Ransomware and other financially motivated threat actors joined nation-state-backed groups in leveraging unpatched flaws in attack campaigns, new data shows.

Threat actors exploited more zero-day vulnerabilities in 2021 than any prior year and mostly in software from Microsoft, Google, and Apple.

State-backed advanced persistent threat actors remained the most prolific users of these exploits as has always been the case to date. However, they were not the only ones: financially motivated groups — particularly ransomware operators — sharply ramped up their use of zero-days and accounted for one in three of attackers exploiting these vulnerabilities.

Two separate advisories this week — one from Mandiant and the other from Google's Project Zero security team — identified a big jump last year in software flaws that threat actors exploited before a patch became available. Mandiant counted a total of 80 such flaws in 2021, while Google identified 58 zero-days that were exploited in the wild before being patched.

By Mandiant's count, the 80 zero-day exploits in 2021 represented a 167% increase over the 30 it logged in 2020, and it more than doubled the previous highest number of 32 in 2019. The 58 zero-day exploits that Google counted represented more than double the 25 that company observed in 2020. It was also more than double Google's highest-ever total of 28 zero-days back in 2015.

Vulnerabilities in Microsoft, Google, and Apple accounted for 75% of the zero-days that threat actors exploited last year — a number likely tied to the broad use and popularity of technologies from these three vendors, Mandiant said. A spreadsheet of zero-day flaws that Google has maintained since 2014 shows that 16 of the 58 zero-day exploits the company observed last year were in its own technologies; 21 involved Microsoft products; and 13 were in Apple products. The remaining vulnerabilities involved products from a total of nine other vendors including Qualcomm, Trend Micro, Sonic Wall, Accellion (now Kiteworks), and Pulse Secure, Mandiant said.

    

Source: Mandiant

The data underscores how organizations cannot ignore the potential for threat actors to hunt for and exploit zero-days in less widely used technologies, says James Sadowski, principal analyst at Mandiant.

"While popular vendors remain popular targets for zero-day exploitation, we've gradually seen expansion of both technologies and vendors targeted by zero-day exploitation outside of main vendors," he says.

"Like we observed in the exploitation of Accellion FTA, threat actors can exploit vulnerabilities in these systems and cause significant damage," Sadowski says, referring to a zero-day flaw in a near obsolete Accellion product that led to breaches at multiple large companies.

**Many Reasons Why**  
Mandiant identified multiple potential reasons for the explosion in threat actor use of zero-day exploits last year. The company perceived the increased enterprise adoption of cloud, mobile, and IoT technologies as increasing the volume of software that organizations are using and therefore resulting in the discovery of more bugs. The increase in the number of so-called exploit brokers trading in zero-day vulnerabilities has also been a factor, as have increased investments in research and development by zero-day exploits threat groups. Google, meanwhile, attributed the surge to improved detection and disclosure of zero-day bugs — a factor that Mandiant too said was likely at play.

The security vendor's analysis showed that state-sponsored groups — especially those from China — continue to dominate zero-day exploit use. But there was a noticeable increase in the number of ransomware and other financially motivated threat groups leveraging zero-days in their attacks.

Sadowski says these threat actors are likely acquiring zero-day exploits via underground exploit brokers and criminal service providers. Or they could be recruiting the requisite talent in-house to research vulnerabilities and develop zero-day exploits, as appeared to be the case with the Conti ransomware group — leaked Conti chat files showed the threat actors discussing recently disclosed vulnerabilities and assigning members to build a scanner to identify potentially vulnerable systems.

"As ransomware groups collect increasingly large sums from their operations, we have observed them more frequently employ zero-day exploits in their operations," Sadowski says. Generally, though, it is extremely difficult to identify where a threat actor might have acquired a zero-day exploit, he says.

Bud Broomhead, CEO at Viakoo, says the increased use of zero-day exploits shows that threat actors are shifting their attack vectors away from vulnerabilities that traditional threat assessment and detection solutions would uncover. "That's why not just zero-day threats, but also exploiting IoT vulnerabilities and leveraging open source software, are rapidly growing enterprise threats," he says. The challenge for organizations is figuring out how to limit damage from a successful zero-day breach and figuring out how to protect against exploits targeting new attack vectors.

The growing use of zero-days highlights the need for organizations to have rapid, out-of-band patching capabilities, says John Bambenek, principal threat hunter at Netenrich.

"Organizations need to remain flexible and agile getting these into production," he says. "Remove as many barriers as possible to patching, including streamlining testing and change management."

