Tune into Dark Reading's News Desk interviews with the industry’s leaders, discussing news and hot topics, such as this year’s "Transofrm" theme, at RSA Conference 2022 in San Francisco

RSA CONFERENCE 2022 -- San Francisco -- The tag line for RSA Conference is "Where the world talks security," and security leaders covered a whole gamut of topics at Dark Reading's News Desk last week. From new security frameworks and technologies such as secure service edge, extended detection and response (XDR), and confidential computing; to security best practices such as resilience and risk-based prioritization, these News Desk segments covered a lot of ground. There were conversations about automation and the cloud, as well. Check out the YouTube playlist of all the topics that came out of Dark Reading News Desk during RSA Conference 2022 in San Francisco.

Lookout on Getting It Right at the Secure Service Edge

By implementing Secure Service Edge technology, security pros can consolidate their cloud access security broker, secure Web gateway, and zero-trust offerings on to a single platform, according to Jim Dolce, CEO and chairman of Lookout Security.

Concentric AI on How To Maximize Your AI Returns, In and Out of the SOC

Artificial intelligence has transformed the security landscape and given security professionals powerful tools to do their jobs more efficiently, says Karthik Krishnan, CEO and founder of Concentric AI.

DeepSurface on Risk-Based Prioritization Adds New Depth to Vulnerability Management

DeepSurface’s CTO Tim Morgan talks about how context awareness and risk-based prioritization can fortify vulnerability management. Morgan also encourages security pros to look beyond CVSS scores when performing risk assessments.

Anjuna Security on Tapping ‘Confidential Computing’ to Secure Data, Users, and Organizations

Ayal Yogev, CEO and co-founder of Anjuna Security, describes the emerging model of Confidential Computing, as well as how it leverages enclaves and creates Trusted Execution Environments, which isolates data from unauthorized access. 

Seemplicity on Security Security & Productivity: The New Power Couple

Scanning and remediation are handicapped without some robust automation to power them, says Ravid Circus, co-founder and Chief Product Officer of Seemplicity, who’s looking to accelerate time-to-remediation and reducing risk.

ReliaQuest Bolsters Extended Detection With Threat Intelligence

Customers consistently struggle to get from reactivity to a proactive security strategy, but combining extended detection response (XDR) with threat intelligence is a big step in that direction, says ReliaQuest CTO Joe Partlow. 

Automox Adds Automation to Patching, Vuln Management

Patching and patch management remain among security pros’ biggest pain points; Paul Zimski, VP of product strategy for Automox, believes adding automation to the mix can make a serious dent in the patching equation for most organizations.

Uptycs on Observability Is Key to Cloud Security

Transformation is a key theme at RSAC 2022, and Uptycs founder Ganesh Pai weighs in on how cloud security teams can reduce risk and lock things down more tightly. He also talks about how security observability can drive innovation for organizations. 

Lacework Blends Artificial Intelligence and Automation To Bolster Cloud Security

Artificial intelligence is essential for endowing multicloud environments with greater visibility, insights and actions, according to Mark Nunnikhoven, distinguished cloud strategist for Lacework. 

BAE Systems on Want Better Security? Up Your Collaboration Game

"Information sharing and collaboration are essential to good security, says Peder Jungck, VP and general manager of BAE Systems Inc.’s Intelligence Solutions. That effect is compounded when info is shared across companies and industries, he adds. 

Sophos on Keeping Tabs on the Bad Guys Using Threat Research

John Shier, senior security advisor for Sophos, shares original research data on adversaries and the ongoing scourge of ransomware. Spoiler alert: Things aren’t getting better, as bad actors pivot to more sophisticated tactics to avoid detection. 

Cisco Makes Resilience a Cornerstone of Security Strategy

RSA keynoter and Cisco executive Jeetu Patel talks to the Dark Reading News Desk about the power of information sharing, an integrated approach to security, and how to give users controlled, trusted access to applications and services.

Okta on Identity-First Security Helps Reduce and Neutralize Enterprise Threats

Okta’s Marc Rogers and Auth0’s Jameeka Aaron discuss the biggest threats connected to identity, as well as how the move to hybrid work compounds the challenge of keeping users — and their data — secure. 

Darktrace on Prevent Breaches and Malware With Proactive Defenses

Pressure to reduce and manage risk — internally and externally — is more urgent than ever, according to Mike Beck, global CISO for Darktrace. That’s why organizations require more sophistication and integration in their security management platforms. 

Noname Security: Proactiveness Is the Name of the Game In App Security

Software code has come under attack in innovative and deeply troubling ways, says Noname Security’s Shay Levi. These attacks have altered the security landscape for developers and their organizations, as well as suppliers, partners, and customers. 

Sysdig Takes a Deeper Cut At Cloud Security

Cloud security can challenge security pros like nothing else, including workload security issues arising from app design patterns or DevOps practices, says Sysdig’s VP of research and development Omer Azaria. 

Raytheon on A Few Simple Ways To Transform Your Cybersecurity Hiring  

It was already tough to find good, experienced security professionals, then along the came the Great Resignation to make hiring even tougher, notes Jon Check, executive director of cyber protection solutions for Raytheon Intelligence and Space. 

Panther Labs on Mitigating the Security Skills Shortage

Migrating apps to the cloud has set off a hiring frenzy for security pros with expertise related to data analysis and monitoring, observes Jack Naglieri of Panther Labs. It’s also created a big need to make workloads more manageable, he adds.

Application Security Testing Is On the Mend With Automated Remediation

Software developers and security pros alike struggle with application security, and Arabella Hallawell, CMO of Mend, breaks down how automated remediation can improve software composition analysis and application security testing.

