.

Microsoft Elevation-of-Privilege Vulnerabilities Spiked Again in 2021

Notable new infection chain uses PDF to embed malicious files, load remote exploits, shellcode encryption, and more, new research shows.

When it comes to packaging malware, the file format of choice remains Microsoft Word or Excel, but a recent attack using a PDF file to lure in victims caught the attention of researchers.

The campaign _—_ observed by HP Wolf Security _—_ sent the malicious PDF as an email attachment. Once opened, it used a variety of tactics to evade detection, embed malicious files, load remote exploits, and shellcode encryption, according to the researchers.

"Embedding files, loading remotely hosted exploits, and encrypting shellcode are just three techniques attackers use to run malware under the radar," the HP Wolf team reported on the malicious PDF attack in a recent blog post. "The exploited vulnerability in this campaign (CVE-2017-11882) is over four years old, yet continues being used, suggesting the exploit remains effective for attackers."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

New Attack Shows Weaponized PDF Files Remain a Threat

Decentralized finance lost $1.8 billion to cyberattacks last year — and 80% of those events were the result of vulnerable code, analysts say.

Decentralized finance (DeFi) platforms — which connect various cryptocurrency blockchains to create a decentralized infrastructure for borrowing, trading, and other transactions — promise to replace banks as a secure and convenient way to invest in and spend cryptocurrency. But in addition to attracting hordes of new users with dreams of digital fortune, cybercriminals have discovered them to be an easy target, wiping out wallets to zero balances in a moment, tanking whole markets while profiting, and more, according to a new report.  

Analysts with Bishop Fox found that DeFi platforms lost $1.8 billion to cyberattacks in 2021 alone. With a total of 65 events observed, 90% of the losses came from unsophisticated attacks, according to the report, which points to the lax cybersecurity practices of the sector.  

DeFi averaged five attacks per week last year, with most of the them (51%) coming from the exploitation of "smart contracts" bugs, the analysts found. Smart contracts are essentially records of transactions, stored on the blockchain.  

Other top DeFi attack vectors include cryptowallets, protocol design flaws, and so-called "rug-pull" scams (where investors are lured to a new cryptocurrency project that is then abandoned, leaving targets with a worthless currency). But taken together, 80% of all events were caused by the use (and re-use) of buggy code, according to the report.

"The desire to develop quickly and save time, or perhaps just the lazy disinclination to review or recreate one's own code, too often leads to the use of untested, and therefore ultimately vulnerable, code," the report says. 

And indeed, as users and DeFi platforms themselves try to reinvent banking — and a complex new infrastructure to support it — administrators can't overlook the importance of security basics, Dylan Dubeif, senior security consultant at Bishop Fox tells Dark Reading.   

"No matter how innovative or sophisticated your project is, don't forget about security by ignoring what seems minor or basic," he says. "A trivial vulnerability can end up costing you the most."

**DeFi Smart-Contract Vulns** A prime example is the May 28 BurgerSwap Dex smart-contract-related DeFi breach, which led to a $7.2 million loss. That attack leveraged vulnerabilities that are so well known that their use here seemed confounding, according to the report. These included exploiting a missing x\*y≥k check\*\* and mounting re-entrancy attacks, according to the report. The weaknesses allowed attackers to leverage well-known tactics such as flash-loan abuse and the use of fake tokens.

"We can't emphasize it enough — maintain a recurring audit process and test each piece of code before it goes into production," the report says. "In decentralized finance, even the shortest line of vulnerable code can lead to a total loss of project tokens and the collapse of the project." 

Last August, Cream Finance took a major financial hit at the hands of cybercriminals, losing nearly $29 million before the attack was discovered (418,311,571 in Amp Coin and 1,308.09 in Ethereum cryptocurrency).

The hack was made possible due to a re-entrancy bug in its smart-contracts function, introduced by the $AMP tokens used by the exchange.

“The … breach of the Cream Finance platform was facilitated by the latest in a long chain of smart-contract vulnerabilities introduced by human error (or possibly insider attacks),” Joe Stewart, a researcher with PhishLabs, noted at the time. "It is very easy to shoot yourself in the foot by something as simple as failing to include the correct function modifier in your code — exactly what happened to the author of the Cream Finance smart contract.”