Zero-Day Exploit Use Exploded in 2021

Security has benefited from shifting many late-cycle disciplines left or earlier in the cycle.

**Question: What does it mean to shift left in security? What steps do I take to start?**

**Vishal Jain, Co-Founder and CTO at Valtix:** Shift left in security should go deeper than just code.

Security has always been an afterthought and was often improved only in reaction to a vulnerability or incident. With app developers shifting many late-cycle disciplines left or earlier in the cycle, security has benefited. Developers now test and scan code earlier, deploying many more secure applications; proactive processes reduce risk by creating robust applications that are less expensive to maintain and secure over time.

However, we are constantly reminded that there is no such thing as an invulnerable application. Log4j is a perfect example. You have ubiquitous code that turns into a _severity 10_ vulnerability. Even with secure development practices, many organizations are still grappling with the impact of the Log4j vulnerability. This highlights another important aspect of shifting security left: depth.

If we assume that there is no such thing as an invulnerable application, then we acknowledge the need for defenses that work outside of the app. And while there are many ways to deploy such defenses (network-based, agent-based, etc.), they all have one thing in common: It's much easier and cheaper to put them in place if we shift left. What does that mean for an organization? It means deploying these controls, the policies using as-code, and constructs like Terraform. In other words, think about, plan, and build these layered defenses when planning and building the app, and you'll skip the scramble when your app becomes vulnerable for a time (i.e., when the next Log4j hits).

These controls are not new, conceptually, but can be implemented in a variety of ways. In layman's terms, we should manage _who_ we are talking to, _how_ we are speaking, and what we are talking about. In other words, these controls (defenses) work outside the app and might look at:

*   **Who:** Controls that look at identification and authentication of users, what organizations they come from, and what countries their traffic originates from. These access controls might go deeper and include various segmentation schemes.
*   **How:** Controls that limit the methods and protocols that access the application, and the kinds of trustworthy/untrustworthy spaces (e.g., unregulated service accessing a compliance-impacted application or service).
*   **What:** Controls that look at the content of the conversation — whether sensitive/confidential information and data that indicates a threat or attack at any level (e.g., network, app).

Organizations react to vulnerable applications by deploying web application firewall (WAF) solutions, installing endpoint protection, and monitoring logs for cyberattacks. Where these defensive capabilities should have already been in place, the app remains vulnerable, and time is spent managing the risk instead of improving processes that secure it. Organizations need to make a hard shift-left on the proactive security processes they need to secure their app.

The practical advice is to think about the depth of your security at each layer of the application's stack. As you shift security left, with depth, you'll have a better, more secure application.

What Steps Do I Take to Shift Left in Security?

Acquisition will blend autonomous threat hunting with cloud-native security analytics for automating security tasks.

Cloud-native logging and security analytics company Devo Technology has acquired Kognos, a provider of autonomous threat hunting tools.

According to Devo, the deal will help the company provide an "autonomous SOC" tool to automate the threat lifecycle, including detection, triage, investigation, and hunting — boosting efficiency and minimizing burnout among security teams.

"For analysts to have any chance of keeping up with today's adversaries, we need to shift the SOC's focus from weeding through thousands of alerts every day to actionable attack stories — the full sequence of steps taken to carry out an attack and an understanding of its impact," Devo CEO Marc van Zadelhoff said in a statement. "Kognos does exactly this with AI that understands attack scenarios in real-time and anticipates the questions analysts ask of their data. Pairing Kognos with Devo enables analysts to move beyond focusing on just alerts and empowers them to take quick, decisive action against threats."

Financial details of the deal were not disclosed.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Devo Acquires Threat Hunting Company Kognos

Biometric measurements should be part of any multifactor authentication (MFA) strategy, but choose your methods carefully: Some only establish trust at the device level.

As the world continues to move essential functions to digital environments, companies need trustworthy methods for verifying who is behind the screen. Multifactor authentication (MFA) has become the standard for preventing cyberattacks, with the US National Cyber Security chief saying it could prevent 80% to 90% of attacks. MFA works by requiring multiple layers of authentication, such as one-time passwords (OTPs), physical hardware tokens, or soft tokens.

While these do a better job of securing access and data than traditional passwords, what are they really verifying? In the case of SMS-delivered OTPs, the system is verifying your access to a phone; with hardware tokens, it's access to a physical card or device. But none of these require the actual person to confirm they are who they say they are. These methods rely on the assumption that the only person accessing these devices is their owner. Clearly, it's a device, rather than a person, that is being verified. So what can organizations do to improve on traditional MFA methods and build trust with the people behind each digital interaction?