Cisco on How To Secure a High-Profile Event Like the Super Bowl

Whether you’re locking down a network or facing fourth down with mere inches, resilience is key, according to Cisco’s TK Keanini and Tomás Maldonado, CISO for the National Football League. In both cases, protection isn’t optional.

Halcyon on How to Blunt the Virulence of the New Ransomware

COVID’s had some company in the last couple years with another mutating scourge: Ransomware. Thanks to the Dark Web, ransomware has scaled up and become more heavily monetized, says Halcyon CEO and co-founder Jon Miller.

Security Leaders Discuss Industry Drivers at Dark Reading's News Desk at RSAC 2022

Plus: Russia rattles its cyber sword, a huge Facebook phishing operation is uncovered, feds take down the SSNDOB marketplace, and more.

How do you smuggle information into the USSR right under the nose of the KGB? Create your own encryption system, of course. That’s exactly what saxophonist and music professor Merryl Goldberg did during the 1980s. This week Goldberg revealed that she used musical notation to hide the names and addresses of activists and details of meetings on a rare trip to the Soviet Union. To do so, she cooked up her own encryption system. Each musical note and marking represented letters of the alphabet and helped disguise the sensitive information. When Soviet officers inspected the documents, no suspicions were raised.

Goldberg’s story was retold at the RSA Conference in San Francisco this week, where WIRED’s Lily Newman has been digging up stories. Also coming out of RSA: a warning that as ransomware becomes less profitable, attackers may turn to business email compromise (BEC) scams to make money—BEC attacks are already highly profitable.

Also this week, dark-web marketplace AlphaBay is about to complete its journey back to the top of the online underworld. The original AlphaBay site—home to more than 350,000 product listings, ranging from drugs to cybercrime services—was purged from the dark web in July 2017 as part of a huge law enforcement operation. However, AlphaBay’s second-in-command, an actor going by the name of DeSnake, survived the law enforcement operation and relaunched the site last year. Now AlphaBay is growing quickly and is on the verge of resuming its dominant dark-web market position.

Elsewhere, Apple held its annual Worldwide Developers Conference this week and revealed iOS 16, macOS Ventura and some new MacBooks—WIRED’s Gear team has you covered on everything Apple announced at WWDC. However, there are two standout new security features worth mentioning: Apple is replacing passwords with new cryptographic passkeys, and it’s introducing a safety check feature to help people in abusive relationships. Database firm MongoDB also held its own event this week, and while it might not have been as high-profile as WWDC, MongoDB’s new Queryable Encryption tool may be a key defense against preventing data leaks.

Also this week we’ve reported on a Tesla flaw that lets anyone create their own NFC car key. New research from the ​​Mozilla Foundation has found that disinformation and hate speech are flooding TikTok ahead of Kenya’s elections, which take place at the start of August. Elon Musk reportedly gained access to Twitter’s “fire hose,” raising privacy concerns. And we dove into the shocking new evidence televised by the House January 6 committee.

But that's not all, folks. Each week we round up the big security and privacy news we didn't cover ourselves. Click the links for the full stories, and stay safe out there.

For the past two years, state-sponsored hackers working on behalf of the Chinese government have targeted scores of communications technologies, ranging from home routers to large telecom networks. That’s according to the NSA, FBI, and the Cybersecurity and Infrastructure Security Agency (CISA), which published a security advisory this week detailing the “widespread” hacking.

Since 2020, Chinese-backed actors have been exploiting publicly known software flaws in hardware and incorporating compromised devices into their own attack infrastructure. According to the US agencies, the attacks typically contained five steps. China’s hackers would use publicly available tools to scan for vulnerabilities in networks. They would then gain initial access through online services, access login details from the systems, get access to routers and copy network traffic, before finally “exfiltrating” victim data.

“Exploiting these vulnerabilities has allowed them to establish broad infrastructure networks to exploit a wide range of public- and private-sector targets,” the agencies say in their joint advisory.

Since the start of the war in Ukraine, Russia has been hacked at an unprecedented scale. Now, more than 100 days into the war, tensions around cyber activity are rising. On June 9, Russia’s Foreign Ministry said that its critical infrastructure and government bodies were being hit by cyberattacks and warned that it could lead to military confrontation with the West. “The militarization of the information space by the West, and attempts to turn it into an arena of interstate confrontation, have greatly increased the threat of a direct military clash with unpredictable consequences,” the Foreign Ministry said in a statement. From the moment Russian troops entered Ukraine, questions have been raised about the potential for escalation if people outside of Ukraine are involved in cyberattacks against Russia. Last week, the head of US Cyber Command told _Sky News_ that its military hackers have been involved in offensive operations that support Ukraine.

Phishing remains one of the most successful ways for criminals to break into people’s accounts and make money—and there’s no better example of this than a newly uncovered Facebook and Facebook Messenger phishing campaign. This week, security researchers at US firm PIXM revealed a huge network of at least 400 phishing pages that are raking in millions of views and have made its creators an estimated $59 million. The scam, which has been running since at least September 2021, directs people to false Facebook login pages where their credentials are hoovered up. What stands out, as noted by the Register, is that the phishing campaign has managed to avoid Facebook’s phishing detection methods more effectively than others.

So far in 2022, police and tech companies have been cracking down on cybercriminals with some success: Raidforums, ZLoader, and the dark-web market Hydra have all been shut down in recent months. That list got a little bit longer this week as the FBI and its international law enforcement took down a marketplace selling the personal information of around 24 million Americans, according to authorities. The SSNDOB marketplace, which was made up of four individual domains, was selling people’s names, dates of birth, and Social Security numbers. SSNDOB has existed for around a decade, and in 2013, details obtained from the organization were used in the takeover of Xbox Live accounts. It’s believed the website has made its unknown owners around $22 million since 2015.

How China Hacked US Phone Networks

On the eve of their federal criminal trial for allegedly stealing vast swaths of Internet addresses for use in large-scale email spam campaigns, three current or former executives at online advertising firm Adconion Direct have agreed to plead guilty to lesser misdemeanor charges of fraud and misrepresentation via email.

At the outset of their federal criminal trial for hijacking vast swaths of Internet addresses for use in large-scale email spam campaigns, three current or former executives at online advertising firm **Adconion Direct** (now **Amobee**) have pleaded guilty to lesser misdemeanor charges of fraud and misrepresentation via email.

In October 2018, prosecutors in the Southern District of California named four Adconion employees — **Jacob Bychak**, **Mark Manoogian**, **Petr Pacas**, and **Mohammed Abdul Qayyum** —  in a ten-count indictment (PDF) on felony charges of conspiracy, wire fraud, and electronic mail fraud.

The government alleged that between December 2010 and September 2014, the defendants engaged in a conspiracy to identify or pay to identify blocks of Internet Protocol (IP) addresses that were registered to others but which were otherwise inactive.

Prosecutors said the men also sent forged letters to an Internet hosting firm claiming they had been authorized by the registrants of the inactive IP addresses to use that space for their own purposes.

All four defendants pleaded not guilty when they were charged back in 2018, but this week Bychak, Manoogian and Qayyum each entered a plea deal.

“The defendants’ jobs with Adconion were to acquire fresh IP addresses and employ other measures to circumvent the spam filters,” reads a statement released today by the U.S. Attorney for the Southern District of California, which said the defendants would pay $100,000 in fines each and perform 100 hours of community service.

“To conceal Adconion’s ties to the stolen IP addresses and the spam sent from these IP addresses, the defendants used a host of DBAs, virtual addresses, and fake names provided by the company,” the statement continues. “While defendants touted ties to well-known name brands, the email marketing campaigns associated with the hijacked IP addresses included advertisements such as ‘BigBeautifulWomen,’ ‘iPhone4S Promos,’ and ‘LatinLove\[Cost-per-Click\].'”

None of the three plea agreements are currently available on PACER, the online federal court document clearinghouse. However, PACER does show that on June 7 — the same day the pleas were entered by the defendants —  the government submitted to the court a superseding set of just two misdemeanor charges (PDF) of fraud in connection with email.

Another document filed in the case says the fourth defendant — Pacas — accepted a deferred prosecution deal, which includes a probationary period and a required $50,000 “donation” to a federal “crime victims fund.”

There are fewer than four billion so-called “Internet Protocol version 4” or IPv4 addresses available for use, but the vast majority of them have already been allocated. The global dearth of available IP addresses has turned them into a commodity wherein each IP can fetch between $15-$25 on the open market.

This has led to boom times for those engaged in the acquisition and sale of IP address blocks, but it has likewise emboldened those who specialize in absconding with and spamming from dormant IP address blocks without permission from the rightful owners.

In May, prosecutors published information about the source of some IP address ranges from which the Adconion employees allegedly spammed. For example, the government found the men leased some of their IP address ranges from a Dutch company that’s been tied to a scandal involving more than four million addresses siphoned from the **African Network Information Centre** (AFRINIC), the nonprofit responsible for overseeing IP address allocation for African organizations.

In 2019, AFRINIC fired a top employee after it emerged that in 2013 he quietly commandeered millions of IPs from defunct African entities or from those that were long ago acquired by other firms, and then conspired to sell an estimated $50 million worth of the IPs to marketers based outside Africa.

“Exhibit A” in a recent government court filing shows that in 2013 Adconion leased more than 65,000 IP addresses from **Inspiring Networks**, a Dutch network services company. In 2020, Inspiring Networks and its director **Maikel Uerlings** were named in a dogged, multi-part investigation by South African news outlet **MyBroadband.co.za** and researcher Ron Guilmette as one of two major beneficiaries of the four million IP addresses looted from AFRINIC by its former employee.

Exhibit A, from a May 2022 filing by U.S. federal prosecutors.

The address block in the above image — 196.246.0.0/16 — was reportedly later reclaimed by AFRINIC following an investigation. Inspiring Networks has not responded to requests for comment.

Prosecutors allege the Adconion employees also obtained hijacked IP address blocks from **Daniel Dye**, another man tied to this case who was charged separately. For many years, Dye was a system administrator for **Optinrealbig**, a Colorado company that relentlessly pimped all manner of junk email, from mortgage leads and adult-related services to counterfeit products and Viagra. In 2018, Dye pleaded guilty to violations of the CAN-SPAM Act.

Optinrealbig’s CEO was the spam king Scott Richter, who changed the name of the company to Media Breakaway after being successfully sued for spamming by **AOL,** **Microsoft**, **MySpace**, and the New York Attorney General Office, among others. In 2008, this author penned a column for The Washington Post detailing how Media Breakaway had hijacked tens of thousands of IP addresses from a defunct San Francisco company for use in its spamming operations.

The last-minute plea deals by the Adconion employees were reminiscent of another recent federal criminal prosecution for IP address sleight-of-hand. In November 2021, the CEO of South Carolina technology firm **Micfo** pleaded guilty just two days into his trial, admitting 20 counts of wire fraud in connection with an elaborate network of phony companies set up to obtain more than 700,000 IPs from the **American Registry for Internet Numbers** (ARIN) — AFRINIC’s counterpart in North America.

