Edge-based solution detects and blocks malicious files uploaded to Web apps and APIs.

CAMBRIDGE, Mass., June 6, 2022 /PRNewswire/ -- Akamai Technologies, Inc. (NASDAQ: AKAM), the cloud company that powers and protects life online, today unveiled Malware Protection, which shields web applications and APIs from malicious uploads. The solution expands Akamai's web application and API protection (WAAP), detecting and blocking malware at the edge, preventing it from reaching targeted systems where it can detonate and spread.

Malware Protection addresses the growing problem of malware embedded in files uploaded to web applications such as travel & hospitality, financial sites, customer portals and content management systems. The solution provides a modern approach to protection, inspecting files uploaded to applications and APIs on the Akamai Intelligent Edge network, detecting and blocking malware at the edge.

Because the malware scanning engine is hosted completely on the Akamai Intelligent Edge, there is nothing for customers to install and no changes in application code are required. This makes it easier to deploy and maintain than alternative approaches, such as Internet Content Adaptation Protocol (ICAP)-integrated solutions. Because malware is blocked at the edge, Malware Protection also provides a better security outcome, isolating threats from targeted origins.

"Business processes across a variety of industries have shifted to web applications and users are uploading far more files than before," said Patrick Sullivan, CTO, Security Strategy for Akamai. "With Malware Protection, Akamai is helping customers to easily reduce risk resulting from files uploaded via Web Apps right at the Edge.. This addresses a growing concern among Akamai customers and provides added assurance that their online assets are protected."

**About Akamai**

Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. With the world's most distributed compute platform — from cloud to edge — we make it easy for customers to develop and run applications, while we keep experiences closer to users and threats farther away. Learn more about Akamai's security, compute, and delivery solutions at akamai.com and akamai.com/blog, or follow Akamai Technologies on Twitter and LinkedIn.

Akamai Launches New Malware Protection for Uploaded Files

The costs associated with a cyberattack can be significant, especially if a company does not have an Incident Response plan that addresses risk.

The costs associated with a cyberattack can be significant, especially if a company does not have an Incident Response plan that addresses risk.

The one-two punch of a cyberattack can be devastating. There is the breach and then the related mitigation costs. Implementing a comprehensive Incident Response (IR) gameplan into a worst-case-scenario should not be a post-breach scramble. And when that IR strategy includes insurance, it also must address a business’s level of cyber risk.

A 2021 study by NetDiligence analyzed over 5,700 claims and the average claim cost for an organization with less than $2 billion in revenue was $354,000. Larger organizations incurred on average over $16 million in costs.

The cost issue is compounded when ransom payments are included in the calculation, which can significantly increase insurance claim payouts. Unsurprisingly, this trend has led many cyber liability insurance carriers, as well as law firms who specialize in data breach, to encourage their clients to strengthen their cybersecurity controls and seek more formal relationships with digital forensics and incident response firms.

For most, an IR retainer will be a formal relationship to safeguard the organization if the worst was to happen. It grants firms expedited response under a pre-agreed service level agreement (SLA) and avoids potential delays around legal and financial decisions when every minute counts. It is incredibly valuable in a crisis but offers limited value when the organization manages to avoid incidents.

****IR Retainers Shouldn’t Just Be Another Insurance Policy****

While the majority of organizations do treat the “hardening” of their controls and the search for an IR retainer as separate projects, the biggest value would come from achieving both under a true “cyber risk” retainer. Pure IR retainers typically don’t offer security leaders flexibility to maximize their investment, but by being permitted to use credits toward preparedness, testing, simulations and so forth, cyber risk can be mitigated. There are three key elements to achieving an effective cyber risk retainer: negotiation, structure and  execution

****One: Negotiate with Transparency****

Identify a firm with experience beyond IR. Are they familiar with incident preparedness needs, such as tabletop exercises, breach and attack simulations, red team exercises, etc?

If gaps in your essential security controls (e.g. MFA, backups, email hygiene) are identified, would this firm have the capability to assist? If an incident leads to a breach of sensitive data, would this firm be able to help with breach notification needs? Would retainer credits cover the costs?

Once you identify an initial set of firms that can satisfy these criteria, it’s helpful to ask what sort of onboarding is needed. Experienced firms will run a thorough process of learning about the client’s IT security program, including what policies and plans they have, as well as to gain an overview of their IT environment. This leads us to step #2, where the fun starts with structuring retainers based on key requirements.

****Two: Structure Retainers According to Your Security Strategy****

Retainer structuring begins with mapping out the most effective allocation of retainer credits.

A cost estimate should be given for common IR scenarios (ransomware and Business Email Compromise, for example) and that becomes a set percentage of the retainer.

The remaining retainer allocation should be mapped to your security strategy. Perhaps the organization is moving to the cloud and will need to deploy MFA to the Azure active directory, for example. A portion of the retainer could be set aside for penetration testing that can identify MFA weaknesses. Simulations and tabletop exercises that are specific to the industry and / or risk appetite should also be conducted to ensure everyone from executives, PR to compliance teams are prepared should the worst happen.

****Three: Execute with Guidance from Your Retainer Partner****

The best cyber risk retainers are collaborative exercises. Keeping in constant contact with the retainer team can provide you with frontline threat intelligence and analysis of complex security issues being faced by organizations like yours. This ensures that investment is also well targeted to areas of potential vulnerability utilized by today’s threat actors.

With most infosec teams critically understaffed, those in your retainer team can become a valuable resource for advising on and prioritizing key cyber resilience issues.

In helping firms to become more secure, retainer teams often also take on the role of project manager. They are in a good position to bring stakeholders to the table, prepare necessary communications and seek appropriate technical permissions.

By encouraging firms to use their excess retainer credits for proactive services overall cyber resilience will be enhanced. More vulnerabilities, gaps in security policies, processes and technology will be identified. Organizations can do risk assessments, penetration tests and tabletop exercises, ensuring that security is not only improved but the wider business is assured of its maturity.

An additional benefit of a longer-term retainer relationship is that the cyber practitioners are afforded the opportunity to learn about a client’s cybersecurity program and the context in which it exists. Knowing the various policies and processes in place, the toolsets that are deployed, along with the configurations in their network can become vital contextual intelligence. With this in-depth knowledge, if a client suffers a cyberattack its on-hand practitioners will already have a solid understanding of the client’s IT environment which will allow them to expeditiously contain and remediate the issue.

In an ideal world incident preparedness and response should be tightly intertwined. True cyber risk retainers allow organizations to do this in a way that not only improves resilience in theory, but equips teams with the practical intelligence to do the very best job they can, both in a crisis and business-as-usual environment.

Cyber Risk Retainers: Not Another Insurance Policy

Acquisition will leverage Forescout’s automated cybersecurity with Cysiv's cloud-native platform to deliver data-powered analytics for 24/7 threat detection and response.

**SAN JOSE, Calif., June 6, 2022** – Forescout Technologies, Inc., the global leader in automated cybersecurity, today announced that it has signed a definitive agreement to acquire Cysiv, a cybersecurity innovator that uses its cloud platform to improve detection and response of true threats. With this acquisition, Forescout will leverage Cysiv’s threat detection engine to analyze a wealth of asset and network communications data automatically collected by Forescout’s platform. This comprehensive data across IT, IoT, OT and IoMT devices, as well as other essential data sources, enables better true threat detection and response so customers can operate more securely and efficiently. Upon the close of the acquisition, Cysiv will join Forescout.

“Organizations need to be able to reduce the billions of data points on their networks to a handful of actionable true threats – automatically. Together with Cysiv, Forescout will provide customers with the most powerful platform for automated cybersecurity across their digital terrains,” said Wael Mohamed, CEO of Forescout. “Upon close, the acquisition will help our customers leverage actionable threat intelligence from comprehensive data collected by Forescout and analyzed by Cysiv. We will receive far more than just great technology in this acquisition. The Cysiv team is exceptional, and our two organizations are highly complementary.”

Today, organizations are faced with the immense pressure to secure their networks. CIOs and CISOs have experienced rapid growth in the volume and diversity of managed and unmanaged devices, including IoT devices, that has given rise to increased risks and cybersecurity threats, coinciding with a drop in available cybersecurity resources. With the rapid adoption of cloud, and a cloud-first mindset that’s been accelerated by the work-from-anywhere shift of the past two years, enterprises are particularly concerned with managing threats to these fluid threat environments. This has resulted in organizations not being able to effectively manage the detection, investigation, escalation and response of true threats, particularly as the threat landscape and unmanaged device landscape have become more complex.

Existing solutions for threat detection and response, such as EDR, require the use of agents on managed devices. This means that organizations dependent on an agent-based approach for threat detection and response are not able to look for threats coming from the majority of their connected devices, particularly critical assets like IoT, IoMT and OT.

For over a decade, Forescout’s ability to deeply integrate into the fabric of customers’ networks has enabled it to collect real-time data for all connected assets and users, together with the communications among those assets and users. Customers have been asking Forescout to leverage this comprehensive data to provide greater insight into threats for all types of assets and to enable faster, more automated response and remediation.

“We have always been on a mission to provide better threat detection and faster response,” said Partha Panda, CEO and co-founder of Cysiv. “After successfully partnering together for the last year, we are thrilled to join Forescout as we continue on the next stage of our journey. The combination of Forescout and Cysiv will provide organizations with best-in-class threat detection together with automated incident prioritization and automated response.”

The acquisition is expected to close in July, 2022, subject to the satisfaction of closing conditions and receipt of applicable regulatory approvals and comes on the heels of its acquisition of CyberMDX which further strengthens Forescout’s industry-leading IT, IoT and OT device coverage with IoMT expertise.

**About Forescout**

Forescout Technologies, Inc. delivers cybersecurity automation across the digital terrain, maintaining continuous alignment of customers’ security frameworks with their digital realities, including all asset types. The Forescout Continuum Platform provides complete asset visibility, continuous compliance, network segmentation and a strong foundation for Zero Trust. For more than 20 years, Fortune 100 organizations and government agencies have trusted Forescout to provide automated cybersecurity at scale. Forescout arms customers with data-powered intelligence to accurately detect risks and quickly remediate cyberthreats without disruption of critical business assets. www.forescout.com

Forescout Announces Intent to Acquire Cysiv to Deliver Data-Powered Threat Detection and Response

Basic Pen Tests support rapid, basic vulnerability discovery, while Standard Pen Tests provide compliance-driven testing to meet requirements for Web apps, APIs, and networks.

SAN FRANCISCO, June 6, 2022 /PRNewswire/ -- Bugcrowd, the leader in crowdsourced security, today announced a significant expansion of its Penetration Testing as a Service (PTaaS) product line to include new offerings—Basic Pen Test and Standard Pen Test—purpose built for today's digital business where continuous testing must keep pace with continuous and agile development. These strategic additions expand the use cases covered by Bugcrowd's PTaaS suite to cover the gamut of customer needs, from basic assurance for simple web apps and networks to continuous, crowd-powered testing of complex apps, cloud services, mobile apps, APIs, and IoT devices for maximum risk reduction.

Most pen test providers today offer cumbersome, ad hoc consulting offerings that do not identify all risks and are hard to execute at scale in a consistent and configurable way for buyers as well as pentesters themselves. PTaaS solutions have emerged to address these issues, but most don't go far enough—only Bugcrowd delivers a modern, platform-powered approach, enabling organizations to keep innovating without compromising security.

With Bugcrowd's expanded PTaaS product line, pen test buyers now have an option for meeting every requirement, and for every asset type:

*   **Basic Pen Tests** for rapid, basic vulnerability discovery and reporting
*   **Standard Pen Tests** for easy-to-launch, compliance-driven testing packaged to meet most customer requirements for common use cases for simple web apps, APIs and networks
*   **Plus Pen Tests** for meeting special needs around targets, testing times, geographic requirements, etc.
*   **Max Pen Tests** for continuous, maximum risk reduction

"We have a diverse set of use cases for pen testing, ranging from basic vulnerability discovery for very simple web apps to intensive and continuous risk reduction for business-critical ones," said Jason Frost, Manager, Security Assessment, Paychex. "These new additions to the Bugcrowd PTaaS product line fulfill all our needs in one platform."

The Bugcrowd Security Knowledge Platform™ enables pen tests to run alongside Bugcrowd's managed bug bounty, vulnerability disclosure programs, and other solutions as a fully integrated and orchestrated experience blending data, technology, and human intelligence, with all findings flowing directly into the software development lifecycle. Bugcrowd's PTaaS suite allows customers to:

*   Activate precisely the right crowd at the right time leveraging the platform's CrowdMatch ML technology, delivering a 2x increase in high-impact findings versus manual matching methods
*   Launch tests in days instead of weeks and continually get fresh eyes-on-target from Bugcrowd's broad and diverse crowd
*   Utilize historical information to create standardized tests that reduce the need for contracted SOW discussions, while getting the intelligence of the aggregated experience of the platform, customer needs, and researchers to conduct the most relevant pen test scope
*   Get high-impact results that go beyond compliance checkboxes
*   See prioritized results and methodology progress in real-time via a rich PTaaS Dashboard experience

"Traditional penetration testing often delivers noisy, low-impact results, often takes weeks or even months to produce results, and offers no visibility into test progress," said Ashish Gupta, CEO, Bugcrowd. "We provide real-time visibility into pen testing results and vulnerabilities being found that allow our customers to continuously reduce risk and secure their environments, helping them stay ahead of a breach with solutions tailored to meet their needs."

Click here to learn more about these additions to Bugcrowd's PTaaS.

Click here to learn more about the Bugcrowd Security Knowledge Platform.

"Bugcrowd", "CrowdMatch", and "Bugcrowd Security Knowledge Platform" are trademarks of Bugcrowd Inc. and its subsidiaries. All other trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

**About Bugcrowd  
**Bugcrowd is the leading provider of crowdsourced cybersecurity solutions purpose-built to secure the digitally connected world. Today's enterprise demands an offensive approach to cybersecurity—and Bugcrowd offers the only solution that orchestrates data, technology, and human intelligence to expose blind spots. The Bugcrowd Security Knowledge Platform™ enables businesses to do everything proactively possible to protect their organization, reputation, and customers with products like Bug Bounty, Penetration Testing-as-a-Service, and more. Trusted by organizations across the globe, Bugcrowd uncovers and remediates vulnerabilities before they interrupt business by leveraging expert ingenuity and the knowledge of world-class security researchers. Based in San Francisco, Bugcrowd is backed by Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures and Triangle Peak Partners. Learn more at www.bugcrowd.com.

Bugcrowd Expands Pen Testing Solutions with New Platform Services

MongoDB claims its new “Queryable Encryption” lets users search their databases while sensitive data stays encrypted. Oh, and its cryptography is open source.

After years of data breaches, leaks, and hacks leaving the world desperate for tools to stem the illicit flow of sensitive personal data, a key advance has appeared on the horizon.

On Tuesday, MongoDB is announcing “Queryable Encryption,” a feature that will allow database users to search their data while it remains encrypted. The tool, which is debuting in preview as part of MongoDB 6.0, attempts to bridge academic cryptography findings and real-world environments so users can adopt the feature without needing advanced theoretical expertise. Crucially, Queryable Encryption is built to work with existing databases rather than requiring users to re-architect their systems before they can take advantage of it.

Institutions from businesses to governments, health care facilities, and critical infrastructure already lean on encryption to render data unintelligible (and therefore not worth stealing) when it's traveling across networks or sitting in storage. But none of that protects data when it's actively being used for legitimate reasons—looking up a patient's medical records, say, or setting up a car rental reservation. That means an attacker—including a rogue employee—could potentially gain access to data the same way a doctor or customer service agent does. This is a nut everyone wants to crack, and the database maker MongoDB has been working on possible solutions for years. Now, the company says, it has one.

“This is exactly the kind of thing that customers are wanting. We work with the biggest banks, pension systems, treasury exchanges, payment networks, pizza chains—and everyone wants better assurances,” says Kenn White, MongoDB's security principal. “And because of some practical engineering breakthroughs, it went from an academic kind of thing to something that actually could work on big databases.”

Queryable Encryption could let a bank agent investigate your account for possible fraud on a range of dates without knowing which dates specifically flagged the system. Or it could allow a customer service rep to type the first few letters of a name and start a claims process while leaving the name encrypted and indecipherable. 

Many of these breakthroughs came from Brown University cryptographer Seny Kamara and his longtime collaborator Tarik Moataz. Several years ago, the pair cofounded a searchable encrypted database startup known as Aroki Systems along with entrepreneur John Partridge. Aroki collaborated with MongoDB on a database security feature, announced in 2019, and Kamara and Moataz continued working on a prototype of a truly searchable encrypted database. In 2021, MongoDB acquired Aroki.

The Queryable Encryption system is built with a combination of established cryptographic protocols and conceptual advances Kamara and Moataz have been working on for years in an area of cryptography known as structured encryption. The approach involves encrypting data with a specific architecture so it can be searched with special tokens specific to each query without data ever being decrypted. Other techniques such as homomorphic encryption allow users to do computations on encrypted data, like adding two columns in an encrypted spreadsheet. But structured encryption is specifically focused on organizing encrypted data so it can be found without exposing the data itself.

“What we focus on is not how to do arithmetic operations on encrypted data, but how to find information fast—like really, really fast,” says Kamara, who is currently on leave from his associate professor role at Brown.

Speed is a challenge in encrypted operations, where every extra key check and computation add complications to basic operations. But MongoDB claims that searches performed with Queryable Encryption are impressively fast and won't cause unreasonable performance losses—a claim that customers will be able to test for themselves with the new preview. MongoDB is also open-sourcing much of the Queryable Encryption system, so users and other researchers can vet its underlying cryptography.

“A lot of the work is very theoretical in nature, algorithms, crypto security definitions, but for me at the end of the day I want to see something come out of it,” Kamara says. “There is a social imperative behind the work that scientists do. Working with a company at the scale of Mongo, this will be available to a huge number of people, a huge number of work loads.”

Moataz and Kamara say the big breakthrough that allowed them to move their concept from the academic world toward the real world was emulation, which enabled them to use the properties of structured encryption with existing databases that have different architectures. Like emulating Super Nintendo games on your PC or emulating Windows on a Mac, the approach creates a liminal space in which structured encryption can run on top of traditional databases.

Still, Kamara and Moataz emphasize that it's been a challenge and a learning process to collaborate with MongoDB engineers and turn the Aroki Systems prototype into something that can actually be deployed at scale around the world.

“Seny and I have been learning a lot about the constraints of real-world deployments that academics know nothing about,” Moataz says. “Models in academia are less restrictive. So we are enjoying being exposed to that and improving our models and our designs with respect to these constraints.”

Though Tuesday's release will be the first time that the public can vet Queryable Encryption in the wild, Aroki Systems had cryptographer JP Aumasson conduct technical due diligence on the cryptographic underpinning of their prototype system. And MongoDB invited University of Chicago cryptographer and searchable encryption researcher David Cash to take an early look as well. Both told WIRED that while they haven't audited the entire system deployment, the underlying cryptography appears sound. And they both emphasize that it's exciting to see a real-world searchable encryption scheme take shape after so long.

“A lot of crypto research since the 1980s has sort of been centered on how do we do this stuff, so this is a long time coming," Cash says. “Everything in cryptography is about trade-offs, and the world is complicated, so it's important to be careful about absolute statements, but that this vision is realized in some form is very exciting. And this is not at all snake oil or security theater. They're going deep on this and thinking about the important stuff carefully.”

Aumasson says that many others have claimed to offer searchable encryption without the technical depth or capability. “There have been other products advertising encrypted search, but academics would really laugh at those,” he says. “What Mongo is doing is something that is academic-compliant, and I’m very happy to see it.”

A Long-Awaited Defense Against Data Leaks May Have Just Arrived

The tool underpins cybersecurity capabilities including SIEM, SOAR, compliance automation, and vulnerability management.

Cybersecurity teams can now use Snowflake as their data platform for a range of critical use cases, making it possible for security teams to deploy a security data lake and unify their security data in one place.

Snowflake's Cybersecurity workload offers customers access to cybersecurity capabilities including security information and event management (SIEM), security orchestration, automation, and response (SOAR), compliance automation, and vulnerability management through connected applications that run on top of their existing Snowflake environmentx.

Snowflake serves as the security data lake, providing scalable storage, while analytics enable security metrics for live insights into an organization's security posture.

Partners including Hunters, Panther Labs, and Securonix offer security capabilities on top of Snowflake accounts through connected applications, removing the need for the homegrown tools security teams used to rely on to build for scale.

**Context Is Key**

"Whether it's spotting risky configurations or catching threat actors in the act, security insights depend on available data," explains Omer Singer, Snowflake's head of cybersecurity strategy. "Less obvious is the need for context and cross-source correlation."

He says many risks and attacks cannot be identified just by looking at a single finding or event log, with unified visibility the key to fewer false positives and false negatives.

For example, a vulnerability may have a CVSS score of 8.0 and be not so concerning if it's affecting a test system without Internet access. "The same issue may be super critical, on the other hand, if it affects a publicly facing Web server that handles customer financial transactions," he adds.

Another example is around user deprovisioning, which Singer calls "a real scourge" for many security compliance teams.

"Has access been revoked from all systems for all terminated employees? If not, has a terminated employee taken advantage of their access?" he asks. "It takes unified visibility to answer these questions."

**Consolidated Data Shows the Whole Picture**

Singer explains that Snowflake is enabling an alternative to typical security tools that operate in a silo and place the burden of connecting the dots on overstretched security teams.

"Our customers kept telling us that their traditional SIEM solutions didn't consolidate security logs — the legacy SIEMs actually create silos since their cost for comprehensive ingest and retention is prohibitively high," he says. "The result has been that security teams struggle to achieve necessary prevention, detection, and response outcomes."

Prabhath Karanth, senior director of security, compliance, and trust at TripActions, says that Snowflake has helped the company with log aggregation, better triaging, removing noisy alerts, faster threat detection and response, applying new threat intelligence to data, and continuous compliance.

"All of this ultimately results in better security assurance and building customer trust," Karanth says. He adds that the adoption of Cybersecurity workload is central to most of the company's data and strategic security initiatives.

"The platform allows us to leverage one single source of truth for multiple use cases," Karanth explained. "It helps us collect all data sources in a centralized location and run analytics on top, both for our business and security use cases."

In addition, integrations with Snowflake partner tools like the autonomous threat monitor Hunters and the compliance program Anecdotes on top of the Snowflake security data lake has helped TripActions further enhance some security use cases.

**The Importance of Compliance**

On the security compliance side, Karanth says TripActions is looking to achieve near-real-time controls automation using Snowflake's Cybersecurity workload and continuous compliance.

"We push all security tooling data into Snowflake data lake," he says. "This includes tools like cloud security posture management, application security posture management, and endpoint security tooling. Most of the compliance controls belong to one of these domains."

He adds that the company can get a unified view of the controls posture to meet compliance requirements like SOC2, ISO, PCI, and others by integrating with Anecdotes.

"This helps us identify control effectiveness from an audit perspective, quicker metrics reporting to leadership, and remediation activities," he says. "From a threat detection and response standpoint, again security tooling is the basis for all of this."

Karanth explains that the deviation from the desired state of assets can be identified from the data the platform collects, and integrations with autonomous tools like Hunters help his company respond with corrective action in a timely manner using custom-built and prebuilt alerts.

"Our ultimate goal as a security team is to enable our business and protect our customers' data," he says. "The need of the hour is to enable our business and at the same time reduce risk. We need to protect our customers' travel data both from a security and privacy perspective. We take customer trust very seriously. It's the foundation for how we do business."

Snowflake Debuts Cybersecurity Workload to Aid Visibility, Automation

FortiRecon combines machine learning, automation, and human intelligence to continually monitor an organization’s external attack surface.

**SAN FRANCISCO, Calif., – RSAC 2022 - Jun 6, 2022**

**John Maddison, EVP of Products and CMO at Fortinet**

“The sooner in the attack cycle you identify and stop an adversary, the less costly and damaging their actions. Employing a powerful combination of human and artificial intelligence, FortiRecon provides organizations with a view of what adversaries are seeing, doing and planning. FortiRecon’s vendor agnostic SaaS delivery model combined with an intuitive interface and easily digestible reports enable executives across the organization to quickly understand the risks posed to their company, data, and brand reputation, while our team of FortiGuard Labs cybersecurity experts enhance the offering with takedown services, guidance on prioritization of remediation efforts, and targeted threat research and intelligence.”

**News Summary**

Fortinet® (NASDAQ: FTNT), a global leader in broad, integrated, and automated cybersecurity solutions, today announced FortiRecon, a complete Digital Risk Protection Service (DRPS) offering that uses a powerful combination of machine learning, automation capabilities, and FortiGuard Labs cybersecurity experts to manage a company’s risk posture and advise meaningful action to protect their brand reputation, enterprise assets, and data. FortiRecon uniquely delivers a triple offering of outside-in coverage across External Attack Surface Management (EASM), Brand Protection (BP), and Adversary-Centric Intelligence (ACI) to counter attacks at the reconnaissance phase – the first stage of a cyberattack – to significantly reduce the risk, time, and cost of later stage threat mitigation.

**Organizations are Overwhelmed in the Fight to Protect their Network, Data, and Reputation and Mitigate Risk Early**

Before attacking an organization, a cybercriminal’s primary objective is to gather as much intelligence about their target as possible. This phase of early reconnaissance arms the adversary with everything they need to determine if and how they would exploit an organization. They will test a company’s defense and response tactics, look for unpatched systems, use social media to learn more about its employees and their normal behavior, and go as far as researching business partners, recent acquisitions, and any other third-party affiliation that could lead to a successful compromise. As organizations digitally accelerate their businesses and deploy hybrid IT architectures that expand the attack surface, identifying and mitigating these threats has become increasingly more difficult. In response to the velocity of threats, cybersecurity best practices have evolved from point-in-time evaluations to continual monitoring, ongoing reviews, and continuous enhancements to an organization’s security posture.

**Taking a Page Out of the Adversary Playbook to Mitigate Risk**

With the introduction of FortiRecon, Fortinet provides enterprise organizations with a powerful tool to understand how the adversary views an organization from the outside to help inform cybersecurity teams, the C-Level, and risk and compliance management on how to prioritize risk and improve the company's overall security posture. FortiRecon offers companies consistent and comprehensive coverage across three areas:

*   **External Attack Surface Monitoring:** Empowers organizations to understand their risk profile and mitigate risks early. Provides an outside-in view of an organization and its subsidiaries to identify exposed known and unknown enterprise assets and associated vulnerabilities, and prioritize the remediation of critical issues. EASM identifies servers, credentials, public cloud service misconfigurations, and even third-party partner software code vulnerabilities that could be exploited by malicious actors.
*   **Brand Protection:** Enables organizations to protect their brand and identify risks to their customers. Proprietary algorithms detect web-based typo-squatting, defacements, and phishing impersonations, as well as rogue mobile apps, credential leaks, and brand impersonation on social media, all common techniques used by cyber threat actors. The early detection of malicious activity allows teams to quickly take action (such as website or application takedown) to stop and prevent damage.
*   **Adversary-Centric Intelligence:** Increases the security awareness of an organization’s SOC team with industry and geography specific coverage to better understand their attackers and protect assets. FortiGuard Labs cybersecurity experts assess the underground and imminent threat risks posed by active cybercriminals to an individual company by proactively monitoring public and private forums, open-source, dark web, and other cybercriminal domains. By engaging in human intelligence collection, FortiGuard Labs experts assess and curate custom threat intelligence, providing recommendations specific to the company, industry, and geography.

For partners, FortiRecon can be sold on top of the Fortinet Security Fabric or as a stand-alone, vendor-agnostic solution that delivers easily digestible reports and enables their customers to quickly understand the risks posed to their company, data, and brand reputation. FortiRecon also extends the categories of risk for which partners can provide insight to customers and increases the opportunity to land new customers that have only invested in more traditional security solutions.

**Enhancing Fortinet’s Early Detection and Response Portfolio and Industry Leading Security Services**

FortiRecon complements Fortinet’s robust portfolio of early detection and advanced response products, including FortiNDR, FortiXDR, FortiDeceptor, in-line sandboxing, as well as advanced automation with FortiAnalyzer, FortiSIEM and FortiSOAR.

Fortinet is firmly committed to the success of SOC teams and the protection of organziations and offers an extensive portfolio of outsource services ranging from cybersecurity assessments and readiness, playbook development, tabletop training, Incident Response, MDR and SOC-as-a-service. This combined offering, alongside the many enhancements across the Fortinet Security Fabric and extended ecosystem deliver simplification and automation to help SOC teams regain focus, control, and speed by strengthening an organization’s SOC with FortiGuard Labs cybersecurity tools and experts.

**Get a demo of FortiRecon in the Fortinet booth at RSAC 2022**

Fortinet will be a Platinum Sponsor at this year’s RSA Conference and will feature product demos, a live theater, and a Fortinet Expert Bar at booth #5855 in the Moscone Center North Hall. Stop by the booth to get a demo of FortiRecon and other recent product, solution, and services innovations from Fortinet. Learn more about Fortinet at RSA and presentations featuring Fortinet executives in the media alert.

**Additional Resources**

*   Read our blog to learn more about the value security services can bring to any organization and find out more about Fortinet’s robust portfolio of AI-powered Security Services.
*   Learn more about Fortinet’s advanced detection offerings for the SOC: FortiNDR, FortiDeceptor, FortiXDR, and FortiGuard In-line Sandbox Service
*   Learn more about Fortinet SOC-as-a-Service.
*   Learn more about how the Fortinet Security Fabric delivers broad, integrated, and automated protection across an organization’s entire digital infrastructure.
*   Learn more about FortiGuard Labs threat intelligence and research or Fortinet’s AI-powered FortiGuard Security Services portfolio.
*   Learn more about Fortinet’s free cybersecurity training which includes broad cyber awareness and product training. As part of the Fortinet Training Advancement Agenda (TAA), the Fortinet Training Institute also provides training and certification through the Network Security Expert (NSE) Certification, Academic Partner, and Education Outreach programs.
*   Read more about how Fortinet customers are securing their organizations.
*   Engage in the Fortinet User Community (Fuse). Share ideas and feedback, learn more about our products and technology, and connect with peers.
*   Follow Fortinet on Twitter, LinkedIn, Facebook, and Instagram. Subscribe to Fortinet on YouTube.

**About Fortinet**

Fortinet (NASDAQ: FTNT) makes possible a digital world that we can always trust through its mission to protect people, devices, and data everywhere. This is why the world’s largest enterprises, service providers, and government organizations choose Fortinet to securely accelerate their digital journey. The Fortinet Security Fabric platform delivers broad, integrated, and automated protections across the entire digital attack surface, securing critical devices, data, applications, and connections from the data center to the cloud to the home office. Ranking #1 in the most security appliances shipped worldwide, more than 580,000 customers trust Fortinet to protect their businesses. And the Fortinet NSE Training Institute, an initiative of Fortinet’s Training Advancement Agenda (TAA), provides one of the largest and broadest training programs in the industry to make cyber training and new career opportunities available to everyone. Learn more at https://www.fortinet.com, the Fortinet Blog, or FortiGuard Labs.

Fortinet Unveils New Digital Risk Protection Offering

The threat cluster dubbed UNC2165, which shares numerous overlaps with a Russia-based cybercrime group known as Evil Corp, has been linked to multiple LockBit ransomware intrusions in an attempt to get around sanctions imposed by the U.S. Treasury in December 2019.
"These actors have shifted away from using exclusive ransomware variants to LockBit — a well-known ransomware as a service (RaaS) —

The threat cluster dubbed UNC2165, which shares numerous overlaps with a Russia-based cybercrime group known as Evil Corp, has been linked to multiple LockBit ransomware intrusions in an attempt to get around sanctions imposed by the U.S. Treasury in December 2019.

"These actors have shifted away from using exclusive ransomware variants to LockBit — a well-known ransomware as a service (RaaS) — in their operations, likely to hinder attribution efforts in order to evade sanctions," threat intelligence firm Mandiant noted in an analysis last week.

Active since 2019, UNC2165 is known to obtain initial access to victim networks via stolen credentials and a JavaScript-based downloader malware called FakeUpdates (aka SocGholish), leveraging it to previously deploy Hades ransomware.

Hades is the work of a financially motivated hacking group named Evil Corp, which is also called by the monikers Gold Drake and Indrik Spider and has been attributed to the infamous Dridex (aka Bugat) trojan as well as other ransomware strains such as BitPaymer, DoppelPaymer, and WastedLocker over the past five years.

UNC2165's pivot from Hades to LockBit as a sanctions-dodging tactic is said to have occurred in early 2021.

Interestingly, FakeUpdates has also, in the past, served as the initial infection vector for distributing Dridex that then was used as a conduit to drop BitPaymer and DoppelPaymer onto compromised systems.

Mandiant said it noted further similarities between UNC2165 and an Evil Corp-connected cyber espionage activity tracked by Swiss cybersecurity firm PRODAFT under the name SilverFish aimed at government entities and Fortune 500 companies in the E.U and the U.S.

A successful initial compromise is followed by a string of actions as part of the attack lifecycle, including privilege escalation, internal reconnaissance, lateral movement, and maintaining long-term remote access, before delivering the ransomware payloads.

With sanctions used as a means to rein in ransomware attacks, in turn barring victims from negotiating with the threat actors, adding a ransomware group to a sanctions list — without naming the individuals behind it — has also been complicated by the fact that cybercriminal syndicates often tend to shutter, regroup, and rebrand under a different name to circumvent law enforcement.

"The adoption of an existing ransomware is a natural evolution for UNC2165 to attempt to obscure their affiliation with Evil Corp," Mandiant said, while also ensuring that sanctions are "not a limiting factor to receiving payments from victims."

"Using this RaaS would allow UNC2165 to blend in with other affiliates, the company added, stating, "it is plausible that the actors behind UNC2165 operations will continue to take additional steps to distance themselves from the Evil Corp name."

The findings from Mandiant, which is in the process of being acquired by Google, are particularly significant as the LockBit ransomware gang has since alleged that it had breached into the company's network and stole sensitive data.

The group, beyond threatening to release "all available data" on its data leak portal, didn't specify the exact nature of the contents in those files. However, Mandiant said there is no evidence to support the claim.

"Mandiant has reviewed the data disclosed in the initial LockBit release," the company told The Hacker News. "Based on the data that has been released, there are no indications that Mandiant data has been disclosed but rather the actor appears to be trying to disprove Mandiant's June 2, 2022 research on UNC2165 and LockBit."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Evil Corp Cybercrime Group Shifts to LockBit Ransomware to Evade Sanctions

Prometheus ransomware contained a weak random number generator that inspired researchers to try and build a one-size-fits-all decryptor. 
The post RSA 2022: Prometheus ransomware’s flaws inspired researchers to try to build a near-universal decryption tool appeared first on Malwarebytes Labs.

Prometheus—a ransomware build based on Thanos that locked up victims’ computers in the summer of 2021—included a major “vulnerability” that led security researchers at IBM to try and build a one-size-fits-all ransomware decryptor that could work against multiple ransomware variants, including Prometheus, AtomSilo, LockFile, Bandana, Chaos, and PartyTicket.

Though the IBM researchers managed to undo the work of multiple ransomware variants, the panacea dream decryptor never materialized.

IBM global head of threat intelligence Andy Piazza said that the team’s efforts revealed that even though some ransomware families can be reverse-engineered to develop a decryption tool, no company should rely on decryption itself as a response to a ransomware attack.

“Hope is not a strategy,” Piazza said at RSA Conference 2022, held in San Francisco in person for the first time in two years.

IBM security research Aaron Gdanski, who was aided by security researcher Anne Jobman, said his interest in building a Prometheus decryption tool began after one of IBM Security’s clients was hit with the ransomware. He began by trying to understand the ransomware’s behavior: Did it persist in the environment? Did it upload files anywhere? And how, specifically, did it generate the keys that were used to encrypt files?

By using the DS-5 debugger and disassembler, Gdanski found that Prometheus’ encryption algorithm relied on both “a hardcoded initialization vector which did not change between samples” and the uptime of the computer. Gdanski also learned that Prometheus created its seeds by relying on a random number generator that, by default, used Environment.TickCount.

These discoveries revealed a key vulnerability in Prometheus, Gdanski said. If he could find when Prometheus encrypted files on the system, he could then likely generate the same seed that Prometheus used for that decryption.

“If I could obtain the seed at the time of encryption, I could use the same algorithm Prometheus did to regenerate the key it uses,” Gdanski said.

Equipped with the boot time on an affected machine and the recorded timestamp on an encrypted file, Gdanski then had a starting point to narrow down his work. After some additional calculations, Gdanski generated a seed from Prometheus and he tested it on portions of encrypted files.

With some fine-tuning, Gdanski’s work paid off.

Gdanski also learned, though, that the seed changed depending on the time when a file was encrypted. That meant that one single decryption key would not work, but by sorting the encrypted files by the last write time on the machine, he was able to slowly build a series of seeds that could be used for decryption.

The success, Gdanski said, could be applied to other ransomware families that similarly relied on flawed random number generators.

“Any time a non-cryptographically secure random number generator is used, you’re probably able to recreate a key,” Gdanski said.

But Gdanski emphasized that this flaw is rare from what he’s seen. As Piazza reiterated, the best defense to ransomware isn’t hoping that the ransomware involved in an attack has a sloppy implementation—it’s preventing a ransomware attack before it happens.

For the latest on current ransomware activity, read our May ransomware review here. You can also read about some lessons from the real-life ransomware attack on Northshore School District here.

Tag

#intel