Cyber Security News

Why track cyber security news? Cyber security is a world unto itself. It’s a profession, an IT discipline and now a major industry. Companies, consumers and governments are spending billions of dollars a year on cyber security. Security also pervades many areas of life that have little to do, seemingly, with cyberspace. Thus, to keep up with the world in general, it’s helpful to stay aware of news that relates to cyber security.

For example, the dispute between the US government and Huawei is at once about international trade, national security, telecom industry competition… and cybersecurity. Security is a root issue with Huawei, given the suspicions about the company’s connections to the Chinese Communist Party (CCP). However, the company’s size, reach and technological innovation push the matter to the forefront of US-China relations.

Or, take consumer cyber risks. We cover cyber security news that deals with consumers’ exposure to cybercrime and fraud. Consumers are increasingly at risk of identity theft, credit card fraud and other malfeasance at the hands of cyber criminals. The articles we curate on this subject come from law enforcement publications, mainstream media and specialized blogs.

Public policy is now being influenced (or should be) by cyber security news. Policy makers should be aware of how cyber security affects their jobs and their constituents’ lives. For instance, the “smart city” is both an innovation and a threat. Using IoT sensors and advanced data analytics to improve municipal services is a great idea. However, the smart city also exposes government data to breach.

This is particularly urgent given the relatively insecure technologies (e.g. Chinese-made sensors) used for the smart city and the wireless connectivity that makes it all possible. Add malicious nation-state actors to the mix, such as the ones currently paralyzing American cities with ransomware, and one can see the potential danger.

News Insights: DHS bulletin to critical infrastructure operators and local government

The Department of Homeland Security reportedly sent out a bulletin Sunday to critical infrastructure operators and local government officials warning of the potential for cyberattacks launched by the Russian government in response to any US involvement in a potential war in Ukraine.

News Insights:

Saryu Nayyar, CEO and Founder, Gurucul (she/her):

“It is not surprising that the cyberattacks on the Ukraine were not going to be isolated to them based on the US involvement in Russia’s aggressive military actions. As the CISA points out with attacks such as WhisperGate, ‘identifying and quickly assessing any unexpected or unusual network behavior’ includes activity such as privileged access violations. Cisco Talos reports that system access was most likely based on stolen credentials. Organizations in the US must go beyond traditional XDR and SIEM solutions and incorporate identity and access analytics with user and entity behavior analytics to pick out unusual network activity, lateral movement and unusual access to applications. This activity must be escalated quickly and with confidence to security teams in light of forthcoming attacks. Stolen credentials can be identified based on abnormal usage by threat actors, especially as most other detection techniques cannot discern this being an immediate threat.”

Additionally, researchers with Trellix found a OneDrive malware campaign which targets government officials in Western Asia by using Microsoft’s Graph API to leverage OneDrive as a command-and-control server. The researchers have named the malware ‘Graphite’ due to its use of Microsoft’s Graph API. The attack takes advantage of an MSHTML remote code execution vulnerability (CVE-2021-40444) to execute a malicious executable in memory. The attack was prepared in July 2021 and eventually deployed between September and November, according to the Trellix report. In response to these findings, an expert with Gurucul offers perspective.

Saryu Nayyar, CEO and Founder, Gurucul (she/her):

“As described, this is a multi-stage attack over time that is similar to attacks purported by known threat actor group APT28. Without a strong set of security analytics capabilities that includes behavioral analytics to see abnormal communications, remote code execution, unauthorized file access, and other stages leveraging dwell time to stay hidden, security teams will struggle to identify this campaign quickly enough. This is especially true as most vendor solutions are leveraging rule-based machine learning (ML) models that require updates before being able to identify this variant. Current SIEM and XDR solutions are limited in their ability to do more than produce more indicators of compromise and do not provide the necessary detection for identifying an attack out of the box with both context and confidence.”

News Insights: Hacktivists say they hacked Belarus rail system to stop Russian military buildup.

Ars Technica is reporting that hacktivists say they hacked the Belarus rail system to stop the Russian military buildup.

News Insights:

Garret Grajek, CEO, YouAttest:

“Cyber warfare is simply warfare under another name. Once the lines are drawn, the sides will use whatever means necessary. And cyber attacks are extremely effective. As the US has seen, cyber attacks can close down the supply chain, stop energy shipments and hamper even meat production. In the west we must use what means are around us to guard our own systems. The tools of zero trust and identity governance have been shown to be effective at mitigating both nation state and profit-motivated attackers.”

