Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.
Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.
Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threat; it’s a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.
Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks, cyber criminals will likely learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns to wreak even more havoc in all lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research, development and investments. Advanced 5G and wireless networks will bring higher traffic capacities, lower latency, increased reliability, and enable processing and analytics in real-time. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated by searching for vulnerabilities and infiltrating malware by adapting (and automating), enabling machine learning, deep learning, artificial intelligence, and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.
Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original Log4j vulnerability (CVE-2021-44228) and newer findings on the same software (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105, CVE-2021-42550).
Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.
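Both Log4j items above come down to the same practical problem for a defender: knowing which transitive log4j-core version a build actually pulls in, and which of the listed CVE identifiers that version is still exposed to. The script below is an added example, not code from either article or from the Log4j project. It parses the text printed by `mvn dependency:tree` (the sample tree embedded in it is constructed) and reports, for every log4j-core occurrence, the CVEs it has not been patched against. The fix versions (2.15.0, 2.16.0, 2.17.0 and 2.17.1 on the main line, with the 2.12.x and 2.3.x back-ports) are taken from the Apache Log4j security advisories; CVE-2021-42550 is not checked because it concerns Logback, a different logging library, rather than log4j-core.

```python
"""Flag log4j-core versions in a Maven dependency tree that are still exposed to
the Log4j 2 CVEs named in the article (added example, not project code)."""
import re
from typing import Dict, List, Tuple

# major, minor, patch, then 0 for a release or -1 for a pre-release qualifier
Version = Tuple[int, int, int, int]

# Minimum safe log4j-core version per CVE, keyed by maintained branch:
# (2, 3) is the Java 6 line, (2, 12) the Java 7 line, () the main line.
# Values are from the Apache Log4j security advisories.
FIXES: Dict[str, Dict[Tuple[int, ...], Version]] = {
    "CVE-2021-44228": {(2, 3): (2, 3, 1, 0), (2, 12): (2, 12, 2, 0), (): (2, 15, 0, 0)},
    "CVE-2021-45046": {(2, 3): (2, 3, 1, 0), (2, 12): (2, 12, 2, 0), (): (2, 16, 0, 0)},
    "CVE-2021-45105": {(2, 3): (2, 3, 1, 0), (2, 12): (2, 12, 3, 0), (): (2, 17, 0, 0)},
    "CVE-2021-44832": {(2, 3): (2, 3, 2, 0), (2, 12): (2, 12, 4, 0), (): (2, 17, 1, 0)},
}

LOG4J_CORE = ("org.apache.logging.log4j", "log4j-core")

# Maven coordinate as printed by `mvn dependency:tree`: group:artifact:type:version[:scope]
COORD_RE = re.compile(
    r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):([A-Za-z0-9_\-]+):([A-Za-z0-9_.\-]+)(?::([a-z]+))?"
)

# Constructed sample of dependency:tree output with three log4j-core occurrences.
SAMPLE_TREE = r"""
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.5.6:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.12.2:compile
[INFO] \- some.vendor:sdk:jar:3.1:runtime
[INFO]    \- org.apache.logging.log4j:log4j-core:jar:2.17.1:runtime
""".strip()


def parse_version(text: str) -> Version:
    """Turn '2.14.1' or '2.0-beta9' into a comparable 4-tuple."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch, qualifier = m.groups()
    # Anything trailing the numeric part ('-beta9', '-rc1') ranks below the release.
    tag = -1 if qualifier else 0
    return (int(major), int(minor or 0), int(patch or 0), tag)


def exposures(version: str) -> List[str]:
    """CVE ids that the given log4j-core version has not been patched against."""
    v = parse_version(version)
    # Back-port branches are compared against their own fix releases.
    branch = v[:2] if v[:2] in {(2, 3), (2, 12)} else ()
    return [cve for cve, fixed in FIXES.items() if v < fixed[branch]]


def scan_tree(tree_text: str) -> List[Dict[str, object]]:
    """Walk dependency-tree output and report every log4j-core occurrence."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(tree_text.splitlines(), 1):
        m = COORD_RE.search(line)
        if not m:
            continue
        group, artifact, _type, version, scope = m.groups()
        if (group, artifact) != LOG4J_CORE:
            continue
        findings.append({
            "line": lineno,
            "version": version,
            "scope": scope or "compile",
            "cves": exposures(version),
        })
    return findings


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        status = ", ".join(f["cves"]) if f["cves"] else "patched against all four"
        print(f"line {f['line']}: log4j-core {f['version']} ({f['scope']}): {status}")
```

Run it against real output with `mvn dependency:tree | python log4j_check.py` after swapping `SAMPLE_TREE` for `sys.stdin.read()`. It only sees coordinates Maven declares: a shaded or fat jar that bundles log4j-core, or the unrelated Log4j 1.x coordinates, will not show up here and need a jar-level scan instead.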
Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.
Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they’ve successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has emerged: employee burnout.
In 2022, security will be Linux and open-source developers job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Its real trouble isn’t so much with open-source itself. There’s nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus’s law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product,” points out, constant vigilance is needed to secure all software.
The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development: operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who’s going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.
Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
We’ve covered five main topics: 1. Malware, 2. Mobile, 3. Machine Learning and AI, 4. Ransomware (because we simply couldn’t not give it a section of its own), and 5. Where next? PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report out from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
Some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact Incident Diagnosis and Response capabilities.
While descriptive analytics provided by network surveillance and threat detection tools can answer the question “what happened,” incident diagnosis analytics address the question of “why and how it happened.” To answer those questions, new software applications and platforms powered by AI can examine past data sets to find root causes of the incident by looking back at change and anomaly indicators in the network activities.
• AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence (CTI) reports. Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect cyber threats more rapidly.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.
Mobile phone security is being reinvented
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has been in place for more than a decade, with trusted processing performed in the TEE (Trusted Execution Environment) section of device memory. The current standard solution for smartphone security is typically created with Arm’s TrustZone technology. The phone’s own security comes from TEE. A secure boot usually includes a TEE. TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed 15 years ago).
The memory required by the TEE has not been available in the small controller chips used for embedded applications. Manufacturers have promoted Safe Boot and Memory Encryption or Flash Encryption, but they have been pretty weak solutions. Recently, Arm’s TrustZone M has introduced a new security model for controllers.
In recent years, this picture has begun to diversify. A revolution is underway now. Google has launched a keystone technology that allows an application to generate a system-maintained key and authenticate services (still uses TEE).
In the future, for example, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei’s HSSL laboratory (Helsinki System Security Lab). Five years ago, Intel introduced SGX technology for PC servers, which simply means security extension commands added to the CPU chip. In this solution, TEE type protections are provided by a secure enclave. The use of this type of security enclave needs less code than traditional TEE structure. An enclave is a temporary structure in the memory of a device. It is created only for security processes and exits when it has completed its task. The difference is significant in the TEE structure, where another kernel runs all the time alongside the operating system. When there is no other parallel kernel, there is one component less to attack.
In Intel’s SGX, enclaves were implemented through caching, which limited their use. Intel has sought to overcome this limitation with newer TDX (Trust Domain Extensions) technology. AMD aims to do the same with its own SEV (Secure Encrypted Virtualization) technology.
Enclave-style solutions will also come to smartphones. The Armv9-A architecture, introduced last year, offers a realm mode that is very close to the technologies offered on the server side (Intel SGX). With the coming enclaves, an infinite number of secured environments will be available in principle.
In the mobile ecosystem, TEE is so deeply rooted that the transition will probably take five years. During the transition period TEE and more dynamic solutions will be on the market in parallel.
Cyber attacks already threaten goods deliveries too
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime from technically savvy individuals and criminal organizations to all. The new “Everything as a Service” service model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf
Jarno Limnéll warns of a “cyber pandemic”: an internet disruption could throw the world into disarray again
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are scams. And scammers always seem to be one step ahead. Sometimes they are only revealed years later. “The world is moving in the direction that technology is evolving faster and faster, and rather increasing the possibility of various disruptions and creating new types of vulnerabilities. There is no seamless security,” Limnéll says. So even with technology, the world will not be completed. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler’s rise to power, the shots in Sarajevo. “In light of history, we’re always surprised. And if you think about it, technology only adds to the complexity and surprise of crises.”
Cyber attacks are accelerating, but companies can respond to them
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time, in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack surface of companies and organizations has grown exponentially. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. Those are:
• Enhanced server security and application management policies to combat blackmail
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Advanced Detection and Response (XDR) model to detect attacks on large networks
Trend Micro report: in the future, everything is at risk
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.
3,062 Comments
Tomi Engdahl says:
SS7 Vulnerability 4G_LTE IMSI Catcher Attack Updates OsmocomBB
https://m.youtube.com/watch?v=Tq5TNr0k3zs&feature=youtu.be
Tomi Engdahl says:
Viewpoint: First there was only Trump; now Republicans are eroding democracy everywhere
Tuomo Hyttinen
https://www.iltalehti.fi/ulkomaat/a/1150858e-aa6b-48d4-8411-bbe574c1cd71
Six years ago, no one but President Donald Trump believed in election fraud. Now there are civic organizations in the United States sowing distrust in elections, writes Iltalehti news editor Tuomo Hyttinen, who follows US politics.
Tomi Engdahl says:
https://www.securityweek.com/apple-paid-out-20-million-bug-bounty-program
Tomi Engdahl says:
Apple announced a private bug bounty program for iOS in 2016 and a public program covering all of its major software and operating systems in 2019.
In comparison, Microsoft has been paying out more than $13 million every year for the past three years, totaling more than $40 million between July 2019 and July 2022. Google said in July 2021 that it had paid out more than $29 million in the past 10 years and this year it reported awarding a record $8.7 million in 2021 alone.
Facebook has not shared any data recently, but in 2020 it reported paying out a total of $11.7 million since 2011. Zoom awarded approximately $1.8 million through its bug bounty program in 2021.
https://www.securityweek.com/apple-paid-out-20-million-bug-bounty-program
Tomi Engdahl says:
https://www.securityweek.com/white-house-adds-chemical-sector-ics-cybersecurity-initiative
Tomi Engdahl says:
Exposing A Compilation Of Stolen Credit Cards Selling Domains – An Analysis https://ddanchev.blogspot.com/2022/10/exposing-compilation-of-stolen-credit.html
I’ve decided to share with everyone a currently active portfolio of E-Shops selling access to stolen credit cards including the necessary technical information to assist everyone in their cyber attack and cyber
Tomi Engdahl says:
Every website demands a complex password: a hacker explains whether the programs invented to help your memory can be trusted https://www.is.fi/digitoday/art-2000009167598.html
INFORMATION SECURITY AUTHORITIES recommend that Finns use password management programs. According to information security expert Benjamin Särkkä, interviewed by STT, using the services also has its downsides.
Tomi Engdahl says:
Jarno Limnéll, head of Innofactor’s cybersecurity unit, is running for parliament and will continue as a Senior Advisor at Innofactor https://www.epressi.com/tiedotteet/teknologia/innofactorin-kyberturvallisuusyksikon-johtaja-jarno-limnell-lahtee-ehdolle-eduskuntaan-ja-toimii-jatkossa-senior-advisorina-innofactorissa.html
Jarno Limnéll, head of Innofactor’s cybersecurity unit in Finland, has been selected as a parliamentary election candidate for the National Coalition Party (Kokoomus) in the Uusimaa electoral district.
The parliamentary elections will be held on Sunday, 2 April 2023.
Tomi Engdahl says:
A frightening finding about Finnish online stores: “A significant change will only be achieved after fines”
https://www.is.fi/digitoday/art-2000009151016.html
THE DATA PROTECTION of Finnish companies engaged in e-commerce has room for improvement. According to a comparison by identification service provider Identisure, only every other company in Finland protected its customers’ data appropriately. Identisure examined how a customer’s identity is verified when contact is made by email, customer chat or phone. Often the means to reliably verify a customer’s identity online were missing entirely.
Tomi Engdahl says:
So long and thanks for all the bits
https://www.ncsc.gov.uk/blog-post/so-long-thanks-for-all-the-bits
Ian Levy, the NCSC’s departing Technical Director, discusses life, the universe, and everything.
Tomi Engdahl says:
New open-source tool scans public AWS S3 buckets for secrets
https://www.bleepingcomputer.com/news/security/new-open-source-tool-scans-public-aws-s3-buckets-for-secrets/
A new open-source ‘S3crets Scanner’ scanner allows researchers and red-teamers to search for ‘secrets’ mistakenly stored in publicly exposed or company’s Amazon AWS S3 storage buckets.
Amazon S3 (Simple Storage Service) is a cloud storage service commonly used by companies to store software, services, and data in containers known as buckets.
Unfortunately, companies sometimes fail to properly secure their S3 buckets and thus publicly expose stored data to the Internet.
https://github.com/Eilonh/s3crets_scanner
Tomi Engdahl says:
Gordon Corera / BBC:
Inside the US Cyber National Mission Force, which has been deployed to 20 countries since 2018 to battle state-backed Russian, Chinese, and North Korean hackers
Inside a US military cyber team’s defence of Ukraine
https://www.bbc.com/news/uk-63328398
Russia failed to take down Ukrainian computer systems with a massive cyber-attack when it invaded this year, despite many analysts’ predictions. The work of a little-known arm of the US military which hunts for adversaries online may be one reason. The BBC was given exclusive access to the cyber-operators involved in these global missions.
In early December last year, a small US military team led by a young major arrived in Ukraine on a reconnaissance trip ahead of a larger deployment. But the major quickly reported that she needed to stay.
“Within a week we had the whole team there ready to go hunting,” one of the team recalls.
They had come to detect Russians online and their Ukrainian partners made it clear they needed to start work straight away.
“She looked at the situation and told me the team wouldn’t leave,” Maj Gen William J Hartman, who heads the US Cyber National Mission Force, told the BBC.
“We almost immediately got the feedback that ‘it’s different in Ukraine right now’. We didn’t redeploy the team, we reinforced the team.”
Since 2014, Ukraine has witnessed some of the world’s most significant cyber-attacks, including the first in which a power station was switched off remotely in the dead of winter.
By late last year, Western intelligence officials were watching Russian military preparations and growing increasingly concerned that a new blizzard of cyber-attacks would accompany an invasion, crippling communications, power, banking and government services, to pave the way for the seizure of power.
The US military Cyber Command wanted to discover whether Russian hackers had already infiltrated Ukrainian systems, hiding deep inside. Within two weeks, their mission became one of its largest deployments with around 40 personnel from across US armed services.
The infiltration of computer networks had for many years been primarily about espionage – stealing secrets – but recently has been increasingly militarised and linked to more destructive activities like sabotage or preparation for war.
This means a new role for the US military, whose teams are engaged in “Hunt Forward” missions, scouring the computer networks of partner countries for signs of penetration.
“They are hunters and they know the behaviour of their ‘prey’,” explains the operator who leads defensive work against Russia.
Since 2018, US military operators have been deployed to 20 countries, usually close allies, in Europe, the Middle East and the Indo-Pacific region, although not countries like the UK, Germany or France, which have their own expertise and are less likely to need or want outside help.
Most of their work has been battling state-hackers from China and North Korea but Russia has been their most persistent adversary. Some countries have seen multiple deployments, including Ukraine, where for the first time cyber attacks were combined with a full-scale war.
Inviting the US military into your country can be sensitive and even controversial domestically, so many partners ask that the US presence remains secret – the teams rarely wear uniform. But increasingly, governments are choosing to make missions public.
Even countries allied to the US can be nervous about allowing the US to root around inside sensitive government networks. In fact, revelations from former intelligence contractor Edward Snowden 10 years ago suggested that the US spied on friends as well as enemies.
That suspicion means the young men and women arriving on a mission are often faced with a stern test of their diplomatic skills. They show up at an airport hauling dozens of boxes of mysterious technical equipment and need to quickly build trust to get permission to do something sensitive – install that equipment on the host country’s government computer networks to scan for threats.
“That is a pretty scary proposition if you’re a host nation,” explains Gen Hartman. “You immediately have some concern that we’re going to go do something nefarious or it’s some super-secret kind of backdoor operation.”
Put simply, the Americans need to convince their hosts they are there to help them – and not to spy on them.
“I’m not interested in your emails,” is how Mark, who led two teams in the Indo-Pacific region, describes his opening gambit. If a demonstration goes well they can get down to work.
Local partners sometimes sit with US teams around in conference rooms observing closely to make sure nothing untoward is going on. “We have to make sure we convey that trust,” says Eric, a 20-year veteran of cyber operations. “Having people sit side-saddle with us is a big factor in developing that.”
And although suspicion can never be totally dispelled, a common adversary binds them together.
“The one thing that these partners want is the Russians out of their networks,” Gen Hartman recalls one of his team telling him.
US Cyber Command offers an insight into what the Russians, or others, are up to, particularly since it works closely with the National Security Agency, America’s largest intelligence agency which monitors communications and cyberspace.
In one case, proof of infiltration came in real-time.
“Is that you?” Chris asked.
“That is my computer, but I swear that’s not me,” the administrator responded, transfixed as if watching a movie. Someone had stolen his online identity.
The US teams say they share what they find to allow the local partner to eject Russians (or other state hackers) rather than do it themselves. They also use commercial tools so that local partners can continue after the mission is over.
A good relationship can pay dividends.
Each mission is different
A cat-and-mouse game is often played with hackers from Russian intelligence agencies who are particularly adept at changing tactics.
In 2021, it emerged the Russians had used software from a company called SolarWinds to infiltrate the networks of the customers who bought it, including governments.
US operators began looking for traces of their presence.
Hunting is not an altruistic act by the US military. As well as providing hands-on experience for its teams, it can also help at home. In one mission, a young enlisted cyber operator found the same malware they had discovered in a European country was also present on a US government agency. The US has often struggled to identify and root out vulnerabilities domestically, whether in industry or government, because of overlapping responsibilities between different agencies even as it sends out its operators abroad.
This January, the team in Ukraine were trying to avoid slipping on icy pavements when a series of major cyber-attacks hit. “Be afraid and expect the worst,” read a message posted by hackers on the Foreign Ministry website.
The US team watched in real-time as a wave of so-called wiper software, which renders computers unusable, hit multiple government websites.
“They were able to assist in analysing some of the ongoing attacks, and facilitate that information being shared back to partners in the United States,” Gen Hartman says.
The aim was to destabilise the country ahead of the February invasion.
By the time Russian troops flooded over the border, the US team had been pulled out. Knowledge of the physical risk for their Ukrainian partners who remained weighed heavily on them.
Hours before the invasion began on 24 February, a cyber-attack crippled a US satellite communications provider that supported the Ukrainian military. Many predicted this would be the start of a wave of attacks to take down key areas like railways. But that did not happen.
“One of the reasons the Russians may not have been so successful is that the Ukrainians were better prepared,” says Gen Hartman.
“There’s a lot of pride in the way they were able to defend. A lot of the world thought they would just be run over. And they weren’t,” says Al, a senior technical analyst who was part of the Ukrainian deployment team. “They resisted.”
Ukraine has been subject to continued cyber-attacks which, if successful, could have affected infrastructure. But the country has continued to defend itself better than many expected. Ukrainian officials have said that this has been in part thanks to help from allies, including US Cyber Command and the private sector as well as their own growing experience. Now, the US and other allies are turning to the Ukrainians to learn from them.
“We continue to share information with the Ukrainians, they continue to share information with us,” explains Gen Hartman. “That’s really the whole idea of that enduring partnership.”
Tomi Engdahl says:
DHS Develops Baseline Cybersecurity Goals for Critical Infrastructure
https://www.securityweek.com/dhs-develops-baseline-cybersecurity-goals-critical-infrastructure
The DHS on Thursday announced Cybersecurity Performance Goals (CPGs) to help organizations — particularly in critical infrastructure sectors — prioritize cybersecurity investments and address critical risks.
The CPGs were developed by the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) in collaboration with NIST based on feedback from partners in public and private sectors.
They are a result of the White House’s efforts to improve the US’s cybersecurity, and the DHS says the goals are unique in that they address risk not only to individual entities, but also the aggregate risk to the nation.
Tomi Engdahl says:
Leveraging Managed Services to Optimize Your Threat Intelligence Program During an Economic Downturn
https://www.securityweek.com/leveraging-managed-services-optimize-your-threat-intelligence-program-during-economic-downturn
With financial pressure falling on business leaders, cutting costs can be necessary for survival. Being understaffed and ignoring critical business operations is not an option, particularly with security and intelligence. With security and intelligence investments tied up in expensive technology and resources, leaders know they must evaluate alternatives to advance operations and mitigate risk. However, the “firehose of noise” delivered by intelligence products obscures intelligence’s value and overwhelms security teams with meaningless alerts. It’s time for security leaders to consider managed services for their threat intelligence needs.
Managed services have a history of well-executed delivery while providing cost savings and flexibility. Unsurprisingly, managed services adoption grew roughly 60% faster from 2008-2010 than in years prior. During these periods of economic challenges, particularly for regulated industries, managed services enabled security teams to harden their defenses despite financial constraints. Managed service providers (MSPs) filled a critical need by providing technology, IT expertise, and resources as a service. Not only did businesses upgrade expertise, technology and tools, but they reduced upfront costs and capital expenditures (CAPEX) in exchange for committing to a sustainable contract with their MSP.
However, geopolitical conflict and economic turbulence are interconnected, particularly in physical and cyber intelligence domains. Consider an array of cyber, physical and executive intelligence focuses a company must address on a given week:
Digital Threats to the Company: Vulnerabilities discovered every week
Social Media and Tech Forums: Negative commentary discussing ways to bypass controls
Hacking Forums and Dark Web Marketplaces: Leaked credentials and account takeovers happen every day
Threats to Executives: Hate language against C-Suite
Insider Threats and Complaints: Users claiming inside access for sale
Subsidiaries: Above threats toward subsidiaries owned by the company
Threats to Employees: Threats to employees via social media and closed forums
Foreign Influence Campaigns: Company assets in foreign countries are exposed to China’s control, and intellectual property theft exposes company assets in foreign countries
Threats to Wider Industry: Relevant attacks against competitors
For security teams to have coverage of many of these threats across intelligence domains, threat intelligence as a managed service should be considered. After all, threat intelligence is a critical element of any serious security strategy, but few security teams have the expertise or resources to tackle all the threats they face.
Managed intelligence providers fill a crucial gap by combining people, process and technology to deliver threat intelligence as a service, allowing organizations to offload resource-intensive tasks to an experienced provider, including:
Generation of intelligence specific to your organization
Delivery of analyst-led intelligence with access to analysts
Utilization of multi-source collection and analysis capabilities
Access to multilingual data sources and analysis
Discovery and understanding of the adversarial mindset (motivations and intended outcomes)
Attribution and unmasking of adversaries
Providing intelligence advice and threat actor engagement guidance
Understanding all disruption outcomes enterprises can leverage across all stakeholders (legal, HR, engineering, etc)
Unfortunately, cyber threat “intelligence” (CTI) vendors have hijacked the meaning of threat intelligence, creating confusion about its real value. While the CTI market exceeds $10 billion, it generally consists of data feeds using the broadest data lakes and AI and ML to detect known threats. While it makes sense to buy a feed to address one specific pain point, often customers want more return on their investment specific to a wider array of risks.
Tomi Engdahl says:
This is how Elon Musk became a chaos agent of world politics
Elon Musk has become entangled in world politics in an unprecedented way, on the back of his massive fortune and enormous influence.
https://www.iltalehti.fi/ulkomaat/a/b8a9bff7-3a67-4ea6-a7d2-e2f0e4cc3142
Tomi Engdahl says:
Viewpoint: At first there was only Trump – now Republicans are gnawing at democracy everywhere
Tuomo Hyttinen
Six years ago, no one but President Donald Trump believed in election fraud. Now there are civic organizations in the United States sowing distrust in elections, writes Iltalehti news editor Tuomo Hyttinen, who follows US politics.
https://www.iltalehti.fi/ulkomaat/a/1150858e-aa6b-48d4-8411-bbe574c1cd71
Tomi Engdahl says:
A psychotherapist explains: This is how mass panic arises
In a crowd, panic spreads quickly, because humans are social animals who catch the strong emotions of their fellow humans.
https://www.iltalehti.fi/ulkomaat/a/b5359b78-dec6-452c-b6cf-87e041e3b56b
Humans are social animals who imitate the herd when protecting themselves from danger. Thanks to our mirror neurons, strong emotions spread to a person quickly, and on recognizing mortal danger a person automatically starts to defend themselves, for example by running away along with the others, says crisis and trauma psychotherapist Päivi Tervamaa when asked how panic arises in a crowd.
In Seoul, South Korea, at least 151 people died and dozens were injured in a panic that broke out in a crowd on Saturday. A large number of people had gathered to celebrate Halloween in the Itaewon district, known for its nightlife.
The exact course of events is not known. The accident happened on a downhill stretch of street that was about four metres wide. Around 100,000 people had gathered in the Itaewon area and the streets were full.
Relying on instinct
When the human brain detects mortal danger, the survival instinct takes over.
– In such a situation everyone does everything they can to survive. Reason has nothing to do with it; people run on survival instinct, Tervamaa says.
That means that if, for example, someone falls in the crowd, a person may not be able to help. Stopping to help could mean one's own death.
– The individual does not choose not to help; it comes from the spinal cord. We make decisions that help us get out of the situation. If you stay to help, you get trampled yourself and don't survive.
Constant assessment
When the situation is not yet life-threatening, a person is able to assess it by logic. Each of us does that constantly in everyday life, for example when moving through an ordinary rush-hour crowd.
– We anticipate all the time as much as possible, for example when moving in a crowd we try to find our own way, Tervamaa says.
Threatening situations, however, often come as a surprise. It is hard for a person to anticipate at what point, say, a large crowd becomes one in which being in the middle starts to be dangerous.
– It is only grasped once you are already in that situation.
Panic is contagious
In a crowd, a threatening situation does not yet arise when one person panics. But if several people in the same situation become alarmed, the people around them start looking for reasons for the panic.
If panic or distress shows on the faces of several people, it spreads to the onlooker. The result is behaviour that imitates others, even without knowing what the others reacted to.
– The more people react with panic, the more it spreads.
Tomi Engdahl says:
US Agencies Issue Guidance on Responding to DDoS Attacks
https://www.securityweek.com/us-agencies-issue-guidance-responding-ddos-attacks
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released joint guidance for responding to distributed denial-of-service (DDoS) attacks.
A type of cyberattack targeting applications or websites, denial-of-service (DoS) attacks aim to exhaust the target system’s resources to render it inaccessible to legitimate users.
DDoS attacks may target server vulnerabilities to overload network resources or to consume these resources through the reflection of a high volume of network traffic to the target, or may attempt to overload connection (protocol) or application (compute or storage) resources of the target.
When the overloading traffic originates from more than one source operating in concert, the attack is considered DDoS. Botnets, which are networks of compromised devices – including computers, IoT devices, and servers – are the most common source of DDoS attacks.
DDoS attacks that produce high volumes of traffic are difficult to respond to and recover from, CISA, the FBI, and MS-ISAC note in their advisory. Such attacks may lead to degradation of service, loss of productivity, extensive remediation costs, and reputational damage.
“Organizations should include steps to address these potential effects in their incident response and continuity of operations playbooks,” the three agencies say.
DDoS attacks, the advisory notes, typically do not impact the confidentiality and integrity of systems and data, but such attacks may be used to divert attention from other types of assaults, including malware deployment and data exfiltration.
Understanding and Responding to Distributed Denial-of-Service Attacks
https://www.cisa.gov/sites/default/files/publications/understanding-and-responding-to-ddos-attacks_508c.pdf
Tomi Engdahl says:
Deepfakes – Significant or Hyped Threat?
https://www.securityweek.com/deepfakes-significant-or-hyped-threat
There have been many warnings of the rising cybersecurity threat from deepfakes, but little hard evidence that the threat is current. SecurityWeek spoke to Nasir Memon, an IEEE Fellow and NYU professor to understand the current state and future significance of deepfakes.
‘Deepfake’ refers to the synthetic generation of a human being in an environment that is able to interact in a live manner with a real human, probably over a video communication channel. With this definition, true deepfakes do not yet exist.
The current state of deepfakes
Memon believes the quality of deepfakes is growing but is not good enough to be a significant threat today. “But we’re getting there,” he said. “We could be talking on Zoom, but the technology is making me look far more presentable than I am – so you don’t see that I haven’t shaved for a couple of days and am wearing a ragged tee-shirt.”
The next level, he suggested, is where he is sitting in Hawaii while one of his graduate students, looking and sounding exactly like himself, is actually conducting the interview. “We’re getting there, as well,” he said.
The reason that deepfakes are not yet being used by the cybercriminals is threefold: the technology is still in development, the bad guys haven’t yet figured a way to monetize the process, and criminals are lazy. “They just go and steal money from the bank that can be most easily broken into – but don’t underestimate their ingenuity for the future,” he added.
Driving forces behind development
The two driving forces behind any technological advance are nation state intelligence and defense agencies, and the businesses who do see a way to monetize technology. When the technology is adequate and works, crime follows.
“It’s hard to lock technology in a bottle,” said Memon. “The genie gets out. Technology spreads easily. Digital technology, especially when it’s in the form of code and data, spreads very, very rapidly.”
We don’t know what use the intelligence agencies have in mind, but private businesses and agencies are already coming together. Memon mentioned a presentation by Nvidia to DARPA, where Nvidia would use a tool to clean up images to provide better appearance in realtime videoconference calls.
The entertainment industry is another business driving the development of deepfake technology, although for now this is not primarily realtime, live deepfakes. “But, instead of editing I can just clean things up. I can do so many things that will make content creation so much easier if I don’t have to retake and retake and retake. I just clean up what I’ve got.”
So, with legitimate business driving the technology at the core of deepfakes, and with the inevitable leakage of that data, Memon is confident that criminals will get and use deepfake technology in the future.
Adversarial use
The most common, shall we say non-legitimate, use of deepfakes is for parody and misinformation. In some jurisdictions this may be illegal and possibly criminal, but is not what we consider cybercriminal behavior. Nor does it display the final evolution of deepfake technology – it tends to be pre-recorded and not realtime.
A relatively short step from this is the use of celebrity deepfakes for scamming purposes. The deepfake could be a pre-recording of the celebrity image using social engineering to fool the victim into sending money to a fake charity bank account controlled by the scammer. The same process could be used in attempted business scams similar to BEC attacks. But in neither case is the full, eventual capability of realtime interaction involved.
Detection, defense and the future
If high quality realtime deepfakes are close, the question then becomes one of defense – how can business detect and defend against such deepfakes? Memon believes there are some helpful tactics. One is to break the deepfake itself, using a captcha-like challenge/response mechanism.
“Captchas are based on the premise that certain tasks that humans can do very easily, are difficult if not impossible for an algorithm to do – at least without a huge amount of computation and sophistication. It’s hard because human vision is a miracle that cannot yet be matched by technology. Although AI is getting us closer to that, the way things stand, if I just do this…”
He waved his hand across his face.
“… all current deepfakes just totally break. So, there’s certain, what we call challenge response mechanisms, that we could develop. If you asked me to stand up and sit down again, deepfake will die.” But going back to the bank’s Tom Cruise hypothesis, it would be difficult for the bank clerk to ask ‘Tom Cruise’ to jump up and down to prove himself.
There are other mechanisms that could be used. “Adobe,” said Memon, “is developing mechanisms for embedding digital signatures into content that says it hasn’t been changed. Videoconferencing companies can develop proofs of source that might not tell you whether the image is genuine, but at least confirms it is coming from the location you expect. Cameras could embed some kind of watermark or fingerprint at the time of filming, which says, ‘Hey, I’m putting some secret in here. And if your end doesn’t receive it, you know there’s a problem.”
But there is no silver bullet. “I think we need a very holistic approach to address the problem of interactive deepfakes,” he continued. This will require a combination of technology, regulation and user awareness. “It will evolve over time. We’re not simply going to sit down and let deepfakes destroy our world. We will develop these techniques over time.”
But here we should remember the ingenuity of the criminals. With the current state of semi-static deepfakes, it’s not worth their time when there are so many easier targets and techniques. This will change as realtime deepfakery becomes feasible. So, the big question is whether at that time, will we be able to get ahead and stay ahead of deepfake criminality?
“No,” said Memon. “If you want a blunt answer, we will see greater deepfake crimes. I don’t think the good guys can stay ahead with just what they are doing today.”
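The capture-time "secret" Memon describes, where the camera embeds something the receiving end checks for, can be sketched with a keyed integrity tag per frame. The block below is an added illustration, not code from SecurityWeek, Memon, Adobe, or any videoconferencing vendor: it uses an HMAC-SHA256 tag as a stand-in for a digital signature, assumes the camera and the receiver share a key out of band (a constructed key here), and binds the device id and frame index into the tag so a frame cannot be replayed under another identity or reordered. The frames are constructed sample bytes.

```python
"""Added example: a keyed integrity tag attached to captured video frames.

Illustrative stand-alone sketch, not any vendor's scheme. HMAC-SHA256 stands
in for a digital signature; CAMERA_KEY is assumed to be shared out of band.
All frame data is constructed."""
import hmac
import hashlib
from typing import List, Tuple

# Assumed shared key (constructed for the example; a real deployment would
# provision a distinct key per device and rotate it).
CAMERA_KEY = b"example-camera-key-do-not-reuse"


def tag_frame(key: bytes, device_id: str, frame_index: int, frame: bytes) -> bytes:
    """Compute the integrity tag the camera would embed alongside a frame.

    The device id and frame index are part of the authenticated message, so a
    valid tag from one camera or one position does not verify elsewhere."""
    msg = device_id.encode() + frame_index.to_bytes(8, "big") + frame
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_stream(key: bytes, device_id: str,
                  frames: List[Tuple[int, bytes, bytes]]) -> List[int]:
    """Return the indexes of frames whose tag does not match their content.

    An empty list means every frame verified against the expected source.
    compare_digest keeps the check constant-time."""
    bad = []
    for idx, frame, tag in frames:
        expected = tag_frame(key, device_id, idx, frame)
        if not hmac.compare_digest(expected, tag):
            bad.append(idx)
    return bad


def demo() -> List[int]:
    """Tag three constructed frames, swap the content of frame 1 in transit
    while keeping its original tag, and report which frames fail to verify."""
    device = "cam-42"
    raw = [b"frame-0-pixels", b"frame-1-pixels", b"frame-2-pixels"]
    stream = [(i, f, tag_frame(CAMERA_KEY, device, i, f)) for i, f in enumerate(raw)]
    i, _, t = stream[1]
    stream[1] = (i, b"synthetic-face-pixels", t)  # tampered frame, stale tag
    return verify_stream(CAMERA_KEY, device, stream)


if __name__ == "__main__":
    print("frames failing verification:", demo())
```

A shared-key MAC only proves that something holding the key produced the frame; a real "proof of source" in the sense Memon describes would use a per-device private key and a public-key signature so the receiver does not need the secret, and would also have to cover timing (a tagged but stale frame replayed later is still a replay). The index binding above is the minimal version of that.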
Tomi Engdahl says:
How to Prepare for New SEC Cybersecurity Disclosure Requirements
https://www.securityweek.com/how-prepare-new-sec-cybersecurity-disclosure-requirements
Many organizations used to hit the mute button whenever discussions about cybersecurity came up, but this silence has been breaking more frequently as more businesses are victimized by hackers and experience effects that hit their bottom line in ways that require them to share the information with regulators. But changes are coming to the rules of the Securities and Exchange Commission that will bring new standards for how to communicate the security position at most businesses.
In early 2022, the SEC issued a proposal to amend its cybersecurity rules that set out new ways to report and disclose security incidents. The SEC claims it wants to better inform investors about organizations’ risk management strategy and cyber governance, but to some organizations, the proposal can feel like yet another regulatory workload.
SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies
https://www.sec.gov/news/press-release/2022-39
Tomi Engdahl says:
US Gov Issues Supply Chain Security Guidance for Software Suppliers
https://www.securityweek.com/us-gov-issues-supply-chain-security-guidance-software-suppliers
The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) this week released the second part of a three-part joint guidance on securing the software supply chain.
Created by the Enduring Security Framework (ESF), a cross-sector working group seeking to mitigate the risks threatening the critical infrastructure and national security, the guidance provides recommendations for developers, suppliers, and organizations.
In September, the three US agencies released the first part of the series, which included recommendations for developers looking to improve the software supply chain’s security.
The second part of the series, Securing the Software Supply Chain: Recommended Practices Guide for Suppliers (PDF), contains information on the best practices and standards that software suppliers should adopt to ensure software security from production through delivery.
https://media.defense.gov/2022/Oct/31/2003105368/-1/-1/0/SECURING_THE_SOFTWARE_SUPPLY_CHAIN_SUPPLIERS.PDF
Tomi Engdahl says:
Engineering Workstations Used as Initial Access Vector in Many ICS/OT Attacks: Survey
https://www.securityweek.com/engineering-workstations-used-initial-access-vector-many-icsot-attacks-survey
Organizations are more confident in their ability to detect an OT breach
While the risk to industrial control systems (ICS) and other operational technology (OT) environments continues to be high, organizations are increasingly confident in their ability to detect malicious activity, and only a small percentage of organizations admit suffering a breach, according to a survey conducted by the SANS Institute on behalf of industrial cybersecurity firm Nozomi Networks.
The 2022 OT/ICS Cybersecurity Report (PDF) is based on a survey of 332 individuals representing organizations of all sizes across every continent.
Less than 11% of respondents said they had experienced a cyber intrusion in the last year, down from 15% in 2021, and 24% were confident that their systems were not breached, up from 12% in 2021. Thirty-five percent did not know whether their organization’s systems had been compromised, which is still a significant improvement from the 48% in the previous year.
More than half of respondents said they were confident that they could detect an intrusion within 24 hours and over two-thirds believe they can move from detection to containment within 6-24 hours.
The State of ICS/OT Cybersecurity in 2022 and Beyond
https://www.nozominetworks.com/downloads/US/SANS-Survey-2022-OT-ICS-Cybersecurity-Nozomi-Networks.pdf
Tomi Engdahl says:
US Gov Issues Guidance for Developers to Secure Software Supply Chain
https://www.securityweek.com/us-gov-issues-guidance-developers-secure-software-supply-chain
Three U.S. government agencies — Cybersecurity and Information Security Agency (CISA), the National Security Agency (NSA) and the Office of the Director of National Intelligence (ODNI) — have announced the release of the first part of a three-part joint guidance on securing the software supply chain.
Tomi Engdahl says:
Tailoring Security Training to Specific Kinds of Threats
https://www.securityweek.com/tailoring-security-training-specific-kinds-threats
Faced with the daily barrage of reports on new security threats, it is important to keep in mind that while some are potentially disastrous, many are harmless or irrelevant to individual organizations.
CISOs often find themselves needing to prioritize the specific threats they need to defend against. In addition, they must take stock of their security strengths and weaknesses so they can focus their efforts on relevant threats.
A major challenge to staying focused is media-driven distraction. CISOs who understand their security posture can ignore the media noise knowing that threat X is not a risk — either because it has been patched or because such an attack is highly unlikely to target an organization of their size or type.
The benefits of tailoring security skills training to specific threats are transparent and ongoing. It enables an organization to address relevant risks with vigor and focus, to craft clearly defined training goals, and to ensure all team members acquire the right skills to identify and defend against the most dangerous threats.
Tomi Engdahl says:
World leaders make fresh vows to fight global ransomware threat https://therecord.media/world-leaders-make-fresh-vows-to-fight-global-ransomware-threat/
A coalition of government cybersecurity leaders from nearly 40 countries on Tuesday reaffirmed to work together to stamp out ransomware attacks, launching several new efforts meant to better combat the rising global threat. In addition to leaders from 37 countries, a group of 13 private companies such as tech giant Microsoft and cybersecurity firms Mandiant and CrowdStrike participated in the event.
Tomi Engdahl says:
CISA Urges Organizations to Implement Phishing-Resistant MFA
https://www.securityweek.com/cisa-urges-organizations-implement-phishing-resistant-mfa
The US Cybersecurity and Infrastructure Security Agency (CISA) has published guidance on how organizations can protect against phishing and other threats by implementing phishing-resistant multi-factor authentication (MFA) and number matching in MFA applications.
A security control meant to make it more difficult for attackers to access networks and systems using compromised login credentials, MFA requires users to present a combination of two or more different authenticators to verify their identity.
According to CISA, implementing MFA is an essential practice to reduce the threat of unauthorized access via compromised credentials, and all organizations should adopt it for their users and services, including email, financial, and file sharing accounts.
“CISA strongly urges all organizations to implement phishing-resistant MFA as part of applying Zero Trust principles. While any form of MFA is better than no MFA and will reduce an organization’s attack surface, phishing-resistant MFA is the gold standard and organizations should make migrating to it a high priority effort,” CISA notes in its Implementing Phishing-Resistant MFA (PDF) guide.
https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
Tomi Engdahl says:
US Electric Cooperatives Awarded $15 Million to Expand ICS Security Capabilities
https://www.securityweek.com/us-electric-cooperatives-awarded-15-million-expand-ics-security-capabilities
The US Department of Energy has awarded $15 million to the National Rural Electric Cooperative Association (NRECA) in an effort to help electric cooperatives expand their cybersecurity capabilities for industrial control systems (ICS).
Specifically, electric cooperatives can use the money to identify and deploy cyber monitoring technologies for ICS. The money will be awarded over a period of three years, with $10 million disbursed in 2022 and the remaining amount over the next years.
NRECA represents nearly 900 local electric cooperatives in the United States, serving a combined 42 million Americans.
“As threats and threat actors evolve, electric cooperatives consistently work to improve their cyber defenses. Funding like this helps co-ops stay ahead of the curve,” said NRECA CEO Jim Matheson. “Our longstanding partnership with DOE makes the electric grid more resilient, reliable and secure.”
Tomi Engdahl says:
https://www.securityweek.com/microsoft-patches-azure-cosmos-db-flaw-leading-remote-code-execution
Tomi Engdahl says:
https://www.securityweek.com/fortinet-patches-6-high-severity-vulnerabilities
Tomi Engdahl says:
Why Egypt became one of the biggest chokepoints for Internet cables https://arstechnica.com/information-technology/2022/11/the-most-vulnerable-place-on-the-internet/
Look at Egypt on a map of the world’s subsea Internet cables and it immediately becomes clear why Internet experts have been concerned about the area for years. The 16 cables in the area are concentrated through the Red Sea and touch land in Egypt, where they make a 100-mile journey across the country to reach the Mediterranean Sea.
(Cable maps don’t show the exact locations of cables.)
Tomi Engdahl says:
Recognize a safe website by its address!
https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/tunnista-turvallinen-verkkosivu-osoitteen-perusteella
When using websites and email, the most important thing is to keep your common sense and keep a cool head. Do not make hasty decisions, even if you are promised fabulous winnings or threatened with the “freezing of your bank account” or with prosecution for illegal acts (which you have not even committed).
Tomi Engdahl says:
Police Must Prepare For New Crimes In The Metaverse, Says Europol https://www.forbes.com/sites/emmawoollacott/2022/11/03/police-must-prepare-for-new-crimes-in-the-metaverse-says-europol/
A new report from the Europol Innovation Lab, Policing in the Metaverse, encourages law enforcement agencies to start considering the ways in which existing types of crime could spread to virtual worlds, while entirely new crimes could start to appear. “I believe it is important for police to anticipate changes to the reality in which they have to provide safety and security,” says Europol executive director Catherine De Bolle. Report (PDF):
https://www.europol.europa.eu/cms/sites/default/files/documents/Policing%20in%20the%20metaverse%20-%20what%20law%20enforcement%20needs%20to%20know.pdf
Tomi Engdahl says:
The future starts now: 10 major challenges facing cybersecurity https://www.welivesecurity.com/2022/11/03/future-starts-10-major-challenges-facing-cybersecurity/
To mark Antimalware Day, we’ve rounded up some of the most pressing issues for cybersecurity now and in the future
Tomi Engdahl says:
Cobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild https://unit42.paloaltonetworks.com/cobalt-strike-team-server/
As Cobalt Strike remains a premier post-exploitation tool for malicious actors trying to evade threat detection, new techniques are needed to identify its Team Servers. To this end, we present new techniques that leverage active probing and network fingerprint technology. This is a fundamental change from previous passive traffic detection approaches.
Tomi Engdahl says:
Stopping C2 communications in human-operated ransomware through network protection https://www.microsoft.com/en-us/security/blog/2022/11/03/stopping-c2-communications-in-human-operated-ransomware-through-network-protection/
Command-and-control (C2) servers are an essential part of ransomware, commodity, and nation-state attacks. They are used to control infected devices and perform malicious activities like downloading and launching payloads, controlling botnets, or commanding post-exploitation penetration frameworks to breach an organization as part of a ransomware attack. Blocking these communications can mitigate attacks, sometimes before they’re even started.
Tomi Engdahl says:
Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
Our research indicates that the individuals behind Black Basta ransomware develop and maintain their own toolkit and either exclude affiliates or only collaborate with a limited and trusted set of affiliates, in similar ways to other ‘private’ ransomware groups such as Conti, TA505, and Evilcorp. SentinelLabs’ full report provides a detailed analysis of Black Basta’s operational TTPs, including the use of multiple custom tools likely developed by one or more FIN7 (aka Carbanak) developers. In this post, we summarize the report’s key findings.
Tomi Engdahl says:
Ukraine war, geopolitics fuelling cybersecurity attacks -EU agency https://www.reuters.com/world/europe/ukraine-war-geopolitics-fuelling-cybersecurity-attacks-eu-agency-2022-11-03/
Geopolitics such as Russia’s invasion of Ukraine has led to more damaging and widespread cybersecurity attacks in the year to July, EU cybersecurity agency ENISA said in its annual report on Thursday.
also:
https://www.enisa.europa.eu/publications/enisa-threat-landscape-2022
Tomi Engdahl says:
Could a ‘digital Red Cross emblem’ protect hospitals from cyber warfare?
https://therecord.media/could-a-digital-red-cross-emblem-protect-hospitals-from-cyber-warfare/
The International Committee of the Red Cross (ICRC) is proposing applying a “digital Red Cross” marker to certain websites and systems used for medical and humanitarian purposes to protect them from attack, similar to the physical emblems worn by ICRC volunteers and facilities during armed conflicts. also:
https://www.icrc.org/sites/default/files/topic/file_plus_list/icrc_digitalizing_the_rcrc_emblem_1.pdf
Tomi Engdahl says:
Ransomware cost US banks $1.2 billion last year
Up 188% on 2020 but could be because financial institutions were encouraged to report incidents
https://www.theregister.com/2022/11/02/ransomware_cost_us_banks/
Tomi Engdahl says:
A good hacker finds your gaps first: “This is nothing to be afraid of”
[FOR SUBSCRIBERS]
https://www.tivi.fi/uutiset/tv/72213710-22dd-319c-9c23-ab9f5a7b9698
Bug bounties, i.e. vulnerability reward programs, harness well-intentioned hackers to test organizations’ information systems.
Using hackers may even reduce the cost of security testing.
Tomi Engdahl says:
Microsoft Digital Defense Report 2022
https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report-2022
Illuminating the threat landscape and empowering a digital defense.
Tomi Engdahl says:
FBI: Hacktivist DDoS attacks had minor impact on critical orgs https://www.bleepingcomputer.com/news/security/fbi-hacktivist-ddos-attacks-had-minor-impact-on-critical-orgs/
The Federal Bureau of Investigation (FBI) said on Friday that distributed denial-of-service (DDoS) attacks coordinated by hacktivist groups have a minor impact on the services they target. “Coinciding with the Russian invasion of Ukraine, the FBI is aware of Pro-Russian hacktivist groups employing DDoS attacks to target critical infrastructure companies with limited success,” the agency said.
“These attacks are generally opportunistic in nature and, with DDoS mitigation steps, have minimal operational impact on victims; however, hacktivists will often publicize and exaggerate the severity of the attacks on social media.” “As a result, the psychological impact of DDoS attacks is often greater than the disruption of service.”
Tomi Engdahl says:
Few realize that the recipient of your messages can be a security threat – should sensitive matters be discussed face to face?
https://yle.fi/uutiset/74-20002895
Should we fear our own loved ones in addition to criminal hackers?
On the other hand, according to an expert, personal communication loses its meaning without trust.
Tomi Engdahl says:
LinkedIn Adds Verified Emails, Profile Creation Dates https://krebsonsecurity.com/2022/11/linkedin-adds-verified-emails-profile-creation-dates/
Responding to a recent surge in AI-generated bot accounts, LinkedIn is rolling out new features that it hopes will help users make more informed decisions about with whom they choose to connect. Many LinkedIn profiles now display a creation date, and the company is expanding its domain validation offering, which allows users to publicly confirm that they can reply to emails at the domain of their stated current employer.
Tomi Engdahl says:
Windows Malware with VHD Extension
https://isc.sans.edu/diary/rss/29222
Tomi Engdahl says:
This is how Facebook and Instagram collect data on people who do not use them – we show you how to check and delete your data https://www.is.fi/digitoday/tietoturva/art-2000009178384.html
Social media giant Meta admits that its Facebook and Instagram services collect names, phone numbers and email addresses from people who do not use its services.
The numbers end up with Meta when other people hand over the contacts on their phones to Facebook or Instagram.
Tomi Engdahl says:
Multi-factor auth fatigue is real – and it’s why you may be in the headlines next https://www.theregister.com/2022/11/03/mfa_fatigue_enterprise_threat/
According to Microsoft, between December 2021 and August, the number of multi-factor MFA attacks spiked. There were 22,859 Azure Active Directory Protection sessions with multiple failed MFA attempts last December. In August, there were 40,942. MFA fatigue relies on social engineering, as well as any shortcomings in the system design, to access the corporate network. “It’s a huge threat because it bypasses the security measures put in place by an organization, including one of the most effective, which is MFA,” Sami Elhini, biometrics specialist at Cerberus Sentinel, told The Register.
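The prompt-bombing pattern the article describes shows up in sign-in logs as a burst of denied MFA prompts for one user, sometimes followed by an approval. Below is an added detection example; it is not code from The Register, Microsoft or the quoted vendor. The log records are constructed, and the field layout (timestamp, user, MFA result) is an assumption that has to be mapped onto the sign-in log of whatever identity provider is in use.

```python
"""Detect MFA prompt-bombing ("MFA fatigue") bursts in sign-in logs.

Added example, not code from the article or its sources. The record
layout (timestamp, user, mfa_result) is a constructed assumption; map
it onto your identity provider's sign-in log when adapting it.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (ISO-8601 timestamp, user, MFA result).
# Not real data: alice is being prompt-bombed and finally taps approve,
# bob has one stray denial and a legitimate login 25 minutes later.
SAMPLE_LOG = [
    ("2022-08-01T08:00:05Z", "alice@example.com", "denied"),
    ("2022-08-01T08:00:40Z", "alice@example.com", "denied"),
    ("2022-08-01T08:01:10Z", "alice@example.com", "denied"),
    ("2022-08-01T08:01:45Z", "alice@example.com", "denied"),
    ("2022-08-01T08:02:20Z", "alice@example.com", "denied"),
    ("2022-08-01T08:03:02Z", "alice@example.com", "approved"),
    ("2022-08-01T08:05:00Z", "bob@example.com", "denied"),
    ("2022-08-01T08:30:00Z", "bob@example.com", "approved"),
    ("2022-08-01T09:00:00Z", "carol@example.com", "approved"),
]


def parse_ts(s):
    """Parse the constructed timestamp format used in SAMPLE_LOG."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_mfa_fatigue(records, window=timedelta(minutes=10), threshold=4):
    """Return a list of alerts found in `records`.

    - 'prompt_burst': a user accumulated >= threshold denied MFA prompts
      inside a sliding `window` (alerted once per burst).
    - 'approved_after_burst': an approval arrived while such a burst was
      still inside the window, the outcome a prompt-bombing attacker wants.
    Denials older than `window` are discarded, so an isolated denial
    followed by a normal login later does not alert.
    """
    denials = defaultdict(deque)  # user -> timestamps of recent denials
    burst_open = set()            # users whose burst was already alerted
    alerts = []
    for ts_str, user, result in sorted(records, key=lambda r: r[0]):
        ts = parse_ts(ts_str)
        q = denials[user]
        # Slide the window: drop denials that are too old to count.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) < threshold:
            burst_open.discard(user)  # burst has aged out; may re-alert
        if result == "denied":
            q.append(ts)
            if len(q) >= threshold and user not in burst_open:
                burst_open.add(user)
                alerts.append({"user": user, "kind": "prompt_burst",
                               "count": len(q), "first": q[0], "last": ts})
        elif result == "approved":
            if len(q) >= threshold:
                alerts.append({"user": user, "kind": "approved_after_burst",
                               "denials": len(q), "at": ts})
            # A completed sign-in ends the episode either way.
            q.clear()
            burst_open.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in find_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

The threshold and window are tuning knobs, not facts from the article: a value of four denials in ten minutes catches the constructed burst above while ignoring bob's single mis-tap, but the right numbers depend on how often legitimate users decline prompts in your environment. The 'approved_after_burst' alert is the one worth paging on, since it means the fatigue tactic may have succeeded and the session should be reviewed.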
Tomi Engdahl says:
Microsoft: Russia tried to penetrate Finnish networks in the spring https://www.is.fi/digitoday/tietoturva/art-2000009180099.html
FINLAND is mentioned in Microsoft’s Digital Defence Report security report published today. The mention relates to Russian state espionage. – After two Nordic countries announced their willingness to join NATO, intelligence activity against them increased significantly, says Microsoft’s Tom Burt.
Tomi Engdahl says:
Nation-state cyberattacks become more brazen as authoritarian leaders ramp up aggression https://blogs.microsoft.com/on-the-issues/2022/11/04/microsoft-digital-defense-report-2022-ukraine/
On February 23, 2022, the cybersecurity world entered a new age, the age of the hybrid war, as Russia launched both physical and digital attacks against Ukraine. This year’s Microsoft Digital Defense Report provides new detail on these attacks and on increasing cyber aggression coming from authoritarian leaders around the world.