Develop 'Foursight' — Keep Your Post-COVID Transformation on Track

Meeting the growing burden of legal and regulatory mandates is an ongoing, increasingly complex battle. Key to success is the ability to easily manage and analyze increasing volumes of digital information.

Coping with the rising amount and variety of digital information sources has become one of the main challenges for IT leaders. This data is both a key requirement of digital transformation and a potential compliance risk. Collaborative media platforms like Microsoft Teams, WhatsApp, and Zoom can expose sensitive or proprietary organizational information. With remote work likely to endure in some form, balancing today’s needs with tomorrow’s opportunities is a real digital dilemma.

However, by finding the right technology answers to four data safety questions, enterprises can run today and transform for tomorrow.

1. Where is my data and who can access it? A distributed workforce needs access to organizational data and applications from any device. Without knowing what data is where — or who can access it — many organizations risk multiple regulatory violations, including GDPR, CCPA, CPRA, and Federal FRCP 37(e).

A robust unified endpoint management strategy and endpoint backup solution enables swift and secure deployment, management, and backup. Employees have access to data and applications with multilevel protection. It supports your business today, while advancing your digital transformation agenda.

2. Can my people access the right content, and how do I manage it throughout the data life cycle while remaining compliant with retention policies? Suddenly, sensitive corporate data — anything from contracts to PII — is living outside the corporate firewall and is therefore at risk for multiple regulatory violations.

The right content management or content services solution mitigates that risk today and gives the IT organization data hygiene practices that help meet future regulatory mandates. It ensures a global remote workforce can access the data when and where they need it, while a complete access audit trail meets internal security policies and regulatory mandates. Providing e-discovery functionality for rapid content search and retrieval boosts efficiencies, a key digital transformation journey milestone.

3. Is my data securely backed up, from servers through to endpoints? Many organizations discovered the true cost of abandoning traditional endpoint backup or backup and disaster recovery systems the hard way. For some, the pandemic-driven flight to the cloud has meant data loss, accidental content deletion, security breaches, malware attacks, and loss of intellectual property.

Studies show the average UK adult loses two smartphones during their lifetime, and their US counterparts lose 70 million devices every year. So, enhance your file sync and share profile by implementing a future-enabled endpoint backup or backup and disaster recovery solution. Encrypting content in databases — behind the corporate firewall or in a certified cloud with redundant and secure data centers — is a business imperative. Meeting current mandates and future demands is where the principles of run and transform meet the real world.

4. Are my communications in a searchable archive where I can perform e-discovery at scale? Social collaboration platforms for remote workers need to be e-discovery-enabled. Without an audit trail, or the ability to capture, search, and monitor work, both content misuse and accidental and malicious insider threats are a real danger.

The right solution stores communications from social collaboration platforms in a central and compliant archive. It ingests and safely retains electronic information — structured and unstructured — including email, images, audio, print streams, and text. This enables the instant access that supports search and export exercises, policy application, and setting data life-cycle management parameters.

Run and Transform — Meeting the Compliance Challenge
If you answered “no” to any of the questions above, you risk compliance violations. Enforcement could expose your organization to fines and penalties that compromise both your ability to do business today and transform for the future.

Living the principles of run and transform may depend on having access to a broad software portfolio and strategic services that bridge the gap between current and emerging technologies. Micro Focus delivers technology and supporting services for managing core IT elements across businesses to help them run and transform — at the same time.

About the Author
Christina Wood serves as Head of Global Marketing for the Information Management & Governance (IM&G) product group at Micro Focus. She is responsible for market strategy and positioning across the IM&G product group. Christina joined Micro Focus in 2016 as part of the acquisition of GWAVA, where she served as CMO, Head of Global Marketing. With more than 20 years of experience in the high-tech industry, Christina has served within startups and large corporations focused on AI, security, mobility, and is a subject matter expert in information archiving. Christina holds a bachelor’s degree in Communication Studies with a minor in Biblical Studies from Azusa Pacific University.

Ransomware, Carding, and Initial Access Brokers: Group-IB Presents Report on Trending Crimes

Group-IB, one of the global cybersecurity leaders, has presented its research into global cyberthreats in the report Hi-Tech Crime Trends 2021/2022 at its annual threat hunting and intelligence conference, CyberCrimeCon’21. In the report, which explores cybercrime developments in H2 2020—H1 2021, Group-IB researchers analyze the increasing complexity of the global threat landscape and highlight the ever-growing role of alliances between threat actors. The trend manifests itself in partnerships between ransomware operators and initial access brokers under the Ransomware-as-a-Service model. Scammers also band together in clans to automate and streamline fraudulent operations. Conversely, individual cybercrimes such as carding are in decline for the first time in a while.

For the 10th consecutive year, the Hi-Tech Crime Trends report analyzes the various aspects of the cybercriminal industry’s operations, examines attacks, and provides forecasts for the threat landscape for various sectors. For the first time, the report was divided into five major volumes, each with a different focus: ransomware, the sale of access to corporate networks, cyberwarfare, threats to the financial sector, and phishing and scams. The forecasts and recommendations outlined in Hi-Tech Crime Trends 2021/2022 seek to prevent damage and downtime for companies worldwide.

Initial access brokers: US companies among the most frequent targets

One of the underlying trends in the cybercrime arena is a sharp increase in the number of offers to sell access to compromised corporate networks. Pioneered by the infamous hacker Fxmsp, who was charged by the US Department of Justice in 2020, the market for corporate initial access grew by almost 16% in H2 2020—H1 2021, from $6,189,388 to $7,165,387. The number of offers to sell access to companies more than tripled over the review period, from 362 to 1,099. This data was obtained by Group-IB’s Threat Intelligence & Attribution system, which gathers even deleted information from cybercriminal underground forums.

This segment of the cybercriminal underground has a relatively low entry barrier. Poor corporate cyber risk management, combined with the wide availability of tools for attacking corporate networks, contributed to a record-breaking rise in the number of initial access brokers. In H2 2019—H1 2020, the Group-IB Threat Intelligence team detected only 86 active brokers. In H2 2020—H1 2021, however, this number skyrocketed to 262, with 229 new players joining the roster.

Most affected companies belonged to the manufacturing (9% of all companies), education (9%), financial services (9%), healthcare (7%), and commerce (7%) sectors. Over the review period, the number of industries targeted by initial access brokers surged from 20 to 35, which indicates that cybercriminals are becoming aware of the variety of potential victims.

The geography of initial access brokers’ operations has also expanded. In H2 2020—H1 2021, the number of countries where cybercriminals broke into corporate networks increased from 42 to 68. US-based companies are the most popular among sellers of access to compromised networks — they account for 30% of all victim-companies in H2 2020—H1 2021, followed by France (5%), and the UK (4%).

One of the main driving forces for initial access market growth is the steep increase in the number of ransomware attacks. Initial access brokers remove the need for ransomware operators to break into corporate networks on their own.

Lock, Lock Who’s There? Corporansom

The unholy alliance of initial access brokers and ransomware operators as part of Ransomware-as-a-Service (RaaS) affiliate programs has led to the rise of the ransomware empire. In total, data relating to 2,371 companies was released on DLSs (Data Leak Sites) over H2 2020—H1 2021. This is an unprecedented increase of 935% compared to the previous review period, when data relating to 229 victims was made public.

Thanks to the Threat Intelligence & Attribution system, Group-IB researchers were able to trace how the ransomware empire has evolved since it appeared. Group-IB’s team analyzed private Ransomware affiliate programs, DLSs where they post exfiltrated data belonging to victims who refused to pay the ransom, and the most aggressive ransomware strains.

Over the review period, Group-IB analysts identified 21 new Ransomware-as-a-Service (RaaS) affiliate programs, which is a 19% increase compared to the previous period. During the review period, the cybercriminals mastered the use of DLSs, which are used as an additional source of pressure on their victims to make them pay the ransom by threatening to leak their data. In practice, however, victims can still find their data on the DLS even if the ransom is paid. The number of new DLSs more than doubled during the review period and reached 28, compared to 13 in H2 2019—H1 2020.

It is noteworthy that in the first three quarters of 2021, ransomware operators released 47% more data on attacked companies than in the whole of 2020. Given that cybercriminals release data relating to only about 10% of their victims, the actual number of ransomware victims is likely to be roughly an order of magnitude higher. The share of companies that pay the ransom is estimated at 30%.

Having analyzed ransomware DLSs in 2021, Group-IB analysts concluded that Conti was the most aggressive ransomware group: it disclosed information about 361 victims (16.5% of all victim companies whose data was released on DLSs), followed by LockBit (251), Avaddon (164), REvil (155), and Pysa (118). Last year’s top 5 was as follows: Maze (259), Egregor (204), Conti (173), REvil (141), and Pysa (123).

Country-wise, most companies whose data was posted on DLSs by ransomware operators in 2021 were based in the United States (968), Canada (110), and France (103), while most organizations affected belonged to the manufacturing (9.6%), real estate (9.5%), and transportation industries (8.2%).

Carding: The Joker’s Last Laugh

Over the review period, the carding market dropped by 26%, from $1.9 billion to $1.4 billion compared to the previous period. The decrease can be explained by the lower number of dumps (data stored on the magnetic stripe on bank cards) offered for sale: the number of offers shrank by 17%, from 70 million records to 58 million, due to the infamous card shop Joker’s Stash shutting down. Meanwhile, the average price of a bank card dump fell from $21.88 to $13.84, while the maximum price surged from $500 to $750.

An opposite trend was recorded on the market for bank card text data (card numbers, expiration dates, cardholder names, addresses, CVVs): the number of records soared by 36%, from 28 million to 38 million, which can be explained in part by the higher number of phishing web resources mimicking well-known brands during the pandemic. The average price for text data climbed from $12.78 to $15.2, while the maximum price skyrocketed almost 7-fold: from $150 to an unprecedented $1,000.

The Scamdemic

Another cohort of cybercriminals actively forging partnerships over the review period were scammers. In recent years, phishing and scam affiliate programs have become highly popular. The research conducted by Group-IB revealed that there are more than 70 phishing and scam affiliate programs. Participants aim to steal money as well as personal and payment data. In the reporting period, the threat actors who took part in such schemes pocketed at least $10 million in total. The average amount stolen by a scam affiliate program member is estimated at $83.

Affiliate programs involve large numbers of participants, have a strict hierarchy, and use complex technical infrastructures to automate fraudulent activities. Phishing and scam affiliate programs actively use Telegram bots that provide participants with ready-to-use scam and phishing pages. This helps scale phishing campaigns and tailor them to banks, popular email services, and other organizations.

Phishing and scam affiliate programs, initially focused on Russia and other CIS countries, recently started their online migration to Europe, America, Asia, and the Middle East. This is exemplified by Classiscam: an automated scam-as-a-service designed to steal money and payment data. Group-IB is aware of at least 71 brands from 36 countries impersonated by affiliate program members. Phishing and scam websites created by affiliate program members most often mimic marketplaces (69.5%), delivery services (17.2%), and carpooling services (12.8%).

Darktrace Reports 30% More Ransomware Attacks Targeting Organizations During the Holiday Period

CAMBRIDGE, United Kingdom, Dec. 2, 2021 /PRNewswire/ — Darktrace, a global leader in cyber security AI, today reported that its security researchers discovered a 30% increase in the average number of attempted ransomware attacks globally over the holiday season in every consecutive year from 2018 to 2020 compared to the monthly average.

The researchers also observed a 70% average increase in attempted ransomware attacks in November and December compared to January and February. Following a record number of ransomware attacks this year, the company expects the spike to be higher over the 2021 holiday period.

During the nascent 2021 holiday season, Darktrace’s AI detected and autonomously stopped an in-progress, early-stage ransomware attack on a U.S. city before any data exfiltration or encryption could occur. The city’s security team had the foresight to deploy an AI solution to combat multi-stage ransomware attacks, enabling them to stop the attackers at the earliest stage. 

Ransomware is often falsely considered an encryption problem. This misconception masks and undermines attackers’ determination and creativity to initially break into and then move around within an organization’s digital environment first to discover, then steal and encrypt data. The break-in is often through email, but that quickly evolves to targeting servers where the data lives. Therefore, a combination of email and network security is crucial to stop these attacks. 

Powered by Self-Learning AI, Darktrace technology develops an understanding of normal business operations for each organization. It autonomously interrupts in-progress attacks at every stage from the initial entry with sophisticated spearphishing emails to brute-forced remote desktop protocol (RDP), command-and-control, and lateral movement, all without business disruption. 

“Based on what we’ve seen in previous years, holidays are consistent target periods for cyber-attackers. Interestingly, the largest rise in attempted ransomware attacks is between Christmas and New Year’s when attackers know there will be fewer eyeballs on screens defending against threats,” commented Justin Fier, Director of Cyber Intelligence and Analytics, Darktrace. “Business leaders should know that there is available technology that can identify and respond to the initial warning signs of ransomware before attackers can hold critical systems hostage, even when human security teams are out of office.”

About Darktrace

Darktrace (DARK.L), a global leader in cyber security AI, delivers world-class technology that protects almost 6,000 customers worldwide from advanced threats, including ransomware, and cloud and SaaS attacks. The company’s fundamentally different approach applies Self-Learning AI to enable machines to understand the business in order to autonomously defend it. Headquartered in Cambridge, UK, the company has 1,600 employees and over 30 offices worldwide. Darktrace was named one of TIME magazine’s ‘Most Influential Companies’ for 2021.

Top 5 Reasons to Get 'SASE' With Security

What’s the key to effective security? How can we continue to defend against the ever-rising tide of cyberattacks amid a constantly evolving perimeter and the unprecedented acceleration of hybrid work? And let’s not forget about the proliferation of devices connecting to the network, and the mass movement of applications into the cloud.

If we’ve learned anything over the years, it’s that security is a journey, not a destination. That said, how do we get anywhere?

According to the “Cisco Security Outcomes Study,” the two most important things an organization can do to improve its security are to proactively refresh technology and make sure the technology is well-integrated. All it takes is one gap for attackers to infiltrate your organization. But when you work with a variety of disjointed products from various vendors, you may unintentionally be creating some serious gaps. The same goes for outdated technology. If it’s not updated and tuned to catch the latest threats, you’re basically trying to protect your network with a colander.

Another cyber defense success factor is collaboration between IT and security, according to the study. When trying to defend your network against threats, you need to know what your networking and IT teams are working on, and they must be intimately familiar with your security plans.

Proactively updating and integrating technology, and ensuring tight collaboration between IT and security … it’s simple, right? Well, not always – especially for organizations with limited resources. But one thing can help with all these efforts at once: secure access service edge, a.k.a. SASE (pronounced “sassy”). Cisco’s recent “Future of Technology” report found that 86% of respondents are considering, planning to adopt, or have already adopted SASE solutions.

Embracing SASE for Stronger Security
SASE is an evolving architecture that combines a software-defined wide area network (SD-WAN) with multiple security capabilities, and delivers them through a single, integrated cloud service. Ideally, this service is provided by one vendor or a very small number of vendors instead of through a patchwork of disparate solutions. To better accommodate today’s more distributed workforce, SASE operates closer to the end user and endpoints (hence the “edge” part of the moniker).

While SASE is still in its nascent stages, you can begin experiencing its many benefits now by taking initial steps toward the architecture. With SASE you can:

  1. Reduce complexity and improve security by integrating multiple functions into a single, cloud-delivered service, and minimize dangerous blind spots with comprehensive visibility over all network assets and user activity.
  2. More quickly and easily update and scale technology via cloud- and service-based delivery to keep up with growing risks and requirements.
  3. Allow for more effortless communication between networking and security teams through an integrated architecture and collaborative processes.
  4. Thrive in today’s new hybrid work environment by enabling employees to seamlessly and securely connect to any application, in any network or cloud, from any device or location.
  5. Embrace automation and gain valuable insights into the network so your security teams can focus on higher-level priorities and do more with less.

What About Zero-Trust and XDR?
You have also likely heard that zero-trust and extended detection and response (XDR) are important initiatives for boosting security. The pandemic has accelerated digital transformation – and the transition to a hybrid workforce – so much so that all three of these security trends (SASE, XDR, and zero-trust) must now work together to help organizations keep up.

  • XDR provides a more holistic way of combating the latest threats.
  • Zero trust brings identity into the equation, making sure that only the right people and devices are allowed to access your network and critical systems.
  • SASE enables organizations to deliver these and other security functions, alongside networking capabilities, at scale – accommodating the growing need for secure access to anything from anywhere.

451 Research provides a great explanation of how SASE, zero-trust, and XDR concepts intersect to set organizations up for more effective, agile security.

With SASE, organizations can achieve enhanced security and performance for the modern way of working and connecting. Bringing together crucial networking and security components now helps set the stage for tomorrow’s inevitable transition to SASE.

Planned Parenthood LA Breach Compromises 400,000 Patients' Data

A security incident at Planned Parenthood’s Los Angeles (PPLA) branch compromised personal data of about 400,000 patients, officials confirmed this week.

News of the breach was confirmed in letters sent to affected patients. These state that suspicious activity was detected on the PPLA network on Oct. 17, 2021. Following its discovery, PPLA took its systems offline, notified law enforcement, and hired a third-party security firm to aid in its investigation.

The investigation revealed an unauthorized person gained access to PPLA systems between Oct. 9 and Oct. 17 and exfiltrated files. On Nov. 4, officials learned the type of information compromised. In its letters, PPLA wrote “we identified files that contained your name and one or more of the following: address, insurance information, date of birth, and clinical information, such as diagnosis, procedure, and/or prescription information.”

At the time the letters were sent, PPLA stated there was no evidence any information involved in the incident has been used for fraudulent purposes. It does not disclose who might be behind the attack. Recipients of the letters are advised to review statements from their health insurer and health care providers and monitor for charges for services they did not receive.



Exploring Container Security: A Storage Vulnerability Deep Dive

Kubernetes Security is constantly evolving – keeping pace with enhanced functionality, usability and flexibility while also balancing the security needs of a wide and diverse set of use-cases.

Recently, the GKE Security team discovered a high-severity vulnerability that allowed workloads to access parts of the host filesystem outside the boundaries of their mounted volumes. Although the vulnerability was patched back in September, we thought it would be beneficial to write up a more in-depth analysis of the issue to share with the community.

We assessed the impact of the vulnerability as described in vulnerability management in open-source Kubernetes and worked closely with the GKE Storage team and the Kubernetes Security Response Committee to find a fix. In this post we’ll give some background on how the subpath storage system works, an overview of the vulnerability, the steps to find the root cause and the fix, and finally some recommendations for GKE and Anthos users.

Kubernetes Filesystems: Intro to Volume Subpath
The vulnerability, CVE-2021-25741, was caused by a race condition during the creation of a subpath bind mount inside a container, and allowed an attacker to gain unauthorized access to the underlying node filesystem and its sensitive files. We’ll describe how that system is supposed to work, and then talk about the vulnerability.

The volume subpath feature in Kubernetes enables sharing a volume in multiple containers inside a pod. For example, we could create a Pod with an InitContainer that creates directories with pre-populated data in a mounted filesystem volume. These directories can then be used by containers in the same Pod by mounting the same volume and optionally specifying a subpath field to limit what’s visible inside the container.

While there are good use cases for this feature, it is an area where vulnerabilities have been found before. The kubelet must be especially careful when handling user-controlled subpaths because it operates with host privileges. One previously discovered vulnerability involved a malicious workload in which an InitContainer created a symlink pointing to an arbitrary location on the host. For example, the InitContainer could mount a volume at /mnt and create a symlink /mnt/attack inside the container pointing to /etc. Later in the Pod lifecycle, another container would request the same volume with subpath attack. While preparing the volumes for that container, the kubelet, running on the host, would follow the symlink to the host’s /etc rather than the container’s, unknowingly exposing the host filesystem to the container. The fix for that issue made sure the subpath mount location is resolved and validated to lie inside the base volume, and that the user cannot change it between the time the path is validated and the time it is bind mounted. That class of race, where the object being checked changes after the check, is known as time of check to time of use (TOCTOU).

These validations and others are summarized in the original post’s container lifecycle sequence diagram, captioned “Volume subpath validations before the container startup”.

A New TOCTOU Vulnerability: CVE-2021-25741
The latest vulnerability was found with a symlink attack similar to the one explained above, with one difference: the attacker constantly swapped the symlink with a real directory in a tight loop, using renameat2(2) with the RENAME_EXCHANGE flag, which exchanges two directory entries atomically. If the timing is just right, the kubelet sees a directory at the path and passes its validation check, and the mount utility then finds a symlink pointing into the host at the same path and follows it, exposing the host filesystem to the container. The original post visualizes this in a diagram captioned “The expectation and the attack outcome”.

The GKE Security and Storage teams worked closely to revisit the earlier fix and find a solution. That fix takes several steps to ensure the directory being mounted is opened safely and validated; once the file is open, the kubelet refers to it through its magic link under /proc/[pid]/fd for all subsequent operations, so that the object it validated is the object that gets mounted. What undid that effort was the mount(8) utility itself: by default it canonicalizes the source path, which dereferences the procfs magic link into a textual path and then looks that path up again by name, giving the attacker’s swap a second chance to be followed. Once the problem was understood, the fix was to stop mount from dereferencing the magic link by passing the --no-canonicalize flag in the mount command.
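The sequence above, as an added example that is not code from the Google post or from Kubernetes: the C program below reproduces the mechanism on a throwaway directory tree under /tmp, standing in for the kubelet and for mount(8) with plain open(2), readlink(2) and realpath(3) calls rather than calling mount(2), so it runs unprivileged. It shows the earlier symlink attack being refused by a no-follow open, the RENAME_EXCHANGE swap from renameat2(2), and the difference between mount(8)’s default canonicalization of a /proc/self/fd magic link and --no-canonicalize. The swap is placed deterministically inside the race window instead of being raced in a loop. The lab layout (host, vol/data, vol/escape), the function names, and the use of readlink-then-realpath as a model of canonicalization are assumptions of this example, not details taken from the post or from the mount(8) source.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef RENAME_EXCHANGE
#define RENAME_EXCHANGE (1 << 1)  /* <linux/fs.h> value; newer glibc also exports it via <stdio.h> */
#endif

/* The attacker's primitive: atomically exchange two directory entries (both names survive). */
static int swap_entries(const char *a, const char *b) {
    return (int)syscall(SYS_renameat2, AT_FDCWD, a, AT_FDCWD, b, RENAME_EXCHANGE);
}

/* Throw-away lab under /tmp (layout constructed for this example): <lab>/host stands in for
 * the node root, <lab>/vol/data is the legitimate subpath directory, and <lab>/vol/escape is
 * the symlink to <lab>/host that the "InitContainer" planted. */
static int build_lab(char *lab, size_t n) {
    char p[PATH_MAX], target[PATH_MAX];
    snprintf(lab, n, "/tmp/subpath-lab.XXXXXX");
    if (!mkdtemp(lab)) return -1;
    snprintf(p, sizeof p, "%s/host", lab);     if (mkdir(p, 0700)) return -1;
    snprintf(p, sizeof p, "%s/vol", lab);      if (mkdir(p, 0700)) return -1;
    snprintf(p, sizeof p, "%s/vol/data", lab); if (mkdir(p, 0700)) return -1;
    snprintf(target, sizeof target, "%s/host", lab);
    snprintf(p, sizeof p, "%s/vol/escape", lab);
    return symlink(target, p);
}

static void destroy_lab(const char *lab) {  /* after a swap either name may be the directory */
    const char *rel[] = { "vol/data", "vol/escape", "vol", "host" };
    char p[PATH_MAX];
    for (size_t i = 0; i < 4; i++) {
        snprintf(p, sizeof p, "%s/%s", lab, rel[i]);
        if (unlink(p)) rmdir(p);
    }
    rmdir(lab);
}

/* One step of the kubelet's safe-open walk. O_PATH|O_NOFOLLOW returns an fd even for a
 * symlink (to the link itself), so the type is checked with fstat; only a real directory
 * is accepted. Returns that directory's fd, or -1. */
static int open_dir_nofollow(int dirfd, const char *name) {
    struct stat st;
    int fd = openat(dirfd, name, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (fd >= 0 && (fstat(fd, &st) || !S_ISDIR(st.st_mode))) { close(fd); fd = -1; }
    return fd;
}

/* Runs the kubelet -> mount(8) sequence once, with the attacker's swap placed deterministically
 * inside the race window instead of being raced in a loop. canonicalize=1 models mount(8)'s
 * default (readlink() the magic link into a textual path, then look that text up again by
 * name); canonicalize=0 models --no-canonicalize (the "/proc/self/fd/N" string is passed on
 * untouched and the kernel follows it to the already-open inode). Returns 1 if the mount
 * source lands on the "host" tree, 0 if it stays on the validated directory, -1 on a setup
 * error, -2 if the planted symlink was not rejected up front (which is why the race is needed). */
static int run_scenario(int canonicalize) {
    char lab[PATH_MAX], p[PATH_MAX], data[PATH_MAX], escape[PATH_MAX];
    char magic[64], text[PATH_MAX], resolved[PATH_MAX];
    struct stat host, got;
    int volfd = -1, subfd = -1, srcfd = -1, result = -1;
    if (build_lab(lab, sizeof lab)) return -1;
    snprintf(data, sizeof data, "%s/vol/data", lab);
    snprintf(escape, sizeof escape, "%s/vol/escape", lab);
    snprintf(p, sizeof p, "%s/host", lab);
    if (stat(p, &host)) goto out;
    snprintf(p, sizeof p, "%s/vol", lab);
    if ((volfd = open(p, O_PATH | O_DIRECTORY)) < 0) goto out;
    /* Step 1 (kubelet): a symlink subpath is refused, so the attacker asks for the real
     * directory; subfd now pins that directory's inode and names the mount source. */
    if (open_dir_nofollow(volfd, "escape") >= 0) { result = -2; goto out; }
    if ((subfd = open_dir_nofollow(volfd, "data")) < 0) goto out;
    snprintf(magic, sizeof magic, "/proc/self/fd/%d", subfd);
    if (canonicalize) {
        /* Step 2a: mount(8) reads the magic link as text (".../vol/data")... */
        ssize_t len = readlink(magic, text, sizeof text - 1);
        if (len < 0) goto out;
        text[len] = '\0';
        /* Step 3: the RENAME_EXCHANGE lands here; "data" is now the symlink... */
        if (swap_entries(data, escape)) goto out;
        /* ...and the text is resolved again by name, following that symlink. */
        if (!realpath(text, resolved) || stat(resolved, &got)) goto out;
    } else {
        if (swap_entries(data, escape)) goto out;  /* Step 3: same swap, same timing */
        /* Step 2b: --no-canonicalize; the kernel resolves the magic link to the inode
         * held by subfd, whatever that directory happens to be called by now. */
        if ((srcfd = open(magic, O_RDONLY | O_DIRECTORY)) < 0 || fstat(srcfd, &got)) goto out;
    }
    result = (got.st_dev == host.st_dev && got.st_ino == host.st_ino) ? 1 : 0;
out:
    close(srcfd); close(subfd); close(volfd);  /* close(-1) is a harmless EBADF */
    destroy_lab(lab);
    return result;
}

int main(void) {
    printf("default canonicalization: %s\n", run_scenario(1) == 1 ? "ESCAPED to host" : "stayed in volume");
    printf("--no-canonicalize:        %s\n", run_scenario(0) == 1 ? "ESCAPED to host" : "stayed in volume");
    return 0;
}
```

Build it with cc -Wall -o subpath-race subpath-race.c on Linux and run it; the first line reports an escape and the second does not. The contrast that matters is that readlink(2) on /proc/self/fd/N hands back a name that has to be looked up again, whereas open(2) on that same string is resolved inside the kernel to the inode the kubelet already holds open, which is why handing the uncanonicalized magic link to mount(2) closes the window.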

The fix is in

Once the problem was well understood, we fixed it inside Kubernetes and quickly released the fix to GKE and Anthos. If GKE auto-upgrade is enabled in your clusters, there is no action on your part for this vulnerability: your nodes have already been patched. We strongly recommend that customers use auto-upgrades, which give peace of mind that your clusters are running with the latest patches.

GKE released a Google Kubernetes Engine security bulletin on this vulnerability, which detailed what customers can do to immediately remediate this issue across GKE and Anthos. We also provided guidance to customers who manually manage their node versions, ensuring that fixed releases were available in every region for our Static and Release Channels.

Moving forward
Google continues to invest heavily in the security of GKE and Kubernetes. We encourage users interested in finding vulnerabilities to participate in the Kubernetes bug bounty program and in the Google Vulnerability Rewards Program (VRP) which was recently expanded to cover GKE vulnerabilities. For the latest guidance on security issues, please follow our GKE Security Bulletins.

Key Characteristics of Malicious Domains: Report

The newness of top-level domains as well as infrastructure located in certain countries continue to be reliable signs of whether network traffic could be malicious, while the use of self-signed Secure Sockets Layer (SSL) certificates — or those issued by the free Let’s Encrypt service — are not abnormally risky, according to new research.

Internet security service DomainTools, in a new report released today, focused on active domains that exceeded certain thresholds in terms of the size of the infrastructure and found that top-level domains, IP autonomous system numbers, and IP geolocations are consistent indicators of risky content, compared with the average domain. 

Domains that use name servers maintained by Internap Japan and HostKey in the US, for example, were far more likely to be the source of risky traffic than average, according to the “DomainTools Report for Fall 2021.”

On the other hand, SSL certificates that are self-signed or from free services, such as Let’s Encrypt, were not any more likely to be malicious than average, says Tim Helming, security evangelist with DomainTools.

“We were surprised by the findings in the SSL certificates — most defenders assume Let’s Encrypt or a self-signed cert is an indication of badness, where in fact, that is really not true, statistically speaking,” he says. “The caveat is, however, that context matters so much. … If you have a domain that is mimicking a legit domain, and it uses a self-signed or Let’s Encrypt certificate, that’s a whole different ballgame.”

Domain reputation is a common input into security groups’ determination of whether certain network traffic or connections may be signs of an attack or malicious content. Phishing, malware, and spam domains are much more likely to be from newly issued top-level domains — such as .quest or .bar — or from relatively small countries, such as .ml for Mali, as compared with the average top-level domain.

DomainTools looked at relationships between domains that are a source of malware, phishing and spam, and six other characteristics: the top-level domain, IP autonomous system number (ASN), name server ASN, the geolocation of the domain’s IP address, the registrar, and the SSL certificate authority.

“We chose these characteristics because they are often used by defenders and security researchers as part of a process of building out a better understanding of a domain,” the report states. “Seasoned practitioners often develop intuitions about the implications of a given characteristic, based on their experience, expertise, and judgment in the analysis of adversary assets. In many cases, the data seen at scale tend to support those intuitions.”

“Signal Strength”
DomainTools used its own database of tracked domains and cross-referenced it with a variety of domain reputation databases and subscription services to classify the domains. The company compared the number of malicious domains with the overall number of domains for a specific provider, ASN, or certificate to create a relative measure of badness.

The researchers then divided that ratio by the same ratio for so-called “neutral” domains, which are not contained in the reputation databases. The resulting number is called the signal strength, and values greater than 1.0 indicate that malicious content is more likely from that source.

The top-level domain .quest, for example, has a signal strength of 131 but rather small volumes — fewer than 1,500 domains in DomainTools’ database. Companies are not likely to see content from that domain, but if they do, they should consider it risky.

“A lot of defenders think, and with good evidence, that there are certain [top-level domains] that just host a lot of malicious stuff, and that generally is because registrations are free or very inexpensive,” Helming says. “Cost is such a big part of the whole game.”

Most of the top-level domains, registrars, and autonomous systems that appear on the lists of maliciousness have relatively small numbers of domains, which means that even a moderate number of malicious domains can cause their signal strength to jump. The ASN for Nice IT Services Group in Dominica, for example, has a signal strength of 8,047 for phishing and 463 for malware but accounts for fewer than 2,000 domains. HostKey US has 7,155 domains associated with spam and only four “neutral” domains, giving it the highest signal strength for spam: 90,200.

“Some of the signal strengths of these domains were pretty extraordinary,” Helming says. “Granted, the law of small numbers is clearly at play — some of these just have a tiny handful of domains on them. You may not be super likely to run across those, but if you do, holy smokes, that is a really, really strong indication that you should send that domain into the sun, as they say.”
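Working through the signal-strength definition above with constructed counts, as an added example that is not DomainTools’ code: the article does not reproduce the report’s exact formula, so this reads “the ratio divided by the same ratio for neutral domains” as the share of all malicious domains carrying a given value divided by the share of all neutral domains carrying it, which is the reading under which a source with 7,155 spam domains and four neutral ones can score far above 7,155/4. The min_support cutoff that hides low-volume “neutron stars” from the default ranking is our own addition, and the sample inventory is constructed.

```python
"""Signal-strength scoring of a domain characteristic (added example).

Not DomainTools' code; the report's exact formula is not given in the
article.  This implements a ratio of shares: the fraction of all
malicious domains carrying a value of a characteristic (TLD, ASN,
registrar, CA, ...) divided by the fraction of all "neutral" domains
carrying that same value.  Above 1.0 means the value is over-represented
among malicious domains.  The min_support threshold is our own addition.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Signal:
    value: str        # characteristic value, e.g. "tld:quest", "asn:AS64500"
    malicious: int    # domains with this value found in a reputation list
    neutral: int      # domains with this value found in no list
    strength: float   # ratio of shares; >1.0 is over-represented in malicious
    low_volume: bool  # total domains below min_support: the ratio is fragile


def signal_strengths(records: Iterable[tuple[str, str, str]],
                     min_support: int = 5) -> dict[str, Signal]:
    """Score every characteristic value seen in records.

    records yields (domain, characteristic_value, label), label being
    "malicious" or "neutral".  A value with malicious domains but no
    neutral ones scores inf; with no malicious domains it scores 0.0.
    low_volume marks values whose domain count is below min_support,
    where a handful of listings can inflate the ratio (the "law of
    small numbers" quoted above).
    """
    mal: Counter[str] = Counter()
    neu: Counter[str] = Counter()
    for _domain, value, label in records:
        if label == "malicious":
            mal[value] += 1
        elif label == "neutral":
            neu[value] += 1
        else:
            raise ValueError(f"unknown label {label!r}")
    total_mal, total_neu = sum(mal.values()), sum(neu.values())
    if not total_mal or not total_neu:
        raise ValueError("need at least one malicious and one neutral domain")

    scores: dict[str, Signal] = {}
    for value in set(mal) | set(neu):
        m, n = mal[value], neu[value]
        mal_share = m / total_mal
        neu_share = n / total_neu
        if neu_share == 0.0:
            strength = float("inf") if m else 0.0
        else:
            strength = mal_share / neu_share
        scores[value] = Signal(value, m, n, strength, (m + n) < min_support)
    return scores


def ranked(scores: dict[str, Signal],
           include_low_volume: bool = False) -> list[Signal]:
    """Hottest values first; low-volume 'neutron stars' hidden by default."""
    rows = [s for s in scores.values() if include_low_volume or not s.low_volume]
    return sorted(rows, key=lambda s: s.strength, reverse=True)


# Constructed sample inventory keyed on TLD: 3 malicious and 15 neutral
# domains in total.  .quest carries two listed domains and one neutral one.
SAMPLE = (
    [("invoice-portal.com", "tld:com", "malicious")]
    + [(f"site{i}.com", "tld:com", "neutral") for i in range(9)]
    + [("login-update.quest", "tld:quest", "malicious"),
       ("secure-pay.quest", "tld:quest", "malicious"),
       ("blog.quest", "tld:quest", "neutral")]
    + [(f"host{i}.net", "tld:net", "neutral") for i in range(5)]
)


if __name__ == "__main__":
    scores = signal_strengths(SAMPLE)
    for s in ranked(scores, include_low_volume=True):
        flag = " (low volume)" if s.low_volume else ""
        print(f"{s.value:10} mal={s.malicious} neu={s.neutral} "
              f"strength={s.strength:.2f}{flag}")
```

On the sample data .quest scores 10.0 but is hidden from the default ranking because only three domains carry it; .com scores about 0.56, below the neutral baseline. In a triage pipeline the low-volume flag is what keeps a single listed domain on an obscure ASN from being read as a strong signal.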

Help With Triage
Interestingly, the only lists that did not fill all 10 slots with malicious entries were those for SSL certificate authorities. Overall, certificates are a weak indicator of maliciousness: half of the entries on those lists had signal strengths near or below 1.0, which means their domains are no more likely than average, and in some cases less likely, to be malicious.

Companies can use such data to inform their triage of threats, DomainTools stated. Some of the relationships uncovered by the report show a strong signal of maliciousness tied to one of the six characteristics. Many others, the company warned, have strong signals for very small collections of domains.

“[S]ome of these hotspots are like neutron stars: very high ‘heat’ and density (Signal Strength), very low size (number of domains),” according to the report. “As forensic indicators, these data points are not likely to make a big impact for most organizations, as the odds of coming across any of the domains tied to them are low.”

When Will a Cloud Infrastructure Heavyweight Launch a SASE?

Regardless of your role in cybersecurity or IT, if you’re reading this article, there is a good chance you have already heard mutterings of a tech trend called SASE.

Secure access service edge is a somewhat cumbersome assemblage of words dreamed up by Gartner, which frequently plays the John the Baptist of IT, anointing new and emerging trends and technologies with monikers, which are then rapidly taken up by vendors that have largely failed to describe themselves. Convenient hooks on which to hang their marketing hats, you might say.

SASE’s Component Parts
Be that as it may, kudos to Gartner for identifying and naming a trend in the market (for SASE is most definitely not a new technology but, rather, an emerging delivery mechanism for several important technologies in networking and security, most of which already existed). In the case of networking, these are:

  • Software-defined wide area networking (SD-WAN) and
  • 5G mobile connectivity.

Meanwhile, in network security, they are:

  • Next-generation firewall (NGFW),
  • Secure Web gateway (SWG), and
  • Cloud access security broker (CASB).

In secure remote access, the technology in question is the nearest thing to a new kid on the block, namely:

  • Zero-trust access (ZTA), which is a cloud proxy-based replacement for virtual private network (VPN) technology that provides both tighter security and more efficient use of bandwidth.

SASE brings all these technologies together and delivers them as a managed service, preferably (though not exclusively) from the cloud. For this reason, a further essential element of SASE is the network itself, which enables the SASE provider to offer service-level agreements to its customers.

The SASE Gold Rush
In the past 12 to 18 months, there has been a veritable SASE gold rush, with tech vendors from all the segments listed above working feverishly to don the SASE mantle and become service providers in their own right. Palo Alto Networks, Fortinet, and Check Point have all launched SASEs, as have companies that were already in the “as-a-service” business, such as content delivery specialists Akamai and Cloudflare, cloud-delivered SWG and ZTA provider Zscaler, and network-as-a-service pioneer Cato Networks.

Traditional telecoms operators, whose lunch the tech vendors now threaten to consume, have responded to this existential challenge with SASE offerings of their own: AT&T was first out of the gate in early 2020, but Verizon has since entered the fray, trumpeting the fact that it has had its own ZTA technology since its 2018 acquisition of Vidder.

The coronavirus pandemic has, of course, supercharged interest in SASE: With millions of knowledge workers suddenly forced to work from home, ZTA was a more convenient alternative to provisioning multiple new VPNs. And as some of these workers trickle back into offices where possible, branch connectivity delivered as a cloud-managed service, whether via SD-WAN, 5G, broadband, or any combination thereof, becomes attractive as a cost-effective alternative to MPLS WANs.

Just When You Were Getting Used to SASE…
Now that it has taught the world to talk SASE, meanwhile, Gartner has moved on to launch yet another acronym: SSE, which stands for security service edge (in effect, SASE without the “A” for access). In essence, an SSE has all the elements of a SASE minus the networking, and Omdia suspects that it may have been created at the request of vendors that play in this market but don’t have any SD-WAN technology. Zscaler is a case in point.

IBM, which launched its Security Service for SASE offering in September this year, delivers it via a partnership with Zscaler, making a virtue of the latter’s SSE status by arguing, therefore, that it will work with whichever SD-WAN vendor the customer has in place.

Will a Cloud Titan Throw its Hat into the Ring?
Frivolity aside, the question Omdia ponders is this: Will the SASE market grow to a point where one of the big players in cloud (Amazon Web Services, Microsoft Azure, Google Cloud, or even Salesforce) decides to launch a SASE of its own? They all have extensive networks with huge bandwidth between their multiple data centers. Indeed, Google’s network already underpins Palo Alto Networks’ SASE offering. Furthermore, GCP was a pioneer in ZTA with its BeyondCorp technology.

One might argue that SASEs are designed to facilitate multicloud access and thus work against the interests of the cloud heavyweights, which would love to be their customers’ sole providers. That said, multicloud is coming, if not already here in some form, and there are signs that some cloud service providers are actually embracing this heterogeneous world as a competitive advantage: Both Azure and GCP have cloud-based security information and event management (SIEM) platforms that can work across their rivals’ clouds, while Oracle has endowed its OCI Web Application Firewall (WAF) with the ability to protect apps in third-party clouds as well as on customers’ premises.

Omdia has long considered heterogeneous cloud security as a canny competitive tool for all cloud providers that want to convince the customers of market leader AWS to adopt a more promiscuous approach to cloud procurement. As such, a SASE could provide such vendors with a useful means of delivering secure cloud connectivity, with all the visibility into their customers’ cloud usage that would come with such a service offering.

Breaking the Black Mirror and Other Lessons From Day of Shecurity

While the numbers are improving, the vast underrepresentation and underpromotion of women in technology roles is hampering the industry’s effectiveness. Many organizations are joining a growing effort for more diversity and inclusion: Day of Shecurity. I recently spoke at the October virtual event and was inspired by the group of women in attendance — all eager to share their knowledge on how to break the glass ceiling (or in this case, “black mirror”) of the information security arena, negotiate your worth, and overcome fears of moving into management.

Once reserved for tech blogs and DEF CON, discussions around securing our personal and professional devices have become more mainstream. Our shift to a largely at-home workforce with fewer safeguards on access to corporate infrastructure and assets gave attackers a multitude of new attack vectors. We also started relying on the Internet for many of the activities we used to perform in person: online banking, online shopping, online learning, online socializing, online everything.

There are, however, far too few trained cybersecurity professionals available to meet the demand set by businesses. Projections for workforce shortages in cybersecurity have vastly underestimated the requirements of an ever-growing and evolving threat to the technology we have grown dependent on. In my last article, I explored how eager minds can find their niche in cybersecurity, but another passion of mine is empowering women to join the cyber workforce.

I’m often asked how to gain footing in a new role in this industry, and my answer always boils down to these tips:

  • Find a mentor. The cybersecurity industry is relatively small, and building relationships can help with everything from discovering new, open job positions to attending conferences and learning how best to prepare for an interview.
  • Consider the benefits of moving laterally within your organization. In the current age of digital transformation, most organizations are starting their own security teams and realizing the benefits of having experts on hand. Employee turnover is expensive, and many companies would be much happier to reposition a valued employee within a different team — especially a team that’s notoriously difficult to hire for.
  • Try a self-directed side project. Choosing a project may require guidance from a mentor who can lead you toward an option that will be representative of working in that role, but this can also provide you with a portfolio for potential employers in lieu of work experience. By sharing my malware research projects with hiring managers, I was able to demonstrate my experience in malware analysis and bolster my resume.
  • Understand the value of your “unrelated” skills. Your skills are more transferable than you realize: A history of software engineering grants you the ability to understand the process (and potential pitfalls) of the software delivery process; an undergraduate degree in humanities may make you well-equipped to effectively communicate strategies to executives. My time studying political science — a seemingly unrelated area of study — now helps me to understand the geopolitical context of the threat I’m researching.

Despite a growing interest in cybersecurity (due in large part to initiatives dedicated to equalizing the ratio of men and women in the industry), women still only represent 25% of the industry workforce, according to research from (ISC)². This is concerning for several reasons, one of the most important being that diversity brings more varied solutions to major challenges in cybersecurity — just as it has in every other industry. Our attackers are constantly finding new, creative ways to exploit users; we need to be able to catch up.


Launching ESET Research Podcast: A peek behind the scenes of ESET discoveries

Press play for the first episode as host Aryeh Goretsky is joined by Zuzana Hromcová to discuss native IIS malware

Did you ever wonder why researchers behind a cybersecurity discovery chose to go down that particular rabbit hole? What made them curious about that specific malware family, variant, or campaign? Did they come up with a specific name for that malware in the bathtub, on a run, or just used the first thing in the code that hit them?

From now on, we will offer answers to those and many other questions in our brand new ESET Research podcast – because there’s always more to ESET research stories than what made it into the paper or blogpost.

So be it the broader context of an attack, some obscure artifact found during analysis, or an inkling that lit a spark and led to a deeper dig in the malware, our host and ESET Distinguished Researcher Aryeh Goretsky will mine for it in his interviews with ESET researchers.

There will be a new episode every time we publish major research, which usually happens several times a year.

Our first episode focuses on native IIS (Internet Information Services) malware – a threat that has been lurking in the shadows of public-facing servers since 2013, yet is almost invisible to their admins as well as other defenders. Listen to the fascinating journey of ESET malware researcher Zuzana Hromcová, who co-authored a comprehensive guide describing 14 IIS malware families found in the wild, used by both crimeware and APT threat actors.

If you’d like to hear more, subscribe to ESET Research podcast on any of the popular podcast applications including Spotify, Google Podcasts, Apple Podcasts and PodBean.