 

From CYTRIO: When Data Privacy Becomes a Human Right

When Data Privacy Becomes a Human Right

Darshan Joshi, Chief Technology Officer, CYTRIO

A deep history of pivotal moments gave root to our modern idea of human rights. Ancients like King Hammurabi set in stone (literally) some parts of the idea that every person has basic rights and freedom. Along the way, the Magna Carta, the English Bill of Rights, the Virginia Declaration of Rights, and the U.S. Bill of Rights codified human rights into the current local incarnation.

However, it was not until the end of World War II and the scale of human tragedy that the world adopted a global declaration of human rights. It was then that the Universal Declaration of Human Rights (UDHR) was formalized.

Today, the world is at another precipice — a digital one. Once the U.N. declared internet access as a human right, it became apparent that protecting personally identifiable (PI) data or data privacy is a significant concern for all consumers — not just a privileged few.

Read the full article: https://cytrio.com/when-data-privacy-becomes-a-human-right/

News Insights: Biden DoD Cybersecurity 2FA Mandate

President Biden issued a new directive intended to strengthen cybersecurity within the Defense Department and intelligence agencies. The directive mandates the use of two-factor authentication and encryption for national security systems, including those operated by the Defense Department and intelligence agencies.

Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems | The White House

News Insights:

Tim Erlin, VP of strategy at Tripwire:

“Today’s memorandum is a follow-up to the Executive Order released last year, and demonstrates that the administration’s strong commitment to cybersecurity continues. It sets a number of additional and more specific deadlines for the NSA, DoD and the Intelligence Community systems.

The memorandum touches on many aspects of the original executive order, including promoting Zero Trust Architecture, implementing encryption, and improving data sharing about incidents.

It may be difficult for the average person to parse what’s happening here, but these kinds of artifacts, memorandums and Executive Orders, are key components in effectively operationalizing broadly applicable policy changes. For example, the inclusion of Zero Trust in this memorandum and in the Executive Order will cause agencies to make specific decisions about what technologies to purchase and implement. These are not surgical changes, but sweeping ones. There’s simply a lot of work that has to go into standardizing cybersecurity across such a large IT footprint. A government-wide shift in cybersecurity policy and implementation will take time, but it’s important that agencies lay out a plan and measure execution against that plan to protect our critical infrastructure.

Zero Trust Architecture holds a lot of promise as a defensive security control. Preventing attackers from accessing resources, and limiting which resources are accessible, is a great strategy, but there’s a big gap between the specification on paper and the realized implementation. These are the gaps that attackers will attempt to exploit.”

James McQuiggan, security awareness advocate at KnowBe4:

“As with similar requests from the Biden Administration last year to organizations, it is crucial to see the need to document all assets, implement zero-trust requirements and multi-factor authentication added to user accounts accessing National Security Systems.

CISOs must maintain asset lists within organizations, so the proper processes and tools are available to protect those systems. If they are unaware of what they have, it is challenging to protect and becomes their weakest link.

It is important to consider that it is not a silver bullet with MFA and will not necessarily prevent attacks. It is rather a deterrent and thus makes it a little harder for cybercriminals to gain access.

One missing item from the order is education around and the creation of a solid security culture among users. When users can spot social engineering attacks, have the necessary training to work in Network or Security Operations Centers and understand the importance of developing secure code, it can strengthen the resiliency of the organization or government systems and significantly reduce the risk of a cyberattack.”

Mark Manglicmot, VP of Security Services, Arctic Wolf:

“The line item in the Biden cyber memorandum that includes accountability for federal contractors may be the most important part here as the Defense Department and the security industry play by team sport rules – and to ensure collective cybersecurity – federal contractors need to as well. Federal contractors must be held to the same rigorous standards as the federal agencies that they support. The memo rightly points out something the industry is unfortunately too familiar with – security is only as strong as its vulnerabilities.

Agencies being required to identify their national security systems and report cyber incidents that involve them to the NSA aligns with the advice that industry often tells customers. To defend something, you need to have an asset inventory to know what your most critical systems and data are. This directive mandates this best practice.