Some methods for MFA verification, including hardware tokens and SMS-based OTPs, have been widely adopted, but they present clear challenges for organizations. Phone-based options require access to a smartphone — not something everyone has and not something companies want out in all environments. Token-based systems are not much better; tokens can be lost, forgotten, or easily handed to another user. The clear solution is to have a biometric measurement that is entirely unique to the user as part of any MFA strategy. But not all biometric methods are created equal, and some still only establish trust at the device level.

**Limitations of Device-Based Biometrics**  
Device-based biometrics, such as a fingerprint captured using the built-in sensor on a phone, PC, or dongle, are stored within the device that they are captured on. These systems offer a high level of convenience for the user, as well as strong security for personal use cases. However, device-based biometrics fall into the same trap as other MFA methods — it is still the device, and oftentimes an encrypted key, being verified, rather than the individual person.

Another security concern is that a device-based biometric authentication method unwittingly places the high-trust function of enrollment, or determining access privileges, into the user's control. This opens the possibility for unauthorized delegation where access is granted to someone other than the original person it was assigned to. For example, if a user goes into their iPhone and has TouchID enabled, they can enroll any fingerprints they'd like, including one that isn't theirs. This fundamentally removes an organization's ability to trust who is using the device.

Once again we see that this method confirms a device, not a user. Device-based biometrics are convenient but still don't provide the level of security necessary for completing critical tasks with trust on both sides.

**Benefits of Identity Vetting Using Biometrics**  
Identity verification and binding with biometrics takes a different approach. It endeavors to verify the precise, unique individual human rather than the holder of a device. The first step here is creating a biometric measurement to use like a signature for a person — a piece of data that is uniquely tied to them and can confirm their presence at the authentication step. By first establishing a biometric signature and then storing that centrally rather than on a device, organizations can have something to compare biometric data to.

For example, our company's technique, identity-bound biometrics (IBB), has organizations enroll and store biometric data centrally so that it remains immutable. This returns to the organization the power of determining access privileges instead of leaving device access open to the user. IBB offers high integrity and trust that someone is who they say they are and has the capacity to positively identify the individual — not just their device, token, phone, or anything else. In the digital world we live in, this is how to establish trust.

By utilizing a centrally stored biometric method, organizations are able to support people who need to have access across multiple devices and locations without any additional enrollment or process. They can simply walk up to a workstation, scan their biometric, and quickly login. Storing the encrypted biometric data centrally allows access to be granted for multiple places and devices across the organization.

Lastly, with better sensors and larger sets of data points captured about the user's biometric, IBB is more accurate than most device-based biometric methods.

**How IBB Works as a Centralized Biometric Method**  
IBB utilizes hardware, such as a camera on a mobile device or a fingerprint scanner, to scan the user's biometric input, confirming thousands (rather than hundreds) of data points. Once the biometric is scanned, it is sent through an end-to-end encrypted process and algorithmically altered to create a biometric template. This means that there are no actual fingerprints or measurements stored on the company's server — rather, a unique template that acts like a lock with an individual's biometric data as the key.

Besides the end-to-end encryption, IBB eliminates bad actors who threaten other places in the process as well. Using isolated, non-recreatable single sessions for each interaction eliminates the threat of a man-in-the-middle style interception and replay of the data. This allows for biometric data to be safely stored and managed centrally, rather than tied to individual devices.

Consider, for example, a bank teller who works in multiple branches. They deal with highly sensitive financial data on a regular basis but still need to be able to work from multiple locations and at different workstations throughout their day. Rather than enrolling them on a series of individual devices, the bank can employ IBB to allow the teller to work across devices companywide, while verifying who specifically is gaining access and completing transactions. The bank knows who is enrolled in the system, it knows that enrollment hasn't changed, and it has the flexibility to allow access only where required. This setup makes it extremely convenient for the teller to log into the system but also provides a higher level of integrity and trust for the employer.

In a digital world where access is happening from everywhere, and people are all "behind the screens," being able to trust that a specific individual has completed a login or transaction is critical. The standard MFA methods many organizations employ can only establish trust through something the user knows (a password) or has (a smartphone). Identity verification and binding using biometrics should be part of every MFA strategy so that the organization can maintain security and control while users enjoy a convenient biometric authentication experience. With higher integrity and convenience, organizations can streamline operations and build trust for themselves, their employees, and their customers.

Exploring Biometrics and Trust at the Corporate Level

Annual ThreatLabz Report reveals phishing-as-a-service as the key source of attacks across critical industries and consumers globally; underscores urgency to adopt a zero-trust security model.

**Key Findings**

· Phishing attacks rose 29% globally to a new record of 873.9M attacks observed in the Zscaler**TM** cloud last year

· Retail and wholesale were the most targeted industries, experiencing over a 400% increase in phishing attacks over the last 12 months

· The United States, Singapore, Germany, Netherlands, and the United Kingdom were the most frequently targeted by phishing scams

· Emerging phishing vectors, such as SMS phishing, are increasing faster than other methods as end users become more wary of suspicious emails

· Rising phishing activity is directly linked to “phishing- as-a-service” options, which provide a marketplace of pre-built attack tools that reduce technical barriers to entry for criminals

**SAN JOSE, Calif. – April 20, 2022** – Zscaler, Inc. (NASDAQ: ZS), the leader in cloud security, today released the findings of its 2022 ThreatLabz Phishing Report that reviews 12 months of global phishing data from the Zscaler security cloud to identify key trends, industries and geographies at risk, and emerging tactics. According to the FBI Internet Crime Complaint Center (IC3), phishing attempts are the most frequently-reported cyberattack. Zscaler’s ThreatLabz research team analyzed data from more than 200 billion daily transactions, and 150 million daily blocked attacks in order to identify emerging threats and track malicious actors from across the globe. This year’s report showed dramatic 29% growth in overall phishing attacks compared to previous years, with retail and wholesale companies bearing the brunt of the increase. The report also showed an emerging reliance on phishing-as-a-service methods, as well as new attack vectors, such as SMS phishing, becoming one of the more prevalent methods of intrusion.

“Phishing attacks are impacting businesses and consumers with alarming frequency, complexity, and scope - with the rise in phishing-as-a-service making it easier than ever for non-sophisticated actors to launch successful attacks. Our annual report highlights how cybercriminals continue to escalate their usage of phishing as a starting point to breach organizations to deliver ransomware or steal sensitive data,” said Deepen Desai, CISO and VP of Security Research and Operations at Zscaler. “To defend against advanced phishing attacks, organizations must leverage a multi-pronged defensive strategy anchored on a cloud native zero trust platform that unifies full SSL inspection with AI/ML-powered detection to stop the most sophisticated phishing attempts and phishing kits, lateral movement prevention and integrated deception to limit the blast radius of a compromised user, proactive controls to block high risk destinations such as newly registered domains that are often abused by threat actors, and in-line DLP to safeguard against data theft.”

Phishing has always been one of the most pervasive cyberthreats, with various methods used to steal private information. One of the reasons this type of attack grows in prevalence every year is its low barrier to entry. Cybercriminals use current events, such as the COVID-19 pandemic or cryptocurrency, to convince unwitting victims to hand over confidential data, such as passwords, credit card information, and login credentials.

The 2022 ThreatLabz Phishing Report found that phishing attacks lure victims by posing as top brands or promoting topical events. The top phishing themes in 2021 included categories such as productivity tools, illegal streaming sites, shopping sites, social media platforms, financial institutions, and logistical services.

**A Global Problem**

In 2021, the U.S. was the most-targeted country globally, accounting for over 60% of all phishing attacks blocked by the Zscaler security cloud. The next most frequently attacked countries include Singapore, Germany, the Netherlands, and the United Kingdom.

Not all countries experienced the same attention from phishing attacks. For example, the Netherlands experienced a decrease of 38 %, which may have resulted from recently-passed legislation that increased the penalties for online fraud.

Phishing attacks were also not evenly distributed across different industries. Retail and wholesale businesses experienced an increase of over 400% in phishing attempts - the most out of all tracked industries. These businesses were followed by financial and government sectors, with organizations in these industries seeing over 100% increases in attacks on average. However, some industries experienced partial relief from phishing attacks last year. Healthcare saw a notable drop of 59 %, while the services industry saw a decline of 33 %.

**Phishing-as-a-Service - The Growing Threat**

While phishing has long been one of the most common tactics used in cyberattacks by sophisticated threat actors, it's becoming more accessible to non-technical cybercriminals due to a maturing underground marketplace for attack frameworks and services. By selling their pre-built phishing tools and services on the dark web, cybercriminals are making it easier to deploy phishing scams at scale, creating a greater chance for more phishing activity in 2022.