Adconion was acquired in June 2014 by **Amobee**, a Redwood City, Calif. online ad platform that has catered to some of the world’s biggest brands. Amobee’s parent firm — Singapore-based communications giant Singtel — bought Amobee for $321 million in March 2012.

But as _Reuters_ reported in 2021, Amobee cost Singtel nearly twice as much in the last year alone — $589 million — in a “non-cash impairment charge” Singtel disclosed to investors. Marketing industry blog **Digiday.com** reported in February that Singtel was seeking to part ways with its ad tech subsidiary.

One final note about Amobee: In response to my 2019 story on the criminal charges against the Adconion executives, Amobee issued a statement saying “Amobee has fully cooperated with the government’s investigation of this 2017 matter which pertains to alleged activities that occurred years prior to Amobee’s acquisition of the company.”

Yet as the government’s indictment points out, the alleged hijacking activities took place up until September 2014, which was _after_ Amobee’s acquisition of Adconion Direct in June 2014. Also, the IP address ranges that the Adconion executives were prosecuted for hijacking were all related to incidents in 2013 and 2014, which is hardly “years prior to Amobee’s acquisition of the company.”

Amobee has not yet responded to requests for comment.

Adconion Execs Plead Guilty in Federal Anti-Spam Case

Humio for Falcon provides long-term, cost-effective data retention with powerful index-free search and analysis of enriched security telemetry across enterprise environments

**AUSTIN, Texas and RSA Conference 2022, SAN FRANCISCO – June 6, 2022 –** CrowdStrike (Nasdaq: CRWD), a leader in cloud-delivered protection of endpoints, cloud workloads, identity and data, today introduced Humio for Falcon, a new capability that extends data retention of CrowdStrike Falcon telemetry for up to one year or longer, enhancing threat analytics and threat hunting abilities for organizations while helping them meet compliance requirements.

Humio for Falcon brings together an industry-leading security platform in CrowdStrike Falcon, with the powerful search capabilities of CrowdStrike’s centralized logging offering, Humio. The new capability gives security teams the ability to store security and IT telemetry from the Falcon platform, which is enriched and contextualized across endpoints, workloads and identities to address the challenge of operationalizing the ever-growing volumes of data. Humio for Falcon helps security teams analyze and act on all data – both real-time and historical data – in their environment. With longer data retention due to advanced compression of ingested data, security teams can uncover and detect potential threats within their environments with deep, contextual analytics and sub-second search results at any scale through a modern, index-free architecture.

“While the data available to threat hunters and incident responders grows at an exponential rate, they are routinely forced to reduce the duration they can store this information,” said Michael Sentonas, chief technology officer at CrowdStrike. “Humio for Falcon solves this problem by delivering scalable and cost-effective data retention that enables threat hunters and incident responders to look back and see if and when an adversary was active in an IT environment and reconcile every system they touched. It’s truly a game-changer in the industry.”

Humio for Falcon provides:

*   **Threat hunting and troubleshooting at unprecedented scale:** By retaining Falcon data for extended periods of time, security teams can proactively search and uncover hidden threats in the environment with sub second speed, remove advanced persistent threats (APTs) by sifting through the data to detect irregularities that might suggest potential malicious behavior and better prioritize and address vulnerabilities before they can be weaponized.
*   **Longer data retention to help meet compliance requirements and reduced cost:** With scalable storage and advanced compression techniques, customers can store and manage Falcon data for one or multiple years, based on customer requirements. This wealth of real-time and historical data enables completeness and accuracy of investigation and analysis, resulting in faster threat remediation.
*   **New user interface (UI) dashboard visualization for fast and custom search:** Feature-rich query language and index-free searches allows security teams to run queries on Falcon data and get immediate answers. Get the ability to seamlessly ingest, aggregate and search through massive security and IT telemetry and gain valuable, contextual insights with sub-second latency searches for meeting real-world security requirements, including advanced threat and vulnerability investigations.

  
“With Humio for Falcon, we were able to save approximately $150,000 in the first year,” said Tom Sipes, director, IT security and compliance at Tuesday Morning. “Also, the ability to save data for an extended time period is critical. When we detect an indicator of compromise, we can go back in time and analyze the entire attack chain to accelerate investigations and pinpoint issues more quickly.”

**Additional Resources**

*   For more information on Humio for Falcon, please visit our blog.
*   To watch a Humio for Falcon demo, please visit this page.
*   Did you know? Humio can ingest over one petabyte of data per day. Humio was also named “Log Analytics Solution of the Year” by the Data Breakthrough Awards for 2022.

  
**About CrowdStrike**  
CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with one of the world’s most advanced cloud-native platforms for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.

Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.

CrowdStrike Introduces Humio for Falcon, Redefining Threat Hunting with Unparalleled Scale and Speed

CrowdStrike Asset Graph provides unprecedented visibility of assets in an IT environment to optimize cyber defense strategies and manage risk.

**AUSTIN, Texas and RSA Conference 2022, SAN FRANCISCO – June 6, 2022 –** CrowdStrike (Nasdaq: CRWD), a leader in cloud-delivered protection of endpoints, cloud workloads, identity and data, today introduced CrowdStrike Asset Graph, a new graph database powered by the CrowdStrike Security Cloud that provides IT and security leaders with a 360-degree view into all assets (both managed and unmanaged) alongside unprecedented visibility into their attack surface across devices, users, accounts, applications, cloud workloads, operational technology (OT) and more to simplify IT operations and stop breaches.

As organizations accelerate their digital transformation, they are expanding their attack surface exponentially. This has dramatically increased their risk exposure to adversaries who are discovering and exploiting these soft targets and vulnerabilities faster than IT and security teams can discover them. Visibility is one of the foundational principles of cybersecurity because you cannot secure and defend the assets you don’t know exist. This, in turn, creates a race between adversaries and companies’ IT and security teams to find these blind spots. According to a 2022 report from Enterprise Strategy Group (ESG), “69% of organizations have experienced a cyberattack in which the attack itself started through the exploit of an unknown, unmanaged, or poorly managed internet-facing asset.”

CrowdStrike Asset Graph solves this problem by dynamically monitoring and tracking the complex interactions between assets, providing a single holistic view of the risks those assets pose. While other solutions simply provide a list of assets without context, Asset Graph provides graphic visualizations of the relationships between all assets such as devices, users, accounts, applications, cloud workloads and OT, along with the rich context necessary for proper security hygiene and proactive security posture management to reduce risk in their organizations.

“Digital transformation has led to an equal and pronounced acceleration of security transformation in the modern enterprise. For companies furthest along on this journey, IT operations and security teams – once distinct silos – are converging, creating a far more proactive posture when it comes to security and risk management,” said Amol Kulkarni, chief product and engineering officer at CrowdStrike. “Built specifically to address this new dynamic, CrowdStrike Asset Graph lets organizations see the assets they have and how they interact with each other, helping them make informed, risk-based decisions – from security to IT performance, utilization, capacity, license management and more – to proactively protect and manage their IT environment.”

**Bridging the gap between IT operations and security**  
The CrowdStrike Falcon platform was purpose-built with a cloud-native architecture to harness vast amounts of high-fidelity security and enterprise data, and deliver solutions through a single, lightweight agent to keep customers ahead of today’s sophisticated adversaries.

CrowdStrike’s groundbreaking graph technologies, which started with the company’s renowned Threat Graph, form a powerful, seamless and distributed data fabric, interconnected into a single cloud – the Security Cloud – that powers the Falcon platform and CrowdStrike’s industry-leading solutions. Using a combination of AI and behavioral pattern-matching techniques to correlate and contextualize information in the vast data fabric, CrowdStrike’s graphs create a “collect data once, reuse it multiple times” approach to solving the biggest problems that customers face. With the introduction of Asset Graph, CrowdStrike is applying this same approach to solving customers’ hardest, unmet challenges with an eye to proactive security, as well as unprecedented IT visibility and risk management.

The three highly-advanced graph technologies underpinning the Falcon platform now include:

*   **Threat Graph:** CrowdStrike’s industry-defining Threat Graph takes trillions of security data points from millions of sensors, enriched by threat intelligence data and third-party sources, to identify and link threat activity together to provide full visibility of attacks and automatically prevent threats in real-time across CrowdStrike’s global customer base.
*   **Intel Graph:** By analyzing and correlating massive amounts of data on adversaries, their victims and their tools, Intel Graph provides unrivaled insights on the shifts in tactics and techniques, powering CrowdStrike’s adversary-focused approach with world-class threat intelligence.
*   **Asset Graph:** With this release, CrowdStrike is solving one of the most complex customer problems today: identifying assets, identities and configurations accurately across all systems including cloud, on-premises, mobile, Internet of Things (IoT) and more, and connecting them together in a graph form. Unifying and contextualizing this information will lead to powerful new solutions that transform how organizations enforce security hygiene and dynamically manage their security posture.

  
CrowdStrike Asset Graph will enable new Falcon modules and features built on top of it to define, monitor and explore the relationships between assets within an organization. The first Falcon module to use Asset Graph is Falcon Discover (Security Hygiene), which includes the following enhancements:

*   **Newly enhanced dashboards, highly customizable filters and sharing options:** IT teams can tailor their experience of Asset Graph’s map visualization and powerful search capabilities, all presented conveniently within the Falcon Discover console.
*   **New third-party data integration with ServiceNow:** Combining this integration with Asset Graph and Falcon Discover, IT teams gain another layer of asset visibility around devices in a single console, providing enhanced monitoring over unmanaged and unsupported assets.

  
“It’s a cliche for a reason. You can’t protect what you can’t see. The first step in wrangling shadow IT or shining a light on blind spots is understanding what assets you have to secure and how those are interacting with unforeseen insecure assets,” said Juan Jose Chang, CISO at Bladex. “We believe that Falcon Discover combined with CrowdStrike Asset Graph will be the difference between using a flashlight versus a row of street lamps to see where you’re going.”

**Additional Resources**

*   For more information on CrowdStrike Asset Graph and enhancements to Falcon Discover, please visit our blog.

  
**About CrowdStrike**  
CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with one of the world’s most advanced cloud-native platforms for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.

Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.

CrowdStrike Introduces CrowdStrike Asset Graph to Help Organizations Proactively Identify and Eliminate Blind Spots

New CrowdXDR Alliance partners include Menlo Security, Ping Identity, and Vectra AI.

**AUSTIN, Texas and RSA Conference 2022, SAN FRANCISCO – June 6, 2022 –** CrowdStrike (Nasdaq: CRWD), a leader in cloud-delivered protection of endpoints, cloud workloads, identity and data, today announced it has expanded the CrowdXDR Alliance to include key strategic partners across web and email security (Menlo Security), identity and access management (Ping Identity) and network detection and response (Vectra AI). CrowdStrike also introduced new capabilities for the Falcon XDR (Extended Detection and Response) module to speed up detections for security teams, including an integration with ServiceNow, an existing CrowdXDR Alliance partner, to dramatically simplify security operations workflows with automated ticket creation.

Falcon XDR’s new capabilities include:

*   **Falcon Fusion workflows based on XDR detections:** Natively integrated with Falcon XDR, Falcon Fusion (CrowdStrike’s SOAR framework) now automates numerous workflows directly from a Falcon XDR detection including:
    *   Ticket creation through ServiceNow, a CrowdXDR Alliance partner.
    *   Notifications through email, Slack or webhook.
    *   Incident details from status changes to team assignments and comments.
*   **XDR detections event timeline:** Speed triage and investigation with a timeline view that displays key events of a detection in chronological order to easily understand how activity progressed.
*   **Graph visualization of custom XDR detections:** Create custom XDR detections from queries written to hunt for threats in the environment. Falcon XDR graph explorer visualizes how the events and entities in a custom XDR detection are related, enabling security analysts to rapidly orient and explore connections in cross-domain data.

  
“CrowdStrike continues to bring together the best of both open and native approaches to XDR,” said Michael Sentonas, chief technology officer at CrowdStrike. “For organizations seeking an open approach, we continue to expand third-party support for the CrowdXDR Alliance, which is delivering a standardized schema for data sharing to enrich XDR detections. We welcome Menlo Security, Ping Identity and Vectra AI to the CrowdXDR Alliance and look forward to partnering with them to deliver third-party integrations. For organizations seeking a native approach, we continue to bolster Falcon XDR with new capabilities that speed up threat detection and response efforts across data sources and environments. Ultimately, we are offering a solution that allows customers to choose an XDR approach that best fits their needs.”

**Partner Quotes**

*   **Poornima DeBolle, Menlo Security co-founder and chief product officer:** “The Internet should be safe, seamless, and effective for all workers. However, cybercriminals are making this difficult by deploying increasingly sophisticated malware, including ransomware fueled by Highly Evasive Adaptive Threats. We need to stop such malware and zero-day exploits from ever getting to endpoints. Menlo Security is excited to join CrowdStrike’s CrowdXDR Alliance. Our integration with CrowdStrike Falcon XDR will enable organizations to offer a safe online experience, without having to sacrifice productivity for security.”

*   **Loren Russon, vice president of product management at Ping Identity:** “We are excited to join CrowdStrike’s CrowdXDR Alliance and continue to expand our joint solutions. Customers are demanding expansive partner ecosystems through easy-to-deploy integrations, and this partnership delivers that through enterprise-proven identity security along with comprehensive visibility and protection against threats.”
*   **Michael Porat, senior vice president, corporate and business development at Vectra AI:** “As the scale and intensity of cyberattacks continue to proliferate, it reminds us that prevention alone cannot protect organizations from today’s cultivated attacks. To successfully mitigate modern security threats, organizations must implement more advanced threat detection and response mechanisms that accurately pinpoint attacker behavior and stop attackers from navigating through hybrid clouds. We are excited to join CrowdStrike’s CrowdXDR Alliance and look forward to sharing our threat detection and response expertise with other esteemed security vendors as we all work together with one common goal – detecting and stopping malicious actors.”

  
**Additional Resources**

*   For more information on the CrowdXDR Alliance and Falcon XDR, please visit our blog.
*   CrowdStrike was named a Strong Performer in The Forrester New Wave for Extended Detection and Response (XDR) Providers, Q4 2021.1

  
**About CrowdStrike**  
CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with one of the world’s most advanced cloud-native platforms for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.

Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.

1 The Forrester New Wave: Extended Detection and Response (XDR) Providers, Q4 2021

CrowdStrike Adds Strategic Partners to CrowdXDR Alliance and Expands Falcon XDR Capabilities

Cisco's TK Keanini and the NFL's Tomás Maldonado join Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to talk about end-to-end security.

Whether you're locking down a network or facing fourth down with mere inches, resilience is key, according to Cisco's TK Keanini and Tomás Maldonado, CISO for the National Football League. In both cases, protection isn't optional — it's critical to ensuring smooth operations and success. Keanini and Maldonado also talk about the elements of successful partnering where design, implementation, and operation of the NFL's end-to-end security platform are concerned.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

How to Secure a High-Profile Event Like the Super Bowl

Cloud migration, DevSecOps, cyber insurance, and more have emerged as important motivators for cybersecurity investment and focus.

RSA CONFERENCE — San Francisco — Security hygiene and software supply-chain/vendor risk have emerged as the top two security priorities for chief information security officers (CISOs) at medium-sized organizations, new research has revealed.

That's according to Forgepoint Capital, which surveyed CISOs across a spectrum of industries and sizes. For organizations with 50 to 1,000 employees, security hygiene is seen as particularly critical, according to the data.

"Most breaches are due to unpatched systems, misconfigurations, poor passwords, and other easily avoidable issues," the report, shared with Dark Reading at the 2022 RSA Conference this week, pointed out. "Typically, organizations of this size don’t have the budget to build multiple backups and failovers, with real scenarios where a security incident can put the company out of business."

That said, there was notable variance across industry segments. For instance, zero percent of respondents in the healthcare vertical cited security hygiene as a priority.

"It's not that they think that nurses don't need to worry about passwords," says Will Lin, managing director of Forgepoint. "It's that security responsibility is much more distributed than in other industries. If I'm, say, BlueCross BlueShield, I can't control the password requirements and security hygiene of all the subsidiaries I have. It's each one's own responsibility to do it. I have to prioritize what I can actually solve."