A sorely recent example of this is Log4Shell. In the immediate aftermath, every organization rapidly attempted to identify and mitigate the exploit in the vast array of tools and services that drive modern business and connectivity. The situation exploited a weakness in a fundamental part of what were considered strong security postures. So many organizations remain underprepared for this kind of issue and are stuck in the dark when it comes to fully knowing their technology stack. If IT teams don’t have a holistic view of their network from the start, swift and decisive action is rendered nearly impossible. Centrally collecting incident data allows for better trending to be identified and thus improve predictive capabilities.

New security standards and testing requirements for security tools are key. Having a well-known standard sets a baseline that can be enforced and improved upon. Testing is part of a mature security program to test its effectiveness and technical controls. Without testing, it’s unclear just how effective the implementation of these controls is – much less how to improve it as the threat landscape evolves.

In addition to standardizing testing, putting experienced practitioners into leadership roles helps ensure things are clearly defined with practical guidance. Just as it is critical to have a human element to contextualize tools’ output and alerts, it’s important to have industry professionals at the leadership level to do the same for this level of guidance. This shows again how seriously the administration is taking this national security issue.”

Andrew Howard, CEO of Kudelski Security:

“These baseline standards have existed under the government’s NIST 800-37 Risk Management Framework for a long time but were not always deployed unless the computer system had significant confidentiality, integrity, or availability concerns. More ubiquitous deployment of multi-factor authentication and hard disk encryption across government systems is a prudent step. The government’s footprint of systems is huge and a strong baseline is a good idea.”

W. Curtis Preston, Chief Technical Evangelist, Druva:

“President Biden’s national security memorandum is one of the biggest directives taken to date to secure our nation’s critical systems. Cloud-based technologies have already proven their agility, flexibility and security compared to hardware-based alternatives. A requirement for federal agencies to more widely deploy cloud technologies will greatly assist in strengthening our nation’s defenses and can immediately help minimize the impact of ever-increasing cyber attacks.

These government-led initiatives are essential if we are going to drive change and ensure resilience for all. The President’s move will lay a critical pathway for concrete government action, as well as providing an example on how private organizations should protect their employees and their data.”

Rebecca Krauthamer, Co-Founder and CPO, QuSecure:

“The aim of the executive order is to standardize cybersecurity requirements for national security systems across all agencies to present a directed and unified front against emerging cyber threats, most notably the very real threat quantum computers pose to today’s encryption standards.

In the past several years quantum computing research and development has sparked serious international competition among countries vying to be the first to build a powerful quantum computer that would be able to, among its various awesome capabilities, devastate our cyber security infrastructure. The reason bringing systems into post-quantum cryptographic compliance cannot wait until the day a sufficiently powerful quantum computer comes online comes down to SNDL, or store-now-decrypt-later data harvesting schemes, where data is stolen and shelved until the hacker has the computational power to decrypt it. Data often has a shelf life – think bank account information, social security numbers, and national security secrets – so data whose secrecy needs to outlive the next several years, when a sufficiently powerful quantum computer is likely to come online, needs to be encrypted in a post-quantum resilient way immediately. This executive order is a significant step in adequately addressing this risk for the US.

The order will help drive updates to classified systems, and should soon drive post-quantum cyber security standards and compliance in highly regulated sectors including finance, healthcare, commercial aerospace.”

News Insights: CISA Insights Bulletin Urges U.S. Preparation for Data Wiping Attacks

News Insights:

Saryu Nayyar, CEO and Founder, Gurucul (She/Her):

“The CISA’s guidance has several detailed measures that should be followed by every organization. One area of particular note is ‘identifying and quickly assessing any unexpected or unusual network behavior’. This is especially relevant when it comes to unusual communications, but also privileged access violations. In fact, another piece of guidance states: ‘take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic’. It is critical to monitor for and determine if access violations are taking place, but with stolen credentials commonly being used by attackers appearing valid to most detection solutions, this is really where behavioral analytics can determine if the access is indeed legitimate, suspicious or malicious and help security teams investigate further or rapidly respond.”

Antonio Martinelli, Director of Cyber Training, GRIMM (www.grimm-co.com):

“Attack surface reduction is a critical aspect of any Information Security program, yet something companies have consistently been struggling with since The Internet became ubiquitous. We’re seeing it’s easier now more than ever for employees to spin up new cloud resources and enroll in SaaS services without proper channels being involved, leading to companies being hit by attacks in these ever-expanding blind spots. A cyclical process of active asset inventory identification and subsequent attack surface assessment & reduction is mandatory in this day and age of Shadow IT complacency.”

News Insights: Ransomware attack locks down a US jail

Security Week just broke the news that a ransomware attack locked down a US jail, knocking out security cameras and leaving inmates confined to their cells, court documents show.

https://www.securityweek.com/ransomware-attack-locks-down-us-prison

News Insights:

Purandar Das, Co-founder and CEO from Sotero (www.soterosoft.com) an encryption-based security solutions company, said, “There are no systems that can’t be touched. What these attacks continue to demonstrate is the fact that security as it has been envisioned is no longer secure. They continue to emphasize the fact that technological advances have ignored security and these weaknesses are now being exploited and monetized by the very same skillsets and technologies that were used to achieve them. Analogous to physical security the days of leaving doors open and windows open are long gone. Organizations need to adapt rapidly to keep the bad actors out. Strategic planning and the adoption of newer technologies are needed.”

News Insights: UK’s National Cyber Security Centre has joined US calls to be wary of Russian state interference in critical infrastructure

The UK’s National Cyber Security Centre has joined US calls to be wary of Russian state interference in critical infrastructure IT systems including telecoms networks, energy and utility suppliers, transport operations and logistics and distribution specialists. This comes shortly after a joint advisory published by CISA and the FBI urged CNI operators to “adopt a heightened state of awareness and to conduct proactive threat hunting”.

News Insights:

Sanjay Raja, VP of Product Marketing and Solutions, Gurucul: “The NCSC and CISA are absolutely missing the mark. Preventive measures are certainly an important layer of defense, but antivirus is fairly useless against most advanced attacks. Vulnerabilities are no longer the primary entry point (aka initial compromise) for most attacks. While a vulnerability is often exploited as a step in an overall attack campaign, the primary mechanism being more actively used by many adversarial nation states is a combination of phishing and social engineering. This means that initial compromise is dependent on human behaviors and impossible to prevent 100% of the time. All it takes is one successful compromise to circumvent most preventive controls and certainly antivirus, especially as variations in attack strategies are implemented to circumvent signatures, pattern matching and rule-based machine-learning detection analytics. What is required is a stronger detection program that also monitors for and identifies risky access controls, entitlements and user behaviors and associated abnormal or deviant activity. This includes potential threats from the inside, not just outside threats. More advanced and adaptable technologies that use machine learning and artificial intelligence to compensate for threat actor activity and human behavior have proven to be more effective at stopping successful attacks.”

Policy Insights: FCC proposes more rigorous data breach reporting requirements for telecom carriers

The FCC has proposed more rigorous data breach reporting requirements for telecom carriers in response to breaches that recently hit the telecommunications industry. On Wednesday, Chairwoman Jessica Rosenworcel shared the proposal in the form of a Notice of Proposed Rulemaking (NPRM), the first step in changing the FCC’s rules for alerting federal agencies and customers of data breaches. “Customers deserve to be protected against the increase in frequency, sophistication, and scale of these data leaks, and the consequences that can last years after an exposure of personal information,” Chairwoman Rosenworcel said.

Policy Insights:

Trevor Morgan, product manager with data security specialists comforte AG, commented, “The FCC’s proposition that data breach reporting rules should be more rigorous on telecom carriers reflects the pressure put on governmental agencies to take better proactive action on cybersecurity. Last year’s high-profile breaches that affected numerous supply chains and even large ICT organizations, many of which had a rippling effect on the average consumer, certainly caught the attention of governments and regulators across the globe. Carriers collect an enormous amount of information about their customers, much of it consisting of private and highly sensitive data, so ensuring that these businesses respond responsibly and rapidly to any data breach—intentional hack or inadvertent data leak—helps to create a better collective culture of data privacy and security, and incidentally nurtures public trust. Another mitigating tactic for businesses in telecom or any other industry is to adopt data-centric security, which applies strong tokenization or format-preserving encryption protection directly to sensitive data, making it unreadable and thus unusable by threat actors. Reporting that a breach has occurred but that no sensitive data has been revealed is a much better call than the alternative, with much better reception.”

News Insights: FSB Takes down REvil Ransomware Gang

News broke today about individuals allegedly associated with the REvil ransomware gang being arrested by the Russian FSB. REvil had been associated with many high-profile attacks, including one against software vendor Kaseya last year. The group had ceased operations in October 2021 due to an unexpected compromise of their infrastructure. This followed a brief summer hiatus, triggered by the group’s alleged founder, who was said to have run off with the money.

News Insights:

John Shier, Sophos Senior Security Advisor: “There is no confirmation of whether any of the self-identified leaders (e.g. UNKN, 0_neday) have been arrested. The arrests by the FSB, allegedly at the request of the US government, are unusual given Russia’s stance on such crimes. The news comes at a time when political tensions between the two governments are running high and it’s easy to be cynical about the motive. At a time when Russia needs a little geopolitical goodwill, they arrest individuals associated with a defunct ransomware group. If nothing else, it serves as a warning to other criminals that operating out of Russia might not be the safe harbor they thought it was. While we can be afforded some brief time to celebrate the good news, it’s always important to remember that cybercrime isn’t just about ransomware. There are plenty of other cybercriminals, who were not impacted by these arrests, who will continue operating as usual.”

Dirk Schrader, Global VP of Security Research at NNT, now part of Netwrix: “The news about arrests of ransomware gang members and affiliates gives a promising start to the year 2022. We can hope that the REvil group is now dismantled in what looks like an unprecedented coordinated effort by law enforcement across the globe. Events like this should send shivers throughout the ransomware ecosystem and significantly increase the risks for current and potential future cybercriminals. Time will tell if the number of high-profile ransomware attacks eventually goes down as a result. In the past, any vacuum in the ransomware space was filled by other gangs. That said, it is too early to say whether such a level of international cooperation will turn into systemic efforts to put an end to widespread ransomware attacks. Only consistent united efforts to deprive the attackers of any safe harbor can ensure long term results. Otherwise recent detentions will remain exceptional incidents. Most importantly, don’t let these arrests lull you into a false sense of security. While one major ransomware actor is taken down, other gangs may see this as a call to step up their game. IT and security teams should continuously re-evaluate the threats and risks, and adapt their processes and tools to protect the organization’s sensitive data and infrastructure.”

Ziv Mador, VP of Security Research, Trustwave SpiderLabs: “This unprecedented action from the Russian Federal Security Service (FSB) aligns with the fear that we’ve observed while conducting cybercriminal chatter reconnaissance on the Dark Web. Cybercriminals on the Dark Web indicated back in November 2021 that they believed there were secret negotiations on cybercrime between the Russian Federation and the United States and urged each other to prepare for potentially serious actions from Russia. Time will tell if REvil resources will reemerge in another form, as we’ve seen with other ransomware groups many times in the past.”

News Insights: Malware Attack on Ukraine

In a blog published Saturday, Microsoft says it has discovered a destructive malware being used to corrupt systems of multiple organizations in Ukraine. Microsoft Threat Intelligence Center (MSTIC) first discovered the ransomware-like malware on January 13.

News Insights:

Saryu Nayyar, CEO and Founder, Gurucul (she/her), said, “As noted, this is not atypical ransomware as it overwrites the master boot record. Nation state threat actors usually have three objectives, spying for intelligence, intellectual property theft, and disruption/destruction. Clearly this is the latter as these threat actor groups aren’t interested in simple financial gain. What is of note is the malware propagates through publicly available code used for lateral movement and execution. Part of that execution is downloading of file corruption software from a Discord channel. This is where it is critical to employ adaptive machine learning and behavioral detection found in true next generation SIEMs identifying the lateral movement and connection attempts to Discord. In addition, identity and access analytics are extremely useful here to determine unusual or unauthorized remote access. The combination of the two goes beyond sifting through traditional IoCs that can easily be missed or escalated by traditional SIEMs or XDR tools.”

Eric Milam, VP Research and Intelligence, BlackBerry, remarked, “The latest cyberattack on Ukraine may be a manifestation of tensions over Crimea but it is also a reminder of the power of Russian cyber threats internationally. My own team’s investigation and prevention of these Russian threats, such as Dr. REvil, has revealed that it is crucial for organisations and government to learn how to protect against state-sponsored cyber attacks as a matter of highest priority. As government agencies collect and share more digital information, they must develop a comprehensive, integrated approach to security to protect highly confidential data and communication. This can be done through AI-based threat prevention, enabling a Zero Trust security environment which continuously validates that trust at every event or transaction to authenticate users.