**Countering Phishing Attacks**

According to the Zscaler ThreatLabz research team, an average-sized organization receives dozens of phishing emails every day. This means that employees at all levels must be aware of the most common phishing tactics and empowered to spot phishing attempts that can result in financial losses and damage to the business’ brand.

Facing the threats outlined in the 2022 ThreatLabz Phishing Report can be daunting, and while it's impossible to eliminate phishing risk, effective management can prevent business-critical information from falling into the hands of cybercriminals. Among other recommendations, Zscaler suggests the following tactics for countering phishing growth:

· Learning and understanding the risks posed by phishing to better inform policy and technology decisions

· Leveraging automated tools and actionable intelligence to empower employees with the tools needed to reduce phishing incidents

· Delivering timely employee training to build security awareness and promote user reporting

· Simulating phishing attacks to identify gaps in security policies and procedures

· Evaluating security infrastructure to ensure access to the latest research and system capabilities

**How the Zscaler Zero Trust Exchange****TM Can Mitigate Phishing Attacks**

User compromise is one of the most difficult security challenges to defend against. The Zscaler Zero Trust Exchange incorporates phishing prevention controls into a holistic zero trust architecture that disrupts every stage of attacks and minimizes damages. Capabilities include:

· **Preventing compromise** with full SSL inspection at scale, threat analysis using natively integrated threat intel and IPS signature detection, AI/ML phishing detection, and policy-defined high-risk URL categories commonly used for phishing such as newly observed and newly registered domains.

· **Eliminating lateral movement** by connecting users directly to apps, not the network, to limit the blast radius of a potential incident.

· **Shutting down compromised users and insider threats** with in-line application inspection and integrated deception capabilities to trick and detect attackers.

· **Stopping data loss** by inspecting data both in motion and at rest to prevent theft by an active attacker.

To download the full report, see the ThreatLabz 2022 Phishing Report.

**Methodology**

The ThreatLabz team evaluated data from the Zscaler security cloud, which monitors over 200 billion transactions daily across the globe. ThreatLabz analyzed a year’s worth of global phishing data from the Zscaler cloud from January 2021 through December 2021 to identify key trends, industries and geographies at risk, and emerging tactics.

New Zscaler Research Shows Over 400% Increase in Phishing Attacks With Retail and Wholesale Industries at Greatest Risk

Cybereason MalOp Detection Engine augmented with Nuanced DFIR Intelligence reduces the mean-time-to-detect and remediate incidents.

BOSTON, April 21, 2022 /PRNewswire-PRWeb/ -- Cybereason, the XDR company, today launched Cybereason DFIR (Digital Forensics Incident Response), a solution designed to automate incident response (IR) investigations by incorporating nuanced forensics artifacts into threat hunting, reducing remediation time by enabling security analysts to contain cyberattacks in minutes.

Today, many organizations find themselves vulnerable to breaches because security analysts lack the tools to quickly investigate and remediate all aspects of a threat. By offering incident response solutions driven by forensics, Cybereason can extend deeper value to Defenders. With the Cybereason MalOp™ Detection Engine augmented by Cybereason DFIR, security analysts can leverage the industry's most comprehensive detections from root cause across every impacted asset.

With forensics data added to the MalOp, security analysts have instant visibility into a wider range of intelligence sources to enable rapid decisions and remediate threats more efficiently. Cybereason DFIR includes the following capabilities:

Forensic Data Ingestion: Feed a treasure trove of forensic data to the MalOp™ Detection Engine for deeper insights, enrichment and contextualization.

Live File Search: Search for any suspicious file in the environment based on a wide variety of search criteria without the need for prior collection.

IR Tools Deployment: Streamline cumbersome IR investigations and work seamlessly with similar DFIR tools by deploying them via the Cybereason Sensor.

ExpressIR: IR Partners and large customers with internal DFIR teams can deploy a pre-provisioned IR environment to begin the investigation within hours of an incident.

"Cybereason DFIR enhances the performance of the Cybereason XDR Platform in our customers' environments enabling security analyst teams to detect, identify, analyze and respond to sophisticated threats before adversaries can inflict harm, and when needed, conduct a thorough post-mortem analysis of a complex incident. The merging of our powerful Cybereason XDR Platform with Cybereason DFIR provides the industry with the most powerful tools available," said Cybereason Chief Technology Officer and Co-founder Yonatan Striem-Amit.

Anything connected to the internet is part of an organization's attack surface, yet Defenders are forced to use multiple siloed solutions producing uncorrelated alerts to try to find and end these complex malicious operations. Now, Defenders can leverage Cybereason DFIR to centralize DFIR investigative work and end sophisticated attacks with the only solution on the market to deliver:

\--Comprehensive Response: Cybereason DFIR has a number of tailored remediation actions analysts can perform directly from the investigation screen. The solution empowers analysts to reduce Mean-Time- To-Detect and Mean-Time-To-Remediate. Cybereason DFIR also allows Defenders to contain attacks by executing commands directly on the host in question with remote shell and real-time response actions.

\--Uncover Advanced Adversaries: Fully reveal sophisticated adversaries and analyze complex TTP's by tracing the attacker path back to root cause. Defenders will have a better understanding of the full scope and timeline of an incident using enriched forensics to identify all impacted systems and users. Security analysts can investigate relevant files and forensic artifacts of interest through wide-ranging criteria to collect files as needed.

\--Fully Supported Technology: With a shortage of Tier III qualified security analysts, many security teams are understaffed and lack in-house IR expertise. Cybereason automates most aspects of a DFIR investigation and up-levels the capabilities of Level 1 and 2 analysts to perform complex forensic tasks. In addition, the Cybereason Services Teams fully supports investigations, breach recovery, forensic audits and deep-dive analysis.

About Cybereason  
Cybereason is the XDR company, partnering with Defenders to end attacks at the endpoint, in the cloud and across the entire enterprise ecosystem. Only the AI-driven Cybereason XDR Platform provides planetary-scale data ingestion, operation-centric MalOp™ detection, and predictive response that is undefeated against modern ransomware and advanced attack techniques. Cybereason is a privately held international company headquartered in Boston with customers in more than 40 countries.

Learn more: https://www.cybereason.com

Cybereason Launches Digital Forensics Incident Response

Seedrs Ltd. deployed and configured Alert Logic Intelligent Response in minutes, and immediately began blocking critical threats.

HOUSTON, April 21, 2022 /PRNewswire/ -- Alert Logic by HelpSystems today announced general availability of its new intelligent response capabilities. The innovations, including simple mode and a mobile application, relieve IT and security departments of repetitive response tasks and the need for constant administration through human-guided and fully automated workflows. Seedrs, Europe's leading online private investment platform, is among the first adopters of the new capabilities, now available at no additional cost to Alert Logic MDR® customers.

Alert Logic Intelligent Response™ is designed to minimize the impact of a breach via embedded SOAR capabilities with workflows to enable response actions across network, endpoints, and cloud environments. This provides a backstop if attacks bypass prevention tools, improving an organization's security posture while allowing them to adopt automation at their own pace. As part of a holistic response strategy, the solution addresses detection, notification, and containment with multiple actions and use cases in a simplified user experience, making it easy for any organization to create automated response actions.

"The wizard-based user interface of Alert Logic's simple mode made the whole intelligent response configuration possible in just minutes," said Jonas Pereira, Senior DevOps Engineer, Seedrs. "I also have full visibility of our infrastructure, and our safety, literally in my pocket with the Alert Logic mobile application, ensuring we can effectively respond to any potential threat instantly."

Intelligent response simple mode focuses on the three most commonly needed actions:

*   **Shun an attacker** at the edge of a network, for Alert Logic and AWS WAFs
*   **Isolate a host** for SentinelOne or Microsoft Defender for Endpoint users
*   **Disable user** credentials that may be compromised, via AWS IAM or Azure Active Directory (including Office 365)

These three use cases are vital for preventing attacks or reducing the impact of successful attacks. Organizations may introduce the human touch anywhere in the process and increase the level of automation to suit their needs. Customizable response playbooks also save time by helping security experts integrate automated response actions into their business processes.

In addition to simple mode, the Alert Logic mobile application streamlines human-guided response, allowing security teams to remotely execute decisions for response actions immediately. Using the mobile application, CISOs can instantly approve response actions from anywhere, for a more flexible work environment.

"The beta customers who helped guide development of Alert Logic Intelligent Response told us they needed a flexible solution that allowed them to adopt automation at their own pace to increase their security posture," said Onkar Birk, Managing Director, Alert Logic by HelpSystems. "We're putting response in front of people in an intuitive way, getting them involved in the process, taking security actions to contain problems, and enabling resource-stretched teams to deploy best practice security."

To learn more about Alert Logic Intelligent Response, visit https://www.alertlogic.com/why-alert-logic/intelligent-response/.

