A sound cyber-risk management strategy analyzes all the business impacts that may stem from an attack and estimates the related costs of mitigation versus the costs of not taking action.

Source: Olekcii Mach via Alamy Stock Photo

COMMENTARY

Business risks encompass many overlapping categories, from operational and strategic risks to financial, legal, and compliance risks. Yet every category is affected by cyber-risks in some way. Operational problems such as equipment failures and supply chain disruptions should include the risks of a cyberattack disrupting IT networks. Similarly, the CFO's office manages credit risks, investment losses, and cash-flow issues. But the finance team should also recognize the ongoing threats of financial losses from ransomware attacks, or the reputational harm when private customer data gets leaked on the Internet.

Market research has repeatedly shown cybersecurity to be a key indicator of financial performance. In fact, companies with advanced cybersecurity performance create a 372% higher shareholder return compared with their peers that have basic cybersecurity performance. That's according to a recent report from Bitsight and Diligent that analyzed more than 4,000 mid- to large-cap companies in public indexes globally.

Nearly all chief information security officers (CISOs) and security leaders are adopting artificial intelligence as part of their strategy to defend against advanced cyberattacks. More than three-fourths of CISOs (78%) are already using AI to help their security teams, while 20% are waiting for more powerful models and better AI security tools before adopting, according to Bugcrowd's "Inside the Mind of a CISO 2024" report.

The global survey found that 91% of CISOs believe AI already outperforms security professionals, or will in the future, while 76% believe the AI threat landscape is evolving too quickly to adequately secure. However, the CISOs expressed mixed feelings about the risks of AI. More than half said the risks of AI are greater than the benefits (58%), while 42% indicated that there still is not yet a consensus on this issue.

Of course, cyber-risk is more than a technology problem to be solved solely through technical protections. The solution also requires people and policies to anticipate and prevent unforeseen events through advance preparations. Cyber-risks can have damaging impacts on important business decisions for mergers and acquisitions, supply chain partnerships, and third-party vendor transactions. That's why it's so important for leaders to raise awareness about cyber-risk management among their colleagues in less technical roles such as finance, sales, marketing, and human resources.

**Cyber Secure Practices Deliver Better Business Performance**

It's time for businesses to elevate cyber-risk management to an essential protocol that's managed as part of their overall risk management framework — all of which requires translating complex technical threats into clear financial contingency plans that will motivate the C-suite and board members to invest in security.

The impulse to improve cyber-awareness training and increase security is most prevalent among highly regulated industries such as healthcare and financial services. For these industries, noncompliance can lead to heavy fines, penalties, lawsuits, and damage brand reputation.

Faced with strict rules, these industries typically adopt cyber programs and best practices more quickly than other sectors, because they are familiar with, and better at, managing their risk. Their internal culture demands that they ensure compliance with specific regulatory requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) data privacy rules for healthcare providers. For such firms, accounting for cyber-risk is just one more compliance requirement to check off the list.

Similarly, companies that hold regular audit committee meetings have a culture that is more conducive to managing cyber-risks as a compliance issue. They use their regular reporting cadence and infrastructure to incorporate cyber into the larger discussion of regulatory compliance and business risk topics. Regulated industries have the highest cybersecurity ratings, and companies with either a specialized risk committee or audit committee achieve better cybersecurity performance compared with those with neither, according to the Bitsight report.

**It Pays to Support Smart Cyber-Risk Management**

Cyber incidents can have lasting impacts on business operations, workforce productivity, customer satisfaction, and brand reputation. For all these reasons, security should be the responsibility of the entire organization, not just the CISO or security operations center (SOC) team. Everyone must share a commitment to protect the organization's information and IT infrastructure, because that is what their customers and partners expect.

To do so, business leaders need to recognize and manage these cyber-risks just as they would manage any other business risk. Direct costs from cyberattacks can include data recovery and remediation to recover lost data and repair compromised systems. Making the decision to invest in preventative measures has proven to be much more cost-effective than addressing the fallout from a successful cyberattack after it happens.

As business leaders, we're asked to prioritize resources on a daily basis — for budgets, people, and facilities — based on the returns they provide to our business. Investing in cyber programs and best practices should be seen as a business enabler and force multiplier. After all, these investments can help drive revenue growth in the company by building and maintaining customer trust, in addition to protecting the business. In today's risk environment, the CISO should be elevated to be the peer to the rest of the C-suite and a direct report of the CEO — indicative of the strategic business importance of the role.

A sound cyber-risk management strategy is based on carefully analyzing all the business impacts that may stem from a potential attack and estimating the related costs of mitigation versus the costs of not taking action. In the end, as with all risk management, this process comes down to a basic dollars-and-cents financial decision.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

Managing Cyber-Risk Is No Different Than Managing Any Business Risk

The US government says outlets like RT work closely with Russian intelligence, and platforms have removed or banned their content. But they’re still influential all around the world.

In the lead-up to the 2024 elections, the Biden administration has taken aim at several Russian information operations. Earlier in September, the Department of Justice unsealed an indictment against two employees of RT, a Russian state-backed news network formerly known as Russia Today. At the heart of the indictment was Tenet Media, a company promoting content from right-wing influencers. RT, prosecutors say, largely funded Tenet, and its employees “edited, posted, and directed” content. (The individual influencers deny they knew about the company’s ties to Russia.)

Last week, Meta announced that it would ban RT and other media outlets backed by the Russian state from its platforms. Meanwhile, YouTube said it removed more than 230 channels with connections to Russian-backed media. Those decisions followed the US State Department imposing sanctions on Russian state media, saying that in addition to spreading disinformation about the war in Ukraine, RT was supporting a crowdfunding effort to support the Russian military’s invasion and had developed operations directly tied to Russia’s intelligence agencies.

“These Kremlin-backed media outlets are not only playing this covert influence role to undermine democracy in the United States, but also to meddle in the sovereign affairs of countries around the world,” said Secretary of State Antony Blinken at the time. “As part of RT’s expanded capabilities, the Russian government embedded within RT a unit with cyber operational capabilities and ties to Russian intelligence. RT’s leadership had direct, witting knowledge of this enterprise.”

“Meta's ban of RT and other Russian state media stings a lot because that has been a core channel for the spread of Russian propaganda,” says Samuel Woolley, associate professor and founder of the Propaganda Research Lab at the University of Pittsburgh.

In the US, RT pulled in former war reporter Chris Hedges and late night host Larry King before it lost most of its broadcast access following Russia’s 2022 invasion of Ukraine. But while the sanctions and deplatforming are certainly a blow to propaganda efforts directed at the US—Russian state media has seen some real success on social media—experts who spoke to WIRED say that it by no means will cap the outlets’ reach. RT is well regarded in other parts of the world, particularly in Africa and Latin America, and Spanish language speakers make up the outlet’s largest market outside Russia. It has also invested heavily in old school television infrastructure, with offices in Havana, Buenos Aires, Cairo, Delhi, Algiers, and many other locations that will likely continue to operate unhindered, and offers services in French, German, and Arabic, in addition to English.

“English language speakers haven't been the primary target of RT or Russian media's propaganda efforts,” says Woolley. “And they’ve been building capacity for nearly two decades across Latin America, portions of Africa, and elsewhere in the world. And that has meant in those places that RT and Sputnik have almost become like a fixture of everyday life.”

In Latin America alone, RT’s channels run 24/7, and reported 18 million viewers in 2018. African Stream, which was also named by the State Department as part of Russian state media’s influence architecture and later removed by YouTube and Meta, garnered 460,000 followers on YouTube in the two years it was up and running. And Woolley notes that in these markets, there is likely less competition for viewership than there is in the saturated US media landscape.

“\[Russian media\] made headway in limited media ecosystems, where its attempts to control public opinion are arguably much more effective,” he says. Russian media particularly hones in on anticolonial, anti-Western narratives that can feel particularly salient in markets that have been deeply impacted by Western imperialism. The US also has state-funded media that operates in foreign countries, like Voice of America, though according to the organization’s website, the 1994 US International Broadcasting Act “prohibits interference by any US government official in the objective, independent reporting of news.”

Rubi Bledsoe, a research associate at Center for Strategic and International Studies, says that even with Russian state media removed from some social platforms, its messages are still likely to spread in more covert ways, through influencers and smaller publications with which it has cultivated relationships.

“Not only was Russian media good at hiding that they were a Russian government entity, on the side they would seed some of their stories to local newspapers and local media throughout the region,” she says, noting that the large South American broadcasting corporation Telesur would sometimes partner with RT. (Other times, Russia will back local outlets like Cameroon’s Afrique Média). “All of these secondary and tertiary news outlets are a lot smaller, but can talk to parts of the local population,” she says.

Russian media has also helped cultivate local influencers who often align with its messaging. Bledsoe points to Inna Afinogenova, a Russian Spanish-language broadcaster who previously worked for RT but now has her own independent YouTube channel where she has more than 480,000 followers. (Afinogenova left RT after saying she disagreed with the war in Ukraine.)

And Bledsoe says that the ban from the US might actually be a boon for Russian media in the parts of the world where it’s actively trying to cultivate its image as a trusted media brand. “The narratives that were shared through RT and other Russian media and in Iranian media as well, it's a kind of anti-imperialist dig at the West, and the US,” she says. “Saying the US is the driving force behind this international system and they’re plotting, and they’re out to get you, to impose on other countries’ sovereignty.”

Though Meta was a key avenue for the spread of Russian state media content, it still has a home on other platforms. RT does not appear to have a verified TikTok account, but accounts that exclusively post RT content, like @russian\_news\_ and @russiatodayfrance have tens of thousands of followers on the app. African Stream’s TikTok is still live with nearly 1 million followers. TikTok spokesperson Jamie Favazza referred WIRED to the company’s policies on election-related mis- and disinformation.

A post on X from RT’s account on September 18, the day after the ban, linked to its accounts on platforms like right-wing video sharing platform Rumble, X, and Russian YouTube alternative VK. (RT has 3.2 million followers on X and 125,000 on Rumble.) “Meta can ban us all it wants,” the post read. “But you can always find us here.” X did not respond to a request for comment.

Russia-Backed Media Outlets Are Under Fire in the US—but Still Trusted Worldwide

SaaS applications contain a wealth of sensitive data and are central to business operations. Despite this, far too many organizations rely on half measures and hope their SaaS stack will remain secure. Unfortunately, this approach is lacking and will leave security teams blind to threat prevention and detection, as well as open to regulatory violations, data leaks, and significant breaches.
If

SaaS applications contain a wealth of sensitive data and are central to business operations. Despite this, far too many organizations rely on half measures and hope their SaaS stack will remain secure. Unfortunately, this approach is lacking and will leave security teams blind to threat prevention and detection, as well as open to regulatory violations, data leaks, and significant breaches.

If you understand the importance of SaaS security, and need some help explaining it internally to get your team's buy-in, this article is just for you — and covers:

*   Why SaaS data needs to be secured
*   Real-world examples of SaaS apps attacks
*   The attack surface of SaaS apps
*   Other types of less suitable solutions including CASB or manual audit
*   ROI of an SSPM
*   What to look for in the right SSPM

Download the full SSPM Justification Kit e-book or request the kit in presentation format with your logo!

**What Is in Your SaaS Data?**

Nearly all business operations run through SaaS. So does HR, sales, marketing, product development, legal, and finance, in fact, SaaS apps are central to nearly every business function, and the data that supports and drives those functions are stored in these cloud-based apps.

This includes sensitive customer data, employee records, intellectual property, budget plans, legal contracts, P&L statements – the list is endless.

It is true that SaaS apps are built securely, however, the shared responsibility model that ensures that SaaS vendors include the controls needed to secure an application, leaves their customers the ones who are ultimately accountable and in control of hardening their environments and making sure they are properly configured. Applications typically have hundreds of settings, and thousands of user permissions, and when admins and security teams don't fully understand the implications of settings that are unique to specific applications, it leads to risky security gaps.

**SaaS Applications ARE Under Attack**

Headlines have shown that SaaS applications are getting the attention of threat actors. An attack on Snowflake led to one company exposing over 500 million customer records. A phishing campaign in Azure Cloud compromised the accounts of several senior executives. A breach at a major telecom provider exposed files containing sensitive information for over 63,000 employees.