There's a different narrative for professional services firms, where more than 80% said security hygiene is a top focus.

"They're exactly the opposite from healthcare," Lin says. "They're responsible for the security of all their consultants. These are all my employees, I need to do it. So that's why it becomes the highest priority for this group."

**Cybersecurity Workforce Shortage**

Meanwhile, CISOs at organizations with less than 50 employees cited talent development and social-engineering awareness as their top two priorities, with the ongoing cybersecurity workforce shortage of particular concern.

"Talent departure and social-engineering attacks can have major ramifications," according to the report. "Due to the small size of their employee base, these companies can realistically affect more change by focusing on human capital than a large organization can. As companies grow larger, no matter how much access control is established, threat vectors will remain. Thus, the focus shifts from personnel to security automation and incident response."

When examining CISOs' views of security prioritization by industry, the survey found that all security professionals prioritize areas with the highest return on investment (ROI). For example, 50% of professional services companies marked security hygiene as an essential focus, but healthcare professionals are focused more on the software supply chain and third-party vendor risk, such as the security of connected medical devices, given its bigger tie to ROI in their field.

**Cloud Migration and Digital Transformation**

Forgepoint also found that cloud migration is driving security prioritization for medium-sized businesses in particular, with 73% of survey respondents noting that it's a factor in 75% or more of their efforts. In contrast, just 13% of very large businesses (more than 10,000 employees) and 43% of large businesses (1,000 to 10,000 employees) said the same. For businesses with fewer than 50 employees, half of them said the move to the cloud is driving 75% of their security choices.

"Very large companies, surprisingly enough, are actually the furthest behind cloud migration," Lin tells Dark Reading. "And the smaller companies are further along in cloud migration. The big companies have a lot of legacy infrastructure, so it's going to take them a much longer time to move to the cloud, while smaller companies are more cloud native, and they're trying to cut costs, which the cloud helps with."

Digital transformation also emerged as a top security motivator for CISOs in every industry except for professional services — likely due to the ongoing reality of remote working forcing businesses to embrace software-as-a-service and other corporate working apps.

This is driving a new security focus on securing application programming interfaces (APIs, cited by 62% of all respondents) and DevSecOps for embedding security into application development (cited by 54%).

**Areas of Control and Cyber Insurance**

Survey respondents said traditional access control areas like data security (40%) and identity (41%) are still top priorities for organizations. But more than a quarter (28%) of CISOs highlighted an emerging area, cyber insurance, as a top control area of interest.

With ransomware, malware, APTs, and other cyberattacks at all-time highs, organizations of all sizes are considering investing in cyber insurance — however, it's a painful process, Lin says, especially as many insurance firms don't cover ransomware incidents, and the application process can be onerous and dictate where precious security dollars are invested.

"The cost of cyber insurance is going up, and the coverage is going down," Lin says. "And perhaps most of all, the questionnaires that cyber insurance companies give companies to fill out in order to determine how expensive coverage will be don't provide a representational picture of how good of a bet insuring a company is."

For instance, many require companies to have multifactor authentication (MFA) on all accounts in order to qualify for affordable coverage — but its across-the-board implementation at the expense of other efforts (patching, for instance) may not be the best approach for defending the business.

"Companies themselves often don't know how effective their controls are, so how could a cyber insurance underwriter be predictive?" Lin says. "If the question is, do you have an MFA on everything, companies can never check yes to that. Because there are some places where you can't have MFA. It's just not physically possible. Or, in some cases the app that's doing all the authentication might not have an MFA feature enabled. So they have to click no, and when they do, they immediately see a premium increase."

Meanwhile, just 24% of all respondents cited monitoring threat intelligence as a priority — which is a function of it being perceived as difficult to operationalize, Lin says.

"The key issue is, even like organizations like Google have no idea what to do with all of the telemetry and data," Lin said. "Companies simply have a tough time figuring out what to do with their threat intel — it's just the actionability of it."

Overall, the survey also found that three-quarters (76%) of CISO survey respondents say they expect security budgets to increase this year.

"As cybersecurity budgets increase, it’s expected that budgets will become more flexible to accommodate new and emerging products that defy the limitations of the currently identified categories," Forgepoint concluded.

In a Quickly Evolving Landscape, CISOs Shift Their 2022 Priorities

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
Another week, another conference. We’re heading a few miles southeast from San Francisco to Las Vegas for Cisco Live. I hope everyone had a safe, healthy and enjoyable RSA, but the fun isn’t over just...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

Another week, another conference. We’re heading a few miles southeast from San Francisco to Las Vegas for Cisco Live. I hope everyone had a safe, healthy and enjoyable RSA, but the fun isn’t over just yet. 

We’ve got another week chock full of talks, meet-and-greets, podcasts and much more at Cisco Live this week. Come find us at the center of the Cisco Secure booth where we have something awesome planned (it’s a surprise!). I’ve also got a few other highlights from Talos at Cisco Live to know about this week.  

I’ll personally be giving my first-ever talk at the Cisco Secure Pub on Wednesday, so come by and say hi and tell me how much you love the newsletter.  

**Cisco Secure Pub **

The best place to find us is at the Cisco Secure Pub on the show floor. The Pub will be serving coffee in the morning and alcoholic drinks in the afternoon. Every day, we’ll be represented in lightning talks at the booth on a wide variety of topics, including Talos’ work in Ukraine, securing industrial control systems and a look back at Log4j. 

And since this is my newsletter, I’m also going to plug my talk on Wednesday at 2:30 p.m. local time when I’ll be discussing disinformation and propaganda campaigns in the age of social media, especially as it relates to Russia’s invasion of Ukraine. 

**Talos Insights: The State of Cybersecurity **

This is our annual overview of the threat landscape, this year delivered by Nick Biasini from our Outreach team. In this talk on the 15th, Nick will talk about the threats and trends Talos has uncovered in the past 12 months and provide the technical details on how they operate. Use the Cisco Live Session Catalog for more details on location. 

**Interactive sessions **

Talos and Cisco Talos Incident Responses are hosting several interactive sessions throughout the conference where attendees will get a chance to work face-to-face with our researchers and work hands-on with Cisco Secure products. 

I’ve created a personal filter here in the Session Catalog so you can easily find all our interactive sessions throughout the week.    

**The one big thing **

Attackers are actively exploiting a zero-day vulnerability in Atlassian Confluence Data Center and Server to execute remote code on targeted machines. The attacks delivered several payloads, including the in-memory BEHINDER implant as well as web shells, including China Chopper. In addition to the initial attacks outlined in the report, researchers confirmed additional, continued exploitation is ongoing. There is now a Proof of Concept (PoC) available so exploitation could increase in the near term.  

> **Why do I care? **If an attacker exploited this vulnerability, they could completely take over the targeted host and execute remote code on the targeted machine. And although a patch is available for this vulnerability, many instances remain unpatched, and reports continue to pour in that attackers are using exploit code available in the wild. This is all a bad recipe for a vulnerability that I relatively easy for attackers to exploit and we know they’re scanning for. Attackers are also exploiting this issue to spread China Chopper, a longstanding malware that can act as a backdoor on targeted machines and essentially be a backup plan for threat actors to retain access.    
> **So now what? **Atlassian has released a set of patches to mitigate the vulnerability. Enterprises are encouraged to test and apply the patch immediately to mitigate the ongoing attacks, patched versions include: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1. Additionally, they have provided a series of steps to be performed to help mitigate the risk if the patches cannot be applied for any reason. Talos has also released several Snort rules that will detect attempts to exploit this vulnerability.  

**Other news of note**

Attackers are still exploiting the Follina vulnerability in the Microsoft Support Diagnostic Tool (MSDT) to deliver Qbot, AsyncRAT and other malware families. Attackers have used these malware families for many years and are not tied to one particular threat actor. If delivered successfully, Qbot can steal sensitive information from the targeted machine. Although no official patch is available still, Microsoft has provided several workarounds for users to disable MSDT. Office Pro Plus, Office 2013, Office 2016, Office 2019 and Office 2021 have been confirmed to be affected. (SecurityWeek, Security Boulevard)

Two million people could be affected by a data breach at a large Massachusets-based health care company. Shields Health Care, which provides management and imaging services, said it "became aware of suspicious activity" on its network on March 28 and immediately began investigating the incident. The company has not discovered any evidence that any information from the data breach has been used to commit identity theft or fraud. Potential at-risk information includes addresses, Social Security numbers, billing information, insurance information and other medical treatment information. (NBC 10 Boston, ABC News)

A new form of Linux malware known as "Symbiote" is "almost impossible" to detect, according to new research. Linux malware normally tries to compromise processes running on the machines, but Symbiote instead acts as a shared object library that gets loaded onto all running processes via LD\_PRELOAD. That library then acts as a parasite to compromise the target machine by embedding itself in the system, eventually providing attackers with rootkit functionality. (ZDNet, CSO Online)

**Can’t get enough Talos? **

*   Researcher Spotlight: Martin Lee, EMEAR lead, Talos Strategic Communications
*   Talos EMEA monthly update: Business email compromise
*   Threat Roundup for May 27 - June 3  
    

  

**Upcoming events where you can find Talos ****Cisco Live U.S. (June 12 – 16, 2022)  
Las Vegas, Nevada **

**BlackHat** **U.S.** (Aug. 6 - 11, 2022)  
Las Vegas, Nevada 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  **MD5:** 93fefc3e88ffb78abb36365fa5cf857c  **Typical Filename:** Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  **MD5:** a087b2e6ec57b08c0d0750c60f96a74c  **Typical Filename:** AAct.exe  **Claimed Product:** N/A    **Detection Name:** PUA.Win.Tool.Kmsauto::1201 

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645    **MD5:** 2c8ea737a232fd03ab80db672d50a17a    **Typical Filename:** LwssPlayer.scr      
**Claimed Product:** 梦想之巅幻灯播放器      
**Detection Name:** Auto.125E12.241442.in02    

**SHA 256:** b2ef49a10d07df6db483e86516d2dfaaaa2f30f4a93dd152fa85f09f891cd049   
**MD5:** 067f9a24d630670f543d95a98cc199df **Typical Filename:** RzxDivert32.sys **Claimed Product:** WinDivert 1.4 driver   
**Detection Name:** W32.B2EF49A10D-95.SBX.TG 

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 **MD5:** 8c69830a50fb85d8a794fa46643493b2   
**Typical Filename:** AAct.exe **Claimed Product:** N/A    
**Detection Name:** PUA.Win.Dropper.Generic::1201

Threat Source newsletter (June 9, 2022) — Get ready for Cisco Live

Cisco's Jeetu Patel joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss the power of information sharing.

RSA keynoter and Cisco executive Jeetu Patel talks to the Dark Reading News Desk about the power of information sharing, an integrated approach to security, and how to give users controlled, trusted access to applications and services. Patel also discusses the Security Poverty Line, how it impacts the state of cybersecurity, and how to elevate those who may fall below the line.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tag

#cisco