Smart contracts become trickier to code-audit as well after they start interacting with each other, Stewart added.

“The increasing complexity of DeFi contracts that interact with one another (possibly even across different blockchains) make it difficult to predict all possible code paths that could lead to privilege escalation and loss of funds locked in the contract,” Stewart said.

**Front-End DeFi Attacks  
**The code used to create DeFi digital wallets and website interfaces has also proved to be an easy attack vector for scammers. 

In one attack on BadgerDAO last December, analysts said that attackers exploited a CloudFlare vulnerability to get an API key, which then allowed them to tweak the site's source code to divert funds to wallets in their control, the report explains. 

"In late September, users on a Cloudflare community support forum reported that unauthorized users were able to create accounts and were also able to create and view (Global) API keys (which cannot be deleted or deactivated) before email verification was completed," Badger said in a post-mortem statement about the breach. "It was noted that an attacker could then wait for the email to be verified, and for the account creation to be completed, and they would then have API access."  

**Flash-Loan DeFi Attacks  
**As mentioned earlier, another type of DeFi attack involves flash loans. A flash loan is an unsecured loan for buying and then selling a certain cryptocurrency; it can be requested by building a smart contract on the blockchain. Then the contract executes the loan and the trades, all in a flash.

In an attack, cybercriminals can use this function for price manipulation. For instance, last May the DeFi project PancakeBunny fell victim to this after an attacker mined a large amount of $Bunny tokens and then turned around and immediately sold them off. Not only can the cybercriminals make a fortune in this way, they can also tank the value of an entire cryptocurrency market in minutes.  

"Although \[this\] may seem painfully simple in retrospect, it _did_ occur, with not-insignificant consequences," the report says.   

The PancakeBunny DeFi project became prey on May 19. Attackers used a bug in the platform and a flash loan to throw the pool out of balance and miscalculate the exchange in the threat actor's favor. Worse yet, just days later, two forks (i.e., new DeFi communities developed from the same blockchain), MerlinLabs and Autoshark, were targeted using the same code and attack methodology. 

"Even though the teams from both projects were aware of having copied the PancakeBunny code with very few modifications, they nevertheless suffered the same attack five and seven days, respectively, after the initial project," the report says. 

**DeFi Servers  
**Servers storing private keys for cryptowallets are also a prime target for cybercriminals, the researchers warn. In several instances, wallets were swiped with stolen keys, the report says, sometimes with devastating losses; one wallet had a balance of about $60 million, for instance.

"Financial loss could have been avoided by auditing the companies’ underlying servers and adding technical and organizational measures (such as multisignature wallets) with zero-trust and least-privilege principles," the report states.

**Preventing the DeFi Pwn-apalooza  
**With so much cybercrime activity, what should be done? To answer that, the Bishop Fox team offered two important pieces of advice for users trying to navigate this new digital financial frontier. One, don't trust any system to be secure; and two, recognize that investments can evaporate in a second. 

The risk to users varies; in some cases, like the PolyNetwork breach, an attacker stole, then returned, $610 million in cryptocurrency and everyone recouped their losses. In other instances, hacked DeFi platforms weren't so lucky. 

Since there's no standard for responsibility, users should be prepared for the worst. "When we talk about DeFi, we are talking about investing in the fledgling cryptocurrency financial system that has yet to learn from its mistakes," the report states.

The researchers acknowledge that with so many parts of the business, defending DeFi platforms is particularly difficult.

"As the attack surface in DeFi projects is larger than usual," the report says, "teams must ensure that adequate precautions are taken to protect all assets."

DeFi Is Getting Pummeled by Cybercriminals

As states address privacy with ad-hoc laws, corporate compliance teams try to balance yet another set of similar but diverging requirements.

Connecticut became the fifth state to pass a consumer data privacy law with the signing of SB 6, titled "An Act Concerning Personal Data Privacy and Online Monitoring." The law, which goes into effect July 1, 2023, is similar to privacy laws in Virginia, Colorado, and Utah, but it falls short of some of the provisions and protections in California's California Consumer Privacy Act (CCPA) and its update, the California Privacy Rights Act (CPRA).

This latest state law on privacy further intensifies the pressure on corporate compliance departments to attempt to address the increasingly difficult task of meeting the reporting and coverage requirements of various privacy laws, and it puts pressure on the federal government to come up with a national law that clarifies consumer privacy rights, says Lisa Sotto, partner and chair of the privacy and cybersecurity practice at Hunton Andrews Kurth LLP, a Richmond, Va.-based law firm.

"It's completely insane complying with all of these \[privacy\] laws; it's virtually impossible," she says. There is no "highest common denominator" that permits organizations to comply with a given set of privacy regulations to ensure compliance with all of them. 

"It's a mess," Sotto says.

While all of the privacy laws have a lot in common, no two are identical. When you layer additional laws — such as those directed at privacy related to minors, healthcare, financial services, and other areas — on top of the five statewide laws, the matrix of compliance requirements becomes unwieldy.

**Ever-Growing Thicket of Privacy Laws**

Currently there is no national privacy law in the United States, but there is a patchwork of laws at the national and state levels that address varying areas of privacy. Among the federal laws are the Gramm-Leach-Bliley Act (GLBA), the Privacy Act of 1974, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, the Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH).

There are also industry rules, such as the Payment Card Industry Data Security Standard (PCI DSS), that dictate how companies should handle consumer privacy. Sometimes laws and industry rules are in direct conflict, such as when a data breach needs to be reported and to whom, forcing companies to choose which regulations to follow.

Add to those state and local laws, such as the New York State Personal Privacy Protection Law, as well as international laws, such as the European Union's General Data Protection Regulation (GDPR) — which holds individuals across the globe liable for mishandling the personally identifiable information (PII) of EU citizens — and compliance becomes unmanageable.

One huge challenge companies face when trying to manage compliance is determining exactly what the laws require and how they define privacy, which is open to interpretation. Forrester analyst Stephanie Liu says the Colorado law, for example, does not permit the sale of personal information for "valuable consideration." It explicitly does not say selling only for cash but rather anything of value.

However, Liu says, she has "talked to a couple of data brokers who said that they do not sell data. If a data broker is making that argument, then you've got a loophole there."

Comparing the Utah, Colorado, Virginia, and Connecticut laws, the "definition of sale" is where they tend to differ, Liu says. "It's a huge headache," she adds.

**Exactly the Same, Only Different**

While the Connecticut law specifically talks about guarding consumers' privacy rights from those who sell products directly to the state's citizens, not all privacy rights are covered by the law. Insurance, for example, is a huge part of the state's economy, but insurance companies are not covered by this new law. Instead, says Sotto, those companies are covered by the federal GLBA regulations.

Boards of directors have a fiduciary duty of oversight when it comes to cyber, she says, and that is forcing them to take a much closer look at privacy as well. Boards are taking a much more personal interest in privacy and compliance, especially now that recent laws can hold board members personally liable if a company is breached or if PII is stolen and made public.

Protecting personal privacy could have an impact on cyber insurance rates as well. Ransomware attacks that steal PII and threaten to make it public are very common today, and cyber insurance policies often include coverage for paying those ransom demands.

For cyber insurance carriers, notes Forrester senior analyst Jess Burn, that means very high legal costs are included under the premiums. Companies that are breached "need to work with their outside counsel on data breach notifications for every single affected state," Burns says. "In addition, if it's a B2C company, \[you have\] consumer notifications, credit monitoring, and all of those different fees that come along with it. Oh, and then the fines are going to come in as well."

Not every privacy issue is addressed in privacy legislation, and not all non-PII is addressed directly in state privacy laws. Data that might contain personal data about investors, for example, is often addressed under other legislation that is not privacy-specific. The Fair Credit Reporting Act, for example, covers some consumer privacy issues that overlap the state privacy laws, as do HIPAA and other healthcare legislation, but these do not necessarily contradict other laws.

"Connecticut exempts employee data from its law entirely," Burn says. "That's another area where it's interesting to see \[that\] sort of the uncertainty, if we're being honest about how states are approaching it."

New Connecticut Privacy Law Makes Path to Compliance More Complex

Company to debut its AD capabilities at the 2022 RSA Conference.

HERZLIYA, Israel, May 24, 2022 /PRNewswire/ -- XM Cyber, the multi-award-winning attack path management company, announced today a new security capability for Microsoft's Active Directory (AD). XM Cyber is the first in the industry to link the use of AD into the entire attack path, bringing multiple attack techniques together and offering a complete and accurate view of an organization's cybersecurity risk, across on-prem and cloud environments. With this new capability, enterprises gain end-to-end attack path visualization for easy understanding and prioritized remediation of all weaknesses before an attack can take place.

A chain of attack vectors (vulnerabilities, misconfigurations, user privileges, human errors, etc.) that enables lateral movement through an organization's network is called an attack path. Once an attacker is inside the network, they can move laterally, escalating their privileges and targeting systems to gain access to sensitive data and business-critical resources, and even gain access to the cloud environment by moving from a compromised enterprise AD user to the associated Azure AD user.

AD is widely used by enterprises around the world (including approximately 90% of Global Fortune 1000 companies) to connect and manage endpoints inside corporate networks. This makes it an attractive target for hackers seeking to obtain domain admin-level access. An attacker that has compromised an AD user can elevate privileges, conceal malicious activity in the network, execute malicious code, and gain access to the cloud environment to compromise assets. The XM Cyber Research team recently reported that 73% of the top attack techniques used to compromise critical assets in 2021 involved mismanaged or stolen credentials; and according to EMA research, at least 50% of organizational attacks are due to AD compromise.

"It is critical to make concentrated efforts to comprehensively secure and monitor AD, proactively look for threats and misconfigurations, and remediate to prevent dangerous actions from taking place," according to Gartner®. \[1\]

The XM Cyber Attack Path Management platform demonstrates how AD abuse comes into play across the entire attack path, bringing together multiple attack techniques to pinpoint the riskiest credentials and permissions across users, endpoints and services managed in AD. This enables organizations to direct resources to remediate the most impactful risks first using step-by-step guidance. The platform's comprehensive security posture analysis surfaces AD weaknesses in real time, correlating the likelihood of attacks that can compromise critical assets.

"Existing solutions provide security teams with limited visibility into which users can expose critical assets," said Boaz Gorodissky, CTO, XM Cyber. "Our unique ability to chain together AD attack techniques gives organizations the edge against attackers, enabling them to reduce their risk before the attack ever happens. We are committed to providing proactive security so CISOs can focus on maximizing resources to protect their most business-critical applications and data."

XM Cyber will debut its AD capabilities at the 2022 RSA Conference, taking place June 6-9 in San Francisco. Interested parties can book a personal demo here or visit us at booth #4328 at the Moscone North Expo. Learn more about XM Cyber Active Directory security here.

\[1\] Gartner, "Emerging Technologies and Trends Impact Radar: Security", Ruggero Contu, Mark Driver, et al, 12 October 2021. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

**About XM Cyber  
**XM Cyber is a leading hybrid cloud security company that is changing the way innovative organizations approach cyber risk. Its attack path management platform continuously uncovers hidden attack paths to businesses' critical assets across cloud and on-prem environments, enabling security teams to cut them off at key junctures and eradicate risk with a fraction of the effort. Many of the world's largest, most complex organizations choose XM Cyber to help eradicate risk. Founded by top executives from the Israeli cyber intelligence community, XM Cyber has offices in North America, Europe, and Israel.

XM Cyber Adds New Security Capability for Microsoft Active Directory

New analysis reveals basic regulatory password requirements fall far short of providing protection from compromise.

A new look at a database of more than 800 million known-breached passwords reveals that 83% of them met basic security standards set by five different standards agencies. 

Minimum password lengths prescribed by NIST, HITRUST for HIPPS, PCI, ICO for GDPR, and Cyber Essentials for NCSC ranged from seven to 10 and included requirements for password complexity, special characters, and numbers — but none were enough to keep compliant passwords off the breached list, according to a new report from Specops Software. 

"What this data really tells us is that there is a very good reason why some regulatory recommendations now include a compromised password check," said Darren James, product specialist at Specops Software, in a statement about the new password policy research. "Complexity and other rules might help but the most compliant password in the world doesn’t do anything to protect your network if it's on a hacker's compromised password list."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Strong Password Policy Isn't Enough, Study Shows

New features include context-aware, zero-trust data protection on local peripherals and devices.

SANTA CLARA, Calif. – May 24, 2022 – Netskope, the leader in Security Service Edge (SSE) and zero trust, today announced a key expansion of data protection capabilities to endpoint devices and private apps. The introduction of a patented endpoint data loss prevention (DLP) solution will enable Netskope Intelligent SSE customers to protect data everywhere it moves across the hybrid enterprise.

Zero trust principles are critical to SSE, which describes the security stack needed to enable a modern Secure Access Service Edge (SASE) architecture. Data protection is of utmost importance throughout a SASE architecture—specifically, the need for security to move with data wherever it is accessed, and apply zero trust to determine the right level of access. Additionally, legacy and endpoint DLP offerings have failed enterprises by being siloed, complicated, and intrusive, hindering user productivity.

Netskope has been consistently recognized by top industry analysts for its advanced data protection capabilities. With today’s continued expansion of the Netskope Intelligent SSE platform, Netskope customers will be able to protect data across SaaS, IaaS, private applications, web, e-mail, and endpoint devices from a single converged data protection solution, leveraging machine learning, user and entity behavior analytics (UEBA), and insider threat mitigation capabilities to improve security efficacy, efficiency, and agility.

  
Notable features of Endpoint DLP include:

· Context-aware, zero trust data protection on local peripherals and devices, such as USB drives and printers

· Unified data classification, policy enforcement, and incident management for DLP across SaaS, IaaS, private apps, web, e-mail, and endpoint devices

· A patented lightweight endpoint agent with cloud-based inspection and contextual data protection policies that enhance the user experience

· Machine learning and Advanced Analytics to help simplify data classification and policy definition, lowering operational overhead

· UEBA, which makes it possible to identify and stop complex data loss scenarios such as insider risk, where users are unintentionally or even maliciously abusing their access to data

“No SASE or zero trust journey will be successful without data protection capabilities that can address all critical use cases in a way that is easy to deploy and doesn’t slow down users,” said John Martin, Chief Product Officer, Netskope. “The introduction of Endpoint DLP extends Netskope’s award-winning data protection capabilities that much further, to critical use cases with endpoint devices. While some competitors may offer unified policy and management or provide data protection for certain vectors, Netskope is the only vendor that can provide truly converged data protection across the full IT environment. We are very excited to deliver Endpoint DLP to customers as another Netskope game-changer.”

“With Netskope’s new eDLP, we can now offer single-pass data protection —across all vectors, from the cloud to the endpoint —with unified policies, within a single management console,” said Mick Coady, Global Vice President CyberSecurity Solutions, World Wide Technology. “As a Platinum Partner in Netskope’s Evolve partner program, we’re seeing the huge growth opportunity that Netskope’s Intelligent SSE approach represents. This new addition will accelerate that growth.”

A work-from-anywhere, or “hybrid,” environment makes it increasingly difficult to maintain security models based on implicit trust in any entity that wants to connect. Zero trust principles enable organizations to govern access to data based on behavior by users, devices, networks, and applications— increasing confidence in policy enforcement everywhere. By evaluating several contextual elements—user identity, device identity and security posture, time of day, geolocation, business role, sensitivity level of the data, and more—the resource itself can determine an appropriate level of confidence, or trust, only for that specific interaction and only for that specific resource. Using Netskope Intelligent SSE with zero trust principles applied throughout the environment, businesses become more agile, reduce risk, and streamline solution deployment and maintenance.

"DLP has been extremely complicated and cumbersome, and that's before you factor in cloud, web, email, private apps, and endpoints,” said Frank Dickson, IDC Group Vice President, Security & Trust. “Netskope looks to address complexity with integration, providing a unified cloud delivered solution. Compared to old school network and endpoint-based DLP solutions, having DLP in this integrated solution makes it dramatically easier to protect data wherever it may be and in a manner that is frictionless for end users. It is a win-win.”

Visit Netskope and take a demo of Intelligent SSE at Booth #S449 at RSA Conference, June 6-9, 2022, in San Francisco. For more on today’s announcement, read the Netskope blog.

**About Netskope**  
Netskope, a global cybersecurity leader, is redefining cloud, data, and network security to help organizations apply zero trust principles to protect data. The Netskope Intelligent Security Service Edge (SSE) platform is fast, easy to use, and secures people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers, including more than 25 of the Fortune 100, trust Netskope to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements. Learn how Netskope helps customers be ready for anything on their SASE journey, visit netskope.com.

Netskope Expands Data Protection Capabilities to Endpoint Devices and Private Apps

New funding led by global cyber investor Paladin Capital Group, alongside existing investors Columbia Capital and Skylab Capital.

**ALEXANDRIA, Va., May 24, 2022**\--(BUSINESS WIRE)--Nisos, The Managed Intelligence CompanyTM, today announced $15 million in Series B funding led by global cyber investor Paladin Capital Group alongside existing investors Columbia Capital and Skylab Capital. The new funding will be leveraged to accelerate company growth with investments in the company’s Managed Intelligence services, the Nisos Intelligence PlatformTM, and additional staff to meet client’s increasing intelligence needs.

"Nisos provides a level of intelligence that is timely, relevant, and actionable. Their monitoring, analysis, and investigation services have been a critical component of our diligence process, enabling us to quickly quantify risk and accelerate acquisitions," said Jason Button, Lead for Security, Integration, and Mergers, Cisco Systems, Inc.

To date, the company has secured over $33 million in funding and experienced tremendous momentum, with a 140 percent increase in Q1 bookings year-over-year. In the last year, the company expanded internationally with the opening of its first European office, increased its headcount by 60 percent, and issued prominent, high visibility research that reveals cybersecurity issues and disinformation campaigns throughout the globe.

"While threat intelligence holds the promise of making protection efforts more precise, in many cases it does the exact opposite, overwhelming teams with terabytes of unorganized information. Managed Intelligence is addressing these shortcomings and empowering security teams with the right information at the right time so that they can effectively combat today's sophisticated adversaries," said Christopher Steed, Chief Investment Officer and Managing Director at Paladin Capital Group. "In this emerging space, Nisos is pioneering an innovative new approach with its unique ability to connect cyber and physical risk for more effective threat intelligence, enabling the company to triple its valuation in two years while also positioning itself for continued rapid growth."

As part of the company’s client enablement strategy, the new funding will be used to expedite product management and development, drive market awareness and elevate customer services and success. This includes plans to refine the Nisos Intelligence Platform to improve analyst and client experiences and build a foundation for additional growth ahead.

"Over the last year, Nisos has grown tremendously as we’ve expanded our platform and continued to add talented experts to address the needs of our growing client base, positioning us at the forefront of the Managed Intelligence market," said David Etue, CEO at Nisos. "This funding helps us expand our offerings and the company to meet accelerating demand from clients who increasingly understand the value of intelligence, and discover that the more they learn, the more resources and expertise they require."

**About Nisos**

Nisos is The Managed Intelligence CompanyTM. Our services enable security, intelligence, and trust & safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset delivering smarter defense and more effective response against advanced cyberattacks, disinformation and abuse of digital platforms. For more information visit: www.nisos.com

**About Paladin Capital Group**

Paladin Capital Group was founded in 2001 and has offices in Washington DC, New York, London, Luxembourg, and Silicon Valley. As a multi-stage investor, Paladin Capital Group’s core strength is identifying and supporting innovative companies that develop promising, early-stage technologies to address the critical cyber and advanced technological needs of both commercial and government customers.

Combining proven investment experience with deep expertise in global security, cyber technology, and cutting-edge research, Paladin has invested in more than 60 companies and has been a trusted partner to investors, entrepreneurs, and governments for over two decades. Follow the firm on Twitter @Paladincap and visit www.paladincapgroup.com.

Source

DARKReading