Threats are real, and they are increasing. Cybercriminals are using brute force and password spray attacks with regularity, accessing applications that could withstand these types of attacks with an SSPM to harden access controls and an Identity Threat Detection & Response (ITDR) capability to detect these threats.

One breach by threat actors can have significant financial and operational repercussions. Introducing an SSPM prevents many threats from arising due to hardened configurations, and ensures ongoing operations. When coupled with a SaaS-centric ITDR solution, it provides full 360-degree protection.

You can read more about each breach in this blog series.

**What Is the SaaS Attack Surface?**

The attack surface includes a number of areas that threat actors use for unauthorized access into a company's SaaS applications.

**Misconfigurations**

Misconfigured settings can allow unknown users to access applications, exfiltrate data, create new users, and interfere with business operations.

**Identity-First Security**

Weak or compromised credentials can expose SaaS apps to attack. This includes not having MFA turned on, weak password requirements, broad user permissions, and permissive guest settings. This kind of poor entitlement management, especially in complex applications such as Salesforce and Workday, can lead to unnecessary access that can be exploited if the account is exposed.

The identity attack surface extends from human accounts to non-human identities (NHI). NHIs are often granted extensive permissions and are frequently unmonitored. Threat actors who can take control of these identities often have a full range of access within the application. NHIs include shadow applications, OAuth integrations, service accounts, and API Keys, and more.

Additionally, there are other attack surfaces within identity protection:

*   **Identity's Devices**: High-privileged users with poor hygiene devices can expose data through malware on their device
*   **Data Security**: Resources that are shared using public links are in danger of leaks. These include documents, repositories, strategic presentations, and other shared files.

**GenAI**

When threat actors gain entry into an app with GenAI activated, they can use the tool to quickly find a treasure trove of sensitive data relating to company IP, strategic vision, sales data, sensitive customer information, employee data, and more.

**Can SaaS Applications Be Secured with CASBs or Manual Audits?**

The answer is no. Manual audits are insufficient here. Changes happen far too rapidly, and there is too much on the line to rely on an audit conducted periodically.

CASBs, once believed to be the ideal SaaS security tool, are also insufficient. They require extensive customization and can't cover the different attack surfaces of SaaS applications. They create security blindness by focusing on pathways and ignoring user behavior within the application itself.

SSPM is the only solution that understands the complexities of configurations and the interrelationship between users, devices, data, permissions, and applications. This depth of coverage is exactly what's needed to prevent sensitive information from reaching the hands.

In the recent Cloud Security Alliance Annual SaaS Security Survey Report: 2025 CISO Plans & Priorities, 80% of respondents reported that SaaS security was a priority. Fifty-six percent increased their SaaS security staff, and 70% had either a dedicated SaaS security team or role. These statistics present a major leap in SaaS security maturity and CISO priorities.

**What Is the Return on Investment (ROI) with an SSPM Solution?**

Determining ROI on your SaaS application is actually something you can calculate.

Forrester Research conducted this type of ROI report earlier this year. They looked at the costs, savings, and processes of a $10B global media and information service company, and found that they achieved an ROI of 201%, with a net present value of $1.46M and payback for their investment in less than 6 months.

You can also begin to calculate the value of increased SaaS Security Posture by identifying the actual number of breaches that have taken place and the cost of those breaches (not to mention the unquantifiable measurement of reputational damage). Add to that the cost of manually monitoring and securing SaaS applications, as well as the time it takes to locate a configuration drift and fix it without a solution. Subtract the total benefits of an SSPM solution, to establish your annual net benefits from SSPM.

An ROI calculation makes it easier for those controlling the budget to allocate funds for an SSPM.

Request a demo to learn what SSPM is all about

**Selecting the Right SSPM Platform**

While all SSPMs are designed to secure SaaS applications, there can be quite a disparity between the breadth and depth of security that they offer. Considering that nearly every SaaS application contains some degree of sensitive information, look for an SSPM that:

*   covers a broader range of integrations out-of-the-box and also supports custom, homegrown apps. Make sure it even monitors your social media accounts.
*   has the ability to monitor users and their devices
*   gives visibility into connected applications
*   is able to detect shadow apps with capabilities to protect GenAI apps as the proliferation of GenAI within SaaS apps is a major security concern.
*   includes comprehensive Identity Threat Detection and Response (ITDR) to prevent unwanted activity while detecting and responding to threats.

SaaS applications form the backbone of modern corporate IT. When trying to justify SSPM prioritization and investment, be sure to stress the value of the data it protects, the threats encircling applications, and ROI.

Download the full SSPM Justification Kit E-Book or request the kit in presentation format with your logo!

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The SSPM Justification Kit

The latest version of the evolving threat is a multistage attack demonstrating a move away from ransomware to purely espionage activities, typically targeting Ukraine and its supporters.

Source: Peter Treanor via Alamy Stock Photo

The RomCom cyber-espionage malware that rampaged through the Ukraine military and its supporters last year has resurfaced with a new variant. It leverages valid code-signing certificates to fly under the radar, allowing attackers to execute commands and download additional malicious files onto a victim's system in a multistage attack.

The variant, called SnipBot by researchers at Palo Alto's Unit 42, appears to have been spreading since December, picking up where the last version of RomCom left off, they revealed in analysis published this week. The malware is based on RomCom 3.0., but it also shares techniques already seen in RomCom 4.0, making it version 5.0 of the original RomCom remote access Trojan (RAT) family.

Earlier attacks of the actor behind RomCom — which also targeted supporters of Ukraine — often included ransomware payloads in addition to cyber-espionage activities. However, Unit 42 now believes that the attackers behind the malware have pivoted away from financial gain to exclusively focusing on intelligence-gathering, according to the post.

Even so, "the attacker's intentions are difficult to discern given the variety of targeted victims, which include organizations in sectors such as IT services, legal, and agriculture," Unit 42's Yaron Samuel and Dominik Reichel wrote in the analysis.

Related:Dark Reading News Desk Live From Black Hat USA 2024

**Email Kicks Off Initial RomCom Attack**

SnipBot first appears in either an executable downloadable file masquerading as a PDF, or as an actual PDF file sent to a victim in a phishing email that leads to an executable. The malware includes "a basic set of features that allows the attacker to run commands on a victim's system and download additional modules," the researchers wrote.

The PDF file shows distorted text that states a font is missing that's needed to show it correctly.

"If the victim clicks on the contained link that’s purported to download and install the font package, they will instead download the SnipBot downloader," the researchers wrote.

The malware itself is composed of several stages, with the executable file followed by remaining payloads that are either further executables or DLL files. Moreover, the downloader for the malware is always signed with a legitimate and valid code-signing certificate, the researchers noted.

"We don’t know how the threat actors obtain these certificates, but it's likely they steal them or gain them by fraud," they observed, adding that subsequent modules of the initial SnipBot malware were not signed.

**SnipBot's Infection Vector**

Related:Meet UNC1860: Iran's Low-Key Access Broker for State Hackers

As mentioned, the downloader that delivers SnipBot is signed with a presumably stolen or spoofed certificate and also is obfuscated with a window message-based control-flow obfuscation algorithm; the malware's code is split up into multiple unordered blocks that are triggered by custom window messages.

The downloader also uses "two simple yet effective" anti-sandbox tricks, the researchers wrote. "The first one checks for the original file name by comparing the hashed process name against a hard-coded value," while the second one checks whether there are at least 100 entries in a particular Microsoft Windows registry, "which is usually the case on a regular user’s system but less likely to be the case in a sandbox system," they wrote.

Upon execution, the downloader contacts various command-and-control (C2) domains to retrieve a PDF file, and then subsequent payloads to the infected machine, the first of which provides spyware capability. Ultimately, the main module of SnipBot provides the attacker with command-line, uploading, and downloading capabilities on a victim’s system, as well as the ability download and execute additional payloads from C2.

Unit 42 also witnessed post-infection activity aiming to gather information about the company's internal network as well as attempts to exfiltrate a list of different files from the victim’s documents, downloads, and OneDrive folders to an external, attacker-controlled server.

Related:Mastercard's Bet on Recorded Future a Win for Cyber-Threat Intel

**RomCom Remains an Active Threat**

The threat actor wielding RomCom has been active since at least 2022, and engages in various nefarious activities, including ransomware, extortion, and targeted credential gathering, likely to support intelligence-gathering operations. As mentioned, the threat actor seems to now be moving away from its previous financially motivated activities to engage exclusively in cyber espionage.

As SnipBot demonstrates an evolution in threat capabilities with novel obfuscation methods as well as post-exploitation activity, Unit 42 stressed "the need for organizations to remain vigilant and adopt advanced security measures to protect their systems and data from evolving cyberthreats," the researchers noted in their analysis.

Given the RomCom threat actor's interest in cyber espionage against Ukraine and its supporters, the Computer Emergency Response Team of Ukraine (CERT-UA) also has published information about the threat group and how it operates.

"This group is actively attacking employees of defense enterprises and the Defense Forces of Ukraine, constantly updating its malware arsenal, but their malicious activities are not limited to Ukraine," the agency warned.

CERT-UA advised organizations that may be targeted to remain vigilant about emails from unknown senders, even if they present themselves as a government employee, and to refrain from downloading or opening suspicious files.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

RomCom Malware Resurfaces With SnipBot Variant

The group has used more than 30 custom tools to target high-value government and telecommunications organizations on behalf of Iranian intelligence services, researchers say.

Source: Christophe Coat via Alamy Stock Photo

An advanced persistent threat (APT) tied to Iran's Ministry of Intelligence and Security (MOIS) is providing initial access services to a bevy of Iranian state hacking groups.

UNC1860 has been the gateway for attacks by notorious groups like Scarred Manticore and OilRig (aka APT34, Helix Kitten, Cobalt Gypsym, Lyceum, Crambus, or Siamesekitten). As Mandiant explained in a recent blog post, its focus is exclusively on breaching and establishing a foothold in potentially valuable networks across high-value sectors — government, media, academia, critical infrastructure, and particularly telecommunications — then handing over access to other Iranian nation-state actors.

Over the years, UNC1860 has teamed up for attacks against targets in Iraq, Saudi Arabia, and Qatar; aided in espionage of Mideast telecommunications companies; prepared the ground for wiper attacks in Albania and Israel; and more.

**UNC1860's Many Backdoors**

In March, Israel's National Cyber Directorate warned that wiper attacks were striking organizations across the country, including managed service providers, local governments, and academic institutions. Among the indicators of compromise (IoCs) were a Web shell called "Stayshante" and a dropper called "Sasheyaway," just two of around 30 custom malware tools managed by UNC1860, the Mandiant report explained.

UNC1860 isn't the one doing the wiping, or any other disruptive, destructive, or otherwise exploitative behavior in a target's network. Its job is merely to gain that initial foothold, primarily by scanning for vulnerabilities in public-facing assets at targeted organizations, then dropping a series of increasingly serious and sophisticated backdoors. 

Stayshante, Sasheyaway, and tools like it provide its first toe in the water, and can be used to download more substantial backdoors like "Templedoor," "Faceface," and "Sparkload." For its highest-value targets, UNC1860 will deploy its most sophisticated, main-stage backdoors like "Templedrop," or "Oatboat," which loads and executes payloads such as "Tofupipe" and "Tofuload," TCP-based passive listeners.

"To set up those listeners, they are not even leveraging regular Windows API calls — they actually leverage some undocumented tools of HTTP.sys, which is crazy," says Stav Shulman, senior researcher with Mandiant by Google Cloud.

"Most backdoors would leverage common API calling, so most engines would detect them," Shulman explains. "But if you are determined enough, and clever enough, and if you have extraordinary technical knowledge, you can leverage calls that are not documented by the Microsoft Developer Network (MSDN). So UNC1860 actually reverse engineered them themselves, so that you won't detect their calls."

**UNC1860's Trick to Staying Undetected**

Besides its lack of destructive behavior, there's another reason why you hear about Scarred Manticore, Oil Rig, and Shrouded Snooper, but rarely UNC1860: All of UNC1860s implants are entirely passive. It doesn't send any information out from target networks, and doesn't need to maintain any kind of command-and-control (C2) infrastructure.

"Most detections today are very focused on outbound communications, but UNC1860 just focuses on inbound requests," Shulman says. "That inbound traffic they listen to can come from any number of stealthy sources \[including\] VPN nodes in proximity to the target, other victims of prior attacks, and other locations in a target's network."

In 2020, for example, the group was observed using one of its victims' networks as a launch point to scan for potentially vulnerable IP addresses in Saudi Arabia, vet various accounts and email addresses associated with domains in Saudi Arabia in Qatar, and target VPN servers in the same region.

And, as Shulman notes, "To escalate the operation, they only need to send one command at any random point in time to activate the backdoor." Because the group's implants utilize HTTPS-encrypted traffic, victims will not be able to decrypt its commands or payloads.

Shulman advises organizations to focus on how best to vet incoming network traffic.

"How do we detect \[malicious traffic\]? How do we decide if incoming traffic is malicious or not?" Shulman says. "Because even \[when UNC1860 is abusing\] documented API calls that cybersecurity engines would catch, there's plenty of legitimate software that use these same calls, so detecting malicious calls could be very confusing and have lots of false positives. Focusing on the incoming traffic is the key, I think, for detecting UNC1860's activity."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Meet UNC1860: Iran's Low-Key Access Broker for State Hackers

The company has jettisoned hundreds of thousands of unused apps and millions of unused tenants as part of its Secure Future Initiative.

Source: JeanLucIchard via Shutterstock

Microsoft so far has eliminated some 730,000 unused applications and 5.75 million inactive tenants within its cloud environment as part of its sweeping Secure Future Initiative (SFI), designed to shore up security following a couple of major intrusions into its network over the past year.

The company has also deployed 15,000 new, locked-down devices for software production teams over the past three months and implemented video-based identity verification for 95% of its production staff. In addition, Microsoft has updated its Entra ID and Microsoft Account (MSA) processes for generating, storing, and rotating access token signing keys for public and government clouds.

**Secure Future Initiative**

The changes are part of a broader Microsoft effort to reduce its attack surface, strengthen cloud identity and authentication mechanisms, and boost its ability to detect and respond to threats. "Since the initiative began, we've dedicated the equivalent of 34,000 full-time engineers to SFI — making it the largest cybersecurity engineering effort in history," said Charlie Bell, executive vice president of Microsoft Security in an update this week.

Microsoft launched SFI in November 2023, a few months after China's Storm-0558 breached the company's Exchange Online infrastructure and accessed email accounts across more than two dozen government agencies. Among those affected were senior officials working on US relations with China. In a second incident last year that Microsoft only discovered and reported in January 2024, Russia's Midnight Blizzard breached the company's corporate email accounts via a low-tech password spraying attack.

The US Department of Homeland Security's Cyber Safety Review Board (CSRB) conducted a fact-finding analysis of the Storm-0558 incident and concluded the intrusion stemmed from a "cascade of security failures at Microsoft" at a strategic and cultural level. The board made several recommendations for Microsoft to bolster cloud security, especially around identity and authentication.

Microsoft has identified six areas for improvement with SFI: identity and secrets; security around cloud tenants and production systems; protections for engineering systems; network security; threat detection and monitoring; and incident response and remediation.

**Sweeping Security Changes at Microsoft**

Bell's report this week provided an update on the progress the company has been making in each of those areas. The updates to Entra ID and Microsoft Account, for instance, are part of an effort to better protect critical signing keys for remote authentication, from misuse. Storm-0558 actors took advantage of a single, errant signing key and a vulnerability in Microsoft's authentication system to grant themselves the ability to access essentially any Exchange Online account around the world.

Similarly, the elimination of hundreds of thousands of unused apps and millions of inactive tenants are part of an effort to reduce the surface area for potential attacks against cloud tenants and production systems.

On the network security front, Microsoft has implemented mechanisms for improving visibility: The company now maintains a central inventory for more than 99% of physical assets on its production network. "Virtual networks with backend connectivity are isolated from the Microsoft corporate network and subject to complete security reviews to reduce lateral movement," Microsoft's Bell wrote.

To protect engineering systems, Microsoft has begun using centrally managed pipeline templates for 85% of its production builds for the commercial cloud, reduced the lifespan of personal access tokens to seven days, and disabled Secure Shell Access to internal Microsoft engineering repos. Proof of presence checks are now mandatory for critical points along Microsoft's software development process.

**Exec-Level Accountability**

This is the second update that Microsoft has provided on the progress the company has been making with SFI. A previous one in May focused largely on changes that Microsoft has been making at the organizational level to — among other things — hold executives directly responsible for security.

The changes the company has made at the organizational level include tying compensation for senior leadership to specific security goals and milestones, tying the threat intelligence team more tightly to the enterprise CISO's office, and requiring engineering and security teams to work together.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Microsoft Trims Cloud Cyberattack Surface in Security Push

The $2.65B buy validates the growing importance of threat intelligence to enterprise security strategies.

Source: incamerastock via Alamy Stock Photo

Mastercard's $2.65 billion acquisition of Recorded Future has focused attention on the increasing value of cyber-threat intelligence (CTI) to enterprise security strategies.

Security experts in the space perceive the deal as validating the business criticality of CTI and accelerating its mainstream adoption.

**A Multibillion-Dollar Bet**

Mastercard on Sept. 12 announced it had agreed to acquire Recorded Future for $2.65 billion — nearly equivalent to the cumulative amount it paid in nine previous purchases of cybersecurity vendors. Mastercard has said it will leverage Recorded Future's threat intelligence capabilities to bolster its own anti-fraud capabilities and to strengthen the third-party services it delivers via previous acquisitions such as RiskRecon.

The deal is expected to close in Q1 of 2025.

Fernando Montenegro, an analyst with Omdia, says Mastercard's acquisition aligns with the financial firm's efforts to integrate multiple capabilities around its suite of anti-fraud services. "One of the key components of successful anti-fraud initiatives is accurate threat intelligence, so it makes sense for Mastercard to improve their capabilities there," Montenegro says. "I think the deal shows that threat intelligence can be immensely valuable not only to pure-play cybersecurity efforts, but to broader anti-fraud initiatives as well."

The Business Research Company expects demand for cyber-threat intelligence services to hit some $11.5 billion in revenue in 2024, and to more than double to $25.68 billion in 2028, at a compound annual growth rate (CAGR) of 21.7%. The analyst firm identified the primary growth drivers as an increase in the volume and sophistication of cyberattacks, cloud adoption, a constantly expanding attack surface, and increasing regulatory pressures. Others, like Statista think the market is currently even larger — $14.59 billion in 2023 — but have a more modest annual growth rate expectation of 14.7% between now and 2030.

**Validation for CTI?**

Beenu Arora, CEO and co-founder of Cyble, sees the pending transaction as further cementing the role of threat intelligence in business strategies. The rapidly changing and increasingly sophisticated threat landscape has increased the importance of intelligence on emerging threats, threat groups, and their tactics, techniques, and procedures, Arora says. Now perceived as a highly technical component of SecOps, CTI has moved to front and center of security strategy at a growing number of organizations.

"If you speak to any seasoned CTO, CISO, or chief executive, there’s always concern about how they can make the right decisions" around what assets to protect, how, and against whom, Arora says. "Over the last 10 to 15 years, I think there has been much greater awareness with regard to how threat intelligence can sit at the center of day-to-day decision making for the business, whether that’s managing risk, safeguarding assets, or using external intelligence to help guide business decisions."

Analyst firm IT-Harvest, which maintains a dashboard tracking the performance of more than 4,050 cybersecurity vendors globally, counts 123 vendors as currently engaged in the cyber-threat intelligence space. Of that number, 63 have experienced headcount growth this year. Mastercard's recent acquisition underscores the value these vendors can bring to enterprise security strategies, says Richard Stiennon, chief research analyst at IT-Harvest.

"I think the acquisition is good for the 122 other threat intelligence vendors whose prospects will improve in the eyes of investors," Stiennon says.

The $2.65 billion that Mastercard has agreed to pay for Recorded Future is roughly 6.5 times the latter's annual revenue run rate. While that valuation is less than the 10-times valuations that cybersecurity firms garnered back in 2021 and 2022, it still is a healthy number, Stiennon says.

Many of the organizations that deliver CTI services, such as Recorded Future, Group-IB Flashpoint, and Digital Shadows, are what might be regarded as pure-play vendors in the space. Others, such as Mandiant, CrowdStrike, Kaspersky, IBM X-Force, Cisco Talos, and Palo Alto Networks, deliver threat intelligence as part of a broader portfolio of security services. All these vendors use a combination of open source intelligence (OSINT) and information from proprietary sources to deliver their CTI feeds.

"The acquisition validates the widespread, growing recognition that threat intelligence is no longer a complement to an organization's security posture," says Josh Lefkowitz, founder and CEO of Flashpoint. Organizations and government agencies are using threat intelligence to combat ransomware, protect data, lock down supply chains, prioritize critical vulnerabilities, and protect their people and assets.

"I’m constantly speaking with security leaders at organizations that consider these applications of threat intelligence critical to their daily operations," Lefkowitz notes.

He adds that Mastercard's Recorded Future purchase is bringing attention to the board level of the business criticality of CTI.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Mastercard's Bet on Recorded Future a Win for Cyber-Threat Intel

Cyber ranges are a great way for cyber professionals to keep up on emerging threats and new technologies — while having a little fun.

Source: dpa picture alliance via Alamy Stock Photo

Staying on top of the evolving cyber threat landscape can be a challenge for cybersecurity professionals. The daily grind of the job leaves little time for mastering the latest threats and tools, but cyber ranges offer a way to keep skills fresh — and maybe have a little bit of fun at the same time.

Governments, universities, and workplace training organizations have been running these simulated training environments, which give users a place to practice using the networks, systems, tools, and applications they will encounter on the job, for more than two decades. Yet cyber ranges remain a vital tool in the arsenal of the cyber professional looking to stay on top of emerging threats and new technologies.

Most recently, last month the National Aviation University in Ukraine launched the Cyber Range UA, a virtual platform dedicated to simulating real-world attacks, as part of an effort to provide cybersecurity training in Ukraine. And last October the US Navy announced the opening of the Department of Defense's fourth cyber range, the National Cyber Range at Naval Air Station Patuxent River, dedicated to testing and training initiatives for aircraft, their subsystems, and supportive technologies. Its other cyber range facilities focus on the Air Force, submarines and ships, and mission-force training.

"On top of being the most capable, defense technology is also required to be cyber-resilient," said John Ross, deputy director of the National Cyber Range, part of the Naval Air Warfare Center Aircraft Division (NAWCAD), in a statement. "We harden warfighter systems by performing vulnerability assessments and recommending mitigations — ultimately preventing adversaries from stealing our data or defeating our technology."

**Cyber Ranges as a Business**

But cyber ranges aren't all wargames. In the private sector, the SANS Institute has been running its NetWars cyber range competition since 2009 for the wider cybersecurity community, and its free Holiday Hack Challenge has about 20,000 participants annually. SANS holds a variety of cyber range competitions for individuals and teams, all focused on making sure cybersecurity professionals are at the top of their game.

"How do you maintain mission preparedness? How do you make sure that you're ready on a continuing basis? That's where ranges come in," says Ed Skoudis, president of the SANS Technology Institute, who leads the team that develops cyber ranges for SANS.

The organization designs its ranges to build real-world skills in a gaming environment. Some of the ranges are designed to be completed in three to six hours, while others can be accessed over the course of four months, depending on the complexity and time commitment users and companies are able to make. SANS also builds custom ranges for clients who are looking to bolster specific skill sets or experience business-relevant training simulations.

"Sometimes customers will come to us with a very specific need," Skoudis says. "They need something with certain specific content, maybe a particular mix of cloud providers, a particular SIEM solution, or particular challenges associated with certain applications or SaaS offerings. They'll come to us, and we will create custom ranges for them."

The team members make sure they're up-to-date on the current threat and technology environments by working as cybersecurity consultants or range designers.

"We'll learn things from the real world, build it in the range, see people attacking it and dissecting it, and doing all kinds of things with it, and then we can take that and apply it in our consulting services," Skoudis says. "So it's this virtuous cycle of consulting and range building."

At the same time, the designers are working to make participation as entertaining as it is practical, no matter how well they do, he adds.

"We try to make our ranges fun," Skoudis says. "I want the person who came in 92nd place ... to say, 'I really enjoyed that. I learned from it. I had a good time. I am a better cybersecurity professional for having participated in that range, even though I came in 92nd place.'"

**Gamification for National Security**

Singapore's Home Team Science & Technology (HTX) agency recently commissioned a custom cyber range from SANS to help boost the skills of its practitioners in an engaging way.

"The gamification of cybersecurity helps to raise awareness of new attack surfaces from emerging technologies, such as artificial intelligence (AI), in a more engaging manner," says Tay Sze Ying, head of cyber threat intelligence and hunting, xCybersecurity, at HTX. "It also allows the participants to better understand how such emerging technologies are used in the field of homeland security and the potential impact they have on daily lives. We also hoped that the participating teams could, through this initiative, explore how AI is useful in investigating cyber incidents on Internet of Things (IoT) devices, such as drones and networked cameras."

Leadership at the agency was looking for innovative ways to benchmark the team's cybersecurity competency on both a local and international level, and senior management was excited by the idea of gamification when it came to homeland security use cases, Tay says.

The team's biggest struggles came from finding ways to complete the project in the tight time frame.

"During this journey, we had to quickly adapt to the dynamics of organizing a large-scale physical event, articulate homeland security contexts to the challenge developers, and even validate each of the technical challenges within the cyber range," Tay says. "This was a truly enriching and memorable experience. Now that we have experience in doing this, we will explore creating more innovative competition formats in the future."

**Cyber Ranges Built Right In**

Companies are also dreaming up new ways to leverage cyber ranges for training and to differentiate their offerings from the competition. For example, managed detection and response provider Critical Start has worked a cyber range feature into its dashboard so that customers can practice responding to system alerts in real time. The cyber range feature is available to all of Critical Start's managed service customers for free, but it's also a valuable sales and onboarding tool, says Chris Carlson, chief product officer at Critical Start.

"While we hook them up to the security tools, and while we onboard their MDR service, their analysts now can start looking at curated and anonymized real-world alerts and get started right away," Carlson says. "Now they can start to practice and be prepared when these alerts start happening."

The offering is something the company hopes will be a highlight for customers, as it gives an easy way to keep training and learning how to combat emerging threats while on the job. The company will continue to update the range as threats develop in the wild.

"There's not a lot of training that kind of happens to cybersecurity professionals, right? They have certain credentials, they get the job, and they're doing the job 50 hours a week, and there's no time to learn," Carlson says. "This is now a built-in capability in the same platform where they do their day job."

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Target Practice: Honing Critical Skills on Cyber Ranges

This week on the Lock and Code podcast, we speak with San Francisco City Attorney David Chiu about his team's fight against deepfake porn.

_This week on the Lock and Code podcast…_

On August 15, the city of San Francisco launched an entirely new fight against the world of deepfake porn—it sued the websites that make the abusive material so easy to create.

“Deepfakes,” as they’re often called, are fake images and videos that utilize artificial intelligence to swap the face of one person onto the body of another. The technology went viral in the late 2010s, as independent film editors would swap the actors of one film for another—replacing, say, Michael J. Fox in Back to the Future with Tom Holland.

But very soon into the technology’s debut, it began being used to create pornographic images of actresses, celebrities, and, more recently, everyday high schoolers and college students. Similar to the threat of “revenge porn,” in which abusive exes extort their past partners with the potential release of sexually explicit photos and videos, “deepfake porn” is sometimes used to tarnish someone’s reputation or to embarrass them amongst friends and family.

But deepfake porn is slightly different from the traditional understanding of “revenge porn” in that it can be created without any real relationship to the victim. Entire groups of strangers can take the image of one person and put it onto the body of a sex worker, or an adult film star, or another person who was filmed having sex or posing nude.

  
The technology to create deepfake porn is more accessible than ever, and it’s led to a global crisis for teenage girls.

In October of 2023, a reported group of more than 30 girls at a high school in New Jersey had their likenesses used by classmates to make sexually explicit and pornographic deepfakes. In March of this year, two teenage boys were arrested in Miami, Florida for allegedly creating deepfake nudes of male and female classmates who were between the ages of 12 and 13. And at the start of September, this month, the BBC reported that police in South Korea were investigating deepfake pornography rings at two major universities.

While individual schools and local police departments in the United States are tackling deepfake porn harassment as it arises—with suspensions, expulsions, and arrests—the process is slow and reactive.

Which is partly why San Francisco City Attorney David Chiu and his team took aim at not the individuals who create and spread deepfake porn, but at the websites that make it so easy to do so.

Today, on the Lock and Code podcast with host David Ruiz, we speak with San Francisco City Attorney David Chiu about his team’s lawsuit against 16 deepfake porn websites, the city’s history in protecting Californians, and the severity of abuse that these websites offer as a paid service.

> “At least one of these websites specifically promotes the non-consensual nature of this. I’ll just quote: ‘Imagine wasting time taking her out on dates when you can just use website X to get her nudes.’”
> 
> David Chiu, San Francisco City Attorney

Tune in today for the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 San Francisco’s fight against deepfake porn, with City Attorney David Chiu (Lock and Code S05E20) 

Hold on tight, folks, because last week's cybersecurity landscape was a rollercoaster! We witnessed everything from North Korean hackers dangling "dream jobs" to expose a new malware, to a surprising twist in the Apple vs. NSO Group saga. Even the seemingly mundane world of domain names and cloud configurations had its share of drama. Let's dive into the details and see what lessons we can glean

Cybersecurity / Cyber Threat

Hold on tight, folks, because last week's cybersecurity landscape was a rollercoaster! We witnessed everything from North Korean hackers dangling "dream jobs" to expose a new malware, to a surprising twist in the Apple vs. NSO Group saga. Even the seemingly mundane world of domain names and cloud configurations had its share of drama. Let's dive into the details and see what lessons we can glean from the past week.

****⚡ Threat of the Week****

**Raptor Train Botnet Dismantled:** The U.S. government announced the takedown of the Raptor Train botnet controlled by a China-linked threat actor known as Flax Typhoon. The botnet consisted of over 260,000 devices in June 2024, with victims scattered across North America, Europe, Asia, Africa, and Oceania, and South America. It also attributed the Flax Typhoon threat actor to a publicly-traded, Beijing-based company known as Integrity Technology Group.

****🔔 Top News****

*   **Lazarus Group's New Malware:** The North Korea-linked cyber espionage group known as UNC2970 (aka TEMP.Hermit) has been observed utilizing job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN. The activity is also tracked as Operation Dream Job.
*   **iServer and Ghost Dismantled:** In yet another big win for law enforcement agencies, Europol announced the takedown of an international criminal network that leveraged a phishing platform to unlock stolen or lost mobile phones. The agency, in partnership with the Australian Federal Police (AFP), dismantled an encrypted communications network called Ghost that enabled serious and organized crime across the world.
*   **Iranian APT Acts as Initial Access Provider:** An Iranian threat actor tracked as UNC1860 is acting as an initial access facilitator that provides remote access to target networks by deploying various passive backdoors. This access is then leveraged by other Iranian hacking groups affiliated with the Ministry of Intelligence and Security (MOIS).
*   **Apple Drops Lawsuit against NSO Group:** Apple filed a motion to "voluntarily" dismiss the lawsuit it's pursuing against Israeli commercial spyware vendor NSO Group, citing a shifting risk landscape that could lead to exposure of critical "threat intelligence" information. The lawsuit was filed in November 2021.
*   **Phishing Attacks Exploit HTTP Headers:** A new wave of phishing attacks is abusing refresh entries in HTTP headers to deliver spoofed email login pages that are designed to harvest users' credentials. Targets of the campaigns include entities in South Korea and the U.S.

****📰 Around the Cyber World****

*   **Sandvine Leaves 56 "Non-democratic" Countries:** Sandvine, the company behind middleboxes that have facilitated the delivery of commercial spyware as part of highly-targeted attacks, said it has exited 32 countries and is in process of ceasing operations in another 24 countries, citing elevated threats to digital rights. Earlier this February, the company was added to the U.S. Entity List. "The misuse of deep packet inspection technology is an international problem that threatens free and fair elections, basic human rights, and other digital freedoms we believe are inalienable," it said. It did not disclose the list of countries it's exiting as part of the overhaul.
*   **.mobi Domain Acquired for $20:** Researchers from watchTowr Labs spent a mere $20 to acquire a legacy WHOIS server domain associated with the .mobi top-level domain (TLD) and set up a WHOIS server on that domain. This led to the discovery that over 135,000 unique systems still queried the old WHOIS server over a five day period ending on September 4, 2024, including cybersecurity tools and mail servers for government, military and university entities. The research also showed that the TLS/SSL process for the entire .mobi TLD had been undermined as numerous Certificate Authorities (CAs) were found to be still using the "rogue" WHOIS server to "determine the owners of a domain and where verification details should be sent." Google has since called for stopping the use of WHOIS data for TLS domain verifications.
*   **ServiceNow Misconfigurations Leak Sensitive Data:** Thousands of companies are inadvertently exposing secrets from their internal knowledge base (KB) articles via ServiceNow misconfigurations. AppOmni attributed the issue to "outdated configurations and misconfigured access controls in KBs," likely indicating "a systematic misunderstanding of KB access controls or possibly the accidental replication of at least one instance's poor controls to another through cloning." ServiceNow has published guidance on how to configure their instances to prevent unauthenticated access to KB articles.
*   **Google Cloud Document AI Flaw Fixed:** Speaking of misconfigurations, researchers have found that overly permissive settings in Google Cloud's Document AI service could be leveraged by threat actors to hack into Cloud Storage buckets and steal sensitive information. Vectra AI described the vulnerability as an instance of transitive access abuse.
*   **Microsoft Plans End of Kernel Access for EDR Software:** Following the massive fallout from the CrowdStrike update mishap in July 2024, Microsoft has highlighted Windows 11's "improved security posture and security defaults" that allow for more security capabilities to security software makers outside of kernel mode access. It also said it will collaborate with ecosystem partners to achieve "enhanced reliability without sacrificing security."

**🔥 **Cybersecurity Resources & Insights******— **Upcoming Webinars****

*   **Zero Trust: Anti-Ransomware Armor**: Join our next webinar with Zscaler's Emily Laufer for a deep dive into the 2024 Ransomware Report, uncovering the latest trends, emerging threats, and the zero-trust strategies that can safeguard your organization. Don't become another statistic – Register now and fight back!
*   **SIEM Reboot: From Overload to Oversight:** Drowning in data? Your SIEM should be a lifesaver, not another headache. Join us to uncover how legacy SIEM went wrong, and how a modern approach can simplify security without sacrificing performance. We'll dive into the origins of SIEM, its current challenges, and our community-driven solutions to cut through the noise and empower your security. Register now for a fresh take on SIEM!

**— **Ask the Expert****

*   **Q:** How does Zero Trust differ fundamentally from traditional Perimeter Defense, and what are the key challenges and advantages when transitioning an organization from a Perimeter Defense model to a Zero Trust architecture?

*   **A:** Zero Trust and perimeter defense are two ways to protect computer systems. Zero Trust is like having multiple locks on your doors AND checking IDs at every room, meaning it trusts no one and constantly verifies everyone and everything trying to access anything. It's great for stopping hackers, even if they manage to sneak in, and works well when people work from different places or use cloud services. Perimeter defense is like having a strong wall around your castle, focusing on keeping the bad guys out. But, if someone breaks through, they have easy access to everything inside. This older approach struggles with today's threats and remote work situations. Switching to Zero Trust is like upgrading your security system, but it takes time and money. It's worth it because it provides much better protection. Remember, it's not just one thing, but a whole new way of thinking about security, and you can start small and build up over time. Also, don't ditch the wall completely, it's still useful for basic protection.

**— **Cybersecurity Jargon Buster****

*   **Polymorphic Malware:** Imagine a sneaky virus that keeps changing its disguise (signature) to trick your antivirus. It's like a chameleon, making it tough to catch.
*   **Metamorphic Malware:** This one's even trickier! It's like a shapeshifter, not just changing clothes, but completely transforming its body. It rewrites its own code each time it infects, making it nearly impossible for antivirus to recognize.

**— **Tip of the Week****

**"Think Before You Click" Maze:** Navigate a series of decision points based on real-world scenarios, choosing the safest option to avoid phishing traps and other online threats.

****Conclusion****

"To err is human; to forgive, divine." - Alexander Pope. But in the realm of cybersecurity, forgiveness can be costly. Let's learn from these mistakes, strengthen our defenses, and keep the digital world a safer place for all.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel