Mozilla researchers identified accounts with millions of view spreading hate speech and disinformation

Last August the TikTok account @aironixon shared a video intercutting scenes from Netflix’s docuseries _How to Become a Tyrant_ with videos and screenshots of Kenyan deputy president and presidential candidate William Ruto. An added caption read, “Is Ruto a tyrant?”

The video is one of 130 identified by Mozilla Foundation fellow Odanga Madung, who has detailed his findings in a new report. Altogether, Madung found hate speech and disinformation in videos that accrued over 4 million views after being shared by 33 TikTok accounts. All of them appear to violate the company’s terms of service, and target Kenya’s upcoming August 9 elections.

“What we noticed is that there are very many cases where a certain page, for example, might have 5,000 followers, but the kind of the content that it posts ends up getting \[more than\] 500,000 views, because it has been supercharged by the platform itself,” says Madung.

Though Facebook, WhatsApp, and Instagram remain the most popular platforms in Kenya, TikTok’s popularity has risen steadily over the past two years, and it is among the most-downloaded social apps in the country.

For Kenyans heading into an election season, disinformation is hardly new, especially as millions of its citizens have come online over the past decade. Madung worries that the country’s history of electoral violence makes it particularly combustible. In 2007, a contested presidential election between Raila Odinga and Mwai Kibaki led to widespread violence that left more than 1,000 people dead and 600,000 displaced. The country’s current president, Uhuru Kenyatta, was accused of helping to incite the violence by charging armed groups of Kikuyus, the ethnic group to which he and Kibaki both belong, to target Luos, Odinga’s ethnic group.

Kenyatta ascended to the presidency in 2013. His reelection in 2017 also sparked protests that were met with swift police crackdowns. Human Rights Watch documented at least 42 people killed by police, though it estimated the real number to be higher.

Earlier this year, the country’s National Cohesion and Integration Commission, which was formed after the 2007 violence to ensure peaceful elections, warned of the “misuse of social media platforms to perpetuate ethnic hate speech and incitement to violence,” saying that in 2022 hate speech on social platforms had increased 20 percent. The commission also cited increasing communal conflict and personal attacks on politicians, in addition to other conditions that could make this year’s elections particularly tumultuous.

A TikTok video of a speech given by Ruto included the caption, “Ruto hates Kikuyus and wants to take revenge come 2022.” It has garnered more than 400,000 views.

“There's a very clear attempt to try and use the ghosts of 2007 to move voters one way or the other, to take advantage of or glorify past violence,” says Madung. “That’s something that is completely not taken into account in TikTok’s own hate speech content guidelines.”

Unlike Facebook or Twitter, TikTok serves users content based not on who they follow but what the platform believes their interests are. This can make it hard for researchers like Madung to map out how content spreads and to whom. “There's no tool like Crowdtangle for TikTok,” he says. “Doing research on TikTok is tiresome, sometimes gruesome, because I had to watch all the videos all the way through to perform content analysis.”

By its very nature, TikTok is harder to moderate than many other social media platforms, according to Cameron Hickey, project director at the Algorithmic Transparency Institute. The brevity of the videos, and the fact that many can include audio, visual, and text elements makes human discernment even more necessary when deciding whether something violates platform rules. Even advanced artificial intelligence tools, like using speech-to-text to quickly identify problematic words, is more difficult “when the audio that you're dealing with also has music behind it,” says Hickey. “The default mode for people creating content on TikTok is to also embed music.”

That becomes even more difficult in languages other than English.

“What we know generally is that platforms do best at the work of addressing problematic content in the places where they are based or within the languages in which the people who created them speak,” says Hickey. “And there are more people making bad stuff than there are people at these companies trying to get rid of the bad stuff.”

Many pieces of disinformation Madung found were “synthetic content,” videos created to look like they might be from an old news broadcast, or they use screenshots that appear to be from legitimate news outlets.

“Since 2017, we’ve noticed that there was a burgeoning trend at the time to appropriate the identities of mainstream media brands,” says Madung. “We are seeing rampant usage of this tactic on the platform, and it seems to do exceptionally well.”

Madung also spoke with former TikTok content moderator Gadear Ayed to get a better understanding of the company’s moderation efforts more broadly. Although Ayed did not moderate TikToks from Kenya, she told Madung that she was often asked to moderate content in languages or contexts she was not familiar with, and would not have had the context to tell whether a piece of media had been manipulated.

“It's common to find moderators being asked to moderate videos that were in languages and contexts that were different from what they understood,” Ayed told Madung. “For example, I at one time had to moderate videos that were in Hebrew despite me not knowing the language or the context. All I could rely on was the visual image of what I could see but anything written I couldn't moderate.”

A TikTok spokesperson told WIRED that the company prohibits election misinformation and the promotion of violence and is “committed to protecting the integrity of \[its\] platform and have a dedicated team working to safeguard TikTok during the Kenyan elections.” The spokesperson also said that it works with fact-checking organizations, including Agence France-Presse in Kenya, and plans to roll out features to connect its “community with authoritative information about the Kenyan elections in our app."

But even if TikTok removes the offending content, Hickey says that may not be enough. “One person can remix, duet, reshare someone else's content,” says Hickey. That means that even if the original video is removed, other versions can live on, undetected. TikTok videos can also be downloaded and shared on other platforms, like Facebook and Twitter, which is how Madung first encountered some of them.

Several of the videos flagged in the Mozilla Foundation report have since been removed, but TikTok did not respond to questions about whether it has removed other videos or whether the videos themselves were part of a coordinated effort.

But Madung suspects that they might be. “Some of the most egregious hashtags were things I would find researching coordinated campaigns on Twitter, and then I would think, what if I searched for this on TikTok?”

Disinfo and Hate Speech Flood TikTok Ahead of Kenya’s Elections

A successful attack against 5G networks could disrupt critical infrastructure, manipulate sensor data, or even cause physical harm to humans.

RSA CONFERENCE — San Francisco — While 5G security is not new as a topic of conversation, emerging attack vectors continue to come to the fore. Deloitte & Touche researchers have uncovered a potential avenue of attack targeting network slices, a fundamental part of 5G's architecture.

The stakes are high: Not just a faster 4G, next-generation 5G networks are expected to serve as the communications infrastructure for an array of mission-critical environments, such as public safety, military services, critical infrastructure, and the Industrial Internet of Things (IIoT). They also play a role in supporting latency-sensitive future applications like automated cars and telesurgery. A cyberattack on that infrastructure could have significant implications for public health and national security, and impact a range of commercial services for individual enterprises.

At the heart of any 5G network is a flexible, IP-based core network that allows resources and attributes to be assembled into individual "slices" — each of these network slices is tailored to fulfill the requirements requested by a particular application. For instance, a network slice supporting an IIoT network of sensors in a smart-factory installation might offer extremely low latency, long device battery life, and constricted bandwidth speed. An adjacent slice could enable automated vehicles, with extremely high bandwidth and near-zero latency. And so on.

Thus, one 5G network supports multiple adjacent network slices, all of which make use of a common physical infrastructure (i.e., the radio access network, or RAN). Deloitte collaborated on a 5G research project with Virginia Tech to explore whether it was possible to exploit 5G by compromising one slice, then escaping it to compromise a second. The answer to that turned out to be yes.

"Throughout our journey with Virginia Tech, our objective was uncovering how to make sure that appropriate security is in place whenever a 5G network is put in for any type of industry or any customer," Shehadi Dayekh, specialist leader at Deloitte, tells Dark Reading. "We saw network slicing as a core area of interest for our research, and we set about discovering avenues of compromise."

**Achieving Lateral Movement Via Network Slicing**

Abdul Rahman, associate vice president at Deloitte, notes that attacking one slice in order to get to a second could be seen as a form of container escape in a cloud environment — in which an attacker moves from one container to another, moving laterally through a cloud infrastructure to compromise different customers and services.

"When we look at the end-to-end picture of a 5G network, there's the 5G core, and then the 5G RAN, then there are the end devices and the users after the end devices," he says. "The core has really evolved to a point where a lot of the services are essentially in containers, and they've been virtualized. So there may then be a similar \[attack-and-escape\] process where we're able to influence or affect a device on network slice two from a device or a compromise within network slice one."

The research uncovered that an initial compromise of the first network slice can be achieved by exploiting open ports and vulnerable protocols, he explains. Or, another path to compromise would involve obtaining the metadata necessary to enumerate all of the services on the network, in order to identify a service or a set of services that may have a vulnerability, such as a buffer overflow that would allow code execution.

Then, to achieve "slice-escape," "there are capabilities in the wireless space to emulate tons of devices that can join networks and start causing some stress on the core network," Dayekh says. "It's possible to bring in some scanning capabilities to start exploiting vulnerabilities across slices."

A successful attack would have a number of layers and steps, and would be non-trivial, Deloitte found — but it can be done.

From a real-world feasibility perspective, "it's really dependent on how much money is spent," Dayekh says, adding that cyberattackers would likely make an ROI calculation when weighing whether an attack is worth the time and expense.

"It's about how serious \[and hardened\] the network is, if it's a mission-critical network, and how serious the target application is," he explains. "Is it an application for, say, shelf replenishment or cashierless checkout, or is it a military or government application?"

If the attacker is a well-funded advanced persistent threat (APT) interested in mounting destructive attacks on, say, an automated pipeline, the approach would be more convoluted and resource-intensive, Rahman adds.

"This sets the stage for a bad actor that utilizes advanced recon and surveillance-detection techniques, to minimize on the blue side being seen," he says. "You utilize observation to determine avenues of approach and key terrain, while ensuring concealment. If we're going to recon a network, we want to do it from a place where we can scan the network and obfuscate our reconnaissance traffic amongst all the other traffic that's there. And they're going to build this network topology, aka an attack graph, with nodes that have metadata associated with enumerative services around what we would like to attack."

**Real-World Risk**

When it comes to potential outcomes of a successful attack, Rahman and Dayekh used the example of a campaign against an industrial sensor network for a smart-factory application.

"Ultimately, we can deploy malware that can actually impact the data that's gathered from those sensors, whether it's temperature, barometric pressure, its line of sight, computer vision, whatever that may be," Rahman notes. "Or it may be able to occlude the image or maybe only send back a portion of the results by manipulating what the sensor has the ability to see. That could potentially cause false readings, false positives, and the impact is huge for manufacturing, for energy, for transportation — any of those areas that depend on sensors to give them near-real-time outputs for things like health and status."

The Internet of Medical Things (IoMT) is another area of concern, due to the ability to directly impact patients using remote health services such as kidney dialysis or liver monitoring, or those who have a pacemaker.

There's also another form of attacks that involve deploying malware on vulnerable IoT devices, then using them to jam or flood the air interfaces or take up shared computational resources at the edge. That can lead to denial of service across slices since they all share the same RAN and edge computing infrastructure, Deloitte found.

**Defending Against 5G Network-Slicing Attacks**

When it comes to defending against attacks involving network slicing, there are at least three broad layers of cybersecurity to deploy, the researchers note:

*   Convert threat intelligence, which consists of indicators of compromise (IOCs), into rules.
*   Use artificial intelligence and machine learning to detect anomalous behaviors.
*   Implement platforms that contain standard detection mechanisms, filtering, the ability to create automation, integration with SOAR, and alerting.

It's important, as ever, to ensure defense in depth. "The rules have a shelf life," Rahman explains. "You can't totally depend on rules because they get aged off because people create malware variants. You can't totally depend on what an AI tells you about probability of malicious activity. And you can't really believe in the platform because there may be gaps."

Much of the defense work also has to do with gaining a view into the infrastructure that doesn't overwhelm defenders with information.

"The key is visibility," Dayekh says, "because when we look at 5G, there's massive connectivity: A lot of IoT, sensors, and devices, and you also have containerized deployments and cloud infrastructure that scales up and down and gets deployed in multiple zones and multiple hybrid clouds, and some clients have more than one vendor for their cloud. It's easier when we don't have a lot of slices or we don't have a lot of device IDs or SIM cards or wireless connections. But there are potentially millions of devices that you may have to look at and correlate data for."

There's also ongoing management to consider, since the 5G standard is updated every six months with new features.

As a result, most operators are still scratching the surface on the amount of work they have to put into shoring up security for 5G networks, the researchers say, noting that the workforce shortage is also affecting this segment. And that means that automation will be required to handle tasks that need to be done in a repeatable manner.

"Automation from a source perspective can go out to these devices and reconfigure them on the fly," Rahman says. "But the question is, is do you want to do that in production? Or do you want to test that first? Typically, we are risk averse, so we test when we do change requests, and then we vote on it. And then we deploy those changes in production, and that takes a certain amount of time. But those processes can be automated with DevSecOps pipelines. Solving this will take some out-of-the-box thinking."

An Emerging Threat: Attacking 5G Via Network Slices

The Ransomware Task Force's five priority recommendations, issued last year, have all seen encouraging progress from governments.
The post Ransomware Task Force priorities see progress in first year appeared first on Malwarebytes Labs.

_This blog is part of our live coverage from RSA Conference 2022_:

US President Joseph R. Biden Jr., The White House, and law enforcement agencies across the world paid close attention last year when a group of more than 60 cybersecurity experts launched the Ransomware Task Force, heeding the group’s advice on how to defend against ransomware attacks and deny cybercriminals their ill-gotten riches.

Of the Ransomware Task Force’s initial 48 recommendations—published in their report last year—12 have resulted in tangible action, while 29 have resulted in preliminary action, said Philip Reiner, chief executive officer for the Institute for Security and Technology and member of the Ransomware Task Force.

The progress, while encouraging, is not the end, Reiner said.

“Not enough has been done,” Reiner said. “There is still a great deal of work that remains to be done on this front to blunt the trajectory of this threat.”

At RSA Conference 2022, Reiner moderated a panel of other Ransomware Task Force members which included Cyber Threat Alliance President and CEO Michael Daniels, Institute for Security and Technology Chief Strategy Officer Megan Stiflel, and Resilience Chief Claims Officer Michael Phillips. The four discussed how separate levels of the government responded and acted on the five priority recommendations made by the Ransomware Task Force last year.

In short, many promising first steps have been made, the panelists said.

“Look at what the US government has done in the past year—the impressive speed at which \[they’ve\] organized and focused on the ransomware threat,” Daniels said. “Everything from presidential statements, to work in the international area, to convening a ransomware task force inside the government to start working on this issue.”

He continued: “I think it’s clear that governments are really engaged in this issue in a way that they weren’t just a couple of years ago.”

Last year, governments across the world collaborated together in taking down ransomware threat actors. In June 2021, Ukrainian law enforcement worked with investigators from South Korea to arrest members affiliated with the Clop ransomware gang, and months later, members of the FBI, the French National Gendarmerie, and the Ukrainian National Police arrested two individuals—and seized about $2 million—from an unnamed ransomware group.

Around the same time as the undisclosed arrests, President Biden traveled to Switzerland to speak at a cybersecurity summit that was also attended by Russia President Vladimir Putin. When the two met, Biden reportedly told Putin that the United States was willing to take “any necessary action” to defend US infrastructure. The US President’s statement came shortly after the ransomware attack on Colonial Pipeline, which was attributed to the cybercriminal group Darkside, which is believed to be located in Russia.

“I’m gonna be meeting with President Putin and so far there is no evidence, based on our intelligence people, that Russia is involved,” President Biden said of the attack at the time, according to reporting from the BBC. But, Biden added, “there’s evidence that the actors’ ransomware is in Russia—they have some responsibility to deal with this.”

Separately, Stifel from the Institute for Security and Technology welcomed recent developments—which may take many more years to solidify—to create a standardized format and timeline for companies and organizations to report ransomware attacks.

“It will be some time, and some of you may be retired by the time it’s in place,” Stifel said, “but it’s there. You have to start somewhere.”

The panelists also acknowledged recent government efforts to appropriate cybersecurity recovery and response funds in the latest infrastructure bill. While the Ransomware Task Force specifically asked for funds for ransomware recovery and response, a broad package of millions of dollars for overall cybersecurity events is still considered a win.

One underdeveloped priority area that every panelist stressed was the need for faster, more accurate data on ransomware attacks and recovery costs. Without a centralized database—and without a requirement to report both attacks and ransom payments—the government and cybersecurity companies are working with limited information.

The panelists also lamented the difficulties posed in trying to remove safe havens for ransomware actors. As the governments that already provide cover for ransomware groups have little to no impetus to change their positions, it’s up to global governments to start working together.

“I can see the US government trying to, internationally, build a collation of countries—not just US agencies, but multiple agencies across multiple jurisdictions at the same time,” Daniels said.

He continued: “This threat has become so large that no government can really just ignore it.”

Ransomware Task Force priorities see progress in first year

By Owais Sultan
Let’s talk about how AI in cybersecurity protects the corporate networks of companies. Technological progress has not only…
This is a post from HackRead.com Read the original post: How to use AI in cybersecurity?

****Let’s talk about how AI in cybersecurity protects the corporate networks of companies.****

Technological progress has not only pleasing but also bad consequences. Together with the accelerated pace of corporate security systems development, new and more sophisticated types of cyber-attacks are emerging.

According to the World Economic Forum, the protection measures taken by enterprises become outdated instantly. Over the previous year, the number of attacks increased by 30%, and this alarming trend continues.

The market is short of about 2.72 million cybersecurity professionals to deal with the growing number of threats. This is where artificial intelligence can help businesses. Let’s talk about six AI use cases in cybersecurity.

**Statistics on AI use in cybersecurity**

Researchers contributing to the 2022 Cybersecurity Almanac predict that spending on fighting cybercrimes will rise to $10.5 trillion. This is three times more than in 2015 ($3 trillion). Given the fact that the amount of global data is growing, it becomes more difficult to track and prevent vulnerabilities.

For example, 80% of telecommunications organizations are confident that they will not be able to respond to cyber-attacks without AI. The professional sector is a target for cyber villains (934 incidents were recorded in 2020). The public sector, manufacturing, and healthcare suffer from cyberattacks.

In 2020, AI in cybersecurity was worth more than $10 billion, and by 2027, the price will increase by almost 4.5 times. IBM estimates that companies that lack AI spend three times as much to mitigate cyberattacks as companies with deployed automated tracking systems.

Nearly half of the managers surveyed by Capgemini say they use a smart algorithm to detect cyber threats. With its help, 34% of these professionals predict attacks and 18% respond to incidents.

Based on the above trends, Meticulous Research says that AI in cybersecurity will grow by 24% per year to reach $46 billion by 2027.

**Six main AI use cases in cybersecurity**

Imagine a campus that consists of several buildings. Getting inside is not difficult, because it is impossible to put a guard at each door. This is where AI helps: cameras read the faces of visitors and find those who “sit on someone’s tail” following employees with passes to enter buildings. This may be a worker who was too lazy to show a pass or a scammer.

The larger the office, the higher the risk of intrusion, and the more useful AI systems for face recognition are. In a video, an algorithm singles out people who violate the security policy. An image of a person’s face is compared with the database of staff members’ photographs; thus, the system defines if it is an employee or a stranger who decided to illegally enter the office.

If we consider the use of AI in a corporate network or on the Internet, we can talk about six main options for using a smart algorithm.

*   **Detection of malicious code and malicious activity in corporate networks**

AI automatically classifies domains by analyzing DNS traffic to identify C&C, malicious, spam, phishing and clone domains, and so on. Previously, to manage this environment, it was enough to have good blacklists. They coped with their task albeit with regular updates and with large volumes.

Today, domains are created in 1-2 minutes, used no more than 2-3 times within half an hour, and then criminals switch to other domains. To track them, blacklisting is not enough: you need to use AI technology. A smart algorithm learns to detect such domains and block them immediately.

*   **Encrypted traffic analysis**

According to Cisco, more than 80% of Internet traffic is encrypted. It needs to be analyzed. You can apply the “government man in the middle” scheme or use AI technology, which, without encryption and decryption, allows you to identify the following issues by metadata and network packets and without analyzing the payload:

*   Malicious code; 
*   Malware family;
*   Applications that are used;
*   Devices that work within the framework of an encrypted TLS session or SSL of one version or another.

These are technologies that work in practice and allow you to understand what is happening inside the encrypted traffic the volume of which is growing. And you needn’t invest much in it.  

*   **Detection of fake photos and substituted pictures.**

An algorithm recognizes whether the face of a person in the photo has been replaced with someone else’s picture. This feature is particularly useful for remote biometric authentication in financial services. It prevents scammers from creating fake photos or videos and presenting themselves as legal citizens who could be granted a loan. Thus, they won’t steal the money of others. 

*   **Recognition of voice, language, and speech.**

This AI feature is used to detect information leaks and read unstructured information in non-machine readable formats. This information enriches the data from firewalls, gateways, proxy systems, and other technical solutions that provide structured data.

Thus, you will know who and when accessed the Internet and whether they used corporate or departmental networks. AI helps enrich this information with data from news, company newsletters, and so on.

*   **Providing recommendations**

Based on statistics, AI makes recommendations on what protection tools to use or what settings need to be changed to automatically increase the security of a corporate network. For example, the Massachusetts Institute of Technology has created AI2, a system that detects unknown threats with a probability of up to 85%.

The more analyses the system performs, the more accurately it gives the next estimate due to the feedback mechanism. Moreover, a smart algorithm does this on such a scale and at such a speed that human defenders would not be able to handle.

*   **Automation of software vulnerability search**

A vulnerability is a bug in a program that allows someone to benefit from it (for example, extract data for sale, transfer money, steal private data from a phone, and so on). Thanks to AI, it has become possible to search for such errors automatically.

AI looks for vulnerabilities in a program and examines the application interface. If it finds ransomware on a computer, it immediately disconnects its user from the network, thereby saving the rest of the company from dangerous infection.

**Conclusion**

AI in cybersecurity has great prospects. But it must be handled reasonably, like any other technology. It is not a silver bullet and having even the most advanced technology does not mean 100% protection. AI will not save you from serious attacks caused by neglecting basic cybersecurity rules. A smart algorithm should be implemented if a clear ecosystem that can adapt to a changing corporate network has been built.

AI will be genuinely effective if it is developed, corrected, and tuned. This is time-consuming and difficult work, which will benefit if the technology is used carefully and not for the sake of being trendy.

**More AI Topics**

1.  Fields of application of artificial intelligence
2.  How Artificial intelligence (AI) Stops Cybercriminals
3.  ‘Optical Adversarial Attack’ uses a low-cost projector to trick AI
4.  Ways to Take Advantage of Artificial Intelligence in Technology
5.  Website uses Artificial Intelligence to create utterly realistic human faces

How to use AI in cybersecurity?

The innovative ransomware targets NAS devices, has a multitiered payment and extortion scheme as well as a flexible configuration, and takes a heavily automated approach.

The DeadBolt ransomware family is targeting QNAP and Asustor network-attached storage (NAS) devices by deploying a multitiered scheme aimed at both the vendors and their victims, and offering multiple cryptocurrency payment options.  

These factors make DeadBolt different from other NAS ransomware families and could be more problematic for its victims, according to an analysis from Trend Micro this week.

The ransomware uses a configuration file that will dynamically choose specific settings based on the vendor that it targets, making it scalable and easily adaptable to new campaigns and vendors, according to the researchers.

The payment schemes allow either the victim to pay for a decryption key, or for the vendor to pay for a decryption master key. This master key would theoretically work to decrypt data for all victims; however, the report notes less than 10% of DeadBolt victims actually paid the ransom.

"Even though the vendor master decryption key did not work in DeadBolt's campaigns, the concept of holding both the victim and the vendors ransom is an interesting approach," according to the report. "It's possible that this approach will be used in future attacks, especially since this tactic requires a low amount of effort on the part of a ransomware group."

Fernando Mercês, senior threat researcher at Trend Micro, points out that the actors also created a functional, nicely designed Web app to deal with ransom payments.

"They also know about the internals of QNAP and Asustor," he says. "Overall, it's an impressive job from a technical standpoint."

Mercês adds that ransomware actors in general are targeting NAS devices due to a combination of factors: low security, high availability, the high value of data, modern hardware, and common OS (Linux).

"It's like targeting Internet-facing Linux servers with all kinds of applications installed and no professional security in place," he says. “Additionally, these servers contain high-value data for the user. It sounds like the perfect target for ransomware."

For organizations to protect against attacks targeting internet-facing NAS devices, he says, they could use a VPN service, although the configuration may require a few technical skills.

"Suppose there's no other way other than exposing the NAS on the Internet," he says. "In that case, I'd recommend using strong passwords, 2FA, disabling/uninstalling all unused services and apps, and configuring a firewall in front of it to only allow the ports you want to access. This can be done in a router, for example."

Mercês notes that while it doesn't seem effective, it's interesting to see criminals trying to put some pressure on vendors to "fix the problem" for their customers.

"I think criminals thought the vendors would be worried about their image in front of their customers and maybe pay to get free decryptors for all of them," he says. "It could be interesting if customers started pushing vendors to pay on their behalf, but that didn't happen."

In May, QNAP warned its NAS devices are under active attack by DeadBolt ransomware, and in January, a report from attack surface solutions provider Censys.io noted that out of 130,000 QNAP NAS devices that were potential targets, 4,988 services showed signs of a DeadBolt infection.

Nicole Hoffman, senior cyber-threat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions, points out that the DeadBolt ransomware operation is interesting for several reasons, including the fact that victims do not need to contact the threat actors at any time.

"With most ransomware groups, victims need to negotiate with the threat actors, who are often in different time zones," she says. “These interactions can add a significant amount of time to the recovery process and a level of uncertainty because the outcome could rely on the success of the interaction."

However, she notes that from a technical perspective, DeadBolt ransomware attacks are different from ransomware attacks that target many enterprise devices, as initial access is gained by exploiting vulnerabilities in unpatched Internet-facing NAS devices.

"There are no social engineering or lateral movement techniques required to carry out their objectives," Hoffman says. "The threat actors do not need a lot of time, tools, or money to carry out these opportunistic attacks."

Multilevel Extortion: DeadBolt Ransomware Targets Internet-Facing NAS Devices

By using artificial intelligence to predict how an attacker would carry out their attack, we can deploy defenses and preemptively shut down vulnerable entry points.

Security teams can't protect what they don't know about. But it is not enough to just understand what they have within their organizations' environment. Defenders also need to put themselves in an adversary's shoes to understand which systems are likely to be targeted and how the attack would be carried out. Technologies such as attack surface management and attack path modeling make it possible for security teams to gain visibility into which assets adversaries can see and how they might gain access.

With attack surface management, organizations are continuously discovering, classifying, and monitoring the IT infrastructure. Unlike asset management, which looks for everything the organization has, attack surface management looks at the IT infrastructure from outside of the organization to determine what is exposed and accessible. Since new assets are always being created and cloud infrastructure can be spun up dynamically, this inventory needs to be updated continuously or the organization will have gaps in its knowledge of all the potential entry points, says Pieter Jansen, CEO of Cybersprint, which was acquired by Darktrace in February for $52.3 million (€47.5 million).

Cybersprint's attack surface management platform gives customers their own "hacker's lens" that they can use to determine where an attacker could strike next, Jansen says. Attack surface management goes beyond tracking Internet-accessible systems by considering how the assets are configured, what security controls are in place, and how the various tools and devices are connected.

Someone creating new infrastructure components within the DevOps environment may think they are working within the test environment, but an attacker doesn't care whether it is in testing or production. "It's an ideal way of getting in \[to the organization's environment\] early and to move to production systems," Jansen says.

Darktrace acquired Cybersprint for its external view of the organization's environment, says Jack Stockdale, CTO of Darktrace. Darktrace's artificial intelligence (AI) technology develops a comprehensive view of the organization's infrastructure, but it is an internal view, he says. Darktrace can see what the organization has within the IT environment — the network, email, cloud assets, and endpoints — as well as OT. Bringing Cybersprint's external view into Darktrace's platform makes it possible to find more threats earlier.

"It's essential to put all those different areas into one platform" instead of maintaining individual silos of information, Stockdale says. "Trying to infer what's happening and stop attacks by looking at individual silos — we truly believe that is not the way to go."

**A Shift to Proactive AI**

Up until now, Darktrace's self-learning AI technology has focused on detection and response, which means it is reactive, Stockdale notes. "Essentially, \[the AI\] sits there and waits for a problem," he says. Teaching the AI about the attacker shifts the balance, since the AI now doesn't have to wait for an attack to do something about the organization's security.

This is where attack path modeling comes in.

Security teams are beginning to think about attack path analysis. For the past few years, Verizon's "Data Breach Investigations Report" (DBIR) has devoted a section to analyzing attack paths. Understanding the paths adversaries are likely to take helps security teams identify places they can add more controls or tools to stop the attack.

"Our job as defenders is to lengthen that attack path. Attackers tend to avoid longer attack chains because every additional step is a chance for the defender to prevent, detect, respond to, and recover from the breach," Verizon's researchers wrote.

Attack path modeling uses the existing view of the environment to determine the most likely and most effective paths attackers would take through the organization, Stockdale says. After identifying the key assets and people, as well as the organization's crown jewels, it is possible to use both the internal and external views to identify the likely path the attacker would follow to reach the crown jewels. After analyzing the path, it is possible to run a simulation to see what would happen in the case of an incident.

"What happens if ransomware was detected on a particular laptop or a particular type of compromise started in a particular environment? How will the attacker most likely move through \[the\] organization to cause the damage or to reach the crown jewels or to sell information?" he asks.

Attack path modeling is more than a red team exercise of a penetration test, Jansen notes, because it allows security teams to identify the most likely steps an attacker would take in order to compromise the organization. AI shines here because it is capable of going down every path and seeing every permutation of possible attacker scenarios. Human teams, in contrast, would be able to run only a limited number of exercises.

Once they can see all the potential entry points, security teams can start testing defenses along those particular paths and determine whether additional resources are necessary. Perhaps they discover four or five most likely routes an attacker could take from a compromised email account or system login. At this point, the team can deploy additional controls or defenses to make those paths unfeasible for the attacker.

**Adding 'Prevent' to the Cybersecurity Loop**

Darktrace's Cyber AI Research Centre has been working on ways to apply AI to attack path modeling for almost two years, Stockdale says. The research is now being incorporated into Darktrace's new product family, Darktrace Prevent, which will be generally available by the summer.

"We're now taking \[attack path modeling\] out of the research center and building it into our next set of products that will go to our customers," he says. Several customers in the early adopter program already have the new technology in their production environments.

Darktrace views security as a continuous loop where the AI learns about the organization, identifies potential attack paths, and feeds those outcomes to detect and respond to harden the environment, Stockdale says. Eventually, the plan is for AI to learn to heal from the damage caused by attacks, as well.

"When we talk to our customers, we tend to look at the areas where human beings are doing lots of repetitive work, or challenging work, that we think AI is a perfect fit for," Stockdale says. There are areas where AI can help make these teams more efficient or allow companies that don't have the resources to hire human teams to add security capabilities.

"Our vision moving forward is to be much more proactive," Stockdale says.

Harnessing AI to Proactively Thwart Threats

Edge-based solution detects and blocks malicious files uploaded to Web apps and APIs.

CAMBRIDGE, Mass., June 6, 2022 /PRNewswire/ -- Akamai Technologies, Inc. (NASDAQ: AKAM), the cloud company that powers and protects life online, today unveiled Malware Protection, which shields web applications and APIs from malicious uploads. The solution expands Akamai's web application and API protection (WAAP), detecting and blocking malware at the edge, preventing it from reaching targeted systems where it can detonate and spread.

Malware Protection addresses the growing problem of malware embedded in files uploaded to web applications such as travel & hospitality, financial sites, customer portals and content management systems. The solution provides a modern approach to protection, inspecting files uploaded to applications and APIs on the Akamai Intelligent Edge network, detecting and blocking malware at the edge.

Because the malware scanning engine is hosted completely on the Akamai Intelligent Edge, there is nothing for customers to install and no changes in application code are required. This makes it easier to deploy and maintain than alternative approaches, such as Internet Content Adaptation Protocol (ICAP)-integrated solutions. Because malware is blocked at the edge, Malware Protection also provides a better security outcome, isolating threats from targeted origins.

"Business processes across a variety of industries have shifted to web applications and users are uploading far more files than before," said Patrick Sullivan, CTO, Security Strategy for Akamai. "With Malware Protection, Akamai is helping customers to easily reduce risk resulting from files uploaded via Web Apps right at the Edge.. This addresses a growing concern among Akamai customers and provides added assurance that their online assets are protected."

**About Akamai**

Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. With the world's most distributed compute platform — from cloud to edge — we make it easy for customers to develop and run applications, while we keep experiences closer to users and threats farther away. Learn more about Akamai's security, compute, and delivery solutions at akamai.com and akamai.com/blog, or follow Akamai Technologies on Twitter and LinkedIn.

Akamai Launches New Malware Protection for Uploaded Files

The costs associated with a cyberattack can be significant, especially if a company does not have an Incident Response plan that addresses risk.

The costs associated with a cyberattack can be significant, especially if a company does not have an Incident Response plan that addresses risk.

The one-two punch of a cyberattack can be devastating. There is the breach and then the related mitigation costs. Implementing a comprehensive Incident Response (IR) gameplan into a worst-case-scenario should not be a post-breach scramble. And when that IR strategy includes insurance, it also must address a business’s level of cyber risk.

A 2021 study by NetDiligence analyzed over 5,700 claims and the average claim cost for an organization with less than $2 billion in revenue was $354,000. Larger organizations incurred on average over $16 million in costs.

The cost issue is compounded when ransom payments are included in the calculation, which can significantly increase insurance claim payouts. Unsurprisingly, this trend has led many cyber liability insurance carriers, as well as law firms who specialize in data breach, to encourage their clients to strengthen their cybersecurity controls and seek more formal relationships with digital forensics and incident response firms.

For most, an IR retainer will be a formal relationship to safeguard the organization if the worst was to happen. It grants firms expedited response under a pre-agreed service level agreement (SLA) and avoids potential delays around legal and financial decisions when every minute counts. It is incredibly valuable in a crisis but offers limited value when the organization manages to avoid incidents.

****IR Retainers Shouldn’t Just Be Another Insurance Policy****

While the majority of organizations do treat the “hardening” of their controls and the search for an IR retainer as separate projects, the biggest value would come from achieving both under a true “cyber risk” retainer. Pure IR retainers typically don’t offer security leaders flexibility to maximize their investment, but by being permitted to use credits toward preparedness, testing, simulations and so forth, cyber risk can be mitigated. There are three key elements to achieving an effective cyber risk retainer: negotiation, structure and  execution

****One: Negotiate with Transparency****

Identify a firm with experience beyond IR. Are they familiar with incident preparedness needs, such as tabletop exercises, breach and attack simulations, red team exercises, etc?

If gaps in your essential security controls (e.g. MFA, backups, email hygiene) are identified, would this firm have the capability to assist? If an incident leads to a breach of sensitive data, would this firm be able to help with breach notification needs? Would retainer credits cover the costs?

Once you identify an initial set of firms that can satisfy these criteria, it’s helpful to ask what sort of onboarding is needed. Experienced firms will run a thorough process of learning about the client’s IT security program, including what policies and plans they have, as well as to gain an overview of their IT environment. This leads us to step #2, where the fun starts with structuring retainers based on key requirements.

****Two: Structure Retainers According to Your Security Strategy****

Retainer structuring begins with mapping out the most effective allocation of retainer credits.

A cost estimate should be given for common IR scenarios (ransomware and Business Email Compromise, for example) and that becomes a set percentage of the retainer.

The remaining retainer allocation should be mapped to your security strategy. Perhaps the organization is moving to the cloud and will need to deploy MFA to the Azure active directory, for example. A portion of the retainer could be set aside for penetration testing that can identify MFA weaknesses. Simulations and tabletop exercises that are specific to the industry and / or risk appetite should also be conducted to ensure everyone from executives, PR to compliance teams are prepared should the worst happen.

****Three: Execute with Guidance from Your Retainer Partner****

The best cyber risk retainers are collaborative exercises. Keeping in constant contact with the retainer team can provide you with frontline threat intelligence and analysis of complex security issues being faced by organizations like yours. This ensures that investment is also well targeted to areas of potential vulnerability utilized by today’s threat actors.

With most infosec teams critically understaffed, those in your retainer team can become a valuable resource for advising on and prioritizing key cyber resilience issues.

In helping firms to become more secure, retainer teams often also take on the role of project manager. They are in a good position to bring stakeholders to the table, prepare necessary communications and seek appropriate technical permissions.

By encouraging firms to use their excess retainer credits for proactive services overall cyber resilience will be enhanced. More vulnerabilities, gaps in security policies, processes and technology will be identified. Organizations can do risk assessments, penetration tests and tabletop exercises, ensuring that security is not only improved but the wider business is assured of its maturity.

An additional benefit of a longer-term retainer relationship is that the cyber practitioners are afforded the opportunity to learn about a client’s cybersecurity program and the context in which it exists. Knowing the various policies and processes in place, the toolsets that are deployed, along with the configurations in their network can become vital contextual intelligence. With this in-depth knowledge, if a client suffers a cyberattack its on-hand practitioners will already have a solid understanding of the client’s IT environment which will allow them to expeditiously contain and remediate the issue.

In an ideal world incident preparedness and response should be tightly intertwined. True cyber risk retainers allow organizations to do this in a way that not only improves resilience in theory, but equips teams with the practical intelligence to do the very best job they can, both in a crisis and business-as-usual environment.

Cyber Risk Retainers: Not Another Insurance Policy

Acquisition will leverage Forescout’s automated cybersecurity with Cysiv's cloud-native platform to deliver data-powered analytics for 24/7 threat detection and response.

**SAN JOSE, Calif., June 6, 2022** – Forescout Technologies, Inc., the global leader in automated cybersecurity, today announced that it has signed a definitive agreement to acquire Cysiv, a cybersecurity innovator that uses its cloud platform to improve detection and response of true threats. With this acquisition, Forescout will leverage Cysiv’s threat detection engine to analyze a wealth of asset and network communications data automatically collected by Forescout’s platform. This comprehensive data across IT, IoT, OT and IoMT devices, as well as other essential data sources, enables better true threat detection and response so customers can operate more securely and efficiently. Upon the close of the acquisition, Cysiv will join Forescout.

“Organizations need to be able to reduce the billions of data points on their networks to a handful of actionable true threats – automatically. Together with Cysiv, Forescout will provide customers with the most powerful platform for automated cybersecurity across their digital terrains,” said Wael Mohamed, CEO of Forescout. “Upon close, the acquisition will help our customers leverage actionable threat intelligence from comprehensive data collected by Forescout and analyzed by Cysiv. We will receive far more than just great technology in this acquisition. The Cysiv team is exceptional, and our two organizations are highly complementary.”

Today, organizations are faced with the immense pressure to secure their networks. CIOs and CISOs have experienced rapid growth in the volume and diversity of managed and unmanaged devices, including IoT devices, that has given rise to increased risks and cybersecurity threats, coinciding with a drop in available cybersecurity resources. With the rapid adoption of cloud, and a cloud-first mindset that’s been accelerated by the work-from-anywhere shift of the past two years, enterprises are particularly concerned with managing threats to these fluid threat environments. This has resulted in organizations not being able to effectively manage the detection, investigation, escalation and response of true threats, particularly as the threat landscape and unmanaged device landscape have become more complex.

Existing solutions for threat detection and response, such as EDR, require the use of agents on managed devices. This means that organizations dependent on an agent-based approach for threat detection and response are not able to look for threats coming from the majority of their connected devices, particularly critical assets like IoT, IoMT and OT.

For over a decade, Forescout’s ability to deeply integrate into the fabric of customers’ networks has enabled it to collect real-time data for all connected assets and users, together with the communications among those assets and users. Customers have been asking Forescout to leverage this comprehensive data to provide greater insight into threats for all types of assets and to enable faster, more automated response and remediation.

“We have always been on a mission to provide better threat detection and faster response,” said Partha Panda, CEO and co-founder of Cysiv. “After successfully partnering together for the last year, we are thrilled to join Forescout as we continue on the next stage of our journey. The combination of Forescout and Cysiv will provide organizations with best-in-class threat detection together with automated incident prioritization and automated response.”

The acquisition is expected to close in July, 2022, subject to the satisfaction of closing conditions and receipt of applicable regulatory approvals and comes on the heels of its acquisition of CyberMDX which further strengthens Forescout’s industry-leading IT, IoT and OT device coverage with IoMT expertise.

**About Forescout**

Forescout Technologies, Inc. delivers cybersecurity automation across the digital terrain, maintaining continuous alignment of customers’ security frameworks with their digital realities, including all asset types. The Forescout Continuum Platform provides complete asset visibility, continuous compliance, network segmentation and a strong foundation for Zero Trust. For more than 20 years, Fortune 100 organizations and government agencies have trusted Forescout to provide automated cybersecurity at scale. Forescout arms customers with data-powered intelligence to accurately detect risks and quickly remediate cyberthreats without disruption of critical business assets. www.forescout.com

Tag

#intel