Complex neural networks, including GPT-3, can deliver useful cybersecurity capabilities, such as explaining malware and quickly classifying websites, researchers find.

GPT-3, the large neural network created with extensive training using massive datasets, provides a variety of benefits to cybersecurity applications, including natural-language-based threat hunting, easier categorization of unwanted content, and clearer explanations of complex or obfuscated malware, according to research to be presented at the Black Hat USA conference next week.

Using the third version of the Generative Pre-trained Transformer — more commonly known as GPT-3 — two researchers with cybersecurity firm Sophos found that the technology could turn natural-language queries, such as "show me all word processing software that is making outgoing connections to servers in South Asia," into requests to a security information and event management (SIEM) system. GPT-3 is also very good at taking a small number of examples of website classifications and then using those to categorize other sites, finding commonalities between criminal sites or between exploit forums.

Both applications of GPT-3 can save companies and cybersecurity analysts significant time, says Joshua Saxe, one of the two authors of the Black Hat research and chief scientist for artificial intelligence at Sophos.

"We are not using GPT-3 in production at this point, but I do see GPT-3 and large deep-learning models — the ones you cannot build on commodity hardware — I see those models as important for strategic cyber defense," he says. "We are getting much better — dramatically better — results using a GPT-3-based approach than we would get with traditional approaches using smaller models."

The research is the latest application of GPT-3 to show the model's surprising effectiveness at translating natural-language queries into machine commands, program code, and images. The creator of GPT-3, OpenAI, has teamed up with GitHub, for example, to create an automated pair programming system, Copilot, that can generate code from natural-language comments and simple function names.

GPT-3 is a generative neural network that uses deep-learning algorithms' ability to recognize patterns to feed back results into a second neural network that creates content. A machine learning (ML) system for recognizing images, for example, can rank results from a second neural network used to turn text into original art. By making the feedback loop automatic, the ML model can quickly create new artificial intelligence (AI) systems, like the art-producing DALL-E.

The technology is so effective that an AI researcher at Google says one implementation of a large-language chatbot model has become sentient.

While the nuanced learning of the GPT-3 model surprised the Sophos researchers, they are far more focused on the utility of the technology to ease the job of cybersecurity analysts and malware researchers. In their upcoming presentation at Black Hat, Saxe and fellow Sophos researcher Younghoo Lee will show how the largest neural networks can deliver useful and surprising results.

In addition to creating queries for threat hunting and classifying websites, the Sophos researchers used generative training to improve the GPT-3 model's performance for specific cybersecurity tasks. For example, the researchers took an obfuscated and complicated PowerShell script, translated it with GPT-3 using different parameters, and then compared its functionality to the original script. The configuration that translates the original script closest to the original is deemed the best solution and is then used for further training.

"GPT-3 can do about as well as the traditional models but with a tiny handful of training examples," Saxe says.

Companies have invested in AI and ML as essential tools to improve the efficiency of technology, with "AI/ML" becoming a must-have term in product marketing.

Yet ways to exploit AI/ML models have jumped from whiteboard theory to practical attacks. Government contractor MITRE and a group of technology firms have created an encyclopedia of adversarial attacks on AI systems. Known as the Adversarial Threat Landscape for Artificial-Intelligence Systems, or ATLAS, the classification of techniques includes abusing the real-time learning to poison training data, like what happened with Microsoft's Tay chatbot, to evading the ML model's capabilities, such as what researchers did with Cylance's malware detection engine.

In the end, AI likely has more to offer defenders than attackers, Saxe says. Still, while the technology is worth using, it will not dramatically shift the balance between attackers and defenders, he says.

"The overall goal of the talk is to convince that these large language models are not just hype, they are real, and we need to find where they fit in our cybersecurity toolbox," Saxe says.

Large Language AI Models Have Real Security Benefits

Roman Sterlingov, accused of laundering $336 million, is proclaiming his innocence—and challenging a key investigative tool.

Tools to trace cryptocurrencies have, over just the past several years, allowed law enforcement agencies to convict dark-web black-market administrators, recover millions in ransomware payments, seize billions in stolen bitcoins, and even disrupt networks of child abuse. Now one criminal defendant claims those same tools have also unjustly put him in jail for more than 15 months.

In the spring of 2021, Roman Sterlingov, a 33-year-old Swedish-Russian national, was arrested by Internal Revenue Service criminal investigators at the Los Angeles airport and was accused of creating and operating Bitcoin Fog, a bitcoin “mixing” service on the dark web that took in coins from its users and returned others with the intention of preventing forensic accountants from following that money’s trail. The US Justice Department accuses Sterlingov of no less than $336 million in money laundering over Bitcoin Fog’s decade online.

Now, Sterlingov’s legal team, led by the well-known hacker defense attorney Tor Ekeland, has fired back: They’re claiming in a series of legal motions filed late yesterday that Sterlingov is innocent and vowing to take his case to trial. In doing so, Sterlingov’s defense says, they plan to show not only that he never ran Bitcoin Fog but also that the blockchain analysis techniques used to pin the case on him were faulty, leading to his wrongful arrest and a lost year of his life.

"I did not create Bitcoin Fog. I was never an administrator of Bitcoin Fog,” Sterlingov told WIRED, speaking from a Northern Virginia jail. "I’ve been here for more than a year now. I’m really perplexed at the system that could put me in here, at what they can do to an innocent man. It’s a Kafkaesque nightmare."

Unlike in some more-clear-cut investigations of criminal use of cryptocurrency, prosecutors in Sterlingov’s case haven’t pointed to any smoking-gun digital evidence retrieved from Sterlingov’s possessions or devices when he was arrested during his trip to the US last year. Instead, the statement of facts released when charges against Sterlingov became public in April 2021 detailed a combination of blockchain-based cryptocurrency tracing, IP address matching, and online account information links. The IRS says that collection of evidence ties Sterlingov to Bitcoin Fog’s creation in 2011 and shows—through Bitcoin tracing in particular—that he continued to receive profits from the service as late as 2019.

“Where’s the corroborating evidence?” asks Sterlingov’s defense attorney Ekeland. He runs through the inventory of items found on Sterlingov at the time of his arrest, which he says included laptops, hard drives, backup codes for his accounts, Bitcoin debit cards, and a customized smartphone for storing cryptocurrency. “But you know what’s not found when they catch him traveling? A shred of evidence that he operated Bitcoin Fog. No witnesses, no logs, no communications. They’re pinning it on a multi-layer guessing game.”

The Department of Justice did not yet respond to WIRED’s request for comment. The IRS declined to comment on pending litigation.

Sterlingov and his lawyers yesterday filed a motion to dismiss, a motion for a bill of particulars, a motion to free seized assets, and a motion to reconsider pretrial detention, among other items. The DOJ has produced more than three terabytes of data related to the case during discovery. The defense alleges that the sheer volume of information is difficult to parse but that nothing in it seems to establish a direct connection between Sterlingov and the creation or operation of Bitcoin Fog. And they further argue that the digital forensic analysis the prosecution has shared is flawed and opaque at best.

If the prosecution doesn’t produce clear evidence as Sterlingov’s case unfolds, it may have to rely on the more indirect digital connections between Sterlingov and Bitcoin Fog that it describes in the statement of facts assembled by the IRS’s criminal investigations division, much of which was based on cryptocurrency tracing techniques. That statement shows a trail of financial transactions from 2011 allegedly linking Sterlingov to payments made to register the Bitcoinfog.com domain, which was not Bitcoin Fog’s actual dark-web site but a traditional website that advertised it.

The funds to pay for that domain traveled through several accounts and were eventually exchanged from Bitcoin for the now-defunct digital currency Liberty Reserve, according to prosecutors. But the IRS says IP addresses, blockchain data, and phone numbers linked with the various accounts all connect the payments to Sterlingov. A Russian-language document in Sterlingov’s Google Account also described a method for obfuscating payments similar to the one he’s accused of using for that domain registration.

Sterlingov says he “can’t remember” if he created Bitcoinfog.com and points out that he worked at the time as a web designer for a Swedish marketing company, Capo Marknadskommunikation. “That was 11 years ago,” Sterlingov says. “It’s really hard for me to say anything specific."

Even if the government _can_ prove that Sterlingov created a website to promote Bitcoinfog.com in 2011, however—and Ekeland argues even that is based on faulty IP address connections that came from Stertlingov’s use of a VPN—Ekeland points out that’s very different from running the Bitcoin Fog dark-web service for the subsequent decade it remained online and laundered criminal proceeds.

To show Sterlingov’s deeper connection to Bitcoin Fog beyond a domain registration, the IRS says it used blockchain analysis to trace Bitcoin payments Sterlingov allegedly made as “test transactions” to the service in 2011 before it was publicly launched. Investigators also say that Sterlingov continued to receive revenue from Bitcoin Fog until 2019, also based on their observations of cryptocurrency payments recorded on the Bitcoin blockchain.

Ekeland counters that the defense hasn’t received any details of that blockchain analysis and points out that it was left out of the most recent superseding indictment against Sterlingov, which was filed last week. That means, he argues, that the government has based the core of its case on an unproven, relatively new form of forensics—one that he says led them to the wrong suspect. “Has it been peer-reviewed? No,” Ekeland says of blockchain analysis. “Is it generally accepted in the scientific community? No. Does it have a known error rate? No. It’s unverifiable. They can say total nonsense, and everyone has to take it on faith."

Ekeland says that discovery documents in the case show that the prosecution’s cryptocurrency tracing was performed with tools sold by Chainalysis, a New York–based blockchain analysis startup, along with consulting help from Excygent, a government contractor specializing in cybercriminal and cryptocurrency investigations, which Chainalysis acquired in 2021.

Ekeland argues that Chainalysis, valued at $8.6 billion in a recent investment round and frequently used in high-profile cybercriminal law enforcement investigations, had a conflict of interest in the case, given its financial dependence on US government contracts and a flow of former government investigators who have gone to work for Chainalysis. “This is a story of people profiteering and advancing their careers, throwing people in jail to promote their blockchain analysis tool that is junk science and doesn’t withstand any scrutiny,” says Ekeland. He adds that, based on the evidence provided in Sterlingov’s case, he believes “Chainalysis is the Theranos of blockchain analysis."

Chainalysis declined to comment about the motions filed yesterday, their broader implications, or Ekeland’s characterization of its work.

Sterlingov, for his part, says his cryptocurrency holdings—all of which were frozen at the time of his arrest—came not from Bitcoin Fog but from early investment in cryptocurrency. He concedes that he did send and receive payments to Bitcoin Fog as a user of the service seeking privacy, but says he didn’t use his bitcoins for anything illegal. “I think some of my transfers must have gotten mixed up with everything," he says.

Along with their motions, the defense filed two expert declarations with the court, one from cybersecurity researcher Chris Vickery and the other from intelligence analyst Eric Garland. The documents are meant to support Sterlingov and his lawyer’s accusations about the prosecution’s digital forensic analysis and Chainalysis and Excygent’s alleged conflicts of interest in investigating Sterlingov’s potential ties to Bitcoin Fog.

Sterlingov, who moved with his family from Voronezh, Russia, to Gothenburg, Sweden, when he was 14, also argues that as a Swedish citizen he should be tried in Sweden rather than the United States. He had flown to the US, he says, only to go to flight school to train as a commercial pilot. His defense has argued in Monday’s motions that the District of Columbia prosecutors charging Sterlingov have no venue to pursue the case, given that he has no connection to Washington, DC.

"I don’t understand how I’m in an American jail. I’ve never done business with America,” says Sterlingov. “I’m worried. I don’t know what’s going to happen. I’m thousands of miles from my home. If I were some kind of crypto criminal kingpin, which I’m not, Sweden could deal with me."

Furthermore, Sterlingov’s lawyers argue in their motion to dismiss that the statute of limitations has run out on the charges against him, since the alleged conduct at issue, including registering the Bitcoinfog.com domain and conducting particular Bitcoin transactions, occurred in 2011. The motion argues that three of the counts brought against Sterlingov have a five-year statute of limitations and that one has a six-year statute.

Given that blockchain analysis and cryptocurrency payment tracing techniques have matured over the past decade and have become central to many cybercriminal investigations in the US and worldwide, it is inevitable that their methodology and validity will be called into question and interrogated. Sterlingov’s case is taking the first step to establish that battleground.

Bitcoin Fog Case Could Put Cryptocurrency Tracing on Trial

Venafi investigation of 35 million Dark Web URLs shows macro-enabled ransomware widely available at bargain prices.

**SALT LAKE CITY, Aug. 2, 2022—** Venafi, the inventor and leading provider of machine identity management, today announced the findings of a Dark Web investigation into ransomware spread via malicious macros. Conducted in partnership with criminal intelligence provider Forensic Pathways between November 2021 and March 2022, the research analyzed 35 million Dark Web URLs, including marketplaces and forums, using the Forensic Pathways Dark Search Engine. The findings uncovered 475 web pages of sophisticated ransomware products and services, with several high-profile groups aggressively marketing ransomware-as-a-service.

*   87% of the ransomware found on the dark web has been delivered via malicious macros to infect targeted systems.

*   30 different "brands" of ransomware were identified within marketplace listings and forum discussions.

*   Many strains of ransomware being sold — such as Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear and WannaCry — have been successfully used in high-profile attacks.

*   Ransomware strains used in high-profile attacks command a higher price for associated services. For example, the most expensive listing was $1,262 for a customized version of Darkside ransomware, which was used in the infamous Colonial Pipeline ransomware attack of 2021.

*   Source code listings for well-known ransomware generally command higher price points; Babuk source code is listed for $950 and Paradise source code is selling for $593.

"Ransomware continues to be one of biggest cybersecurity risks in every organization," said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi. "The ransomware attack on Colonial Pipeline was so severe that it was deemed a national security threat, forcing President Biden to declare a state of emergency."

Macros are used to automate common tasks in Microsoft Office, helping people to be more productive. However, attackers can use this same functionality to deliver many kinds of malware, including ransomware. In February, Microsoft announced a major change to combat the rapid growth of ransomware attacks delivered via malicious macros, but it temporarily reversed that decision in response to community feedback.

"Given that almost anyone can launch a ransomware attack using a malicious macro, Microsoft's indecision around disabling of macros should scare everyone," said Bocek. "While the company has switched course a second time on disabling macros, the fact that there was backlash from the user community suggests that macros could persist as a ripe attack vector."

In addition to a variety of ransomware at various price points, the research also uncovered a wide range of services and tools that help make it easier for attackers with minimal technical skills to launch ransomware attacks. Services with the greatest number of listings include those offering source code, build services, custom development services, and ransomware packages that include step-by-step tutorials.

Generic ransomware build services also command high prices, with some listings costing more than $900. At the other end of the price spectrum, many low-cost ransomware options are available across multiple listings — with prices starting at just 99 cents for Lockscreen ransomware.

These findings are another example of the need for a machine identity management control plane to drive specific business outcomes, including observability, consistency, and reliability. In particular, code-signing is a key machine-identity management security control that eliminates the threat of macro-enabled ransomware.

"Using code-signing certificates to authenticate macros means that any unsigned macros cannot execute, stopping ransomware attacks in its tracks," Bocek concludes. "This is an opportunity for security teams to step up and protect their businesses, especially in banking, insurance, health care, and energy, where macros and Office documents are used every day to power decision making."

**About the research**

This research was carried out between November 2021-March 2022 by Venafi in partnership with Forensic Pathways, which has developed Dark Search Engine (DSE), an automated crawler/scraper of the Tor.Onion Dark Web. The intelligence tool contains more than 35 million URLs in the index.

Publicly available information, such as PC Risk, was used to determine if malicious macros were used in the initial attack vector.

For more information read the blog.

**About Venafi**

Venafi is the cybersecurity market leader in machine identity management. From the ground to the cloud, Venafi solutions manage and protect identities for all types of machines — from physical and IoT devices to software applications, APIs, and containers. Venafi provides global visibility, life cycle automation, and actionable intelligence for all machine identity types and the security and reliability risks associated with them.

Jetstack, a Venafi company, is a cloud native products and strategic consulting company working with enterprises using Kubernetes and OpenShift. An open source pioneer, Jetstack has achieved notable industry recognition as the creator of cert-manager, the open source industry standard for cloud native machine identity management.

Jetstack’s open source products and solutions protect the application environments and platform infrastructure of global banks, multinational retailing companies, and defense organizations by providing enterprise platform and security teams the power to build, scale, and secure their cloud infrastructure.

With more than 30 patents, Venafi delivers innovative machine identity-management solutions for the world's most demanding, security-conscious organizations and government agencies, including the top five U.S. health insurers; the top five U.S. airlines; the top four credit card issuers; three out of the four top accounting and consulting firms; four of the five top U.S. retailers; and the top four banks in each of the following countries: the US, the UK, Australia, and South Africa.

www.venafi.com

www.jetstack.io

**About Forensic Pathways**

Incorporated in 2001, Forensic Pathways provides innovative technologies within the criminal-intelligence arena.

Focused primarily on the provision of digital forensic technologies, Forensic Pathways offers its international clients unique technologies in the management of mobile phone data, image analysis, and ballistics analysis.

From Babuk Source Code to Darkside Custom Listings — Exposing a Thriving Ransomware Marketplace on the Dark Web

With the recent demise of several popular "proxy" services that let cybercriminals route their malicious traffic through hacked PCs, there is now something of a supply chain crisis gripping the underbelly of the Internet. Compounding the problem, several remaining malware-based proxy services have chosen to block new registrations to avoid swamping their networks with a sudden influx of customers.

With the recent demise of several popular “proxy” services that let cybercriminals route their malicious traffic through hacked PCs, there is now something of a supply chain crisis gripping the underbelly of the Internet. Compounding the problem, several remaining malware-based proxy services have chosen to block new registrations to avoid swamping their networks with a sudden influx of customers.

Last week, a seven-year-old proxy service called **911\[.\]re** abruptly announced it was permanently closing after a cybersecurity breach allowed unknown intruders to trash its servers and delete customer data and backups. 911 was already akin to critical infrastructure for many in the cybercriminal community after its top two competitors — **VIP72** and **LuxSocks** — closed or were shut down by authorities over the past 10 months.

The underground cybercrime forums are now awash in pleas from people who are desperately seeking a new supplier of abundant, cheap, and reliably clean proxies to restart their businesses. The consensus seems to be that those days are now over, and while there are many smaller proxy services remaining, few of them on their own are capable of absorbing anywhere near the current demand.

“Everybody is looking for an alternative, bro,” wrote a **BlackHatForums** user on Aug. 1 in response to one of many “911 alternative” discussion threads. “No one knows an equivalent alternative to 911\[.\]re. Their service in terms of value and accessibility compared to other proxy providers was unmatched. Hopefully someone comes with a great alternative to 911\[.\]re.”

**NEW SOCKS, SAME OLD SHOES**

Among the more frequently recommended alternatives to 911 is **SocksEscort\[.\]com**, a malware-based proxy network that has been in existence since at least 2010. Here’s what part of their current homepage looks like:

The SocksEscort home page says its services are perfect for people involved in automated online activity that often results in IP addresses getting blocked or banned, such as Craigslist and dating scams, search engine results manipulation, and online surveys.

But faced with a deluge of new signups in the wake of 911’s implosion, SocksEscort was among the remaining veteran proxy services that opted to close its doors to new registrants, replacing its registration page with the message:

“Due to unusual high demand, and heavy load on our servers, we had to block all new registrations. We won’t be able to support our proxies otherwise, and close SocksEscort as a result. We will resume registrations right after demand drops. Thank you for understanding, and sorry for the inconvenience.”

According to Spur.us, a startup that tracks proxy services, SocksEscort is a malware-based proxy offering, which means the machines doing the proxying of traffic for SocksEscort customers have been infected with malicious software that turns them into a traffic relay.

Spur says SocksEscort’s proxy service relies on software designed to run on Windows computers, and is currently leasing access to more than 14,000 hacked computers worldwide. That is a far cry from the proxy inventory advertised by 911, which stood at more than 200,000 IP addresses for rent just a few days ago.

Image: Spur.us

SocksEscort is what’s known as a “SOCKS Proxy” service. The SOCKS (or SOCKS5) protocol allows Internet users to channel their Web traffic through a proxy server, which then passes the information on to the intended destination. From a website’s perspective, the traffic of the proxy network customer appears to originate from a rented/malware-infected PC tied to a residential ISP customer, not from the proxy service customer.

These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they make it difficult to trace malicious traffic to its original source.

The disruption at 911\[.\]re came days after KrebsOnSecurity published an in-depth look at the long-running proxy service, which showed that 911 had a history of incentivizing the installation of its proxy software without user notice or consent, and that it actually ran some of these “pay-per-install” schemes on its own to guarantee a steady supply of freshly-hacked PCs.

That story also showed once again that the people who are building and leasing these botnets are surprisingly easy to identify in real life, particularly given that they operate malware-based anonymity services that enable a great deal of cybercrime activity.

Such was the case again with SocksEscort. Hilariously, the common link that exposed the real-life identities of the people running this SOCKS service was that _they all worked for the same online shoe store_.

**ANGRY CODERS**

SocksEscort\[.\]com was originally registered to the email address “**michdomain@gmail.com**,” which according to DomainTools.com was used to register a handful of related domains, including its previous incarnation — super-socks\[.\]biz. Cached versions of the site show that in 2010 the software which powers the network was produced with a copyright of “**Escort Software**.”

Super-socks\[.\]biz came online around the same time as another domain registered to that “michdomain” email: **ip-score\[.\]com**, which soon became shorthand on several cybercrime forums for a service that could tell visitors whether their Internet address  — or more precisely, the proxy they were using —  was flagged by any security software or services as compromised or malicious.

IP-score offered a revenue sharing program for websites that chose to embed its IP-scoring code, and the copyright on that userbar program was “**Angry Coders**.”

A copy of ip-score.com, as indexed by Archive.org.

A review of the Internet addresses historically used by Super-socks\[.\]biz and SocksEscort\[.\]com reveals that these domains at various times over the years shared an Internet address with a small of other domains, including **angrycoders\[.\]net**, **iskusnyh\[.\]pro**, and **kc-shoes\[.\]ru**.

Cached copies of angrycoders\[.\]net from the Wayback Machine don’t reveal much about this particular group of irate programmers, but a search on the domain brings up several now-dormant listings for an Angry Coders based in Omsk, a large city in the Siberian region of Russia. The domain was registered in 2010 to an **Oleg Iskushnykh** from Omsk, who used the email address **iboss32@ro.ru**.

According to Constella Intelligence \[currently an advertiser on KrebsOnSecurity\], Oleg used the same password from his iboss32@ro.ru account for a slew of other “iboss” themed email addresses, one of which is tied to a LinkedIn profile for an Oleg Iskhusnyh, who describes himself as a senior web developer living in Nur-Sultan, Kazakhstan.

Iskusnyh’s Github profile shows he has contributed code to a number of online payment-related technologies and services, including Ingenico ePayments, Swedbank WooCommerce, Mondido Payments, and Reepay.

**DON’T JUDGE A MAN UNTIL YOU’VE WALKED A MILE IN HIS SOCKS**

The various “iboss” email accounts appear to have been shared by multiple parties. A search in Constella’s database of breached entities on “iboss32@gmail.com” reveals someone using the name Oleg Iskusnyh registered an online profile using a phone number in Bronx, New York. Pivoting on that phone number — **17187154415** — reveals a profile exposed in the breach at sales intelligence firm Apollo with the first name “Dmitry” who used the email address **chepurko87@gmail.com**.

That email is connected to a LinkedIn profile for a **Dmitry Chepurko** in Pavlodar, Kazakhstan. Chepurko’s resume says he’s a full stack developer, who most recently worked in the Omsk offices of a German shoe company called **KC Shoes** (the aforementioned kc-shoes.ru\]. Chepurko’s resume says before that he worked on his own for a decade using the freelancing platform **Upwork.**

The Upwork profile listed in Chepurko’s LinkedIn C.V. is no longer active. But that same now-defunct Upwork account link is still listed as the profile of a “Dmitry C.” in an UpWork profile page for the Angry Coders team in Omsk, Russia.

The UpWork profile page for the Angry Coders programming team from Omsk, RU.

Who is the “**Alexander S**.” listed above under the “Agency members” heading in the Upwork profile for Angry Coders? Historical DNS records from Farsight Security show angrycoders.net formerly included the subdomain “smollalex.angrycoders\[.\]net”.

A simple Internet search on “kc-shoes” reveals a Github account for a user from Omsk with the first name Alexander and the account name “Smollalex.” Alexander’s Github account indicates he has contributed code to the kc-shoes website as well.

Constella’s service shows that “Smollalex” was a favorite handle chosen by an **Alexandr Smolyaninov** from Omsk. The Smollalex Github account associates this individual with a company in Omsk that sells parts for oil and gas pipelines.

That shoes are apparently the common link among the Angry Coders responsible for SocksEscort is doubly amusing because — at least according to the posts on some cybercrime forums — one big reason people turn to these proxy services is for “shoe botting” or “sneaker bots,” which refers to the use of automated bot programs and services that aid in the rapid acquisition of limited-release, highly-sought-after designer athletic shoes that can then be resold at huge markups on secondary markets.

It’s not clear if the Angry Coders team members remain affiliated with SocksEscort; none of them responded to requests for comment. There were certain connections made clear throughout the research mentioned above that the Angry Coders outsourced much of the promotion and support of their proxy service to programmers based in India and Indonesia, where apparently a large chunk of its customers currently reside.

Further reading:

July 29, 2022: 911 Proxy Service Implodes After Disclosing Breach

July 28, 2022: Breach Exposes Users of Microleaves Proxy Service

July 18, 2022: A Deep Dive Into the Residential Proxy Service ‘911’

June 28, 2022: The Link Between AWM Proxy & the Glupteba Botnet

June 22, 2022: Meet the Administrators of the RSOCKS Proxy Botnet

Sept. 1, 2021: 15-Year-Old Malware Proxy Network VIP72 Goes Dark

No SOCKS, No Shoes, No Malware Proxy Services!

Launches industry’s first ZTNA migration tool and ZTNA buyback program, setting the stage for migration away from ZTNA 1.0.

**SAN MATEO, CA, August 2, 2022** – Axis has announced a host of new enhancements to one of its four key Security Service Edge (SSE) modules – the Atmos ZTNA solution, which secures access between authorized users and specific internal applications. The company also announced a slew of new tools to help companies easily migrate away from cumbersome ZTNA 1.0 solutions.

When remote work became the new normal in early 2020, Zero Trust Network Access (ZTNA) emerged as the premier solution for remote access, and the first step in the zero-trust journey for most organizations. According to Gartner, ZTNA captured a 60% YoY growth rate (Source: Forecast: Enterprise Network Equipment by Market Segment, Worldwide, 2019-2025, 4Q21 update). Despite this, the constant challenge has been that many of the first ZTNA solutions, ZTNA 1.0, were rushed to market to meet the work-from-home moment. They lacked support for many legacy protocols (VOIP, ICMP, AS400, etc.), it was extremely difficult to set up policies, and many did not even inspect traffic. This left companies longing for more simplicity and stronger security controls.

"Cybersecurity has never been more important, so it's no surprise that zero trust, and ZTNA solutions, have become a critical focus area for enterprises. What is surprising is how clunky, complex, and underwhelming most of the ZTNA 1.0 solutions are. With help from 50+ CISOs, we designed Atmos ZTNA to be a Modern Day ZTNA service that is smart, yet incredibly simple — so that on day one, IT security leaders can embrace true zero trust, without the headache," said Dor Knafo, Axis co-founder and CEO.

**New Atmos ZTNA Features**

· **Free ZTNA 1.0 Migration Tool + ZTNA BuyBack Program —** To make it easy for enterprise teams to migrate from ZTNA 1.0 to the Atmos ZTNA service, Axis launched the **industry's first ZTNA migration tool**. The migration tool takes application segments developed in Zscaler Private Access (ZPA) and converts them to Atmos ZTNA applications. The customer then uses the service's simple policy system to define policy — all within just a few minutes. In conjunction with the migration tool, Axis has also launched the **industry's first ZTNA buyout program** where ZTNA 1.0 customers receive up to 6 months of free service when they replace their ZTNA service and agree to a three-year Atmos Core Edition subscription. Any enterprise that signs up will also receive the Atmos Web Gateway module, as well.

· **Hyper-intelligence for adaptive access —** A new multicloud PoP resolution capability allows Atmos to automatically select the most optimal connectivity path, and auto-select the AWS, Google, or Oracle PoP for brokering — by using latency telemetry. So if AWS goes down, either of the other two cloud providers can be used to broker connectivity — or vice versa. Axis also added in auto-session termination, where Atmos uses its continuous monitoring capability to terminate live sessions if identity, or user group, changes take place. Lastly, the company added enhanced telemetry to its Atmos Agent. Within the unified Atmos Dashboard, IT admins can now view a "Live" device posture status, as well as auto-detect jailbroken end-user devices. Each of these are critical in the world of work-from-anywhere, and are industry firsts.

· **Protective surface discovery & security —** Axis added a new Additional Domain Discovery tool that auto-discovers all unknown related domains when onboarding internal applications, like Outlook, and allows IT to easily add to the application's policy. Axis also added an industry-first User group pairing capability, which allows IT to easily define the IP ranges and destinations specific user groups have access to in a way that overrides all previous access policies — for simplified least-privilege access.

· **"Edgier" —** The Atmos platform is designed to artfully extend secure connectivity out to the user's location through 350 Atmos edge locations running on the global backbone of AWS Global Accelerator, Google Cloud Platform, and Oracle Cloud. Axis announced that it added new PoPs in San Jose, Phoenix, North Virginia, London, Frankfurt, Jerusalem, Hong Kong, and Sydney, based on increased customer demand. Axis also launched its "PoP Desert Initiative." The company works with prospects/customers, as design partners, to discover geographic areas where latency exists and works with them to deploy new Atmos PoPs, which can be done in under one hour, with no hardware required. The goal is to constantly deliver the industry's fastest user-connectivity experience.

**Availability**

All of these Atmos ZTNA capabilities and announcements are generally available today.

**Atmos SSE Platform**

Short for "Atmosphere," Atmos is the modern alternative to legacy hub-and-spoke network architectures, and Security Service Edge (SSE) platforms that have data center-based architectures. Atmos helps IT avoid the need to connect users to the corporate network, drastically reduce exposure to ransomware threats, and spend less time on costly, and complex, firewall-based network segmentation. Atmos artfully integrates the four key SSE modules — Zero Trust Network Access, Secure Web Gateway, Cloud Access Security Broker, and Digital Experience monitoring — into one platform with one pane of glass.

**About Axis Security**

Axis' vision is to bring harmony to workplace connectivity and that the sooner IT adopts zero trust, the sooner we can witness a world where the exchange of information is always fast, seamless, and secure. With 350 Axis cloud service edges across the world, Axis helps IT leaders enable their employees, partners, and customers to securely access business data without the pitfalls of network-centric solutions or application limitations that every other zero trust service faces. Through its world-class research and development and founding team, which hails from Israel’s acclaimed Unit 8200, Axis aims to accelerate the world's transition to a modern workplace where hybrid work is made simple, digital experience becomes a competitive advantage, and business data remains protected from cyber threats even as it moves to the cloud. For more information, visit www.axissecurity.com. Follow us on Twitter and on Linkedin.

Axis Raises the Bar With Modern-Day ZTNA Service that Boasts Hyper-Intelligence, Simplicity, and 350 Global Edges

Microsoft says the new tools will give security teams an attacker's-eye view of their systems and supercharge their investigation and remediation efforts.

Microsoft announced two new capabilities to its Defender security tools — threat intelligence and external attack surface management.

With Microsoft Defender Threat Intelligence, security teams will have additional context, insights, and data to find attacker infrastructure and move to investigate and remediate faster, the company said in an announcement. Security teams will have access to real-time data from both Microsoft Defender and Microsoft Sentinel to proactively hunt for threats.

"Microsoft Defender Threat Intelligence maps the internet every day, providing security teams with the necessary information to understand adversaries, and their attack techniques," the company said in its announcement of the new security solutions. "Customers can access a library of raw threat intelligence detailing adversaries by name, correlating their tools, tactics, procedures (TTPs), and can see active updates within the portal as new information is distilled from Microsoft's security signals and experts."

Microsoft's Defender External Attack Surface Management helps defenders find previously invisible and unmanaged resources that can be seen and attacked from the Internet. The system scans the Internet daily to create a catalog of the environment and uncover unmanaged resources that could be potential entry points for an attacker.

"Continuous monitoring, without the need for agents or credentials, prioritizes new vulnerabilities," the company explained in a post on the Microsoft Threat Intelligence blog. "With a complete view of the organization, customers can take recommended steps to mitigate risk by bringing these unknown resources, endpoints, and assets under secure management within their SIEM and XDR tools."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Intros New Attack Surface Management, Threat Intel Tools

An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file).

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 2 Aug 2022 11:53:25 +0300
From: EGE BALCI <ege@...daft.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2022-29154: Rsync client-side arbitrary file write vulnerability.

Date reported           : July 25, 2022
CVE identifiers         : CVE-2022-29154.
------------------------------------------------------------------------
Rsync client-side arbitrary file write vulnerability. (CVE-2022-29154)
------------------------------------------------------------------------

 >>>> We have discovered a critical arbitrary file write vulnerability 
in the
 >>>> rsync utility that allows malicious remote servers to write arbitrary
 >>>> files inside the directories of connecting peers. The server chooses
 >>>> which files/directories are sent to the client. Due to the 
insufficient
 >>>> controls inside the
 >>>> \[do\_server\_recv\](
 >>> 
https://github.com/WayneD/rsync/blob/85c56b2603d97c225889175797ffff6745a4d305/main.c#L1118
 >>> )
 >>>> function, a malicious rysnc server (or Man-in-The-Middle attacker) can
 >>>> overwrite arbitrary files in the rsync client target directory and
 >>>> subdirectories. An attacker abusing this vulnerability can overwrite
 >>>> critical files under the target rsync directory and subdirectories 
(for
 >>>> example, to overwrite the .ssh/authorized\_keys file). This issue 
is very
 >>>> similar with the
 >>>> \[CVE-2019-6111\](https://www.youtube.com/watch?v=fcesKgfSPq4).
 >>>>
 >>>> Best regards, Ege BALCI, Taha HAMAD.

The vulnerability was addressed with the developer of the rsync project 
and necessary patches are made. Related commit and details can be found 
in the following links,
- https://download.samba.org/pub/rsync/NEWS
- https://download.samba.org/pub/rsync/rsync.1#MULTI-HOST\_SECURITY
- 
https://github.com/WayneD/rsync/commit/b7231c7d02cfb65d291af74ff66e7d8c507ee871

We recommend updating to the latest stable versions of rsync.

-- 
\*Ege BALCI\*
Threat Intelligence Team Lead

\*PRODAFT Cyber Security Technologies INC.\*
\*CH:\* Y-Parc, rue Galilée 7, 1400 Yverdon-les-Bains, Switzerland
\*NL:\* Wilhelmina van Pruisenweg 104, 2595 AN Den Haag, Netherlands
\*E.:\*ege\[at\]prodaft.com
\*IN:\*/egebalci

In case you think you’re not the designated recipient of the e-mail 
hereby; please delete it accordingly. \*This e-mail may have been sent 
from a mobile device. Please contact me from my mobile, in case you 
notice an error in the content. PS. Feel free to contact me via Signal, 
Threema or Telegram; or ask for my public PGP key for high-profile cases 
that may require higher confidentiality.

**Content of type "**text/html**" skipped**

**Download attachment "**OpenPGP\_0xCDCA0F4B4445AA39.asc**" of type "**application/pgp-keys**" (649 bytes)**

**Download attachment "**OpenPGP\_signature**" of type "**application/pgp-signature**" (237 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-29154: security - CVE-2022-29154: Rsync client-side arbitrary file write vulnerability.

Series C investment from BuildGroup and Gula Tech Adventures, along with appointment of Kevin Mandia to the board of directors, will propel a new chapter of company growth.

COLLEGE PARK, Md., Aug. 2, 2022 /PRNewswire/ — Cybrary, the leading training platform for cybersecurity professionals, today announced it has secured $25 million in a Series C funding round led by current investors, BuildGroup and Gula Tech Adventures.

This latest investment brings Cybrary's total funding to date to $48 million, following its $15 million Series B round announced in November 2019, and will be used to support additional company growth by bolstering research and development (R&D) across its engineering, product, and marketing teams as well as continuing to grow the new CybraryThreat Intelligence Group (CTIG).

"Our continued investment in Cybrary is a testament to our belief in the important work they're doing to address the current cyber skills gap and how they plan to evolve their training programs in the future," said Jim Curry, Co-Founder and Managing Partner at BuildGroup. "We can't wait to see what this next chapter holds for Cybrary and fully support Kevin and his team every step along the way."

Additionally, Cybrary has officially announced that Kevin Mandia, CEO at Mandiant, has now joined its board of directors following Mandiant's announcement in March that it entered into a definitive agreement to be acquired by Google for $5.4B. He joins current members Jim Curry, Ron Gula, Ryan Kruizenga, as well as Cybrary co-founder Ryan Corey and current CEO Kevin Hanes, on the company board.

"I am excited to be joining Cybrary's board of directors during this exciting chapter of growth and momentum for the company," said Mandia. "Its mission to elevate the workforce and narrow the cybersecurity skills gap is inspirational. I am looking forward to helping Cybrary have an even greater impact to elevate the workforce to better defend the cyber domain."

With more than three million cybersecurity professionals using their training courses and certifications to up-skill themselves within the industry and helping to bridge the persistent cyberskills gap, Cybrary has been on a strong growth trajectory since its inception in 2015. This funding news also comes on the heels of the company's appointment of CEO Kevin Hanes in June 2021, recruitment of four new executive leaders in March 2022, and the recent additions of David Maynor and Chloé Messdaghi as the Head of CTIG and Chief Impact Officer, respectively, in May 2022.

"We can't thank BuildGroup and Gula Tech Adventures enough for their continued belief and contributions towards our mission to provide individuals, cybersecurity teams, and organizations with the knowledge, skills, and resources they need to grow careers and defend against the latest cyber threats," said Hanes. "I'm here because we have a tremendous opportunity to make an impact on a problem that matters to millions of people and these added resources will help us accelerate innovation that is centered around our core mission."

To learn more about the latest investment, as well as the company's plans for the rest of this year and beyond, stop by Cybrary's booth (#1381) at Black Hat in Las Vegas, Nevada, from August 10-11. 2022.

**About Cybrary  
**Cybrary is the industry-leading training platform that provides the right training at the right time to fully equip cybersecurity professionals at every stage in their careers. Cybrary offers threat-informed training and certification preparation to help industry professionals build the skills and knowledge to confidently mitigate the threats their organizations face and bridge the persistent cybersecurity skills gap. Cybrary enables more than 3 million learners, from service providers and government agencies to Fortune 1000 organizations and individuals alike, to be armed and ready to respond in the fight against constantly evolving cybersecurity threats. For more information on Cybrary and our offerings, visit www.cybrary.it.

**About BuildGroup  
**BuildGroup is a company that selectively invests in leadership teams with staying power. We back founders who are ambitious enough to want to make a dent in the universe and humble enough to realize they can't do it alone. By providing permanent capital from aligned investors and avoiding forced exits, BuildGroup frees entrepreneurs to focus on serving customers instead of raising the next round. We believe that great businesses are built, not bought, and that's why our team works side-by-side with founders to create conditions for long-term growth. BuildGroup was founded in Austin, Texas, by a team of proven builders who love nothing more than helping build and grow extraordinary companies.

**About Gula Tech Adventures  
**Gula Tech Adventures, a cybersecurity and technology-focused venture capital firm, was founded by cyber industrialists Ron and Cyndi Gula. Gula Tech Adventures seeks to increase the pervasiveness of cybersecurity in critical infrastructure and industries, improve awareness of cybersecurity risks, and provide opportunities for recruitment and training of the cybersecurity workforce. For more information about Gula Tech Adventures, please visit https://Gula.Tech.

Source: Cybrary

Cybrary Lands $25 Million in New Funding Round

In conjunction with Black Hat 2022, pioneer of digital executive protection also announces new security innovations and SOC 2 Type II certification.

In conjunction with Black Hat 2022, pioneer of digital executive protection also announces new security innovations and SOC 2 Type II certification.

ORLANDO, Fla., Aug. 2, 2022 /PRNewswire-PRWeb/ -- BlackCloak, the leading provider of digital executive protection for corporate executives, board members, and high-access employees and their families, today announced the addition of three new mobile device security features to its award-winning Concierge Cybersecurity & Privacy Platform (TM).

Post-pandemic, the attack surface has greatly expanded; and the personal digital lives of company leaders have become the soft underbelly of enterprise security. Attacking executives as a conduit to breach the company has evolved from an occasional nuisance into a mainstream threat. BlackCloak's SaaS-based Platform helps reduce risk to both individuals and their organization by protecting the digital privacy, personal devices, and home networks of key company personnel.

New digital executive protection features unveiled at Black Hat 2022:

— QR Code Scanner - An additional layer of malware protection on personal devices, BlackCloak's QR Code Scanner will automatically validate the legitimacy of a QR codes' underlying URL, and proactively alert members to navigate away from websites determined to be malicious.  
— Malicious Calendar Detection - Using proprietary anti-malware technology, the BlackCloak mobile app will automatically determine the legitimacy of invitations or newly added calendars, giving members the opportunity to delete potentially malicious events before malicious code can be injected.  
— VPN - To reduce the risk of both network and endpoint-driven threats, BlackCloak's enterprise-grade VPN will provide members with the opportunity to establish a secure internet connection from within the app when and where connectivity is suspect or compromised.

The QR Code Scanner, Malicious Calendar Detection feature, and VPN will be available in Q3 on the BlackCloak Platform. Book a meeting with BlackCloak executives at Innovation City Booth 52. 

"Today's announcement reinforces BlackCloak's core value of innovating with speed, passion, and curiosity," said Chris Pierson, BlackCloak founder and CEO. "We have an extensive pipeline of product updates and continue to solicit our clients for additional innovation ideas as well as research and development for new threats. Cyber and Privacy threats are always-evolving, and we will continue to keep pace to help our members beyond expectations — protecting them and their companies — both now and in the future."

BlackCloak also announced today that it successfully completed its System and Organization Controls (SOC) 2 Type II audit for the second year in a row. This distinction ensures that the organization is in compliance with the leading industry standards for managing enterprise data, reports on security controls across key areas relevant to the safe handling of customer data.

Meet BlackCloak at Black Hat 2022. BlackCloak will be exhibiting at Black Hat's Innovation City Booth 52. Schedule a one-on-one meeting or drop by to:

— Learn about the use cases and benefits for digital executive protection  
— See a demo of the platform in action  
— Flop a winning poker hand in a raffle for cash prizes and swag

Learn more at BlackCloak.io and follow the brand on social media @BlackCloakCyber.

About BlackCloak  
BlackCloak protects corporate executives, high-access employees, and high-net-worth individuals and families from targeted cyberattacks, online fraud, and other risks to them and their companies through their personal digital lives. Used by Fortune 1000s and mid-market organizations across all industries, BlackCloak's SaaS-based digital executive protection solution protects the digital privacy, personal devices, and home networks of people with little time and a lot to lose. Executives and high-profile individuals get peace of mind knowing that their family, wealth, reputation, and finances are secured.

Corporate security teams rest easy knowing that their organization is protected from threats to IP, finances, physical security, data and other digital assets that originate in their executives' personal digital lives.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

More Insights

Webinars

*   Understanding Machine Learning, Artificial Intelligence, & Deep Learning, and When to Use Them
*   Malicious Bots: What Enterprises Need to Know

Reports

*   Breaches Prompt Changes to Enterprise IR Plans and Processes
*   Implementing Zero Trust In Your Enterprise: How to Get Started

Editors' Choice

Robert Lemos, Contributing Writer, Dark Reading

Jai Vijayan, Contributing Writer, Dark Reading

Ericka Chickowski, Contributing Writer, Dark Reading

Joshua Goldfarb, Fraud Solutions Architect - EMEA and APCJ, F5

Webinars

*   Understanding Machine Learning, Artificial Intelligence, & Deep Learning, and When to Use Them
*   Malicious Bots: What Enterprises Need to Know
*   How Supply Chain Attacks Work - And What You Can Do to Stop Them
*   Ransomware Resilience and Response: The Next Generation
*   Assessing Cyber Risk

White Papers

*   Breaches Prompt Changes to Enterprise IR Plans and Processes
*   Five Best Practices for AWS Security Monitoring
*   Gartner, Quick Answer: How Can Organizations Use DNS to Improve Their Security Posture?
*   Understanding DNS Threats and How to Use DNS to Expand Your Cybersecurity Arsenal
*   AppSec Considerations For Modern Application Development

Events

*   SecTor - Canada's IT Security Conference Oct 1-6 - Learn More
*   Black Hat USA - August 6-11 - Learn More
*   \[FREE Virtual Event\] The Identity Crisis

More Insights

Webinars

*   Understanding Machine Learning, Artificial Intelligence, & Deep Learning, and When to Use Them
*   Malicious Bots: What Enterprises Need to Know

Reports

*   Breaches Prompt Changes to Enterprise IR Plans and Processes
*   Implementing Zero Trust In Your Enterprise: How to Get Started

BlackCloak Bolsters Malware Protection With QR Code Scanner and Malicious Calendar Detection Features

From adopting zero-trust security models to dynamic environments to operating under an "assumed breach" mentality, here are ways IT departments can reduce vulnerabilities as they move deliberately to become more secure.

Over the last few years, the modern office has evolved rapidly, with workforces becoming more mobile and geographically distributed than ever before. Even before COVID-19, modern enterprises were embracing the remote work model, and the average Fortune 500 company had more than 300 global office locations. Over the last few years — to attract and retain top talent who often list hybrid work as a priority — innovative companies have added even more emphasis on flexible workplaces. As we move past the worst of COVID-19, it doesn't seem we'll ever see a return to the pre-pandemic office. In fact, it's been estimated that by 2025, 70% of the workforce will work remotely at least five days a month.

To remain productive while working remotely, employees utilize many different cloud-based apps, such as Microsoft Teams and Monday.com. Though these apps are a boon for employee efficiency, their use has created challenges for IT departments and has opened new security vulnerabilities. To improve understanding of what's happening in their networks, IT professionals often rely on an increasing number of monitoring and management tools. Simultaneously, they must defend against hackers who relentlessly pursue new and dangerous attacks.

Even before the swift global adoption of remote work, enterprises faced rapidly rising cyber threats, including professionalization of hacking groups and increased ransomware and phishing attacks. Today, dispersed workforces have expanded threat surfaces, with highly sophisticated threat actors constantly exploiting challenges posed by remote work for financial gain, such as stealing intellectual property, carrying out supply chain attacks, and more.

**Five Ways to Reduce Vulnerabilities**

At SolarWinds, we've seen firsthand how the threat landscape has evolved. Below are just five steps we've taken as an organization we hope can help other IT departments reduce vulnerabilities and become secure by design:

**1\. Limit Shadow IT**

Having control over and visibility into all parts of a network is critical. It means understanding what employees do and what data and resources they access. Unfortunately, dispersed modern workforces make this a particular challenge due to "shadow IT." Shadow IT essentially entails employees who use technologies or services — such as Dropbox or Google Workspace — the company IT department hasn't approved. Though using productivity apps like these may seem like a harmless practice on the surface, shadow IT inherently prevents teams from having control and visibility into their systems, which can result in loss of data and increased apps and services for attackers to target.

**2\. Adopt Zero Trust**

As businesses embrace long-term hybrid and remote work policies, it's critical to monitor and secure not only a company's workforce but its resources and data. At its core, the zero-trust security model closely guards company resources while operating under the "assumed breach" mentality. This means every request to access company information or services is verified to prevent any unauthorized network access. Through policy management, multifactor authentication, and consistent network monitoring, enterprises can leverage zero-trust principles to prevent or flag unusual or unauthorized access to company resources based on user identity, location, and other key criteria. At a time when more employees are accessing more information in more geographies than ever, zero trust is a powerful tool to help improve visibility, effectively identify threats, and mitigate vulnerabilities.

**3\. Strengthen Software Development Processes**

Though the majority of cyberattacks are aimed at stealing data, money, or intellectual property, software development companies must also defend against another unique threat: supply chain attacks. These attacks occur when hackers access and manipulate code capable of impacting users of the affected software. To help prevent and ensure resilience against attacks, the integrity of the software build process and environment must be of the utmost importance for software development companies.

At SolarWinds, we prioritized upgrading and strengthening our own software build process. One thing we learned and we believe other enterprises should adopt involves developing portions of software in multiple separate environments, each of which requires different security credentials to access. Creating code in these parallel, secure environments makes it more difficult for threat actors to obtain or corrupt a complete product. Companies can further strengthen their software development process by implementing dynamic environments, which are build locations automatically destroyed once their use is complete. These dynamic environments are key, as they eliminate the opportunity for attackers to infiltrate and remain inside a network.

**4\. Leverage Red Teams**

Identifying vulnerabilities and assessing threats doesn't need to be a burdensome practice. One strategy enterprises can adopt to reduce the need for IT departments to identify each and every threat is employing the use of red teams, which hunt for vulnerabilities in a network and simulate attacks in real time. Some of these simulations include phishing campaigns or brute-force attacks. These red teams help keep IT employees' skills sharp, ensuring they're ready to adapt, stay a step ahead of bad actors, and thwart breach attempts. In addition to attempting intrusions, red teams also document each step of their process to break down attack methods and implement prevention techniques.

**5\. Make Your People Part of Your Defense**

There's no doubt the technology and automated processes an enterprise employs are a huge part of remaining secure and preventing hacks and breaches. The many proven solutions security experts have developed to stop hackers are nothing short of extraordinary, but regardless of the technology available, a large amount of risk is still produced by humans and our behavior. To create a truly secure network environment, enterprises must treat every employee as though they're part of the security team. Companies should hold regular training sessions to ensure employees practice good cyber hygiene and keep up to date on the latest hacking methods.

Becoming "secure by design" is now a C-level priority and is no longer only a responsibility of the IT department. With the threat landscape rapidly evolving and the new reality that any business — large or small — can and will face new and sophisticated threats, community vigilance across the entire organization and industry at large is required to defend against these challenges.

Tag

#intel