Google last week reported seven vulnerabilities in the browser, four of which it rated as high severity.

The US Cybersecurity and Infrastructure Agency (CISA) Friday urged users and administrators to update to a new version of Chrome that Google released last week to fix a total of seven vulnerabilities in its browser.

In an advisory, Google described four of the flaws — three of which were reported to the company by external researchers — as presenting a high risk for organizations. The company said it had decided to restrict access to bug details until most users have updated to the new version of Chrome (102.0.5005.115).

One of the vulnerabilities is a so-called use after free issue in the WebGPU application programming interface for functions such as computation and rendering on a Graphics Processing Unit. The bug (CVE-2022-2007) is remotely exploitable and can have an impact on the confidentiality, integrity, and availability of affected systems, according to a description of the flaw on vulnerability database VulDB. "No form of authentication is needed for exploitation. It demands that the victim is doing some kind of user interaction," VulDB noted.

Google awarded $10,000 to the security researcher who reported the flaw to the company in May. VulDB estimated the price for an exploit for the flaw to be between $5,000 and $25,000 currently, though that could go up soon, it noted.

The second flaw is an out-of-bounds memory access use in the WebGL API for rendering 2D and 3D graphics. Two researchers from Vietnamese firm VinCSS Internet Security Services reported the bug (CVE-2022-2008) in April. VulDB described the flaw as being remotely exploitable but requiring at least some user interaction by the victim. The flaw appears to be easily exploitable and requires no authentication, VulDB said. Google's advisory noted the reward for disclosing the vulnerability had yet to be determined.

The third high-severity vulnerability that the new Chrome version addresses (CVE-2022-2010) is an out-of-bound read issue in compositing or in rendering Web page content. A security researcher with Google's own Project Zero bug hunting team discovered the vulnerability in May. Like the other two flaws, this one also affects the confidentiality, integrity, and availability of affected systems, VulDB said.

The fourth high severity vulnerability that Google disclosed is a use-after-free issue that an external security researcher reported to the company in May. The flaw (CVE-2022-2011) exists in ANGLE, a function that Google describes as an "almost native Graphics Layer engine" in Chrome. The memory corruption vulnerability has a near identical impact as the other three, based on VulDB's description of the issue.

**CISA: Flaws Allow Attackers to Take Control of Affected Systems**

CISA urged organizations to review Google's Chrome release note and apply the update to mitigate risk. "Google has released Chrome version 102.0.5005.115 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system," it said.

The seven flaws that Google addressed with its latest Chrome version is considerably smaller in number than some other recent Chrome-related bug disclosures from the company. A Chrome update that Google released on May 24 included fixes for 32 flaws, one of which was rated as being of critical severity while seven others were rated as being highly critical. Another update, also in May, contained fixes for 13 flaws, eight of which the company rated as being of high severity.

CISA Recommends Organizations Update to the Latest Version of Google Chrome

Employee email compromise potentially exposed patients' medical information, including lab test results and dates of services.

Kaiser Permanente recently revealed that an employee email compromise on April 5 left personal medical information on nearly 70,000 of its patients at risk of compromise.

Although Kaiser said the attacker had access for only a couple of hours and there is no evidence that sensitive data was breached, patient information including first and last name, medical record number, dates of service, and lab test results were involved, the company said in a notice about the incident. 

The US Department of Health and Human Services Office for Civil Rights is investigating the compromise, which took place at the Kaiser Foundation Health Plan of Washington and potentially impacted a total of 69,589 patients, its website said. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Kaiser Permanente Breach Exposes Data on 70K Patients

Public Travis CI logs loaded with GitHub, AWS, Docker Hub account tokens, and other sensitive data could be leveraged for lateral cloud attacks.

A security flaw in the Travis CI API has left tens of thousands of developers' user tokens and other sensitive information exposed to attack, as threat actors could use the credentials to wage attacks in cloud services, including GitHub, Amazon Web Services (AWS), and Docker Hub.

The issue was first reported as far back as 2015, but the vulnerability in the API can still be exploited to launch attacks laterally across the cloud, according to a new blog post from Team Nautilus, which notes that all free-tier users of Travis CI are at risk.  

The Travis CI API is commonly used by developers to test apps, and during their research the analysts were able to access more than 770 million cleartext logs, chock-full of the kind of sensitive data that threat actors could leverage to move laterally across cloud services for malicious activity. 

"We disclosed our findings to Travis which responded that this issue is 'by design', so all the secrets are currently available," according to the post on the Travis CI API vulnerability. "All Travis CI free tier users are potentially exposed, so we recommend rotating your keys immediately."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Exposed Travis CI API Leaves All Free-Tier Users Open to Attack

Cut away everything that costs more attention, storage, or time than its impact is worth.

One of my favorite quotes comes from John Naisbitt's book _Megatrends_: "We are drowning in information but starved for knowledge." This quote so accurately captures much of modern life. In particular, it succinctly describes the state of many enterprise security programs that, unfortunately, suffer from high levels of false-positives and other "noise" that reduce their effectiveness.

To understand why security teams are so held back by noise, we must first understand the consequences of noise for the security team. While not an exhaustive list, here are a few key repercussions.

**Wasted cycles****:** When security teams build a workflow around a centralized work queue, that work queue needs to be attended to — from triage and incident-handling to analysis, investigation, forensics, and recovery. That means that all events in the queue need to be prioritized and reviewed. Noise fills this queue with items to review that do not add value to the security program. In other words, noise wastes the security team's precious and valuable cycles.

**Missed true-positives**:**** The phrase "finding a needle in a haystack" is an apt one in security, and in security operations in particular. The needle represents true-positive security incidents, while the haystack represents false-positives. The more false-positives there are, the more difficult that makes finding the real security incidents that are buried in the noise.

**Increased infrastructure costs**:**** Noise also comes with an infrastructure cost. Each log, alert, and event, regardless of whether it adds value, must be retained. Thus, if the team is collecting a large amount of information that adds little to no value, they are merely using excess infrastructure. This comes with a cost that takes budget away from areas where it could add significantly more value. Identifying budget for a never-ending list of security priorities is always high on the list for security leaders.

**Skewed metrics**:**** False positives tend to skew metrics. Certain metrics, particularly those that focus on percentage of time spent on security incidents, ratios of true-positives to false-positives, volume of incidents, number of incidents handled, and analyst time per incident will be highly affected by the volume of noise. The lower the rate of false positives can be, the more accurately and favorably these metrics will turn out.

**How to Eliminate the Noise**

Knowing a few of the reasons why false-positives and noise negatively affect our security program helps us build a plan to address the problem. Here are nine suggestions that I've found helpful over the course of my career.

**1\. Begin with risk**:**** Not surprisingly, a firm understanding of and commitment to risk is the strongest of bases for building a strong security program. Assess the risks and threats to the enterprise, understand what within the enterprise they affect, and learn the potential cost and potential for damage and loss associated with each one.

**2\.** **Create goals and priorities**:**** Selecting when to address what is one of the most important strategic decisions a security team can make. Prioritize the risks and threats enumerated in the previous step and create goals and priorities that will be addressed both near-term and longer-term.

**3\. Assess impact**:**** Identifying critical assets, key resources, and important data stores, among other things, helps the team understand the potential impact of an incident. Knowing where the most sensitive and important assets, resources, and data are helps focus the team on where gaps in telemetry exist.

**4\. Identify data overkill and gaps**:**** Understand the existing telemetry collection in place and evaluate whether each data source contributes to improving detection for the security team. If it doesn't, then collecting it just adds infrastructure costs while not adding value. Identify gaps in telemetry that leave the team blind to potential security incidents and develop a plan to address those gaps.

**5\. Consider technology overkill and gaps**:**** Look closely at existing technology that is in place. Examine where technology is helpful, such as producing highly reliable security alerting, collecting valuable telemetry data, or making process and workflow more efficient. Keep a close eye on where technology is fighting, rather than helping, the security team, as well as where gaps exist in telemetry and detection.

**6\. Throw out the default rule set**:**** Rules, signatures, and other detection techniques that generate a large volume of noise do not add value to the security program. Instead, they bury the team in false-positives and actively work against timely and accurate detection of security incidents. It may sound radical, but there are far more benefits to throwing out the default rule set than there are disadvantages.

**7\. Implement tight detection****:** Truly embracing the "less is more" philosophy includes incisively interrogating the data to produce high-fidelity, high-reliability alerts and events. While implementing more sophisticated approaches to detection requires a significant time investment up front, it pays big dividends. The better the alerting and eventing, the more signal and the less noise the work queue will have.

**8\. Focus on process**:**** The highest quality work queue in the world won't help when there are broken or nonexistent processes. A world-class security team has mature, efficient, and effective processes that guide and govern how they work.

**9\. Continuously improve**:**** No security program is in an ideal state, and the best security teams are keenly aware of their weaknesses and opportunities for improvement. Taking lessons learned from each of the above points and using them to continuously improve the security program is critical to its long-term success.

The conventional wisdom that more data, more events, and more alerts make for better detection is outdated and misinformed. Through a strategic focus on risk and a methodical approach to reducing noise, enterprises can improve both the state of their detection capabilities and the maturity of their security programs. Improving the signal-to-noise ratio and embracing the "less is more" philosophy for security can help enterprises detect security incidents sooner and more accurately while wasting significantly fewer resources on false-positives and noise.

In Security, Less Is More

In this new episode of Tech Talks, Darktrace's Tony Jarvis and Dark Reading's Terry Sweeney discuss how to protect networks after the death of the perimeter.

The pandemic-propelled shift to work-from-home and bring-your-own-devices accelerated the already expanding move to the cloud. IDC predicts that global cloud spending will grow from $703 billion in 2021 to $1.3 trillion in 2025. Statista reports that the percentage of corporate data stored on the cloud rose from 30% in 2015 to 48% at the beginning of the COVID-19 crisis in 2019; so far in 2022, 60% of corporate data lives in the cloud rather than on-premises networks.

In this installment of Tech Talks, Tony Jarvis, director of enterprise security for Asia Pacific and Japan for Darktrace, and Dark Reading contributing editor Terry Sweeney discuss the rise of the cloud, the decline of on-premises, and the possible death of the traditional perimeter in the wake of those technological shifts. 

"There's a lot of digital transformation that's taken place virtually overnight," Jarvis says. "Some organizations are struggling with this. And for that reason, they're not going to fully abandon on-premise networks anytime soon."

Indeed, a recent InformationWeek report shows that while IT pros widely use cloud services, they believe the cloud is less secure than their traditional on-premises systems. Over half of respondents (55%) would keep sensitive data on-prem if they could, the report indicates.

As on-premises networks decline in favor of cloud resources, however, those IT departments need new security measures to accommodate the new IT environment. 

"There's no real perimeter anymore — not in the traditional sense — and that means that things can get in through a number of different ways. We need to get better at detecting that," Jarvis says.

New incursion paths require new ways to guard against invasion. At the beginning of 2022, the US Office of Management and Budget released a detailed blueprint for security measures it requires government agencies and vendors to implement, and zero-trust policies ranked prominently. Sweeney asked Jarvis whether he thinks zero-trust architectures can keep endpoint devices secure when they're away from VPNs.

"I think of zero trust almost like a new set of rules or a new perimeter. And we want to be looking for anomalies taking place within that perimeter," Jarvis says. That means looking for unusual behaviors that will give away an attacker's motivations, such as lateral movement and living-off-the-land techniques. Artificial intelligence tools can automatically look for deviations from the norm and cut off those actions.

Of course, cloud security means accepting that attackers don't care if they are targeting cloud or on-premises systems. Focusing on one at the expense of the other is a problem. The attacks will focus on wherever they see weakness.

"We're always thinking not in terms of good or bad per se, but more in terms of normal — Does this belong in the environment? — and then, by association, unusual," Jarvis said. "Attackers will always go after the weak spots; they'll go after whatever gives them the greatest chance of getting in, no matter where that is."

Tony Jarvis on Shifting Security Gears as We Move to the Cloud

The annual report is always filled with useful security information. Here are several of the most important lessons from this year's edition.

The data in the new Verizon "Data Breach Investigations Report" (DBIR) offers critical insights into the current state of cybersecurity. After a year of data breaches and cyberattacks consistently dominating headlines, this year's report closely examines what adversaries are looking for when they're trying to infiltrate businesses and organizations. This year's DBIR, the 15th edition, confirms what we assumed: Cyber threats are on the rise and we must work together to better our security posture. The findings collected in the report are timely for the trained security researcher, but here are three takeaways I think are the most important.

**Conducting the Symphony of Disruption**

The most common action that adversaries are taking to disrupt their target's IT ecosystem is launching denial-of-service (DoS) attacks that effectively flood a network with traffic or information in the pursuit of crashing it. The 2022 DBIR says that 46% of all incidents were DoS attacks, followed by remote access–led attacks, including backdoor and command-and-control-based attacks. Distracting and disrupting the IT and security teams in this way can help obfuscate and bury the other adversarial activities in their toolkit as they look for their initial access.

Ransomware, phishing, stolen credentials, and several other types of attacks round out the list, but one attack vector stands out from the rest. More than 60% of security incidents over the past year were conducted through a Web application, consistent with data collected by Verizon in past years.

Because Web applications — closely followed by email — are where your organization most frequently connects to the Internet, it makes sense that they'd be the primary vectors for threat actors trying to breach your environment. While a Web application may fall victim to a hacker proficient with SQL or with an exploit handy, email is the domain of virtually every employee at every organization. That's why social engineering played a role in nearly all 5,212 breaches recorded in the 2022 DBIR.

**Is Your Human Secure?**

The 2022 DBIR highlights the importance of maintaining a strong security awareness program, which I believe is a critical element of securing an organization. Just about 82% of all breaches recorded last year involved social engineering in some form, with threat actors preferring to phish their targets via email more than 60% of the time.

Though the DBIR found just 2.9% of employees actually clicked on phishing emails last year, that's more than enough for hackers to work with, especially if they're able to steal credentials or dump their malware of choice following the phish. For me, the important point is that there is a continuing trend for staff to report more phishing attempts – and even more importantly, to report them after they have responded to a phishing email.

Building an organizational culture that allows staff to be comfortable admitting they were duped is a difficult task because security awareness traditionally is a stick used to punish people and a metric to cover the company's compliance checkboxes.

Security leaders need to create a program that goes of their organization and doesn't just shame them for failing. For example, we need to create programs that don't automatically "fail" someone for clicking a link, because that's why links exist! A program that seeks to trick their own colleagues into failing is generally unproductive in the educational process and does almost nothing for the company's security posture.

A good security awareness training program is consistent, targeted, and limited in scope to allow employees to learn and practice one security skill at a time. Avoiding information overload will keep employees engaged and ready for emerging threats.

And lastly, security awareness is not just a corporate project. Strong awareness and education will help staff be more aware of digital risks in their personal lives as well. Well-implemented security awareness programs take advantage of this blurring to encourage their staff to care about security.

**The Ransomware Business Is Booming**

Ransomware, to nobody's surprise, is increasing in frequency by 13% over the prior year, with almost 70% of malware breaches involving some form of it. The dramatic increase in ransomware attacks — as large as the increases of the last five years combined, according to the report — makes sense, as hackers looking to make a quick buck need only encrypt their target's data rather than seek out specific financial information or credentials within their environment.

The report also states that 40% of ransomware incidents last year involved the use of desktop-sharing software. For example, cybercriminals used this tactic when exploiting vulnerabilities in Microsoft RDP, or just weak or stolen user credentials. On the other hand, 35% of ransomware incidents involved the use of email, leading to researchers recommending that organizations lock down their RDP and ensure their emails are scanned for potential phishing attempts. How we are in 2022 and still suffering from attacks over such a well-known attack vector as email is surely one of the biggest questions to come out of this report.

**Final Thoughts**

The DBIR is an excellent resource for the cybersecurity community to evaluate a tumultuous past 12 months, and the data within can be evaluated to predict the trends in attack types, vectors, and the motivations of hackers throughout the next year. In 2021, adversaries made it clear they were more focused on money than anything else, and with vulnerability exploits doubling from the previous year, it's a safe bet to say that once again the fundamentals of cybersecurity – across both IT hygiene and human engagement – will be the key to reducing the risk of damage and loss.

3 Big Takeaways From the Verizon DBIR 2022

The DoS vulnerability allows an attacker to create a Brotli "zip bomb," resulting in acute performance issues on Envoy proxy servers.

Researchers have discovered a denial-of-service (DoS) vulnerability in Envoy Proxy, which gives attackers the opportunity to crash the proxy server.

This could lead to performance degradation or unavailability of resources handled by the proxy, according to JFrog Security Research, which disclosed the vulnerability (CVE-2022-29225).

Envoy is a widely used open source edge and service proxy server designed for cloud-native applications and high-traffic websites. It can decompress both GZip and Brotli data (two compression formats), but it doesn't implement a size limit for the output buffer for the latter, JFrog found. This means that a near-unlimited amount of data could clog the buffer if attacked by a "zip bomb" — i.e., a malicious archive file designed to crash or render useless a program or system.

The vulnerability could thus be exploited by a malicious actor uploading a Brotli zip bomb to the server, resulting in acute performance issues.

"In most cases the machine's memory will not be able to handle such large amounts of data and the Envoy process will eventually crash," the JFrog blog post warned. "In most cases, before the process crashes, there will be severe performance issues due to the processor allocating a lot of resources to the decompression process."

The blog post advised users to upgrade to Envoy version 1.19.5, 1.20.4, 1.21.3, or 1.22.1, which it said would completely fix the issue. However, organizations that can't make the upgrade are advised to prohibit their configuration from allowing Brotli decompression. This can be done by removing the Brotli decompressor in its entirety, or otherwise replacing it with the Gzip decompressor.

Davis McCarthy, principal security researcher at Valtix, a provider of cloud-native network security services, explains that open source technology is often susceptible to vulnerabilities that can be exploited using older attack vectors — like a zip-bomb for exhausting memory.

“The cloud serves many always-on applications, which often leads to a lack of patching,” McCarthy says. "CVE-2022-29225 highlights the importance of cloud exploitation research, as this attack surface is growing."

He adds that when responsible disclosure occurs, virtual patching becomes an excellent mitigation option for attacks in the cloud.

DoS Vulnerability Allows Easy Envoy Proxy Crashes

Tune into Dark Reading's News Desk interviews with the industry’s leaders, discussing news and hot topics, such as this year’s "Transofrm" theme, at RSA Conference 2022 in San Francisco

RSA CONFERENCE 2022 -- San Francisco -- The tag line for RSA Conference is "Where the world talks security," and security leaders covered a whole gamut of topics at Dark Reading's News Desk last week. From new security frameworks and technologies such as secure service edge, extended detection and response (XDR), and confidential computing; to security best practices such as resilience and risk-based prioritization, these News Desk segments covered a lot of ground. There were conversations about automation and the cloud, as well. Check out the YouTube playlist of all the topics that came out of Dark Reading News Desk during RSA Conference 2022 in San Francisco.

Lookout on Getting It Right at the Secure Service Edge

By implementing Secure Service Edge technology, security pros can consolidate their cloud access security broker, secure Web gateway, and zero-trust offerings on to a single platform, according to Jim Dolce, CEO and chairman of Lookout Security.

Concentric AI on How To Maximize Your AI Returns, In and Out of the SOC

Artificial intelligence has transformed the security landscape and given security professionals powerful tools to do their jobs more efficiently, says Karthik Krishnan, CEO and founder of Concentric AI.

DeepSurface on Risk-Based Prioritization Adds New Depth to Vulnerability Management

DeepSurface’s CTO Tim Morgan talks about how context awareness and risk-based prioritization can fortify vulnerability management. Morgan also encourages security pros to look beyond CVSS scores when performing risk assessments.

Anjuna Security on Tapping ‘Confidential Computing’ to Secure Data, Users, and Organizations

Ayal Yogev, CEO and co-founder of Anjuna Security, describes the emerging model of Confidential Computing, as well as how it leverages enclaves and creates Trusted Execution Environments, which isolates data from unauthorized access. 

Seemplicity on Security Security & Productivity: The New Power Couple

Scanning and remediation are handicapped without some robust automation to power them, says Ravid Circus, co-founder and Chief Product Officer of Seemplicity, who’s looking to accelerate time-to-remediation and reducing risk.

ReliaQuest Bolsters Extended Detection With Threat Intelligence

Customers consistently struggle to get from reactivity to a proactive security strategy, but combining extended detection response (XDR) with threat intelligence is a big step in that direction, says ReliaQuest CTO Joe Partlow. 

Automox Adds Automation to Patching, Vuln Management

Patching and patch management remain among security pros’ biggest pain points; Paul Zimski, VP of product strategy for Automox, believes adding automation to the mix can make a serious dent in the patching equation for most organizations.

Uptycs on Observability Is Key to Cloud Security

Transformation is a key theme at RSAC 2022, and Uptycs founder Ganesh Pai weighs in on how cloud security teams can reduce risk and lock things down more tightly. He also talks about how security observability can drive innovation for organizations. 

Lacework Blends Artificial Intelligence and Automation To Bolster Cloud Security

Artificial intelligence is essential for endowing multicloud environments with greater visibility, insights and actions, according to Mark Nunnikhoven, distinguished cloud strategist for Lacework. 

BAE Systems on Want Better Security? Up Your Collaboration Game

"Information sharing and collaboration are essential to good security, says Peder Jungck, VP and general manager of BAE Systems Inc.’s Intelligence Solutions. That effect is compounded when info is shared across companies and industries, he adds. 

Sophos on Keeping Tabs on the Bad Guys Using Threat Research

John Shier, senior security advisor for Sophos, shares original research data on adversaries and the ongoing scourge of ransomware. Spoiler alert: Things aren’t getting better, as bad actors pivot to more sophisticated tactics to avoid detection. 

Cisco Makes Resilience a Cornerstone of Security Strategy

RSA keynoter and Cisco executive Jeetu Patel talks to the Dark Reading News Desk about the power of information sharing, an integrated approach to security, and how to give users controlled, trusted access to applications and services.

Okta on Identity-First Security Helps Reduce and Neutralize Enterprise Threats

Okta’s Marc Rogers and Auth0’s Jameeka Aaron discuss the biggest threats connected to identity, as well as how the move to hybrid work compounds the challenge of keeping users — and their data — secure. 

Darktrace on Prevent Breaches and Malware With Proactive Defenses

Pressure to reduce and manage risk — internally and externally — is more urgent than ever, according to Mike Beck, global CISO for Darktrace. That’s why organizations require more sophistication and integration in their security management platforms. 

Noname Security: Proactiveness Is the Name of the Game In App Security

Software code has come under attack in innovative and deeply troubling ways, says Noname Security’s Shay Levi. These attacks have altered the security landscape for developers and their organizations, as well as suppliers, partners, and customers. 

Sysdig Takes a Deeper Cut At Cloud Security

Cloud security can challenge security pros like nothing else, including workload security issues arising from app design patterns or DevOps practices, says Sysdig’s VP of research and development Omer Azaria. 

Raytheon on A Few Simple Ways To Transform Your Cybersecurity Hiring  

It was already tough to find good, experienced security professionals, then along the came the Great Resignation to make hiring even tougher, notes Jon Check, executive director of cyber protection solutions for Raytheon Intelligence and Space. 

Panther Labs on Mitigating the Security Skills Shortage

Migrating apps to the cloud has set off a hiring frenzy for security pros with expertise related to data analysis and monitoring, observes Jack Naglieri of Panther Labs. It’s also created a big need to make workloads more manageable, he adds.

Application Security Testing Is On the Mend With Automated Remediation

Software developers and security pros alike struggle with application security, and Arabella Hallawell, CMO of Mend, breaks down how automated remediation can improve software composition analysis and application security testing.

Cisco on How To Secure a High-Profile Event Like the Super Bowl

Whether you’re locking down a network or facing fourth down with mere inches, resilience is key, according to Cisco’s TK Keanini and Tomás Maldonado, CISO for the National Football League. In both cases, protection isn’t optional.

Halcyon on How to Blunt the Virulence of the New Ransomware

COVID’s had some company in the last couple years with another mutating scourge: Ransomware. Thanks to the Dark Web, ransomware has scaled up and become more heavily monetized, says Halcyon CEO and co-founder Jon Miller.

Security Leaders Discuss Industry Drivers at Dark Reading's News Desk at RSAC 2022

Humio for Falcon provides long-term, cost-effective data retention with powerful index-free search and analysis of enriched security telemetry across enterprise environments

**AUSTIN, Texas and RSA Conference 2022, SAN FRANCISCO – June 6, 2022 –** CrowdStrike (Nasdaq: CRWD), a leader in cloud-delivered protection of endpoints, cloud workloads, identity and data, today introduced Humio for Falcon, a new capability that extends data retention of CrowdStrike Falcon telemetry for up to one year or longer, enhancing threat analytics and threat hunting abilities for organizations while helping them meet compliance requirements.

Humio for Falcon brings together an industry-leading security platform in CrowdStrike Falcon, with the powerful search capabilities of CrowdStrike’s centralized logging offering, Humio. The new capability gives security teams the ability to store security and IT telemetry from the Falcon platform, which is enriched and contextualized across endpoints, workloads and identities to address the challenge of operationalizing the ever-growing volumes of data. Humio for Falcon helps security teams analyze and act on all data – both real-time and historical data – in their environment. With longer data retention due to advanced compression of ingested data, security teams can uncover and detect potential threats within their environments with deep, contextual analytics and sub-second search results at any scale through a modern, index-free architecture.

“While the data available to threat hunters and incident responders grows at an exponential rate, they are routinely forced to reduce the duration they can store this information,” said Michael Sentonas, chief technology officer at CrowdStrike. “Humio for Falcon solves this problem by delivering scalable and cost-effective data retention that enables threat hunters and incident responders to look back and see if and when an adversary was active in an IT environment and reconcile every system they touched. It’s truly a game-changer in the industry.”

Humio for Falcon provides:

*   **Threat hunting and troubleshooting at unprecedented scale:** By retaining Falcon data for extended periods of time, security teams can proactively search and uncover hidden threats in the environment with sub second speed, remove advanced persistent threats (APTs) by sifting through the data to detect irregularities that might suggest potential malicious behavior and better prioritize and address vulnerabilities before they can be weaponized.
*   **Longer data retention to help meet compliance requirements and reduced cost:** With scalable storage and advanced compression techniques, customers can store and manage Falcon data for one or multiple years, based on customer requirements. This wealth of real-time and historical data enables completeness and accuracy of investigation and analysis, resulting in faster threat remediation.
*   **New user interface (UI) dashboard visualization for fast and custom search:** Feature-rich query language and index-free searches allows security teams to run queries on Falcon data and get immediate answers. Get the ability to seamlessly ingest, aggregate and search through massive security and IT telemetry and gain valuable, contextual insights with sub-second latency searches for meeting real-world security requirements, including advanced threat and vulnerability investigations.

  
“With Humio for Falcon, we were able to save approximately $150,000 in the first year,” said Tom Sipes, director, IT security and compliance at Tuesday Morning. “Also, the ability to save data for an extended time period is critical. When we detect an indicator of compromise, we can go back in time and analyze the entire attack chain to accelerate investigations and pinpoint issues more quickly.”

**Additional Resources**

*   For more information on Humio for Falcon, please visit our blog.
*   To watch a Humio for Falcon demo, please visit this page.
*   Did you know? Humio can ingest over one petabyte of data per day. Humio was also named “Log Analytics Solution of the Year” by the Data Breakthrough Awards for 2022.

  
**About CrowdStrike**  
CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with one of the world’s most advanced cloud-native platforms for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.

Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.

CrowdStrike Introduces Humio for Falcon, Redefining Threat Hunting with Unparalleled Scale and Speed

A Linux-based banking Trojan is a master at staying under the radar.

A stealthy Linux threat called Symbiote is targeting financial institutions in Latin America, with all file, processes, and network artifacts hidden by the malware, making it virtually invisible to detection by live forensics.

The malware was first uncovered in November, according to a blog post by BlackBerry Research. What sets Symbiote apart from other Linux malware is its approach to infecting running processes, rather than using a stand-alone executable file to inflict damage.

It then harvests credentials to provide remote access for the threat actor, exfiltrating credentials as well as storing them locally.

"It operates as a rootkit and hides its presence on the machine. Once it has infected the machine fully, it allows you to see only what it wants you to see," Joakim Kennedy, security researcher at Intezer and author of the BlackBerry blog post, explains. "Essentially, you can't trust what the machine is telling you."

However, it can be detected externally, he says, since it exfiltrates stolen credentials via the DNS requests.

Kennedy says the domain names the malware uses impersonate big banks in Brazil, which also helps it stay under the radar.

"While we couldn't tell based on only what we found, attackers targeting financial institutions are often motivated by potential monetary gain," he says.

**Shared Object Library**

Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows, points out that unlike most malware variants, the Symbiote malware is a shared object library, instead of an executable file.

Symbiote uses the LD\_PRELOAD variable that allows it to be pre-loaded by applications before other shared object libraries.

"This is a sophisticated and evasive technique that can help the malware blend in with legitimate running processes and applications, which is one of the reasons Symbiote is difficult to detect," she says.

The malware also has Berkeley Packet Filter (BPF) hooking functionality. Packet capture tools intercept, or capture, network traffic typically for the purposes of an investigation.

BPF is a tool embedded within several Linux operating systems that allows users to filter out certain packets depending on the type of investigation they are performing, which can reduce the overall results, making analysis easier.

"The Symbiote malware is designed to essentially filter its traffic out of the packet capture results," Hoffman explains. "This is just another layer of stealth used by the attackers to cover their tracks and fly under the radar."

Kennedy adds that this is the first time the BPF hooking functionality has been observed operating in this way, and points out that other malware variants have typically used BPF to receive commands from their command-and-control server.

"This malware instead uses this method to hide network activity," he says. "It's an active measure used by the malware to prevent being detected if someone investigates the infected machine — like covering up its footsteps so it's harder to track down.”

**Easier to Attack?**

Mike Parkin, senior technical engineer at Vulcan Cyber, says there may be a perception on the attacker's part that the targets in Latin America have a less mature security infrastructure and would thus be easier to attack.

He explains that the attackers went out of their way to hide their malware from anything that's running on the infected system, leveraging BPF to hide their communications traffic.

"While this will work on the local host, other network-monitoring tools will be able to identify the hostile traffic and the infected source," he says.

He explains that there are several endpoint tools available that should identify changes on a victim system.

"There are also forensic techniques that can use the malware's own behavior against it to reveal its presence," he notes. "The authors who created Symbiote went to great lengths hide their malware. They leveraged a combination of techniques, though in so doing delivered some indicators of compromise that defenders could use to identify an infection in-situ."

Kennedy says that the most important action is to focus on the techniques used by this malware to ensure that you can detect and/or protect against those, whether you're protecting against Symbiote or another attack that uses the same technique.

"I would say Symbiote, and other recently discovered undetected Linux malware, shows that operating systems other than Windows are not immune to highly evasive malware," he says. "Since it doesn’t get as much attention as Windows malware, we don't know what else is out there that hasn’t been discovered yet."

Source

DARKReading