Upgrades to the Exostar platform promote secure, compliant collaboration and handling of controlled unclassified information.

**HERNDON, VA, July 12, 2022 –** Exostar, a leader in trusted, secure business collaboration in highly regulated industries including aerospace and defense, today announced the availability of updates to The Exostar Platform that allow small and medium-sized businesses (SMBs) to overcome the technology, time, and cost obstacles of preparing for and demonstrating compliance with Department of Defense (DoD) cybersecurity requirements.

Firms throughout the Defense Industrial Base (DIB), including SMBs deep in the DoD supply chain, will have to acquire Cybersecurity Maturity Model Certification (CMMC) 2.0 certification as soon as May 2023 to participate in subsequent DoD contract solicitations. According to CMMC version 2.0, any member of the DIB that stores or handles Controlled Unclassified Information (CUI) during program execution must meet the 110 practices defined at CMMC Maturity Level 2. Many SMBs simply do not possess the expertise, bandwidth, or budget to go it alone.

Exostar’s Managed Microsoft 365 for CMMC directly addresses these challenges. This managed solution, based on Microsoft Teams and hosted in a Microsoft 365 Government Cloud Computing (GCC) High environment, is designed specifically for SMBs and delivers benefits including:

*   A secure workspace for SMB users within GCC High – without the expense and burden of acquiring, setting up, and managing their own tenant.
*   Rapid onboarding – subscribe today and be working tomorrow.
*   Implementation of the security controls necessary to properly protect CUI – and facilitate compliance with CMMC 2.0 and other DoD cybersecurity standards.
*   Enterprise-grade security at a price SMBs can afford, with room to grow for an enterprise license.

In addition to the launch of Exostar’s Managed Microsoft 365 for CMMC, the company has updated and upgraded its CMMC Ready Suite within The Exostar Platform to provide out-of-the-box support to accelerate SMBs throughout their CMMC 2.0 accreditation journeys:

*   Certification Assistant – Offers plainspoken descriptions of CMMC practices at all three Maturity Levels, helping SMBs to conduct compliance self-assessments and scoring, gather documentation, and prepare for any necessary third-party audits ahead of accreditation.
*   Exostar PolicyPro – Evaluates existing policies (including gap analysis) and/or generates new ones in accordance with all policy requirements defined in CMMC 2.0 practices.
*   CMMC 2.0 Basic Assessment – Provides expert guidance from Exostar-vetted cybersecurity compliance specialist partners who use Exostar’s CMMC Ready Suite to address an SMB’s unique circumstances and accelerate the accreditation process.

“SMBs are the lifeblood of the DIB. While they must improve their cybersecurity capabilities to better protect CUI throughout the DoD supply chain, CMMC 2.0 represents a heavy lift for many of these companies,” said Tony Farinaro, Exostar’s Chief Revenue Officer. “We continue to enhance and expand our CMMC offerings to make it easier and more cost effective for SMBs to meet their obligations so they can stay in the DIB, win business, and keep innovating on behalf of the DoD.”

In addition to SMBs, enterprises also can subscribe to Exostar’s Managed Microsoft 365 for CMMC, as well as purchase the other applications and services in The Exostar Platform’s CMMC Ready Suite, today.

**About Exostar**

The Exostar Platform supports exclusive communities within highly regulated industries where organizations securely collaborate, share information, and operate compliantly. Within these communities, we build trust. More than 150,000 companies and agencies in 175 countries trust Exostar to strengthen security, reduce expenditures, raise productivity, and help them achieve their digital transformation initiatives. Nearly half of the Defense Industrial Base, including 98 of the top 100, transact business over The Exostar Platform. Eleven of the top twenty global biopharmaceutical companies rely on The Exostar Platform to help them speed new medicines and therapies to market. Exostar is a Gartner Cool Vendor. For more information, please visit www.exostar.com, and follow Exostar on LinkedIn and Twitter.

Exostar Empowers SMBs with Enhanced, Low-Cost, Easy-to-Use Microsoft 365 and CMMC 2.0 Solutions

Businesses receive an invoice via email with a credit card charge and are asked to call a fake number and hand over personal information to receive a refund.

Cybercriminals are posing as Intuit's popular accounting software package QuickBooks to target Google Workspace and Microsoft 365 small business users in a voice-phishing scam.

The campaign sends a false invoice via email containing a claim that a credit card has already been charged for an order. In order to dispute the charge, victims are directed to call the number included in the email, according to researchers with INKY. The scam was first uncovered in December 2021 and the frequency of attack has accelerated sharply, they said.

The threat actors have been leveraging QuickBooks' free 30-day trial offer to set up fake accounts from which to send fraudulent invoices, impersonating major IT companies including Amazon, Apple, PayPal, and McAfee. Once the victim calls, they are asked for bank account information, login credentials, or other personally identifiable information.

"These attacks were highly effective at evading detection because they were identical to non-fraudulent Quickbooks notifications, even when examining the emails' raw HTML files closely," the report noted. "All notifications originated from authentic Intuit IP addresses, passed email authentication (SPF and DKIM) tests for intuit\[.\]com, and only contained high-reputation intuit\[.\]com URLs."

One such scam in April impersonated an Amazon Prime shipping notification, which used the strings "amazn" and "amzn" to evade detection filters. By clicking on the "print or save" or "view invoice" buttons, the victim is then taken to Intuit's website and shown a fraudulent invoice, inducing the user to call the number and give up financial information.

"The natural response is to get right on the phone and try to back the order out, or, barring that, find a way to obtain a refund," the INKY report noted. "The phishers take advantage of this disrupted emotional state to extract personal or financial information before the victim realizes that something is off."

**Defense Requires Vigilance**

INKY recommends that recipients of these kinds of messages should refrain from calling any phone numbers they provide and be wary of requests for payment through the form of gift cards, a method unlikely to be used by businesses.

"If there is any doubt about a charge, it is best to contact the relevant credit card company to see if there really is a charge in that amount," the report noted. "Any real charge would be shown as 'pending'."

Small businesses are increasingly targets for cyberattacks, according to recent research; however, just 40% of small businesses have a cybersecurity policy. Among the key steps small businesses can take to improve their security posture is adopting strong security policies and training employees in best practices, along with tactical investments in cybersecurity software.

**Plenty of Phishing in the Sea**

Meanwhile, cybercriminals are deploying new vishing methods to defraud victims, according to a report from Kaspersky, including attacks carried out through popular social media sites or major IT service providers like PayPal. A recent vishing scam cited by Kaspersky was based on a widespread TikTok prank where friends use an automated answering-machine voice to warn them that a lot of money will soon be taken out of their bank account.

"When people are convinced to disclose their personal data during a phone call rather than on a phishing page, they often don't have the chance to consider that they are the target of a hoax — and the large number of TikTok videos with this prank is a prominent example of this," according to Kaspersky.

The security firm reports that the volume of vishing is on the rise, with 350,000 vishing emails between March and June 2022, with nearly 100,000 of these emails spotted in June alone.

QuickBooks Vishing Scam Targets Small Businesses

This Tech Tip outlines how system administrators can get started with automated continuous patching for their Windows devices and applications.

The Windows Autopatch service, which allows enterprises to automatically roll out updates for Windows 10, Windows 11, Microsoft Edge, and Microsoft 365 software, is now live, Microsoft said this week. Autopatch is intended to streamline updating operations and reduce the time it takes for systems to be patched. Originally announced in April, the feature has been in public preview since May.  

"Essentially Microsoft engineers use the Windows Update for Business client policies and deployment service tools on your behalf," wrote Lior Bela, senior product marketing manager at Microsoft, on the Microsoft IT Pro blog. "The service creates testing rings and monitors rollouts—pausing and even rolling back changes where possible."

This Tech Tip summarizes the prerequisites for using Autopatch and instructions on enabling the new feature.

**Very Specific Prerequisites**

Customers must have Windows 10/11 Enterprise E3 or E5 licenses. The organization must also have Azure Active Directory Premium and Microsoft Intune. A proxy or firewall that uses TLS 1.2 is also required.

"Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join," Microsoft said in the deployment guide.

The endpoints that will be enrolled into Windows Autopatch must be managed by either Microsoft Intune or Configuration Manager Co-Management. Intune must be set as the mobile device management (MDM) authority or co-management must be turned on and enabled on the endpoints. The endpoints being enrolled must also have connected with Microsoft Intune within the last 28 days in order to be registered with Autopatch.

The endpoints, which must be corporate-owned (bring-your-own-device is not currently supported) should have 64-bit editions of Windows 10/11 Pro, Windows 10/11 Enterprise, or Windows 10/11 Pro for Workstations. However, Windows Autopatch will support updating of Windows 365 cloud PCs in mid-July.

**Configuring the Environment**

Since Autopatch is cloud-based, there are specific Microsoft services that must be available at all times. The four URLs that must be on the allowed list of the proxy or firewall are _mmdcustomer.microsoft.com_, _mmdls.microsoft.com_, _logcollection.mmd.microsoft.com_, and _support.mmd.microsoft.com_. 

The deployment guide lists other firewall configurations, IP ranges, and port requirements for Azure Active Directory, Microsoft Intune, Windows Update for Business, and individual Microsoft applications.

Azure Active Directory must have security defaults enabled and not have any user names that conflict with the ones Autopatch needs to use: _MsAdmin_, _MsAdminInt_, and _MsTest_. Azure AD must also be set so that conditional access policies and multifactor authentication aren’t assigned to all users. The point is that Autopatch can’t be required to have multifactor authentication enabled. 

"Your conditional access policies must not prevent our service accounts from accessing the service and must not require multi-factor authentication," Microsoft said.

**How Do I Get Started?**

Customers with Windows Enterprise E3 and E5 licenses will find Tenant Administration in the Microsoft Endpoint Manager administrator center. The option _Tenant enrollment_ in the Windows Autopatch section will begin the process to set up and configure Autopatch.

But first, Microsoft will run the online Readiness assessment tool to check the settings in Microsoft Intune and Azure Active Directory to ensure they are properly configured to work with Windows Autopatch. If issues are found, the administrator must fix them before continuing.

Once everything is ready, the tool will show an _Enroll_ button to kick off the enrollment. During the enrollment process, administrators will be guided to create the policies, groups, and accounts necessary to run Autopatch.

"Once you've enrolled devices into Autopatch, the service does most of the work. But through the Autopatch blade in Microsoft Endpoint Manager, you can fine-tune ring membership, access the service health dashboard, generate reports, and file support requests," Microsoft said.

**What Sysadmins Can’t Do**

*   It would not be possible to schedule the updates to roll out on certain days or times. The decision of when to move to the next ring is also not configurable.
*   Once a device is registered with Windows Autopatch, updates are rolled out to the devices according to its ring assignment. Currently, there is no support for individual device level control.
*   Windows Autopatch doesn't support managing update ring membership using your Azure AD groups.
*   There is currently no programmatic access via PowerShell to Autopatch

Getting Up and Running with Windows Autopatch

Python's most popular package manager is intent on securing the supply chain by requiring developers to enable two-factor authentication.

As part of the push to mandate two-factor authentication for critical projects, the Python Package Index will distribute 4,000 Google Titan security keys to developers.

PyPI, the largest package manager for Python libraries and software components, has decided to mandate two-factor authentication for maintainers of "critical" Python projects. Two-factor authentication must be enabled for developers to be able to publish, update, or modify their projects. This requirement would protect developers from account takeovers as a result of stolen credentials. There have been numerous instances of supply chain attacks where attackers took over code repositories and hijacked software libraries and modules hosted on popular package managers.

The "critical" designation is assigned to any PyPI project accounting for the top 1% of downloads over the past six months. According to the dashboard published by PyPI, over 3,800 PyPI projects and 8,200 user accounts have been identified as critical. There are currently 28,336 users who have voluntarily enabled two-factor authentication.

"Ensuring that the most widely used projects have these protections against account takeover is one step towards our wider efforts to improve the general security of the Python ecosystem for all PyPI users," PyPI's administrators announced.

The decision to mandate two-factor authentication is an attempt to improve the supply chain security of the Python ecosystem and echoes a similar decision by GitHub to mandate two-factor authentication earlier this year. Recognizing that attackers are increasingly targeting libraries on npm, PyPI's JavaScript equivalent, GitHub auto-enrolled maintainers of the top 100 npm packages with two-factor authentication back in February.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

PyPI Mandates 2FA, Plans Google Titan Key Giveaway

MINNEAPOLIS, July 12, 2022 /PRNewswire-PRWeb/ -- Core Security by HelpSystems, a leading provider of cyber threat solutions, today announced the addition of ransomware simulation to its penetration testing solution, Core Impact. Using an automated Rapid Pen Test, Core Impact users can now efficiently simulate a ransomware attack.

An Increased Need to Prepare for Ransomware Attacks

According to the 2022 Penetration Testing Report, ransomware is one of the top concerns for cybersecurity professionals. Also, a PhishLabs by HelpSystems report shows ransomware is booming, growing more than 100% year-over-year. The cost of ransomware attacks is also on the rise; the average ransom demand alone was $220,298 in 2021, with the recovery cost much steeper, averaging $1.8 million.

\- ADVERTISEMENT -

When employees open infected email attachments or click on malicious websites, they can inadvertently trigger a ransomware attack. With unwitting employees serving as one of the most common attack vectors, ransomware can be particularly difficult to avoid.

"Much like penetration testing, vulnerability management, and red teaming, ransomware simulation is an effective method of offensive (proactive) cybersecurity, helping organizations discover weaknesses before attackers find and exploit them," said Mark Bell, Managing Director of Infrastructure Protection at HelpSystems. "Adding ransomware simulation not only further enhances and centralizes the testing process, but helps employees better recognize ransomware infection methods. It can also uncover who is susceptible to these attacks, which can prompt additional training to teach employees how to be more vigilant before clicking another suspicious email.

"With ransomware here to stay, this simulation process should be considered a cybersecurity essential," said Bell. "The addition of ransomware simulation strengthens Core Impact's reputation as an all-in-one solution, providing multiple types of pen tests across vectors and other integrations."

For an in-depth demo of Core Impact and to see the ransomware simulation in action, visit: https://www.coresecurity.com/products/core-impact/demo-watch or visit: https://www.coresecurity.com/blog/core-impact-introduces-ransomware-simulation to learn more.

About HelpSystems  
HelpSystems is a software company focused on helping exceptional organizations secure and automate their operations. Our cybersecurity and automation software protects information and simplifies IT processes to give our customers peace of mind. We know security and IT transformation is a journey, not a destination. Let's move forward. Learn more at http://www.helpsystems.com.

Core Security by HelpSystems Introduces New Ransomware Simulator

July's security update included fixes for one actively exploited flaw, more than 30 bugs in Azure Site Recovery, and four privilege escalation bugs in Windows Print Spooler.

Microsoft today released patches for 84 vulnerabilities across its product categories, including one bug now actively exploited and four that the company rated as critical severity.

The July security update also includes fixes for four elevation of privilege vulnerabilities in the company's perennially buggy Windows Print Spooler technology, and more than 30 bugs in its Azure Site Recovery disaster recovery service. At least 12 of the 84 flaws disclosed today enable remote code execution, 11 were information disclosure-related, and four enable bypass of security features. Most of the remaining flaws enabled elevation of privilege.

**Priority One: CVE-2022-22047**

Security experts who reviewed Microsoft's latest update said the vulnerability that requires immediate attention is an elevation of privilege vulnerability (CVE-2022-22047) in the Windows Client Server Run-Time Subsystem (CSRSS) that is currently being exploited. Microsoft itself assessed the vulnerability as "Important," giving it a severity rating of 7.8 on a scale of 10. According to the company, the vulnerability — like every other bug in July's update — has not been publicly disclosed. Even so, Microsoft described the bug as being actively exploited, but did not provide any further information.

"The vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target," an analysis on Trend Micro Zero Day Initiative's blog noted. "Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system." Attacks of this type often leverage macros, which is why Microsoft's recent decision to delay blocking all macros by default — like it announced in February — is disheartening, the blog noted.

Chris Goettl, vice president of product management for security products at Ivanti, says organizations should not be lulled by Microsoft's characterization of the flaw as important. The fact that attackers are actively exploiting the bug makes it a priority, he says. "Organizations prioritizing using legacy rating methods could miss prioritizing the urgency of the OS update this month," he says.

**Other Bugs That Need Urgent Attention**

Other bugs in Microsoft's July update that security experts described as priorities: CVE-2022-30216, CVE-2022-22038, CVE-2022-30221, and CVE-2022-30222.

CVE-2022-30216 is a low-complexity tampering vulnerability in Windows Server Service that would allow an authenticated attacker to remotely upload a certificate to the Server service. Microsoft described the vulnerability as one that is more likely to be exploited because it requires no user interaction and low-level privileges. "While this is listed at 'Tampering', an attacker who could install their own certificate on a target system could use this bug for various purposes, including code execution," Trend Micro's ZDI said. "Definitely test and deploy this patch quickly — especially to your critical servers.”

CVE-2022-22038 is a Remote Procedure Call Runtime remote code execution vulnerability that could allow an unauthenticated attack to execute malicious code on a vulnerable system. Microsoft identified the bug as being complex to exploit because it requires an attacker "to invest time in repeated exploitation attempts through sending constant or intermittent data." Trend Micro's ZDI assessed the bug as having properties that could potentially make it wormable. "If the exploit complexity were low, which some would argue since the attempts could likely be scripted, the CVSS would be 9.8. Test and deploy this one quickly," the security vendor noted.

CVE-2022-30221 is a remote code execution vulnerability in the Windows Graphics Component. An attacker can exploit the vulnerability by convincing a user to connect to a malicious RDP server. An adversary who succeeds in doing that would be able to execute code in the context of the affected system's user, Microsoft said.

"On the surface, this one looks nasty," Kevin Breen, director of cyber threat research at Immersive Labs, said in emailed comments to Dark Reading. Microsoft has marked the vulnerability as less likely to be exploited because an attacker would need to first run a malicious RDP server and then convince a victim to connect to it. "This is not as far-fetched as it first sounds, as RDP shortcut files could be emailed to target victims, and these file types may not flag as malicious by email scanners and filters," Breen said.

CVE-2022-30222 is another remote code execution vulnerability — this time in the Windows Shell graphical user interface. The flaw allows an unauthenticated attacker to execute code on a vulnerable system by interacting with the login screen in a specific manner, Microsoft noted. Attacks targeting the flaw likely involve little complexity and no user interaction.

"Whilst this is titled as a Remote Code Execution vulnerability, the description suggests that this is actually a Local Code Execution vulnerability," Breen said. It appears the flaw would allow an attacker to run arbitrary command from the login page as authentication is not required, he noted. "Microsoft has suggested this is less likely to be exploited. But if you use RDP, definitely prioritize this patch," Breen said.

**Windows Print Spooler Flaws Make a Comeback**

Microsoft's July update also contains fixes for four flaws in Windows Print Spooler (CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, and CVE-2022-30226). Flaws in Print Spooler have been a major problem for Windows users in recent years. One of the most notable recent flaws in the technology was PrintNightmare, a remote code execution bug that affected all Windows versions and prompted an advisory from the US government and others on the need for organizations to address it urgently.

"We have seen a steady stream of vulnerability disclosures in the Print Spooler Service since the original PrintNightmare flaws were disclosed in June (CVE-2021-1675) and early July of 2021 (CVE-2021-34527)," said Satnam Narang, senior staff research engineer at Tenable, in comments emailed to Dark Reading. The flaws that Microsoft has addressed in the technology are elevation of privilege flaws, which provide attackers the ability to gain system-level privileges on vulnerable systems, he said.

The risk with these four fixes is the potential to impact print functionality, Ivanti's Goettl says.

"Since PrintNightmare, there have been many Print Spooler fixes, and in more than one of those patch Tuesday events, the changes have resulted in operational impacts," he says. "This makes administrators a little gun-shy and warrants some extra testing to ensure no negative issues occur in their organization."

**Surfeit of Azure Site Recovery Bugs**

Goettl says Microsoft resolved 33 vulnerabilities in Azure Site Recovery that could allow attackers to take a variety of actions including remote code execution, privilege escalation, and information-stealing. None of the vulnerabilities have been publicly disclosed or are currently being exploited, but the concern is in the number of vulnerabilities that were fixed, Goettl notes. "They were identified by several independent researchers and anonymous parties, which means the knowledge of how to exploit these vulnerabilities is a bit more broadly distributed," he says.

And, resolution of these flaws is not simple: It requires signing into each process server as an administrator, then downloading and installing the latest version. "Vulnerabilities like this are often easy to lose track of, as they are not managed by the typical patch management process," he notes.

Microsoft Issues Fixes for 84 Vulnerabilities: Here's What to Patch Now

LONDON and BOSTON - July 12, 2022- Privitar, the leader in modern data provisioning, today announced it has acquired Kormoon, a software platform that helps organizations manage the complexities of data privacy regulations by analyzing data usage, assessing risk, and automating compliance. Kormoon’s powerful technology will be used to extend the functionality of Privitar’s market-leading data privacy and provisioning offerings, adding new capabilities to quickly enable organizations to understand and comply with the rules governing data.

“Using data in a lawful and compliant way is often complicated, slow, and expensive. Navigating the complex web of data privacy, data sovereignty, and industry-specific regulations is incredibly challenging,” said Jason du Preez, CEO and co-founder of Privitar. “With the acquisition of Kormoon, Privitar is reinforcing our commitment to helping organizations use all of their data safely, ethically and in a compliant manner. Kormoon makes navigating data compliance incredibly simple. By combining Kormoon with Privitar’s world-class data privacy and modern data provisioning solutions, we are enabling data executives to streamline and automate compliance to ever-changing privacy rules and regulations.”

Kormoon calculates, communicates, and automates the steps to comply with relevant data rules including data privacy and protection, data localization, and cross-border transfer requirements. These include data compliance rules and requirements from around the world including Europe’s GDPR, Brazil’s LGPD, USA’s HIPAA and CCPA, and also new and emerging laws in countries such as the UAE, Saudi Arabia, China, India, and beyond. Combining powerful automation technology and inputs from expert advisors to assess an organization's level of risk, the Kormoon solution provides a simplified workflow to ensure requirements are met. Kormoon’s prescriptive guidance makes it simple for users to provide details about the data an organization collects, where they collect, access, and use it, and the data’s purpose, then recommends clear steps and actions for achieving data compliance.

“Kormoon's platform aims to improve time and cost efficiency of providing data privacy and protection advice to businesses worldwide. We help organizations understand and keep on top of data compliance rules by providing them with a simple workflow, access to regularly updated knowledge, and a cost-effective way to understand what it is that they need to do,” said Paul McCormack, founder of Kormoon. “By uniting with Privitar, we are empowering organizations with a one-stop-shop that ensures that their data is safe, compliant, and accessible for decision making.”

**About Privitar**

Privitar empowers organizations to use their data safely and ethically. Our modern data provisioning solution builds collaborative workflows and policy-based data privacy and access controls into data operations. Only Privitar has the right combination of technology, domain expertise, and best practices to support data-driven innovation while navigating regulations and protecting customer trust.

Founded in 2014, Privitar is headquartered in London, with regional headquarters in Boston and locations throughout the US and Europe. For more information, visit www.privitar.com.

**About Kormoon**

Kormoon is a software platform that calculates, communicates, and automates the steps professionals need to take to comply with relevant data rules, including data privacy and protection, data localization, and cross-border transfer requirements.

Privitar Announces Kormoon Acquisition, Extending Data Privacy and Provisioning Capabilities

Data quality is key in an effective TDIR solution. Omdia's threat detection data life cycle highlights the considerations for effective data-driven threat detection.

Threat detection, investigation, and response (TDIR) solutions all rely on data to deliver accurate, consistent, and performant threat detection, prioritization, and analysis. Enterprises need good data from the right places, refined and applied in the right ways, to detect and ultimately mitigate threats.

For that reason, Omdia believes taking a data-driven life-cycle approach is the best strategy to ensure data-related elements of the TDIR process are effective.

Below is a brief review of the steps in the Omdia threat detection data life cycle, a multistage process through which enterprise cybersecurity operations (SecOps) leaders may consider the tactical implications of how data is utilized by their TDIR solutions for the purpose of threat detection.

*   **Acquisition:** Identify the relevant data types or sources pertinent to the threat detection process, confirm the location of the data, and identify the steps for acquiring this data, both technical and business.
*   **Ingestion:** Threat detection data must be confirmed as valid and permitted for the system where it will be utilized, and then ingested in streaming real-time mode or batched and ingested at intervals based on different factors.
*   **Processing:** Unprocessed logs are analyzed in detail to determine key characteristics, such as origin, source format or schema, and data values or elements. It is often necessary to reformat or parse the logs into a preferred format to ensure consistency and accelerate other steps in the life cycle. After parsing, data is validated to ensure it conforms to system parameters.
*   **Normalization:** Unnecessary, and redundant data is deduplicated, reduced, and/or removed; new solution-specific fields are added, and the output is further standardized with common metadata classifiers. Logs that enter the system with significant variances are adjusted to appear similar.
*   **Bypassing normalization:** Some threat detection data systems intentionally do not conduct a normalization stage. In this scenario, the normalization step is skipped, and data moves directly from processing into categorization.
*   **Categorization:** The contents of the data are further examined to identify which established system attributes should be assigned to the data. The purpose of categorization is to delineate the contextual relevance of the data during subsequent analysis.
*   **Enrichment:** New data is augmented with additional data attributes that add context or create logical connections to other data, system-defined attributes, or events. In nearly all instances effective enrichment is driven at least in part by analytics, technology that analyzes data over time, identifies patterns in the data, and creates a baseline of so-called "normal" or expected activity for a given use case.
*   **Indexing:** Data is added to an index that denotes where it is located within the storage system. An index exists to optimize the performance of the system when the data is accessed.
*   **Storage:** Data then enters the storage phase, typically for a definite period, based on policy. Contemporary TDIR solutions increasingly rely on cloud-based data-lake technology, residing either directly in a public cloud environment or in a third-party environment managed by the vendor or provider.
*   **Analysis:** Once added to the dataset, data is analyzed on an ongoing basis. Many TDIR solutions reanalyze the existing dataset when new data is added. Analysis also occurs on a per query basis, as well as for proactive threat hunting.
*   **Valuation:** Process by which the business value of all lifecycle data is evaluated on an ongoing basis in support of TDIR process improvement or desired business outcomes.

Omdia believes achieving different, better results from TDIR requires the implementation of different, better approaches within the threat detection data life cycle.

Though there are inherent challenges with the life cycle, especially in the areas of data processing and normalization, there are also fascinating innovations taking root, particularly customized categorization schemas (nonstandard indexing to accelerated data analysis) and security data lake-houses (storage environments that combine the best of data lakes and data warehouse).

Regardless, a process-centric approach to the threat detection data life cycle with careful attention to detail will provide better, more consistent TDIR results, and set the stage for further data life-cycle innovation.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Understanding the Omdia Threat Detection Data Life Cycle

Several pieces of Black Hat USA research will explore container design weaknesses and escalation of privilege attacks that can lead to container escapes.

In what's shaping up to be a summer of container escapes, a pair of talks slated for Black Hat USA next month will explore the kinds of architectural weaknesses in operating systems and in container platforms that can make it easy for attackers break down the barriers of container isolation and run roughshod over cloud infrastructure.

In one talk, "The COW (Container on Window) Who Escaped the Silo," the research will explore the inherent security architectural design problems in the way that Windows containers are isolated from the real host settings. Eran Segal, research team leader of SafeBreach, says he will delve into the technical details that show how Windows kernel architecture isn't built to handle containers with the same kind of native security capabilities as Linux kernel architecture. Some of the workarounds Windows has built in response to implement containers leaves Windows containers open to attack.

"Windows containers isolated as 'process isolation' are not isolated well and it is possible to impact the host from inside," Segal explains.

He's saving the technical details for his Black Hat presentation, but offers a tease that his demonstration will show how an attacker can create a malicious container with low privileges that can communicate with other containers and start wreaking havoc on the host.

"I can't share it before the talk, but I can say that I'll gain a permissions system inside the container, cause a DoS to the host, and manage to access the entire kernel memory, and it is highly possible that the kernel memory contains passwords," Segal says.

He hopes that the discussion will offer security practitioners and fellow researchers a glimpse into the mechanics behind how Windows containers are built, the vulnerabilities he found with them, and how to start rooting out flaws similar to the ones he'll recap.

"They will learn about the internals of process isolated Windows containers, the internals of the vulnerabilities I found, and a recipe for finding additional vulnerabilities such as the ones I found," he says.

**Attack Techniques**

The exploration of container escapes like the one Segal will demonstrate is not a new field of security research, but it is one that has been heating up considerably of late. Just last month at RSA Conference, executives with CrowdStrike detailed attack techniques that could take advantage of a bug they discovered in March in the CRI-O container engine that underpins Kubernetes. That demonstration showed how this cr8escape bug could be used by attackers to escape containers and gain root access on the host.

And last week, news broke of a flaw dubbed FabricScape that posed serious container escape risk from Linux containers within Microsoft's Azure Service Fabric technology. Discovered by security researchers from Palo Alto Networks, details of the flaw were released last week as a follow-on to Microsoft's patch that fixed the issue on June 14. The vulnerability was in a logging function with high privileges in Service Fabric's Data Collection Agent (DCA).

"The vulnerability could allow malicious actors to take over Linux hosting environments. It allows a compromised container to escape and take over the cluster running it," wrote Aviv Sasson and Ariel Zelivanski of Palo Alto's Unit 42 research team. “Containers could become malicious if they are broken into through either a known vulnerability or zero-day vulnerability, or through a supply-chain attack such as typosquatting or a malicious package."

Unit 42 researchers have been on a tear with container escape research this summer. A pair of researchers from the team, Yuval Avrahami and Shaul Ben Hai, will present the other big container escape talk at Black Hat next month. "Kubernetes Privilege Escalation: Container Escape == Cluster Admin?" will take a deep dive look into how attackers can abuse service account tokens in system pods to turn a single container escape into an attack that can take over an entire Kubernetes cluster. The researchers also will also present tools to help discover these pods within infrastructure and identify privilege escalation paths in a cluster. That will help security defenders better harden their container infrastructure from escapes and broader escalation of privileges on the host.

Don't Have a COW: Containers on Windows and Other Container-Escape Research

New data from security training provider shows half of untrained users in consulting, energy, and healthcare industries fall for phishing attacks.

Phishing attacks just won't die, and new data underscores their effectiveness among users who have not been provided security awareness training.

According to data pulled from security awareness training provider KnowBe4's clients, 32.4% of users will fall for a phish — clicking on a link or following a phony request — if those users have not had any official training. The disconnect is worse in some industry sectors, including consulting, energy and utilities, and healthcare and pharmaceuticals, where half of all untrained users fall for phishing attacks.

The data was pulled from 23.4 million simulated phishing tests conducted at more than 30,000 organizations, encompassing some 9.5 million users. According to KnowBe4, 90 days after monthly or more training, the number of phishing test fails dropped to around 17.6%, and to 5% after one year of regular awareness training.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading