Almost every vendor, from email gateway companies to developers of threat intelligence platforms, is positioning themselves as an XDR player. But unfortunately, the noise around XDR makes it harder for buyers to find solutions that might be right for them or, more importantly, avoid ones that don't meet their needs. 
Stellar Cyber delivers an Open XDR solution that allows organizations to use

Almost every vendor, from email gateway companies to developers of threat intelligence platforms, is positioning themselves as an XDR player. But unfortunately, the noise around XDR makes it harder for buyers to find solutions that might be right for them or, more importantly, avoid ones that don't meet their needs.

Stellar Cyber delivers an Open XDR solution that allows organizations to use whatever security tools they desire in their security stack, feeding alerts and logs into Stellar Cyber. Stellar Cyber's "Open" approach means their platform can work with any product. As a result, a security team can make changes without wondering if the Stellar Cyber Open XDR platform will still work.

Stellar Cyber address the needs of lean enterprise security teams by providing capabilities typically found in NG-SIEM, NDR, and SOAR products in their Open XDR platform, managed by a single license. This consolidation enables customers to eliminate security stack complexity.

Stellar Cyber services customers in all major industries, with customers across Europe, Asia, Australia, Japan, South Korea, and Africa, providing security for over 3 million assets. In addition, Stellar Cyber claims after deployment, users see up to 20x faster mean time to respond (MTTR), a bold claim.

**Responding to an Incident from the Home page**

When logging into Stellar Cyber, the initial screen is the analyst home screen, showing stats such as top incidents and riskiest assets. An interesting piece on this screen is what Stellar Cyber calls the Open XDR Kill Chain. Clicking on any segment of the kill chain, such as "Initial Attempts," shows threats associated with that portion of the attack chain.

For example, the user can see these alerts with the stage "Initial Attempts" set by Stellar Cyber automatically. The user can see more information about the alert by clicking on "View" on any of the alerts. Then, scrolling down the screen, the user can click the "more info" hyperlink to see more information about the selected alert.

Here a user can read about the incident, review the details, and see the raw data behind this incident and the JSON, which is copiable to a clipboard if necessary. In addition, by clicking the "Actions" button, the user can see other powerful platform features.

The user can take response actions from this screen, such as "add a filter, trigger an email, or take external action. Clicking on external action shows an additional picklist. The user can click on Endpoint to see the action options from contain host to shutdown host.

When clicking on an action, like contain host, a configuration dialog displays where the user can select the connector to use, the target of the action, and any other options required to initiate the action chosen. In summary, security analysts, especially junior ones, will find this workflow very useful in that they can a) quickly review details of an incident from the home screen, b) see even more details by going further into the data, and c) take a remediation action from this screen without writing any scripts or code.

The enterprise can help onboard new analysts by having them work on this view to familiarize them with the platform, handling low-priority incidents so other analysts can work on the more critical incidents.

****Exploring Incidents****

Instead of clicking on the Open XDR Kill Chain, if the user clicks "Incidents," the screen below is shown.

When the user clicks on the carrot in the blue circle, a filtering list enables a user to hone in on a specific type of incident. The user can go directly to the details button to see what is in this detail view.

The user can see how this incident occurred and propagated across multiple assets. Further, the user can automatically see the files, processes, users, and services associated with the incident. So, for example, the user could switch to the timeline view to get a readable history of this incident.

And click the small "i" to get to the detail screen shown previously.

In summary, analysts who are used to working from a list of alerts may like to start their investigations from the incidents page. This view is also beneficial as it automatically shows all alerts associated with this incident in a single view.

****Threat Hunting in Stellar Cyber****

Users can initiate a threat hunt from the screen above. The stats on the screen change dynamically by typing in a term, such as "login," in the search dialog. Then, scrolling down the screen, users can see a list of alerts filtered based on the search term.

Users can create a "correlation search" under the search dialog box.

Users can load a saved query or add a new query. Clicking the add query, the user can see this query builder. This builder enables a search across the Stellar Cyber datastores for threats that went unnoticed. Here the user can also access the threat hunting library.

Finally, the user can create response actions that automatically execute if the query returns matches.

In summary, Stellar Cyber offers a simple threat-hunting platform that doesn't require users to build their own ELK stack or be a power scripter. This feature is an easy way to add a threat-hunting element to a security team without hiring a senior threat hunter.

****Conclusion****

Stellar Cyber is a solid security operations platform with many features that could help a security team improve productivity. If in the market for a new SecOps platform and open to adopting (in whole or part) a new approach to security, it is worth looking at what Stellar Cyber offers. To learn more about Stellar Cyber, try the 5-minute product tour.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Product Review: Stellar Cyber Open XDR Platform

A stacked combination of hardware and software protects the next version of Windows against the latest generation of firmware threats.

Microsoft on Tuesday released a hefty PDF detailing Windows 11's new security-focused features, with a heavy emphasis on supporting zero trust.

For a couple of years now, Microsoft, Google, and Amazon have been working with the US federal government on improving cybersecurity through zero trust, among other techniques. It's no coincidence that these are the big three cloud service providers, of course; they are best positioned to institute controls to prevent catastrophic cyberattacks.

But Microsoft is also moving security way down the stack to where cloud rivals can't follow: firmware.

**Hardware Security Under Attack**

While network-level security is mandatory, it is not sufficient to protect against attackers who target firmware and other low-level elements of a computer.

Flaws in firmware for CPUs, printers, and other hardware can open a door to a corporate network. Malware like TrickBot, MoonBounce, and LoJax that worms its way into the silicon is difficult to dislodge.

"These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors which store sensitive business information," Microsoft stated in the new report. "With hardware-based protection, we can enable strong mitigation against entire classes of vulnerabilities that are difficult to thwart with software alone." 

Besides the extra strength of the protection, Microsoft touts less slowdown using hardware-based protection versus running it in software.

The foundation of the built-in hardware security is a partnership between hardware root-of-trust and silicon-assisted security.

**Hardware Root-of-Trust**

Hardware root-of-trust is, by definition, "a starting point that is implicitly trusted." In the case of a PC, it's the part that checks BIOS code to ensure it's legitimate before it boots up. And anyone who's had to remove malware from a machine with infected BIOS knows how vital that is.

The new security measures include storing sensitive data such as cryptographic keys and user credentials isolated from the operating system within a separate secure area. Microsoft requires a Trusted Platform Module (TPM) 2.0 chip to be installed on both new and upgraded Windows 11 machines. The company had required TPM 2.0 capabilities on all new Windows 10 machines, but the latest version of Windows won't even run if the PC doesn't have a TPM 2.0 security chip.

"With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind additional barriers separated from the operating system," Microsoft wrote in its new report. "As a result, information including encryption keys and user credentials are protected from unauthorized access and tampering."

To provide TPM 2.0 protection directly on the motherboard, Windows 11 machines include the Microsoft Pluton security processor on the system-on-chip. While Pluton is not brand new – it was previewed back in November 2020 – integrating TPM 2.0 capabilities in this way eliminates one attack vector: the bus interface between the CPU and the TPM chip.

Not all Windows 11 machines will have a Pluton chip, but they will all have a TPM 2.0 chip.

**Silicon-Assisted Security**

The silicon-assisted security measures in Windows 11 start with a secure kernel carved out using virtualization-based security (VBS). 

"The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory," Microsoft wrote. "Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment."

Hypervisor-protected code integrity (HCVI) uses VBS to check the validity of code within the secure VBS environment instead of in the main Windows kernel. Kernel mode code integrity (KMCI), as that's called, fends off attempts to modify drivers and the like. KMCI verifies that all kernel code is properly signed and has not been altered before it allows it to run. HVCI is supported in all versions of Windows 11 and enabled by default in most editions.

A further measure of protection against such attacks as memory corruption and zero-day exploits is offered by hardware-enforced stack protection. 

"Based on Controlflow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack," Microsoft explained. The OS does this by creating a "shadow stack," set apart from other stacks, for return addresses.

To protect against physical incursions where an intruder surreptitiously installs malware from a device, Microsoft's line of Secured-core PCs will only run executables signed by "known and approved authorities," keeping external peripherals from accessing memory without authorization.

Even more firmware protection comes from Windows 11's universal implementation of the Unified Extensible Firmware Interface (UEFI) Secure Boot standard. The TPM stores a boot audit log, the Static Root of Trust for Measurement (SRTM), to check whether any attempts to subvert the boot were made.

UEFI is not unique to Windows machines, of course, but Windows 11 adds Dynamic Root of Trust for Measurement (DRTM) that checks the UEFI boot process for suspicious activity before allowing it to continue. Non-PC devices such as the Surface tablet use Firmware Attack Surface Reduction in place of DRTM.

Silicon-assisted security is part of the Pro, Pro Workstation, Enterprise, Pro Education, and Education versions of Windows 11. The Home editions will have some of these protections but not the full slate. See Microsoft's website for comparisons.

Microsoft Brings Zero Trust to Hardware in Windows 11

Microsoft and VMware are warning that the malware, which first surfaced as a browser-hijacking credential stealer, is now being used to drop ransomware, steal data, and crash systems at enterprises.

Security researchers are sounding the alarm on the malware tool dubbed ChromeLoader. It first surfaced in January as a consumer-focused, browser-hijacking credential stealer but has now evolved into a widely prevalent and multifaceted threat to organizations across multiple industries.

In an advisory released Sept. 19, researchers from VMware's Carbon Black managed detection and response team said they have recently observed the malware being used to also drop ransomware, steal sensitive data, and deploy so-called decompression (or zip) bombs to crash systems.

The researchers said they have observed hundreds of attacks involving newer versions of the malware targeting enterprises in business services, education, government, healthcare, and multiple other sectors. 

"This campaign has gone through many changes over the past few months, and we don’t expect it to stop," the researchers warned. "It is imperative that these industries take note of the prevalence of this \[threat\] and prepare to respond to it."

**Ongoing & Prevalent Campaign**

VMware's warning echoed one from Microsoft's Security Intelligence team Friday about a threat actor they are tracking as DEV-0796, which is using ChromeLoader in an extensive and ongoing click-fraud campaign. In a series of tweets, the researchers said the cyberattackers were attempting to monetize clicks generated by a browser extension or browser node-webkit that ChromeLoader had secretly downloaded on numerous user devices.

"This campaign begins with an .ISO file that's downloaded when a user clicks malicious ads or YouTube comments," according to Microsoft's analysis. When opened, the .ISO file installs the aforementioned browser node-webkit (NW.js) or a browser extension. 

"We’ve also seen the use of DMG files, indicating multi-platform activity," Microsoft researchers added.

ChromeLoader (aka ChromeBack or Choziosi Loader) grabbed attention in January when researchers observed malware operators using it to drop a malicious browser extension as a payload on user systems. The malware targeted users who visited sites touting cracked video games and pirated torrents. 

Researchers from Palo Alto Networks' Unit 42 threat hunting team described the infection vector as starting with a user scanning a QR code on those sites with the intention of downloading pirated content. The QR code redirected the user to a compromised website, where they were persuaded to download an .ISO image purporting to be the pirated file, which contained an installer file and several other hidden ones.

When users launched the installer file, they received a message indicating that the download had failed — while in the background a PowerShell script in the malware downloaded a malicious Chrome extension on the user's browser, Unit 42 researchers found.

**Rapid Evolution**

Since arriving on the scene earlier this year, the malware's authors have released multiple versions, many of them equipped with different malicious capabilities. One of them is a variant called Bloom.exe that made its initial appearance in March and has since infected at least 50 VMware Carbon Black customers. VMware's researchers said they observed the malware being used to exfiltrate sensitive data from infected systems. 

Another ChromeLoader variant is being used to drop zip bombs on user systems, i.e. malicious archive files. Users who click on the weaponized compression files end up launching malware that overloads their systems with data and crashes them. And since August, the operators of the appropriately named CrashLoader variant have been using the malware to distribute a ransomware family called Enigma.

**ChromeLoader's Updated Malicious Tactics**

Along with the payloads, the tactics for getting users to download ChromeLoader have also evolved. For instance, VMware Carbon Black researchers said they have seen the malware's author's impersonating various legitimate services to lead users to ChromeLoader. 

One service they have impersonated is OpenSubtitles, a site designed to help users to find subtitles for popular TV shows and movies, VMware said in its report. Another is FLB Music Play, a site for playing music. 

"The impersonated software is used in conjunction with an adware program that redirects web traffic, steals credentials, and recommends other malicious downloads posed as legitimate updates," VMware said.

Often, consumers are the primary targets of malware such as ChromeLoader. But with many employees now working from home, and often using their personally owned devices to access enterprise data and applications, enterprises can end up being impacted as well. VMware's Carbon Black team, like Microsoft's security researchers, said they believe the current campaign is only a harbinger of more attacks involving ChromeLoader.  

"The Carbon Black MDR team believes this is an emerging threat that needs to be tracked and taken seriously," VMware said in its advisory, "due to its potential for delivering more nefarious malware."

ChromeLoader Malware Evolves into Prevalent, More Dangerous Cyber Threat

The evolving tactics increase the threat of ransomware operators, but there are steps organizations can take to protect themselves.

Cybercriminals are becoming more strategic and professional about ransomware. They increasingly are emulating how legitimate businesses operate, including leveraging a growing cybercrime-as-a-service supply chain.

This article describes four key ransomware trends and provides advice on how to avoid falling victim to these new attacks. 

**1\. IABs on the Rise**

Cybercrime is becoming more profitable, as evidenced by the growth of initial access brokers (IABs) that specialize in breaching companies, stealing credentials, and selling that access to other attackers. IABs are the first link in the cybercrime-as-a-service kill chain, a shadow economy of off-the-shelf services that any would-be criminal can purchase to construct sophisticated tool chains to execute almost any digital offense imaginable.

IABs' top customers are ransomware operators, who are willing to pay for access to ready-made victims while they focus their own efforts on extortion and improving their malware.

In 2021, there were more than 1,300 IAB listings on major cybercrime forums monitored by the KELA Cyber Intelligence Center, with nearly half coming from 10 IABs. In most cases, the price for access was between $1,000 and $10,000, with an average sale price of $4,600. Of all of the offerings available, VPN credentials and domain administrator access were among the most valuable.

**2\. Fileless Attacks Fly Under the Radar**

Cybercriminals are taking a cue from advanced persistent threat (APT) and nation-state attackers by employing living-off-the-land (LotL) and fileless techniques to improve their chances of evading detection to successfully deploy ransomware.

These attacks leverage legitimate, publicly available software tools often found in a target's environment. For example, 91% of DarkSide ransomware attacks involved legitimate tools, with only 9% using malware, according to a report by Picus Security. Other attacks have been discovered that were 100% fileless.

This way, threat actors evade detection by avoiding "known bad" indicators, such as process names or file hashes. Application-allow lists, which permit the usage of trusted applications, also fail to restrict malicious users, especially for ubiquitous apps. 

**3\. Ransomware Groups Targeting Low-Profile Targets**

The high-profile Colonial Pipeline ransomware attack in May 2021 affected critical infrastructure so severely that it triggered an international and top government response.

Such headline-grabbing attacks prompt scrutiny and concerted efforts by law enforcement and defense agencies to act against ransomware operators, leading to the disruption of criminal operations, as well as arrests and prosecutions. Most criminals would rather keep their activities under the radar. Given the number of potential targets, operators can afford to be opportunistic while minimizing the risk to their own operations. Ransomware actors have become far more selective in their targeting of victims, enabled by the detailed and granular firmographics supplied by IABs.

**4\. Insiders Are Tempted With a Piece of the Pie**

Ransomware operators also have discovered that they can enlist rogue employees to help them gain access. The conversion rate may be low, but the payoff can be worth the effort.

A survey by Hitachi ID taken between Dec. 7, 2021, and Jan. 4, 2022, found that 65% of respondents said their employees had been approached by threat actors to help provide initial access. Insiders who take the bait have different reasons for being willing to betray their companies, although dissatisfaction with their employer is the most common motivator.

Whatever the reason, the offers made by ransomware groups can be tempting. In the Hitachi ID survey, 57% of the employees contacted were offered less than $500,000, 28% were offered between $500,000 and $1 million, and 11% were offered more than $1 million.

**Practical Steps to Improving Protection**

The evolving tactics discussed here increase the threat of ransomware operators, but there are steps organizations can take to protect themselves:

*   **Follow zero-trust best practices,** such as multifactor authentication (MFA) and least-privilege access, to limit the impact of compromised credentials and increase the chance of detecting anomalous activity.
*   **Focus on mitigating insider threats,** a practice that can help limit malicious actions not only by employees but also by external actors (who, after all, appear to be insiders once they've gained access).
*   **Conduct regular threat hunting,** which can help detect fileless attacks and threat actors working to evade your defenses early.  
    

Attackers are always looking for new ways to infiltrate organizations' systems, and the new ploys we're seeing certainly add to the advantages cybercriminals have over organizations that are unprepared for attacks. However, organizations are far from helpless. By taking the practical and proven steps outlined in this article, organizations can make life very tough for IABs and ransomware groups, despite their new array of tactics.

How to Dodge New Ransomware Tactics

Protection mechanism failure in firmware for some Intel(R) SSD DC Products may allow a privileged user to potentially enable information disclosure via local access.

%PDF-1.7 %���� 1 0 obj <>/Metadata 511 0 R/ViewerPreferences 512 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/Annots\[ 19 0 R 20 0 R 23 0 R 24 0 R 25 0 R 26 0 R 27 0 R 28 0 R 29 0 R\] /MediaBox\[ 0 0 612 792\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��\[�n�H}7��#9XQ�{3(v��"�:�g��yPd�c �2�� ?�߸U�"EI�I�-/&d�"Y��}��5/�w7��2x�z8^.'�?�������ë߲����n6Y��g���/K��s6���Q���$��������\_�GI�࿔)hfc�<\`F��";>��O�����4H�?�e�8p7O���r���y� N�wo�AR �7��r~\_��|����$� Ț%B���i+#�,�\[p�LSk�@M'��Z�%'���������X\`���5L)x�L\`����W��0?hɴ�O,n /K������>D&�y40�W��Ï�kwt dxO��ӈ����y|��}ڌ�NZ�4��Y�:�AW�|FX{�� ���U�'�j�/#�+��3� O#�ߣgΣ�2�Id鶏��y���m�ÏW�@������~�����e݄�1�\_�-�zJ�r)��t� @\*��ls� ���(��Œ�V�ǋ��Dem�����4H:G�H6�jx��Aub����/c����o�U/�|�����b�qq�ļ��!������w�c߬�B+�� x�.�\*ϗM�:���\*\*���-A\]B��P���ix�w�B�S'T��^�l�Y��\`U����� ��\*������V�p�ᝳi~�:�a.��Pw���Ɣ�Z6�2�� �1\_6���l���{8��p��q ����&��~��n�0� ����#M{\]�������!٫�ɾ8SC!�&r�c V�3s�6 ��ڄ�v��$z4\` (�$��h �X�����.���T%#<���F�T�%�7��7

CVE-2021-33081

**Woburn, MA, September 20, 2022 —** With the latest version of Kaspersky EDR Optimum, users can access an advanced automated detection mechanism and tailored incident response recommendations. The updated solution also ensures protection from damaged to crucial OS files, and provides information on file reputation from Kaspersky’s Threat Intelligence portal.

To help IT security workers deal with increased attack surfaces and complexities, Kaspersky presents the new edition of Endpoint Detection and Response Optimum. The updated version gives users the opportunity to gain highly sought-after skills in incident investigation and response, and helps them tackle their responsibilities under conditions of limited time and attention.

Kaspersky Endpoint Detection and Response Optimum provides information to get up to speed quickly. In addition to the previously available YouTube video instructions, the product now offers a Guided Response section in the alert card where IT security specialists can see the recommended steps for investigation and response.

In addition, Kaspersky Endpoint Detection and Response Optimum contains integrated "quality of life" improvements such as Threat Intelligence file reputation in the alert card. When a response is performed, a special check will help avoid making a mistake and blocking a crucial OS file, which can lead to ruining the whole infrastructure.

File reputation from Kaspersky Threat Intelligence Portal is available directly in the console allowing users to understand what files are harmless, malicious or suspicious, and also gives users insight into known or new threats in a faster and easier way. It also shows information such as which regions or countries the file was observed most frequently, and provides a link to the threat intelligence portal with additional information about the file.

“When our team was working on the Kaspersky Endpoint Detection and Response Optimum enhancements, one of the goals was to make all the solutions’ capabilities accessible for all types of our users, even for those who are making their first steps in investigation and response,” said Pavel Petrov, senior product manager at Kaspersky. “We believe the new features will allow our customers not only to ensure the protection of their company against multiple types of threats, but also increase the EDR expertise of the internal IT security team.”

During the last year, Kaspersky Endpoint Detection and Response was repeatedly recognized for its outstanding protective capacity. The product has shown superb results according to various independent evaluations including SE-labs, IDC, Radicati and others.

More information about Kaspersky Endpoint Detection and Response Optimum is available via this link.

New Kaspersky EDR Optimum Further Simplifies Protection Against Evasive Threats

Focused on bringing ease of use to IT security automation, ThreatQ TDR Orchestrator addresses industry needs for simpler implementation and more efficient operations.

**London, UK, September 20, 2022** — ThreatQuotient™, a leading security operations platform innovator, today announced a new version of ThreatQ TDR Orchestrator, the industry’s first solution for a simplified, data-driven approach to security operations. Built on the ThreatQ Platform, the continued innovation of ThreatQ TDR Orchestrator includes enhanced automation, analysis, and reporting capabilities that accelerate threat detection and response across disparate systems.

The latest research from ThreatQuotient, planned for full release later in 2022, shows signs that adoption of security automation is advancing, as budgets in this area are increasing for 98% of companies. The data also indicates that organisations have become more confident in automation itself, with over 88% of companies having some level of trust in automation outcomes compared to only 59% in the year prior. However, 98% say they have experienced problems during implementation. To support organisations with security automation solutions that are easier to use, cheaper than traditional automation tools and learn over time, ThreatQuotient has prioritised the development of ThreatQ TDR Orchestrator to enable more efficient and effective operations that can be directly measured by time savings and FTEs gained, improved risk management, and greater confidence when detecting and responding to an event.

The latest version of ThreatQ TDR Orchestrator offers the following benefits:

*   **Prioritise automation on the most important events/alerts** with context from threat intelligence and other internal and external sources. A feedback loop captures results to improve the automation flow over time.

*   **Playbooks are easier to maintain** as a result of Smart Collections which are used to abstract automation logic. Atomic Automation allows for immediate action when a complex response is not needed; and Automation Packs for vulnerability prioritisation, indicator enrichment, XDR, and more use cases coming soon, help users get started with common use cases quickly.

*   **Less training is required up front** as a result of a no-code user interface which also delivers a lower total cost of ownership over time, and enables users to rely less on their organisation’s technical resources which can be a bottleneck (e.g. waiting for internal developers to work through their backlog and write the playbook automations requested).

“Leveraging automation to do the heavy lifting and cut through the noise is vital to helping cybersecurity teams thrive under pressure. ThreatQuotient continues to innovate in a way that drives meaningful operational benefits to customers,” says Leon Ward, Vice President of Product Management at ThreatQuotient. “Many process-based SOAR platforms are designed such that only security engineers and analysts have the skills necessary to use them directly; making these traditional platforms hard to implement and maintain which drives higher costs over time. This ThreatQ TDR Orchestrator release reinforces the need for no-code solutions that empower operators to adapt to dynamic threat landscapes faster, and focus their energy on security operations workflows that provide critical business context.”

In an environment where security operations employee turnover is high, ThreatQuotient’s platform is well suited for increasing the number of people who know how to develop and maintain automation playbooks. ThreatQ’s data-driven approach means that anyone with business context can understand and maintain workflows, making teams more nimble and resilient. Additionally, Atomic Automation works at the "atomic" or lowest level, allowing an analyst to automate a single action or string of a few simple actions without needing a complex playbook. This enables analysts to pull data or push actions without actually needing to pivot from UI to UI for each of the products involved.

To learn more about ThreatQ TDR Orchestrator, register for ThreatQuotient’s upcoming webinar, ThreatQ Cyber Forum on ROI, taking place live on Wednesday 21st September at 10:00 am GMT. For a first-hand look at how ThreatQ, ThreatQ TDR Orchestrator, and ThreatQ Investigations can support your organisation’s security goals, register for the ThreatQ Online Experience, a unique interactive tour.

**About ThreatQuotient**

ThreatQuotient improves security operations by fusing together disparate data sources, tools and teams to accelerate threat detection and response. ThreatQuotient’s data-driven security operations platform helps teams prioritise, automate and collaborate on security incidents; enables more focused decision making; and maximises limited resources by integrating existing processes and technologies into a unified workspace. The result is reduced noise, clear priority threats, and the ability to automate processes with high fidelity data. ThreatQuotient’s industry leading data management, orchestration and automation capabilities support multiple use cases, including incident response, threat hunting, spear phishing, alert triage and vulnerability prioritisation, and can also serve as a threat intelligence platform. ThreatQuotient is headquartered in Northern Virginia with international operations based out of Europe, MENA and APAC. For more information, visit www.threatquotient.com.

ThreatQuotient Enhances Data-Driven Automation Capabilities With New ThreatQ TDR Orchestrator Features

The balance of deploying secure applications vs. time to market continues to be the biggest risk to organizations.

AUSTIN, Texas, Sept. 20, 2022 /PRNewswire/ — Invicti Security™, an application security leader for over 15 years, today released a new white paper, "Automated Application Security Testing for Faster Development," from independent industry analyst firm Enterprise Strategy Group (ESG). The report covers how Invicti customers are cost-effectively incorporating security into their development processes to secure their applications.

Organizations have been challenged in adapting their application security strategies and solutions as they undergo digital transformation for faster development cycles. As organizations migrate workloads to the cloud, they speed up development but also increase the risk of security vulnerabilities as application development and security teams clash on priorities. In fact, an earlier ESG study found that 48% of developers push vulnerable code in order to meet deadlines.

Traditional application security solutions haven't worked well to scale with modern development because they are costly to deploy and manage, they raise too many alerts and false positives, and they don't work in modern development workflows.

_Download the report to **view the full findings and insights.**_

**Join Invicti Chief Product Officer Sonali Shah and on October 13 for a live webinar to discuss the report findings and insights. Register here.**

The report describes how:

*   With the move to the cloud, organizations need a seamless solution that gives them protection and coverage for all of their applications, not just certain business-critical applications. Otherwise, simple coding mistakes can leave them vulnerable to attacks that could compromise company or customer data.
*   A leading television service network serving 26 million viewers has deployed Invicti to help them deliver secure applications on time, enabling them to innovate while protecting information collected online, particularly the personally identifiable information (PII) of viewers and staff, as well as its own company data and intellectual property.
*   A global travel and vacations company uses Invicti to cost-effectively automate security testing for applications across its portfolio of companies, enabling developers to fix security issues within their workflows.
*   Invicti customers also reported time and cost savings with fewer security incidents and teams working more efficiently with security integrated with developer workflows.

"With the increasing speed of development, companies need fast, seamless security solutions that integrate extremely well with developer workflows and tools, so they can bridge the gap between developer and security team priorities and needs," said Sonali Shah, Chief Product Officer at Invicti. "Dynamic application security testing (DAST) is the best-positioned tool to reduce the risk of pushing out vulnerable web applications without burdening developer teams or slowing them down."

"The development lifecycle is an intricate process that requires many pieces and technologies to be successful. Adding security as an afterthought to this process is proven to create points of exposure for organizations," said Melinda Marks, Senior Analyst at ESG. "With Invicti's approach to application security, security experts can help developers infuse secure practices into their development processes so that security enables innovation instead of slowing things down or blocking it."

**About Invicti Security**

Invicti Security – which acquired and combined respective DAST leaders Acunetix and Netsparker – is transforming the way web applications are secured. An AppSec leader for more than 15 years, Invicti enables organizations in every industry to continuously scan and secure all of their web applications and APIs at the speed of innovation. Invicti provides a comprehensive view of an organization's entire web application portfolio, and powerful automation and integrations enable customers to achieve broad coverage of thousands of applications. Invicti is headquartered in Austin, Texas, and serves more than 3,600 organizations of all sizes in more than 70 countries. For more information, visit our website or follow us on LinkedIn.

Invicti Security and ESG Report on How Companies are Shifting for Higher Quality, Secure Application Code

A threat cluster linked to the Russian nation-state actor tracked as Sandworm has continued its targeting of Ukraine with commodity malware by masquerading as telecom providers, new findings show.
Recorded Future said it discovered new infrastructure belonging to UAC-0113 that mimics operators like Datagroup and EuroTransTelecom to deliver payloads such as Colibri loader and Warzone RAT.
The

A threat cluster linked to the Russian nation-state actor tracked as Sandworm has continued its targeting of Ukraine with commodity malware by masquerading as telecom providers, new findings show.

Recorded Future said it discovered new infrastructure belonging to UAC-0113 that mimics operators like Datagroup and EuroTransTelecom to deliver payloads such as Colibri loader and Warzone RAT.

The attacks are said to be an expansion of the same campaign that previously distributed DCRat (or DarkCrystal RAT) using phishing emails with legal aid-themed lures against providers of telecommunications in Ukraine.

Sandworm is a destructive Russian threat group that's best known for carrying out attacks such as the 2015 and 2016 targeting of Ukrainian electrical grid and 2017's NotPetya attacks. It's confirmed to be Unit 74455 of Russia's GRU military intelligence agency.

The adversarial collective, also known as Voodoo Bear, sought to damage high-voltage electrical substations, computers and networking equipment for the third time in Ukraine earlier this April through a new variant of a piece of malware known as Industroyer.

Russia's invasion of Ukraine has also had the group unleash numerous other attacks, including leveraging the Follina vulnerability (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool (MSDT) to breach media entities in the Eastern European nation.

In addition, it was uncovered as the mastermind behind a new modular botnet called Cyclops Blink that enslaved internet-connected firewall devices and routers from WatchGuard and ASUS.

The U.S. government, for its part, has announced up to $10 million in rewards for information on six hackers associated with the APT group for participating in malicious cyber activities against critical infrastructure in the country.

"A transition from DarkCrystal RAT to Colibri Loader and Warzone RAT demonstrates UAC-0113's broadening but continuing use of publicly available commodity malware," Recorded Future said.

The attacks entail the fraudulent domains hosting a web page purportedly about "Odesa Regional Military Administration," while an encoded ISO image payload is stealthily deployed via a technique referred to as HTML smuggling.

HTML smuggling, as the name goes, is an evasive malware delivery technique that leverages legitimate HTML and JavaScript features to distribute malware and get around conventional security controls.

Recorded Future also said it identified points of similarities with another HTML dropper attachment put to use by the APT29 threat actor in a campaign aimed at Western diplomatic missions between May and June 2022.

Embedded within the ISO file, which was created on August 5, 2022, are three files, including an LNK file that tricks the victim into activating the infection sequence, resulting in the deployment of both Colibri loader and Warzone RAT to the target machine.

The execution of the LNK file also launches an innocuous decoy document – an application for Ukrainian citizens to request for monetary compensation and fuel discounts – in an attempt to conceal the malicious operations.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Russian Sandworm Hackers Impersonate Ukrainian Telecoms to Distribute Malware

Categories: Business
EDR, MDR, and XDR can alleviate challenges most small business cybersecurity teams face, such as alert fatigue and limited resources. Let’s dive into the basics of three common detection and response solutions.



(Read more...)




The post EDR vs MDR vs XDR – What’s the Difference? appeared first on Malwarebytes Labs.

Cyberattacks are rapidly evolving, leaving businesses and their IT security teams to handle immense workloads.

Keeping up with today’s cyberthreats not only involves staying up to date in an ever-changing threat landscape, it also involves managing complex security infrastructure and technologies. Detection and response tools are designed to help security teams monitor, evaluate, and respond to potential threat actor activity.

EDR, MDR, and XDR can alleviate challenges most small business cybersecurity teams face, such as alert fatigue and limited resources.

Although detection and response tools share similar purposes, they are not all equal. Every threat detection and response capability has its own advantages when it comes to addressing the needs of your business and catching threats that have thwarted traditional security layers.

Let’s dive into the basics of three common detection and response solutions.

**Endpoint Detection and Response (EDR)**

Endpoint detection and response (EDR) solutions cover all endpoint monitoring and activity through threat hunting, data analysis, and remediation to stop a range of cyberattacks. These attacks include malware, ransomware, brute force, and zero-day intrusions.

**Managed Detection and Response (MDR)**

Managed detection and response (MDR) is a service that offers a suite of outsourced capabilities to deliver round-the-clock, 24/7/365 monitoring and detection, proactive threat hunting, prioritization of alerts, correlated data analysis, managed threat investigation, and remediation. MDR is popularly thought of as an in-house Security Operations Center (SOC) alternative. It blends a human element of highly-skilled experts with threat intelligence technologies.

**Extended Detection and Response (XDR)**

Extended detection and response (XDR) is a proactive cybersecurity solution that provides improved, unified visibility over endpoints, networks, and the cloud through aggregating siloed data across an organization’s security stack.

**What is the difference between EDR vs MDR vs XDR?**

Today’s industry-leading detection and response technologies rely on threat intelligence data pulled from different sources. This threat intel data varies in readability and usefulness depending on the tool and its intended audience, your security team, decision-makers, or key stakeholders. Not all businesses have the cybersecurity resources to interpret copious amounts of data, investigate alerts, and act on threats.

Let’s compare threat detection and response tools and the challenges they address.

**EDR vs MDR**

The difference between EDR and MDR is scale.

The needs of your organization, the number of assets and endpoint devices to protect, available resources, bandwidth, and in-house cybersecurity skill level are all factors to consider when it comes to MDR vs EDR. Addressing your business’ security challenges is crucial to understanding how much visibility your company really needs, doing so will help determine the detection and response technology best fit for your business and enhance your cybersecurity stack.

EDR has several benefits and provides holistic visibility into the attack surface of all your endpoints and can detect threats that circumvent legacy endpoint protection platforms (EPP). Endpoint Detection and Response is a staple for establishing a comprehensive security strategy and lays the groundwork for scalable cybersecurity maturity. Although fundamental, it generates a lot of alerts and endpoint telemetry data, adding to its complexity. It requires skilled cybersecurity talent who can readily handle high alert volume, interpret EDR alerts, and respond proficiently. The key takeaway is that standalone EDR products help businesses wanting to enhance their endpoint security posture but require a level of resources and advanced cybersecurity personnel.

MDR security is a managed service which merges human expertise with threat intelligence, offering advanced threat hunting, threat identification, alert prioritization, and incident response. MDR helps businesses obtain outsourced, high-skilled cybersecurity experts at an affordable cost. Regardless of size and level of expertise, your current IT team can leverage a turnkey experience with Managed Detection and Response to close the skill gap in specialized security talent. Small businesses seeking to build security maturity, handle complex threats, and relieve in-house alert fatigue, have everything to gain from Managed Detection and Response.

**MDR vs XDR**

XDR works to consolidate alerts and unify previously siloed data from a range of cybersecurity tools. Businesses struggling with an influx of alerts across multiple existing security tools have the most to benefit from XDR solutions. Providing extended visibility, the tool is centered on aggregating and correlating telemetry from various security tools and enhancing defense across the security ecosystem.

Extended Detection and Response addresses the challenges of businesses with multilayered security architecture.

**Tips for choosing a threat detection and response tool for your business**

Choosing the right detection and response tool starts with addressing your business’ security needs at scale. Simply put, your organization should consider the following questions:

• What does my company need to protect? What assets are most vulnerable to being compromised?  
• How much visibility does my organization need?  
• Does my security team have the skillset, time, and bandwidth to handle large security workloads?  
• What are the resource constraints of my organization?  
• Who will be analyzing, investigating, and responding to detected threats, alerts, and data?

**Featured articles **

What is Threat Hunting?

3 ways MDR can drive business growth for MSPs

Cyber threat hunting for SMBs: How MDR can help

What is Threat Intelligence?

What is MDR?

What is SIEM?

What is SOC?

Webinar: Malwarebytes EDR Product Demo

Tag

#intel