**About Alert Logic** **by HelpSystems  
**Alert Logic by HelpSystems is the only managed detection and response (MDR) provider that delivers comprehensive coverage for public clouds, SaaS, on-premises, and hybrid environments. Since no level of investment prevents or blocks 100% of attacks, you need to continuously identify and address breaches or gaps before they cause real damage. With limited expertise and a cloud-centric strategy, this level of security can seem out of reach. Our cloud-native technology and white-glove team of security experts protect your organization 24/7 and ensure you have the most effective response to resolve whatever threats may come. Founded in 2002, Alert Logic is headquartered in Houston, Texas and has business operations, team members, and channel partners located worldwide. Learn more at alertlogic.com. Alert Logic – unrivaled security for your cloud journey.

**About HelpSystems  
**HelpSystems is a software company focused on helping exceptional organizations secure and automate their operations. Our cybersecurity and automation software protects information and simplifies IT processes to give our customers peace of mind. We know security and IT transformation is a journey, not a destination. Let's move forward. Learn more at www.helpsystems.com.

© HelpSystems, LLC and its group of companies. All trademarks and registered trademarks are the property of their respective owners.

Alert Logic®, Alert Logic MDR®, and Alert Logic Managed Detection and Response® are registered trademarks of Alert Logic, Inc.

Alert Logic Intelligent Response™ is a trademark of Alert Logic, Inc.

Alert Logic Releases MDR Incident Response Capability for Addressing a Breach

To better manage risks, companies can concentrate on resilience, sharing information to protect from cyber threats, and making the cybersecurity tent bigger by looking at workers with nontraditional skill sets.

As we look ahead, there are many reasons for optimism in cybersecurity. Defenders are maturing in their approach, we're getting better at articulating cyber threats in the language of business risk, and we're continually improving cross-sector collaboration.

But we still face a challenge navigating the changing threat landscape, something I discussed with industry peers on an HP-hosted CISO panel. I believe the cybersecurity industry needs to build on the positives by understanding cyber strategy more clearly in the context of good corporate governance, and by addressing the growing diversity and skills gap within our cybersecurity talent pool.

**When Change Is the Only Constant  
**As IT modernizes to support remote work, new customer experiences and evolving business processes, we're seeing attack surfaces expand exponentially. On the one hand, this contributed to a record number of compromises in 2021, while the number of published vulnerabilities surged to an all-time high.

Yet there's another story behind the headlines. For years, we've been talking about the same old paradigm of attacker and victim. In this one-to-one relationship, the attacker targets a victim and either succeeds or doesn't. Today, we're seeing more of what I would call "one-to-many" attacks. Supply chain attacks are nothing new, but we're seeing an uptick in their sophistication and ambition. Attackers have realized they don't need to constantly go one-to-one. They can find a common hub that connects hundreds or even thousands of potential victims and compromise it. For close to the same effort expelled, they have a significant step up in ROI.

As organizations look to manage supplier risk, spiraling costs, and geopolitical tension in the post-pandemic world, the complex web of interdependencies upon which they rely is growing. This is most apparent in the airline industry. It was fascinating to hear United Airlines VP and CISO, Deneen DeFiore, explain how the mindset in cyber is shifting from data protection to resilience. Understanding these supplier dependencies is critical to managing risk effectively, to minimize the operational impact of cyber threats.

**Collaboration Will Be Key  
**This mounting complexity also makes industry collaboration more important. It's only via collaboration with the right public and private sector organizations that we can understand how attackers are operating. Part of this involves organizations thinking about what is and isn't helpful to disclose around breaches. We can all agree that indicators of compromise (IoCs) are out of date as soon as they're published. So, what is relevant that can be shared between organizations?

Today's conversation is too centered around whether an organization was breached or not. If breaches are close to inevitable, we should focus more on sharing breach findings and post-mortem results that will help others.

The way CISA coordinated information sharing during the early days of the Log4Shell saga offers a useful model. The agency did an amazing job organizing and sharing information from different industry sources. Let's learn from it. Because as Ian Pratt, HP's global head of security for personal systems, explained, cybercriminal organizations are run like businesses now. They've become masters at sharing intelligence, information, and tooling to further their objectives.

**A People Problem  
**This touches on another critical point. The industry is short of more than 2 million cybersecurity professionals globally. In this moment of crisis, we should nurture the beginnings of something far bigger and better by growing our talent pool and breaking down the barriers to joining our sector.

There's an opportunity to make the cybersecurity tent bigger by looking outside of the industry. We could bring in more nontraditionally educated people, as we don't necessarily need college degrees for every role. We could target workers mid-to-late in their careers who have a rich set of skills in areas such as risk management or communication.

Diversity is also critical, but much work needs to be done. According to findings in an HP-commissioned study, 30% of women in the US applied for a promotion last year. However, of those that applied, only 40% of women were successful, vs. 52% of men. Cybersecurity, like the tech industry as whole, has a diversity issue, particularly with getting women into senior roles. We must understand how to best support women and their careers, as this is key for fostering a diverse workforce and attracting new talent.

Employers must do better at harnessing this large pool of untapped talent. As Siemens USA Chief Cybersecurity Officer Kurt John explained, diversity is the No. 1 way to drive creativity in response to the threats that we all face.

The good news is that boardrooms are starting to appreciate the importance of diversity and cybersecurity — just as CISOs are beginning to talk about cyber in the language of business risk. That offers definite grounds for optimism.

What has increasingly dawned on me is that, as cybersecurity leaders, we're much more likely to make the right decisions for the enterprise by viewing cyber in the context of effective corporate governance. I believe that's the way to craft an enterprise-specific strategy. Let's make the "G" in _environmental, social, and governance_ (_ESG_) really mean something for cybersecurity and get ourselves onto the front foot.

3 Ways We Can Improve Cybersecurity

Intel, FiVerity, and Fortanix team up to launch an AI-driven fraud detection platform into a confidential computing environment.

A new partnership will bring confidential computing to financial services companies in their fight against digital identity fraud.

Confidential computing tackles the challenge of securing data during processing or runtime by using hardware-based trusted execution environments (TEE), an environment that focuses on data integrity, data confidentiality, and code integrity. The data, as well as the application processing that data, are isolated within secure enclaves so that nothing else can access that data, even if the infrastructure is compromised. This way, enterprises can run sensitive applications on public clouds or other hosted environments without worrying about the possibility of data exposure.

The partnership is between Intel, digital fraud prevention platform FiVerity, and Fortanix, a cloud security company. FiVerity's anti-fraud platform relies on artificial intelligence (AI) to detect fraud and incorporates the latest data privacy technologies. FiVerity will rely on Intel Software Guard Extensions to protect the data and control access, while Fortanix will deliver the confidential computing environment for FiVerity's fraud-detection models and transaction data from financial institutions.

Financial institutions would be able to analyze intelligence on fraud activity without exposing personally identifiable information, keeping banks in compliance with security and privacy requirements and reducing their exposure to digital fraud, the three companies said in a joint statement.

The confidential computing market is estimated to grow to $54 billion by 2026, according to a recent report from the Linux Foundation and Confidential Computing Consortium and conducted by the Everest Group.

"We believe that digital fraud detection is a particularly important and timely challenge for the industry which can be addressed with this technology," said Fortanix CEO Ambuj Kumar in a statement.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Anti-Fraud Partnership Brings Confidential Computing to Financial Services

New research shows threat actors increasingly leveraging social networks for attacks, with LinkedIn being used in 52% of global phishing attacks.

Shipping, retail, and tech companies are no longer the most popular brands used to hide phishing attacks. Instead, social media platforms have become the brands of choice used to dupe victims and steal their personal data, with LinkedIn-related lures accounting for a full 52% of all global phishing attacks during January, February, and March of 2022, according to new data.

LinkedIn phishing-lure use exploded by 44% over the previous quarter, when it was used in just 8% of phishing attempts, according to Check Point's latest Brand Phishing Report.

"As well as LinkedIn being the most targeted brand by a considerable margin, WhatsApp maintained its position in the top ten, accounting for almost 1 in 20 phishing-related attacks worldwide," the report said.

Shipping is still a draw, even though LinkedIn overtook DHL as the brand most often used in phishing attacks. DHL is now the second-most abused brand, behind 14% of attempts during the same time period. FedEx moved up from seventh place to fifth over the past quarter, with 6% of all phishing attempts spoofing its brand.

**Check Point's List of Top 10 Abused Brands**  

1.  LinkedIn (accounting for 52% of all global phishing attacks over the quarter)
2.  DHL (14%)
3.  Google (7%)
4.  Microsoft (6%)
5.  FedEx (6%)
6.  WhatsApp (4%)
7.  Amazon (2%)
8.  Maersk (1%)
9.  AliExpress (0.8%)
10.  Apple (0.8%)

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading