CYE - Feed, https://cyesec.com, Real Cybersecurity (Wed, 05 Jun 2024 07:38:36 +0000)

The Importance of Assessing Cybersecurity Maturity: A Conversation
https://cyesec.com/blog/importance-assessing-cybersecurity-maturity
Wed, 05 Jun 2024 07:37:01 +0000, Yaffa Klugerman

While many security leaders understand the importance of cyber risk assessment, measuring and tracking cybersecurity maturity can be seen as less of a priority. In truth, however, cybersecurity maturity assessments are key to evaluating your organization’s readiness in the event of a cyber incident.

We sat down with Inbar Reis, Chief Product Officer, and Hemi Ramon, Director of Product Management, to talk about cybersecurity maturity and how CYE’s Hyver measures it.

Why is it important to measure cybersecurity maturity?

Measuring cybersecurity maturity is a complementary tool to measuring cyber risk. We know that mature companies have lower risk over time. Using NIST’s Cybersecurity Framework together with a CMMI-like ranking, organizations can measure their cyber strengths and weaknesses that are related not just to the core function of “protect,” but also “govern,” “identify,” “detect,” “respond,” and “recover.” And most importantly, organizations can see where they stand compared to the industry benchmark. They can also build a much more strategic mitigation plan on how to make their organization much more mature, as opposed to a tactical mitigation plan, which only measures risk and is more common.

How is considering maturity different than simply mitigating vulnerabilities?

Let’s say, for example, I have software with a vulnerability. I can update to the latest version of the software to remediate this vulnerability.

That is a tactical solution which is typically used by less mature companies. Mature companies have patch management, scanners, tools that check that the scanners are working and that systems are configured properly, processes to review vulnerabilities, and automatic tools that mitigate them. It’s about having the right people, processes, and technologies, rather than mitigating that one severe vulnerability that is in the news.

What are some of the challenges that organizations face measuring maturity?

The process of measuring maturity is often done manually and subjectively; it requires a lot of interviews with a lot of stakeholders to obtain the data, and eventually each person provides their own opinion—which could be biased. These are the reasons companies do it only once or twice a year, but not more than that.

Besides the huge investment, at the end of the day, those numbers are not defendable. If I asked you why your maturity scoring is four and not two, it is because people provided their own opinions, so that is hard to defend when presenting it to management and the board. This is the reason that people hardly use these types of maturity assessments.

What is unique about the way that Hyver measures maturity?

Many companies still use Excel spreadsheets for measuring maturity, if at all. In that spreadsheet, they provide their own scoring, which means that it’s very subjective—and they do it only once or twice a year, which means that it is not continuously updated and therefore, most of the time, practically outdated.

The information varies based on what they decided to add. With Hyver, on the other hand, scoring is based on objective measures. Hyver’s maturity assessment is structured exactly like NIST’s CSF, using its functions, categories, and subcategories. And it works at the subcategory level, NIST CSF’s lowest granularity, to make everything as accurate as possible. It relies on information such as the security technologies that an organization has in its environment, processes that have been implemented, employee training, and existing vulnerabilities that are related to each subcategory. These are all objective measures which affect the maturity score.

And, yes, you can also provide your opinion about each one of the subcategories through manual evaluation, but even this is relying on a scale which is very well-defined to enable you to provide the most correct information and receive the most accurate scoring possible.

Why is benchmarking your maturity important?

Benchmarking is extremely important. First, it helps you define your own targets, since you typically want to be a notch above your industry.

Second, it helps the CISO communicate maturity to the board by reporting, for example, that the industry score is 2.7, but we are at 3. It places the organization in a very positive position compared to other companies in the same industry. On the other hand, if the company scores lower than the benchmark, it can help the CISO justify a budget request.

This is the reason that CYE has collected and analyzed cybersecurity maturity-related data from many companies over the years. This enables us to provide our customers with a precise benchmark. The benchmark is calculated per industry, as we can see different trends in different industries; not all industries score the same in each of the functions. This is why it’s important to compare yourself to similar companies in the same industry.

How can CISOs communicate maturity scores using Hyver?

When a company receives a maturity assessment score, and they compare that to the industry benchmark, they can set targets and build mitigation plans to improve their maturity.

As mentioned earlier, the information that Hyver uses for the maturity assessment is objective data such as findings, existing technologies, and processes, which are updated regularly; therefore, the maturity scoring is regularly updated too. You can track the progress that you are making over time at the organizational level or the functional level and you can see whether the trend is positive or negative in each one of the functions. Of course, you can also compare the status with the benchmark and your targets and ensure that you keep improving until you reach your targets.

How does Hyver obtain enough organizational data to measure security?

Hyver integrates with EDRs, CNAPP, and many other tools, and also performs its own automatic assessments. All of these generate findings of vulnerabilities and misconfigurations, as well as identify technologies and processes. The maturity score is calculated using all that data. In addition, when findings are remediated, new security controls are introduced, or configurations are changed, the data automatically gets updated in Hyver and the maturity score is adjusted accordingly.

Want to learn more about how Hyver assesses cybersecurity maturity? Request a demo.

Fortifying Defense: Red and Purple Teams and Risk Assessments
https://cyesec.com/blog/fortifying-defense-red-purple-teams-risk-assessments
Tue, 28 May 2024 07:42:37 +0000, Tom Levy

In cybersecurity, and generally while seeking to defend any entity, it’s not enough to believe that “it should work” or “we should be able to see it coming.” In today’s dynamic world of cyber threats and vulnerabilities, we need to reduce our assumptions of our monitoring and detection abilities and rely more on fact-based knowledge. Among the arsenal of tools and techniques at our disposal to achieve this knowledge, two stand out as indispensable: red and purple teams.

When performing an organizational risk assessment, it’s not enough to merely identify weaknesses in our network or defenses. We must also use this activity to evaluate the effectiveness of our monitoring coverage and playbook knowledge. This is where the dynamic duo of red and purple teams comes into play.

Purple Teaming: Illuminating Monitoring Coverage

Purple teams act as your friendly attacker, collaborating closely with your Security Operations Center (SOC) team. Their mission is to shed light on the effectiveness of your monitoring coverage. By mimicking real-world attack scenarios common to your specific industry, they run a variety of attacks against your environment to gauge how many of them will be identified by your security systems. Unlike red teams, whose aim is to breach your organization’s defenses undetected, purple teaming focuses on understanding the scope and efficacy of your monitoring capabilities.

One of the primary benefits of purple teaming is its ability to uncover blind spots in your defense strategy. By exercising diverse attack vectors against your environment, purple teams reveal areas where your monitoring coverage may be lacking. Perhaps certain logs are not being collected or analyzed effectively, or maybe there’s a gap in your security product suite that leaves you vulnerable to specific threats. Regardless of the cause, purple teaming provides invaluable insights into the gaps in your monitoring posture, enabling you to address vulnerabilities and structural problems before they can be exploited by real adversaries.

Learning Opportunities: Turning Mistakes into Lessons

Purple teaming isn’t just about identifying weaknesses or blind spots; it is also about learning from our failures. As a former SOC manager, I knew that no matter how good I thought my monitoring was, I was in for surprises after the purple teaming finished. Now, as a CISO, I know that my knowledge and understanding will be lacking without it. When purple teams uncover blind spots in your defense strategy, it’s essential to approach these discoveries not as failures, but as opportunities for growth. Ask yourself why certain attacks went undetected. Was it due to a lack of logging or monitoring capabilities? Did your security products fail to detect and mitigate the threat? By investigating the root cause of these oversights, you can identify areas for improvement and strengthen your defense posture.

Red Teaming: Simulating Real-World Threats

While purple teams focus on evaluating monitoring coverage, red teams take a more adversarial approach. Their objective is to simulate real-world attacks and assess your organization’s resilience to sophisticated and evasive adversaries. Unlike purple teams, whose actions are noisy and coordinated with your SOC team, red teams operate independently, seeking to breach your defenses undetected and achieve their objectives.

The value of red teaming lies not only in its ability to uncover vulnerabilities, but also in its role as a catalyst for organizational monitoring, detection, and incident response improvement. By simulating real-world threats, red teams provide a realistic assessment of your organization’s security posture, highlighting areas where your defenses may fall short against determined adversaries. Additionally, red teaming offers a unique opportunity for your SOC team to test their incident response capabilities in a high-pressure environment: Do they know what to do? What’s the playbook and how do they work with it? Perhaps they will even discover that they don’t have any playbooks that are relevant for a real attacker in your network.

Many CISOs and SOC managers often overlook that an organizational risk assessment goes far beyond simply ticking off the box of “pentesting” or discovering issues regarding exposed interface protocols and even network architecture. The assessment is a huge opportunity to have the whole security band playing together. You can see if the tune is right and if the players know how to work with each other. Simply put, while undergoing a risk assessment and testing how your organization looks from an external and internal attacker’s perspective, red teaming will enable your teams to refine their procedures and enhance their readiness for future attacks.

How CYE Helps

Here at CYE, we believe that combining purple and red teaming makes magic happen. In our risk assessments, we know that our clients get the most out of their investment from both our red and purple teaming activities, which play vital roles in strengthening their organizations’ defense posture through tangible, real attacks that they can handle. While our purple teams focus on evaluating monitoring coverage and uncovering blind spots, our red teams simulate real-world evasiveness and assess an organization’s resilience to sophisticated adversaries.

By leveraging the insights gained from both approaches, our partners can really level up and know they don’t have to trust what’s written in the brochures of their monitoring and detection products. Now they can be assured that they will get that heads up from their monitoring systems on Friday afternoon—because it’s always going to happen on Friday afternoon.

Want to learn more about CYE’s expert services? Contact us.

4 Takeaways for CISOs About Breach Insurance Coverage
https://cyesec.com/blog/4-takeaways-cisos-about-breach-insurance-coverage
Mon, 20 May 2024 07:13:52 +0000, Nimrod Partush

One of a CISO’s key responsibilities is to fully understand the cyber risk that their organization faces and to plan a cybersecurity budget accordingly. Not all risk can or should be mitigated, and residual risk is never zero, so CISOs must determine:

  1. How much risk is acceptable
  2. How much risk should be mitigated
  3. How much risk can be transferred to a third party, such as cybersecurity insurance.

According to CYE’s latest report, however, number three can be problematic.

The report, “Inadequacies in Breach Insurance Coverage: A Data-Driven Gap Analysis,” shows that many organizations often underestimate the true cost of potential cyber incidents and mistakenly rely on cyber insurance to cover their losses.

What do CISOs need to know about this? Here are some key takeaways from the report:

1.  Chances are, your company doesn’t have enough cyber insurance coverage.

The report, which analyzed 101 incidents across various sectors, found that:

  • 80% of insured companies that suffered a data breach did not have sufficient cyber insurance coverage.
  • The average coverage gap was 350%, meaning that more than three-quarters of the cyber incident was not covered. This translates to an average uncovered loss of $27.3 million.
  • The coverage gap accounted for 9% of revenue when removing outliers. With outliers, the coverage gap amounted to 42% of revenue.

Bottom line? Cyber incidents are typically much more expensive than CISOs or insurers expect them to be.

2.  Insurers typically will not cover hidden losses resulting from cyber incidents.

When considering cyber insurance, it’s important for CISOs to be aware of the limits: While insurance may cover a portion of the costs of regulatory fines, breach containment, and class-action lawsuits, it usually does not account for “hidden” losses.

These hidden losses may include:

  • loss of intellectual property
  • lost productivity
  • business continuity impact

For example, Equifax’s stock performance dropped significantly after suffering a breach in 2017. A reduced stock value translates to direct losses for investors and damages the organization’s ability to raise capital through its stock. Stock performance is frequently also an indication of lost revenue.

3.  The insurance gap trend has remained constant in recent years.

From 2004 through 2023, the insurance gap has remained in the tens or even hundreds of percent. Unfortunately, we are not seeing improved capabilities for estimating breach costs as time progresses. This suggests that organizations are not accurately quantifying their cyber risk, and at the same time, insurers are not providing adequate cyber insurance coverage.

4.  Accurate cyber risk quantification is the key to overcoming the cyber insurance gap.

To understand the potential cyber risk that organizations face and how much cyber insurance is necessary, CISOs must perform reliable and accurate cyber risk quantification.

To accomplish this, it’s important to:

  • Focus on the most critical assets that are at the highest risk.
  • Calculate asset value according to revenue, industry, historical data, and specific costs to the company including hidden costs.
  • Prioritize mitigation based on cost to the organization, as well as the cost to reduce threats.
  • Use a cyber risk quantification solution with a continuously updated breach calculator.

Cyber risk quantification with Hyver

CYE’s cyber risk quantification platform, Hyver, produces a risk calculation backed by data from numerous real-world security assessments. Its cost of breach model calculates exposure by considering the likelihood and impact of breaches, including hidden costs.

Because Hyver generates much of the data itself, without relying on the organization’s input as with other CRQ tools, the result is an objective and reliable calculation rather than a subjective assessment.

Using Hyver, CISOs can get a realistic view of the true potential cost of cyber risk and thus plan mitigation and cyber insurance accordingly.

Want to learn more about how Hyver accurately quantifies your cyber risk? Schedule a demo.

Unraveling Uncertainty: The Art of Risk Mitigation Planning
https://cyesec.com/blog/unraveling-uncertainty-art-risk-mitigation-planning
Mon, 13 May 2024 07:43:06 +0000, Yaffa Klugerman

The Importance of Risk Mitigation Planning

A risk mitigation plan helps organizations protect critical assets from potential threats and reduce the likelihood of a breach by implementing security measures. It is essential for maintaining business continuity and avoiding unexpected service disruptions such as downtime and other cybersecurity incidents.

Cyber risk mitigation enables your organization to answer very important questions such as:

  • What are the most critical assets at risk?
  • Are we able to prioritize vulnerabilities based on business context?
  • What security measures and controls are currently in place to mitigate cyber risks?
  • What approach do we want to take with risk mitigation planning?
  • Do we consider all relevant financial data, including insurance and regulatory liabilities, to identify the risk optimization point?

By developing a risk mitigation plan, organizations can establish clear guidelines and protocols designed to address security incidents effectively and show cyber resilience.

How to Develop an Effective Cyber Risk Mitigation Plan

Creating a cyber risk mitigation plan requires a team effort. There are a lot of factors that go into successful risk mitigation planning. However, before investing in upgrading existing tech stacks or hiring a full incident response (IR) team, an organization must unite all relevant stakeholders and collaborate as a cohesive unit.

Key stakeholders should consist of the C-suite, DevOps, legal and finance, security analysts, compliance officers (if applicable), and of course, the CISO, who should be the captain of the team. CISOs might bring their team to assist in delegating various responsibilities, such as procurement, researching solution vendors, continuous monitoring of third-party applications, and working closely with AEs for ongoing support for integrated technologies implemented within the organization’s IT infrastructure.

An initial meeting should be held with everyone present to assess the organization’s current cyber risk posture. The meeting should be an open-ended discussion where everyone can contribute equally to benefit the organization. The meeting should preferably be held in a room with a whiteboard, where everyone can come with fresh ideas. Always keep the discussion open and set aside a good 15 minutes of pure brainstorming and Q&A at the end.

CYE Pro Tip: Involve everyone in the discussion and keep it open-ended to encourage team participation. Creating a risk mitigation plan requires a collaborative team effort, where each key stakeholder, regardless of their role, must feel equally empowered to add their input so that everyone is fully aligned with the organization’s business and security objectives.

Each stakeholder on the Risk Mitigation Planning Team brings a different perspective to the table. For instance, a CFO will play a major role in the risk mitigation planning process as they will need to perform a cost-benefit analysis of various cybersecurity solutions to justify the investments before any resources can be allocated efficiently.

Common Concerns by Role (The Core Four Risk Mitigation Planning Quadrant)

CEO

  • Understanding the overall risk landscape and potential threats to the organization’s goals
  • Alignment of mitigation strategies with business objectives and risk tolerance
  • Potential reputational damages if an incident occurs

CFO

  • Financial impact of potential risks on the organization’s budget and bottom line
  • Cost-effectiveness of proposed mitigation measures and budget allocations
  • ROI assessment of the implemented mitigation measures

CISO

  • Prioritization of risks based on severity and their potential impact to the organization and its business-critical assets
  • Deciding which technologies, processes, and procedures to implement based on the risk assessment
  • Updating security measures based on incidents that occurred, newly-discovered vulnerabilities, and new threat intelligence

Security/Risk Analyst

  • Quantifying transferred and acceptable risk and how they impact the mitigated risk
  • Ensuring compliance with internal security policies and external industry standards
  • Monitoring and analyzing threat intelligence feeds to identify any suspicious behavior and patterns
  • Assessing and managing security risks associated with third parties

Each individual on the Risk Mitigation Planning Team should be accountable for their contributions to achieving success when it comes to future-proofing the organization from emerging threats. KPIs should be assigned for everyone involved.

Not every organization will have access to an entire team of security professionals. Larger scale enterprises typically have full security and incident response teams deployed, while SMBs might rely solely on a CISO for the entire risk mitigation planning and implementation process.

Research conducted by PwC found that 54% of risk professionals wanted stronger relationships with senior executives for greater influence. This is why it’s so crucial for everyone to be fully aligned from the beginning.

Creative Aspects for Risk Mitigation Planning Success

Calculating & Quantifying Cyber Risk

Mitigation efforts are ineffective if an organization does not have business context behind each risk. This lack of contextualized prioritization leads to wasted resources and budget allocation. Cyber risk quantification makes communication with management a seamless process, as vulnerability findings can be presented in business terms that everyone can understand.

Considering Budget

Using cyber risk quantification, the cost of mitigating risks should be compared to the cost of a possible cyber incident that might occur without mitigation. Sometimes, for example, it makes more financial sense to remove the path to a vulnerability, rather than the vulnerability itself.

Considering Return on Investment

Ultimately, risk mitigation should be viewed as an investment into a company’s financial stability, security, and reputation. CISOs will be much more likely to convince the C-suite about cybersecurity investments by demonstrating the alignment of cybersecurity efforts with quantifiable business goals and a clear ROI.

Managing Unforeseen Challenges and Risks

Emerging Cyber Threats

Experts predict that by 2031, ransomware attacks will occur every two seconds and cost victims over $265B. Ransomware attacks are becoming increasingly more difficult to detect due to advancements in AI technology. Ransomware groups are leveraging generative AI tools such as ChatGPT to build more sophisticated attacks, lure more unsuspecting targets, and scale their operations exponentially. Creating an effective risk mitigation plan becomes more challenging as the cyber landscape continues to evolve and AI grows even more sophisticated.

Crisis Management

A cybersecurity incident-related crisis can arise at any given moment without warning. From OT system failure to a data breach, organizations must have an immediate incident response plan to safely restore any data lost and maintain business continuity. Building a risk mitigation plan is challenging in this situation due to the complexity of IT environments, resource constraints, and limited visibility coverage that could be the result of many fragmented security solutions. Security analysts encounter a greater challenge with alert fatigue if risks are not presented with business context, leading to many false positives and wasted resources in the process. Without advanced crisis management and incident response tools, an organization will face a steep uphill climb at effective mitigation planning.

Data Privacy Concerns

During the fourth quarter of 2023, data breaches exposed more than eight million records worldwide. The need to protect sensitive data is a continuous priority for organizations, especially regarding growing concerns about data privacy. Organizations often have complex data ecosystems with data stored across multiple systems, platforms, and locations. Mitigation planning becomes challenging when trying to assess and mitigate risks across these diverse data environments without a clear understanding of where the sensitive data lives.

Cyber Risk Mitigation Planning Checklist

We’ve outlined a 6-point risk mitigation checklist that you can use to safeguard your critical assets and take preventative measures against emerging threats.

Here is a step-by-step process for successful risk mitigation planning:

Identify: Begin by identifying the vulnerabilities that pose the highest threat to your critical business assets and organization.

Prioritize: Prioritize the findings by levels of severity and focus mitigation efforts on addressing the most critical threats first.

Develop: Work together with your team to develop an effective mitigation plan that aligns with your specific business goals and priorities.

Implement: Put the mitigation plan into action. Implement necessary changes to processes, procedures, systems, or infrastructure to reduce the likelihood of a breach and business impact of identified risks.

Monitor: Continuously monitor the effectiveness of mitigation strategies and make adjustments based on data-driven insights rather than guesswork.

Improve: Conduct regular cyber risk assessments to identify emerging threats, assess the effectiveness of existing mitigation strategies, and prioritize areas for improvement.

Knowing which critical assets are at the highest risk is the blueprint for effective risk management and prioritization of mitigation efforts.

Enhance Your Risk Mitigation Planning Efforts with Hyver

Optimize your cybersecurity posture with CYE’s risk mitigation platform, Hyver.

Hyver’s mitigation graph displays all the attack routes to your critical business assets. It maps out the most severe vulnerabilities, enabling you to manage, prioritize, and plan the mitigation of vulnerabilities to close security gaps that pose the highest threat to your business.

Prioritize cyber risk remediation according to business KPIs. Gain complete visibility of your company’s probable attack routes to make more informed mitigation strategies with CYE.

Want to learn how Hyver’s mitigation planner can help reduce cyber risk in your organization? Contact us.

Mapping Progress: Exploring the Cybersecurity Maturity Model
https://cyesec.com/blog/mapping-progress-exploring-cybersecurity-maturity-model
Tue, 30 Apr 2024 09:03:53 +0000, Mike Wilkes

In my previous post, “Mastering Cybersecurity Maturity: A Comprehensive Guide to Assessing Your Defenses,” I spoke about how all organizations should be focused not just on whether they have a given compliance framework control or control family in place, but also on gauging to what degree they have implemented the control from a cybersecurity maturity model. Rather than repeat some of the basic concepts from that guide, here we will assume that you have accepted the observation that improving your security posture requires self-reflection on your infosec program’s strengths and weaknesses in terms of automation, optimization, and capability. So the next question that naturally comes to mind is to think about where to attempt improvements and why.

A Little History

The concept of a cybersecurity maturity model is an extension of the Capability Maturity Model (CMM) developed in the 1980s after a study of data collected from organizations that contracted with the U.S. Department of Defense. Primarily concerned with the quality of software development processes, the idea of a capability model can easily be extended to other areas of work where process optimization is a desired outcome. If one takes the perspective that security vulnerabilities and misconfigurations are just another form of software bug, then it is simply a matter of writing tickets to address these bugs, no? Not exactly. Having no open security findings after performing a code scan of an application software repository does not mean that you are secure or that you are not at risk. A good pentest will often reveal business logic flaws in an application process that are not based on exploitable software packages and libraries that make up the application or API. The cybersecurity maturity model helps teams take account of components of an infrastructure that are not just lines of code.

From Nothing to Something

In the film “The Sound of Music” there is a lyric that goes:

Let’s start at the very beginning

A very good place to start…

In performing security assessments for companies both large and small, I have found that starting from scratch is helpful for several reasons. With startups it is often the case that they will score a “0” for various security controls and processes or policies. Nothing exists on paper and nothing exists as a technical control. A perfect example of this is the principle of least privilege and the implementation of role-based access controls (RBAC). In the early days of a startup, the need for speed and the ability to enable self-service problem-solving winds up with a permissions scheme of “all or nothing.” Either you have full admin on the cloud infrastructure, or you have no access at all. If left this way for too long, the issue accretes additional risk over time and becomes technical debt.

Conversely, the pathology that emerges within a long-running organization or enterprise is credential bloat. Department names change slowly over time due to restructuring efforts, and so do the corresponding permissions for file shares and access to service accounts, databases, and systems. A group of devops engineers might be temporarily spun off from the main team to focus on quality control issues in the release engineering function. They are given additional permissions and group memberships in Active Directory, for example, and when the initiative is completed, these permissions are seldom removed or pulled back.

There is a technical term, learned from first-hand experience in such organizations, called “token bloat” in Windows infrastructures. Token bloat occurs when you are a member of too many groups in Active Directory. At somewhere around 125 groups, your Kerberos token size reaches 64kb and causes authentication problems. In these situations, it can often be easier and more efficient to “pave over” the existing infrastructure and launch an entirely new effort, which is, in a sense, starting from scratch as well. “Fixing” the problem and trying to trace out the dependencies and inheritance of permissions on objects and files can prove to be a painful and prolonged process that frequently involves shooting yourself in the foot, as they say. Repeatedly. Furthermore, some of the original reasons for various permissions and group memberships may no longer be relevant, so sleuthing them out is of little value to the business.

Maturity Levels

With some of the proverbial “low hanging fruit” taken care of by introducing a technical control and the corresponding policy documentation where none had previously existed, we’re ready to explore in a bit more depth the five cybersecurity maturity model levels of Hyver, CYE’s optimized cyber risk quantification platform. I’ll use the remainder of this blog post to provide a few more stories and anecdotes that will serve to illustrate the points and characteristics of each maturity level.

Level 1: Initial

Unstructured security practices: Cybersecurity processes are ad hoc and disorganized, lacking standardized controls. For controls addressing asset management, a company with a Level 1 maturity might have a spreadsheet that contains some (but not all) of the serial numbers of laptops and servers that the company owns. But the spreadsheet is not kept up to date and is not complete, so even the information that it does contain may very well be incorrect as to who is the current owner of a device, for example.

Limited threat visibility: There’s a minimal understanding of potential cybersecurity threats, and responses are reactive. If an organization does not have an accurate or complete inventory of hardware, then the software packages and versions installed on those devices will also be incomplete or partial. How can the infosec team perform an impact assessment or risk analysis of a Zoom vulnerability, for example, if they do not know how many devices have Zoom installed or which version of the software is installed?

Level 2: Developing

Basic security management: Basic cybersecurity management practices are introduced, including incident response plans. Not all activity is reactive and some processes are documented and repeatable (though not automated). A Level 2 maturity for identity and access management controls, for example, would include performing a user rights audit once or twice per year to ensure that permissions are “right-sized” for each user.

Risk management: Initial steps are taken to identify and manage cybersecurity risks. The emphasis is on securing assets and data. Core projects to improve cybersecurity are budgeted and tracked towards execution, such as deploying a password vault or implementing SSO (or expanding its use to third-party platforms that support SSO). Before progressing to Level 3, it makes sense to make sure there are no “zero maturity” areas of work with regard to the observations from an external risk assessment (normally performed against the NIST CSF).

Level 3: Defined

Standardized security processes: Well-defined and documented cybersecurity processes are implemented across the organization. At this level, the burden of performing a SOC2 audit is greatly reduced because there are artifacts available to the auditors that clearly demonstrate that a process is in place which is followed and which meets “reasonable security” practices.

Comprehensive security measures: Comprehensive security measures are put in place, covering areas such as access control, encryption, and vulnerability management. At Level 3, a combination of documentation and cybersecurity technique is present that makes it easy to onboard new hires. This is because there are both technical controls in place, with some elements of automation, and managerial oversight and process to ensure that new software developments and products for the company are discussed with the security team before they are deployed into production. The SDLC (Software Development Life Cycle) will have components that perform code scanning or vulnerability management in a manner that encourages earlier identification of issues and exposure to risk.

Level 4: Managed

Quantitative risk management: At this level, the effectiveness of technical systems is measured and evaluated, policy compliance is measured and enforced, and procedural effectiveness is monitored. Cybersecurity processes are quantitatively managed using metrics and statistical techniques. Increased sophistication of tooling allows for threshold-based monitoring, such as adding a firewall analyzer, and code coverage for repository scanning.

Continuous improvement in security: Constantly evolving and improving cybersecurity practices based on quantitative analysis and feedback. Level 4 will almost certainly introduce a VDP (Vulnerability Disclosure Program) with a company that provides continuous penetration testing and assessment of asset and software risk. Additionally, a bug bounty program might also be funded that rewards those who report issues to the security team for their efforts, demonstrating to the market that the company takes security seriously and is willing to share some remediations of exposures as a means of building trust and transparency.

Level 5: Optimizing

Innovative and improved cybersecurity practices: Emphasis on innovative cybersecurity solutions and practices to stay ahead of emerging threats. One example of an innovative practice is the formation of a threat intelligence capability (either in-house or outsourced) which proactively engages with ISACs (Information Sharing and Analysis Centers) to participate in sharing TTPs and IOCs with industry partners and also competitors. Another example would be to have a deception program that is responsible for operating canary tokens and honey pots in order to receive advanced warning of aggressive security posture probing and testing by threat actors.

Organizational cybersecurity learning: The organization learns from cybersecurity incidents, adapting and optimizing security measures for continuous enhancement. This would extend from its own infrastructure and services to also include that of its third- and fourth-party service providers and vendors to mitigate supply chain attacks and breach risks. Although not often achieved even by well-funded and well-managed security programs, Level 5 maturity does take place and is not impossible to achieve.

(Not) the End

Progressing along this path of cybersecurity maturity is what is meant by the phrase “continuous improvement” and is a goal worthy of pursuing. Hopefully you have learned enough to begin your journey and have realized that it’s not the destination that matters, it is the journey itself that brings the benefits and improvements. Benefits in the form of tooling and process improvement, but also benefits to the security culture and mindset of your organization. The final level of cybersecurity maturity is intentionally self-referential almost like a zen koan. It is a riddle that has no single answer and no set solution space. You are free to interpret what your Level 5 might look like and it will depend on your industry, your company’s DNA, and the “connect the dots later” point of view that Steve Jobs famously referred to in his Stanford University 2005 commencement speech.

The cybersecurity maturity model is a tool that you can wield to help set clear goals for your organization and make those goals quantifiable. You can track your progress across hundreds of controls, each of which can be assessed on this model and understood in terms of what capabilities you wish to obtain. So I entreat you to go forth and benchmark!

Briefing the Board: A CISO’s Guide to Cybersecurity Leadership
https://cyesec.com/blog/briefing-the-board-a-cisos-guide-cybersecurity-leadership
Mon, 15 Apr 2024 16:12:32 +0000, Ira Winkler

It makes sense that if a board knew what they wanted to hear about, they would simply let the CISO know. Unfortunately, however, they often don’t. This puts the CISO in the awkward position of having to read the board’s collective mind and deliver what the CISO thinks the board wants to hear. Clearly, this is a problem, but it is also an opportunity to exert cybersecurity leadership and move the board in directions the CISO wants it to go.

Here’s how to do that.

Gather Input from Board Members

A good CISO will start by approaching individual board members and finding out what they specifically want to ask and hear about cybersecurity risk. At the end of the day, the board doesn’t necessarily care about whether systems are secured, but about how cybersecurity impacts the proper functioning of an organization. They care whether cybersecurity, or the lack thereof, will impact company operations. They care about financial risk. They care about the organization remaining functional. Ideally, a smart board will want to see if cybersecurity can become a competitive advantage.

To that end, a CISO should perform the interviews for input. As a board may not know what they want to hear, it is useful to ask other executives what they believe the board may want to hear. They would also know how the board prefers to hear the risk as well. Even before a CISO starts with their preconceived notions, they need to start with a focus on satisfying the board by default.

Address Cyber Risk in Financial Terms

Assuming the CISO accounts for the board’s concerns, CISOs typically get about 15-20 minutes in front of the board. The topics covered can include anything, but there is a general format outside of specific board concerns:

  • Overview of the cybersecurity program and risk exposure
  • Incidents that happened since the last briefing
  • Status of major programs being undertaken by the CISO
  • Overview of the threat landscape and emerging issues, and what the CISO is doing to address the issues
  • Requests of the board, such as help overcoming roadblocks with other departments, budget, etc.

It is best to address risk in specific financial terms. Risk should be considered in terms of both what there is potentially to lose, as well as what can be saved. Fundamentally, all cybersecurity programs should reduce risk and increase opportunity. For example, one can’t perform online transactions without embedded cybersecurity.

To that end, CISOs do first need to talk about the risk, meaning potential loss. They need to identify types of losses that can result from cybersecurity failures, which is really what boards are fundamentally concerned about. For this type of information, CISOs need to anticipate different types of losses and predict their potential value. Such losses include data breaches, system outages, insider theft, data loss, among other losses that are standard for a given industry.

Use an Effective Cyber Risk Quantification Tool

The next question is how to come up with the potential financial risk.

There is a plethora of cyber risk quantification (CRQ) tools available, and there are also consulting services that will calculate this risk. Both vary greatly in quality. The services have the additional issue that they can be costly, take a long time to complete, and are outdated before the final report is done.

Because of this, the big question a board will want to ask is, “How were these numbers derived? How can I trust these numbers?” The answer is that with many tools, the stated risk is often not transparent or justifiable and with some tools, it is very clear and understandable for all parties. Ideally, a CISO should be able to walk through the data and see all of the details about the calculations. Without this, you are generally hoping that the board chooses to accept pretty graphics that sound reasonable.

Justify Funding with Return on Investment

The next issue that comes up is that when a CISO discusses their program and requests funding, it helps if they can justify their ongoing efforts with return on investment and overall reduction of financial risk. For example, a CISO can say, “With regard to this project, we are X% complete, and have so far reduced risk by $XX,XXX,XXX. We expect to continue according to the following schedule…” This is a powerful description of progress and value produced by the CISO.

At the same time, when a CISO wants to request additional budget or pursue additional activities, it again is best to frame it in financial terms. For example, “I want to implement a new technology that will reduce the threat from XXXX. The technology will cost $XXX,XXX and reduce our exposure by $XX,XXX,XXX.”

Essentially, a CISO is putting a business case together in terminology that the board is used to hearing.

Of course, not all boards are alike. Likewise, there are many incredible CISOs who likely present different information in different ways to their own boards. There isn’t necessarily a single right way to do it. However, when CISOs do present the cyber risk posture to boards, we at CYE have found that it is most effective to discuss plans in financial terms, including return on investment. It helps if the numbers are defensible and can stand up to any skeptics who assume cybersecurity professionals are always doomsayers.

How CYE Can Help

With CYE’s optimized cyber risk quantification platform, Hyver, you can:

  • Determine the potential financial consequences of cyber risk in dollars and estimate the cost of mitigating those risks
  • Assign the cost and likelihood of a breach to each business-critical asset
  • Plan your cybersecurity budget and understand the financial impact of mitigation activities

Success Stories Unveiled: Achieving Effective Risk Mitigation
https://cyesec.com/blog/success-stories-unveiled-achieving-effective-risk-mitigation
Tue, 02 Apr 2024 07:21:19 +0000, Itay Peled

As companies better understand the potential negative impact of cyber breaches, global organizational cybersecurity maturity is increasing every year. However, with this awareness comes complexity: Organizations now receive extensive information about their security gaps from multiple sources such as vulnerability management and infrastructure assessment tools, endpoint protection tools, penetration tests, and more. This vast amount of generated data compels organizations and security personnel to organize and prioritize the remediation process, especially when they rely on different internal teams.

So how does one manage so many findings and data when other teams are involved? An effective risk mitigation planning strategy.

The Problem: Too Many Findings

Our case study focuses on a 30-year-old software development company that carried its legacy IT infrastructure into the new era of the cloud. The company’s security professionals had partial visibility into its security risk from their security and IT tools. Not surprisingly, the limited information about the company’s security posture that was presented to its management and board was extremely positive.

As the company grew, customers and regulations demanded more security requirements, so the company conducted a thorough organizational risk assessment that included a questionnaire and hands-on penetration testing. The assessment highlighted more than 50 findings across different technological domains, such as networking, identity management, and others.

The security team, led by the CISO, reviewed the findings and began addressing the critical and high priority cyber gaps, which resulted in an endless list of tasks and tickets. After a few months, the team understood they needed to change their approach, as the list got only slightly shorter.

The Solution: A Different Strategy for Prioritizing Risk Mitigation

The immediate prioritization of findings by criticality is often the first mistake security teams make. Of course, organizations want everything to be fixed, but that can’t happen immediately.

Working with CYE and its mitigation prioritization methods, the company changed its approach to prioritizing risk mitigation:

  • Identify “low-hanging fruit”
  • Understand the attack route
  • Consider roles and responsibilities
  • Dig into the “root cause”

After this change in prioritization, half of the findings were addressed within a month and, more importantly, the potential attacker’s route was blocked. This meant that the attack could not be repeated and the organization was protected against this vector.

So how did this company do it, and how should you approach prioritizing risk mitigation?

Identify “Low-Hanging Fruit”

Based on CYE’s experience in remediation and conversations with different technical IT teams, the team highlighted what might be easier to address in their specific case. Every network is different from the others and has unique challenges and improvement opportunities.

Visualize the Attack Route and Block It When Possible

The complete picture of the attack route is not visible when looking at a list of the findings from a penetration test. It is not clear what exactly was done and how the assessors were able to successfully access systems.

When looking at an attack with a graph, including a start position, the findings that can be exploited, and end position (business impact), the team can “cut” the attack route and make sure the route and methods used in the attack vector cannot be leveraged anymore.

Taking this different approach to risk mitigation benefits the organization by reducing the exposure of its business-critical assets—even without remediating all the findings.
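To make the “cut the attack route” idea concrete, here is an added Python example; it is not CYE’s or Hyver’s code. It models a penetration-test result as a directed graph in which each edge is a finding that let the assessors move from one asset to the next, then searches for the smallest set of findings whose remediation disconnects the start position from the business-critical asset. The asset names, finding identifiers, severities and remediation-effort scores are all constructed for illustration.

```python
"""Attack-route 'cut' prioritisation on a constructed findings graph.

Added example, not CYE's or Hyver's code. Asset names, finding ids,
severities and remediation effort are constructed for illustration.
"""
from collections import deque
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

Edge = Tuple[str, str, str]  # (from_asset, to_asset, finding_id)

START = "internet"
TARGET = "customer-db"

# Each edge reads: "holding from_asset, the assessors reached to_asset by
# using finding_id". Two routes run through the workstation, one through
# the web application. (Constructed graph.)
EDGES: List[Edge] = [
    ("internet", "vpn-gateway", "F01-vpn-no-mfa"),
    ("internet", "web-app", "F02-exposed-admin-panel"),
    ("vpn-gateway", "workstation", "F03-flat-network"),
    ("web-app", "app-server", "F04-weak-app-creds"),
    ("workstation", "file-server", "F05-shared-local-admin"),
    ("app-server", "file-server", "F06-reused-service-account"),
    ("file-server", "customer-db", "F07-db-trusts-file-server"),
    ("workstation", "customer-db", "F08-db-open-to-all"),
]

# Severity as a report might label it, and remediation effort from
# 1 (easy) to 5 (hard). Both are constructed values.
SEVERITY = {"F05-shared-local-admin": "critical", "F02-exposed-admin-panel": "low"}
EFFORT = {
    "F01-vpn-no-mfa": 2, "F02-exposed-admin-panel": 1, "F03-flat-network": 5,
    "F04-weak-app-creds": 2, "F05-shared-local-admin": 3,
    "F06-reused-service-account": 3, "F07-db-trusts-file-server": 4,
    "F08-db-open-to-all": 2,
}


def reachable(edges: List[Edge], start: str, target: str,
              remediated: FrozenSet[str] = frozenset()) -> bool:
    """Breadth-first search that only follows edges whose finding is still open."""
    adj: Dict[str, List[str]] = {}
    for src, dst, finding in edges:
        if finding not in remediated:
            adj.setdefault(src, []).append(dst)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def minimal_cuts(edges: List[Edge], start: str, target: str) -> List[Set[str]]:
    """All smallest sets of findings whose remediation disconnects start from target."""
    findings = sorted({f for _, _, f in edges})
    for size in range(1, len(findings) + 1):
        cuts = [set(c) for c in combinations(findings, size)
                if not reachable(edges, start, target, frozenset(c))]
        if cuts:
            return cuts
    return []


def cheapest_cut(edges: List[Edge], start: str, target: str,
                 effort: Dict[str, int]) -> Set[str]:
    """Among the minimal cuts, the one with the lowest total remediation effort."""
    cuts = minimal_cuts(edges, start, target)
    if not cuts:
        return set()
    return min(cuts, key=lambda c: (sum(effort[f] for f in c), sorted(c)))


if __name__ == "__main__":
    # Fixing only the "critical" finding leaves the route open.
    print("route open after fixing F05:",
          reachable(EDGES, START, TARGET, frozenset({"F05-shared-local-admin"})))
    print("minimal cuts:", minimal_cuts(EDGES, START, TARGET))
    print("cheapest cut:", cheapest_cut(EDGES, START, TARGET, EFFORT))
```

In the constructed graph the “critical” finding F05 appears in no minimal cut, so fixing it first (the criticality-first mistake the post describes) does not block the route, while the cheapest cut includes a “low” finding. The exhaustive search over combinations is fine for the tens of findings in a typical assessment; for much larger graphs a max-flow/min-cut routine from a graph library would replace `minimal_cuts`.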

Consider Internal IT Teams’ Roles and Responsibilities

As organizations grow, they become more complex. Understanding the internal organization’s IT teams’ roles and perspectives is the key to success in the risk mitigation phase. The team and CYE separated the findings into different domains based on the teams’ roles and met with only the relevant stakeholders. Remediating some findings was possible only with a clear understanding of these roles and responsibilities.

Treat the “Root Cause” and Not Only the Symptoms

CYE focuses on “root cause” to treat the findings once and for all and ensure they do not return in the future. Identifying the root causes of findings requires vast familiarity with different IT issues and experience in fixing them.

To identify the root cause, CYE and the security team met with the different IT teams based on their roles, and dug into the environments and how they work, primarily by questioning and understanding how things are configured and, more importantly, why.

CYE’s approach for organizations is based on the resulting maturity of their fixes, not only on treating the symptoms. This way, the remediation is comprehensive and provides the right solution.

Following the above, the organization was able to remediate a lot faster and, more importantly, in a way that increased their cybersecurity maturity. This ultimately enabled them to avoid future security challenges.

The Recipe for Cybersecurity Maturity Using NIST CSF 2.0
https://cyesec.com/blog/recipe-cybersecurity-maturity-using-nist-csf-2-0
Tue, 26 Mar 2024 10:21:08 +0000, Hemi Ramon

Ask two different people to bake a cake using the same equipment, the same ingredients, and the same recipe, and you are likely to get two different results. Change one of those parameters and the result is going to be different again.

Cybersecurity maturity is like baking a cake: Its level depends on your equipment (technologies), your recipe (processes and procedures), and on having the right people with the right skillsets in the right positions. But unlike baking a cake, the cybersecurity of your organization consists of many different aspects, and you need to assess the maturity level of each one of these aspects separately to get a clear picture of the cybersecurity maturity level of your organization.

For example, you may have perfect systems to detect a potential cybersecurity incident, indicating high maturity, but you lack the necessary people in important positions to effectively respond to an attack, indicating low maturity.

So how do you ensure that you don’t overlook measuring the maturity level of important aspects of your organization’s cybersecurity posture? The secret recipe is to use a comprehensive cybersecurity framework as the basis for your maturity assessment.

Using NIST CSF 2.0 for Cybersecurity Maturity Assessments

NIST recently released its Cybersecurity Framework (CSF) v. 2.0. While the original NIST CSF was designed for critical infrastructure organizations, its wide adoption by different organizations in different industries drove NIST to target the new version to all types of organizations.

NIST CSF 2.0 introduces a new “Govern” function, emphasizing the critical role of governance in cybersecurity risk management. In fact, the new Govern function consists of 31 out of the 106 subcategories of NIST CSF 2.0, demonstrating the importance of managing risk correctly to succeed at preventing, managing, and recovering from cyberattacks.

This important change is aligned with the growing liability expectations from management and boards of organizations, demonstrated through the new rules that the SEC adopted earlier this year regarding cybersecurity risk management, strategy, governance, and incident disclosure by public companies.

Measuring Cybersecurity Maturity

How can you measure the cybersecurity maturity level of your organization? Take NIST CSF 2.0—which now, more than ever, covers all the important aspects of the cybersecurity posture of your organization—and then do the following:

  • Add scales to each subcategory to measure:
    • the level of the security technologies you have in place
    • the level of your related processes
    • personnel aspects, such as having the right people in the right positions, their level of training, and availability in case of an incident
  • Provide objective indicators to support assigning a score on each of these scales. This is critical to the accuracy of the resulting scoring.
  • Calculate the scoring from all the different subcategories to create scoring for the different functions, and for the entire organization.

Doing the above will give you a pretty good picture of your organization’s cybersecurity maturity level. The result should yield a number which represents the level at which your organization is prepared for an attack and can recover from one when it happens.

But is this enough? Of course not. Measuring is the first step towards improvement, but there are several additional important steps you must take.

Benchmark

Comparing your results to other companies with similar business characteristics as yours is a good way to help you understand whether your weaknesses are common in your industry or if you are lagging. This process can reveal that you are stronger than your peers in some respects, but weaker in others. With this in hand, you can decide where you want to focus your improvement efforts and can proceed to the next step to decide on your targets.

Define Your Targets

Now that you know your current cybersecurity maturity level in each of the aspects represented by NIST CSF 2.0, and you have benchmarked your score against other companies like yours, it’s time to decide what to address first. No less important, it’s time to decide what not to address—at least for the time being.

You should set improvement targets for the aspects you decided to address that will eventually help you reach the maturity level you desire, and at a minimum, the level of your industry sector.

Continuously Measure and Identify Trends

Measurements are in place, benchmarking is done, and targets are set. Now what?

Your team is now working on mitigating and improving, focusing on items with the highest ROI that can help you achieve your targets. To determine how successful they are, and the progress towards the targets, you should repeat this entire process: measure, benchmark, define (adjust) targets, and measure again.

Repeatedly measuring over time enables you to identify trends and, no less important, to predict, given those trends, where you are likely to end up if your mitigation continues at its current pace.
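The whole loop described in the sections above (score each subcategory on technology, process and people; roll the scores up to functions and the organization; compare to a benchmark; set targets; extrapolate the trend from repeated measurements) as one added Python example. This is not Hyver’s scoring method: the 0 to 5 scale, the capping rule, the benchmark values and the quarterly history are constructed assumptions, and only the subcategory identifiers follow the NIST CSF 2.0 naming scheme.

```python
"""Cybersecurity maturity scoring over NIST CSF 2.0 style subcategories.

Added example, not Hyver's scoring. The 0..5 scale, the capping rule, the
benchmark values and the measurement history are all constructed.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional, Tuple

SCALE_MAX = 5  # constructed scale: 0 = nothing in place, 5 = optimizing

# Two-letter prefixes of NIST CSF 2.0 subcategory identifiers.
FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
             "DE": "Detect", "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class SubcategoryScore:
    """One subcategory scored on the three dimensions the post names."""
    subcategory: str  # e.g. "PR.AA-01"
    technology: int
    process: int
    people: int

    def score(self) -> float:
        dims = (self.technology, self.process, self.people)
        if not all(0 <= d <= SCALE_MAX for d in dims):
            raise ValueError(f"{self.subcategory}: scores must be 0..{SCALE_MAX}")
        # Constructed rule: mean of the three dimensions, capped one level
        # above the weakest, so strong tooling cannot mask missing people.
        return min(mean(dims), min(dims) + 1)


def function_scores(scores: List[SubcategoryScore]) -> Dict[str, float]:
    """Roll subcategory scores up to a mean per CSF function."""
    by_fn: Dict[str, List[float]] = {}
    for s in scores:
        prefix = s.subcategory.split(".")[0]
        by_fn.setdefault(FUNCTIONS[prefix], []).append(s.score())
    return {fn: mean(vals) for fn, vals in by_fn.items()}


def organization_score(fn_scores: Dict[str, float]) -> float:
    """Organization-wide score: unweighted mean of the function scores."""
    return mean(fn_scores.values())


def benchmark_gaps(fn_scores: Dict[str, float], benchmark: Dict[str, float]) -> Dict[str, float]:
    """Positive gap = ahead of peers, negative = lagging behind them."""
    return {fn: round(fn_scores[fn] - benchmark[fn], 3) for fn in fn_scores}


def targets(fn_scores: Dict[str, float], benchmark: Dict[str, float]) -> List[Tuple[str, float]]:
    """Functions below benchmark, worst first, with the benchmark as the minimum target."""
    gaps = benchmark_gaps(fn_scores, benchmark)
    below = [(fn, benchmark[fn]) for fn, gap in gaps.items() if gap < 0]
    return sorted(below, key=lambda t: gaps[t[0]])


def trend_slope(history: List[Tuple[float, float]]) -> float:
    """Least-squares slope of score against time, in score units per period."""
    xs = [x for x, _ in history]
    ys = [y for _, y in history]
    mx, my = mean(xs), mean(ys)
    den = sum((x - mx) ** 2 for x in xs)
    return sum((x - mx) * (y - my) for x, y in history) / den if den else 0.0


def periods_to_target(history: List[Tuple[float, float]], target: float) -> Optional[float]:
    """Periods until the trend reaches target; 0 if already there; None if not improving."""
    last_score = history[-1][1]
    if last_score >= target:
        return 0.0
    slope = trend_slope(history)
    return (target - last_score) / slope if slope > 0 else None


# Constructed sample assessment; identifiers follow CSF 2.0 naming.
ASSESSMENT = [
    SubcategoryScore("GV.RM-01", technology=1, process=3, people=3),
    SubcategoryScore("ID.AM-01", technology=2, process=2, people=2),
    SubcategoryScore("ID.AM-02", technology=2, process=1, people=3),
    SubcategoryScore("PR.AA-01", technology=5, process=4, people=3),
    SubcategoryScore("DE.CM-01", technology=5, process=3, people=1),  # strong tooling, nobody to run it
    SubcategoryScore("RS.MA-01", technology=2, process=3, people=1),
    SubcategoryScore("RC.RP-01", technology=3, process=3, people=3),
]
BENCHMARK = {"Govern": 2.5, "Identify": 2.5, "Protect": 3.0,
             "Detect": 3.0, "Respond": 2.5, "Recover": 2.0}  # constructed peer values
DETECT_HISTORY = [(0, 1.0), (1, 1.5), (2, 2.0)]  # (quarter, Detect score), constructed

if __name__ == "__main__":
    fs = function_scores(ASSESSMENT)
    print("functions:", fs, "organization:", organization_score(fs))
    print("gaps:", benchmark_gaps(fs, BENCHMARK))
    print("targets:", targets(fs, BENCHMARK))
    print("quarters until Detect reaches benchmark:",
          periods_to_target(DETECT_HISTORY, BENCHMARK["Detect"]))
```

The capping rule is the part worth arguing about: with it, the `DE.CM-01` row scores 2 despite a 5 on technology, which is exactly the “perfect detection systems, nobody to respond” situation described earlier in the post. Weighting functions unequally in `organization_score`, or weighting Govern more heavily given its 31 subcategories, is a design choice a real assessment would document alongside its objective indicators.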

How CYE Can Help Assess Your Cybersecurity Maturity

Is cybersecurity maturity like baking a cake? I think that it’s more like building a nation-wide bakery chain: You’ve got to have the right technology, the right processes, and the right people in place to get it right. You also need the right cyber risk quantification solution to help you make the right decisions by measuring, benchmarking, setting targets, identifying the most impactful items to mitigate, and identifying trends. Hyver, CYE’s optimized cyber risk quantification platform, does exactly that.

  • Hyver calculates your organization’s cybersecurity maturity by considering CYE’s objective and continuous data, as well as your security team’s input.
  • It compares your cybersecurity maturity level to others in your industry, and helps you pinpoint areas for effective improvement and set targets.
  • Through Hyver’s continuous maturity assessment, you can identify trends and ensure meeting your cybersecurity maturity targets.

The Containment Playbook for Combatting Deep Fakes
https://cyesec.com/blog/the-containment-playbook-for-combatting-deep-fakes
Wed, 20 Mar 2024 12:27:08 +0000, Hod Felber

In my role as a DFIR expert and tech lead at CYE, I recently encountered a fraudulent attempt where an imposter targeted the CEO of a prominent company, posing as a high-ranking executive and persuading a partner to transfer funds. The vigilant partner quickly sensed something amiss and promptly alerted the security team.

SIM swapping or hijacking is a long-standing technique employed by fraudsters. In rare cases it exploits vulnerabilities in GSM protocols, but the more straightforward approach involves convincing the mobile operator to register a new SIM card. This can lead to identity theft, exploiting 2FA, stealing WhatsApp accounts, and more.

What’s new, then? The emergence of deep fake technologies adds a new layer of sophistication to fraud attempts. A noteworthy example involved an employee joining a Teams call with the CEO and transferring funds under the assumption that the call participants were legitimate. Unbeknownst to him, every other participant in the call was a fraudster adeptly using deep fake technology.

The containment strategies I propose are outlined at the conclusion of this article. However, addressing the looming challenge of deep fake technology in the future raises critical questions for security. In an era dominated by deep fakes, relying on someone’s voice or image as a basis for trust constitutes a significant vulnerability. To counter this, I foresee a shift towards uniquely signing different data types, such as voice or video, directly by the physical device itself. These signatures would then be bound to a specific persona, subject to validation by a recognized authority or through blockchain technology, akin to the functioning of SSL. While this approach introduces potential privacy concerns, in my perspective, these are not substantially different from longstanding privacy issues.

To structure my recommendations, I intend to align them with 3 out of the 4 phases of NIST’s Incident Response (IR) cycle: Preparation, Detection and Analysis, and Containment, Eradication, and Recovery.

Preparation

  1. Remaining vigilant serves as the foremost defense against various forms of fraud, regardless of vulnerabilities arising from human actions. It is crucial to inform and train all employees about potential threats, including the dangers posed by deep fake, and emphasize strict adherence to the business protocols detailed below.
  2. Clearly define actions necessitating multi-channel verification involving more than one entity.
  3. Identify critical business procedures requiring adherence to verification protocols, such as initiating a validation call to the requesting entity.
  4. Implement 2FA where feasible, using an authenticator app. Where app-based authentication is not possible, choosing between email and SMS is difficult, as the safer option depends on multiple factors, and it is hard to recommend one over the other.
  5. Enhance security for applications such as WhatsApp/Telegram by implementing a PIN code using the app settings.

Detection

  1. Unusual requests, particularly those concerning funds and finances, may signal fraudulent activity.
  2. Inability to make calls or utilize data services could indicate a potential phone number hijacking.
  3. Detecting deep fake attempts is challenging. Some crude techniques can be detected with tools or by noticing issues such as lags in video; however, the multi-channel verification and callback mechanisms defined in the preparation phase can thwart such efforts. A reliable method involves posing a question known only to the genuine user and the recipient.

Containment

  1. Report the incident to your service provider and request:
    a. Detailed instructions on binding your SIM card to your phone number.
    b. Temporary suspension of outgoing calls to prevent impersonation — won’t be suitable for all cases.
    c. Access to communication history associated with your number for further investigation.
  2. Generate a new SIM card and link it to your phone — effective primarily against classic SIM swapping attacks rather than those relying on GSM routing protocols.
  3. Update 2FA configurations to use an authenticator app or email, rather than SMS, across all accounts tied to the phone number. A list of all such services can be enumerated from the SMS history.
  4. Terminate active sessions on all associated accounts, change login passwords, and revoke authentication tokens.
  5. Closely monitor all accounts linked to the affected number.
  6. In certain scenarios, individuals may need to caution colleagues and family members about the potential for impersonation through their phone line, as the aforementioned steps might not suffice in some cases.
  7. DON’T disconnect the phone unless all security measures in the playbook have been implemented, as in certain cases, complete mitigation may not be achievable, and maintaining some level of control over the phone number could be essential.

In conclusion, plenty of information is available online on preventing situations like SIM swapping, including the methods detailed above. Detection methods are generally straightforward, often tied to a phone’s inability to make calls or use mobile data. However, the internet has been lacking in containment playbooks that address SIM hijacking specifically from the standpoint of deep fake threats. Organizations should be urged to formulate an appropriate playbook and raise awareness among their employees, family, and friends.

15 Cybersecurity Podcasts CISOs Should Add to Their Playlist https://cyesec.com/blog/15-cybersecurity-podcasts-cisos-should-add-playlist https://cyesec.com/blog/15-cybersecurity-podcasts-cisos-should-add-playlist#respond Thu, 14 Mar 2024 10:06:59 +0000 Leeron Walter Mendel https://cyesec.com/?p=9993 We’ve curated a list of 15 essential cybersecurity podcasts that every CISO should bookmark. From the latest ransomware threats to strategic tactics on mastering board reporting, these podcasts will give you everything you need to stay up to date in the cybersecurity world.

1. CISO Series Podcast (United States)

Led by David Spark, the CISO Series is, without a doubt, one of the best podcasts out there. Topics range from compliance to ransomware, and the latest breaches that hit the news. They publish 9-10 episodes every week across their vast network, which also includes Capture the CISO, Cyber Security Headlines, Super Cyber Friday, and Defense in Depth, co-hosted by Geoff Belknap, CISO at LinkedIn.

Make sure you subscribe to the CISO Series Newsletter as well.

2. Cloud Security Podcast (UK)

Ashish Rajan and Shilpi Bhattacharjee’s Cloud Security Podcast covers everything a CISO should know about mastering application security. Featured episodes include “CISO Perspective: Pentester to CISO” with Josh Lemos, CISO of GitLab, “How to Build a Modern Cyber Security Program” with Larry Whiteside Jr., and “Cloud Security in the BoardRoom – CISO Perspective” with Phil Venables, CISO at Google Cloud.

You’ll also love “Hot Takes,” where CISOs discuss the latest trending security topics while eating spicy chili peppers. See who has the highest threshold for spice.

3. CISO Tradecraft® (United States)

CISO Tradecraft® is hosted by G Mark Hardy and Ross Young. It covers a wide range of topics which include risk management, product security, detection and response capabilities, and leadership. Featured episodes include “CISO Predictions for 2024,” “Board Perspectives,” and “The Cost of Cyber Defense.”

4. CISO’s Secrets (Israel)

CISO’s Secrets is presented by Check Point and features in-depth discussions with some of the most prominent names in the industry. CISO’s Secrets covers the latest security trends and challenges that CISOs and CIOs face daily. It is definitely worth adding to your playlist.

5. The Virtual CISO Podcast (United States)

The Virtual CISO Podcast is hosted by John Verry. Featured episodes include “Strategies for Reducing the Cost of Your Cyber Liability Insurance Policy” with Jack Liljeberg, “True Confessions of a Real Virtual CISO” with Andrew Farkas, and “Revolutionizing Security Training” with Kevin Paige, CISO and VP of Product Strategy at Uptycs.

6. CISO Talk (United States)

Hosted by James Azar, CISO Talk covers all the essential topics for success in the modern enterprise. Renowned CISO Andy Ellis, author of the “1% Leadership Book,” shares the importance of small daily improvements and how they can be applied to enhance leadership skills, cybersecurity strategies, and overall professional growth. Tune in for insightful discussions and actionable insights.

7. 401 Access Denied Podcast (United States)

The 401 Access Denied Podcast is hosted by Delinea’s ethical hacker Joseph Carson and is one of the top cybersecurity podcasts you will listen to. Featured episodes include “Cyber Insurance Trends for Risk Management” with Dara Gibson, “Going from Hacker to CISO” with Jason Haddix, and “Cybersecurity in the Boardroom” with Art Gilliland, Delinea’s CEO.

8. Hacker Valley Studio (United States)

Hacker Valley Studio is led by Ron Eddings, CEO of Hacker Valley Media, and is a treasure trove of knowledge for CISOs. Featured episodes include “Cyber Defense Reinvented: The New Era of Attack Surface Management” and the latest episode on “Paving the Path for CISOs of the Future” with Gary Hayslip.

9. The New CISO Podcast (United States)

The New CISO Podcast is hosted by Exabeam Chief Security Strategist and former IT security leader, Stephen Moore. Every CISO should tune in to this podcast. Featured episodes include “What Would a Breach Cost You? Personal Risk vs. Reward as a CISO,” “Landing a Seat in the C-Suite” with Mike Woodson, and “Investing in Your Security Team” with Zane Gittins.

10. mnemonic Security Podcast (Norway)

Based in the gorgeous Nordic region, the mnemonic Security Podcast is a place where IT security professionals can go to obtain insight into what their peers are working with and thinking about. Join host Robby Peralta as he explores the global cyber risk landscape. Notable episodes include “Influencing the Board” with Roger Ison-Haug, CISO at StormGeo, “Enterprise Security Architecture” with Nick Murison, CISO at Ardoq, and “Securing LinkedIn” with who else but LinkedIn CISO Geoff Belknap.

11. Resilient Cyber (United States)

Resilient Cyber is hosted by Chris Hughes, President of Aquia, and co-author of Modern Vulnerability Management. Chris is one of the most sought-after voices in the AppSec field. Resilient Cyber features episodes that include “A Year in the Seat – a CISO’s Retrospective” with Joseph Lewis, “Threat Hunting & Detection Engineering” with Chris Kulakowski, and “Cyber, the Board and Regulations” with Chris Hetner, former Senior Cybersecurity Advisor to the SEC Chair.

12. Risky Business (United States)

Risky Business has been around since 2007. It is hosted by Patrick Gray and features everything from the latest breaches to privacy concerns and network security. Risky Business goes in-depth on the latest attacks and covers cybersecurity trending news as well.

13. Life of a CISO with Dr. Eric Cole (United States)

Dr. Eric Cole began his career with the CIA as a professional hacker, eventually joining the SANS Institute, where he developed coursework that is now the foundation of the SANS Information Security Training and Security Certification. Featured podcast episodes include his “Fact vs Friction” series and “Cybersecurity Focus: Communication & Risk.”

14. Smashing Security (UK)

Smashing Security is one of the most popular podcasts on cybersecurity. Hosted by cybersecurity superstar and Doctor Who fan Graham Cluley, and his partner in cybercrime, Carole Theriault, Smashing Security adds a much-needed dose of humor to the latest ransomware attacks and bogus scams. The episode titles say it all. They even have their own Subreddit, r/SmashingSecurity, so make sure you follow them.

15. eXecutive Security (United States)

Gene Fay serves as the CEO of ThreatX, an API security company, and also hosts the eXecutive Security Podcast. Key episodes include “How AI Will Change Cybersecurity Jobs” with Tony Pietrocola of AgileBlue, “The Role of Behavioral Science in Cybersecurity” with Masha Sedova of Elevate Security (acquired by Mimecast), and “How to Reskill to Work in Cybersecurity” with Christine Gadsby of BlackBerry.

Follow CYE to learn more about cyber risk quantification.

The Price of Not Following Application Security Best Practices https://cyesec.com/blog/price-not-following-application-security-best-practices https://cyesec.com/blog/price-not-following-application-security-best-practices#respond Mon, 04 Mar 2024 16:40:20 +0000 Gil Cohen https://cyesec.com/?p=9964 Applications are everywhere: from public websites to internal systems, from mobile apps to admin interfaces. The sheer number of software applications that automate processes in our everyday life and work is overwhelming, and failing to follow application security best practices can have serious ramifications. In enterprises, the problem is even larger, as applications that are either internally developed or purchased from third-party providers support critical business decisions and flows. To make matters more complex, maintaining third-party software security is more challenging than securing internally developed software, because there is a limited ability to assess and affect the security posture of third-party software.

A Real-World Example of an Application Security-Related Cyberattack

Recently, a client was the victim of a severe brute force attack. Although the client had performed a penetration test that revealed security issues, no mitigation was performed to secure the publicly accessible interface. Consequently, an attacker issued millions of login requests and was able to discover valid usernames and credentials.

The result was the identity theft of several clients’ users, the loss of tens of thousands of dollars that were stolen from these accounts, emergency testing and deployment of security measures to stop the attack, and a general mess that really shook up the company, its clients, employees, and reputation. If proper mitigation steps had been implemented to fix the security issues and if application security best practices had been followed, none of this would have happened.

Preventive Measures and Mitigating Actions

The organization was forced to deploy mitigations and preventive measures to stop the attack in real time. They included:

1. Anti-bot throttling

This involves applying an anti-bot throttling mechanism to protect interfaces from automated attacks. It includes both a generic throttling for the entire interface and a stricter restriction (for example, using a CAPTCHA mechanism) for more sensitive actions, such as login operations. The attacked organization did have some kind of throttling mechanism that was restricting IP addresses, but it was incomplete; therefore, the attacker was able to jump between different IP addresses.

2. Strong password policy

It is important to enforce a strong password policy that includes minimum length and complexity. Currently, it is recommended that passwords be at least 12 characters for regular users and 16 characters for administrative users. In addition, passwords should contain characters from all four of the following categories: uppercase, lowercase, digits, and special characters. Another option, as an alternative to password complexity, is to create and enforce a password deny list that contains common passwords and variations of them. The attacked organization was not enforcing a robust password policy, forcing them to deploy an improved one in real time for all their clients as part of the login process. Inactive users were disabled.

3. Multi-Factor Authentication (MFA)/strong authentication

Implementing MFA adds an extra layer of security by requiring multiple forms of authentication, thereby reducing the likelihood of unauthorized access, even if login credentials are compromised. The attacked organization was forced to deploy MFA and apply it to all users as part of the login process in real time.

4. Concealed user existence

The system should not reveal any information about the existence of a user. Whenever possible (login interfaces, password reset), the system should return the same response, whether the user exists or not. Whenever a different response needs to be returned (a public registration mechanism, for example), apply a strict anti-bot throttling mechanism such as a CAPTCHA, in addition to the general API anti-bot mechanism. The attacked organization was not following this best practice, allowing the attacker to first build a list of valid usernames and then focus on these users’ credentials – greatly increasing the effectiveness of the brute force attack.
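As an added worked example (not code from the post or from CYE), here is a minimal login path that applies measures 1, 2 and 4 above together: a password policy with role-based minimum length, all four character classes and a deny list of common passwords and their trivial variations; throttling keyed by both source IP and target account, so that rotating IP addresses does not reset the counter; and a single failure message plus a dummy hash comparison when the account is unknown, so that neither the response text nor its timing reveals whether a user exists. MFA (measure 3) is left out. The in-memory user store, the scrypt parameters, the deny-list contents and the clock value passed into `login` are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import string
from collections import defaultdict, deque

# 2. Strong password policy: minimum length by role (12 regular / 16 admin, as
#    in the post), all four character classes, and a deny list of common
#    passwords. The deny list here is a constructed sample.
MIN_LENGTH = {"user": 12, "admin": 16}
COMMON_PASSWORDS = {"password", "welcome", "qwerty", "letmein", "admin"}

def _normalize(pw):
    """Collapse trivial variations so 'Password123!' is judged as 'password'."""
    return "".join(c for c in pw.lower() if c.isalpha())

def password_policy_violations(pw, role="user"):
    """Return the list of violated rules; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH[role]:
        problems.append(f"shorter than {MIN_LENGTH[role]} characters")
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if not all(classes):
        problems.append("missing one of upper/lower/digit/special")
    if _normalize(pw) in COMMON_PASSWORDS:
        problems.append("on the deny list (common password or variation)")
    return problems

# 1. Anti-bot throttling keyed by source IP AND by target account. The attacked
#    organization throttled per IP only, which is why hopping addresses worked.
class LoginThrottle:
    def __init__(self, max_attempts=5, window_seconds=300.0):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of failures

    @staticmethod
    def _keys(ip, username):
        return (("ip", ip), ("user", username.lower()))

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:  # drop entries outside the window
            q.popleft()
        return len(q)

    def is_blocked(self, ip, username, now):
        return any(self._recent(k, now) >= self.max_attempts
                   for k in self._keys(ip, username))

    def record_failure(self, ip, username, now):
        for k in self._keys(ip, username):
            self._failures[k].append(now)

# 4. Concealed user existence: one failure message, and a dummy hash comparison
#    when the account is unknown so that response time does not leak existence.
GENERIC_FAILURE = "Invalid username or password."
THROTTLED = "Too many attempts; complete the CAPTCHA challenge and retry later."

def _hash(pw, salt):
    return hashlib.scrypt(pw.encode(), salt=salt, n=2**14, r=8, p=1)  # example parameters

class UserStore:
    """In-memory credential store standing in for a real directory (assumption)."""
    def __init__(self):
        self._users = {}
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash(secrets.token_urlsafe(24), self._dummy_salt)

    def add(self, username, pw, role="user"):
        problems = password_policy_violations(pw, role)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self._users[username.lower()] = (salt, _hash(pw, salt))

    def verify(self, username, pw):
        exists = username.lower() in self._users
        salt, stored = self._users.get(username.lower(), (self._dummy_salt, self._dummy_hash))
        return hmac.compare_digest(_hash(pw, salt), stored) and exists

def login(store, throttle, ip, username, pw, now):
    """Return (success, message); 'now' is a clock value passed in to keep it testable."""
    if throttle.is_blocked(ip, username, now):
        return False, THROTTLED
    if store.verify(username, pw):
        return True, "OK"
    throttle.record_failure(ip, username, now)
    return False, GENERIC_FAILURE
```

Two design points are worth noting. The throttle also counts failures against accounts that do not exist, so an attacker cannot infer existence from whether throttling kicks in. And because the per-account bucket can be filled deliberately to lock a real user out, the `THROTTLED` state should trigger the CAPTCHA step-up described under measure 1 rather than a hard lockout.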

General Application Security Best Practices

To avoid similar scenarios, organizations should invest in application security posture. Here are some of the best practices:

1. Follow Secure Software Development Lifecycle (Secure-SDLC) best practices

Organizations should integrate security into their software development lifecycle processes and follow SDL/Secure-SDLC best practices. This should include performing threat modeling for sensitive systems, as well as the definition of security requirements, metrics, compliance, and goals both for specific systems and for the entire organization.

2. Integrate automated tools

Organizations should integrate automated security tools into their development and CI/CD pipeline. This includes dynamic scanning tools (DAST), static code analysis tools (SAST), known vulnerability and dependency scanners (SCA, container scanners, cloud scanners), and more. Ideally, when a serious finding is detected, this should generate an alert and block deployment to production.

3. Perform regular penetration tests

Conduct a penetration test at least once a year and follow mitigation steps to ensure findings are fixed.

4. Define an SLA for security-related issues

Set a service-level agreement with the development, IT, and DevOps teams that defines the maximum time allowed to fix a security issue, depending on its severity. For example, critical issues should be fixed immediately, high-severity issues should be fixed in the current sprint, and medium and low issues can be treated and prioritized as regular bugs.

5. Education and training

Providing comprehensive cybersecurity training to employees is paramount. Specifically, it is crucial to provide dedicated application security training for developers to familiarize them with application-related cyberattacks, their implications, and mitigations. Application security is primarily the developers’ responsibility.

6. Integrate security into the design process

Ensure ongoing security-related design reviews are done as early as possible in the software development lifecycle, to fix and prevent design issues before the corresponding code is implemented.

7. Establish and practice a standard incident response process

Make sure a proper incident response policy is in place that includes all roles and contacts in case of an incident. Validate that incidents are identified, preferably automatically. Perform an incident response drill to make sure all requirements are properly set and met.

Conclusion

Application security is often overlooked. This story is an example of the ramifications of focusing on an application’s functionality and rushing to develop the next feature, rather than applying security measures, fixing previously discovered security issues, and ultimately investing in security as an integral part of the software development process. Following application security best practices can save organizations a lot of time, money, and effort and reduce the risk of future application-related cybersecurity incidents.

Want to learn more about how CYE can help protect your organization from cyberattacks? Schedule a demo today.

How Advanced Technology and AI Play a Role in Hyver’s CRQ https://cyesec.com/blog/how-advanced-technology-ai-play-role-hyvers-crq https://cyesec.com/blog/how-advanced-technology-ai-play-role-hyvers-crq#respond Thu, 29 Feb 2024 14:03:33 +0000 Leeron Walter Mendel https://cyesec.com/?p=9955 As the attack surface continues to grow and cyberattacks become stealthier and more sophisticated, it is crucial for security teams to be able to accurately assess and mitigate cyber risk. Unfortunately, traditional cyber risk quantification (CRQ) methodologies have long relied on subjective assessments and guesstimated probabilities, leaving room for error and uncertainty.

To address this issue, Hyver, CYE’s optimized cyber risk quantification platform, uses advanced technology to generate business insights that empower companies to make effective cybersecurity decisions. By using Hyver, security leaders can stop making guesses about cybersecurity and know that their decisions are backed by data.

Here are some of the ways that Hyver accomplishes this:

Mathematical Foundation

At the core of Hyver lies a robust mathematical foundation, distinguishing it from conventional CRQ solutions. By integrating over a dozen AI/ML algorithms, Hyver eliminates the inherent guesswork. These algorithms are not merely disparate tools, but a cohesive ensemble meticulously designed to analyze data, identify patterns, and generate precise risk assessments. Unlike intuition-driven approaches, Hyver’s conclusions are rooted in data-driven insights, ensuring unparalleled accuracy and reliability.

Advanced Algorithms

Hyver’s arsenal comprises a diverse array of AI/ML algorithms, each tailored to address specific facets of cyber risk assessment. From anomaly detection to predictive analytics, these algorithms work together to analyze large datasets, identify emerging threats, and quantify potential impacts. Moreover, Hyver’s algorithms continuously evolve through iterative learning, adapting to new threats and vulnerabilities. This adaptive capability ensures that Hyver remains at the forefront of cyber risk management, effectively mitigating risks before they escalate.

Data Source Optimization

A crucial aspect of Hyver’s efficacy lies in the optimization of data sources and parameters. The vast repository of CYE’s curated data ranges from historical breach data to threat intelligence feeds. In addition, CYE’s experts govern and fine-tune data collection and analysis, ensuring optimal accuracy and relevance. Extensive experimentation and refinement ensure data-driven risk assessments, empowering organizations to make informed decisions in the face of cyber threats.

Hyver Benefits

Hyver transcends the limitations of traditional CRQ solutions in the following ways:

  • Hyver enables organizations to achieve unparalleled precision in risk assessment, thereby enhancing the ability to prioritize and allocate resources effectively.
  • By leveraging AI and ML algorithms, Hyver provides real-time insights into evolving cyber threats, enabling proactive mitigation strategies.
  • Hyver’s data-driven approach facilitates objective decision-making, minimizing the influence of human biases and subjective judgments.
  • Hyver enhances organizational resilience by identifying vulnerabilities and recommending targeted remediation measures.
  • By quantifying the potential impact of cyber incidents, Hyver empowers organizations to calculate the cost-benefit ratio of security investments accurately.
  • Hyver’s adaptive algorithms enable continuous monitoring and refinement, ensuring that risk assessments remain current and relevant in a rapidly evolving threat landscape.

Conclusion

Hyver represents a paradigm shift in cyber risk management, ushering in a new era of precision and reliability. As cyber threats continue to evolve in complexity and sophistication, the adoption of innovative technologies like Hyver becomes imperative. By embracing technological advancements and leveraging AI-powered solutions, organizations can navigate the intricacies of cyber risk with confidence and resilience.

Want to learn more about how Hyver can help you make effective decisions about cybersecurity? Schedule a demo today.

The Growing Threat of Cyberattacks and Social Engineering https://cyesec.com/blog/growing-threat-cyberattacks-social-engineering https://cyesec.com/blog/growing-threat-cyberattacks-social-engineering#respond Wed, 21 Feb 2024 12:08:36 +0000 Elad Leon https://cyesec.com/?p=9935 In an increasingly digital world, organizations face a growing threat: cyber incidents involving the theft of money through a combination of cyberattacks and social engineering. This exploits both technical vulnerabilities and human psychology, making it a challenge for businesses to defend against. This article delves into the intricacies of such incidents, examining their modus operandi, impact, and proactive measures that organizations can take to avoid them.

Real-World Example of a Cyberattack with Social Engineering

In many cases, such an incident is discovered when a vendor claims they haven’t received payment for their services. In one case, a company conducted a brief internal review. This led to the suspicion of potential mail fraud. An extensive investigation ensued, involving threat hunting and a darknet inquiry, aiming to ascertain the extent of the breach and its origin and to effectively block further access by the attacker.

Scrutiny of mailboxes owned by high-ranking employees with funds transfer authority uncovered several suspicious activities emanating from a specific mailbox. Subsequent probing identified several suspicious IP addresses that accessed files in the secretary’s SharePoint within the same timeframe. It is our belief that the attacker, who possessed login credentials, may also have had access to other available resources. A closer examination of these connections revealed unusual activity originating from Nigeria and Mexico.

The Anatomy of the Threat

Cyber incidents involving financial theft from organizations often begin with the exploitation of technological vulnerabilities. Cybercriminals may infiltrate an organization’s network through various means, including phishing attacks, malware injections, or exploiting unpatched software. Once inside, they seek to locate and exploit financial systems, gain unauthorized access to accounts, or manipulate transaction records.

However, what sets these incidents apart is the integration of social engineering techniques. This involves manipulating individuals within the organization to facilitate or overlook fraudulent activities. These techniques range from impersonation to psychological manipulation, leveraging trust and authority to gain access to sensitive information or systems.

Types of Social Engineering Exploits

Phishing

This remains one of the most prevalent social engineering tactics. Attackers send deceptive emails, masquerading as legitimate entities, to trick employees into revealing confidential information or clicking on malicious links.

Pretexting

A more elaborate form of manipulation where the attacker creates a fabricated scenario to extract information. For example, posing as a co-worker or vendor to elicit sensitive data.

Tailgating and Piggybacking

This physical form of social engineering involves gaining unauthorized access to restricted areas by exploiting human courtesy or trust. An attacker may simply follow an authorized individual into a secure area.

Impersonation

Attackers may impersonate executives, IT personnel, or trusted vendors to bypass security protocols, gain access to sensitive systems, or authorize fraudulent transactions.

Impact on Organizations

The consequences of successful cyber-social engineering incidents can be devastating for organizations. Apart from direct financial losses, organizations face a loss of reputation, diminished customer trust, and potential legal repercussions. The ripple effects extend to disrupted operations, regulatory fines, and increased cybersecurity expenditures.

Preventive Measures and Mitigation Strategies

Education and Training

Providing comprehensive cybersecurity training to employees is paramount. They should be able to recognize and report suspicious activities, especially in emails or communications requesting sensitive information.

Multi-Factor Authentication (MFA)

Implementing MFA adds an extra layer of security by requiring multiple forms of authentication, reducing the likelihood of unauthorized access even if login credentials are compromised.

Access Controls and Segmentation

Limiting access to sensitive systems and information on a need-to-know basis can minimize the damage potential of an insider threat or compromised account.

Incident Response Plans

Organizations must develop and regularly update incident response plans to ensure swift and effective action in the event of a breach. This includes protocols for communication, containment, eradication, recovery, and lessons learned.

Conclusion

The convergence of cyber and social engineering techniques in the theft of organizational funds represents a critical challenge in the modern threat landscape. By understanding the tactics employed and implementing robust cybersecurity measures alongside comprehensive employee training, organizations can fortify their defenses against these insidious attacks. Vigilance, education, and technological safeguards are the pillars upon which organizations can stand strong against this evolving threat.

Want to learn more about how to outsmart hackers? Download our guide

Mastering Cybersecurity Maturity: A Comprehensive Guide to Assessing Your Defenses https://cyesec.com/blog/mastering-cyber-maturity-a-guide-to-assessing-your-defenses https://cyesec.com/blog/mastering-cyber-maturity-a-guide-to-assessing-your-defenses#respond Wed, 07 Feb 2024 13:15:29 +0000 Mike Wilkes https://cyesec.com/?p=9817

Cybersecurity Maturity

In the realm of cybersecurity, maturity refers to an organization’s ability to effectively manage and reduce security risk over time and recover from cyberattacks. Even the most sophisticated security operations team within a well-funded organization will have room for improvement and be able to set goals for advancing its cybersecurity maturity. There is no finish line to be crossed in cybersecurity where one can declare “we are now secure” and there is no real sense of “winning” when it comes to operating a cybersecurity program. Cybersecurity is a game, but it is an infinite game, much like the game of catch. There are no winners or losers in the game of catch. You play the game to get better at it and to practice and improve your skills and ability. If we keep this in mind, then we will be able to deliver a more sustainable approach to this infinite game.

Cybersecurity maturity assessments are often measured on a 1 through 5 scale that assesses an entity’s capability to protect its information systems, data, and assets against potential threats. It encompasses various elements, including policies, processes, technology, and human factors.

When performing maturity assessments for an established company, university, government agency, non-profit, or a startup, it should be noted that level 5 is rather uncommon. In my estimation, if you merit being scored with a 5, you and your team have literally written the book on the subject and are going on a lecture tour at conferences about just how good you are at doing something.

A mature cybersecurity posture involves not only the implementation of robust technical controls but also the development of a comprehensive cybersecurity strategy and set of policy documents that align with the organization’s goals and risk tolerance. This strategy typically evolves through different stages, progressing from basic cybersecurity measures to more advanced and proactive approaches.

Key Components to Consider

Some security compliance frameworks are only concerned with whether a given control exists or not. A “pass or fail” approach to compliance is all that is expected. As such, I would argue that security is not the goal of such compliance efforts but rather just a “check the box” mentality of doing the minimum and hoping that bad things won’t happen. It is my belief that a lot of organizations fall into this category of being compliance-minded and not security-minded. As I like to put it, compliance is something that you pick up along the way to building a good information security program and capability.

If you stop short of implementing effective security controls because you only want to achieve the minimum required for a compliance audit, then you are probably not laughing at the absurdity of the following anecdote: A company is preparing for an audit and has asked a security consultant to help them prepare for the actual audit. When asking about whether the company has a firewall, the person replies, “Yes, we have a firewall. I can show you the invoice. We purchased a really good firewall.” Upon being asked the follow-up question of taking a look at the firewall rules and configuration, they sheepishly admit that the firewall is still sitting in the box it was shipped in and has yet to be plugged in and configured.

Key components related to cybersecurity maturity include:

Risk Management

A mature cybersecurity program integrates risk management practices to identify, assess, and prioritize potential threats and vulnerabilities. This involves regular risk assessments and the establishment of a risk mitigation plan. If your organization does not have an ORC (Operational Risk Committee) with departmental representation from infosec, legal, HR, and engineering, then your risk management is immature. If you do not have a corporate risk register on which strategic risks are identified and tracked by the ORC and, as required, occasionally escalated to the senior leadership team and board of directors, then your risk management is likewise immature. How can cybersecurity risk be properly managed if there is no risk register on which to place and track it?

Security Policies and Procedures

Well-defined and communicated security policies and procedures are fundamental to cybersecurity maturity. These documents guide employees and stakeholders on acceptable behavior, responsibilities, and actions in the context of security. At a minimum, these policies and procedures need to be reviewed and updated annually. Stronger teams understand that “living documentation” equates to performing updates and reviews more frequently than just once per year.

Technical Controls

Implementation of effective technical controls, such as firewalls, intrusion detection systems, encryption, and endpoint protection, is crucial. A mature cybersecurity program continuously updates and adapts these controls to address emerging threats. You might, for example, need to refine your endpoint protection approach and introduce a baseline profile of technical controls that are applied to all users. Stepping away from a “one size fits all” technique gives rise to applying specialized endpoint profiles that are designed to address a lower tolerance for risky behavior on HR and legal laptops and workstations due to the sensitive nature of the data and records that these users access and control. Conversely, you may also need to carve out a more “relaxed” endpoint security profile for members of your infosec team who regularly partake in malware analysis and reverse engineering of executables and code that are identified in email attachments and quarantined by various tools and service providers.

Incident Response and Recovery

A mature organization is prepared to respond to and recover from security incidents. This involves having an incident response plan, a capable incident response team, and the ability to learn from incidents to improve future resilience. Too often we see that an organization is desperately focused on progressing through the various stages of incident response and takes the decision to exit the containment phase too early. This often leads to re-infection and re-compromise because the original attack path and vector were not actually identified and mitigated. A mature infosec team exhibits something that can be called “tactical restraint.”

Employee Awareness and Training

Human factors play a central role in cybersecurity maturity. The world of risk management and cybersecurity capability is as much if not more concerned with mindset as it is with toolset. It’s actually easier to make changes to toolsets than it is to make progress on improving a company culture around security and its mindset. This component includes ongoing education and training programs to ensure that employees are aware of security risks and best practices. As with technical controls, mature organizations realize that a diverse user population requires customized training. Data scientists within an engineering department, for example, should be given role-based training around PHI and PII data handling requirements, especially as the new cybersecurity regulations around breach disclosure and reporting take effect this year.

Continuous Monitoring and Improvement

Cybersecurity maturity is a dynamic process that requires continuous monitoring of the threat landscape and regular assessments of the effectiveness of security measures. Organizations should be agile in adapting their strategies based on evolving risks. Building or buying a threat intelligence capability is, for example, a more advanced component of cybersecurity maturity. Knowing which threat actors are targeting your industry means learning about their specific TTPs (Tactics, Techniques and Procedures). Taking this one step further, a very robust continuous monitoring capability will include active threat hunting, with a deception program in place that makes use of canary tokens and honeypots in order to identify and attribute probing and prodding of your infrastructure by threat actors. Rather than just blocking it with a WAF or firewall rule, such organizations intentionally create vulnerable-looking infrastructure in order to gain threat intelligence about attackers that are actively targeting not just your industry, but your actual company itself.
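As an added illustration of the canary-token idea above (this is example code written for this page, not part of the CYE post or the Hyver product), the script below registers a few decoy URLs, scans constructed web-server access-log lines for requests to them, and attributes hits to a source address. The combined-log regex, the decoy paths and the log lines are all assumptions constructed for the example; the point is that a registered canary path is never requested legitimately, so even a 404 for it is a high-fidelity signal that someone read the decoy it was planted in.

```python
"""Canary-token hit detection over web-server access logs.

Added example (not from the CYE post): a deception program plants unique,
never-legitimately-requested URLs ("canary tokens") in decoy documents,
configs or wiki pages. Any request for one is high-fidelity evidence of
probing. This module registers tokens, scans access-log lines for hits
and attributes each hit to a source address for triage.
"""
import re
import secrets
from collections import defaultdict

# Apache/nginx "combined" log format (constructed regex; adjust to your logger).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


class CanaryRegistry:
    """Maps canary paths to a label naming the decoy they were planted in."""

    def __init__(self):
        self._tokens = {}  # path -> planted_in label

    def mint(self, planted_in, prefix="/internal"):
        """Create an unguessable path and remember where it was planted."""
        path = f"{prefix}/{secrets.token_urlsafe(16)}"
        self._tokens[path] = planted_in
        return path

    def register(self, path, planted_in):
        """Register a token that already exists (e.g. one already in a decoy doc)."""
        self._tokens[path] = planted_in

    def lookup(self, path):
        # Match on the path only; a query string does not change the token.
        return self._tokens.get(path.split("?", 1)[0])


def detect_canary_hits(registry, log_lines):
    """Return one alert dict per log line that requests a registered canary path."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip, do not crash the detector
        planted_in = registry.lookup(m["path"])
        if planted_in is None:
            continue
        alerts.append({
            "source_ip": m["ip"],
            "timestamp": m["ts"],
            "path": m["path"].split("?", 1)[0],
            "planted_in": planted_in,
            "user_agent": m["ua"],
            # Any status counts: a 404 still proves the requester read the decoy.
            "status": int(m["status"]),
        })
    return alerts


def attribute_by_source(alerts):
    """Group alerts by source IP: which decoys each address touched."""
    by_ip = defaultdict(set)
    for a in alerts:
        by_ip[a["source_ip"]].add(a["planted_in"])
    return {ip: sorted(decoys) for ip, decoys in by_ip.items()}


# Constructed sample data: two planted tokens and four constructed log lines.
SAMPLE_REGISTRY = CanaryRegistry()
SAMPLE_REGISTRY.register("/internal/backup-keys-2023.txt", "decoy: finance share README")
SAMPLE_REGISTRY.register("/internal/vpn-config.ovpn", "decoy: IT wiki page")

SAMPLE_LOG = [
    '203.0.113.5 - - [03/Jun/2024:10:14:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Jun/2024:10:15:40 +0000] "GET /internal/backup-keys-2023.txt HTTP/1.1" 404 153 "-" "curl/8.4.0"',
    '198.51.100.7 - - [03/Jun/2024:10:15:41 +0000] "GET /internal/vpn-config.ovpn?x=1 HTTP/1.1" 404 153 "-" "curl/8.4.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    hits = detect_canary_hits(SAMPLE_REGISTRY, SAMPLE_LOG)
    for h in hits:
        print(f"CANARY HIT {h['source_ip']} -> {h['path']} ({h['planted_in']})")
    print(attribute_by_source(hits))
```

Because the registry records where each token was planted, a hit tells you not only that someone is probing but which decoy (and therefore which share, wiki or mailbox) they reached, which is the attribution the passage above is after.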

Maturity Assessments in Hyver

Hyver’s cybersecurity maturity assessment enables CISOs to gain visibility, optimize, and communicate cybersecurity maturity by being able to:

  • Calculate the organization’s cybersecurity maturity
  • Benchmark against their industry sector
  • Define maturity targets
  • Create mitigation plans to meet targets
  • Track progress over time

In summary, assessing cybersecurity maturity is a holistic and evolving approach to safeguarding digital assets. It goes beyond mere compliance with regulations and standards, aiming to establish a proactive and adaptive security posture that can effectively navigate the complexities of the modern cyber landscape. Continuous improvement requires a concerted effort to align your policies and your practice. The upside of this approach, however, is that you will find that audits and regulatory oversight become much less of a burden and source of dread. Who knows, you might even find yourself embracing the idea of being audited so that you can proudly demonstrate the robust set of controls and processes that you and your team have put into place to manage risk.

Want to learn more about Hyver’s cybersecurity maturity assessment? Schedule a demo today. 

The 23andMe Breach: Blame the User, But It’s Still Your Responsibility
https://cyesec.com/blog/23andme-breach-blame-the-user-but-its-still-your-responsibility
Tue, 23 Jan 2024 08:54:28 +0000, Ira Winkler

After the recent attack on 23andMe, their announced position on the hack was that users were compromised because they reused compromised passwords. I have to admit I do agree that users who reuse passwords and fail to implement available multifactor authentication (MFA) bear responsibility for their compromise. You can argue that organizations should have extra protections, and many do, but B2C organizations risk losing customers who don’t want to implement stronger security, which adds friction to using a website. However, this in no way means that a company just gives up on protecting their system.

While 23andMe might have had 14,000 users compromised through password reuse, they apparently allowed lateral movement, causing the compromise of the data of 6,900,000 users. This goes well beyond any fault of any user. This is a clear example of the delineation of user responsibility and corporate responsibility. That aside, even if the users are 100% the cause of a breach, it is still the job of the cybersecurity team to mitigate the results.

Can We Blame the User?

First, let’s talk about when it is okay to blame a user. While there is the typical mantra, “You can’t blame the user,” the reality is that users do many things that they should not do. For example, I investigated a case where a security guard wanted to watch movies on duty, and loaded VPN software on the physical security PC so that he could bypass the corporate controls. The guard ended up downloading malware and causing a major impact to physical access to the facilities. Yes, you blame that user. I discuss these concepts in detail in my book, You Can Stop Stupid.

There is a concept called a Just Culture. In a Just Culture, users are provided with the appropriate training to know what to do, are given the resources to do it correctly, have the time to do a task correctly, and the jobs are not so complicated as to cause unnecessary confusion. If the prerequisites are not there, the user cannot be considered at fault, assuming there is no malice. Users can make mistakes, but in a Just Culture a user is not blamed for mistakes, and is encouraged to report mistakes. However, if there is a clear violation of policy, users can be blamed and disciplined.

The Importance of Security Awareness Programs

This has strong implications for security awareness programs. First, obviously, the user has to be provided with the appropriate training. The training should include ensuring that people actually understand and apply the material. Second, and more important, the implication is that training has to be focused on what to do rather than on what to be afraid of.

There is a great deal of awareness training that focuses on the mystique of “hackers” and teaches people to be afraid. Good awareness training should have a focus on how to do things right, and not to fixate on hackers and fear. This is a critical distinction and I cover the concepts in detail in my book, Security Awareness for Dummies.

That aside, whether or not the user is to blame, you have to assume that users will fail and cause harm. Anyone who advocates for the human firewall is a fool. This implies perfection on the part of the users. This will never happen. Knowing there will never be a perfect user, you have to anticipate all possible actions and defend against them. This is why the attack path visualization integrated into Hyver is critical to understanding not just the actions a user can take, but the implications and potential losses resulting from those actions.

The Responsibility of the Organization

You also need to consider that you can blame users as much as you want, but the organization is ultimately responsible for breaches. For example, if a user decides to intentionally click on a phishing message and causes a major data breach, regulators will go after the organization and not the user. Regulators are not going to walk into a breached organization and just commiserate with your admins about “stupid users.” They will only ask what you did to prevent the breach.

Clearly this leaves infinite possibilities. To account for those possibilities, you need to define clear attack paths to see where users can fail and the potential loss associated with these actions, which again is exactly what Hyver was built to do. What matters is not why users fail, but seeing the points where users can provide an attacker a further path into critical roles. At that point, you can start to determine how to mitigate the inevitable. Just because a user fails in some way does not mean that the organization has to experience a loss. Again, applying attack path visualization and optimizing the choice of countermeasures should account for user failure, regardless of whether they’re to “blame” or not.

Want to learn more about how Hyver can help prevent data breaches? Schedule a demo.

10 Best Practices for Operational Technology (OT) Security
https://cyesec.com/blog/10-best-practices-operational-technology-ot-security
Wed, 17 Jan 2024 09:46:28 +0000, Elad Leon

As the integration of digital technologies in industrial processes continues to advance, the need for robust cybersecurity measures in Operational Technology (OT) environments becomes paramount. OT systems control and monitor physical devices and processes and are vital to businesses, regardless of whether they are part of manufacturing facilities, CNC machines, or critical infrastructure like airports, banks, and utilities.

The standard cybersecurity advice for IT and security managers of companies with OT networks is to separate them from the regular networks. That being said, CISOs often talk about the separation of networks and the basic fundamentals that go with it, but they don’t make sure that these fundamentals are implemented well, or consider the possible ramifications when they are not.

Recently, for example, we spoke to a client that asked for advice about different cybersecurity matters. Although the client had acceptable security, they were completely unaware that the OT network was connected by the IT staff to one of the administrative networks and basic security practices were not in place, thus potentially opening it to the outside world.

Here are ten best practices for securing operational technology (OT) cyber environments.

1.    Risk Assessment and Asset Inventory

The first step in OT cybersecurity is understanding the landscape. Conducting a thorough risk assessment and creating an exhaustive inventory of assets is crucial. This enables organizations to identify vulnerabilities, prioritize critical systems, and allocate resources effectively. Regular updates to this inventory should be made to account for changes in the environment.

2.    Access Control and Authentication

Implementing strict access controls and robust authentication mechanisms is essential. Each user should have the least privilege necessary to perform their job functions. This minimizes the potential damage an attacker can inflict if they gain unauthorized access. Recommended practices include multi-factor authentication, strong passwords, and biometric verification.

3.    Network Segmentation

Segmenting the network into isolated zones helps contain breaches and limit lateral movement by malicious actors. Critical systems should be isolated from less sensitive ones, and firewalls should be employed to regulate traffic between zones. This way, if one segment is compromised, the rest of the network remains secure.
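To make the zoning rule concrete, here is an added example (written for this page; it is not code from the CYE post) that assigns subnets to zones, declares the only inter-zone flows a firewall should permit, and checks a list of observed flows against that policy. The zone layout, the allowed-flow table and the sample flows are constructed assumptions; in practice the flows would come from a firewall or NetFlow export. The fourth sample flow is the situation described earlier in the post: an IT administrative network reaching an OT device directly, bypassing the DMZ.

```python
"""Zone-to-zone flow policy check for a segmented OT network.

Added example (not from the CYE post): subnets are mapped to zones in a
Purdue-style layering, the permitted inter-zone flows are whitelisted, and
observed flows are checked against that whitelist. Any flow with no
matching rule is a segmentation violation to investigate.
"""
import ipaddress

# Constructed zone map; replace with your own asset inventory.
ZONES = {
    "enterprise_it":  [ipaddress.ip_network("10.10.0.0/16")],
    "it_admin":       [ipaddress.ip_network("10.20.0.0/24")],
    "dmz":            [ipaddress.ip_network("10.30.0.0/24")],
    "ot_supervisory": [ipaddress.ip_network("192.168.10.0/24")],
    "ot_control":     [ipaddress.ip_network("192.168.20.0/24")],
}

# Permitted (src_zone, dst_zone, dst_port) tuples; a port of None means any
# port. Everything not listed is denied, so nothing outside the DMZ may talk
# to an OT zone directly.
ALLOWED_FLOWS = {
    ("enterprise_it", "dmz", 443),
    ("dmz", "ot_supervisory", 443),         # historian replication via the DMZ
    ("ot_supervisory", "ot_control", 502),  # Modbus/TCP from SCADA to PLCs
    ("ot_control", "ot_supervisory", 502),
}


def zone_of(ip):
    """Return the zone name for an address, or 'unknown' if it is unmapped."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "unknown"


def is_allowed(src_ip, dst_ip, dst_port):
    """True if the flow is intra-zone or matches a whitelisted inter-zone rule."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone and src_zone != "unknown":
        return True  # intra-zone traffic is outside this policy's scope
    return ((src_zone, dst_zone, dst_port) in ALLOWED_FLOWS
            or (src_zone, dst_zone, None) in ALLOWED_FLOWS)


def find_violations(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port). Returns the violating ones."""
    violations = []
    for src, dst, port in flows:
        if not is_allowed(src, dst, port):
            violations.append({
                "src": src, "src_zone": zone_of(src),
                "dst": dst, "dst_zone": zone_of(dst),
                "dst_port": port,
            })
    return violations


# Constructed sample flows (as a firewall or NetFlow export might list them).
SAMPLE_FLOWS = [
    ("10.10.5.23", "10.30.0.10", 443),        # IT -> DMZ web front end: allowed
    ("10.30.0.10", "192.168.10.5", 443),      # DMZ -> OT supervisory: allowed
    ("192.168.10.5", "192.168.20.40", 502),   # SCADA -> PLC Modbus: allowed
    ("10.20.0.15", "192.168.20.40", 502),     # IT admin -> PLC directly: violation
    ("10.10.5.23", "192.168.10.5", 3389),     # enterprise IT RDP into OT: violation
    ("192.168.20.40", "192.168.20.41", 502),  # PLC to PLC, same zone: allowed
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print(f"VIOLATION {v['src']} ({v['src_zone']}) -> "
              f"{v['dst']} ({v['dst_zone']}) port {v['dst_port']}")
```

Running the check periodically against live flow data turns the segmentation design from a diagram into something verified; the unmapped-address case is reported as a violation on purpose, since an address that belongs to no zone usually means the asset inventory, not the firewall, is what needs fixing.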

4.    Patch Management and Vulnerability Assessment

Keeping software and firmware up-to-date is imperative for OT environments. Regularly scheduled patch management routines and vulnerability assessments should be conducted to identify and rectify weaknesses in the system. Additionally, a thorough testing process should precede any updates to ensure they don’t inadvertently disrupt critical operations.

5.    Remote Assistance and Maintenance

Remote assistance and maintenance should be performed from a PC that is freshly booted, every time, from a preassigned flash drive, and through a remote-control system that requires approval for every connection.

6.    Intrusion Detection and Prevention Systems (IDPS)

Deploying IDPS tools helps with real-time monitoring of network traffic and events. These systems can detect suspicious activities and, in some cases, take automated actions to mitigate threats. Regularly reviewing and fine-tuning IDPS configurations ensures they remain effective against evolving attack vectors.

7.    Security Information and Event Management (SIEM)

SIEM solutions aggregate and analyze security data from various sources, providing a comprehensive view of the network’s security posture. This facilitates rapid incident response and enables organizations to identify trends or patterns indicative of potential threats.

8.    Employee Training and Awareness

Human error remains a significant factor in cyber incidents. Properly training employees on cybersecurity best practices and creating a culture of security awareness is crucial. This includes regular training sessions, simulated phishing exercises, and clear reporting protocols for suspicious activities.

9.    Incident Response and Business Continuity Planning

Having a well-defined incident response plan in place is essential. This plan should outline the steps to take in the event of a security incident, including roles and responsibilities, communication procedures, and containment strategies. Additionally, a robust business continuity plan ensures that critical operations can continue even during a cyber-attack.

10.  Regulatory Compliance and Standards

Adhering to industry-specific regulations and cybersecurity standards is essential for OT environments. Compliance with frameworks like NIST, IEC 62443, and ISO 27001 demonstrates a commitment to security and can provide a structured approach to implementing best practices.

Conclusion

Securing OT cyber environments is of paramount importance in today’s interconnected industrial landscape. By following these best practices, organizations can mitigate risks, enhance operational resilience, and safeguard critical infrastructure. Implementing a holistic approach to cybersecurity not only protects assets and data, but also ensures the safety of employees and the continuity of operations in the face of evolving cyber threats.

Want to learn more about how to secure OT cyber environments? Contact us. 

Tactical Edges: What My Dog Taught Me About Cybersecurity Strategy
https://cyesec.com/blog/what-my-dog-taught-me-cybersecurity-strategy
Tue, 09 Jan 2024 10:07:39 +0000, Mike Wilkes

This piece began as a short and simple LinkedIn post inspired by a walk with our dog one summer evening. We live in New York City and our dog’s name is Molly, an Australian Labradoodle. The post garnered a pretty good-sized number of impressions as it clearly resonated with the folks on that platform who follow my musings and observations. So this is the expanded treatise on the subject that dogs are good infosec professionals by nature and we two-leggeds can learn a thing or two from them about cybersecurity strategy.

Attack Surface

It’s not the sidewalk pavement surface itself that is interesting, it’s the cracks between the stones. Good smells aggregate between the pavement stones of the sidewalk, and the same is true for our digital assets. Attacks focus on the gaps and cracks between the assets more than on the assets themselves. The same can also be said about process gaps. Take the new hire process that is responsible for onboarding new employees. Someone is being elevated from no privileges to a position of trust and, depending on the role, privileged access. Dragos.com was targeted in such a manner and, to their credit, wrote about the incident so that we all might benefit from their experience. The gap or “tactical edge” in this process was the steps and the time period between an offer letter and the employee start date.

The personal email address of that soon-to-be employee was compromised (probably immediately after posting on social media that they were excited to be starting a new job), after which the threat actor attempted to take over initial steps in the onboarding process. Thanks to good anomaly detection and monitoring, the attack was thwarted. The infosec process known as “threat modeling” is not as widespread as it ought to be, especially now that we need to include HR functions and the pre- and post-interview process steps. We would all do well to take a fresh look at our own onboarding processes and cybersecurity strategy to see if there are any “trust gaps” where the baton of information is handed from one system to another and could be intercepted or commandeered by bad actors. Insider risk programs should also be expanded in scope to include pre-hire identification of employee BYOD assets, identification of the public IP addresses that we will eventually see showing up in our VPN logs, and the security posture of users’ personal accounts, such as whether MFA is enabled, before their first day of employment.

Zero Trust Attitude

Dogs exhibit the spirit of “zero trust” automatically and instinctually. When Molly sees another dog on our walks, it doesn’t matter whether she has met that dog a hundred times before or not, she still approaches the other dog with an attitude of uncertainty. Can I sniff you? How are you looking (and smelling) today? Is there something new or odd about your gait, is your tail wagging happily? Are you recently groomed and bathed? There is no doubt that there are a myriad of chemical indicators of the other dog’s mental and physical health that are being communicated to Molly’s olfactory system that are well beyond our mere human capabilities of perception.

Checking briefly for a little substantiation of this, I read that a canine’s capacity for odor detection has been reported to be as much as 10,000–100,000 times that of the average human, and the canine lower limit of detectability for volatile organic compounds is one part per trillion (ppt). It’s no wonder that dogs like to stick their heads out of a moving car window… it must be a real rush to have all that information stimulating your senses.

Cone of Shame

If you’ve seen the Disney movie “Up” or you are a dog owner who has had to experience this directly, you will know what is meant by the phrase “cone of shame.” A veterinary doctor will prescribe this apparatus to be placed around the neck of a dog, usually made of white plastic of sufficient length to keep the dog from being able to sniff or lick various body parts so that they have time to heal or for medicine to have a chance to be absorbed by the skin.

I wonder if there could be a cybersecurity strategy equivalent of this cone of shame? Maybe some kind of API endpoint header or client/server header that declares the number of days since the asset was last breached or compromised. When two dogs (or IP addresses in this analogy) meet, maybe the three-way TCP handshake should also be accompanied by the as-yet-defined protocol of TCP sniffing and for us to devise an obvious method for an asset to declare that it has been digitally admonished recently with a cone of shame as well.

Barking and Threat Detection

Not only do dogs have a vastly more involved and nuanced system of perception when it comes to smell, they also have a superior range of hearing. The frequency range of human hearing is about 20–20,000 Hz, while dogs can hear sounds between 40–60,000 Hz. A passing ambulance or fire truck is likely producing sounds that are outside of the human range, but Molly definitely takes notice, as do most dogs, and feels compelled to “sing along” with the siren and throw in a few barks between her howls and vocalizations. Dogs can also hear sounds four times farther away than humans. However, they can only discriminate resolutions of about 1/3rd of an octave, while humans can discriminate resolutions to 1/12th of an octave.

In my original post on LinkedIn about lessons that our dogs teach us about cybersecurity strategy, I referenced the movie “101 Dalmatians,” in which Perdita and Pongo make use of the communication network among dogs known as the “twilight bark” to advise others of the abduction of their puppies. One might, in a manner, think of the new SEC disclosure and reporting requirements as a form of the twilight bark. Or the DORA reporting requirements taking shape in the European Union for financial services entities. Our collective resilience as a society, an economy or as a business owner is predicated on timely information sharing and threat detection.

How can we improve our range of “hearing” so that we can perceive threats that are operating at novel frequencies? The audio frequency analogy works in my view as a means to help us reconceptualize our understanding of threat detection. Just as money laundering schemes and organized crime try to find ways to stay below SAR (Suspicious Activity Reporting) thresholds of $10,000 in some economies, I am convinced that some “low and slow” breach activity could be detected if we were to tune our apparatus of detection to cover a wider range of activity. Dutch chipmaker NXP only became aware of their own breach when the investigation of Transavia’s breach led security researchers to notify them of traffic with their headquarters.

Pack Theory

“Leading from the back” is a business management philosophy that was, if I’m not mistaken, inspired by wolves and wolf packs. The alpha wolf is there at the back of a progression of wolves in transit to protect the older and more vulnerable wolves from predators and other threats, such as accidents while crossing a river or a narrow trail through the mountains. Although these lupine management books talk about leadership within an organization, it’s worth mentioning that many of the same lessons for group strength and resilience apply between organizations.

Here is the point where I make the pitch for everyone to join an ISAC: Information Sharing and Analysis Center. If you are not in a particular industry that has a dedicated sector ISAC like mining and metals (MM-ISAC), or maritime transportation system (MTS-ISAC), then you are most certainly welcome to join the IT-ISAC, since every company has an IT function that can benefit from threat intelligence sharing and group awareness of trends and indicators of new campaigns and tactics of bad actors. Over the last few years, I’ve worked with and been a member of over ten of these ISACs, presenting threat intelligence briefings and giving presentations on third-party risk management and other subjects. Membership is usually based on the size of your organization, so fees are variable.

But keep in mind, just joining a gym doesn’t suddenly make you fit and trim. You have to put in the work to get any substantial results. The same is true of threat intelligence sharing communities. Collaboration and communication are not a one-way street. What you can offer the community of practice is just as important as what you can receive. But I can guarantee that you will see the benefits of joining an ISAC and being an active participant. You will upscale your company’s security posture, grow the talent and knowledge of your team, and deliver on the mission of a strong cybersecurity strategy: the avoidance of harm.

Want to learn more about building a comprehensive cybersecurity strategy? Contact us.

Latest Trends and Top Threats in the Ransomware Arena
https://cyesec.com/blog/latest-trends-top-threats-ransomware-arena
Tue, 02 Jan 2024 12:20:58 +0000, Elad Leon

In the ever-evolving landscape of cyber threats, one menace has emerged as a formidable adversary, wreaking havoc on individuals, businesses, and even governments: ransomware. This insidious form of malware encrypts files or entire systems, rendering them inaccessible until a ransom is paid. Over the years, ransomware attacks have become more sophisticated, with cybercriminals employing various tactics to maximize their profits. In this article, we will delve into the trends of ransomware and explore the alarming rise of double and triple extortion as particularly insidious strategies.

This threat has become such a nuisance that over 50 countries all over the world have come together for the International Counter Ransomware Initiative (CRI), which seeks to enhance international cooperation to combat the growth of ransomware. It also aims to build cross-border resilience and collectively disrupt and defend against malicious cyber actors. During the third CRI gathering, members reaffirmed their joint commitment to building a collective resilience to ransomware, cooperating to undercut the viability of ransomware and pursue the actors responsible, countering illicit finance that underpins the ransomware ecosystem, and combatting the payment of ransom.

The Evolution of Ransomware

Ransomware is not a new concept, but its evolution and how it came to be a part of the cybersecurity vocabulary has been rapid and alarming. Early iterations of ransomware were relatively simple, demanding a modest sum in exchange for decrypting the victim’s files. However, as cybersecurity measures improved, attackers adapted, introducing more complex and lucrative strategies.

One significant trend in recent years is the targeting of high-profile entities such as corporations, hospitals, and government agencies. These attacks are often meticulously planned, with threat actors studying their targets for vulnerabilities. The goal is to inflict maximum damage and demand exorbitant ransoms, recognizing the critical nature of the data held by these organizations.

(Figure: Global Ransomware Damage Costs)

Double Extortion: Adding Insult to Injury

As cybersecurity measures improved and organizations became more adept at securing their data, cybercriminals sought new ways to increase their chances of a successful ransom payoff. Enter double extortion – a strategy that involves not only encrypting the victim’s files but also exfiltrating sensitive data before the encryption takes place.

In a typical double extortion scenario, hackers gain access to an organization’s network, identify valuable or sensitive information, and siphon it off to their servers. Following this data exfiltration, the attackers encrypt the victim’s files and demand a ransom. If the victim refuses to pay, the threat actors threaten to release the stolen data, potentially exposing the organization to legal and reputational repercussions.

This dual-threat approach has proven highly effective for cybercriminals, as organizations are not only faced with the immediate threat of data loss but also the long-term consequences of potential data exposure. Double extortion has become so prevalent that it has evolved from a trend to a standard operating procedure for many ransomware groups.

Triple Extortion: Raising the Stakes

In a sinister escalation of tactics, some cybercriminals have taken double extortion a step further, introducing a triple threat to their victims. Triple extortion incorporates the elements of double extortion but adds a third layer of pressure by targeting the victim’s clients, partners, or other associated entities.

After exfiltrating sensitive data and encrypting the victim’s files, cybercriminals employing triple extortion tactics go one step further. They threaten to release the stolen data not only to the public but also to the victim’s customers or business partners, creating a cascading effect of potential damage. This introduces a new dimension of complexity and raises the stakes for organizations, making the decision to pay the ransom even more agonizing.

The Newcomer: Quadruple Extortion

As SEC and GDPR regulations place greater demands on companies (the four-day incident report, for instance), the pressure placed on companies by ransom groups will grow as well. Recently, a well-known group called ALPHV took an unusual step by filing a complaint with the U.S. Securities and Exchange Commission (SEC) against one of its victims for allegedly failing to disclose a data breach. The ransomware group, known for targeting organizations and demanding payment in exchange for stolen data, claims that some victims have not fulfilled their legal obligation to report the incidents to the SEC and other relevant authorities. The complaint signals a new tactic in the evolving landscape of cybercrime, where attackers leverage regulatory bodies to put pressure on victims. This development raises questions about the intersection of cybersecurity, legal obligations, and regulatory compliance in the face of escalating ransomware threats.

The Underground Economy of Ransomware

The success of ransomware attacks, especially those employing double and triple extortion, has fueled a thriving underground economy. Ransomware-as-a-service (RaaS) platforms even allow individuals with limited technical expertise to engage in cybercriminal activities. These platforms provide a marketplace for hackers to buy and sell ransomware tools and services, further democratizing the ransomware landscape.

The use of cryptocurrency, often Bitcoin, for ransom payments adds another layer of anonymity for cybercriminals. Cryptocurrencies facilitate untraceable transactions, making it difficult for law enforcement agencies to track and apprehend the perpetrators. The anonymous nature of these transactions also encourages the growth of ransomware attacks, as it minimizes the risk of getting caught.

Mitigating the Ransomware Threat

As ransomware threats continue to evolve, organizations must adapt their cybersecurity strategies to protect against these sophisticated attacks. Here are some key measures that can help mitigate the risk of falling victim to ransomware:

  1. Backups: Maintain regular backups of critical data and ensure their accessibility in the event of an attack. This enables organizations to restore their systems without succumbing to the pressure of paying a ransom.
  2. Employee training: Educate employees about the risks of phishing and social engineering attacks, as these are common entry points for ransomware. A well-informed workforce is the first line of defense against cyber threats.
  3. Network segmentation: Implement network segmentation to contain the spread of ransomware within an organization’s infrastructure. This can limit the extent of the damage in the event of a successful attack.
  4. Patch management: Keep software and systems up to date with the latest security patches. Cybercriminals often exploit vulnerabilities in outdated software to gain access to networks.
  5. Incident response plan: Develop and regularly test an incident response plan to ensure a swift and effective response in the event of a ransomware attack. This includes communication plans, legal considerations, and coordination with law enforcement.
  6. Collaboration and Information Sharing: Foster collaboration within the industry and share threat intelligence. Information sharing can help organizations stay ahead of emerging ransomware trends and tactics.
  7. Cybersecurity awareness programs: Promote a culture of cybersecurity awareness within the organization. Regular training sessions and simulated phishing exercises can help employees recognize and avoid potential threats.

Conclusion

Ransomware has evolved from a nuisance to a critical threat, with cybercriminals employing increasingly sophisticated tactics (in some cases nation-state-level capabilities) to maximize their profits. The rise of double and triple extortion has added layers of complexity and danger to these attacks, making them even more challenging for organizations to combat. This new method of extortion is an almost natural evolution. As the ransomware landscape continues to evolve, this battle will always revolve around technology, people, and processes. Proactive cybersecurity measures, employee training, and industry collaboration are essential for mitigating the risks and protecting against the potentially devastating consequences of these malicious attacks.

Although governments all over the world are very keen on aggressively countering the trend of ransomware, ransom groups will always use the soft spots of an organization and take sensitive information to make these organizations face difficult choices. The International Counter Ransomware Initiative cannot make every organization commit to this course of action if they never divulge the information, and it might even make the ransom demands go higher, because attack groups will have to compensate for ongoing daily losses of wallets, blacklisted assets, and infrastructure seized or destroyed.

This is why, at the end of the day, the best protection against ransomware is thorough preparation.

Want to learn more about how to protect your organization from ransomware threats? Contact us

4 Key Tips for CISOs on Planning a 2024 Cybersecurity Budget https://cyesec.com/blog/4-key-tips-cisos-planning-2024-cybersecurity-budget https://cyesec.com/blog/4-key-tips-cisos-planning-2024-cybersecurity-budget#respond Sun, 17 Dec 2023 11:15:10 +0000 Yaffa Klugerman https://cyesec.com/?p=9331 As 2023 draws to a close, cyberattacks proliferate, and budgets continue to rise, CISOs must develop and present a realistic cybersecurity financial plan that will help protect their organizations. Such a budget requires buy-in from board members and sets feasible goals for cyber risk reduction in 2024.

A truly optimized cybersecurity budget means that the highest return on investment will be achieved. Creating such a budget—and successfully explaining it and getting approval for it from executives—sounds like an impossible task. How can CISOs create and present a reasonable cybersecurity plan and budget to their boards?

To find out how this goal can be achieved, we spoke with CYE’s founder and CEO, Reuven Aronashvili, who offered these essential tips:

1.  Consider KPIs

When planning a cybersecurity budget, it’s important to consider three KPIs:

  • What is the current organizational cyber risk? To determine this, it’s important to understand how cyber risk is translated into financial risk. For example, it might be determined that a data breach could cost an organization as much as $200M.
  • How much of the risk is acceptable, and how much should be mitigated? Not all risk can or should be mitigated; residual risk is never zero. The CISO must determine how much risk should be reduced; for example, from $200M to $50M, and how much it would cost to do so. This price of mitigation then becomes the basis for the cybersecurity budget.
  • How much of the risk can be transferred to a third party? For example, if a company expects to be left with $50M of cyber risk after mitigation, then it might consider purchasing cybersecurity insurance for $30M, leaving $20M of organizational risk.

2.  Consider Complexity, Adjustments, Compliance, and ROI

When planning a cybersecurity budget, think about not just the cost of a tool, but also its complexity. What will be the effect on people, processes, procedures, and operational capabilities? These are important parameters to consider.

In addition, it’s essential to think of risk as dynamic and adjust the budget accordingly. For example, a retail company might decide that cyber risk in March is not as significant as cyber risk in busy December, which might threaten a sizeable number of sales. As such, the company may choose to allocate resources differently during the holiday season.

Any budget will need to prioritize regulatory requirements, since compliance is non-negotiable. For example, financial organizations will need to have Data Loss Prevention (DLP) to comply with various regulations; this is a given.

Finally, it’s important to only approve new initiatives according to your organization’s true needs. A thorough ROI analysis should be required for the purchase of every new tool to determine that it will be a worthwhile expense.

3.  Consider New Threats and Requirements

Any cybersecurity budget for 2024 should be sure to consider these new threats and requirements:

  1. Attacks are becoming much more personal, targeting C-level executives. For this reason, it’s important to budget for the personal protection of VIPs.
  2. Risk from AI has grown exponentially; any cybersecurity budget and strategy should consider how to mitigate this threat.
  3. Regulatory requirements are quickly becoming an offensive tool. For example, we have seen attackers threatening to report organizational non-compliance to the SEC. For this reason, it’s important to understand and comply with regulations so they don’t become weak points. In the event of a breach, it’s crucial to be proactive about communicating it to prevent extortion from attackers.
  4. Frameworks like NIST are adding requirements around governance, requiring management to play a greater role in cybersecurity. Consequently, budgets should have an emphasis on cyber risk management optimization and quantification in 2024.

4.  Be Absolutely Clear

By presenting acceptable residual risk, mitigated risk, and transferred risk to the board, a CISO can be very clear about

  • The goals for cybersecurity in 2024
  • Which specific projects will help the organization achieve those goals
  • How long those projects will take
  • How much they will cost

With this clarity, the budget discussion becomes easy: The board can truly understand cybersecurity risk and what to do about it. Consequently, accountability is shared with the relevant decision makers.

Want to learn more about building a 2024 cybersecurity strategy and budget? Watch our webinar.

How Hyver’s Cyber Risk Quantification Can Help Security Leaders (Infographic) https://cyesec.com/blog/how-cyber-risk-quantification-can-help-security-leaders-infographic https://cyesec.com/blog/how-cyber-risk-quantification-can-help-security-leaders-infographic#respond Tue, 12 Dec 2023 14:05:14 +0000 Yaffa Klugerman https://cyesec.com/?p=8921 The Power of Cyber Risk Quantification

Cyber risk quantification (CRQ) enables CISOs and security leaders to discuss the organization’s current risk exposure with the leadership team and risk officers using business terms. By using a common language, leaders across the organization can decide how to prioritize cybersecurity investments, plan the budget, and meet overarching business goals.

How can Hyver, CYE’s optimized cyber risk quantification solution, help different security leaders? Check out this infographic for more information.

[Infographic: CRQ for security leaders]

Would you like to learn how to choose the right CRQ solution? Download the Buyer’s Guide to Cyber Risk Quantification Solutions: Top Questions to Ask.

The Role Experience Plays in Risk Mitigation https://cyesec.com/blog/role-experience-plays-risk-mitigation https://cyesec.com/blog/role-experience-plays-risk-mitigation#respond Mon, 11 Dec 2023 10:29:44 +0000 Mike Wilkes https://cyesec.com/?p=9137 Without intending to be trite, there is a very important role that experience plays in the mitigation of risk. Experience comes into play when you are tasked with prioritizing risks. If you have zero experience in cybersecurity risk management, two critical vulnerabilities have equal weight and importance. But not all critical vulnerabilities can or will be weaponized and exploited. And not all critical vulnerabilities will result in a breach or security incident. This is the difference between a priori and a posteriori vulnerability management. To be effective at mitigating risk, we need to find ways to make intelligent use of experience in running our infosec programs. We need to use not just our own experience, but also the experience of others. This is a form of collective resilience that is crucial to defending against nation-states, organized crime and, like it or not, bored teenagers attacking and breaching companies just for the lulz, like LAPSUS$. This blog post aims to help identify some ways in which we can better prioritize our efforts.

From Wikipedia:

A priori (‘from the earlier’) and a posteriori (‘from the later’) are Latin phrases used in philosophy to distinguish types of knowledge, justification, or argument by their reliance on experience. A priori knowledge is independent from any experience. Examples include mathematics, tautologies, and deduction from pure reason. A posteriori knowledge depends on empirical evidence. Examples include most fields of science and aspects of personal knowledge.

Research into patching cadence by Michael Roytman of Kenna Security (since acquired by Cisco), analyzed by the Cyentia Institute’s Wade Baker, has surfaced a metric: most organizations are able to remediate 50% of their vulnerabilities within 30 days of the patch becoming available. That’s not good enough for CISOs and their senior leadership teams to sleep well at night. There are more and more vulnerabilities discovered and disclosed every day. Closing half of them every month is not a winning strategy. Oddly enough, the severity of the vulnerabilities does not influence the patching cadence. A reasonable assumption would be that critical vulns get remediated more quickly than lower-severity vulns. This is not the case. Combine that with the fact that the patch cadence cannot be accelerated, because teams are generally unable to acquire additional resources for performing security updates and the requisite QA and testing of those updates, and we can see that infosec teams cannot hope to keep pace with the exposures that are a priori critical risks.

Rather than take a mindless brute force effort to remediate risk, we need to drop our obsession with the prioritization of work based on severity alone. Instead, we need to focus on exploitability. If we can only remediate half of the vulns for a given month of Microsoft Patch Tuesday updates and other security fixes, let’s make sure we put our time into patching what matters based on the likelihood that it will be used in a successful attack on our infrastructure, applications, and APIs. We need to come up with a solid empirical (aka a posteriori) basis for prioritizing our infosec team’s attention and efforts. How can we patch more judiciously? Meaning, how can we address the most likely paths to breach rather than trying to tackle 100% of critical and high vulnerabilities?

Exploit Prediction Scoring System (EPSS) for Vulnerability Management

Thankfully, this kind of thinking and data-driven machine learning analysis has already been in place for a few years now, and EPSS v2 is available as an open-source model. I first learned about EPSS in 2019 when v1 was published and presented at a security conference where I was giving a talk that was followed by Michael Roytman’s session on EPSS. Since then, the model received a nice “bump” in exploit and incident response data when Cisco acquired Kenna Security and the Cisco proprietary DFIR (Digital Forensics and Incident Response) data was added for training the ML algorithm and model. The model got a lot better. What does that mean exactly? It means that we can patch less, yet remediate more risk. Remediating exploitable vulns (or those highly likely to become exploitable, given code snippets and evidence discovered in the wild) helps us address the resource constraints and testing challenges that plague security teams the world over.
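To make the “patch less, remediate more risk” argument concrete, here is an added example of the two prioritization strategies side by side. It is not code from this post, from CYE, Kenna or FIRST; the backlog, its placeholder identifiers (VULN-A and so on, not real CVE numbers) and its CVSS and EPSS values are constructed so that severity and exploit likelihood disagree, as the research above says they often do. Real EPSS scores would come from FIRST’s published daily feed rather than being typed in by hand.

```python
"""Severity-based versus exploitability-based patch prioritization.

Added illustration; not code from the blog post, CYE, Kenna or FIRST.
The vulnerability records below are constructed for the example: the
identifiers are placeholders, and the CVSS and EPSS values are invented
to show the effect, not taken from any real advisory.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str   # placeholder identifier, not a real CVE number
    cvss: float    # severity score (0-10)
    epss: float    # EPSS: probability of exploitation in the next 30 days


# Constructed backlog: a Patch Tuesday-sized batch in which the most
# severe findings are not the ones most likely to be exploited.
BACKLOG = [
    Vuln("VULN-A", 9.8, 0.02),
    Vuln("VULN-B", 9.1, 0.01),
    Vuln("VULN-C", 8.8, 0.65),
    Vuln("VULN-D", 7.5, 0.40),
    Vuln("VULN-E", 7.2, 0.03),
    Vuln("VULN-F", 6.5, 0.55),
    Vuln("VULN-G", 5.3, 0.30),
    Vuln("VULN-H", 4.3, 0.01),
]


def by_severity(vulns):
    """The traditional ordering: highest CVSS first."""
    return sorted(vulns, key=lambda v: v.cvss, reverse=True)


def by_exploitability(vulns):
    """The a posteriori ordering: highest EPSS first."""
    return sorted(vulns, key=lambda v: v.epss, reverse=True)


def above_threshold(vulns, threshold):
    """Threshold triage: everything whose EPSS meets the cut, in backlog order."""
    return [v for v in vulns if v.epss >= threshold]


def plan(vulns, capacity, ordering):
    """Select what the team can actually patch this cycle under an ordering."""
    return ordering(vulns)[:capacity]


def exploit_exposure(vulns):
    """Expected number of exploited vulns among those left unpatched
    (sum of the individual 30-day exploitation probabilities)."""
    return sum(v.epss for v in vulns)


def risk_remaining(backlog, patched):
    patched_ids = {v.vuln_id for v in patched}
    return exploit_exposure([v for v in backlog if v.vuln_id not in patched_ids])


def compare(backlog, capacity):
    """Compare the exposure left behind by each strategy at equal effort."""
    sev = plan(backlog, capacity, by_severity)
    epss = plan(backlog, capacity, by_exploitability)
    return {
        "total": round(exploit_exposure(backlog), 2),
        "remaining_by_severity": round(risk_remaining(backlog, sev), 2),
        "remaining_by_epss": round(risk_remaining(backlog, epss), 2),
        "severity_plan": [v.vuln_id for v in sev],
        "epss_plan": [v.vuln_id for v in epss],
    }


if __name__ == "__main__":
    # The post's figure: the team can only close half the backlog this month.
    print(compare(BACKLOG, capacity=len(BACKLOG) // 2))
```

With the same four patches of effort, the severity ordering leaves 0.89 expected exploited vulns on the table while the EPSS ordering leaves 0.07; the CVSS 9.8 and 9.1 findings are deferred because, in this constructed batch, almost nobody is exploiting them.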

[Figure: EPSS comparison]

Credit: https://www.first.org/epss/model

How Attack Path Analysis Helps

So we’re now in a position to prioritize our vulnerabilities based on an increasingly sophisticated machine learning model. We no longer have to suffer under the mindless rubric of patching all criticals and highs within 30 days (which was demonstrably not happening anyway). And for better or for worse, the new SEC disclosure regulations will require more breaches and security incidents to be disclosed, which adds even more data to the collective awareness of infosec teams and exploited vulns. But this is still just a generic improvement to the work of vulnerability management and remediation of risk for our companies. It is definitely a welcome improvement with regard to prioritization, but there is yet another powerful approach to be brought to bear on the problem of prioritization: attack path analysis. Experience can also be applied from historical DFIR case analysis to identify the routes that attackers take or their path to successful exploitation.

You’ve undoubtedly already heard the phrase “kill chain” when talking about threat actors and how we need to disrupt their sequence of reconnaissance, weaponization, delivery, exploitation, and exfiltration. Each of these steps in an attack can be met with detection and, with the right tools, disruption. Attack path analysis should be tailored to your organization’s specific application stack and set of libraries, tools, and assets. Mitigation of risk can be achieved not only by going after just those vulnerabilities which are exploitable, but also by going after just those critical junctures that matter in your stack. Optimized mitigation of risk should be based on an enriched view (aka metadata) of your assets, their value, and their importance to the business.

Example of Hyver Risk Dashboard

[Screenshot: Hyver Risk Dashboard]

In the above Hyver screenshot, you can begin to see the value of risk quantification beyond just the identification of CVEs and assignment of CVSS and EPSS scores. The dashboard speaks a fundamentally different language of risk: dollar value. Effective cybersecurity risk management has been languishing for years without the full support of executive management because they just didn’t understand the crazy “moon language” that infosec professionals speak. But modern governance of risk needs to include an increasingly large dose of cybersecurity risk. And while it is a laudable goal to ask boards of directors to step up and get some cybersecurity acumen, that will take time. Creating and sharing a view of an organization’s risk posture in terms that the senior executives can readily understand is an excellent way to bring everyone into alignment about risk. We must present the options for addressing risks with focused projects to add process capabilities and fundamentally raise the bar on an organization’s maturity around managing risk, both cyber and non-cyber.

Experience matters, whether that means selecting the best candidate from a pool of applicants or selecting tools that deliver insights and actionable intelligence around risk. Your processes only get better when you invest in your people and when you invest in your tools. For a lot of tool choices out there, I am quite vendor-agnostic. You can implement any tool poorly and waste your money chasing a silver-bullet solution that promises the world. But in the same vein, you have the possibility to implement any tool well, get beyond the 1.0 level of implementation, and reach a 2.0 and 3.0 level of control and observability that amplifies your security posture. This is what is meant when we say we need to accomplish more with less.

Cybersecurity Predictions: What We Can Expect in 2024 https://cyesec.com/blog/cybersecurity-predictions-what-we-can-expect-2024 https://cyesec.com/blog/cybersecurity-predictions-what-we-can-expect-2024#respond Thu, 30 Nov 2023 12:08:41 +0000 Yaffa Klugerman https://cyesec.com/?p=8917 As cyber threats continue to multiply, the importance of robust cybersecurity has never been greater. While 2023 was a year of new regulations, an escalating sophistication of ransomware attacks, and a proliferation of Internet of Things (IoT) devices, the cyber challenges and threats of 2024 promise to be even more demanding.

What sorts of cyber threats will organizations confront in the coming year? We asked our CYE experts what security teams should expect. Here are their predictions.

More AI-Enabled Threats

Artificial Intelligence has evolved into a double-edged sword in the digital era. While it has empowered us to create systems capable of processing and analyzing data at unprecedented speed and accuracy, it has also armed cybercriminals with tools for crafting more intricate and targeted attacks.

As a result, the quality, accuracy, and sophistication of social engineering, phishing, and human-related attacks are expected to increase significantly in 2024. Attacks will become even more personal, targeting individuals in order to gain access to companies.

Attacks on the Supply Chain and Service Providers

As in 2023, supply chain attacks will continue to rise in the coming year. In particular, states will persist in launching supply chain attacks to reach their main targets. The appeal of such attacks to cybercriminals is that using a third party as a “proxy” provides legitimate access to the target, allowing a high level of confidentiality and deniability. Malicious actors are expected to continue targeting service providers, software providers, and large, market-leading vendors.

Attacks Targeting OT and ICS Environments

The geopolitical situation that started in 2022 with the Russia-Ukraine War, together with the present overall geopolitical climate, has generated techniques and tools that focus on the Operational Technology (OT) part of organizations. Consequently, in the coming year, we expect to see a significant increase in attempts and attacks against OT and Industrial Control Systems (ICS) environments. In addition, the relatively lower cybersecurity maturity in those environments will elevate the expected impact and losses for compromised organizations.

Cyberattacks as Weapons of War

In the past few years, we have witnessed a dramatic shift in the usage of cyber as a weapon of war. This has occurred for two primary reasons:

  • Significant development of cyber capabilities to create damage and chaos, such as CNA (computer network attacks) and CNE (computer network exploitation) attacks
  • Countries can execute attacks with little risk of retaliation; they can always deny them.

These attacks can take various forms, including the deployment of ransomware, malware, and distributed denial-of-service (DDoS) attacks. They can target traditional military targets, as well as civilian infrastructure, financial systems, and communications networks. In the coming year, we will continue to see this trend as state and non-state actors seek to gain a strategic advantage or disrupt the operations of adversaries.

Increase in Ransomware as a Service (RaaS)

With Ransomware as a Service, creators of ransomware lease out their malicious software to others, allowing them to launch attacks without having the technical know-how to develop the malware on their own. The creators customize and deploy the ransomware, and they typically take a percentage of the ransom payments.

During the Russia-Ukraine war, we witnessed extensive use of RaaS groups by Russia for deniability purposes. In the coming year, we will likely see much more of this extremely fast-rising phenomenon.

Attacks on Multiple Targets

Malicious actors often target multiple entities to cast a wider net and increase their chances of success. As such, we expect to see an increase in the following targets in 2024:

  • Endpoints: The rise of remote work and of devices connecting to corporate networks have made endpoints (such as laptops, mobile phones, and tablets) prime targets for cybercriminals.
  • Cloud: As organizations transition their operations to the cloud, it becomes a prime target for cyberattacks.
  • IoT: The Internet of Things (IoT) connects billions of devices globally, offering opportunities for innovation and efficiency. However, many IoT devices lack adequate security, making them susceptible to cybercriminals.
  • Mobile devices: As mobile devices become ubiquitous, they have become prime targets for cyberattacks. Implementing robust mobile security measures, such as regular software updates, strong passwords, and multi-factor authentication, is imperative for protection.
  • Automotive: Modern vehicles incorporate various electronic systems that enhance safety and convenience, but they also provide new opportunities for cybercriminals.

Increased Cyber Risk Quantification

To help prioritize the mitigation of cyber threats and help comply with regulations, we predict that more organizations will invest in cyber risk quantification. Quantifying cyber risk is vital for making informed decisions on cybersecurity resource allocation. Organizations can enhance their cyber risk quantification efforts by investing in advanced analytics tools and gaining a comprehensive understanding of their risk landscape.

Want to learn more about what to expect in 2024 and how to adjust your security budget accordingly? Watch our webinar.

The Complete Guide to Cyber Risk Quantification https://cyesec.com/blog/the-complete-guide-to-cyber-risk-quantification https://cyesec.com/blog/the-complete-guide-to-cyber-risk-quantification#respond Thu, 30 Nov 2023 09:53:34 +0000 CYE https://cyesec.com/?p=4710 What is Cyber Risk Quantification?

Cyber risk quantification is the process of calculating an organization’s risk exposure and the potential budgetary impact of that risk in business-relevant terms. In other words, it describes cyber risk in monetary terms.

Cyber risk quantification is essential today. With the cost of cybercrime rising rapidly and predicted to reach $10.5 trillion by 2025, executives have increased their expectations. They now expect security leaders to not only ensure organizational cybersecurity, but also to justify the costs. Yet in most organizations there is a misalignment between security strategy and business objectives, and the security team often does not communicate effectively with the C-suite and the board. As a result, security leaders struggle to make business leaders understand that security is a business enabler rather than an unnecessary expenditure.

Cyber risk quantification has recently gained traction as a way to bridge the gap between the security and business realms. However, it is a poorly understood concept. Early attempts at cyber risk quantification involved simply filling out a checklist or questionnaire. In reality, it is a much more complex process, made doubly difficult when trying to calculate the potential financial and business ramifications of possible cyberattacks.

Why Cyber Risk Quantification is Necessary

Cyber risk quantification fulfills a key function in organizations: it bridges the gap between technical and business discussions. It allows business decision makers to understand the impact of cyber threats and helps security teams prioritize remediation efforts. Armed with the results of cyber risk quantification, business owners, CFOs, CEOs, and boards can understand the organization’s risk in monetary terms. The use of a common language lets both technical and business leaders prioritize spending and measure the overall effectiveness of the cybersecurity program.

The practice of conducting cyber risk quantification is not just good business: it will soon be the law. The U.S. Securities and Exchange Commission recently proposed stronger rules for reporting cyberattacks, with the expected outcome of increasing the accountability of senior management for cybersecurity. The board and executives will now need to increase their knowledge of cybersecurity not only from a technical point of view but also in terms of risk and business exposure. They will need to quantify and manage corporate risk at a scale never before seen.

Cyber risk quantification will not only empower the board and C-suite to see the risk landscape; it will also enable the security team to make cybersecurity decisions in the context of business imperatives. They will be able to determine which risks pose the biggest threat to the organization’s business, and what the expected economic loss would be. Based on this information, they can assess current security investments and prioritize the steps needed to reduce cybersecurity risk.

What a Cyber Risk Quantification Strategy Entails

A cyber risk quantification strategy involves understanding precisely which threats are present or will likely occur in the cyber landscape, and what business assets are at risk. A thorough assessment involves multiple steps. Many are difficult to carry out, and most are based on probabilities. The basic process is as follows:

  1. Map out critical business assets and their value. Include all environments: on-premises assets, those on the perimeter, assets in the cloud, and operational technology (OT).
  2. Identify each likely threat to each critical asset and calculate the probability that it will occur.
  3. Determine the potential damage the business would incur if the threat were successful.
  4. Calculate damage beyond immediate costs, including productivity loss, brand and reputation damage, and the cost of responding, replacing assets, and paying fines and judgments.
  5. Finally, determine the vulnerability of each asset to each threat. This involves assessing the strength of your defenses, controls, and processes in the event of an actual threat.

Once the cyber risk quantification model has all the above information, it will report a basic financial risk metric that allows the team to compare various options when planning security investments and remediation.
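The five steps above can be carried through as a small expected-loss model. The following is an added worked example, not the guide’s own method nor Hyver’s model: every asset, threat, probability, loss figure and control strength in it is constructed to show the arithmetic, and the independence of threats and the single “control strength” number per asset are simplifying assumptions. Each asset’s annual expected loss is the sum over its threats of P(attempt) × P(success given defenses) × (direct + indirect damage), capped at the asset’s value, and the same model then compares two candidate mitigations by risk reduced per dollar.

```python
"""A minimal cyber risk quantification (CRQ) model following the five steps
above: assets with value, threats with probability, direct damage,
indirect damage, and the vulnerability of each asset to each threat.

Added worked example; not the guide's or Hyver's model.  All figures are
constructed: annual threat probabilities, losses and control strengths
are invented to show the arithmetic, not drawn from any dataset.
Assumptions: threats are independent, and one control strength per asset
stands in for a per-threat vulnerability assessment.
"""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    annual_probability: float   # step 2: chance the threat is attempted this year
    direct_loss: float          # step 3: immediate cost if the attempt succeeds
    indirect_loss: float        # step 4: downtime, churn, fines, response, brand


@dataclass
class Asset:
    name: str
    environment: str            # on-prem, perimeter, cloud or OT (step 1)
    value: float                # step 1: what the asset is worth to the business
    control_strength: float     # step 5: probability the defenses stop an attempt
    threats: list = field(default_factory=list)


def expected_annual_loss(asset):
    """Sum over threats of P(attempt) * P(success | defenses) * total damage,
    with total damage capped at the asset's value."""
    total = 0.0
    for t in asset.threats:
        p_success = t.annual_probability * (1.0 - asset.control_strength)
        damage = min(t.direct_loss + t.indirect_loss, asset.value)
        total += p_success * damage
    return total


def portfolio_risk(assets):
    """The organization-level financial risk metric the model reports."""
    return sum(expected_annual_loss(a) for a in assets)


def rank_assets(assets):
    """Critical assets first: the ones carrying the most expected loss."""
    return sorted(assets, key=expected_annual_loss, reverse=True)


def mitigation_roi(assets, asset_name, new_control_strength, cost):
    """Expected loss avoided per dollar spent strengthening one asset's controls."""
    before = portfolio_risk(assets)
    after = 0.0
    for a in assets:
        if a.name == asset_name:
            hardened = Asset(a.name, a.environment, a.value, new_control_strength, a.threats)
            after += expected_annual_loss(hardened)
        else:
            after += expected_annual_loss(a)
    return (before - after) / cost


# Constructed inventory spanning cloud, OT and perimeter environments.
ASSETS = [
    Asset("customer-db", "cloud", 50_000_000, 0.6, [
        Threat("ransomware", 0.30, 2_000_000, 6_000_000),
        Threat("data theft", 0.20, 1_000_000, 9_000_000),
    ]),
    Asset("plant-plc", "OT", 20_000_000, 0.3, [
        Threat("sabotage", 0.05, 4_000_000, 10_000_000),
    ]),
    Asset("public-website", "perimeter", 5_000_000, 0.8, [
        Threat("defacement/DDoS", 0.50, 100_000, 400_000),
    ]),
]


if __name__ == "__main__":
    for a in rank_assets(ASSETS):
        print(f"{a.name:15s} {a.environment:10s} expected annual loss ${expected_annual_loss(a):,.0f}")
    print(f"portfolio expected annual loss ${portfolio_risk(ASSETS):,.0f}")
    # Two candidate projects, compared on risk reduced per dollar.
    print("harden customer-db to 0.8 for $500k:", round(mitigation_roi(ASSETS, "customer-db", 0.8, 500_000), 2))
    print("harden plant-plc to 0.7 for $300k:  ", round(mitigation_roi(ASSETS, "plant-plc", 0.7, 300_000), 2))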

“Seeing the breakdown of costs – and the timeline of when they would need to be paid out – helps companies plan for such expenditures and better understand how their cyber exposure figure was calculated.”

Inbar Ries, Chief Product Officer at CYE

The Problems with Traditional Cyber Risk Quantification Tools

Several cyber risk quantification tools have come onto the market in recent years, but they are largely manual and subjective. They produce misleading risk scores that neither reflect the real-world security posture of the organization nor account for the dynamic nature of the cyber threat landscape. A security team that bases its assessment on faulty or inadequate results can easily waste time and money prioritizing defenses against threats with no material impact on the business.

Traditional cyber risk quantification tools lack four key components:

Risk Context:

Many traditional tools are unable to correctly estimate which vulnerabilities an attacker is most likely to exploit. Without proper context, the team can lose focus and spend energy addressing vulnerabilities that are unlikely to be exploited.

Financial Context:

Many traditional tools include only direct costs, failing to account for costs related to detection and escalation, notification, post-breach response, or brand impact. Many also ignore the secondary costs of “vendor impact” where, for example, a business sells software that is responsible for a data leak, which can result in lawsuits.

Breadth:

Cyber risk quantification models need to look at all parts of the organization, including on-premises, cloud, perimeter, and OT. Traditional tools generally only focus on one part of the organization, resulting in “guesstimates” as to which threats are most likely to impact critical data.

Coherence:

Lots of tools generate data, but data does not equal visibility; rather, too much data from too many tools creates a firehose of information that can overwhelm the security team. As the attack surface increases over time due to migration to the cloud, increased use of OT, and digital transformation, traditional tools can only leave the security team overwhelmed and unable to obtain the remediation guidance needed to reduce risk.

Characteristics of Effective Cyber Risk Quantification Models

A truly effective cyber risk quantification model understands and parses the data, deriving a risk score that has meaning and is easily communicated to the C-suite and the board. It takes into account constantly evolving and newly emerging threats, providing built-in automated and continuous visibility into the cybersecurity landscape.

Once the required information (assets and value, likely threats and probabilities, potential damage, and vulnerability of critical assets) is plugged into the model, the immediate output is a metric indicating organizational risk. At this point, optimal cyber risk quantification models will also incorporate data to assess the attack likelihood for each business asset, calculating the specific probability of each business asset being breached and the associated cost.

Highly effective cyber risk quantification models will map out possible attack routes to each critical asset along with their probabilities. Using AI, the model will consider all relevant data: this includes multiple factors such as type of attacker, business assets at risk, the environment and current threat landscape, and the impact of vulnerabilities.

The model should provide realistic views of all possible attack routes. This level of visibility helps the security team reduce overall exposure, prioritize actions, and take proactive measures to reduce the likelihood of becoming a cyberattack victim. Perhaps most importantly, the model should prioritize vulnerability and problem mitigation efforts based on the extent to which they actually reduce risk. This makes it possible for CISOs and security professionals to stop relying on ineffective severity-based (or in many cases gut-based) approaches for prioritizing mitigation, which are detached from risk modeling.
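The attack path analysis described in the earlier post on experience (disrupting a kill chain at the junctures that matter in your stack) and the attack-route mapping described just above both reduce to the same calculation: each route to a critical asset is a chain of steps the attacker must pass, the route’s probability is the product of the step probabilities, and the asset’s breach probability combines the routes. The block below is an added example of that calculation, not Hyver’s model or CYE’s code; the routes, step names and probabilities are constructed, and the independence of steps and of routes is an assumption. Its last function answers the question the passage raises: which single hardened step lowers the asset’s breach probability the most, which is generally a step shared by several routes rather than the most severe vulnerability on any one of them.

```python
"""Attack-route probabilities and mitigation ranking for one critical asset.

Added illustration; not the guide's or Hyver's model.  Routes, step names
and probabilities are constructed.  Assumptions: each step on a route is
passed independently, and routes are independent of each other.
"""
from itertools import chain

# Each route is an ordered list of (step, probability the attacker passes it).
# Constructed example: three ways an attacker could reach the customer DB.
ROUTES = {
    "phishing-to-db": [("phish user", 0.6), ("escalate on workstation", 0.5),
                       ("move laterally to db host", 0.4), ("exfiltrate", 0.9)],
    "vpn-to-db":      [("exploit vpn appliance", 0.3),
                       ("move laterally to db host", 0.4), ("exfiltrate", 0.9)],
    "vendor-to-db":   [("compromise vendor account", 0.2),
                       ("abuse vendor access", 0.7), ("exfiltrate", 0.9)],
}


def route_probability(steps):
    """P(route succeeds) = product of the per-step pass probabilities."""
    p = 1.0
    for _, prob in steps:
        p *= prob
    return p


def asset_breach_probability(routes):
    """P(at least one route succeeds) = 1 - prod(1 - P(route))."""
    p_no_breach = 1.0
    for steps in routes.values():
        p_no_breach *= 1.0 - route_probability(steps)
    return 1.0 - p_no_breach


def apply_control(routes, step_name, new_prob):
    """Routes after a control lowers one step's pass probability everywhere it occurs."""
    return {name: [(s, new_prob if s == step_name else p) for s, p in steps]
            for name, steps in routes.items()}


def rank_controls(routes, new_prob=0.1):
    """Rank single hardened steps by how much they lower the breach probability.

    Returns (step, reduction) pairs, largest reduction first.  Steps shared by
    several routes tend to win: they are the critical junctures in the stack.
    """
    baseline = asset_breach_probability(routes)
    steps = {s for s, _ in chain.from_iterable(routes.values())}
    gains = []
    for s in sorted(steps):
        reduced = asset_breach_probability(apply_control(routes, s, new_prob))
        gains.append((s, round(baseline - reduced, 4)))
    return sorted(gains, key=lambda g: g[1], reverse=True)


if __name__ == "__main__":
    for name, steps in ROUTES.items():
        print(f"{name:15s} P(success) = {route_probability(steps):.3f}")
    print(f"asset breach probability = {asset_breach_probability(ROUTES):.3f}")
    for step, gain in rank_controls(ROUTES):
        print(f"harden '{step}': breach probability falls by {gain:.4f}")
```

In the constructed data, hardening the shared “exfiltrate” step (for example, with egress monitoring and DLP) cuts the breach probability from about 0.30 to under 0.04, far more than closing the single highest-probability entry point, which is the point the passage makes about prioritizing by actual risk reduction.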

Quantifying the Cost of a Data Breach

Quantifying the cost of a data breach is no longer a simple matter of multiplying containment costs by the cost of regulatory fines, as insurers often do to predict loss. Factors and focus matter.

Factors to include:

  • The cybersecurity posture of the organization
  • The entire attack surface
  • Direct and indirect costs – e.g., website downtime, customer churn, lost productivity
  • Related third party costs – e.g., reporting requirements, legal fees, lawsuits

Focus:

  • Keep focus on the most critical/expensive assets, at highest risk
  • Calculate asset value based on revenue, industry, historical data, and specific costs to the company (asset value, associated breach costs such as customer churn, downtime, lost IP)
  • Prioritize mitigation based on cost to the organization as well as the cost to reduce threats
  • Use a cyber risk quantification model with a built-in, continuously updated breach calculator

“Companies need to think about the worst-case scenario if any parts of their businesses are attacked and put a dollar value on it.”

Reuven Aronashvili, Founder and CEO, CYE


Benefits of Cyber Risk Quantification

Cyber risk quantification yields a wealth of both tactical and strategic benefits. They include:

Resource and budget allocation

Cyber risk quantification lets the organization better understand the cost of threats and their eventual remediation, informing investment decisions. For example, the ROI of specific cybersecurity programs can be demonstrated through measurement of the extent to which they reduce the level of breach risk. This can help justify future security investments.

Action plans

Cyber risk quantification equips the team to prioritize mitigation planning in full alignment with financial and business impact. A thorough understanding of which critical assets are specifically at risk, as well as the attack routes, breach and mitigation costs, enables the organization to plan and prioritize prevention and mitigation plans. Closing specific key cyber gaps to avert those attacks is a more efficient method than simply employing blanket solutions.

Communication

A key benefit of cyber risk quantification is that it defines the organization’s security posture in financial and business terms. When a common language bridges the security and business realms, management can better understand the organization’s risk posture and make more informed decisions about reducing risk. Cyber risk quantification equips the executive team to answer key questions such as:

  • Are we secure, based on the actual vulnerabilities that are worth addressing?
  • Are we spending enough, and in the right places?
  • Are our investments effective?

Risk that is quantified can be reduced. This is key to changing the perception that security spending is just a cost; now it emerges as a business enabler.

Overall Improved Security

Cyber risk quantification, done right, makes the organization as a whole more secure. It provides the ability to track, report, benchmark, and optimize the security effectiveness of the security team’s efforts. By reducing risk, improving security investments, and prioritizing mitigation efforts, it helps the organization save both time and money.

Cyber Risk Quantification with CYE

CYE’s optimized cyber risk quantification platform, Hyver, delivers all the above benefits of cyber risk quantification. It turns complex investment decisions into simple equations, enabling security leaders to determine realistic cybersecurity investments that consider both the cost of a possible incident and the cost of remediation. Resulting mitigation plans prioritize actions according to specific business considerations and goals such as fiscal impact, security maturity, and loss exposure.

Hyver produces a risk calculation backed by data from numerous real-world security assessments. Because Hyver generates much of the data itself, without relying on the organization’s input (like many other risk quantification tools), the result is an objective, reliable calculation rather than a subjective assessment.

With Hyver’s cyber risk quantification, security teams can communicate cyber risk in business terms. This allows management to make informed decisions about reducing risk, fully aware of the costs and benefits. Decisions are based on facts instead of guesses.

Finally, Hyver’s cyber risk quantification helps organizations understand their true cyber risk, identifies possible attack routes, and determines the key cyber gaps that must be closed. This lets security teams track, benchmark, and optimize their security investments. With a clear view of investments and expected ROI, teams can focus on what matters the most for the organization.

Cognitive Risk in the Boardroom: The Hidden Cyber Challenge

https://cyesec.com/blog/exploring-cognitive-risk-in-the-boardroom | Thu, 16 Nov 2023 11:52:16 +0000 | Mike Wilkes

As infosec professionals, we are constantly hearing the phrase “risk-based approach” when looking at our options for ways to mitigate vulnerabilities and reduce our exposure to business disruption, whether that is by cyberattacks or natural disasters. It occurred to me recently to wonder: what is not a risk-based approach? The first example that comes to mind is a hype-based approach, where you go after exposures based on how much vendor hype is allocated to a risk or vulnerability. There are certainly examples of this in our industry, and it’s not my intent to talk about them right now. I do, however, want to pull on the idea that we need to have an unshakeable focus on real risk when thinking about cybersecurity.

The Dimensions of Cyberspace

In my work teaching cybersecurity and creating courses on threat intelligence and cybersecurity analytics at NYU over the last few years, I have developed an analysis that casts the discussion of cyber risk management as having three dimensions:

  • Physical – the core infrastructure of hardware and software
  • Informational – the content or data, both at rest and in transit
  • Cognitive – the values, beliefs, intentions and perceptions of individuals and groups

I collapse virtual and physical into just the physical dimension because at the end of the day, all virtual systems run as software on some physical system somewhere, so there is no need to maintain that as a separate dimension. It is useful to point out that the informational dimension is where cyber personas reside: digital representations of individuals or other entities that use cyberspace and have one or more identities that can be identified, attributed and acted upon. But it is my firm belief that it is the cognitive dimension which does not receive enough attention and discussion. Furthermore, I have come to believe that executive cognitive risk is one of the areas where we need to work most urgently. Good governance of cybersecurity risk requires the top of the org chart to better understand the nature of cybersecurity risks and their effective mitigations. NIST has added “Govern” as a sixth category to the Cyber Security Framework v2.0 with good reason, as it informs and directs the efforts in the other five categories.

Increasingly, board members are being asked to think like chief risk officers, whether they have the skills and experience or not. The cybersecurity risks demonstrated by supply chain attacks against SolarWinds, Kaseya, Microsoft Proxy-Logon, Storm-0558 and Okta illustrate that all senior executives can expect to be increasingly held accountable. The SEC case against SolarWinds and its CISO is just the beginning of what promises to be a long line of prosecutions and trials.

What Is Cognitive Risk?

This cognitive dimension of cyberspace provides the societal, cultural, religious, and historical contexts that influence the perceptions of those producing content and those consuming it. Governments, criminals, activists, and hackers all think, perceive, visualize, understand, and decide within this dimension. Cognitive risk has many components such as the infamous “too big to fail” in the financial services industry, or a bias towards prevention in compliance frameworks and controls that leaves precious little budget for detection and response capabilities once a breach occurs.

Among the many characteristics of cognitive risk is confirmation bias, which is especially important in board governance environments where most directors are not subject matter experts on cybersecurity. Confirmation bias is a phenomenon whereby we actively seek out and assign more weight to evidence that confirms our hypothesis and ignore evidence that could refute our hypothesis. One such belief is thinking that our company won’t be breached or compromised. By now we should all have heard the mantra that compromise is not a matter of if, but rather just a matter of when. We should not speak about breach likelihood but rather breach cadence. Some companies seem to be compromised every six months, whereas others are only being successfully attacked and breached every five years or so.

How can boards provide effective challenge to their security programs if they don’t yet comprehend the fundamentals of cybersecurity?

Understanding cyber risk is a relatively new ask of executive management and boards of directors. A seat has been made at the proverbial table for the CISO and infosec professionals, but few board members are able to understand the crazy “moon language” of CVEs, CVSS scores, IOCs (Indicators of Compromise) and TTPs (Tactics, Techniques and Procedures). In many cases, board members are simply not even asking the right questions about failure and risk. How can boards provide effective challenge to their security programs if they don’t yet comprehend the fundamentals of cybersecurity? How can we empower board members to question a hype-based approach to risk management (and not fall victim to it themselves)?

Any discussion of cognitive risk also must entail discussing systemic risk. Systemic risk is an emergent property of complex systems. It is not rooted in any one component of these systems that comprise our digital economy, but rather in the density of connections and dependencies between all of the “nodes” in the network. One of the major elements of cybersecurity risk management is to be aware of and to design trustworthy and resilient systems with an eye towards addressing systemic risk. A deep dive into the nature and properties of systemic risk is beyond the scope of this article. I will leave that for a subsequent post.

Together, cognitive risk and systemic risk in the boardroom can exacerbate the consequences of an unforeseen event. In February of 2021, Texas nearly dropped off the grid due to a severe winter storm. The citizens of Texas were a few seconds away from returning to the Stone Age had there been a “black start” event where the entire electrical grid experiences a cascade failure and collapse. After the storm, the very next meeting of ERCOT (Electric Reliability Council of Texas) saw half of its board members resign. This is an example of both cognitive risk (the board discussed the storm for only 40 seconds in their meeting before the storm) and systemic risk, because rolling blackouts were invoked to shed load on the system, which in turn took even more electricity generation offline.

Complex systems behave in ways that surprise us and the operators of the systems. This is the very definition of systemic risk, an emergent property of our increasingly interdependent critical infrastructure. Without continuous monitoring of these systems, our awareness of systems failure and breaches is significantly hampered. How we help make our ecosystem of vendors and service providers more resilient is the real challenge that must be met. Modern governance of cybersecurity risk sits squarely at the heart of that path forward.

Let’s Do Something About It!

In the world of incident response, there is a term called “tactical restraint” which speaks to the instinct of defenders to want to take action immediately and “do something.” But more than once, it has proven to be a detriment to the successful investigation of a cybersecurity incident to act hastily and without a plan.

Traditional warfare is constrained by natural features of the physical environment, which can be used to one’s advantage or disadvantage. But there are no natural features to cyberspace; in fact, it is constantly changing, adapting, and transforming. In kinetic warfare, a combatant delivers ordnance to a location at a particular time. Boom! In cyber warfare, entities create the capability to deliver “an effect” at a particular point in time against a particular set of digital assets (denial of service attacks or malware infections are good examples). This is a much more “silent boom.” The combination of the two is what is being termed “hybrid warfare” or “cyber-kinetic warfare” by analysts and experts.

Cyber-kinetic risk management brings some new questions to boards of directors:

  • Do you have the capability or an established method to calculate the potential financial impacts of a breach or cybersecurity incident? Do you use this information to prioritize and plan your risk mitigation accordingly?
  • How resilient is your organization to the loss or severe disruption of critical service providers?
  • What is your current “too big to fail” scenario? If you haven’t already, can you plan a tabletop exercise with your team to explore your response and options?

Companies that effectively manage their entire portfolio of risks, including cyber, do better in the marketplace. Regulators around the world are demanding scenario planning incorporating “severe but plausible” events with significant impact across a wide range of risk domains, including cyber risk. We must find ways to empower the effective stewardship of cybersecurity risk and that most definitely includes addressing cognitive risk in the boardroom. The resilience of our increasingly digital economy depends on a more holistic approach to risk management across enterprises both large and small.

Want to learn more about how to improve your organization’s cybersecurity? Contact us for more information.

The Israel-Hamas War’s Impact on the Cyber Threat Landscape

https://cyesec.com/blog/the-israel-hamas-wars-impact-on-the-cyber-threat-landscape | Wed, 01 Nov 2023 12:43:28 +0000 | Elad Leon

The Israel-Hamas conflict, characterized by decades of territorial disputes and sporadic outbreaks of violence, has now extended into the digital realm, significantly altering the global cyber threat landscape. As the conflict escalates, both sides are increasingly utilizing cyber tactics to gain strategic advantages, amplifying the complexity of an already volatile situation. This blog will delve into the evolving dynamics of cyber warfare in the context of the Israel-Hamas war, exploring how it has influenced the nature of cyber threats, international norms, and the broader implications for global cybersecurity.

It is clear that Hamas’s attack on October 7 was meticulously planned months in advance. The nature of the execution and the brutality involved strongly indicate the direct involvement of Hezbollah and Iran, including planning, training, and financing. Moreover, the horrific acts carried out in Israel’s south are similar to descriptions of how Iran treats political prisoners, regime opponents, and apostates. This attack ended with the highest number of dead and wounded that Israel has known as a result of terrorism, and it is possible that this is one of the largest terrorist acts in the world relative to Israel’s population. These are numbers that Israel and the world will surely remember for years to come: over 1400 murdered, hundreds injured, and over two hundred kidnapped by Hamas, the Islamic Jihad, and Gazan citizens who participated in looting and kidnapping.

The attack, however, extended beyond land. According to Cloudflare, at the same time that Hamas started its attack in the south, it was accompanied by relatively low-intensity Distributed Denial-of-Service (DDoS) cyberattacks of about 100 thousand connections per second. These attacks targeted Israeli websites that provide civilians with information and alerts on rocket attacks. Approximately 45 minutes later, a targeted and massive cyberattack began with about a million connection requests per second—an extraordinary intensity that had not been observed in similar conflicts with Hamas in the past. Connection requests are attempts to connect to a website, online service, or application. A point attack with the power of a million connection attempts per second indicates a cyber tool that was believed to be beyond Hamas’s capabilities. This suggests assistance from a state entity, or access to state weapons. Of course, the immediate suspect may be Iran or a more powerful country.

Here are some of the cyber warfare trends we are seeing in the Israel-Hamas war:

Escalation of Cyber Operations

The Israel-Hamas war has witnessed a surge in cyber operations from both sides. Cyberattacks have become an integral component of war strategies, enabling the targeting of critical infrastructure, compromising sensitive data, and disrupting communications. These operations range from DDoS attacks to sophisticated malware deployments, reflecting a concerted effort to exploit vulnerabilities in digital infrastructure.

Erosion of Norms and Rules of Engagement

The integration of cyber operations into the Israel-Hamas war has blurred the lines of traditional warfare, challenging established norms and rules of engagement. The ambiguity surrounding cyberattacks complicates attribution, making it difficult to hold perpetrators accountable. This has been a problem of cyber warfare for years and has led to a hesitancy in defining what constitutes an act of aggression in the cyber domain, creating a potential vacuum in international law.

Escalation Dynamics and Cyber Deterrence

The escalation dynamics in the Israel-Hamas war have introduced a new dimension to the concept of cyber deterrence. Both parties must now consider the potential repercussions of cyber operations, weighing the benefits against the risks of retaliation (like trying to attack critical infrastructure such as water plants and so on). This calculus is further complicated by the asymmetrical nature of cyber capabilities, where non-state actors like Hamas can leverage cyber tools to target more technologically advanced adversaries.

Global Implications for Cybersecurity

The Israel-Hamas war serves as a stark reminder of the global ramifications of localized conflicts in the digital age. The tactics employed by both parties have far-reaching consequences, as cyber threats are not constrained by geographical boundaries. The proliferation of cyber capabilities and tactics witnessed in this conflict underscores the urgency for nations to bolster their cybersecurity defenses and establish international norms to govern cyber operations.

A Polarized World

Perhaps most concerning is that the Israel-Hamas war illustrates a great divide in the world, with Iran, Russia, China, and North Korea on one side and much of Western countries on the other. This is borne out through the Iranian support of Hamas’s horrors, the speculation about Russian intelligence involvement, and the very lukewarm statements of Russia and China. Many countries in between these two camps will need to tread carefully. This polarity will undoubtedly create more conflicts and will greatly affect the day-to-day reality and the cyber landscape around the world and in Israel.

CISOs should be aware that:

  • As these camps grow more polarized and aggressive towards each other, so will hostile cyber activities between the two camps, as well as countries and companies aligned with their respective camps.
  • At the same time, along with a proliferation of capabilities, we see more groups using APT tools, so companies that are connected to either side might face greater risk. This is especially true for supply chain companies related to the defense or civilian industry.
  • Radical camps will often attack civilian companies, sometimes simply to show the Western world that they can.
  • High profile companies in the West should be prepared for an uptick in cyberattacks, because malicious actors are often determined to make their attacks as public as possible.
  • It is crucial to increase cybersecurity awareness throughout organizations and take steps to prevent phishing and detect suspicious behavior.

Clearly, the Israel-Hamas war has evolved beyond traditional warfare, incorporating cyber operations as a vital component of strategic arsenals. This shift has profound implications for the global cyber threat landscape, challenging established norms and necessitating a re-evaluation of international cybersecurity policies. As nations grapple with the complexities of cyber warfare, it is imperative to foster dialogue, establish clear norms, and strengthen cybersecurity defenses to mitigate the risks posed by escalating conflicts in the digital age. Only through concerted efforts can the international community hope to navigate this new frontier of warfare and safeguard the stability of the interconnected world.

Want to learn more about how to improve your organization’s cybersecurity? Contact us for more information.

The Top Cyber Threats Facing Consumers and Businesses Today

https://cyesec.com/blog/top-cyber-threats-facing-consumers-and-businesses-today | Sun, 15 Oct 2023 12:57:14 +0000 | Yaffa Klugerman

As cybersecurity threats continue to rise, they pose significant risks to our personal information, financial security, and even national security. To help raise awareness, October was designated as Cybersecurity Awareness Month—a time to reflect on the importance of securing our world and to focus on online safety.

This is the twentieth year of Cybersecurity Awareness Month, but cyber risk continues to grow and spread. What are the primary cyber threats that we face today, and how has the cybersecurity landscape changed? To find the answers, we spoke with CYE Founder and CEO Reuven Aronashvili and Field CISO and Vice President Ira Winkler. Here are their responses.

The Changing Cybersecurity Landscape

In the past 20 years, there have been both minimal and major changes to the cybersecurity landscape. Just as it was two decades ago, the cybersecurity landscape remains fraught with constant threats, and cyberattacks and malicious activities continue to be a major concern. In addition, hackers continue to be motivated to attack—whether it be for financial gain, public recognition, nationalistic reasons, or just the challenge.

However, the cybersecurity landscape has increased in complexity compared to 20 years ago. Technology has advanced rapidly, leading to a proliferation of interconnected devices and systems, such as IoT, cloud computing, mobile devices, and more. This complexity has introduced new attack vectors and challenges in securing the digital environment. Moreover, regulatory requirements have become more stringent, creating the need for enhanced cybersecurity measures.

The Most Common Cyber Threats for Consumers

  • Phishing remains a prevalent and highly effective threat. This is when cybercriminals use deceptive emails, messages, or websites to trick individuals into revealing sensitive information like passwords or credit card details.
  • Ransomware attacks on individuals and small businesses also continue to rise. Cybercriminals encrypt personal data and demand a ransom for its release. This can be financially devastating and lead to the loss of important files.
  • Credential theft involves targeting consumers to steal usernames and passwords. These credentials can be used for various malicious activities, such as unauthorized access to email or social media accounts, identity theft, or further attacks.

There are also some less common, but highly intriguing cyber threats to consumers:

  • Artificial Intelligence tools can be leveraged by malicious actors to carry out more sophisticated and effective cyberattacks. For example, with AI-enhanced social engineering, AI can assist in analyzing and predicting human behavior, allowing hackers to craft more convincing social engineering attacks that exploit psychological factors.
  • Internet of Things (IoT) devices have become ubiquitous in our homes, businesses, and industries, but they also introduce a host of cybersecurity threats. IoT devices that can be a threat to cybersecurity include medical devices, connected vehicles, smart home devices, and many others.

The Most Common Cybersecurity Threats for Businesses

As with consumers, ransomware and phishing attacks continue to be a significant threat to businesses. Ransomware attacks can cause data loss, operational disruptions, and financial loss, and phishing often serves as an entry point for other cyber threats.

In addition, whether through current or former employees, associates, or contractors, 20% of business data breaches come from trusted insider threats. Some bad actors act out of greed; sometimes disgruntled employees act out of bitterness. Either way, their dissemination of critical information can cause significant financial damage.

Defending Against Cyber Threats

The focus of this year’s National Cybersecurity Month is around four ways to stay safe online. They include:

  • Use strong passwords
  • Turn on multi-factor authentication (MFA)
  • Recognize and report phishing
  • Update software

According to our experts, some additional ways that consumers and businesses can protect themselves include:

  • Secure home networks: Given the increase in remote work, educating individuals on securing their home networks is crucial.
  • Social engineering awareness: This includes educating users about various forms of social engineering attacks beyond phishing, such as pretexting or baiting.
  • Data privacy: Focusing on the importance of protecting personal data and understanding privacy settings on social media platforms.
  • IoT device security: As the Internet of Things (IoT) expands, awareness of securing smart devices is increasingly important.
  • Safe online shopping: Guidance on secure online shopping practices, especially during the holiday season.

Want to learn more about how to improve your organization’s cybersecurity? Contact us for more information.

How NIST and the SEC Align CISOs with the Board—and How CRQ Helps

https://cyesec.com/blog/how-nist-and-sec-align-cisos-with-board-and-how-crq-helps | Tue, 03 Oct 2023 09:15:16 +0000 | Lior Bar-Lev

Recently, the American National Institute of Standards and Technology (NIST) released a draft version 2.0 of its “notorious CSF”—the Cybersecurity Framework. The new version, which is open for public comments and remarks until November 4th, includes major changes. Among them is that we were introduced to a new, capitalized version of its colloquial name, “The Cybersecurity Framework,” instead of the modest “Framework for Improving Critical Infrastructure Cybersecurity.” This change represents not only maturing self-confidence, but also a conceptual shift in its scope: Now the framework refers to all organizations, regardless of industry, size, or location. These organizations receive not only recognition in the new CSF version, but also brand new, expanded guidance on implementing the CSF.

Among additional updates, perhaps the biggest change that demonstrates not only a quantitative expansion in the topics covered by the framework, but a qualitative conceptual shift of it, is the addition of “Govern.” This is the sixth function to join the previously known pentagon of “Identify; Protect; Detect; Respond; and Recover.”

The addition of the Govern function emphasizes, as the National Institute stated, “that cybersecurity is a major source of enterprise risk, ranking alongside legal and financial risks as considerations for senior leadership.” By officially acknowledging cyber risk as an incremental part of organizational risk, the NIST experts have contributed a milestone brick to the never-ending bridge-building journey between CISOs and management, which aims at solving one of cybersecurity’s biggest problems.

The Disconnect Between Boardrooms and CISOs

So what’s the problem? Cybersecurity is technical; therefore, it tends to be disconnected from the business.

In a recent study that was published in the Harvard Business Review, 600 board members were surveyed about their attitudes and activities around cybersecurity, revealing alarming insights into the disconnect between companies’ boardrooms and their CISOs. According to Lucia Milică and Dr. Keri Pearlson’s study, only 67% of board members believe human error is their biggest cyber vulnerability, although findings of the World Economic Forum indicate that human error accounts for 95% of cybersecurity incidents. This might be an indicator that some boards do not understand the organizational risk they face.

Further, half of survey participants value CISO cybersecurity expertise the most, followed by technical expertise (44%) and risk management (38%). This suggests that even though cybersecurity topics may have made it onto the agenda, the board still sees them as technical issues. We get a better glimpse of this “dialogue of the deaf” with the finding that while 65% of board members think their organization is at risk of a material cyberattack, only 48% of CISOs share that view, and yet 76% of board members believe they have made adequate investments in cyber protection.

When cybersecurity is regarded solely as a technical matter by boards, it transforms into an operational concern that might not receive adequate focus during their meetings. Due to the time constraints within board meetings, it becomes challenging to get into the depth required for effective supervision. Directors might refrain from posing tough questions, as they might feel insufficiently skilled to formulate comprehensive queries or grasp the responses entirely. However, perceiving cybersecurity as an organizational concern shifts the conversation from being technical to being a managerial obstacle. As cybersecurity is embraced as a strategic necessity for the organization, it gains relevance for discussions at the board level.

Bringing Cyber Risk Management to the Board

And how can this be accomplished? As with every good compromise, the answer is somewhere in the middle of the road. Recently, the U.S. Securities and Exchange Commission (The SEC) officially adopted new rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies. During the review process of the suggested amendments, one specific rule “garnered significant comment”—the rule suggested to require disclosure about the cybersecurity expertise, if any, of a registrant’s board members. After considering the comments, the SEC decided not to adopt the amendment, as they were “persuaded that effective cybersecurity processes are designed and administered largely at the management level, and that directors with broad-based skills in risk management and strategy often effectively oversee management’s efforts without specific subject matter expertise, as they do with other sophisticated technical matters.”

While this doesn’t sound like a compromise, it is admittedly difficult to ensure that every board of every American public company includes a cybersecurity expert; there are simply not enough of them. But the main issue here is not about the SEC telling boards they don’t have to understand cybersecurity. The issue is about the SEC instructing the management teams, and specifically the CISOs, to talk risk management with the board.

Answering the “How” Question

From the other end, the new NIST CSF v2.0, with the addition of the Govern function, emphasizes the CISO’s responsibility to “[e]stablish and monitor the organization’s cybersecurity risk management strategy, expectations, and policy.” In this advanced approach, it is as if NIST experts are saying to the CISOs, “Your decision-making must be aligned with the organization’s management (that you’re hopefully a part of).” The skillset and scope of responsibility of the CISOs are no longer just about memorizing 108 controls that answer the question of WHAT to do, but also about answering the HOW question: “How can the organization achieve and prioritize the outcomes of the other five Functions in the context of its mission and stakeholder expectations?”

Governance activities are critical for incorporating cybersecurity into an organization’s broader enterprise risk management strategy. They require an understanding of organizational context; the establishment of cybersecurity strategy and cybersecurity supply chain risk management; roles, responsibilities, and authorities; policies, processes, and procedures; and the oversight of cybersecurity strategy.

The combination of the two—regulators instructing boards of disclosure of a registrant’s risk management, strategy, and governance regarding cybersecurity risks, and a standardized cybersecurity framework that instructs CISOs to think, plan, and act in a broader organizational context of risk management strategy—may not be a revolution in the way we navigate cybersecurity. However, it is definitely the evolution of both CISO and BoD roles that we’ve been waiting for.

The Role of Cyber Risk Quantification

If “The Answer” is indeed in the middle of the road, what is that middle? Well, the fusion between cybersecurity expertise and business-oriented risk management is cyber risk quantification. This is the only way both CISOs and board members can talk the same language, as the numbers they receive in the end are the result of deep knowledge from both ends:

From the cybersecurity perspective: You have to know exactly what the threats to your organization are. “Threats” are not endless lists of vulnerabilities from automated scans, hopefully ordered by generic CVSS severity. “Threats” are high-quality data on existing gaps and real potential attack routes, coming from cybersecurity assessments conducted by independent red teams, with a likelihood estimate for every step of the route.

From the organizational risk perspective: You have to properly identify the organization’s business critical assets, then have a deep understanding of the potential financial impact in case of a breach to any of these assets.


This information is then combined with the likelihood of all possible attack routes to the organization, providing the board and the CISO with a full understanding of the organization’s cybersecurity posture. Only then can real strategic conversations begin, allowing for stakeholders to approve budgets and initiate projects. Only then can cybersecurity become scalable.

Want to learn more about how cyber risk quantification can help you communicate with the board? Contact us.

Too Many Trees in the Cyber Forest: Optimizing SIEM Systems and Monitoring Threats https://cyesec.com/blog/importance-optimizing-siem-systems-monitoring-threats Wed, 27 Sep 2023 07:35:58 +0000 Shahar Z. https://cyesec.com/?p=8498

With the ever-evolving cyber landscape, organizations must focus on enhancing their cybersecurity monitoring tools and incident response capabilities. Having said that, we often see organizations invest time, effort, and money connecting many technologies to their security information and event management (SIEM) system and still fail to get one consolidated, coherent view. Here are some of the SIEM mistakes that organizations make:

Too Much Noise in the Forest

SIEM systems ship with many predefined rules and alerts, and organizations frequently enable them wholesale even when they are irrelevant to their environment. It is better to build customized alerts that reflect the organization’s particular systems. Also, keep in mind that the cyber forest is ever-changing, so assign a designated function to add alerts and regularly review the existing ones.

Lack of Patrolling the Forest

The actual IT inventory often bears little relation to the one defined in the SIEM long ago. SOC analysts only see the data that is fed to them from the field, so they cannot monitor assets they do not know exist. Having a single source of truth, such as a shared inventory, is critical.

Troubling Legitimate Forest Workers for Nothing

Alerts are often not fine-tuned enough, so they create many false positives. We do not want to exhaust resources monitoring legitimate actions while slowing down response times for the potentially risky ones. For instance, administrators sometimes use PsExec, PowerShell, or even port scanners, but they run them from known hosts, under known accounts, during known maintenance windows, and against the systems they own. Since attackers favour exactly these tools to blend in, the distinction between reconnaissance and administration has to come from that context rather than from the tool name alone.

Forgetting Who Rules Outside the Forest

Organizations frequently do not expect the unexpected. They think of cyberattacks in terms of the controls they buy. Unfortunately, attackers do not use the same handbook defenders do, so identifying known attack signatures is fine, but it will only get you halfway there. A skilled attacker tries to look legitimate, so creating a baseline of normal activity and monitoring for deviations from it is key.

Not Knowing the Trees that Need Extra Care

Organizations fail to map their sensitive assets and data well. Priority is key: If you don’t know where your crown jewels are, you cannot respond based on severity and risk.

Not Understanding the True Concerns of the Forest

Many organizations do not monitor based on actual intelligence gathering. One size doesn’t fit all in this case. Different threat actors exploit different vectors and have different methods, so understanding current threats to your business would be beneficial to your cyber risk monitoring strategy. Remember, you’re not the only forest around: Communicate with your peers, learn from their experience, and implement their battle-tested alerts.

Inability to Detect Footprints in the Forest

Organizations write alert rules they never simulate, so how do they know what they are really looking for? Don’t rely on EDRs alone; write custom alerts on your security controls for the scenarios that concern you, then exercise them with test activity so that what reaches your SIEM is validated detections, not just raw data. Correlation rules are time-consuming to build and not always necessary.
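As an added example (not part of the original post and not CYE’s or any SIEM vendor’s detection content), the following Python sketch applies the advice above: it baselines which users run dual-use admin tools from which hosts and at which hours, flags deviations, and exercises the resulting alert with a synthetic attacker event. The record format, tool list and log lines are constructed assumptions.

```python
"""Baseline-then-anomaly detection for dual-use admin tooling (PsExec,
PowerShell, port scanners) over process-creation events, plus a simulated
attacker event to prove the resulting alert fires.  Added example: the
record format, tool list and sample log lines are constructed assumptions,
not CYE's or any SIEM vendor's detection content."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Dual-use tools: routine for administrators, attractive to an intruder doing
# reconnaissance or lateral movement (assumed list, extend to taste).
ADMIN_TOOLS = {"psexec.exe", "psexesvc.exe", "powershell.exe", "nmap.exe"}


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str  # executable file name, lower-cased


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed, pipe-delimited process-creation record:
    '<ISO timestamp>|<host>|<user>|<full image path>'."""
    ts, host, user, path = line.strip().split("|")
    image = path.rsplit("\\", 1)[-1].lower()
    return ProcEvent(datetime.fromisoformat(ts), host, user, image)


class ToolBaseline:
    """Learns which (user, host) pairs run which admin tools, and at which
    hours each user normally does so."""

    def __init__(self):
        self.pairs = defaultdict(set)  # (user, host) -> {tool}
        self.hours = defaultdict(set)  # user -> {hour of day}

    def learn(self, events):
        for e in events:
            if e.image in ADMIN_TOOLS:
                self.pairs[(e.user, e.host)].add(e.image)
                self.hours[e.user].add(e.ts.hour)

    def evaluate(self, e: ProcEvent):
        """Reasons the event deviates from baseline; an empty list is normal.
        Non-admin tooling is ignored so the rule stays quiet on Excel & co."""
        if e.image not in ADMIN_TOOLS:
            return []
        reasons = []
        known = self.pairs.get((e.user, e.host))
        if known is None:
            reasons.append(f"{e.user} has never run admin tooling on {e.host}")
        elif e.image not in known:
            reasons.append(f"{e.user} has never run {e.image} on {e.host}")
        if e.user in self.hours and e.ts.hour not in self.hours[e.user]:
            reasons.append(f"{e.image} at {e.ts:%H:%M} is outside {e.user}'s usual hours")
        return reasons


def detect(baseline, lines):
    """Run raw lines through the baseline; return [(event, reasons)] for hits."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = baseline.evaluate(event)
        if reasons:
            hits.append((event, reasons))
    return hits


def simulate_alert(baseline):
    """Alert simulation: inject a synthetic event shaped like an attacker
    staging PsExec on a finance workstation and confirm the rule fires."""
    synthetic = ("2023-09-26T02:14:00|FIN-WS17|CORP\\jdoe|"
                 "C:\\Users\\jdoe\\AppData\\Local\\Temp\\psexec.exe")
    return bool(detect(baseline, [synthetic]))


# Constructed sample: an admin's routine from the jump host (the baseline),
# then two days of new activity to evaluate.
BASELINE_LOG = [
    "2023-09-11T09:05:00|ADM-JUMP01|CORP\\admin.rgreen|C:\\Tools\\PsExec.exe",
    "2023-09-11T09:40:00|ADM-JUMP01|CORP\\admin.rgreen|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "2023-09-12T14:10:00|ADM-JUMP01|CORP\\admin.rgreen|C:\\Tools\\nmap.exe",
    "2023-09-13T10:30:00|ADM-JUMP01|CORP\\admin.rgreen|C:\\Tools\\PsExec.exe",
    "2023-09-13T11:00:00|FIN-WS17|CORP\\jdoe|C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
]
NEW_LOG = [
    "2023-09-25T10:15:00|ADM-JUMP01|CORP\\admin.rgreen|C:\\Tools\\PsExec.exe",  # routine
    "2023-09-25T15:20:00|FIN-WS17|CORP\\jdoe|C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
    "2023-09-26T02:14:00|FIN-WS17|CORP\\jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\psexec.exe",  # new user/host pair
    "2023-09-26T03:02:00|ADM-JUMP01|CORP\\admin.rgreen|C:\\Tools\\nmap.exe",  # off-hours
    "2023-09-26T03:05:00|FIN-WS17|CORP\\admin.rgreen|C:\\Tools\\PsExec.exe",  # new host and off-hours
]


def run_demo():
    """Build the baseline from BASELINE_LOG and evaluate NEW_LOG."""
    baseline = ToolBaseline()
    baseline.learn(parse_event(line) for line in BASELINE_LOG)
    return baseline, detect(baseline, NEW_LOG)


if __name__ == "__main__":
    baseline, hits = run_demo()
    for event, reasons in hits:
        print(f"{event.ts:%Y-%m-%d %H:%M} {event.host} {event.user} {event.image}: " + "; ".join(reasons))
    print("alert simulation fired:", simulate_alert(baseline))
```

The rule stays silent on the admin’s routine PsExec run and on Excel, and fires on the three events that break context (a user who never ran admin tooling, a known tool at an unusual hour, and a known admin on a host he never touched). `simulate_alert` is the “alert simulation” from the list: it proves the rule fires before anyone relies on it.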

With all that in mind, zooming out and examining the organizational cybersecurity monitoring strategy as a whole is often beneficial to all involved parties. We recommend that you do the following:

• Fine-tune alerts
• Refresh inventory
• Baseline normal activity
• Map and classify assets
• Gather intelligence
• Customize alerts
• Create alert simulations

Want to learn more about focusing on the cyber threats that present a true risk to your business? Contact us

The Alarming Cyber Risks of ChatGPT https://cyesec.com/blog/alarming-chatgpt-cyber-risks-you-should-be-aware-of Thu, 21 Sep 2023 08:14:48 +0000 Elad Leon https://cyesec.com/?p=8420

The last time we wrote about ChatGPT, it had just entered our lives. At that point, we had only started to scratch the surface of the tool’s abilities and could only speculate about the dangers and possible malicious use cases. Since then, more AI-powered conversational agents have appeared, providing more opportunities for organizations. While these chatbots offer convenience and human-like interactions, we now know that they also introduce new cyber threats that users and CISOs must be aware of.

In this article, we will explore ChatGPT cyber risks and provide insights into how individuals and organizations can protect themselves against potential threats.

Phishing Attacks

ChatGPT’s ability to hold human-like conversations makes it a potential tool for cybercriminals to carry out phishing attacks. By imitating trusted entities or individuals, malicious actors can trick users into revealing sensitive information such as passwords, financial details, or personal data. Users must exercise caution when interacting with chatbots and verify who is really on the other end before providing any information.

Social Engineering Exploitation

ChatGPT’s natural language processing capabilities enable it to convincingly simulate human responses, making it a powerful instrument for social engineering. Cybercriminals can exploit the trust users place in AI chatbots to manipulate them into disclosing confidential information or taking harmful actions.

Also, in the last three months, new “ChatGPT-like” tools have appeared with few guarantees of their authenticity or origins. In some cases, hackers even pay for Google-sponsored ads to appear more credible. Several websites and browser extensions claiming to be chatbot tools have turned out to harvest all sorts of user data.

ChatGPT in its original form is a browser-based web application that requires nothing to be downloaded to a user’s endpoint. AI chatbots like ChatGPT can be manipulated by cybercriminals to impersonate individuals or trusted entities, which can lead to identity theft, fraud, or manipulation of users’ beliefs and preferences. It is important to exercise caution and verify the authenticity of chatbot interactions, especially when sensitive or personal information is involved. Users should refrain from sharing personal or confidential details with AI chatbots, or with anything they are asked to download to their endpoint in order to use the tool, especially when the requests seem suspicious or unusual.

The following are just a few examples of websites or extensions that impersonate ChatGPT:
• chat-gpt-pc.online
• chat-gpt-online-pc.com
• chatgpt4beta.com
• chat-gpt-ai-pc.info
• chat-gpt-for-windows.com
• ChatGPT for Google

Figure 1: The original ChatGPT page

Figure 2: A malicious ChatGPT impersonation site
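One way to catch impersonation hosts like the ones listed above in proxy or DNS logs, as an added example that is not from the original post: normalize away the separators and digit substitutions that lookalike registrations rely on, then compare brand tokens against an allowlist of genuine hosts. The allowlist, brand tokens, leetspeak mapping and sample hosts below are assumptions and constructed test data, not a vetted list.

```python
"""Brand-impersonation check for hostnames: normalise away the hyphens,
dots and digit-for-letter substitutions that lookalike registrations use,
then match brand tokens against an allowlist of genuine hosts.  Added
example; the allowlist, tokens, mapping and sample hosts are assumptions."""
import re

LEGIT_HOSTS = {"openai.com", "chat.openai.com", "chatgpt.com"}  # assumed allowlist
BRAND_TOKENS = ("chatgpt", "openai")
# digit/letter swaps commonly used in lookalikes (assumed mapping)
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def hostname(value):
    """Strip scheme, path and port so a pasted URL and a bare host compare alike."""
    value = re.sub(r"^[a-z][a-z0-9+.-]*://", "", value.strip().lower())
    return value.split("/")[0].split(":")[0].strip(".")


def registrable(host):
    """Crude eTLD+1 (last two labels).  Production code should consult the
    Public Suffix List instead; this shortcut is an assumption."""
    return ".".join(host.split(".")[-2:])


def normalise(host):
    """chat-gpt-4-pc.online -> chatgptapconline: what is left once separators
    and digit substitutions are removed, which is what the eye matches on."""
    return re.sub(r"[^a-z0-9]", "", host).translate(LEET)


def classify(value):
    """'legitimate' (on the allowlist), 'lookalike' (brand token present but
    not on the allowlist) or 'unrelated'."""
    host = hostname(value)
    if host in LEGIT_HOSTS or registrable(host) in LEGIT_HOSTS:
        return "legitimate"
    if any(tok in normalise(host) for tok in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


# Constructed sample mixing the genuine service, lookalike registrations and noise.
SAMPLE = [
    "https://chat.openai.com/chat",
    "api.openai.com",
    "chat-gpt-pc.online",
    "chatgpt4beta.com",
    "https://chat-gpt-for-windows.com/download",
    "openai.com.login-verify.net",  # brand used as a subdomain of an attacker's domain
    "ch4tgpt.app",
    "example.org",
]


def report(values=SAMPLE):
    return {v: classify(v) for v in values}


if __name__ == "__main__":
    for host, verdict in report().items():
        print(f"{verdict:10} {host}")
```

Note that a brand token inside a subdomain (`openai.com.login-verify.net`) is classified by its registrable domain, not by the label the victim sees, which is the whole point of the check.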

ChatGPT Malware Distribution

AI chatbots, including ChatGPT, can be leveraged as a medium for creating and distributing malware. Cybercriminals may embed malicious links or attachments in the conversation to trick users into downloading and executing harmful software. Quite a few cases have already shown that ChatGPT can be tricked into writing malicious code, and while this gap in the tool’s safeguards has been patched, it is only a matter of time until the next one is found.

It is crucial to exercise caution and refrain from clicking on suspicious links or downloading files from untrusted sources in day-to-day work, including during chatbot interactions.

ChatGPT Data Privacy and Security

The vast amount of personal information shared in conversations with AI chatbots poses significant data privacy and security risks. ChatGPT stores and processes what users enter, and that data can be used to enrich the model, which makes the service a target for data breaches or unauthorized access. In practice, anything pasted into a prompt should be treated as having left the organization.

Users should ensure that the chatbot service they are interacting with adheres to robust data protection practices, including encryption, secure storage, and strict access controls. For example, in April, Samsung employees in the semiconductor division accidentally shared confidential information while using ChatGPT for help at work, resulting in a data leak estimated in gigabytes. Leaks like this make ChatGPT as a tool, and OpenAI as a company, an attractive target for nation states.

While AI-powered conversational agents like ChatGPT offer exciting possibilities, it is crucial to be aware of the cyber risks they present and to respond accordingly. The risk of falling victim to phishing attacks, social engineering exploitation, malware distribution, data privacy breaches, impersonation, and manipulation could be dire for an organization.

Users—and primarily CISOs—must adopt a proactive approach to protect themselves and enforce company policies for this subject. They can accomplish this by implementing best practices, such as being cautious about sharing sensitive information, verifying the authenticity of chatbot interactions, and maintaining robust cybersecurity measures. Additionally, organizations developing integration with AI chatbots like ChatGPT must prioritize data security, implement strong authentication mechanisms, and educate users about potential risks.

By staying informed and taking the necessary precautions, especially by setting policies and preemptive measures, we can enjoy the benefits of AI while minimizing the cyber risks of ChatGPT and similar conversational agents.

The Importance of Threat Intelligence Monitoring in Cybersecurity https://cyesec.com/blog/importance-threat-intelligence-monitoring-cybersecurity Wed, 06 Sep 2023 07:25:02 +0000 Lionel Sigal https://cyesec.com/?p=8307

We all know that ransomware attacks are a significant cyber threat. One critical component in the aftermath of a ransomware attack is threat intelligence monitoring.

Recent incidents we have handled show how often threat actors, instead of immediately releasing stolen data or encrypting files, take a more insidious approach: waiting weeks, months, or even a year before publishing the compromised data on the dark web or other platforms. We have seen this with an Iranian group, with the criminal enterprise BlackBasta, and others.

This delayed data publication poses a severe threat to affected organizations, as it extends the impact of the ransomware attack far beyond the initial breach. Such a prolonged timeline presents significant challenges for traditional incident response strategies, making it imperative for organizations to adopt comprehensive threat intelligence monitoring measures.

Monitoring the Dark Web and Various Sources

Close monitoring of the dark web and other sources is essential for detecting leaked data. Threat intelligence analysts continuously scour the hidden corners of the internet to identify any potential traces of stolen information from recent or past attacks. By proactively tracking these platforms, organizations can gain crucial insights into their data exposure and the activities of threat actors.

Benefits of Ongoing Threat Intelligence

Timely threat intelligence empowers organizations to react swiftly when their data surfaces on the dark web. By knowing when compromised information has been published, companies can proactively inform affected individuals, customers, or partners about potential data breaches. This transparency helps build trust and demonstrates a commitment to data protection.

Additionally, ongoing threat intelligence enables organizations to identify trends in the attackers’ behavior and tactics. Armed with this knowledge, cybersecurity teams can develop more effective strategies to prevent similar incidents in the future and improve their overall resilience against ransomware attacks.

In general, a ransomware attack leaves organizations vulnerable, even after the immediate incident response and data recovery phases. Hackers might have implanted backdoors or retained access credentials, potentially leading to future attacks. Here’s how threat intelligence monitoring comes into play:

1. Early Detection of Secondary Attacks

Threat intelligence monitoring allows organizations to identify any suspicious activities or indicators of compromise that might signal a secondary attack after the ransomware incident. With continuous threat data, IT teams can promptly respond to potential threats before they escalate into another crisis.

2. Insights into the Attackers’ Tactics

Understanding the modus operandi of the attackers is crucial for preventing future attacks. Threat intelligence monitoring provides valuable data on the techniques, tools, and procedures used in the ransomware attack. This knowledge helps organizations adapt and enhance their security measures to mitigate similar threats in the future.

3. Vulnerability Identification

In the wake of a ransomware attack, organizations often find vulnerabilities in their systems that the attackers exploited. Threat intelligence monitoring assists in identifying these weaknesses, enabling businesses to patch and fortify their infrastructure against known vulnerabilities.

4. Proactive Defense Strategies

Threat intelligence empowers organizations to take a proactive approach to cybersecurity. Armed with relevant threat data, businesses can anticipate potential attack vectors and implement targeted defense strategies to thwart future ransomware attempts.

5. Collaborative Sharing and Learning

Threat intelligence is not limited to individual organizations. Information sharing and collaboration among businesses, industries, and cybersecurity communities are essential for building a collective defense against ransomware attacks. By participating in information-sharing platforms, organizations can contribute to and benefit from shared knowledge.

How CYE Can Help

In just the last five years, CYE’s expert threat intelligence department has handled hundreds of cyber incidents instigated by state actors. We believe that the organizational cybersecurity framework should be built against the potential attacker’s capabilities, intentions, and work methods.

Our team:

• Monitors customers 24/7 on a variety of internet platforms including social media, Telegram, and the dark web.
• Provides customers with online alerts when needed as well as scheduled reports.
• Focuses on three main areas:

  1. Brand – the company itself, its domains, IPs, emails, subsidiaries, etc.
  2. TechStack – the company’s most important technologies. This monitoring allows us to alert in near real time about vulnerabilities to these technologies, even before they become highly scored CVEs.
  3. Key personnel – our team compiles a list of key personnel who may hold sensitive information and/or highly privileged credentials. We monitor these people on all platforms as well.

Conclusion

The evolution of ransomware attacks demands a proactive approach to cybersecurity, especially when it comes to data breaches and the delayed publication of stolen information. The significance of threat intelligence monitoring after a ransomware attack cannot be overstated. Detecting data leaks or publications on the dark web in a timely manner enables organizations to mitigate the long-term consequences of these incidents.

By actively monitoring dark web activities, engaging in ongoing threat intelligence, and fostering collaboration across the cybersecurity community, businesses can bolster their resilience against ransomware attacks. It is crucial to remain vigilant, adaptable, and proactive to protect valuable data, uphold customer trust, and stay one step ahead of the ever-evolving threat landscape. Only through a collective effort can organizations effectively combat the menace of ransomware and safeguard their digital assets in today’s interconnected world.

Want to learn more about CYE’s threat intelligence monitoring? Contact us

Aligning with the New CISA Cybersecurity Strategic Plan https://cyesec.com/blog/aligning-with-the-new-cisa-cybersecurity-strategic-plan Sun, 20 Aug 2023 13:18:44 +0000 Yaffa Klugerman https://cyesec.com/?p=8204

This month, the US Cybersecurity and Infrastructure Security Agency (CISA) released an important update to its strategic plan. It includes three main goals intended to reduce cyber incidents and create a secure and resilient infrastructure for the United States.

Interestingly, CISA’s goals closely align with what CYE provides to its customers. Here are the goals and how they line up with CYE’s solution:

Goal 1: Address Immediate Threats

CISA’s Objectives:

• Increase visibility and mitigation of cyber threats
• Disclose and mitigate critical and exploitable vulnerabilities
• Plan for cyber defense operations and incident response

How CYE Helps:

Using Hyver, CYE’s cyber risk quantification platform, you can gain visibility into likely attack routes by identifying and analyzing exploitable vulnerabilities that can potentially threaten your organization. Hyver provides a single view of all critical issues with the ability to focus on and mitigate the ones that are truly a threat to your business assets.

CYE’s expert services also focus on building and implementing incident response plans, so you can be prepared to respond quickly in the event of a cyber incident. By incorporating training, exercises, and simulations into these plans, organizations and management can confidently act when a crisis occurs. This comprehensive approach cultivates a prepared and cohesive response that mitigates potential damage, minimizes confusion, and maximizes the effectiveness of the response team.

Goal 2: Harden the Terrain

CISA’s Objectives:

• Understand how attacks occur and how to stop them
• Drive implementation of effective cybersecurity investments
• Provide cyber capabilities that fill gaps and measure progress

How CYE Helps:

CYE’s comprehensive organizational assessments test security controls in every environment to determine if your critical assets are protected and how you can outsmart hackers. Using cyber risk quantification, Hyver helps maximize ROI of cybersecurity investments by helping you understand the financial impact of mitigation.

CYE provides tailored solutions that ensure the right investments in technology, personnel training, and procedural enhancements. By leveraging CYE’s expertise, organizations can confidently allocate resources to the areas that promise the greatest cybersecurity returns, establishing a robust defense against cyber threats and bolstering overall resilience.

Goal 3: Drive Security at Scale

CISA’s Objectives:

• Drive development of secure technology
• Reduce risks posed by emergent technologies
• Build a national cyber workforce

How CYE Helps:

CYE has often been tasked with assessing the security of technology. For example, when a medical device company contacted CYE to make sure there were no security issues with its product, Hyver uncovered a critical issue that needed to be addressed. CYE even recommended an unusual solution to avoid having to reapply for FDA approval.

Building a national cyber workforce is a critical endeavor to strengthen a country’s cybersecurity defenses and support its digital growth. This involves cultivating a skilled and diverse workforce capable of addressing evolving cyber threats and challenges. To achieve this, initiatives can include education and training programs, collaboration with academic institutions, public-private partnerships, and the promotion of careers in cybersecurity.

By nurturing a proficient national cyber workforce, a country can enhance its ability to detect, prevent, and respond to cyber incidents, ultimately safeguarding its digital infrastructure, economy, and national security. CYE experts can help with thinking, building, and executing such a plan.

Want to learn more about how you can improve your organization’s cybersecurity maturity and build resilience? Contact us.
Why the New NIST CSF 2.0 Transforms Cyber Risk Management https://cyesec.com/blog/why-the-new-nist-csf-2-0-transforms-cyber-risk-management Mon, 14 Aug 2023 11:45:06 +0000 Shmulik Yehezkel https://cyesec.com/?p=8157

The recent release of the NIST Cybersecurity Framework (CSF) 2.0 draft is certainly great news and a significant step forward. Over the years, cybersecurity experts have come to recognize the NIST CSF as a valuable framework.

According to NIST, the new Cybersecurity Framework 2.0 provides guidance for reducing cybersecurity risks by helping organizations understand, assess, prioritize, and communicate about those risks and the actions that will reduce them. In many ways, however, it also represents a transformative approach to cyber risk management, introducing a more holistic perspective. Here’s how:

Creation of the Govern Function

The unveiling of the Govern function within NIST’s Cybersecurity Framework serves as a clear, central message from NIST. Govern joins the well-known wheel of Identify, Protect, Detect, Respond, and Recover; however, it appears in the center because it informs how an organization implements the other five functions. The Govern function underscores the need for ongoing cyber risk management at the organizational management level. Within this function, the Risk Management Strategy category includes several new subcategories (GV.RM-04 through GV.RM-08), which are at the heart of CSF 2.0.


Involvement of Senior Management

NIST 2.0 squarely targets senior management in organizations. It emphasizes the urgency of addressing cyber risk management seriously and consistently. NIST 2.0 directs organizational management to seamlessly integrate cyber risk management as an integral facet of overall risk management activities.

Additionally, decision-makers must understand the significance of cyber risk. This is underscored by the pivotal addition of a new subcategory, “GV.OC-02: Internal and external stakeholders are determined, and their needs and expectations regarding cybersecurity risk management are understood,” within the “Organizational Context” category.

Similarly, a new subcategory within the “Roles, Responsibilities, and Authorities” category (GV.RR) explicitly clarifies the responsible parties for cyber risk. For instance, “GV.RR-01: Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continuously improving.”

Focus on Cyber Risk Quantification

Another critical aspect that NIST 2.0 addresses is the imperative of cyber risk quantification, detailed in the “Risk Management Strategy” category. It articulates the requirement for standardized methods to calculate, document, categorize, and prioritize cybersecurity risks. This directive illustrates the need for systematic evaluation of cyber risk based on the impact to organizational objectives.

Effective Cyber Crisis Management

Finally, NIST 2.0 emphasizes the vital necessity of effective cyber crisis management. This responsibility extends beyond the purview of CISOs or even their managers (usually CIOs). Instead, it mandates management-level involvement in managing cyber crises, as highlighted in the “Risk Management Strategy” category and the subcategory “GV.RM-04: Strategic direction that describes appropriate risk response options are established and communicated.”

How CYE Aligns with NIST 2.0

NIST 2.0’s overarching aim is to actively shape organizational management’s approach towards addressing cyber risks as an integral component of their core endeavors. This is also a key approach of CYE, which focuses on improving organizational cybersecurity maturity, optimized cyber risk quantification, and comprehensive cyber crisis management readiness.

Moreover, working with Hyver helps companies comply with the new Govern function by establishing a standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks. In closely aligning with NIST 2.0, CYE ensures that cyber risks are recognized, managed, and mitigated across all tiers of organizational leadership.

Want to learn more about how CYE can help you align to the NIST cybersecurity framework? Contact us
What is Cyber Risk Optimization? https://cyesec.com/blog/what-is-cyber-risk-optimization Tue, 08 Aug 2023 11:30:19 +0000 Ira Winkler https://cyesec.com/?p=8133

In my last blog, I addressed the concept of cyber risk quantification (CRQ), what it is, and how it is applied. Frankly, the intent was to include cyber risk optimization (CRO) as well; however, each is such a robust topic that it was impossible to cover both well enough to my satisfaction in one blog. So here is a basic description of cyber risk optimization.

The Limits of CRQ Tools

It was critical to cover cyber risk quantification first, because you can’t optimize risk if you’re not measuring (AKA quantifying) it. The unfortunate reality is that most cyber risk quantification tools stop there. They provide a number and some attractive graphs, so that you can share with management and present at board meetings. Again, that can have some use, and makes executives feel like they have a grasp of the situation, and it can largely satisfy governance requirements, which in and of itself can be critical. The problem is that to provide better cybersecurity, it has minimal use. Having a CRQ number that may or may not be accurate doesn’t actually help improve your risk posture.

Going back to the basics of CRQ, you have the total possible loss, and then determine the probability of the loss being realized. The probability of the loss being realized is where most CRQ efforts fall apart. FAIR is a great model, but it asks people to guess the probabilities of losses occurring. The probability is dependent on many things, including ease of exploiting given vulnerabilities, the skill levels of given threats to exploit them, etc. You need a model to take all those factors into account. A tool or model that cannot incorporate true probabilities is not going to give you anywhere near accurate CRQ.

How CRO Bolsters CRQ

Cyber risk optimization actually makes CRQ useful. The way you optimize risk is by being able to assign costs to given vulnerabilities and compare that to the costs of mitigating the vulnerabilities. Then you can calculate a real return on investment (ROI) for mitigating a vulnerability, and then decide how to make the best use of available resources to mitigate those vulnerabilities that would have the highest ROI.

Clearly, this is not an easy task. It requires methods that determine the probability of each vulnerability being exploited, which assets an attacker can reach through it, and from those the cost of the vulnerability. In short, the cost of a vulnerability is the probability of it being exploited times the total cost of all assets it is tied to.

Once you understand the costs of the vulnerabilities, you then need to determine the cost to mitigate each vulnerability. This involves factoring in a wide variety of concerns, including the costs of tools, maintenance, labor to implement countermeasures (including factoring in geographies where they are located), among a variety of other concerns.

You can create your own methods to implement CRO. Frankly, you need to implement some form of CRO, even if it is rough. You should try to rationalize your cybersecurity efforts by determining how to optimize your spending.
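To make the arithmetic concrete, here is an added example (not CYE’s, Hyver’s or the FAIR model’s code) that carries the CRO description above, together with the attack-route view of CRQ from the earlier post on aligning CISOs with the board, through to a mitigation plan. Each route is a chain of steps with an assessed likelihood, an asset is lost if any route to it succeeds, the cost of a gap is the loss avoided by closing it, and mitigations are ranked by ROI and selected greedily under a budget. Every number (step likelihoods, asset impacts, mitigation costs, budget) and the simplification that steps are independent are constructed for illustration.

```python
"""Cyber risk quantification (CRQ) and optimization (CRO) over assessed
attack routes.  Added example with constructed numbers: the route model,
step likelihoods, asset impacts, mitigation costs and budget are assumptions,
not figures from CYE, Hyver, FAIR or any real assessment."""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Step:
    gap: str           # the gap/vulnerability an attacker exploits at this step
    likelihood: float  # assessed probability the attacker completes the step


@dataclass(frozen=True)
class Route:
    target: str        # business-critical asset the route ends at
    steps: tuple       # ordered Steps from initial access to the target


@dataclass(frozen=True)
class Mitigation:
    gap: str
    cost: float        # annual cost to close the gap (tools, labour, maintenance)


def route_likelihood(route, closed=frozenset()):
    """A chain succeeds only if every step does: multiply the step
    likelihoods (treating steps as independent, a simplifying assumption).
    A closed gap blocks every route that passes through it."""
    if any(s.gap in closed for s in route.steps):
        return 0.0
    return prod(s.likelihood for s in route.steps)


def expected_loss(routes, impact, closed=frozenset()):
    """Expected loss per asset and in total.  An asset is compromised if at
    least one route to it succeeds: P = 1 - prod(1 - L_route)."""
    per_asset = {}
    for asset, cost in impact.items():
        ls = [route_likelihood(r, closed) for r in routes if r.target == asset]
        per_asset[asset] = (1 - prod(1 - l for l in ls)) * cost
    return per_asset, sum(per_asset.values())


def rank_mitigations(routes, impact, mitigations, closed=frozenset()):
    """(gap, loss avoided, cost, ROI) for closing each gap on top of those
    already closed, best ROI first.  Loss avoided is the 'cost of the
    vulnerability' in the text; ROI = (avoided - cost) / cost."""
    _, base = expected_loss(routes, impact, closed)
    ranked = []
    for m in mitigations:
        _, after = expected_loss(routes, impact, closed | {m.gap})
        avoided = base - after
        ranked.append((m.gap, avoided, m.cost, (avoided - m.cost) / m.cost))
    return sorted(ranked, key=lambda r: r[3], reverse=True)


def optimise(routes, impact, mitigations, budget):
    """Greedy CRO: repeatedly close the affordable gap with the best marginal
    ROI, re-ranking after each choice because closing one gap changes what
    the others are worth (a shared chokepoint loses value once the routes
    through it are already blocked elsewhere)."""
    closed, plan, remaining, pending = frozenset(), [], budget, list(mitigations)
    while pending:
        ranked = rank_mitigations(routes, impact, pending, closed)
        pick = next((r for r in ranked if r[2] <= remaining and r[3] > 0), None)
        if pick is None:
            break
        gap, avoided, cost, roi = pick
        closed, remaining = closed | {gap}, remaining - cost
        plan.append((gap, round(avoided), cost, round(roi, 2)))
        pending = [m for m in pending if m.gap != gap]
    return plan, expected_loss(routes, impact, closed)[1]


# Constructed assessment: two crown-jewel assets, four red-team attack routes.
IMPACT = {"customer-db": 8_000_000, "erp": 3_000_000}
ROUTES = (
    Route("customer-db", (Step("phish-no-mfa", 0.6), Step("flat-network", 0.8), Step("db-default-creds", 0.5))),
    Route("customer-db", (Step("vpn-unpatched", 0.3), Step("flat-network", 0.8), Step("db-default-creds", 0.5))),
    Route("erp", (Step("phish-no-mfa", 0.6), Step("flat-network", 0.8), Step("erp-weak-rbac", 0.7))),
    Route("erp", (Step("vpn-unpatched", 0.3), Step("erp-weak-rbac", 0.7))),
)
MITIGATIONS = (
    Mitigation("phish-no-mfa", 250_000),
    Mitigation("flat-network", 600_000),
    Mitigation("db-default-creds", 40_000),
    Mitigation("vpn-unpatched", 30_000),
    Mitigation("erp-weak-rbac", 120_000),
)
BUDGET = 200_000

if __name__ == "__main__":
    per_asset, total = expected_loss(ROUTES, IMPACT)
    print(f"expected loss: {total:,.0f} {per_asset}")
    for gap, avoided, cost, roi in rank_mitigations(ROUTES, IMPACT, MITIGATIONS):
        print(f"{gap:18} avoids {avoided:>12,.0f} costs {cost:>9,} ROI {roi:6.2f}")
    plan, residual = optimise(ROUTES, IMPACT, MITIGATIONS, BUDGET)
    print("plan:", plan, "residual loss:", round(residual))
```

With these constructed numbers the segmentation project (`flat-network`) avoids the most loss in absolute terms but has the lowest ROI, while the cheap fixes at the end of the chains (`db-default-creds`, `vpn-unpatched`) rank highest; the greedy plan then spends 190,000 of the 200,000 budget on three gaps and drives the modelled loss to zero because every route passes through at least one of them. That is the point of the text: ranking by ROI, not by severity or by absolute reduction, is what tells you where the next dollar goes.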

How Hyver Helps You Save Money

It is complicated, and that is frankly the reason why I joined CYE. We’ve been refining our Hyver platform for more than seven years to accomplish this. We’ve been optimizing the AI and other algorithms constantly to improve the results. The results allow our customers not just to improve their cybersecurity programs, but to save money as well, as CRO also allows you to determine unnecessary countermeasures in place.

While I believe everyone should use Hyver, for many people that might not be a choice. However, you should attempt to implement the principles of CRO either way. You shouldn’t just blindly spend money on what you have been spending it on. Your cybersecurity program should be a living program that is modified as circumstances change. CRO is the way you put life in your program.

Want to learn more about how Hyver can help you quantify and optimize your cyber risk? Schedule a demo.
6 Key Takeaways from the IBM Cost of a Data Breach Report https://cyesec.com/blog/6-key-takeaways-from-the-ibm-cost-of-a-data-breach-report Wed, 26 Jul 2023 12:25:55 +0000 Inbar Ries https://cyesec.com/?p=7945

Data breaches are increasing, and they are costing organizations more to prevent and contain. Yet IBM Security’s new Cost of a Data Breach Report 2023 offers valuable insights that illustrate the many cyber risks organizations face as a result of an ever-expanding attack surface, and how security leaders might be able to address them.

Here are some of our key takeaways:

1. The global average cost of a data breach is continuing to rise.

As the threat landscape expands and cyberattacks become more sophisticated, data breaches continue to pose significant financial risk to organizations. The average cost of a data breach reached a staggering $4.45 million in 2023—a 2.3% increase over last year and the highest figure ever. Moreover, the costliest data breach expense was detection and escalation costs, which grew 42%. Clearly, this highlights the importance of measuring and strengthening cybersecurity maturity to rapidly identify and respond to threats.

2. Only half of organizations are planning to increase their security investments because of a breach.

As the cost of data breaches rises, one might think that the cost of preventing them rises as well. However, according to the IBM report, just 51% of organizations are planning to increase their security investments in areas including incident response planning and testing, employee training, and threat detection and response technologies.

3. …But they might save money in the long run by doing so.

Done correctly, investing in strategic mitigation to reduce cyber risk and increase organizational cybersecurity maturity can pay off in the long run. In particular, the IBM report noted that “organizations with high levels of IR planning and testing save $1.49 million, compared to those with low levels.”

Undoubtedly, using effective and proven strategies such as cyber risk quantification can also provide necessary clarity as to where organizations should focus their mitigation efforts and investments. The key is to understand and address the true threats that can negatively impact the business.

4. Healthcare has the highest data breach costs of all industries.

The healthcare industry’s data breach costs rose to $10.93 million in 2023—the highest cost of any industry for the 13th year in a row. The healthcare industry has always been a significant target for criminals because its data can be quite valuable, while its security is often inadequate. This unfortunate reality was seen in our Cybersecurity Maturity Report 2023, where healthcare was ranked lowest for network level security.

5. Critical infrastructure breaches have also jumped in cost.

Organizations considered to be critical infrastructure—including utilities, healthcare, transportation, and education—incurred data breach costs of $5.04 million in 2023, rising 4.6% over 2022. These figures correspond with the uptick in cyberattacks and ransomware in critical infrastructure, as well as the considerable challenges of securing OT systems.

6. Organizations need to do a better job of protecting their assets while considering costs.

On the whole, the new IBM report should serve as a wake-up call for organizations to implement cyber risk strategies, such as CYE’s, that rapidly identify threats, quantify cyber risk, and prioritize mitigation. Yet, as the report also illustrates, a truly effective and holistic approach to cybersecurity must also consider cost and overall return on investment.

Want to learn more about how Hyver can help you improve your cybersecurity maturity and prevent data breaches in the most cost-effective way? Schedule a demo.

6 Cybersecurity Risks Posed by Centralized Management
https://cyesec.com/blog/6-cybersecurity-risks-posed-by-centralized-management
Thu, 20 Jul 2023 10:18:44 +0000, Daniel Toper

Centralized management is a great way to consolidate systems and it’s easy to set up. It seems practical to have one server holding all systems and services, but what does this mean from a security perspective? Here are six risks you should be aware of.

Risk 1: Using Default Usernames

You might have all the fancy cybersecurity tools installed on your servers and workstations like antivirus, DLP, EDR, XDR, and firewall, but many administrators are still using the same old and popular method of signing in: They use the default username “Administrator” for all IT admin personnel.

On top of that, some organizations install applications on the servers using the Administrator account and profile, without realizing that this is a potential high-risk backdoor. An attacker who exploits those weaknesses can access all of the server’s sensitive data and move on to other servers on the network. The attacker can also exploit ports that were left open to the internet for software such as the employee reporting (attendance) system.

Risk 2: Issues with Attendance Systems

Some software, such as an attendance system, may have a scheduled task that uses telnet, WinSCP, FTP, or other vulnerable services to reach the vendor’s SaaS-based systems.

Indeed, it’s necessary to have an attendance system, but who said that this software must be installed on a Windows Server platform? This server might even sit in the server segment, allowing access between servers, which is a worse situation from a cybersecurity perspective.

It is better to keep those systems in a designated environment, separated from the server and workstation segments, and installed on a minimal OS (Windows Server is not always a must). Also, create a service account with minimal permissions and avoid giving this account membership in the local Administrators group.

Risk 3: Issues with Azure AD

Another backdoor and vulnerability in an organization may be related to Azure AD. System administrators sometimes define settings in Azure AD that allow third-party applications integrating with it to use SSO (Single Sign On), which is intended to automate user logins as much as possible across all company applications.

But why must we grant the default “Global Administrator” permissions to those third-party applications? Sometimes we are in a hurry and don’t pay enough attention to the consequences of doing so: the negative impact, the potential threat, and the future damage.

The IT manager plays a key role here, as the one in charge of centralizing all the systems. Therefore, the cyber team and the IT team should always work together to define permissions and integrate third-party apps in Azure AD. The IT manager is responsible for applying and setting up all the permissions defined by the cyber team and the CISO.

Risk 4: Lack of an Adequate Firewall

It is quite easy to define and open all ports to the local domain controller (Active Directory) server. Doing that, however, allows any kind of threat to access the domain controller and may put it at high risk.

Ports such as SMB and RDP should always be blocked to those servers from the Internet and from unrestricted servers and workstations in the network. Exposing these ports can open a backdoor for attackers to take remote control of the server, which can lead to the injection of malicious files and stolen data. For this reason, it’s important to avoid defining rules as “Any to Any” (opening all channels) and instead define the minimal ports needed by the server, system, or service to operate.
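One way to turn the advice in Risk 4 into a repeatable check is to audit the rule set for exactly these two patterns: “Any to Any” rules, and SMB or RDP reaching a domain controller from anything other than a small administrative subnet. The following Python script is an added example, not code from the article or from any firewall vendor; the rule format, the domain controller addresses, the 10.0.50.0/24 jump subnet and the sample rules are all constructed for illustration.

```python
"""Audit a firewall rule set for the exposures the article warns about:
"Any to Any" rules, and SMB (445) or RDP (3389) reachable on a domain
controller from the Internet or from unrestricted internal ranges.

Added example, not from the article or any firewall vendor. The rule
format, addresses, jump subnet and rule set are all constructed for
illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ADMIN_PORTS = {445: "SMB", 3389: "RDP"}
# Assumed: the only subnet allowed to use SMB/RDP against domain controllers.
ADMIN_JUMP_NET = ipaddress.ip_network("10.0.50.0/24")
# Assumed domain controller addresses.
DOMAIN_CONTROLLERS = [ipaddress.ip_address("10.0.1.10"),
                      ipaddress.ip_address("10.0.1.11")]


@dataclass
class Rule:
    name: str
    src: str            # CIDR, single address, or "any"
    dst: str            # CIDR, single address, or "any"
    ports: Tuple        # port numbers, or ("any",)
    action: str = "allow"


def to_network(spec: str):
    """Map "any" to 0.0.0.0/0 and a single address to a /32 network."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def audit_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, problem) for every allow rule that violates the policy."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        src, dst = to_network(rule.src), to_network(rule.dst)
        any_ports = "any" in rule.ports

        # Never "Any to Any": every source, every destination, every port.
        if src.prefixlen == 0 and dst.prefixlen == 0 and any_ports:
            findings.append((rule.name, "Any to Any rule"))
            continue

        if not any(dc in dst for dc in DOMAIN_CONTROLLERS):
            continue    # rule does not reach a domain controller

        exposed = (list(ADMIN_PORTS.values()) if any_ports
                   else [ADMIN_PORTS[p] for p in rule.ports if p in ADMIN_PORTS])
        # A source is "unrestricted" unless it lies entirely inside the jump subnet.
        unrestricted = not src.subnet_of(ADMIN_JUMP_NET)
        if exposed and unrestricted:
            findings.append((rule.name,
                             f"{'/'.join(exposed)} to domain controller from {rule.src}"))
    return findings


# Constructed rule set mixing acceptable and risky entries.
SAMPLE_RULES = [
    Rule("allow-all", "any", "any", ("any",)),
    Rule("rdp-internet-dc", "any", "10.0.1.10", (3389,)),
    Rule("smb-lan-dc", "10.0.0.0/8", "10.0.1.0/24", (445, 135)),
    Rule("rdp-jump-dc", "10.0.50.0/24", "10.0.1.0/24", (3389,)),
    Rule("ldap-lan-dc", "10.0.0.0/8", "10.0.1.0/24", (389, 636)),
    Rule("deny-all", "any", "any", ("any",), action="deny"),
]

if __name__ == "__main__":
    for name, problem in audit_rules(SAMPLE_RULES):
        print(f"{name}: {problem}")
```

Running it on the sample set reports the Any-to-Any rule, the RDP rule that admits the whole Internet, and the SMB rule that admits all of 10.0.0.0/8; the rule restricted to the jump subnet and the LDAP rule pass, because the check is about who may reach the admin ports, not about blocking the directory services the domain legitimately needs.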

Risk 5: Unsecured Server Documents and Network Diagrams

Often, IT and network personnel keep schemas of the network topology in Visio files. They also keep information about access points, switches, firewalls, and servers organized in Excel sheets, including each server’s name, IP address, and sometimes even user names and passwords.

This obviously presents a major risk. These highly sensitive TLP files should always be encrypted and kept in a secure place. The password for these encrypted files should be kept in a separate place, rather than in a plain text file on the network.

Risk 6: Vulnerable Printer Server Role

One last tip from me to you: Never install the print server role on your domain controllers, as it makes them more vulnerable by exposing the Print Spooler mechanism and its protocols to attackers.

Beware, as attackers may try to access your data through these methods.

To sum up, avoid integrating third-party apps with Azure AD using your administrator user or a high-privilege user. Set permissions as low as possible, always double-check your settings and your environment, and follow this guide.

Want to learn how you can outsmart hackers? Download our guide.

Neglecting the Basics of Cybersecurity While Increasing Complexity
https://cyesec.com/blog/neglecting-the-basics-of-cybersecurity-while-increasing-complexity
Thu, 06 Jul 2023 07:48:43 +0000, Tom Levy

In the ever-evolving landscape of cybersecurity, organizations are increasingly facing sophisticated threats from highly skilled attackers. However, amidst this complexity, it is surprising for me to observe that many organizations I work with are still neglecting the fundamental security elements that form the backbone of their defense. Instead of focusing on basic security practices such as changing default passwords, restricting external access, and enforcing strong password policies, organizations often divert their attention towards complex measures, hoping to catch elusive attackers.

This article dives into this critical oversight within cybersecurity and highlights the need for organizations to prioritize the basics in their security strategy.

The Complexity Trap

With the goal of securing their networks, organizations often find themselves overwhelmed by the intricacies of threat detection and response. They invest significant resources in deploying cutting-edge technologies and tools to identify advanced threats and analyze network anomalies. While these measures are important, they should not overshadow the fundamental security practices that lay the foundation for a robust defense posture.

Neglected Basics

One of the most glaring oversights is the failure to address basic security elements. Simple measures, such as changing default passwords on devices and systems, remain unattended, leaving organizations vulnerable to opportunistic attackers. Attackers can exploit default settings to gain unauthorized access and compromise critical systems. By simply changing these default passwords to complex ones, under strict policies that disallow common, easily crackable passwords, organizations can significantly enhance their security posture.

Another crucial oversight is the failure to restrict external access to interfaces and sensitive systems. Exposing interfaces to the internet without appropriate security controls is an open invitation to attackers. Implementing robust access controls, blocking external access for all interfaces which do not require it, and employing virtual private networks (VPNs) can help fortify the organization’s perimeter defense and prevent unauthorized access.

Additionally, organizations often neglect to emphasize the importance of password changes at regular intervals, along with ensuring a significant deviation from the previous passwords. This practice is crucial in preventing unauthorized access to accounts and reducing the impact of credential-based attacks. When employees retain the same passwords for extended periods, it becomes easier for attackers to exploit leaked credentials or use methods like brute-forcing to gain unauthorized entry. By implementing a policy that encourages regular password changes and requires substantial differences from previous passwords, organizations can enhance their overall security posture.

Furthermore, maintaining a comprehensive blacklist of commonly used passwords and disallowing the use of easily guessable information is essential. Employees often opt for weak passwords such as “password123” or use personal information like their names, birthdates, or the name of the organization. By proactively preventing the use of such predictable passwords and educating employees on the importance of choosing strong and unique passwords, organizations can significantly reduce the risk of successful credential-based attacks.

By combining regular password changes with effective password blacklisting and educating employees about password security, organizations can significantly enhance their overall cybersecurity defenses and reduce the risk of unauthorized access to their systems and sensitive data.
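The three password rules in the paragraphs above (a blacklist of common passwords, no personal or organizational information, and a substantial difference from the previous password) can be enforced together at the point where a new password is set. The Python check below is an added example, not code from the article or from any product; the short blacklist, the 12-character minimum, the 60% similarity threshold and the sample user are constructed for illustration.

```python
"""Check a proposed password against the basic rules the article lists: a
blacklist of common passwords, no personal or organizational names, and a
substantial difference from the previous password.

Added example, not the article's or any product's code. The blacklist,
thresholds and sample users are constructed for illustration."""
from difflib import SequenceMatcher
from typing import Iterable, List, Optional

# Constructed, deliberately short blacklist; a real deployment loads a
# breach-derived corpus instead.
COMMON_PASSWORDS = {
    "password", "password123", "123456", "12345678", "qwerty",
    "welcome1", "letmein", "admin",
}
MIN_LENGTH = 12          # assumed minimum length
MAX_SIMILARITY = 0.6     # assumed: new password may share at most 60% with the old one
MIN_TOKEN_LENGTH = 3     # ignore very short personal tokens (initials etc.)


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of matching characters between two strings, case-insensitive."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def check_password(candidate: str, previous: Optional[str],
                   personal_tokens: Iterable[str], org_name: str) -> List[str]:
    """Return the list of violated rules; an empty list means the password is accepted.

    personal_tokens: the user's names, birth year and similar values that must
    not appear inside the password."""
    problems = []
    lowered = candidate.lower()

    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if lowered in COMMON_PASSWORDS:
        problems.append("on blacklist")

    # Names, birthdates, the organization's name: reject if embedded anywhere.
    for token in list(personal_tokens) + [org_name]:
        if len(token) >= MIN_TOKEN_LENGTH and token.lower() in lowered:
            problems.append(f"contains '{token}'")

    # Regular rotation only helps if the new password is genuinely different.
    if previous is not None:
        ratio = similarity(candidate, previous)
        if ratio > MAX_SIMILARITY:
            problems.append(f"too similar to previous password ({ratio:.0%} match)")
    return problems


if __name__ == "__main__":
    user = ["Alice", "Smith", "1990"]
    for pw, prev in [("password123", None), ("Acme2024Welcome", None),
                     ("Zx9!Qm7#Ljp3", "Zx9!Qm7#Ljp2"),
                     ("correct-horse-battery", "Zx9!Qm7#Ljp2")]:
        print(pw, "->", check_password(pw, prev, user, "Acme") or "accepted")
```

The similarity test is what catches the “Winter2023” to “Winter2024” style of change: a one-character edit scores above 90% against the previous password and is rejected, while an unrelated password passes. The similarity comparison is only possible at the moment the user submits both the old and the new password, which is the one place the plaintext of the previous password is legitimately available.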

Prioritizing the Basics

While it is essential to invest in advanced cybersecurity solutions and threat intelligence, organizations must not overlook the significance of the basics. Effective security starts with a strong foundation, and organizations must ensure that their security posture addresses these fundamental elements.

By enforcing strong password policies with regular password changes and active blacklists, disabling default credentials on interfaces, and blocking those interfaces from external access, organizations can eliminate low-hanging fruit for attackers.

Conclusion

In the relentless battle against cyber threats, it is crucial for organizations to strike a balance between complexity and simplicity. While sophisticated threats exist, neglecting basic security practices leaves organizations exposed to common and easily preventable breaches. By redirecting focus towards the fundamentals, organizations can establish a robust security posture that complements their advanced security measures.

Cybersecurity should be viewed as a holistic approach that incorporates both advanced threat detection and the implementation of basic security elements to create a resilient defense against evolving threats. It is time for organizations to recognize the importance of the basics and bridge the gap between complexity and simplicity in their security strategies.

Learn how CYE helped improve the cybersecurity maturity of an electronic manufacturing company with hands-on security management, expert mitigation, and awareness programming.

FrontJacking: A New Attack That Threatens Reverse Proxy Servers
https://cyesec.com/blog/frontjacking-new-attack-that-threatens-reverse-proxy-servers
Mon, 26 Jun 2023 13:12:40 +0000, Gil Cohen

Reverse proxies offer several advantages in web architecture and application deployment. They sit in front of web servers, forward requests, and help increase security, performance, and reliability. Reverse proxies can enforce security validations and IP whitelisting, add HTTP security response headers, provide HTTPS connectivity, cache responses, balance load across several backend servers, and more.

However, with great power comes great responsibility: Reverse proxies increase the attack surface of organizations, and one new attack technique threatens the most popular reverse proxy, Nginx. This attack is called Frontend Server Hijacking, or FrontJacking for short, and it was presented at the most recent Hack in Paris and OWASP Dublin global event conferences.

What is FrontJacking?

FrontJacking is a hacking technique that combines CRLF injection, HTTP request header injection, and XSS. This technique exploits a web interface deployed in a shared hosting environment and published via a poorly configured Nginx reverse proxy. The vulnerable configuration allows attackers to inject a new host header, hijack the execution flow and the frontend reverse proxy server, and replace the website’s accessed backend server with an attacker-controlled server. This basically allows attackers to show malicious content to the unsuspecting user.

For example, a regular Nginx reverse proxy configuration looks like this:

[Image “frontjacking 1”: a regular Nginx reverse proxy configuration]

The backend server address is 52.27.77.148, and requests are passed to it.

However, one can also create a very similar configuration with the $uri and $document_uri variables:

These variables are meant to append the request’s query parameters to the request sent to the backend server, but they are in fact unnecessary: the regular configuration shown above, without any variables, behaves the same way.

So the configurations look identical, but in fact the last two have a hidden flaw: using the $uri and $document_uri variables makes the request sent to the backend server vulnerable to CRLF injection. CRLF (new-line) injection lets attackers inject a carriage-return/line-feed sequence and thereby add a new request header to the request. Consequently, attackers can inject a new Host header. In shared hosting, the Host header controls which backend server is accessed, so attackers can hijack the execution flow and redirect it to an attacker-controlled server.

Examples of FrontJacking

Here, instead of accessing the localhost server, a new Host header is injected, resulting in access to the example.com server:

Here is another real-life demo on GitHub Pages. The real, green-looking website is located at https://omritest.tk:

A (fake) malicious website was created at the address https://omriinbar-cyesec.github.io:

The attack then redirects an unsuspecting user using the malicious address containing the FrontJacking payload:

https://omritest.tk/%20HTTP/1.1%0d%0aHost:%20omriinbar-cyesec.github.io%0d%0a%0d%0a

This address is URL decoded in the reverse proxy server:

The IP address of omritest.tk is that of the shared hosting server, but the hostname itself now points to the malicious website. The result is that the malicious website is presented under the vulnerable website’s address:

This vulnerability has already been found in hundreds of websites in the wild, including some shared hosting and landing pages providers.

What makes it even more dangerous is that it enables attackers to execute any reflected XSS and phishing-related payloads while bypassing defensive mechanisms including CSP (Content Security Policy), HttpOnly cookie attributes, CORS (Cross Origin Resource Sharing), and HTTPS certificate validation. The only mechanism that partially helps in some cases is a Web Application Firewall (WAF).

Conclusions

FrontJacking is a new and dangerous attack technique that exploits the common web architecture of a self-managed Nginx server in front of a shared hosting service, combined with a poor Nginx configuration. When contacted, the Nginx developers answered that this issue is not going to be fixed, so developers and DevOps engineers should be aware of it and avoid using the $uri and $document_uri variables in Nginx’s configuration.
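Since the recommended mitigation is a configuration rule, it can be checked mechanically before a configuration is deployed. The Python script below is an added example, not code from the article or from the Nginx project: it scans an Nginx configuration for proxy_pass directives whose target embeds $uri or $document_uri, ignores commented-out lines, and reports the offending line numbers. The sample configuration and the backend.internal host name are constructed for illustration.

```python
"""Scan an Nginx configuration for proxy_pass targets built from $uri or
$document_uri, the pattern the article ties to FrontJacking.

Added example, not code from the article or from the Nginx project. The
sample configuration below and the host name backend.internal are
constructed for illustration."""
import re

# A proxy_pass directive at the start of a line, up to its semicolon.
# [ \t]* (not \s*) keeps the match from swallowing preceding blank lines,
# so the reported line number is the directive's own.
PROXY_PASS_RE = re.compile(r"^[ \t]*proxy_pass\s+([^;]+);", re.MULTILINE)

# The two variables the article warns about. Nginx decodes and normalizes
# $uri, so percent-encoded CR/LF from the client ends up raw in the
# upstream request when either variable is used to build the target.
RISKY_VAR_RE = re.compile(r"\$(?:uri|document_uri)\b")


def strip_comments(config: str) -> str:
    """Blank out '#' comments so commented-out directives are not reported."""
    return "\n".join(line.split("#", 1)[0] for line in config.splitlines())


def find_risky_proxy_pass(config: str) -> list:
    """Return (line_number, target) for every proxy_pass whose target
    embeds $uri or $document_uri."""
    cleaned = strip_comments(config)
    findings = []
    for match in PROXY_PASS_RE.finditer(cleaned):
        target = " ".join(match.group(1).split())   # collapse internal whitespace
        if RISKY_VAR_RE.search(target):
            line_no = cleaned.count("\n", 0, match.start()) + 1
            findings.append((line_no, target))
    return findings


# Constructed sample: one safe location, two the article warns against,
# and one using $request_uri, which is not one of the two named variables.
SAMPLE_CONFIG = """
server {
    listen 80;
    location / {
        # safe: no variables, Nginx forwards the URI itself
        proxy_pass http://backend.internal;
    }
    location /app/ {
        proxy_pass http://backend.internal$uri$is_args$args;
    }
    location /legacy/ {
        proxy_pass http://backend.internal$document_uri;
    }
    location /raw/ {
        # $request_uri is the client's original, still percent-encoded URI;
        # it is not one of the two variables the article names
        proxy_pass http://backend.internal$request_uri;
    }
}
"""

if __name__ == "__main__":
    for line_no, target in find_risky_proxy_pass(SAMPLE_CONFIG):
        print(f"line {line_no}: proxy_pass {target}  <- uses $uri/$document_uri")
```

On the sample it flags lines 9 and 12 and leaves the variable-free proxy_pass alone. Wiring the same function into a pre-deployment check (or a CI step that fails on any finding) turns the article’s “avoid these variables” advice into something that cannot silently regress.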

If you wish to learn more about this attack and how to prevent it, check out this SecureFlag blog post.

CYE always strives to find cutting-edge attack techniques in our customers’ systems and in general, as part of penetration tests and red teaming activities. Contact us to learn more.

Meet CYE’s Chief of Critical Cyber Operations
https://cyesec.com/blog/meet-cyes-chief-of-critical-cyber-operations
Thu, 22 Jun 2023 08:28:24 +0000, Yaffa Klugerman

Shmulik Yehezkel, Colonel (Res.), is a cybersecurity expert with a long list of security roles under his belt. We sat down with Shmulik to talk about his holistic approach to cybersecurity, where it comes from, and how intelligence-based security plays into giving customers the most value for their money.

What is your background in security?

I began my career as a fighter in an elite unit, and later served as a battalion commander in the infantry and eventually as a brigade commander in the Home Front Command. These roles allowed me to lead operational activities against adversaries and manage crises, both civil and related to pandemics.

Simultaneously, in my civilian career, I held the position of security director at the Israeli Embassy in Nigeria and was responsible for overseeing the physical and information security at all Israeli embassies in the US and Africa. This experience provided me with valuable insights into physical and information security. Additionally, I served as the deputy Chief Information Security Officer (CISO) for all Israeli embassies worldwide.

Meanwhile, I pursued my studies in software engineering with a specialization in cybersecurity. I worked in cyber roles at the prime minister’s office, engaging in development, defensive and offensive support, and even served as the acting director of security risks and cyber risks within the organization. In my final role within the Israeli security system, I served as the director of the operative cyber division at the DSDE, Ministry of Defense. This division guided security companies and organizations in Israel in assessing and addressing cyber threats, while I personally led the handling of cyber incidents for security bodies in Israel. As a senior member of the exclusive “Organ” forum, which includes representatives from all security organizations in Israel, I actively contributed to the assessments and response strategies employed by the State of Israel to counter cyber threats.

What are your responsibilities at CYE?

I hold three key positions at CYE. First, I am the company’s CISO and CIO, focusing on internal company activities. Additionally, I serve as the leader of the Critical Cyber Operations Group, which provides professional cyber services at the state level. Following the NIST model for handling cyber incidents, we have established a fully operational group that applies this model to our clients. The group consists of specialized professional departments, namely the Advanced Cyber Architecture Department (Arch), Cyber Intelligence Department (CTI), Department of Cyber Incidents and Forensics (DFIR), and Project and Operations Management Department. These departments work together in a coordinated and synchronized manner.

Our activities include assisting customers in constructing and evaluating their cyber architecture (IT and OT) and managing their cyber incidents and crises.

How is working at CYE different from the other roles you’ve held throughout your career?

After spending more than 25 years working in the civil service and state security and intelligence organizations, I transitioned to CYE. Joining a startup company has been a completely different experience for me. The working atmosphere is distinct, characterized by reduced bureaucracy and increased flexibility and creativity. Professionally, the main surprise for me has been the significant and dynamic challenges that require me to stay up-to-date with technology on a daily basis.

When I made the move to the civilian world, I was certain that I would not be dealing with state actors in cyberspace. However, to my surprise, that assumption was proven wrong. The computer infrastructures of companies worldwide have become the battleground for 21st-century cyber warfare. State-sponsored hacker groups, alongside criminal organizations, operate within the dependencies of these companies for various purposes. In fact, we often encounter situations that surpass my previous experiences in terms of magnitude and complexity.

What is intelligence-based security?

I believe that the effectiveness of security measures cannot be solely determined by the number of barriers or general security activities implemented. Each organization faces unique threats that may not necessarily align with conventional security practices.

Consider a scenario where your organization or your customers attract specific interest from China. Let’s say China is involved in your organization’s supply chain, selling critical services or components. Suppose your company takes cybersecurity seriously and invests significantly in it. From a cybersecurity standpoint, your organization may appear secure against Chinese threats. However, the challenge lies in the fact that the Chinese may not necessarily target your organization through cyber means. They may exploit their position in your supply chain to introduce threats into your organization. Consequently, your company should prioritize vendor assessment and supplier security over traditional cybersecurity measures.

This is where intelligence-based security becomes crucial. It allows you to focus on the actual threats you face and adapt your security strategy accordingly, rather than addressing hypothetical or irrelevant risks.

For instance, we collaborated with a company that heavily emphasized cybersecurity efforts. However, upon analyzing their situation, we determined that the likelihood of nation-state actors targeting them was low because the company lacked technology or data of interest to such attackers. Instead, the company’s significant financial resources made it a prime target for criminal groups seeking financial gain, often through ransomware attacks.

Following our analysis, we had to explain to the company that their cybersecurity investments needed to be tailored to address their specific threats. By gathering and analyzing intelligence, we were able to redirect their security efforts in the right direction, making a significant impact.

What are some of the challenges that you face?

At times, the extent to which my team can investigate an incident is limited by the level of access and resources granted by the customer. The customer’s priority may be to quickly and cost-effectively resolve a security incident, while my expertise and training emphasize the importance of thoroughly investigating the incident to prevent future attacks.

For instance, I recently conducted an incident response for a global corporation. Upon completion, I inquired whether they wanted CYE to conduct a detailed analysis to identify the threat actor behind the attack. In government scenarios, this step is mandatory as the government needs to know who is targeting them. However, when dealing with a commercial entity, they can choose to decline investing in identifying the attacker, and we have no choice but to respect their decision.

Personally, I prioritize long-term success over short-term gains. To effectively protect an organization from persistent attackers, it is crucial to identify and block the attacker’s identity. Without this information, the likelihood of future attacks remains high.

Want to learn more about how CYE’s critical cyber operations adds value to organizational cybersecurity? Contact us to learn more.

What You Need to Know About the NIST Cybersecurity Framework
https://cyesec.com/blog/nist-cybersecurity-framework
Wed, 14 Jun 2023 11:20:37 +0000, Leeron Walter Mendel

Cybersecurity has become a top priority for organizations of all sizes and across all industries. The importance of protecting sensitive data and systems from cyber threats cannot be overstated. That’s why it’s crucial to have a well-defined framework for measuring and improving cybersecurity.

One such framework that has been widely adopted is the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The NIST Cybersecurity Framework is a set of guidelines, standards, and best practices that organizations can use to manage and reduce their cybersecurity risk.

The Five Functions of the NIST Cybersecurity Framework

The NIST Cybersecurity Framework comprises five core functions that organizations can utilize to build and maintain an effective cybersecurity program. These functions are: identify, protect, detect, respond, and recover.

The identify function aims to develop an organizational understanding of cybersecurity risks to critical assets, data, and capabilities. Key activities in this function include identifying physical and software assets, business environment, cybersecurity policies, asset vulnerabilities, and risk response activities. This function helps organizations prioritize their efforts based on their risk management strategy and business needs.

The protect function outlines appropriate safeguards to ensure the delivery of critical infrastructure services and limit the impact of potential cybersecurity events. It covers activities such as implementing identity management and access control, providing security awareness training, establishing data security protection, managing technology, and maintaining protection of information systems and assets.

The detect function defines activities to identify potential cybersecurity incidents in a timely manner. This function includes implementing continuous monitoring capabilities, detecting anomalies and events, and verifying the effectiveness of protective measures.

The respond function focuses on taking appropriate actions during and after a detected cybersecurity incident. It covers activities such as ensuring response planning processes are executed, managing communications with stakeholders, analyzing incidents, performing mitigation activities, and incorporating lessons learned for improvements.

The recover function aims to restore any capabilities or services that were impaired due to a cybersecurity incident. This function includes ensuring recovery planning processes and procedures are implemented, coordinating internal and external communications during and following recovery, and incorporating lessons learned for improvements.

How CISOs Can Leverage the NIST Cybersecurity Framework

The NIST Cybersecurity Framework is recognized as the gold standard for developing a comprehensive cybersecurity program, and it is particularly effective for presenting at the board level. As a CISO, you can leverage this framework to introduce your cybersecurity strategy and plan to the organization’s leadership. To ensure ongoing alignment with the framework, it is recommended to include the following slides in your quarterly presentations:

  • Overview: Provide a brief summary of the organization’s cybersecurity program and the importance of maintaining an effective security posture.
  • Identify: Review the steps taken to identify critical assets, business functions, and potential cybersecurity risks to the organization.
  • Protect: Explain the measures in place to protect the organization’s assets and systems, such as identity management, data security, and technology management.
  • Detect: Discuss the procedures in place to detect potential cybersecurity incidents and how they are monitored to ensure their effectiveness.
  • Respond: Describe the plan of action to take in the event of a cybersecurity incident, including communication protocols, mitigation activities, and lessons learned.
  • Recover: Discuss the steps taken to restore systems and assets affected by a cybersecurity incident, including recovery planning and improvements based on lessons learned.

By following this structure and aligning with the NIST Cybersecurity Framework, you can effectively communicate your cybersecurity strategy and plan to the board, helping to ensure ongoing support and resources for your cyber program.

Want to learn how Hyver evaluates risk according to NIST IR 8286? Learn more here.

Cyber Risk Quantification vs. Cyber Risk Optimization
https://cyesec.com/blog/cyber-risk-quantification-vs-cyber-risk-optimization
Tue, 30 May 2023 08:33:35 +0000, Ira Winkler

My first book, Corporate Espionage, released in 1997, had a chapter devoted to risk optimization. It discussed risk quantification and risk optimization long before they became the buzzwords they are now. It took more than 20 years for Gartner and Forrester to start officially covering the concept as a unique market within cybersecurity. While I appreciate that something I have been advocating for more than 25 years has begun to be accepted as an integrated part of a cybersecurity program, it is poorly understood, which allows for mediocre products and implementations.

Why I Differentiate Between Risk Quantification and Risk Optimization

To give a very simple working definition, cyber risk quantification (CRQ) is basically the monetary value of the potential loss from a cybersecurity perspective. It is pretty simple. That involves determining the value of the information and services that are computer based. I will go into a bit of detail later, but again the concept is simple, even though coming up with a reasonably accurate number is very difficult.

There is also the concept of cyber risk exposure, which incorporates the probability of the quantified risk. So for example, if you quantified $100M of cyber risk, and your exposure is likely 20%, this means that your exposure is $20M. Sometimes the terms are used synonymously, but you should know the difference. Either way, cyber risk quantification/exposure is about the potential loss an organization can experience.

Cyber risk optimization, which I have been advocating for 25 years, involves taking your cyber risk exposure and determining which countermeasures would be the most cost effective for your organization. In other words, you look at the financial impact of a given vulnerability, and you then determine if the countermeasures to mitigate the vulnerability provide a good return on investment. In other words, optimization makes cyber risk quantification useful.
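The exposure arithmetic above and the optimization step it feeds can be worked through in a few lines. The following is an added example and not code from the original column or from CYE's Hyver platform; the $100M / 20% figures are the ones quoted above, while the countermeasure names, annual costs and residual probabilities are constructed assumptions chosen only to show how the ranking falls out.

```python
"""Cyber risk exposure and countermeasure optimization, worked through on
constructed figures (added example; not CYE's or the author's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float             # assumed yearly cost to buy and run
    reduces_probability_to: float  # assumed residual annual probability once deployed


def exposure(quantified_loss: float, probability: float) -> float:
    """Cyber risk exposure = quantified potential loss x probability of occurrence.
    The column's own example: $100M quantified at 20% likelihood -> $20M exposure."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    return quantified_loss * probability


def rosi(quantified_loss: float, probability: float, cm: Countermeasure) -> float:
    """Return on security investment: (exposure removed - cost) / cost.
    Negative means the countermeasure costs more than the exposure it removes."""
    if cm.annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    before = exposure(quantified_loss, probability)
    after = exposure(quantified_loss, cm.reduces_probability_to)
    return (before - after - cm.annual_cost) / cm.annual_cost


def rank_countermeasures(quantified_loss: float, probability: float,
                         options: list[Countermeasure]) -> list[Countermeasure]:
    """The optimization step: order candidate countermeasures by ROSI, best first."""
    return sorted(options, key=lambda cm: rosi(quantified_loss, probability, cm), reverse=True)


# Constructed candidates (assumptions, not real vendor figures).
SAMPLE_OPTIONS = [
    Countermeasure("Phishing-resistant MFA rollout", 500_000, 0.10),
    Countermeasure("EDR on all endpoints", 2_000_000, 0.12),
    Countermeasure("Network appliance refresh", 5_000_000, 0.17),
]


def optimize_sample() -> list[str]:
    """Rank the constructed candidates against the $100M / 20% exposure from the text."""
    return [cm.name for cm in rank_countermeasures(100_000_000, 0.20, SAMPLE_OPTIONS)]


if __name__ == "__main__":
    print(f"exposure: ${exposure(100_000_000, 0.20):,.0f}")
    for cm in rank_countermeasures(100_000_000, 0.20, SAMPLE_OPTIONS):
        print(f"{cm.name:32s} ROSI = {rosi(100_000_000, 0.20, cm):+.2f}")
```

The point the ranking makes is the one argued above: the most expensive control is not the best one, and a control whose cost exceeds the exposure it removes has a negative return even though it "reduces risk". Real inputs would come from the quantification model rather than from constants.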

Cyber Risk Quantification

It is important to note that there are different ways to perform cyber risk quantification. Some organizations offer software-based solutions, where you enter data into a system, and it creates an estimation of cyber risk quantification. Some software solutions provide some sort of index score. In other words, they create their own arbitrary scale, such as a number from 1–100. They will say that your CRQ is a 53, for example. OK. I guess it’s good for tracking trends, but it doesn’t give any hard value. Other organizations will give you a dollar value, which does make a better business case.

The accuracy of CRQ depends upon the data sources and the mathematical models. You will hear a lot of people tout machine learning here, and be aware that machine learning is really just the use of advanced mathematical techniques. The CYE Hyver platform, for example, uses data from multiple insurance companies, regulatory information, geographical considerations, and most uniquely, detailed data about organizational vulnerabilities to understand the true level of risk quantification. We’ve tuned the models and data sources to within 7% of actual measures of losses, when we’ve compared it to actual losses experienced by organizations and manually performed quantifications.

As implied in the last paragraph, the other way to perform CRQ is with an expensive consulting engagement. You can bring in organizations that do this type of work, such as Big 4 firms, and they gather information and put together studies to estimate CRQ. While in theory these consulting efforts can be more accurate, they are expensive and can take months. Given the speed of information, a study that takes months is not going to be accurate for long. Likewise, it is expensive to reperform to see if there is improvement.

Perhaps my biggest problem with CRQ efforts is that they are great for providing pretty pictures to management, but not much else. This could be all that is necessary, as sometimes management just wants to have something to prove that they are doing some oversight. And to a certain level, this satisfies the requirements.

Some CRQ tools provide recommendations to say that based upon past information, a company might want to put more funds into some efforts over others. Those suggestions tend to be broad generalities and lack specific recommendations.

For now, that’s CRQ. I will address how to use CRQ for cyber risk optimization—where I think every organization should be—in my next column.

Want to learn more about how to choose a cyber risk quantification strategy? Download our guide

What We Can Learn from the City of Dallas Ransomware Attack https://cyesec.com/blog/what-we-can-learn-from-the-city-of-dallas-ransomware-attack https://cyesec.com/blog/what-we-can-learn-from-the-city-of-dallas-ransomware-attack#respond Mon, 22 May 2023 09:37:34 +0000 Phillip Wylie https://cyesec.com/?p=5656 Ransomware attacks continue to plague organizations, with the most common targets being local governments and hospitals. On Wednesday, May 3, 2023, the city of Dallas fell victim to the Royal ransomware attack group. This attack impacted the Dallas Municipal Court, Dallas 311 Customer System for Non-Emergency Issues, internal IT resources, and public-facing websites including the Dallas Police Department website. The attack was detected by the city's Security Operations Center (SOC).

What We Know 

According to the Cybersecurity and Infrastructure Security Agency (CISA), the Royal group leverages the following to gain initial access to the city’s networks: 

  • Phishing 
  • Remote desktop protocol (RDP) 
  • Public-facing applications 
  • Virtual private network (VPN) credentials  

The attack group used phishing to gain initial access into the city of Dallas's systems. Royal actors typically use command and control (C2) infrastructure to maintain this access. They use legitimate Windows and open-source software to strengthen their foothold and to communicate with their C2 infrastructure. Royal also uses legitimate pentesting tools, including the popular C2 tool Cobalt Strike, for lateral movement and persistence. Other commercial tools used by the Royal attackers include remote monitoring and management (RMM) software such as AnyDesk, LogMeIn, and Atera. For data exfiltration, the attackers use Cobalt Strike and malware tools. Royal actors also encrypt data and delete Windows Volume Shadow Copy Service shadow copies to prevent system recovery.

For more information about the Royal ransomware group, see CISA’s Cybersecurity Advisory Alert Code AA23-061A, as well as MITRE ATT&CK’s Royal page.   

Preventive and Defensive Measures Against Ransomware Attacks 

Offensive security gives organizations the upper hand when dealing with their threat landscape. Ransomware prevention processes should be hardwired into national and healthcare security protocols. CISA offers guidance on ransomware prevention as well as a useful ransomware response checklist. 

Ransomware should be part of any organization’s disaster recovery and business continuity plan. It should also be a topic to include in tabletop exercises.  

Ransomware actors leverage phishing to gain initial access into an organization, and exploitable vulnerabilities in the environment give them opportunities to perform post-exploitation activities such as lateral movement, data exfiltration, and maintaining persistence.  

Phishing is a common threat vector of ransomware groups such as Royal. Unfortunately, not all anti-phishing solutions are the same in the breadth of protection they offer. There are many commercial solutions out there that only test for awareness and log clicks on URLs in the phishing emails. They do not test the effects of clicking on a phishing email that contains malware. Penetration testing solutions that go deeper may uncover crucial information about how far an attacker can get into an organization's environment.

Organizations may invest heavily in securing their environments, but if they are not educated in anti-phishing security, all it takes is one person in the organization clicking on a phishing email to potentially bring down the organization.  

Penetration testing is one crucial part of an organization’s offensive capabilities when it comes to dealing with ransomware and phishing. Other offensive capabilities such as adversary emulation, also known as red team operations, can also play an important role in a holistic security assessment. More information on vulnerability exploitation can be found in CISA’s Known Exploited Vulnerabilities Catalog and MITRE ATT&CK’s knowledge base.   

Conclusion  

It is important to leverage multiple offensive strategies to reduce the risk of ransomware attacks through phishing, remote desktop protocol, and more. When choosing a security partner, it is crucial to consider the offensive capabilities they offer and their ability to detect vulnerabilities, anticipate malicious actors’ potential exploitation routes, and offer timely, applicable remediation plans based on risk prioritization.  

CYE’s Hyver platform delivers comprehensive cyber risk assessments, creates graph models that detail attack routes to critical business assets, and quantifies the cost of potential attacks. CYE’s cyber risk quantification capabilities improve communication between CISOs and management, helping CISOs clearly put a dollar value on cyber risk and mitigation. CYE also offers a diverse set of added-value offensive and defensive capabilities, including penetration testing and red teaming conducted by nation-state security specialists.  

Want to learn more about protecting your organization from cyberattacks? Contact us for more information.

How CYE Optimizes Your Cybersecurity Budget https://cyesec.com/blog/how-cye-optimizes-your-cybersecurity-budget https://cyesec.com/blog/how-cye-optimizes-your-cybersecurity-budget#respond Tue, 09 May 2023 11:20:58 +0000 Anat Leonor Richter https://cyesec.com/?p=5608 The economic downturn that is affecting companies on all levels is having unique effects on cybersecurity budgets, in part due to security’s costly nature.   

It would make sense to assume that during times of economic slowdown, companies would reduce their security spending. Unfortunately, the growing prevalence of attacks and their increasing sophistication has required organizations across the board to increase their security spending despite the economic downturn. According to one source, 65% of organizations plan to increase cybersecurity spending in 2023. 

CISOs tasked with maintaining strong security postures in the face of these new threats must scrap everything they know about budgeting in ideal circumstances and rethink how they optimize their security plans.  

Here are CYE’s 5 cornerstones of a solid security plan in times when the money isn’t flowing, and management is keeping a tight watch on the spending.  

Understanding your threat landscape   

By performing a baseline assessment, you will know where your vulnerabilities lie and what attack routes hackers are likely to take to reach your most business-critical assets. CYE’s baseline assessment is also the first step to a prioritized mitigation plan, which is a CISO’s best friend when it comes to optimizing cybersecurity on a budget.  

Cobalt's 2022 State of Pentesting Report found that 90% of short-staffed security teams are struggling to effectively attend to vulnerabilities because they are overwhelmed. Prioritization based on the findings of a baseline assessment solves this very problem, giving the CISO a clear indication of which vulnerabilities pose the most risk to the business, what to mitigate first, and where to focus the security team's efforts.

Assessing before purchasing    

When budgets are tight, every purchase must be accounted for with a clear indication of its value to the business operation. This is especially true for security purchases which tend to be costly line items.  

In today’s economic climate, proving ROI for security spend is a big part of the CISO’s job. It is crucial that before purchasing a new cybersecurity tool, investing in a service, or hiring specialists, you understand their functionality and purpose.  

If this functionality overlaps with other tools or services you are using, or it doesn’t offer a holistic enough solution that addresses multiple security concerns, you are probably better off finding a more fitting tool to invest in. 

The name of the game in a lean operation is a solution that is customizable and adaptable, and that will grow with the changing needs of your security team.   

Reducing your attack surface   

While the wealth of tech solutions available today can help companies scale their operations, companies should remain mindful that these products and services can expand the organization’s attack surface and increase security risk.  

Security teams should be vigilant about checking the added security risks that come with adding tools, services, and integrations and giving access to company databases. By limiting access to critical data and implementing PAM (privileged access management), CISOs can reduce the organization’s attack surface to what the security team can realistically manage. 

Quantifying your cyber risk    

CYE’s cyber risk quantification translates the security risks a company faces from technical terms into monetary business terms that management and board members can understand. By attaching a dollar value to the cyber risks the organization is up against, you will be in a much better position to discuss your security plan and budgetary needs.  

A cyber risk quantification process is an excellent way for CISOs to improve communication with management. It is a particularly good investment in times when management is closely monitoring spending and is looking to understand how security investments figure into business operations.  

Creating a culture of cybersecurity    

Cybersecurity awareness is one of the most effective and cost-efficient ways to optimize security and maintain a consistently high security posture over time. Investing in CYE’s security awareness programming and security education companywide is always a good idea. It is especially important to do this when budgets are cut, due to the relatively low cost of implementation compared to its high return on investment.  

How CYE can help 

To summarize, CYE’s cybersecurity optimization platform, Hyver, helps organizations: 

  • Easily identify and address critical security issues 
  • Prioritize cybersecurity and remediation efforts 
  • Quantify the cost of risk vs. the cost of mitigation 
  • Allocate resources more efficiently 

Want to learn more about how CYE helps organizations protect themselves from cyber threats while optimizing security budgets? Contact us. 

What CISOs Can Gain from Cyber Risk Quantification https://cyesec.com/blog/what-cisos-can-gain-from-cyber-risk-quantification https://cyesec.com/blog/what-cisos-can-gain-from-cyber-risk-quantification#respond Sun, 30 Apr 2023 11:32:03 +0000 Yaffa Klugerman https://cyesec.com/?p=5526 Every organization around the world is facing the increasing challenge of managing cyber risks as a deluge of threats come from advanced and inexperienced attackers alike. As attacks have increased, both cybersecurity budgets and board-level scrutiny on cybersecurity as a business risk have followed suit. This attention on cybersecurity highlights the challenges of CISOs, who must present abstract cyber risks as something more concrete for business leaders. Cyber risk quantification (CRQ) helps you accomplish that by calculating your organization’s risk exposure in monetary terms and applying that information to make decisions about managing risk in a business context.

“The CISO role must evolve from being the ‘de facto’ accountable person for treating cyber risks, to being responsible for ensuring business leaders have the capabilities and knowledge required to make informed, high-quality information risk decisions.” – Sam Olyaei, research director at Gartner

Security and risk management (SRM) leaders can use cyber risk quantification models and tools to help them better communicate risk, help boards of directors and executive teams make cybersecurity decisions, and prioritize cybersecurity risks based on impact to the business. The following are six things CISOs can gain from cyber risk quantification to help them align security needs with business needs.

1. Better Understanding of Cyber Risk

Faced with rising threats, an ongoing shortage of cybersecurity professionals, and increased attention on the business impacts of cyberattacks, CISOs must prioritize the various risks facing their organizations. Cyber risk quantification models and tools help them understand what threats exist as well as what data and business assets are at risk.

2. Visibility into Attack Routes

While all vulnerabilities may present some degree of risk, malicious actors may be able to plan attack routes to important business assets by exploiting just a few of them. Other gaps may seem significant, but if they do not present a serious threat to your vital business assets, you do not need to prioritize them. Advanced cyber risk quantification tools help you make those decisions by centralizing cyber risk data, so you have visibility into risks across the organization rather than trying to piece together different reports from a variety of tools. This centralized view is critical to helping you quantify your risk.

3. Cyber Risk in Monetary Terms

Once you know which business and data assets are at risk, you need to understand whether they present any real risk at all. All risks are not created equal. Part of the quantification process is understanding each probable threat and figuring out the likelihood of occurrence. What costs might your organization incur in a data breach? What are your most critical or expensive assets, and which ones are at highest risk?

Putting that cyber risk into concrete monetary terms can help you calculate the value of your assets in real business terms and prioritize mitigation based on both the cost of a breach and the cost to reduce threats. That information also helps you decide how much to spend on security tools and where those tools will have the greatest impact in financial terms. The identification of threats and assets is an ongoing process, not something that you can do once and move on. The evolving nature of risk and your changing environment means that you need to focus on relative risks and how to mitigate them.

4. Prioritized Risk Mitigation

Adding the financial context for identified risks is essential if you want your security team to prioritize which gaps to address first. If a threat materialized as an attack, what would be the potential damage to the business? A few examples of the potential damages and cost to the business include:

  • What is the cost of shutting down a shopping website or an assembly line for a few hours, days, or more?
  • What if employees are idle due to a network outage?
  • Is there an additional cost to perform tasks manually instead of digitally in case of an outage?
  • Are there any third-party costs, such as legal fees or costs associated with data breach reporting?

Costs are not limited to the possible cost of the cyber incident itself but also to the cost of remediation – and some of those costs relate to loss of reputation and trust by your customers and partners. Once you understand the potential business impact, how exploitable the threat is, and what it will cost to mitigate the risk, you have the information you need to decide which risks are the most critical for you to mitigate.

5. Optimized Cybersecurity Investments

You can make better budget decisions based on the real dollars at risk in the event of a breach to your critical assets. According to Gartner, organizations will spend $188.3 billion on information security and risk management products and services this year, and Gartner expects that spend to increase to $262 billion in 2026. While funding may be growing, there are many attack vectors and scores of security tools and services available, so choosing how to spend cybersecurity dollars can be difficult without the context supplied by a robust cyber risk quantification model or tool.

CRQ helps you focus on making choices based on the real risks that you need to mitigate. When you bring budget requests to the executive team backed by real numbers rather than vague threats due to malware, distributed denial of service attacks, and ransomware, it will help you get the spending approval you need and use it effectively.

6. Better Communication with Your Executive Team

Increasingly, the US, the EU, the UK, and many other countries are passing, enforcing, and updating regulations on reporting cyberattacks, as well as regulations on disclosing breaches, cyber policies, and risk management models. These changes require boards and executives to understand cybersecurity and related risks to the business.

Adopting the right cyber risk quantification model can help you ensure that decision makers fully understand the potential financial and business ramifications of different cyberattack scenarios and approve budget to implement cybersecurity solutions effectively and efficiently.

Cyber Risk Quantification Drives Business Decisions

Understanding the full implications of attacks and costs can help your security team focus efforts and budgets where they will make the biggest impact and transform security into a business enabler instead of a blocker. Cyber risk quantification can help you effectively reduce cyber risk, backed by an executive team whose members understand that cybersecurity spending, done right, is an investment in the business as a whole.

Want to learn more about how CISOs can adapt to their changing role? Read our ebook.

What You Need to Know About the Anonymous Sudan Hacker Group https://cyesec.com/blog/what-you-need-to-know-about-the-anonymous-sudan-hacker-group https://cyesec.com/blog/what-you-need-to-know-about-the-anonymous-sudan-hacker-group#respond Tue, 04 Apr 2023 15:26:36 +0000 Lionel Sigal https://cyesec.com/?p=5440 Who is Anonymous Sudan? 

Anonymous Sudan is a hacker group, apparently based in Sudan, which claims to engage in cyber activism and hacking activities. The group is believed to be part of the larger Anonymous network, which is an international group of hacktivists and activists that execute disruptive attacks throughout the world and are known for their #OP activities (#OPIsrael, #OPAustralia, etc.). The #OP activities are usually related to a specific cause and date in which the group executes their attacks.  

This group is known for conducting various types of cyberattacks, including distributed denial of service (DDoS) and defacement attacks, and for claiming responsibility for these attacks through public statements and online posts mainly on Telegram and Twitter. The motivations and goals of Anonymous Sudan are not very clear, but their actions often appear to be aimed at raising awareness about specific political and social issues. Since the Russian-Ukraine war began, this group has claimed to support the Russian cause; therefore, it often attacks Ukrainian targets. 

From March 16 to March 23, 2023, Anonymous Sudan and Killnet—which are believed to be the same group—claimed responsibility for several unverified DDoS and website defacement attacks. Killnet’s recent targets for cyberattacks included the Latvian governmental Project “School 2030,” NASA, and a Precision Rifle Series-affiliated club located in Lviv, Ukraine called Poligun Team. Anonymous Sudan, meanwhile, claimed responsibility for numerous DDoS attacks in France that targeted hospitals, universities, airports, and public organizations including the French Police, the Ministry of Justice, and the Ministry of the Interior. 

Historically, Anonymous Sudan cites geopolitical events that it perceives as anti-Muslim as the catalyst for its DDoS attacks. Anonymous Sudan allegedly began targeting Danish entities on February 22, 2023, and continued doing so throughout March 2023. Anonymous Sudan began targeting French entities in mid-March 2023 and has cited "the offensive caricature of the Prophet Muhammad [in France]" as the catalyst for its DDoS attacks. Many pro-Russian hacktivist groups are ego-driven and have historically publicized both verified and unverified Western media coverage of their alleged attacks.

There have been claims in recent months that Anonymous Sudan is actually a Russian group. At this point, we have no hard evidence that directly connects the group to official Russian entities, as is the case with other Russian attack groups we know, such as APT28 and APT29.

CYE’s CTI group revealed the following TTPs and IOCs while researching Anonymous Sudan:

TTPs:
Defacement (T1491.001 – internal defacement, T1491.002 – external defacement)

Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.

Network Denial of Service (T1498.001 – Direct Network Flood, T1498.002 – Reflection Amplification)

Network Denial of Service (DoS) attacks are used by adversaries to block or degrade the availability of targeted resources. Network DoS can be performed by exhausting the network bandwidth services rely on. Websites, email services, DNS, and web-based applications are examples of resources. Adversaries have been observed conducting network DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion.

Network DoS occurs when the bandwidth capacity of the network connection to a system is exhausted due to malicious traffic directed at the resource or to the network connections and network devices it relies upon. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).

Several aspects of Network DoS attacks apply across the different methods, including IP address spoofing and the use of botnets.

It is possible for adversaries to use the original IP address of an attacking system or spoof it to make it more difficult to trace the attack traffic back to the attacker or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.

IOCs:

101.167.152.76
101.167.152.90
109.235.139.13
213.61.253.152
213.61.253.250
213.61.254.11
213.61.254.36
217.110.80.14

Recommendations

To help prevent being attacked by the Anonymous Sudan group, the following is recommended: 

General  

Have a continuous information feed to stay up to date with the latest trends and threats in the cyber warfare world. 

DDoS 

  • If possible, block all the known IOCs of the group. 
  • Verify your Anti-DDoS configuration. Make sure your critical sites are under protection. 
  • If you do not have an anti-DDoS appliance, consider asking your ISP for anti-DDoS solutions. Alternatively, some security vendors offer scrubbing services; however, these require configuration on your part. 
  • It is recommended to have a secondary ISP line sufficient to support your traffic as a redundancy option. 
  • Have your NOC (network operations center) monitor your ISP lines for abnormal traffic. 
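The first DDoS recommendation, blocking the group's known IOCs, and the later advice to monitor sites for suspicious behavior both start with the same step: checking whether the listed addresses show up in your own logs. Below is an added example of that check, not CYE's CTI tooling; it uses the eight IP IOCs exactly as published above, while the access-log lines are constructed (the 198.51.100.7 address is an RFC 5737 documentation address standing in for normal traffic), and the generated rule format is an assumption.

```python
"""Match the published IOC list against web server access logs and emit host
block rules (added example, not CYE's tooling; log lines are constructed)."""
import ipaddress
import re
from collections import Counter

# IP IOCs exactly as listed in the post above.
ANONYMOUS_SUDAN_IOCS = [
    "101.167.152.76", "101.167.152.90", "109.235.139.13", "213.61.253.152",
    "213.61.253.250", "213.61.254.11", "213.61.254.36", "217.110.80.14",
]

# Constructed combined-format access log lines; a malformed line is included on
# purpose so the parser's handling of it is exercised.
SAMPLE_ACCESS_LOG = """\
213.61.254.11 - - [20/Mar/2023:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
213.61.254.11 - - [20/Mar/2023:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Mar/2023:10:01:03 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
101.167.152.76 - - [20/Mar/2023:10:01:03 +0000] "GET /?q=1 HTTP/1.1" 503 0 "-" "-"
not a log line at all
217.110.80.14 - - [20/Mar/2023:10:01:04 +0000] "POST /login HTTP/1.1" 503 0 "-" "-"
"""

# Only the leading fields are needed: source address, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def load_iocs(raw: list[str]) -> set:
    """Validate every IOC as an IPv4/IPv6 address. A malformed entry is skipped
    rather than turned into a rule that can never match."""
    iocs = set()
    for item in raw:
        try:
            iocs.add(ipaddress.ip_address(item.strip()))
        except ValueError:
            continue
    return iocs


def match_iocs(log_text: str, iocs: set) -> Counter:
    """Count requests per IOC address seen in the log; unparsable lines are ignored."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        if src in iocs:
            hits[str(src)] += 1
    return hits


def drop_rules(hits: Counter) -> list[str]:
    """Render one iptables DROP rule per matched IOC, most active address first."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip, _ in hits.most_common()]


if __name__ == "__main__":
    found = match_iocs(SAMPLE_ACCESS_LOG, load_iocs(ANONYMOUS_SUDAN_IOCS))
    for ip, n in found.most_common():
        print(f"{ip:16s} {n} request(s)")
    print("\n".join(drop_rules(found)))
```

Host-level rules like these only help against application-layer traffic that reaches the server; for a volumetric flood the blocking has to happen upstream, which is why the list above points to the ISP, a scrubbing service, or the WAF. Because the post also notes that attackers may spoof source addresses, a hit on an IOC is evidence worth alerting on, not proof of the true origin.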

Websites 

  • Make sure your sites’ infrastructure is up to date with the latest patches. If you’re using WordPress, make sure plugins and themes are updated as well. 
  • Scan your site for vulnerabilities to verify no patches are missing. 
  • Make sure your WAF service/appliance is updated with the latest signatures. If possible, enable geolocation and restrict traffic to valid locations. 
  • Verify your sites’ backup. If need be, back up your site ASAP and keep it in a secure location. 
  • Monitor your sites for suspicious behavior and instruct your analysts to be on high alert. 
  • If possible, take a proactive approach and have your websites evaluated from a security standpoint. Rectify critical gaps and implement quick changes. 

Want to learn more about how you can protect your organization from cyberattacks? Contact us today.  

3 Ways Hackers Successfully Breach Organizations https://cyesec.com/blog/3-ways-hackers-breach-organizations https://cyesec.com/blog/3-ways-hackers-breach-organizations#respond Tue, 04 Apr 2023 11:18:33 +0000 Yaffa Klugerman https://cyesec.com/?p=5431 While we keep hearing in the news about advanced technical cyberattacks launched by sophisticated hackers, the reality is that most hacking is somewhat routine. Contrary to popular belief, most hackers are not stealthy hooded cyber masterminds sitting in the dark by the glow of a computer screen, and not every attack must utilize state-backed capabilities. Most don't have a deep technical understanding; they instead spend their time repeating steps as they look for the easiest way to gain access to an organization.

Essentially, hackers strive for maximum success with minimal investment while still maintaining anonymity. This is why hackers usually use public tools, rather than more sophisticated ones. Nevertheless, hackers are often successful because they only need to find one weak point, while defenders must protect all assets 24/7.

We spoke with one of CYE’s red team leaders to better understand how hackers successfully break into organizations. Here are three techniques that have proven to be the most effective.

1. Social Engineering Attacks

The goal of a social engineering attack is to trick victims into revealing private information. The success of social engineering attacks is based entirely on the human factor failing; that is to say, the attacks specifically exploit human behavior.

Phishing is a classic social engineering attack. In phishing, an attacker sends fraudulent emails that appear to come from a reputable source and urge the recipient to disclose private information or login credentials, or to click on a link that can launch malware. For example, an email might look like it comes from a trusted bank, asking for more information such as a password or Social Security number. In spear phishing, the attacker will thoroughly research a particular target on social media and Google, and then create an email that appears to be sent from a place familiar to the user.

The best way to prevent such attacks is with a healthy dose of cybersecurity awareness. Employees must be trained to recognize the telltale signs of phishing emails, as well as to not respond to any emails that request sensitive information.

2. Brute Force Attacks

A brute force attack is essentially a glorified guessing game. In such attacks, hackers will attempt to crack credentials and encryption keys by systematically attempting combinations of usernames and passwords until the right guess is entered. In a simple brute force attack, a hacker does this manually by using standard password combinations or PIN codes.

In password spraying, an attacker attempts to use one or two common passwords to access numerous accounts on one domain, like “123456” and the name of the organization. Interestingly, this method is extremely effective, because many organizations still have legacy passwords or service accounts that lack strong, robust passwords or don’t implement measures to freeze accounts with unusual login activity. Once credentials are discovered, hackers can “bomb” an employee with multiple MFA requests until the employee, confused about the unexpected notifications, approves one.

In general, weak passwords remain one of the most common ways attackers get a foot in the door of an organization. Reuven Aronashvili, CEO and co-founder of CYE, has said that he continues to be surprised to see “how many organizations fall victim to attacks that stem from weak passwords.”

Preventing brute force attacks starts with long, unique passwords that are impractical to guess, which in practice means a password manager that generates them, plus a block list of common and breached passwords so that the candidates a sprayer would try are rejected outright. Passwords alone are not enough, though. MFA ensures that a guessed password is not sufficient by itself (prefer number matching or hardware keys over plain push approval, which is exactly what MFA bombing abuses). Account lockout and rate limiting, applied per account and per source, slow down guessing. And alerting on unusual login activity, such as one source failing against many different accounts, is what catches a spray that never trips a per-account lockout.
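The detection logic below is an added example, not code from the original post or from CYE: it runs over constructed authentication log lines and separates the two patterns described above. Classic brute force shows up as many failures from one source against a single account; password spraying shows up as one source failing against many distinct accounts with only one or two attempts each, which a per-account lockout never sees. The log format, source addresses, and thresholds are assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# One line per authentication attempt, in a constructed syslog-like format.
LINE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log() -> list:
    """Constructed sample: one sprayer, one classic brute-forcer, and one normal user."""
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    lines = []
    # Sprayer: a single failure against each of 12 accounts within three minutes.
    for i in range(12):
        ts = (t0 + timedelta(seconds=15 * i)).strftime(TS_FMT)
        lines.append(f"{ts} auth failure user=user{i:02d} src=203.0.113.7")
    # Brute-forcer: 25 failures against one service account in under a minute.
    for i in range(25):
        ts = (t0 + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(f"{ts} auth failure user=svc-backup src=198.51.100.9")
    # Normal user: one typo, then success.
    lines.append(f"{(t0 + timedelta(minutes=1)).strftime(TS_FMT)} auth failure user=alice src=192.0.2.44")
    lines.append(f"{(t0 + timedelta(minutes=1, seconds=5)).strftime(TS_FMT)} auth success user=alice src=192.0.2.44")
    return lines


def detect(lines, window=timedelta(minutes=10), spray_min_users=8,
           spray_max_per_user=3, brute_min_failures=10) -> list:
    """Return (kind, source, detail) alerts.

    password_spray: one source fails against many distinct accounts, few attempts each
                    (stays under any per-account lockout, so lockout alone never fires).
    brute_force:    one source hammers a single account with many failures.
    The thresholds are assumptions to tune against your own baseline.
    """
    failures = defaultdict(list)  # src -> [(timestamp, user)]
    for line in lines:
        m = LINE.match(line)
        if not m or m["result"] != "failure":
            continue
        failures[m["src"]].append((datetime.strptime(m["ts"], TS_FMT), m["user"]))

    alerts = []
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # All failures from this source inside the window that opens at this event.
            per_user = Counter(u for ts, u in events[i:] if ts - start <= window)
            if len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
                alerts.append(("password_spray", src, f"{len(per_user)} accounts"))
                break
            if max(per_user.values()) >= brute_min_failures:
                user, n = per_user.most_common(1)[0]
                alerts.append(("brute_force", src, f"{n} failures on {user}"))
                break
    return alerts
```

Grouping by source address is the simplest key, and it is also the one an attacker can defeat by spraying from a pool of addresses. The complementary query, run over the same data, is organization-wide: count the accounts that have exactly one failure in the window regardless of source, and alert when that number jumps well above the daily baseline.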

3. New Vulnerabilities

Another very effective way into an organization’s systems is exploiting recently disclosed vulnerabilities. Attackers monitor vendor advisories and public CVE feeds for new issues in internet-facing software, and working exploit code often circulates within days of disclosure. This works because many companies do not patch their applications and websites promptly, leaving a window in which a known, fixable flaw is exploitable.

Such attacks can be prevented by tracking new vulnerabilities against an accurate inventory of what is actually deployed and patching promptly, with the shortest deadlines for internet-facing systems. There are always challenges, of course, because testing and rolling out fixes takes time; where a patch cannot be applied immediately, a compensating control (disabling the affected feature, restricting network access to the component) shrinks the window.

The Common Thread

What do these three methods have in common? They are widespread, they are simple, and they have straightforward fixes. That is why an essential part of protecting an organization is simply closing the easiest entry points, which forces less sophisticated attackers to move on and raises the cost for everyone else.

Want to learn more about common vulnerabilities found in organizations? Download our Cybersecurity Maturity Report 2023.

Top 3 Considerations When Relying on Cyber Insurance https://cyesec.com/blog/top-3-considerations-when-relying-on-cyber-insurance https://cyesec.com/blog/top-3-considerations-when-relying-on-cyber-insurance#respond Mon, 27 Mar 2023 10:57:20 +0000 Elad Leon https://cyesec.com/?p=5161

The World Economic Forum recently published its Global Risks Report for 2023, noting that cyber insecurity will be one of the top 10 risks facing governments and organizations in the next 10 years. Insurance providers are responding to the growing threat landscape and the rising cost of cybercrime by setting new standards in cyber insurance.

Insurance providers have always calculated probabilities. When the Russia-Ukraine war broke out, for example, insurers started refusing to cover Ukrainian businesses after doing the math: the likelihood of Ukrainian entities being attacked by Russian nation-state actors and state-backed civilian groups was so high that cyber insurance for Ukrainian companies could not be profitable.

A similar situation is now playing out across cyber insurance and is reshaping the industry. Insurers are fast realizing that in today’s threat landscape, no matter how much a company fortifies itself, it still has a meaningful chance of getting hit. Insurers also struggle to assess how much a given security tool or service actually improves a client’s posture. A company may invest heavily in security without effectively reducing its cyber risk, so insurers rightly lack confidence that a client’s spending will keep it from being attacked.

Moreover, the Biden administration’s new National Cybersecurity Strategy, which holds companies directly responsible for the user information in their domains and on their premises, adds another concern for companies and insurers alike. The strategy shifts liability for cybersecurity onto companies and requires them to shoulder the burden of securing users’ private information. Companies that fail to do so and remain vulnerable may find themselves facing civil lawsuits over user information compromised from their databases.

Insurance providers are responding to these shifts and the growing risks their clients face by taking various measures to protect themselves against reoccurring payouts.  

In August 2022, for example, Lloyd’s of London announced that its cyber policies would exclude losses from state-backed attacks. This came on the heels of major attacks that tipped the scales of profitability for insurers: they learned both the cost of such breaches and how likely an organization breached once by state actors is to be hit again.

Organizations up for insurance renewal and those applying for cyber insurance for the first time may be in for a rude awakening when they discover the new norm in cyber insurance. Here are the top three considerations companies should discuss internally before relying on cyber insurance: 

1. “Insurance as security” may not be a feasible option

The tightening of the terms and conditions for cyber coverage means that some companies will no longer be eligible for cyber insurance, while others will be priced out.  

We can expect the trend that started with Lloyd’s of London to continue and spread, as insurers continue to eliminate certain attacks from their offerings. This means that even companies that meet the new coverage requirements and manage to get past the new underwriting standards could still face problems if certain cyberattacks are not covered in policies. As a result, organizations will be forced to invest in their security measures and practices instead of relying solely on insurance policies to cover their attack costs. 

2. Insurers’ new requirements will mean an added investment in security

Companies that still intend to invest in cyber insurance will likely need to invest more in security to reach the cyber maturity level that will become a prerequisite for insurance coverage. We can expect cyber audits and cyber maturity assessments to become mandatory and stipulated in the terms and conditions of new cyber policies.   

But investment in improving security will not be the only financial strain companies should expect. Another step insurers will take that will have financial implications is increasing premium prices. The sharp rise in insurance costs will likely price out many small and medium businesses.  

3. Companies will need to adjust their security budgets to these new demands

For some organizations, the increased costs will mean asking for bigger budgets. For others, it will mean reprioritizing their existing budgets. Insurers’ new security posture requirements put the burden of proof on the customer, thereby adding a new line item to the security budgets of organizations seeking cyber coverage.  

How companies can prepare for insurers’ new requirements 

This reality is already underway, and companies are responding by stepping up their game and establishing new standards of cybersecurity. They are doing this by: 

  • Investing in robust security plans that are both proactive and reactive.
  • Developing security protocols that will mitigate, patch, and manage breaches when they happen.
  • Taking defensive measures to anticipate attacks and reduce risk.
  • Renegotiating security budgets or redistributing existing resources to improve cybersecurity.

Bottom line? Improved cybersecurity is proving to be a necessity either as a prerequisite for cyber insurance, or as a way for companies that don’t intend to rely on insurance anymore to handle their risk. 

Learn more about how CYE can improve cybersecurity for overall risk reduction and for insurance eligibility. Contact us today.

Cyber Risk Assessment: What It Is and Why It’s Necessary https://cyesec.com/blog/cyber-risk-assessment-what-it-is-and-why-its-necessary https://cyesec.com/blog/cyber-risk-assessment-what-it-is-and-why-its-necessary#respond Wed, 22 Mar 2023 09:59:19 +0000 CYE https://cyesec.com/?p=5201

What is Cyber Risk Assessment?

Cyber risk assessment is the process of evaluating an organization’s threat landscape and the vulnerabilities and cyber gaps across its domains that put the company’s assets at risk. It gives companies a clear view of what they are up against, forms part of an integrated risk management approach that treats cybersecurity as a layered, multi-step operation, and is the crucial first step in building a security plan to keep the organization, its digital assets, IT services, and people safe from cyber threats.

“Cyber risk assessments are used to identify, estimate, and prioritize cyber risk to organizational operations, assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.” (NIST Guide for Conducting Risk Assessments)

Cyber risk is the potential loss of safety, confidentiality, integrity, or availability of information, data, or systems, together with the adverse impact that loss would have on the organization. Malicious actors exploit the underlying weaknesses primarily for financial gain or notoriety.

Why are Cyber Risk Assessment Services Necessary in the Digital Age? 

Digital transformation has brought with it an array of risks created by the technologies organizations have adopted: third-party applications, big data, IoT, cloud services, social media assets, and mobile applications. The further along a company is in its use of digital services, the larger its exposure to cyber threats, and the greater its need for cyber risk assessment services.

Why Perform a Cyber Risk Assessment? 

A well-rounded risk assessment covers both kinds of cyber threat an organization faces:

External threats 

These come from malicious actors outside the organization using tactics such as phishing, malware, and ransomware. They may target any security domain of the organization, including remote access, security policies and procedures, the network, data management, servers, endpoints, the supply chain, and cloud infrastructure.

Internal threats  

These come from people inside the organization or with approved access to it, such as employees and third-party suppliers. They are the result of poor security protocols and insufficient training, and are carried out either by employees who intend to harm the organization or by people who unknowingly serve as an access point into it.

Why is Cyber Risk Assessment a Necessary First Step?  

A cyber risk assessment (CRA) identifies the external and internal cyber threats a company faces. Only once a company can fully see its threat landscape can it devise a security plan to address it. A comprehensive assessment does more than outline the risk a company faces; it also lets security teams rank risks by severity, so they can direct their focus and resources to the most pressing threats first.

When to Perform a Cyber Risk Assessment 

Cyber risk assessments are not one-time projects that can be put away once done. If companies are to maintain the security improvements they achieved after a first CRA, they will need to regularly perform these assessments to see what has changed in the threat landscape and amend their security plans accordingly.  

“Risk assessment and risk management are not single shots but rather are continuous processes repeated as a cycle of identifying risks, creating plans to address those risks, acting on those plans, and monitoring the results of the actions.” (SANS Institute white paper: Security Program Management and Risk) 

Who Performs a Cyber Risk Assessment? 

Security providers may offer different ways to conduct a cyber risk assessment, with approaches varying from a focus on attack vectors to threat modeling. Whatever approach a security team takes, a cyber risk assessment should ultimately cover the organization’s entire attack surface.  

CRA can be performed by security teams in-house or it may be outsourced to third-party security providers. This will depend on the size of the organization, the size of its security team, its level of expertise,  its budget, and regulatory considerations such as being required to perform a CRA by an external party.  

The 5 Steps to a Comprehensive Cyber Risk Assessment  

We favor a detailed, incremental approach that offers the greatest visibility and the most effective monitoring. On that basis, a cyber risk assessment breaks down into five steps:

1. Understanding the organization’s existing security plan 

Through questionnaires and interviews with IT and management, the assessment team learns which business-critical assets must be protected, and which security measures, processes, procedures, and compliance requirements the company currently applies to protect its confidential data, intellectual property, domain, and premises.

2. Defining the company’s threats 

In this stage, the assessment team will gather information about the company’s threat landscape and estimate the probability of these threats affecting the organization. To get a full and complete inventory of the threats the company faces, the assessment team will look into all threat actors that may want to attack the company, including state-sponsored actors, ransomware gangs, criminals after payment information, and competitors out to steal intellectual property.  

3. Identifying the company’s vulnerabilities and attack routes 

In this stage of the assessment, the team will combine the knowledge it has gained about the assets the company must secure, with the vulnerabilities it has found, and determine how each vulnerability can lead an attacker into the organization and through its systems to reach the business-critical assets. The assessment team will then suggest mapping out these attack routes so that the organization can clearly see how each vulnerability may affect each critical asset, and how blocking each attack route will help secure these assets. 

When choosing a cyber risk assessment provider, companies should ask about the providers’ mapping solutions to ensure this visualization process is part of the assessment.

4. Visualizing the consequences of an attack 

After the organization’s threat landscape has been mapped out and the assessment team has gained a clear understanding of the company’s security plan, it is time to put the two together to estimate how the company will handle an attack. This is a crucial part of the assessment because it gives security leaders and management as accurate of a look as possible at the effectiveness of their existing security plan, and the potential consequences of an attack (including loss of revenue, damage to ongoing business, reputational damage, loss of private data, loss of intellectual property). 

5. Deciding on a mitigation plan 

We discussed how a cyber risk assessment can hone in on the most relevant threats based on their relation to the organization’s most prized assets and their likelihood of being attacked. However, the security team still needs to know what to mitigate and which threats to attend to first.  

At this stage, a prioritization process is utilized to help the security team flesh out a mitigation plan that tends to the most critical vulnerabilities first according to severity.  

Assembling Your Cyber Risk Assessment Team 

A comprehensive cyber risk assessment includes multiple checks and analysis processes conducted by security specialists trained in locating vulnerabilities and attack routes. A winning cyber risk assessment team will include red teams and blue teams, cyber threat intelligence analysts, threat hunters, and vulnerability checkers, as well as analysts that can take this data and work it into quantifiable metrics.  

The results of a cyber risk assessment should provide the framework upon which a company can advance to a cyber risk quantification process, in which the risks found are correlated with business metrics to assign a monetary value to the risks.  

What Can Be Done with a Cyber Risk Assessment? 

A cyber risk assessment can uncover a vast array of vulnerabilities and cyber gaps, in different parts of the organization, across multiple security domains, and with varying degrees of severity.  

When choosing a cyber risk assessment provider, it is important to consider multiple factors including: 

  • Visualization and presentation 
  • Mitigation planning and tracking 
  • Cost-sensitive remediation planning  
  • Risk quantification capabilities 
  • Dynamic and adjustable to the changing threat landscape  
  • Agility and scalability potential 

 

The Future of Cyber Risk Assessment 

According to the latest Gartner report on IT and cybersecurity, by 2025 over 60% of organizations in regulated industries will run dedicated security risk management programs, with cyber risk assessment as the first step.

We have published our tips on how to perform a cyber risk assessment in 2023, and will keep updating them as the security landscape changes and new threats appear. Whatever new players enter the arena and whatever threats they bring with them, the risk assessment process will continue to locate and prioritize the risks organizations face.

Cyber Risk Assessment with CYE 

Hyver is CYE’s cloud-based cyber risk optimization system. This unique platform combines innovative technology, domain expertise, and field knowledge to document threat sources including vulnerabilities and cyber gaps, suggest remediation plans, and track their progress. 

Hyver’s graph modeling of an organization’s threat landscape is one of its foremost features. The platform also uniquely combines a feature that takes mitigation costs into account, proposing the most cost-effective remediation plans. Hyver’s ability to change and adjust its remediation suggestions based on new data inputs and the changing threat landscape makes it particularly agile and scalable.    

How CYE Can Help  

CYE is the leading provider of technology and services for cyber risk assessment and cyber risk quantification featuring attack route analysis. With the help of experienced red teams performing real attacks, we map attack routes to business assets across all environments to deliver a detailed contextual assessment of organizational security. As a result, you receive full visibility into true cyber risk, the business assets that are impacted, and the effectiveness of security protection and detection solutions. 

Want to learn more about how to assess your cyber risk? Contact us 

 

Why SVB’s Closure Means More Security Risks for Its Customers https://cyesec.com/blog/why-svb-closure-means-more-security-risks-for-its-customers https://cyesec.com/blog/why-svb-closure-means-more-security-risks-for-its-customers#respond Thu, 16 Mar 2023 10:03:04 +0000 Liran Cohen https://cyesec.com/?p=5181

The recent events that led to the closure of Silicon Valley Bank will most likely have compounding effects on its clients. Even before these events, SVB’s tech clients were prime targets for cyberattacks, because of the combination of sensitive private information and intellectual property they hold and their heavy use of technology products and services, which enlarges their attack surface.

The new reality that SVB’s customers woke up to on March 10 will likely increase their cyber risk. Anticipating their state of uncertainty and reduced funding, attackers will be on the lookout for companies affected by the SVB demise and will be targeting them in the weeks and months ahead.  

The difficulties tech companies face in light of these events can be broken down into five categories which sum up the ripple effect of chaos on the security of an organization. 

1. Insider Threats 

Shrinking budgets and job uncertainty are in the immediate future for many of SVB’s clients. The drop in employee satisfaction and job security could lead to some potentially damaging behaviors. If salaries or benefits are affected, these companies may discover insider threats in the form of disgruntled employees who could exploit sensitive private information locked in the companies’ systems.  

2. Infrastructure Disruptions 

A bank’s unexpected shutdown inevitably disrupts the infrastructure of the clients and organizations that rely on its services. If the bank’s digital payment platform is down, for example, businesses cannot process payments. This kind of break in business continuity can serve as an entry point for cybercriminals waiting to strike in the aftermath of SVB’s closure.

3. Lack of Regulatory Compliance  

SVB’s exit from the finance arena may mean that its clients and other entities involved with it will no longer comply with regulatory requirements related to their financing. The situation could be exacerbated because SVB customers could very well be forced to reduce staff, which means that it will be harder for these companies to have the necessary resources to adequately comply with regulations.

4. Rise in Cyber Insurance Rates

In the coming weeks, SVB’s former clients may be required to reapply for their cyber insurance, receive new policies with various changes to their coverage, and will likely see their premium prices rise. Unfortunately, combined with their dwindling budgets, the rise in insurance costs may price out tech companies affected by SVB’s going out of business.  

5. Reputational Damage  

Silicon Valley Bank’s demise has a resounding effect on the companies associated with it. For early-stage startups and young companies still earning their customers’ trust, having been financed by SVB may raise a red flag and cause clients to question that trust. The same reaction is likely among investors and may mean fewer investment opportunities until the dust settles.

Difficulties Lead to Increased Cyber Risk  

The five potential outcomes of the SVB situation have put the bank’s clients and the greater tech community at increased risk of cyberattack. Attackers will likely focus their efforts on startups’ finance teams and leverage the current climate of uncertainty in the banking sector that is affecting finance departments across the board.  

Under such conditions, these are the types of attacks malicious actors are likely to attempt: 

  • Phishing attacks may be used because they can be effective in times of uncertainty, when employees are more susceptible to slipups. These will take the form of impersonating company officials or bank officials and may look like an attempt to help finance departments execute banking tasks.   
  • Business email compromise (BEC) campaigns that involve impersonating executives or other trusted individuals in an organization may be used by attackers to trick employees into making fraudulent payments or revealing sensitive information.  
  • Fake social media accounts may also spring up across different platforms to lure in employees and get them to disclose personal information.  

Next Steps 

SVB’s clients, which now face added security risks, and the tech companies affected by the bank’s abrupt failure will need to adjust their security practices with these considerations in mind:

  1. With malicious actors targeting SVB-affected entities, businesses should remain vigilant and proactive in their approach to cybersecurity, and work with trusted partners to help manage their risk. 
  2. With less money to spend on security tools, companies should invest in security providers that cater to their security processes and procedures. 
  3. With smaller security teams and fewer people allocated to security tasks, businesses should put their money into solutions that help them prioritize their risks. 
  4. With management dealing with the loss of a creditor, investors pulling out and other business critical issues, companies should invest in a security solution that simplifies the risk landscape and helps make clear, accurate and immediate security decisions.  
  5. Companies should ease the uncertainty felt in their ecosystems by communicating the effects of the SVB situation to their customers and employees and sharing the company’s course of action at this time. 

Want to learn more about how to protect your organization from cyber threats? Contact us 

3 Ways Red Team Services Help Protect Your Business’s Cyber Assets https://cyesec.com/blog/3-ways-red-team-services-help-protect-your-businesss-cyber-assets https://cyesec.com/blog/3-ways-red-team-services-help-protect-your-businesss-cyber-assets#respond Mon, 27 Feb 2023 09:19:06 +0000 CYE https://cyesec.com/?p=5066

Red team services help you test your business’s security defenses by bringing in a team of security experts, typically ethical hackers and penetration testers. This team seeks out weak points in your technology and human defenses, working to find vulnerabilities they can exploit. Real-world attackers are looking for the same weaknesses, so businesses need to be aware of potential vulnerabilities and close those gaps before attackers do.

“Seeing the results that a potential attacker will see, in addition to the prior knowledge the defenders have over their own networks, will grant great visibility over the actual status of the network and its assets.” – Itay Peled, Have You Attacked Your Own Network Yet? 

Red team services help your defensive team improve its capabilities more rapidly by:  

  • Detecting weaknesses 
  • Understanding and optimizing incident response processes 
  • Optimizing detection and monitoring systems  

Experts in red team cybersecurity know that threat actors are not limited to remote attackers; they also include compromised partners, disgruntled employees (insider threats), competitors, and terrorists or hacktivists. Red team services can help protect your business in the following three ways.

1. Thinking Like an Attacker 

Understanding your potential adversaries and their motives for attack helps red teams evaluate which high-value targets to focus on when they begin a red team engagement. Most businesses — and their security teams — focus primarily on training, prevention, and detection. The challenge is that attackers think differently. They’re looking for ways to leverage people, processes, or technology to gain access to the resources they want. Red team cybersecurity brings the attacker’s approach to every engagement. The best red teamers use their knowledge, skills, and imagination to carry out attacks and provide feedback to your business so you can protect your cyber assets effectively.  

“If you know the enemy and know yourself, your victory will not stand in doubt.” – Sun Tzu, The Art of War

Attackers frequently focus on how to get the access they need to infiltrate internal networks. Once they do so, their motives dictate their next steps. Red team services help businesses by considering those motives and uncovering critical issues in their cybersecurity defenses, including:  

  • Determining how easy it is for a hacker to access, modify, exfiltrate, or delete privileged client data — and the methods an attacker might use to do so  
  • Identifying methods that could be used to disrupt business continuity or inflict financial harm 
  • Exposing any gaps in monitoring and detection that may allow criminals to evade discovery by the internal security team 

2. Prioritizing Based on Risk Severity  

Every security practitioner knows the Common Vulnerability Scoring System (CVSS), which captures the characteristics of a software vulnerability (how it is reached, how easy it is to exploit, what it can do to confidentiality, integrity, and availability) in a numerical base score that is then bucketed qualitatively as low, medium, high, or critical. Organizations use these buckets to order their vulnerability management work. The caveat is that a base score describes the vulnerability in isolation: it says nothing about whether the affected system is reachable in your environment, what sits behind it, or how hard it is to patch or compensate for, so it is a starting point for prioritization rather than the answer.

Risk severity is the complementary measure: the degree of business impact if a given risk materializes. Red team services evaluate technical findings and translate them into business risk so that leadership can understand the real-world consequences. For example, if a vulnerability scores high on CVSS but the red team finds it is very hard to reach from any realistic entry point and leads nowhere of value, you can deprioritize it in favor of a lower-scoring issue that sits on a direct route to a critical asset. Red team findings, combined with the right tooling, give your business the context to make better decisions and focus remediation where it matters.

3. Creating a Hierarchy-Based Attack Route Map  

In addition to understanding risk severity, red team services can help your business understand potential attack routes, the related severity if those routes are used, and the probability that an attacker will use a given attack route. This information helps you decide which attack routes are most important to block based on the potential business impact.  

Red team exercises map the attack paths a malicious actor could follow through your systems and facilities, step by step, from an initial foothold to the target. These paths cross every part of the environment: enterprise IT, cloud, applications, networks, operational technology (OT), internet of things (IoT), and industrial IoT. A comprehensive cyber risk assessment covers the whole ecosystem and combines that map with context specific to your company.

To create a hierarchy-based attack route map, you need to gain visibility into the attack route. Red team services help you increase this visibility by:

  • Considering likely threat sources, such as the internet perimeter, insider threats, and the supply chain   
  • Assessing your business’s infrastructure to uncover vulnerabilities, security gaps, and misconfigurations 
  • Referencing continuous threat intelligence and leveraging tools that attackers use to gain access to your environment 

The hierarchy-based attack route map helps you prioritize potential risks and understand how attack vectors can be combined by an attacker to access privileged information or essential internal systems.  
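Sections 2 and 3 of this post (risk severity, the hierarchy-based attack route map) and steps 3 to 5 of the cyber risk assessment post above (mapping attack routes to critical assets, estimating consequences, prioritizing mitigation) all describe one computation. As an added example, not code from either post or from CYE's Hyver platform, the script below builds a small attack graph for a hypothetical environment, enumerates every route from each threat source to each critical asset, estimates the expected loss per asset, and ranks each finding by how much expected loss its fix removes per unit of remediation cost. The graph, the per-step success probabilities, the asset values, and the fix costs are all constructed; in a real engagement they come from the red team's findings and from the business.

```python
import math
from collections import defaultdict

# Constructed attack graph for a hypothetical environment; not a real assessment.
# Each edge is one step an attacker could take: (from, to, finding_id, p_success),
# where p_success is the assessor's estimate that the step works when attempted.
EDGES = [
    ("internet", "webapp", "unpatched-webapp", 0.6),
    ("internet", "vpn", "vpn-no-mfa", 0.4),
    ("phish", "workstation", "phishing-macro", 0.5),
    ("webapp", "appserver", "weak-service-creds", 0.7),
    ("vpn", "workstation", "flat-network", 0.9),
    ("workstation", "fileserver", "smb-relay", 0.6),
    ("workstation", "dc", "kerberoast", 0.3),
    ("appserver", "db", "db-no-auth", 0.8),
    ("fileserver", "db", "creds-in-share", 0.5),
    ("dc", "db", "domain-admin", 0.95),
]
ENTRY_POINTS = ["internet", "phish"]  # threat sources: the perimeter, and an employee opening a lure
ASSET_IMPACT = {"db": 1_000_000, "fileserver": 200_000}  # constructed business impact per asset
FIX_COST = {  # constructed remediation cost per finding
    "unpatched-webapp": 5_000, "vpn-no-mfa": 8_000, "phishing-macro": 15_000,
    "weak-service-creds": 3_000, "flat-network": 60_000, "smb-relay": 4_000,
    "kerberoast": 6_000, "db-no-auth": 2_000, "creds-in-share": 1_000, "domain-admin": 40_000,
}


def attack_routes(edges, start, targets, path=(), seen=frozenset()):
    """Enumerate simple paths from start to any target as tuples of (finding, p, node)."""
    seen = seen | {start}
    routes = [path] if path and start in targets else []
    for src, dst, finding, p in edges:
        if src == start and dst not in seen:
            routes += attack_routes(edges, dst, targets, path + ((finding, p, dst),), seen)
    return routes


def all_routes(edges, entries, assets):
    return [r for e in entries for r in attack_routes(edges, e, set(assets))]


def exposure(edges, entries, assets):
    """Expected loss per asset: P(at least one route succeeds) x impact.

    Routes are treated as independent, which overstates risk where they share
    steps; acceptable for ranking fixes, not for quoting an absolute number.
    """
    p_all_fail = defaultdict(lambda: 1.0)
    for route in all_routes(edges, entries, assets):
        p_route = math.prod(p for _, p, _ in route)
        p_all_fail[route[-1][2]] *= 1 - p_route
    return {asset: (1 - p_all_fail[asset]) * impact for asset, impact in assets.items()}


def rank_fixes(edges, entries, assets, costs):
    """Rank findings by expected loss removed per unit of remediation cost."""
    baseline = sum(exposure(edges, entries, assets).values())
    rows = []
    for finding in sorted({e[2] for e in edges}):
        remaining = [e for e in edges if e[2] != finding]  # the graph with that finding fixed
        removed = baseline - sum(exposure(remaining, entries, assets).values())
        rows.append((finding, round(removed), round(removed / costs[finding], 1)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    print(f"baseline expected loss: {sum(exposure(EDGES, ENTRY_POINTS, ASSET_IMPACT).values()):,.0f}")
    for finding, removed, per_cost in rank_fixes(EDGES, ENTRY_POINTS, ASSET_IMPACT, FIX_COST):
        print(f"{finding:20s} removes {removed:>9,}  ({per_cost} per unit cost)")
```

On this constructed graph the finding whose fix removes the most expected loss (the SMB relay step that both threat sources pass through on the way to the file server and the database) is not the one with the best return per unit of cost (the credentials sitting in a file share), which is exactly the difference between ranking by severity and planning cost-sensitive remediation. Cutting one edge at a time also ignores that fixes interact; for a real plan, apply the top-ranked fix, recompute, and repeat.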

Increase Cyber Asset Protection with Red Team Services 

Attackers, including red teams, must not only assess what they should attack but do so while remaining undetected by your organization’s blue team. Attacking your own network, whether through your internal teams or using an external red team, provides excellent visibility into the status of your network and its assets.  

Once you have this information, you need to understand the potential business impact of a given threat being exploited, as well as the cost of mitigating that threat — or mitigating the impact of a breach. If you understand that, you can take steps to mitigate your risk while prioritizing those issues that have the greatest impact on your business. These efforts help you improve your organization’s security posture by allocating your resources and remediation efforts where they will have the greatest effect in protecting your cyber assets.  

Want to learn how red team services can help your business protect its cyber assets? Request a demo to get a personal overview of how CYE can help. 

Building a Modern Red Team Infrastructure https://cyesec.com/blog/building-a-modern-red-team-infrastructure https://cyesec.com/blog/building-a-modern-red-team-infrastructure#respond Thu, 23 Feb 2023 16:36:56 +0000 Yigal Van Dongen https://cyesec.com/?p=9689 As companies become more aware of the importance of cybersecurity and incorporate red team assessments into their security practice, their ability to build security into their products and environments grows too. Companies that have adopted advanced practices like red teaming typically also run multiple security products that respond automatically to potential attacks by identifying and blocking known malicious activity.

These tools may include:

  • XDR/EDR products that monitor process behavior and respond automatically. The higher a company’s security maturity, the more widely these agents are deployed across workstations and servers, and the better security teams use them to spot patterns and signs of attacker activity.
  • Web proxies and firewalls that monitor outbound domain traffic, including TLS (SSL) interception.
  • NDR products that monitor for suspicious activity in the internal network.

Companies with mature security practices usually also have a dedicated team of security experts whose job is to continuously look for ways to improve the company’s security posture. Red teams serving such companies must constantly upgrade their tools and techniques, moving beyond readily available or commercial tooling and building custom tools in order to keep providing value.

Here are a few common initial access methods used by malicious attackers or red teams:

  • Password spraying from many source IPs (tools such as CredMaster rotate the source address per request, which defeats per-IP lockouts and rate limiting) against SSO, VPN, VDI or cloud identity providers. MFA helps protect against this type of attack and should be enabled for all users and services.
  • Simple MFA push prompts (the kind that only ask for “Accept” or “Deny”), triggered while the user appears to be in their home country, still put users at risk: a user who is prompted repeatedly may eventually approve. This attack can be blunted by disabling simple approval prompts across the organization in favor of number matching or phishing-resistant (FIDO2) authenticators.
  • Evilginx (adversary-in-the-middle phishing that relays the real login page and captures the resulting session cookie) coupled with blocking the IPs of automated defensive scanners still does the trick and keeps the phishing domain off blocklists (bonus points for using expired domains), and works even better with SMS phishing (smishing). The impact of this attack can be reduced with conditional access policies or similar measures, and it fails outright against origin-bound authenticators such as FIDO2 security keys.
  • Misconfigurations that can be abused to execute code remotely.
  • New vulnerabilities that allow remote code execution (such as the numerous MS Exchange vulnerabilities, vulnerabilities in VPN appliances, etc.)
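As an added example (not code from the original post), the following Python sketch shows the defender’s side of the first two bullets: a detector run over constructed authentication log lines that flags password spraying by counting distinct failing users across all source IPs within a time window (a per-IP threshold misses a spray that rotates its source address on every request), and flags MFA push fatigue by counting the pushes a single user denies or ignores in a short period. The log format, field names, event names and thresholds are assumptions made for the example.

```python
"""Password-spray and MFA-fatigue detection over constructed auth logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). The format is an assumption:
#   <ISO timestamp> <user> <source_ip> <event>
# event is one of: login_failed, login_ok, mfa_push_denied, mfa_push_timeout
SAMPLE_LOG = """\
2023-02-20T09:00:01 alice 203.0.113.10 login_failed
2023-02-20T09:00:04 bob 203.0.113.11 login_failed
2023-02-20T09:00:07 carol 203.0.113.12 login_failed
2023-02-20T09:00:10 dave 203.0.113.13 login_failed
2023-02-20T09:00:13 erin 203.0.113.14 login_failed
2023-02-20T09:00:16 frank 203.0.113.15 login_failed
2023-02-20T09:00:19 grace 203.0.113.16 login_failed
2023-02-20T09:00:22 heidi 203.0.113.17 login_failed
2023-02-20T09:00:25 ivan 203.0.113.18 login_failed
2023-02-20T09:00:28 judy 203.0.113.19 login_failed
2023-02-20T09:01:00 mallory 198.51.100.5 login_ok
2023-02-20T09:05:00 mallory 198.51.100.5 mfa_push_denied
2023-02-20T09:05:20 mallory 198.51.100.5 mfa_push_timeout
2023-02-20T09:05:40 mallory 198.51.100.5 mfa_push_denied
2023-02-20T09:06:00 mallory 198.51.100.5 mfa_push_denied
2023-02-20T09:06:20 mallory 198.51.100.5 mfa_push_timeout
2023-02-20T11:30:00 alice 192.0.2.7 login_failed
2023-02-20T11:30:05 alice 192.0.2.7 login_ok
"""


def parse(log_text):
    """Turn the constructed log format into sorted (timestamp, user, ip, event) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, event = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, event))
    return sorted(events)


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=8, max_attempts_per_user=2, min_ips=3):
    """Flag a window in which many distinct users fail, each only a few times, from several IPs.
    Aggregating over all source IPs is the point: a spray through rotating egress
    addresses (CredMaster-style) never trips a per-IP threshold."""
    failures = [e for e in events if e[3] == "login_failed"]
    alerts = []
    for i, (start, _, _, _) in enumerate(failures):
        per_user = defaultdict(int)
        ips = set()
        for ts, user, ip, _ in failures[i:]:
            if ts - start > window:
                break
            per_user[user] += 1
            ips.add(ip)
        if (len(per_user) >= min_users and len(ips) >= min_ips
                and max(per_user.values()) <= max_attempts_per_user):
            alerts.append({"start": start, "users": len(per_user), "ips": len(ips)})
            break  # one alert per burst is enough for the example
    return alerts


def detect_mfa_fatigue(events, window=timedelta(minutes=5), min_prompts=3):
    """Flag a user who denies or ignores several MFA pushes within a short period."""
    pushes = [e for e in events if e[3] in ("mfa_push_denied", "mfa_push_timeout")]
    alerts = {}
    for i, (start, user, _, _) in enumerate(pushes):
        n = sum(1 for ts, u, _, _ in pushes[i:]
                if u == user and ts - start <= window)
        if n >= min_prompts and user not in alerts:
            alerts[user] = n
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("spray alerts:", detect_password_spray(evs))
    print("mfa fatigue:", detect_mfa_fatigue(evs))
```

On the constructed sample, the spray detector fires once (ten users, ten IPs, one attempt each) and the fatigue detector flags mallory with five pushes; alice’s two attempts from one address at 11:30 are ordinary and do not fire. The thresholds are starting points to tune against your own baseline of failed logins per window.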

Assuming that the attacker has already gained access to the internal network, let’s discuss a few important points to consider from the perspective of post-exploitation.

Communication Channel

Bypassing domain monitoring and TLS interception is situational and depends on the segment the attacker has landed in (for instance, certain segments might have no outbound HTTPS at all and no access to the organizational proxy).

Some believe that, because HTTPS is now so heavily monitored, it is best to avoid it and instead ride on other “normal” organizational traffic (such as ICMP and DNS tunneling, DNS over HTTPS, or an Outlook COM object). In my opinion, though, a project that uses HTTPS well is the open-source one by WithSecure (previously known as F-Secure), which offers an effective way to enhance your HTTPS C2 channels by building on the APIs of various chat services (Slack and Discord, to name a few), so that the C2 traffic goes to domains the proxy already treats as legitimate.

WithSecure’s open-source solution supports Cobalt Strike and Covenant out of the box. Its implementation of peripherals, connectors, and channels lets a dedicated team implement its own channels along with different execution logic.

Execution Features

Several things to keep in mind when developing your own offensive infrastructure: ensure interoperability with existing tools, reduce development time, and make use of the many good open-source tools out there!

There are many existing open-source tools written in C/C++ that host the .NET runtime inside the current process, load a C# tool into memory, parse the arguments to pass on to it (the same CLR hosting APIs are used legitimately by Microsoft-signed binaries, which is worth considering if you want to “blend in”), and redirect its STDOUT/STDERR to a mailslot or named pipe so that the output never goes to a console or to disk.

Similarly, there are community tools for loading Beacon Object Files (BOFs) outside of Cobalt Strike. These and other community tools are continuously updated and available for security teams to integrate into their own infrastructure.

Delivering these payloads through your channel is vital for evasion, and it should have these properties: no sacrificial process (unlike the fork-and-run model used by execute-assembly in Cobalt Strike); execution in the memory of your own process (with exception handlers set on the thread to reduce the risk of crashing it); AMSI and ETW disabled before execution; and the payload never touching disk.

Application Whitelisting Bypass

I don’t think this method gets enough credit. Here’s an example of basing an entire payload delivery around well-known signed software, with a DLL (ideally itself signed with an Extended Validation certificate) sideloaded into it.

This has the benefit of shipping legitimate software alongside your payload, and of running your payload inside less-scrutinized software, which appears to have a great effect on a product’s decision to scan that process’s memory at regular intervals.

Shellcode/DLL Encryption and Entropy Reduction

Payload encryption is very common these days (and still very necessary), but products now flag a loader simply because its encrypted blob has high entropy. Replacing your shellcode with English dictionary words (which has the side effect of increasing your final payload size significantly) and adding common strings from known binaries (such as web browsers) go a long way toward entropy reduction.
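As an added example (not code from this post), the Python snippet below shows both halves of the trick: it measures Shannon entropy per byte, then encodes a high-entropy blob as English words and decodes it again. To keep it short the mapping is one word per nibble from a 16-word table (an assumption; a real loader might use a 256-word table and one word per byte, and the decoder is what ends up in the loader). The “shellcode” is constructed pseudo-random bytes standing in for an encrypted payload.

```python
"""Entropy measurement and dictionary-word encoding of a payload (added example)."""
import math
from collections import Counter

# 16 distinct words, one per nibble. This table is an assumption for the example;
# any table works as long as encoder and decoder agree.
WORDS = ["apple", "bread", "chair", "dance", "eagle", "field", "grape", "house",
         "ivory", "jelly", "knife", "lemon", "music", "night", "ocean", "paper"]
WORD_TO_NIBBLE = {w: i for i, w in enumerate(WORDS)}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 looks random (encrypted/compressed), English text is roughly 4 to 5."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def encode_as_words(payload: bytes) -> str:
    """Each byte becomes two words (high nibble, then low nibble), separated by spaces."""
    words = []
    for b in payload:
        words.append(WORDS[b >> 4])
        words.append(WORDS[b & 0x0F])
    return " ".join(words)


def decode_words(text: str) -> bytes:
    """Inverse of encode_as_words; this is the part a loader runs at execution time."""
    nibbles = [WORD_TO_NIBBLE[w] for w in text.split()]
    if len(nibbles) % 2:
        raise ValueError("odd nibble count")
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))


def constructed_payload(n: int = 4096, seed: int = 0x2545F491) -> bytes:
    """Constructed stand-in for encrypted shellcode: top byte of a xorshift32 stream."""
    x = seed
    out = bytearray()
    for _ in range(n):
        x ^= (x << 13) & 0xFFFFFFFF
        x ^= x >> 17
        x ^= (x << 5) & 0xFFFFFFFF
        out.append(x >> 24)
    return bytes(out)


def demo():
    """Compare entropy before and after encoding and confirm the round trip."""
    raw = constructed_payload()
    encoded = encode_as_words(raw)
    return {
        "raw_entropy": shannon_entropy(raw),
        "encoded_entropy": shannon_entropy(encoded.encode()),
        "size_factor": len(encoded) / len(raw),
        "roundtrip_ok": decode_words(encoded) == raw,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The raw blob measures close to 8 bits per byte, the word-encoded form well under 5, and the payload grows by roughly twelve times, which is the size trade-off the text mentions. Note that entropy is only one heuristic: the decoder and the word table are themselves signaturable, so the table should differ per build.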

Compile-Time String Obfuscation

This one is pretty self-explanatory. You should minimize the strings in your binary, such as the names of the APIs you resolve at runtime, that can be used to fingerprint your payload or that already serve as detection logic against it; encrypt them at compile time and decrypt them only at the moment of use.

This library does the trick well.
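As an added example (not the library the post refers to, which is not named here), this Python build-step script shows the idea behind compile-time string obfuscation without C++ constexpr tricks: at build time it XOR-encodes each sensitive string with a per-string key, emits a C header holding only the encoded bytes and a tiny decoder, and checks that none of the plaintext strings survive in the generated source. The header layout, the decoder name `deobf`, the derivation of keys from a build secret, and the sample strings are all assumptions for the example.

```python
"""Build-time string obfuscation: generate a C header with XOR-encoded strings (added example)."""
import hashlib


def xor_encode(plaintext: str, key: bytes) -> bytes:
    """Encode the string plus its C NUL terminator so the decoder yields a usable C string."""
    data = plaintext.encode() + b"\x00"
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_decode(blob: bytes, key: bytes) -> str:
    """Reference decoder, mirrors what the emitted C function does."""
    data = bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))
    return data.rstrip(b"\x00").decode()


def derive_key(name: str, secret: bytes, length: int = 8) -> bytes:
    """Deterministic per-string key so rebuilds are reproducible (assumption; a CSPRNG works too)."""
    return hashlib.sha256(secret + name.encode()).digest()[:length]


def c_array(data: bytes) -> str:
    return "{" + ", ".join(f"0x{b:02x}" for b in data) + "}"


def generate_header(strings: dict, secret: bytes) -> str:
    """Emit a C header: one encoded array and key per string plus an inline decoder.
    The loader calls deobf() into a stack buffer right before use, so the plaintext
    exists only briefly in memory and never in the binary's .rdata section."""
    lines = [
        "/* generated: do not edit */",
        "#include <stddef.h>",
        "static inline void deobf(const unsigned char *src, size_t n,",
        "                         const unsigned char *key, size_t klen, char *dst) {",
        "    for (size_t i = 0; i < n; i++) dst[i] = (char)(src[i] ^ key[i % klen]);",
        "}",
        "/* usage: char buf[S_X_LEN]; deobf(S_X_enc, S_X_LEN, S_X_key, sizeof S_X_key, buf); */",
    ]
    for name, text in strings.items():
        key = derive_key(name, secret)
        blob = xor_encode(text, key)
        lines.append(f"static const unsigned char {name}_enc[{len(blob)}] = {c_array(blob)};")
        lines.append(f"static const unsigned char {name}_key[{len(key)}] = {c_array(key)};")
        lines.append(f"#define {name}_LEN {len(blob)}")
    return "\n".join(lines) + "\n"


def plaintext_leaks(header: str, strings: dict) -> list:
    """Build check: any plaintext that survives in the generated source is a bug."""
    return [name for name, text in strings.items() if text in header]


# Constructed example inputs: API and module names a loader might resolve at runtime.
EXAMPLE_STRINGS = {
    "S_VIRTUALALLOC": "VirtualAlloc",
    "S_AMSI": "AmsiScanBuffer",
    "S_NTDLL": "ntdll.dll",
}
EXAMPLE_SECRET = b"build-secret-example"

if __name__ == "__main__":
    hdr = generate_header(EXAMPLE_STRINGS, EXAMPLE_SECRET)
    print(hdr)
    print("leaks:", plaintext_leaks(hdr, EXAMPLE_STRINGS))
```

Run it as part of the build and fail the build if `plaintext_leaks` returns anything. The caveat: a static XOR with the key sitting next to the ciphertext only defeats string scanning and simple static signatures; an analyst with the binary can recover every string, so treat this as hygiene rather than protection.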

Anti-Sandbox

Anti-sandbox is extremely important when designing your payload, but it cannot simply reuse the well-known anti-sandbox techniques, which are themselves signatured. It should be tailored to your payload delivery tactics, while keeping the operators’ ease of use in mind and not adding extra hurdles or possible bugs that completely prevent execution of your payload. Below are some great examples for understanding the logic of anti-sandbox. These ideas should be adapted with care, however, because some checks are suspicious on their own:

Separate Loader Project

Performing process injection these days is far less detected when it is done within the process itself (as opposed to remote process injection), even more so when the process is a signed binary, and even more so when it is signed by Microsoft.

Sideloading your payloads (as in the application whitelisting bypass demonstration) goes a long way toward keeping even post-exploitation activity (such as inline .NET execution) undetected by automated scanners, because these well-known executables receive less scrutiny (a trade-off defensive products make to avoid false positives).

Hiding your actual implant within a loader project that combines all of the above does the trick well, in conjunction with hiding your implant in memory while it sleeps (demonstrated also here) and, of course, spoofing the thread call stack to further hide malicious process behavior.

Combine this with spoofing the thread start address (by placing a trampoline over a function in a legitimate module that the process never uses, though you should definitely double-check that) and with removing the “mark of the syscall” (excellently explained here), and implementing all of the above will help your loader remain under the radar.

Key Takeaways from Recent Airport Cybersecurity Incidents https://cyesec.com/blog/key-takeaways-from-recent-airport-cybersecurity-incidents https://cyesec.com/blog/key-takeaways-from-recent-airport-cybersecurity-incidents#respond Wed, 22 Feb 2023 15:25:10 +0000 CYE https://cyesec.com/?p=5032  

The cyber threat to airports is growing, and it’s no wonder: Airports are particularly vulnerable to cyberattacks because of their complex and interconnected systems and significant amounts of sensitive passenger data. Airport systems that are vulnerable to attacks, for example, can include passport control systems, reservation systems, flight traffic management systems, fuel gauges, and even in-flight entertainment. Indeed, recently 97% of the world’s top 100 airports were found to have inadequate cybersecurity. 

Some of the common threats to airports include data breaches, ransomware attacks, phishing attempts, and malware infections. These incidents can cause significant disruptions to airport operations, delayed flights and cancellations, and most concerningly, compromised passenger safety and security.  

In January, thousands of flights were delayed or canceled when a technical glitch wreaked havoc on air travel throughout the United States. Although officials were quick to offer reassurance that there was no evidence of a cyberattack, the event put a spotlight on the many vulnerabilities that clearly exist in airport systems. It also offered a harrowing glimpse of how malicious actors could potentially shut down air systems across the country. 

“At a time when cyberattacks are rising in both scope and sophistication, modernizing the cybersecurity of air travel must be a priority for the federal government,” wrote U.S. Representative Ritchie Torres (NY) in a letter to CISA Director Jen Easterly following the incident. “Twentieth century air systems will no longer suffice in a world of 21st century cyber challenges.” 

Here are some recent notable airport cybersecurity incidents, and what we can learn from them.  

San Francisco  

In March 2020, malicious actors compromised two login portals at San Francisco International Airport (SFO) and injected malicious code that harvested usernames and passwords. As a result, they gained access to data such as names, birthdays, and contact information. The websites were not connected to the airport’s critical operational systems. Following the incident, officials concluded that the attack was likely carried out by Russia’s Energetic Bear hacking group, which primarily targets U.S. infrastructure.   

The two sites, SFOConnect.com and SFOConstruction.com, were taken offline after the airport discovered the attack, and users were urged to change their passwords.  

Takeaway: Multi-factor authentication might have prevented the harvested credentials from being used elsewhere, which is the real damage of a credential-harvesting attack on a low-value portal.  

United Kingdom 

In 2017, an employee of Heathrow Airport lost a USB flash drive that contained 76 folders and more than 1,000 confidential files, including routes taken by members of the British government and information related to the airport’s surveillance cameras and runways. The USB drive was neither encrypted nor password protected. Fortunately, the person who found the flash drive returned it to airport authorities and alerted the press. The airport was subsequently fined £120,000 (about 140,000 Euros) by the UK Information Commissioner’s Office for failing to comply with data protection law.  

Takeaway: You don’t necessarily need malicious actors to cause a cyber incident. This is a great example of how breaches can easily occur through negligence.     

United States 

In October 2022, more than a dozen U.S. airport websites went offline because of cyberattacks attributed to the Russian hacker group Killnet. The group often uses distributed denial of service (DDoS) attacks, which involves overloading computer systems with traffic until they cannot function. Airports affected included New York’s LaGuardia Airport, Chicago’s O’Hare International Airport, and Los Angeles International Airport.  

Takeaway: While this incident primarily caused flight delays, cancellations, and undoubtedly a lot of aggravation, it should not be dismissed as a mere inconvenience. Unfortunately, there is a very real possibility that an attack such as this can be just the first phase of a much more serious attack.  

Germany 

On February 16, 2023, the websites of seven German airports were hit by a suspected cyberattack, caused by large-scale DDoS attacks. This occurred just one month after the websites of German airports, public administration bodies, and financial sector organizations were attacked by the Russian hacker group Killnet.  

Takeaway: DDoS attacks do not by themselves steal or corrupt data; they cause damage by preventing an organization from running essential systems and services. Their impact can be reduced by minimizing network exposure (only the services that must be public are reachable), by fronting public websites with a CDN or upstream scrubbing service that absorbs volumetric traffic, and by rate limiting and intrusion prevention at the edge.  

How Can Airports Improve Cybersecurity? 

Clearly, airports must be extremely vigilant and implement robust cybersecurity measures to protect their data and systems. Some ways that they can do this include the following:  

  • Adopt a proactive, and not only a reactive, approach to cybersecurity  
  • Perform comprehensive cyber risk assessments on all airport systems  
  • Prioritize mitigating vulnerabilities and cyber gaps by order of severity   
  • Educate employees throughout all departments about security awareness  
  • Identify cyber threats in the supply chain  
  • Secure the systems responsible for data transmission   
  • Encrypt all data transmitted, stored, and processed in airport environments  
  • Secure access to network devices and systems   
  • Protect endpoint devices   
  • Comply with all national and international security regulations    

Want to learn more about how CYE can improve airport cybersecurity? Contact us today.

6 Important Lessons Learned from an Incident Response https://cyesec.com/blog/6-important-lessons-learned-from-an-incident-response https://cyesec.com/blog/6-important-lessons-learned-from-an-incident-response#respond Wed, 08 Feb 2023 10:41:31 +0000 Elad Leon https://cyesec.com/?p=4982 A true story of how a prominent international tech company was attacked by ransomware—and what it took for the company to recover.  

The cyber incident occurred right before Christmas, which is not unusual. Often, malicious actors plan to attack right before or during a holiday, or weekends when many employees are on vacation. Consequently, it takes longer for the company to detect the problem and take action—which is exactly what happened here.  

What Went Wrong 

The problems started with notifications about failed backup processes and antivirus alerts. Within hours, the servers stopped working and all data was encrypted. In time, it became clear that a known ransomware group was behind the attack, and they had succeeded in stealing sensitive data and encrypting most of the company’s computers and systems. Customers could not pay bills or check their account status online, and employees were completely shut out of systems.  

Later, it was discovered that the attackers had gotten in by exploiting an undisclosed weakness in the phone system and had then planted a backdoor on the network. The company eventually found and patched the gap, but it was too late: the group had already established persistence and remained quietly on the network for five months, waiting for the opportune moment to strike.  

In addition, the CISO was not aware of how the professional and cyber teams actually operated. For example, phone systems, printers, and cameras, which can significantly increase an attack surface, were not adequately secured. 

What Really Went Wrong 

The incident was exacerbated by the company’s poor cyber hygiene: a spreadsheet existed that contained hundreds of credentials for systems and servers, and the company had no logs from its client systems. In addition, employees were able to download software freely, which increased the risk of introducing malware to endpoints, including laptops connected to the network on a daily basis.  

Yet the main problem was that neither the company nor its IT partner had any clear idea how to respond effectively. This meant that the first hours, which are the most crucial for incident response, were spent working out what had happened, who the major players were, what needed to be done to recover, and where to start looking for artifacts that would allow an IR investigation. Precious time was wasted, and it took nearly ten days to get the systems functioning again.  

What can be learned from this incident response? Here are 6 important takeaways. 

1. Prepare your plan. 

When it comes to incident response, companies must adopt the attitude of “not if, but when.” Although we would prefer to think otherwise, it is quite possible that your company will be the victim of a cyberattack, so it is important to be prepared. This means having SIEM systems and logs that reach back as far as possible, and an incident response playbook that specifies who does what, with which tools and procedures. The playbook should be exercised regularly and the process internally certified. It also means establishing IR engagement readiness and crisis management readiness. Being prepared means that in the event of a cyber incident, your company will be able to respond swiftly.  

2. Establish communications and responsibilities. 

The speed at which an incident response takes place can make a vast difference in terms of limiting damage. The first hours are critical, but they can be chaotic, as they involve law enforcement, public relations and legal teams, your cyber insurance provider, and IT and forensics teams. Clearly, this should not be the first time that these teams are meeting. It helps the process greatly if there is already a plan in place that establishes clear lines of communications and responsibilities.  

3. Perform regular backups. 

It may seem obvious, but so many companies fail to understand the importance of backing up systems on a frequent basis. Having available backups can make the difference between a quick or lengthy recovery.

4. Practice cyber hygiene.

In addition to backups, organizations can significantly strengthen their security posture by maintaining good cyber hygiene. This includes, for example, enabling multi-factor authentication and using password managers, limiting user permissions with access control, patching regularly, encrypting sensitive data, and having secure remote access. It’s also a good idea to regularly perform cyber risk assessments to uncover cyber gaps and plan mitigation. These are all examples of best practices that can minimize the risk of operational interruptions, compromised data, and data loss.   

5. Separate your networks where possible. 

Network segmentation helps organizations limit the damage from most attackers by making it harder for them to move through your systems. It restricts how far an attack can travel within the network and isolates vulnerable endpoints, thus limiting the exposure. The trick, however, is to separate the networks before a cyber incident takes place so that the damage can be contained when it does.   

6. Train your employees. 

Security awareness training can help reduce the risk of a cyber incident by educating employees about the threats they face and how to respond to them. For example, they should be instructed not to download untrusted software or visit suspicious websites, and to recognize phishing attempts and not respond to them. This can have a significant impact on keeping your company safe.   

How CYE Can Help 

CYE’s Critical Cyber Operations group provides organizations with Cyber Threat Intelligence (CTI) assessments that identify potential attackers and their motivations, possible targets within an organization, and the potential exposure resulting from such attacks. Critical Cyber Operations also provides incident response and crisis management services to assist companies with recovering from a cyberattack.  

To prevent such incidents, CYE’s cybersecurity optimization platform, Hyver, combines technology with red team activity to deliver the most comprehensive organizational security assessments and contextual risk analysis and insights. Using Hyver, businesses can assess, quantify, and mitigate cyber risk so that they can make better security decisions and invest in effective remediation.  

Cyber Talks: Two Leaders Talk About Security in 2023 https://cyesec.com/blog/cyber-talks-a-look-at-security-in-2023 https://cyesec.com/blog/cyber-talks-a-look-at-security-in-2023#respond Tue, 31 Jan 2023 10:05:14 +0000 CYE https://cyesec.com/?p=4933 In the latest installment of Cyber Talks, CYE Founder and CEO Reuven Aronashvili and Field CISO Ira Winkler joined forces to talk about the budgetary cuts on the horizon as a possible recession sets in, the new kinds of crimes we can expect to see involving Web3 and blockchain, and what CISOs should be telling management. Here are some key takeaways from their discussion that left listeners inspired.

The Crimes of 2023

Looking to 2023, Aronashvili and Winkler agreed that cryptocurrency theft and NFT attacks against Web3 are going to feature prominently, “because they are easy money,” explained Winkler. As for what else companies should be worried about, the two agreed it won’t be revolutionary crimes but rather evolutionary ones.

“Whatever the criminals are doing successfully today, they will find ways of doing more successfully tomorrow,” Aronashvili said.

Unpacking the great promise of Web3, Aronashvili and Winkler discussed blockchain technology and how it is not all it’s cracked up to be in terms of security. The duo weighed in on the common misconception that the blockchain provides bulletproof security. The blockchain, they said, is a single platinum card in a house of playing cards: it is very secure, but everything around it is exposed to threats. This metaphor served as the backdrop to experiences the two have had with major internet-based clients who hadn’t thought about cybersecurity in their products because they figured blockchain technology was enough.

In the context of cryptocurrency, Aronashvili and Winkler touched on the latest attacks on blockchain environments which are coming from newer, less secure areas, such as fledgling trading platforms that lack the maturity and security of the blockchain. The cyber crimes happening in these trading platforms are beyond the account hijacking and DNS poisoning we are used to seeing. These crimes are about hackers targeting the open-source code used to create the trading platforms.

The Scientification of Risk Management

When it comes to security budgets in 2023, Aronashvili predicted that in light of the economic downturn, they will either stay the same or be slashed. CISOs that don’t adopt a scientific approach to security risks will fail to explain to management the implications of budget cuts to cybersecurity.

Security leaders need to learn how to speak to management about their budgetary needs based on numbers that the C-suite cares about, and not based on hunches and gut feelings, the two said. They need to understand the numbers, attach quantifiable value to cyber risk, and then talk about the budget they need to reduce the risk. That is risk management. But instead, Aronashvili and Winkler explained, many CISOs still approach management with a guesstimation of what they need and what level of security they can provide.

The Risk of Overpromising

Aronashvili and Winkler agreed that the problem really starts with CISOs overpromising. Security leaders tend to think of themselves as preventers of security breaches, rather than managers of incidents. They promise management they are “doing security,” which implies the absence of risk, which is obviously misleading and impossible. Incidents will happen, that’s a given, and CISOs need to be able to say that to management. Mature CISOs know to say their job is to mitigate and manage risk—not eradicate it.

Shared Accountability for Security

Monumental breaches like Equifax and Target have changed the power dynamic around cybersecurity in organizations. Some 10 years ago, it used to be that a company was hacked and the CISO’s neck was immediately on the line. In firing the CISO, management thought they had taken care of the problem. Things are obviously very different today, Aronashvili and Winkler said.  And while the CISO is still the point person for all things security, as the attack routes increase and the costs of breaches grow, security is becoming a company-wide responsibility.

You’ll find more threat forecasts and insights on cyber risk management in the full discussion, where Aronashvili and Winkler also touch on the reality of ransomware and how companies should be prepared for it, as well as on the age-old question of defensive security versus offensive and how companies should do both. All these and more in the latest Cyber Talks.

Cyber Talks

Cyber Talks is a space to bring CYE’s security leaders and experts together to share their stories, insights, and forecasts with our community and beyond. Visit Cyber Talks for the full discussion.  

Why ChatGPT is an Opportunity and a Threat to Cybersecurity https://cyesec.com/blog/why-chat-gpt-is-an-opportunity-and-a-threat-to-cybersecurity https://cyesec.com/blog/why-chat-gpt-is-an-opportunity-and-a-threat-to-cybersecurity#respond Wed, 25 Jan 2023 11:50:26 +0000 Shmulik Yehezkel https://cyesec.com/?p=4907 By now, we have undoubtedly all heard about the futuristic ChatGPT (Generative Pre-trained Transformer), introduced by OpenAI, which can answer queries of all levels in a conversational, human-like manner by drawing on a model trained on an enormous pool of data. Much has already been written about its enormous potential. However, we have also heard about its possible dangers, including spreading misinformation and making it easier for students to cheat.

Not surprisingly, ChatGPT also raises important questions about its potential effects on cybersecurity. Here are some of the issues to consider:

The Pros

It’s a powerful cybersecurity tool.

ChatGPT can be helpful to everyone, including CISOs, by conducting research, writing reports, creating a playbook for dealing with various incidents, and examining data. Security officials have used ChatGPT to create a detailed explanation of the best ways to deal with cyber risks, increase knowledge on a security issue, produce data integration between different security domains, and more. These are just some examples of how this powerful new technology can be used to improve cybersecurity and make the CISO’s job easier.

The Cons

It’s a possible data leak vector.

Employees who use ChatGPT could unintentionally expose sensitive data. For example, if someone submits a query containing specific information about a customer, that query and its answer leave the organization, may be retained by the provider and used to train future models, and could resurface in answers given to other users.

It can compromise organizational confidentiality.

By sending questions to ChatGPT, employees may unwittingly share details about what the organization is working on. For example, a query about how to deal with a cyber incident can reveal that the organization is currently dealing with a cyber incident. In addition, queries about technology issues can reveal a direction in business development that is of interest to the organization.

It can generate malware.

Much has already been written about the potential for using ChatGPT for malicious activities. Although it refuses to write malware when asked directly, developers have succeeded in bypassing its guardrails to produce mutating malware. This means that with such a tool, hackers will be able to work faster, and even script kiddies will be able to get ahead with very little knowledge.

It can create phishing emails.

Unlike many phishing emails that contain typos and other revealing traits, ChatGPT can rapidly generate very authentic-looking emails urging the recipient to provide confidential information. In addition, it can create variations based on the prompt to create completely unique emails. As a result, it is quite possible that business email compromise (BEC) could increase significantly.

Recommendations

1. Limit sensitive queries

Since information shared with ChatGPT can be made available to the general public, we recommend limiting queries to those that are not sensitive, both on personal and organizational levels. You should only share information that will not produce any harm or result in compromising the organization.

2. Test AI-generated code

Recently, there have been several incidents involving programmers who used open source code containing vulnerabilities. Indeed, a significant portion of open source software was developed without a secure development process. For this reason, we expect that an AI system trained on open source will also produce code that contains vulnerabilities, as well as code that does not meet the standard of secure development. Therefore, we recommend reviewing and testing any AI-generated code, just as you would third-party code, before using it in a production environment.

3. Check accuracy

If you will be using ChatGPT for research or reports, it’s important to check that they are accurate. Much like performing research using Google, you must keep in mind that just because AI provides you with an answer does not mean that it is correct.

4. Be mindful about data

The lack of privacy with ChatGPT means that users should be mindful of the data that they are sharing. There’s a possibility that in the future, OpenAI may create a paid version that maintains privacy; this would alleviate many of the current cyber concerns with ChatGPT.

5. Manage correctly

Regardless of all the possible issues, ChatGPT still has the potential to be a powerful tool for cybersecurity if managed correctly.

Want to learn more about protecting your organization from cyber threats? Contact us.

Meet a Red Team Services Leader at CYE https://cyesec.com/blog/meet-kenny-on-a-red-team-services-leader-at-cye https://cyesec.com/blog/meet-kenny-on-a-red-team-services-leader-at-cye#respond Wed, 18 Jan 2023 10:26:53 +0000 CYE https://cyesec.com/?p=4871 Kenny On is a seasoned red team leader who has many successful exercises under his belt. We sat down with Kenny to hear about how and why he became a red team cybersecurity professional, what it’s like to be the secret sauce of the security team, and what really goes on in those covert operations.  

What Makes a Red Teamer 

Can you describe your professional background? 

My degree is in electrical engineering, so I come from more of a hardware background. I have always been interested in taking apart technical devices and assembling all the bits and pieces. I started my professional career doing DevOps. My move into security, and specifically red team cybersecurity, came from DevOps.  

What made you get into red team services? 

I have always been interested in the mechanics of how things work. A big part of a red teamer’s job is to understand how the minds of cybercriminals work, in an effort to think like them and anticipate their moves. I liked the idea of being a psychologist of sorts.  

I was also drawn to the idea of doing something undetected. I liked that the success of an exercise is determined, among other things, by whether it is completed unnoticed by the customer.  

What is the typical background of a red teamer? 

Red teamers are a diverse lot. They come from different fields but mostly from technical backgrounds. Like me, they may have worked in operational parts of cybersecurity and entered red team services that way. Otherwise, they may have come from doing other things in the security space before getting into red teaming. What they all share is a technical background and the ability to think and execute creatively. 

Would you say most red teamers are drawn to the job for the thrill of the hunt? Or are there other reasons? 

I think the thrill of the hunt is a big draw. It makes the job exciting. But there are other reasons too. For example, the thrill of executing an attack without becoming compromised. And then there is the thrill of completing a red team exercise and presenting your findings to the customer. Seeing the customer’s reaction and understanding how much you have helped them is very satisfying.  

The Elusive Team Nobody Quite Understands

Why are red team services needed? 

Red teams check a company’s cyber defenses on multiple levels: the company’s software defenses, their security team’s response, their policies and procedures, and their overall readiness across all attack surfaces.  

How are red teams different from white hat hackers, penetration testers, and vulnerability researchers?  

White hat hackers are another term for ethical hackers, which means people who infiltrate systems for defensive purposes to help organizations. This is different from black hat hackers, who exist on the dark web and do these same activities for gain, usually monetary. So you could say that pen testers and red teamers both fall under the category of white hat hackers.  

Penetration testers focus on a single application or system, while red teams try to exploit all attack surfaces. That is one way to differentiate between penetration testing and red teaming. But the main difference between the two is that penetration testers do what they do with the awareness of the organization and can make as much noise as they want. Red teamers, on the other hand, work under the radar, and the point of their work is to infiltrate without being noticed. Vulnerability researchers are something slightly different because they don’t perform organizational assessments or red team engagements. They research specific vulnerabilities. 

All these jobs require strong technical capabilities and there are some personality traits that the people who perform them may have in common, like precision, patience, and perseverance. But red teamers need to know how to operate under the radar. This is a huge part of the job.  

What tools do red teams use? 

Red teams mostly use customized tools developed in-house. There are some off-the-shelf products that are available as well, but naturally, those will be more conspicuous and increase the risk of being found out.  

But perhaps the biggest asset that red teams use is not really a tool—it’s the human mind. It’s the ability to think like a hacker and tap into the mindset of a cybercriminal.  

How often and when should red team operations be performed? 

The frequency of red team exercises depends on the company size and how many assets and users are in its systems. Some red team exercises can take up to several months to complete, from when we get started to when the company can implement the changes we suggest. But as a rule of thumb, I would cautiously say every six to nine months, so that there is always some level of security improvement going on: either the uncovering of gaps in cyber defenses or their remediation.   

Something About Yourself 

Have any hobbies helped shape your red teaming skills? 

Yes, I would say that my love for gaming, specifically competitive gaming and strategy games like StarCraft, has had a profound effect on the skills I brought to security in general, and more specifically to red teaming.

Ever since the earliest documented militaries, war tactics were fleshed out of battle simulations and war games. This is not directly related to red teaming, obviously, but if we think about cyber threats as warfare and cyber space as a battlefield where malicious actors are the enemy, then we can see a lot of similarities. Mostly around getting into the head of the enemy to anticipate their next move. Other elements too, like the element of surprise, of going undetected, are also borrowed from the military playbook.   

What’s your favorite part of the job? 

I really enjoy the psychological aspect of it. Red teams need to get into the minds of malicious hackers and try to think like they do. I also enjoy digging into a client’s organization to uncover how their security team thinks and operates.  

Can you share one red teaming experience that stands out in your memory? 

I remember a particular exercise in which we uncovered the internet login credentials of one of our customers. We were flown over to the customer’s physical offices, and we logged into their Wi-Fi from just outside their offices using the credentials we uncovered. Once we were on their Wi-Fi, we had access to all their systems and were able to attack them shortly after. It was memorable to show the customer how easy it was to breach their organization simply with credentials that were floating around the web.  

Want to learn more about how to develop a comprehensive red team strategy that enhances the security of your organization? Download our guide. 

Addressing the Significant Challenges of OT Environment Security
https://cyesec.com/blog/addressing-the-significant-challenges-of-ot-environment-security
Thu, 05 Jan 2023 12:55:50 +0000 | Elad Leon

For years, critical infrastructure attacks have been a way for state-backed attackers (APTs) to make a statement or to take steps that may affect a country on a grand level. We have recently seen a clash of superpowers, including Russia, China, and the US. The Russia/Ukraine conflict has prompted diplomatic sanctions from the West, rather than military actions from powerful forces such as NATO, the UK, US, and others. Consequently, we have seen an uptick in cyberattacks and ransomware against Western entities – especially in critical infrastructure.

Such state-backed attacks often involve ransomware and other sorts of advanced attacks, which can be devastating. According to our data, more than 85% of ransomware attacks infect backups, thus making it much harder to recover. Twenty-nine percent of organizations who paid ransom still could not recover their data or were compelled to take steps that resulted in significant damage. Let us not forget that paying ransom only encourages attackers to attack again – thus making this sort of venture so lucrative and attractive.

We have also seen examples of crippling cyberattacks against the power grid. In July 2021, Saudi Aramco confirmed that some company files were leaked after hackers reportedly demanded a $50 million ransom from the world’s most valuable oil producer. That November, a quick response thwarted a ransomware attack on a major Queensland energy company. Moreover, two major European oil refineries, Oiltanking/Mabanaft in Germany and ARA in the Netherlands and Belgium, were victims of ransomware in January and February 2022, disrupting a total of 17 refinery terminals in these nations and preventing oil tankers from being loaded and unloaded. These incidents underscore why it is so crucial to be prepared not only for malicious actors, but also for state-backed attacks that exist as part of the larger geopolitical situation.

They also illustrate the considerable challenges of securing OT systems. The problem began when industries, over the last century, shifted towards computerized management of the different aspects of their production lines and then expanded to digital devices connected to these systems (IIoT). Although these systems were designed for reliability and longevity, they often sacrificed security to support those goals.

According to our experts, here are some of the most dangerous issues your OT environment could face over its lifecycle.

Deprecated components and protocols

Different components that are deployed throughout the network—whether software components like HMIs and Historian servers or hardware components like PLCs and various sensors—are deployed with a specific mindset: to last for as long as possible. This mindset results in OT networks that still include components installed decades ago, when security was not even considered in the network design, let alone emphasized, and security has still not been retrofitted because of the complexity of such changes. In addition, the standard protocols still used today by the majority of industrial systems, such as the Modbus protocol, lack even the most basic forms of protection, such as encryption or authentication.

Lack of network visibility

A further point of concern, alongside the deprecated components that could lead to direct exploitation of hardware or protocols, is an overall lack of visibility into the OT network. Being able to monitor your OT network in a way that lets you detect, block, and respond to an intrusion in a timely manner would allow you not only to minimize the damage a malicious entity could cause, but to mitigate it entirely.

Lack of separation between IT and OT networks

Today, many industries such as energy and utility companies embrace modernization procedures and processes which rely on remote management, site-to-site connections, and more widespread IoT. Therefore, it is imperative that proper segmentation and segregation between the networks follows suit. Implementing an internal DMZ (demilitarized zone) and proper firewall rules between the different zones would result in a reduced attack surface.

A classic example is in the energy sector, where electrical companies build and maintain substations that include servers and equipment connected to the same network as the primary plant. These stations are, in most cases, unmanned and contain minimal physical protection in the form of CCTV, motion sensors, and standard door locks—all of which could be disabled or bypassed by a sophisticated attacker. When such a facility is accessed without sufficient restrictions on the network or physical facilities, an attacker could use such access as a foothold to access and propagate through the network and potentially compromise critical infrastructure.

Insufficient awareness of existing security risks

One of the major issues in any security-oriented environment is, without a doubt, the human factor. Lack of knowledge and awareness could result in the successful compromise of even the most secure networks. All that it takes is for an employee to be compromised or mistakenly made to click on a suspicious attachment, connect an unknown USB, or even post a photo to social media with various credentials appearing in the background of the control room. All these situations can be avoided with sufficient guidance and awareness training for employees, making sure that they understand the risk and threats cybercriminals are posing and what they can do to minimize such exposure.

Conclusion

While there are many ways to approach the mitigation of these issues, it is important to consider the outdated nature of an OT network. Whereas patch management, security monitoring and other areas can be implemented on an IT network with relative ease, engineers typically do not want to make changes to the OT network because they are concerned about destroying it.

The reality, however, is that the consequences of cyberattacks on OT networks can be severe, including denial of service, release of hazardous materials, and even loss of life. For these reasons, it’s important to have continuous monitoring and security updates, proactive activity for checking network penetration, and management of cyber incidents in the context of OT networks.

Understanding the risks and creating a detailed workplan that includes threat modeling, risk assessments, and remediation plans is crucial for implementing a robust cybersecurity posture improvement strategy. Understanding the physical risk and the insider risk is just as important to protect the organization from advanced state-level attacks.

Want to learn more about how to protect your organization with strategic IT and OT security? Watch our webinar.

How to Perform a Cyber Risk Assessment in 2023
https://cyesec.com/blog/how-to-perform-a-cyber-risk-assessment-in-2023
Tue, 20 Dec 2022 13:47:38 +0000 | CYE

A cyber risk assessment is part of an organization’s data protection effort, and is designed to help companies identify, estimate, and prioritize cyber risk to their operations and business assets.

Risk assessment for cybersecurity is necessary for any company that relies on information systems and technology to do business. Because cyber threats are a real and very costly line item in the security of any organization, companies of all sizes assess the risks that surround them by examining likely attack routes, the potential impact on business, and the estimated cost of a potential attack. It is through such calculations that companies can make informed decisions about their security investments.  

What is Cyber Risk? 

Cyber risk is a term that accounts for all the potential threats that exist in an organization’s technological landscape at any given time. New cyber risks emerge daily, causing a company’s risk level to change continuously. Cyber risk depends on internal factors like a company’s security posture, and external factors like hacking trends, political and financial climates, national and international laws, regulations, and policies.   

Why Perform a Cyber Risk Assessment? 

Ongoing risk assessment for cybersecurity is needed to assess: 

  • The security of third-party tools and services 
  • A company’s development process of its own technological products and tools  
  • The company’s core assets that are the most likely targets for cyberattacks  
  • The security posture of the organization relative to the threats it faces 

Key Factors in Cyber Risk Assessment 

A cyber risk assessment should answer the following questions: 

  • What are the company’s most valued assets? 
  • What type of attack would have the largest impact on the business?  
  • What technology is the company using for security? 
  • How comprehensive and granular is the company’s existing security plan? 
  • How often does the company check for vulnerabilities? 
  • How often is the company’s security strategy reassessed? 

The answers to these should be informed by the following questions:

  • What is the company’s current policy about security training of employees? 
  • What level of access do employees have to company assets and how is this enforced? 
  • Is the company using third-party vendors? If so, can the company’s security team map each third-party provider? 

Answering these questions will give all stakeholders a clear and concise picture of where security stands in their organization and will answer the following: 

  • What is the level of risk the company is comfortable taking? 
  • What are the risks that are being reduced or eliminated through security measures? 
  • Is the company utilizing a prioritization system based on risk severity?  
  • Is the company reducing risk in the most cost-effective way? 

What Will Factor into Cyber Risk Assessments in 2023? 

Global issues which are affecting the political and economic landscape have not gone unnoticed by cybercriminals and are impacting cybersecurity for companies of all sizes and across all industries. Increased security budgets, the Russian threat to OT, and the accelerated adoption of third-party services are some of the big trends we are going to see in 2023 that should be considered in cyber risk assessments.    

Increased Demand for Cyber Risk Quantification 

IT spending will reach $4.6 trillion globally in 2023. The top category to benefit from the increased IT budget will be cyber and information security, slotted to take 66% of the increased budget according to recent Gartner forecasts. With cybersecurity’s rising budgets, executive boards will demand greater visibility into cybersecurity costs. This will, in turn, give way to an increased need for measuring, quantifying, and prioritizing the cyber risks companies face. With management and executive boards showing greater interest in security, cyber risk quantification will become a must-have for security professionals.

Greater Risk to Operational Technology 

Malicious actors have long since understood the value of OT systems as attack targets and have shown a growing interest in OT throughout 2022. Such hackers will display a greater interest in OT environments in 2023, especially those linked to critical infrastructures. This trend will make cyber risk assessment for OT environments a particularly important line item for the coming year.   

As such, robust operational technology (OT) security will be crucial as organizations of all sizes become potential targets of either direct attack or casualties in larger attacks directed at government and national-level institutions. The main culprit in this trend could very well be Russia, with the Russia-Ukraine war continuing to serve as a potent backdrop for Russian cyberwarfare directed at Western entities. 

If in 2022 Russia gave the world a taste of its attack capabilities, in 2023 it will continue to direct efforts towards bringing down former Soviet-ruled countries. A recent example of such cyberwarfare is the January and February attacks on Ukraine that preceded the outbreak of war between the two nations. Russia may also attempt additional attacks on Western entities, similar in nature to the October 2022 attack on 14 U.S. airport websites believed to have been executed by the pro-Russian hacker group Killnet.

Continued Adoption of Third-Party Vendors 

The increasing reliance on outsourcing services for many parts of companies’ business needs has resulted in a distinct rise in third-party data breaches throughout 2022. Morley Companies, which provides data management services to Fortune 500 and Global 100 corporations, was hacked in 2022, resulting in 520,000 protected health information (PHI) files being leaked. Also on the cusp of 2022, Major League Baseball’s databases were hacked through a third-party consulting company, Horizon Actuarial, that managed MLB’s health and benefits plans. In February 2022, the auto manufacturing giant Toyota was forced to shut down operations in Japan after a major plastic supplier, Kojima, suffered a data breach.    

Due to the cost-effective benefits of using outsourced services and the ever-growing improvements of third-party tools and functionalities, this trend will continue in 2023, making third-party security a prominent part of cyber risk assessments. 

Strategies for Performing a Cyber Risk Assessment 

An effective cyber risk assessment strategy will help a company evaluate its vulnerability level and should include the following:   

  • Continuous monitoring of a company’s IT, OT, and IoT
  • A holistic approach covering all assets and leaving no blind spots 
  • Quantified and prioritized risk based on severity and threat to critical assets 

How CYE Can Help 

CYE’s clients, ranging in size and industry, depend on us to assess, quantify, and mitigate cyber risk so they can make better security decisions and invest in effective remediation.

CYE considers multiple factors when assessing an organization’s cyber risk, including the type of attacker, the business assets at risk, and the severity of vulnerabilities. Using this data, CYE maps possible attack routes and then recommends which gaps should be closed.  

In this way, CYE helps companies receive full visibility into their cyber risk and gain control of their cybersecurity plan, putting a dollar value to each action item suggested to keep the company’s core assets secure.  

Want to learn more about how CYE can help protect your company from cyber threats? Contact us.

Top 5 Cybersecurity Predictions for 2023
https://cyesec.com/blog/top-5-cybersecurity-predictions-for-2023
Thu, 15 Dec 2022 09:26:54 +0000 | CYE

Our thoughts on the cybersecurity landscape in the coming year are based on insights gleaned from CYE’s experts. Based on our extensive data, CYE’s 2023 predictions bear in mind the realities of 2022 that will continue to feature prominently in 2023. These truisms include that threats continuously evolve, attackers become more sophisticated and powerful as time goes by, and cybersecurity professionals must keep up with the changing tactics of malicious actors.

With that said, let’s dive into what we can expect to see in the year ahead.

1. Focus on Disruption of Business

Extortion will continue to be a significant attack motive but will be offset by attacks for the sake of creating disruption without immediate monetary gains, forecasts Reuven Aronashvili, CYE’s founder and CEO.

Attacks carried out for the sole purpose of disruption will serve as a training ground and testing environment for new hackers and will be used as an initiation protocol by veteran hacking groups. We can also expect these attacks to become a means for new hacking groups to get noticed and build up their reputations, as well as to develop affiliate work and partnerships.

2. A Shift in Ransomware Crimes

Ransomware will continue to be the foremost way for cybercriminals to gain access to victims’ networks and will continue to affect medium to large corporations and government institutions. But with a more aggressive stance taken against ransomware in the U.S., criminals may become deterred and move ransomware-as-a-service (RaaS) to targets in Europe.

Ransomware and extortion tactics will also grow more personal in 2023, putting not only companies, but executives and board members at risk of attack.

“Extortion of personal data and credentials and sextortion will affect business executives, public figures, their families and friends,” predicts Aronashvili. This will bring about a growing need to provide security for executives—from home networks and environments to personal devices and accounts.

3. Continued Rise in Supply Chain Attacks

Supply chain attacks will increase throughout 2023 due to the efficiency they offer. Building on the unique capability of affecting multiple victims through a single attack route, these attacks will grow in sophistication and magnitude.

We can expect to see supply chain attacks executed by independent actors as well as by cybercriminals hired and backed by governments and state organizations, predicts Aronashvili.

4. Evolution of the Hacker Profile

We have become accustomed to thinking of hackers as organized entities operating on behalf of governments or backed by organizations. The attacker profile will change in 2023.

Security specialists are expecting to see the age of hackers drop dramatically and a shift in their motivations. Malicious actors will no longer be driven only by monetary gain. As their age drops, we will see their goals focused on earning bragging rights and garnering respect among hacker peers.

5. Countries to Watch Out for

From a geopolitical perspective, 2023 may be the year local conflicts go global and expand to include additional state and non-state players, explains Lior Bar Lev, CYE’s VP Strategy and BizOps.

We will see an increase in cyberattacks coming from superpowers or superpower-affiliated attack groups aimed at civilian infrastructure and military facilities. These attacks will attempt to undermine and disrupt civil society and will pose harm on two counts:

  • In the narrow sense, they are likely to expose new zero-day vulnerabilities that require immediate patching. The targets of such attacks will be critical infrastructures like cloud or DNS, or physical entities like plants, airports, and water supplies. These attacks have likely been planned in advance for 2023.
  • In the wider sense, the ripple effect of such attacks will affect many more services around the world.

The countries to watch out for in 2023 will not vary drastically from the countries that have consistently displayed hostility towards Western entities. However, according to the Mandiant Cybersecurity Report and ESET APT activity report, the threats they pose will become more nuanced.

Russia

The Russian-Ukrainian war has effectively already become a Russian-Western war, with democratic countries assisting Ukraine in its resistance. The third-party intervention in the Russian-Ukrainian battlefield opens up a new type of warfare. Cybercrime that falls just below the threshold of jus contra bellum, the International Humanitarian Law against war, has probably been deployed by Russia on its adversaries for some time, and the Western countries’ intervention might cause an increase in such attacks, notes Bar-Lev. This type of third-party alliance and potential retribution may also be at play in the China-Taiwan tension, he adds.

With Russia gradually running out of weapons, we are likely to see a renewed turn to cyber activity in an effort to continue disrupting Ukrainian civil life. Infrastructure and OT will be at the top of the target list. Security specialists also expect Russia to expand its malicious activity beyond Ukraine to neighboring countries.

China

China’s cyber activity will also rear its head in 2023 to advance the country’s national security and economic interests. Cyberespionage and intelligence collection will be China’s core activity and its primary targets will be global organizations in the public and private sectors.

Iran

Like China, Iran will continue to pose a cyberthreat to Western entities. Iran’s primary targets in the year to come will remain Middle Eastern governments and national entities.

North Korea

North Korea’s political and economic isolation, combined with public health challenges, will inform the country’s cyberattack policy, which will be directed mainly at the U.S., Japan, and South Korea.

North Korea is taking interest in pharmaceuticals as a key industry on which to focus, and security specialists are warning global pharmaceutical companies of attack threats.

Preparing for 2023

Making it through this year unscathed is going to be about awareness and foresight. Companies of all sizes will be directly in the line of fire or second or third-degree potential victims of cybercrime. The threats will affect public as well as private entities, and individuals as well as organizations. This means that everybody should be doing what they can to assess cyber risk, build effective security plans, reinforce security measures, and have incident response plans ready to execute immediately. This approach will help companies stay ahead of the threats and come out of 2023 stronger and more secure.

Improving Security in Your OT Environments
https://cyesec.com/blog/improving-security-in-your-ot-environments
Sun, 11 Dec 2022 11:49:30 +0000 | Tal Memran

The past several years have seen the rise of highly sophisticated cyberattacks on organizations of every size, and in both IT and OT environments.

The primary difference between IT- and OT-oriented environments is that certain security aspects and mechanisms cannot be implemented in an OT environment because they can hinder availability and reliability. Regardless of the motives of a malicious entity, the result of a successful intrusion into an OT environment could have severe and far-reaching implications, especially when critical infrastructure is involved.

While IT environments are considered flexible and dynamic, with an average lifecycle of 3–5 years, some OT architectures are designed to last decades with little to no changes. In addition, the usage of outdated protocols like Modbus, reliance on proprietary software or hardware, and the general lack of resilience to network stressors are just some of the issues a company would have to face when it comes to establishing a sufficiently secure OT network.

Below are crucial insights about certain areas that could end up being an Achilles heel to organizations in the event of an intrusion, as well as recommendations for prevention.

1. Remote access

Along with network segregation, remote access is also a considerable challenge. This is because of the different entities that require access to the network and related components, such as company employees or vendors providing continuous support for their products. Employee access is relatively easy to manage as there should already be a centralized identity management system. The primary risk, therefore, would be the vendors.

When looking into different remote access schemes, there are two main designs: VPN and ZeroTrust access. VPN, the older of the two, provides a connected endpoint with direct access to the internal network. If such access is granted to your vendor for the purpose of providing remote support under their warranty agreement, it could very quickly turn into a third-party attack should vendor endpoints be compromised.

ZeroTrust access, on the other hand, is the more secure design: it grants indirect access via a cloud-based broker to only the relevant applications. ZeroTrust also enables a more granular approach to access management, since stricter policies can be enforced. Additionally, because ZeroTrust access does not give the endpoint a seamless connection to the internal network, the potential attack surface is considerably smaller than with a VPN architecture.

2. Dependency on outdated vendor technologies and processes

A classic example of outdated technologies used in OT environments is Modbus. This critical protocol is designed to facilitate communication between PLC components yet provides no built-in security mechanisms for authentication or data encryption. This can enable various attacks including unauthorized command insertion or interception of data. Despite not being able to support even rudimentary security controls, Modbus is still being utilized by critical infrastructure such as nuclear reactors for operational processes.
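Because Modbus carries no authentication, the controller cannot tell an engineering workstation from any other host on the segment; the defensive answer the two OT posts on this page point to is passive monitoring that knows the protocol. The following is an added example, not CYE's code and not part of either post, of a minimal Modbus/TCP inspector: it parses the MBAP header and function code and raises an alert when a state-changing (write) function arrives from a host outside an allowlist, or when an unusual function code appears. The IP addresses, the allowlist and the sample frames are constructed for the demonstration; the header layout and function codes follow the public Modbus specification.

```python
"""Passive Modbus/TCP inspector: parse MBAP + PDU and flag write requests that
come from hosts outside the engineering-workstation allowlist.

Added example for the Modbus passages on this page; not CYE's code. The
addresses, unit IDs and frames below are constructed for the demo.
"""
import struct
from dataclasses import dataclass

# Function codes that change controller state (per the Modbus application spec).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}
# Common read-only polling functions used by HMIs and historians.
READ_FUNCTIONS = {0x01: "Read Coils", 0x02: "Read Discrete Inputs",
                  0x03: "Read Holding Registers", 0x04: "Read Input Registers"}

# Hypothetical allowlist: only the engineering workstation may write to PLCs.
ALLOWED_WRITERS = {"10.20.0.5"}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2), protocol id (2, always 0), length (2), unit id (1).
    The length field counts the unit id plus the PDU bytes.
    """
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} does not match frame size")
    return ModbusRequest(tid, unit, payload[7], payload[8:])


def build_request(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Construct a sample request frame (used only to fabricate demo traffic)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def inspect(src_ip: str, payload: bytes) -> list:
    """Return alert strings for one observed request; empty when benign."""
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        return [f"{src_ip}: malformed Modbus frame ({exc})"]
    alerts = []
    if req.function in WRITE_FUNCTIONS and src_ip not in ALLOWED_WRITERS:
        alerts.append(f"{src_ip}: {WRITE_FUNCTIONS[req.function]} to unit "
                      f"{req.unit_id} from non-allowlisted host")
    if req.function not in WRITE_FUNCTIONS and req.function not in READ_FUNCTIONS:
        alerts.append(f"{src_ip}: unusual function code 0x{req.function:02x}")
    return alerts


# Constructed traffic: HMI polling, the engineering workstation writing a
# setpoint, and an unknown host both writing and probing device identity.
SAMPLE_TRAFFIC = [
    ("10.20.0.10", build_request(1, 1, 0x03, struct.pack(">HH", 0, 10))),
    ("10.20.0.5", build_request(2, 1, 0x06, struct.pack(">HH", 40, 1))),
    ("10.20.0.77", build_request(3, 1, 0x10, struct.pack(">HHB", 40, 1, 2) + b"\x00\x00")),
    ("10.20.0.77", build_request(4, 1, 0x2B, b"\x0e\x01\x00")),  # Read Device Identification
]


def run(traffic=SAMPLE_TRAFFIC) -> list:
    """Inspect every frame in the capture and collect the alerts."""
    return [alert for src, frame in traffic for alert in inspect(src, frame)]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Fed the constructed capture, the inspector stays quiet for the HMI reads and the workstation write and raises two alerts for the unknown host: one for the multi-register write, one for the identification probe. In a real deployment the frames would come from a SPAN port or tap rather than a list, which keeps the monitoring passive and avoids adding load to the PLCs.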

Furthermore, hardware and software deployed by different vendors often use proprietary technologies, as opposed to the off-the-shelf solutions with standardized communication protocols common in the IT world. This creates strong vendor dependence and limits the ability of organizations to upgrade any component independently.

Since most components in the network are owned and maintained by the different vendors, an organization could take additional security measures in an approach referred to as “virtual patching.” This ensures proper separation between the different networks, enforces an allow-list firewall ruleset, disables interfaces that are exposed unnecessarily, and more. While this approach does not provide an airtight solution, it would substantially reduce the exposed attack surface.

3. Network visibility

When it comes to your OT network, the ability to detect, react, and manage an incident could be the difference between a minor breach of the peripheral systems and a catastrophic failure of production lines. It is imperative that an organization is able to rapidly detect and react to potential breaches.

With network visibility, three key areas should be taken into account:

Asset management – A precompiled list of assets such as PLCs, technician workstations, and HMI endpoints should be periodically updated to ensure the state of the network is well known in the event of a breach.

Network monitoring – Since some OT environments, even those deployed 10 years ago, consist of older hardware, deploying active monitoring solutions could run the risk of overstressing the different components. By implementing regular log collection and analysis alongside OT-aware monitoring solutions, security teams gain better detection points throughout the network and faster response times in the event of an unauthorized intrusion.

Event logging – This is a crucial part of incident investigation and response in any environment. By conducting a thorough analysis of the different logs, a baseline of day-to-day operational activity in the network can be established, which consequently would increase the detection chance of anomalous behavior or potential intrusion.

4. Network segregation

The importance of network segregation cannot be overstated. A recurring issue we have seen time and again is direct access from the employee IT networks, both LAN and WAN, to the human-machine interfaces (HMIs). This places an attacker with internal network presence in a strong starting position to compromise the exposed interfaces.

To help ensure network segregation, make sure you have dedicated jump stations that are hosted on an internal demilitarized zone (DMZ), sufficiently hardened, regularly updated and that access is granted to designated personnel only.

Conclusion

While security strategies in OT environments are similar to those of IT networks, many of these mechanisms need to be implemented with a heightened awareness of ICS components, as even the modern ones are not “secure by design” and require peripheral protection to ensure the continuous operations of your organization. By implementing the recommendations highlighted in this article, you can help improve the security maturity of your OT network.

Want to learn more about how to implement strategic IT and OT security? Watch our webinar

Red Team vs. Blue Team Cybersecurity: They Can Help Your Business https://cyesec.com/blog/red-team-vs-blue-team-cybersecurity-they-can-help-your-business https://cyesec.com/blog/red-team-vs-blue-team-cybersecurity-they-can-help-your-business#respond Thu, 10 Nov 2022 08:26:25 +0000 CYE https://cyesec.com/?p=4654 Red Team vs. Blue Team Cybersecurity  

In red team cybersecurity exercises, red teams are comprised of cybersecurity experts who have critical offensive cybersecurity skills. These experts use their skills to attack your business’s security defenses, while the blue team’s role is to defend against the red team attacks as well as launch an effective response. Together, these exercises help your business prepare for the diverse cyberattacks you may encounter from increasingly sophisticated adversaries.  

Red and blue team activities are modeled on military training exercises by creating a scenario where the red team uses real-world tactics to try to compromise the environment. Those tactics include finding and using weaknesses in people, processes, and technology to gain access to critical assets. The blue team, made up of incident responders, often works concurrently to identify, evaluate, and respond rapidly to an attacker’s intrusion. Following the red team exercises, red teams make recommendations for how to strengthen the security posture of the organization. 

What Is Red Team Cybersecurity?  

The goal of red team cybersecurity drills is to mimic the types of attacks that are occurring in the wild to test both your organization’s cybersecurity capabilities and how your employees react and respond to an attack. For this reason, most organizations bring in a third party, either a vendor or a consultant, to simulate an attack on their own network. Red team members are both adept with technology and creative thinkers, leveraging those skills to exploit system and human weaknesses alike. 

A few red team exercises include:  

  1. Compromising business assets — red teams use a variety of tools to gather information about the target environment, such as the internal domain, intellectual property, client data, operating system types, networks, cloud service providers, and other technologies in place.
  2. Penetration testing — a pen tester attempts to gain access to a system using a variety of tools and techniques. 
  3. Social engineering — red team members mislead staff members into disclosing credentials or allowing unauthorized access into restricted areas by manipulating your team’s processes, habits/tendencies, and even emotions. Phishing is a type of social engineering that uses text, email, or a messaging app to gather personal information by pretending to be a trustworthy entity, such as a financial institution or an employee at your company. 

The red team must be up to date on new penetration techniques currently in use by hackers and stay current on threat intelligence. 

What Is Blue Team Cybersecurity?  

Blue teams are security professionals whose role is to protect your organization’s critical assets against cyber threats. Members of the blue team understand both your organization’s security strategy and business objectives. Blue teams begin by gathering data and carrying out a risk assessment to identify the critical business assets most likely to be breached and prioritize the protection of those assets.  

While the red team is carrying out research to attack your business, the blue team must work to strengthen your defenses and prepare to respond to those attacks. The blue team uses security tools, systems, processes, and additional resources to protect your organization and identify gaps in your detection capabilities. There are many activities and tools a blue team cybersecurity team may undertake to detect suspicious activity and defend against it, including:  

  1. Creating a baseline of network activity to make it easier to detect suspicious activity 
  2. Distributed denial of service (DDoS) testing to determine how resilient your network is to DDoS attacks 
  3. Reviewing, configuring, reconfiguring, and monitoring security software in the environment 
  4. Implementing, configuring, and updating security tools, such as firewalls and antivirus software 
  5. Implementing a least-privilege access model to ensure that each user has as little access as possible, which limits an attacker’s ability to gain initial access and/or move laterally across the network 

The blue team needs to stay current on the latest technologies that can help improve security in your organization. This is a significant challenge as technologies continue to evolve and adversaries update their tactics.  

How Is Red Team Cybersecurity Different from Blue Team Cybersecurity? 

Red team and blue team cybersecurity efforts approach the challenge of protecting your business from attackers differently. Red teams focus on acting as an attacker to discover cybersecurity vulnerabilities and misconfigurations, while blue teams prioritize ongoing monitoring and deploying tools that will help them protect your environment.  

“Even if a company has carried out thorough security testing and prioritized all of its assets in relation to overall business risk from cyberattacks, but still doesn’t fully understand the most likely enemies or potential attackers – and respond accordingly – it will not only still suffer defeat many times, but will be unprepared in case an attack does happen.”

Shmulik Yehezkel, Chief Critical Cyber Operations Officer at CYE  

How Do Red and Blue Teams Work Together? 

Red team and blue team cybersecurity exercises work together to increase your cyber resilience and help you stay current on evolving threats. Blue teams use the information that red teams uncover during attacks to improve your organization’s cybersecurity posture. If you are running red team and blue team cybersecurity exercises, it is critical that these teams work together to share information and fully debrief stakeholders after every engagement. The exercises must include a detailed report of the activities in the project, such as testing techniques, vulnerabilities, access points, and any additional information that can help your organization understand and close security gaps. This knowledge sharing will help you strengthen your defenses and help your security team respond to threats better.  

How Can You Apply Red Team and Blue Team Cybersecurity at Your Business? 

In your business, you need to consider the potential impacts of a cyberattack, the severity of any threats, and the total cost of mitigating an attack. Red team and blue team exercises can help you understand those risks and how to improve your overall resilience to attack. 

It is also critical to understand which technical risks are also business risks — which you can do by correlating the value of an asset, the severity of a given vulnerability, and the activity of threat actors. You must assess and quantify your cyber risk to make informed security decisions that help you prioritize remediation to maximize effectiveness. Together with the insights gleaned from red and blue team cybersecurity exercises, you can prioritize remediation and reduce your cyber exposure. 

Want to learn how red teaming can help your organization’s cybersecurity? Contact CYE to learn more. 

Meet Ira Winkler: CYE’s Newest Field CISO https://cyesec.com/blog/meet-ira-winkler-cyes-newest-field-ciso https://cyesec.com/blog/meet-ira-winkler-cyes-newest-field-ciso#respond Thu, 03 Nov 2022 13:59:22 +0000 CYE https://cyesec.com/?p=4637 Ira Winkler has recently been appointed Field CISO of CYE, as part of the company’s hyper growth expansion. He joins CYE following a key role as Chief Security Architect at Walmart and has over three decades of experience protecting large corporations from cyber threats and developing cost-effective security solutions. Ira is the recipient of dozens of awards, most notably and recently the 2021 Top Cybersecurity Leader from Security Magazine and 2022 Cybersecurity Champion of the Year from the Cybersecurity Association of Maryland, and the author of multiple bestselling books about cybersecurity and intelligence. 

Ira’s role is focused on CYE’s operations in the US and he will assist clients in optimizing their global security operations and integrating the use of Hyver, CYE’s cybersecurity optimization platform.  

We sat down with Ira to discuss his thoughts on the state of security, his advice to CISOs, and his vision for the future of the industry.  

Understanding CISO Pains 

In your various roles, you’ve had a first-row seat to the pains CISOs face. What would you say are some of the recurring issues that seem to be true for security officers across sectors, industries, and company sizes?  

It really depends on the company and their management. For some it’s getting support. For others, it’s balancing limited resources. For others still, it’s putting out fires. Some can’t hire the right people. However, the one problem I do see across the board is CISOs’ difficulty communicating the costs of cyber threats to executives and justifying their budgets.  

Security Words of Wisdom 

What are the security words of wisdom that you find yourself sharing with CISOs over and over again?  

The most common thing I tell CISOs is that they get the budgets they deserve, not the budgets that they need. They need to learn to deserve more. This is exactly what Hyver does. It helps CISOs show executives what they deserve, which is why I was drawn to it.  

Security’s Common Denominator  

You’ve been doing security for a long time. Do the computer crimes of the 2020s look anything like the early cyber breaches of the 1990s, such as the Citibank hack of 1995 or the data breach at Target in 2014? Is there a common denominator that runs through the decades despite the growing sophistication of hacks and the magnitude of destruction that they cause?   

I actually worked on the Citibank investigation. The crime was fairly straightforward and not overly sophisticated. The criminals just invested the time to do it. They got caught because they were not sophisticated.   

I would say that the majority of crimes we see today are similar to the Citibank hack in that the criminals take advantage of basic cyber gaps and are just persistent. However, cybercrime has become an established business and many crimes are committed by highly efficient groups that can be effective and maximize their gains. It’s not simply about getting lucky anymore, but about treating it like a formal business operation, which in many ways is what happened with the Target breach. That’s a scary notion to entertain, but understanding that cybercriminals spend months studying their victim’s infrastructure, operations, and third-party vendors helps us prepare better for sophisticated attacks.   

Explaining Security Threats to Management 

How invested are executives and board directors in the security efforts of their organizations? Is the job of relating security threats to management becoming easier or harder as time goes by?  

That varies. Some leaders firmly believe in and prioritize security, while others minimize it. They don’t look at it as a necessity. Regarding whether it is easier or harder, it should be getting easier but that’s not always the case everywhere yet. There is more acceptance of security as being a critical business need, so you could say we’re in the process of institutionalizing the discussion. This is one reason why I love Hyver. It makes these discussions easy.  

Future of Cybersecurity 

And now for the big one, the question we all want answers to: what does the future of security look like?     

More of the same, but different. Computer crimes have grown and evolved as value moved to computers. The criminals you need to worry about have evolved with their targets. Those criminals are persistent, creative, and disciplined. Good security programs are those that are likewise persistent, creative, and disciplined. A good security program will experience incidents, but they will generally be contained and mitigated efficiently. Those organizations that do not invest will have uncontained incidents and be at the mercy of the criminals. 

4 Key Strategies to Improve Your Company’s Cybersecurity https://cyesec.com/blog/4-key-strategies-to-improve-your-companys-cybersecurity https://cyesec.com/blog/4-key-strategies-to-improve-your-companys-cybersecurity#respond Mon, 24 Oct 2022 13:42:21 +0000 CYE https://cyesec.com/?p=4562 One thing that never changes about the cyber world is that it’s always changing. New technologies are being introduced all the time and malicious actors are always coming up with new ways to steal data. This might be one reason why a recent report found that despite the current uncertainty surrounding the economy, most organizations are not reducing cybersecurity spending—in fact, the majority are planning to spend more. These numbers serve to demonstrate that many are realizing that cybersecurity is an ongoing task that requires strategy and vigilance.

To improve cybersecurity maturity, organizations from every industry should perform a cyber risk assessment on a regular basis and mitigate the gaps that can be exploited. However, even small steps can make a significant difference.

In honor of National Cybersecurity Awareness Month, here are four key strategies you can implement to help improve your company’s cybersecurity.

1. Enabling Multi-Factor Authentication

Multi-factor authentication (MFA) has been proven to be very effective at verifying that users are the people they claim to be. It is accomplished by using at least two of three types of authentication factors: something you know, which could be a password or PIN; something you have, such as a smartphone with an authentication app; and something you are, such as a fingerprint, voice, face ID, or other biometric data.

By enabling MFA, you greatly lessen the chances that an intruder can use your employees’ credentials to gain unauthorized access to your organization’s systems.

2. Using Trusted Password Management

Surprisingly, a significant number of organizations have legacy passwords or service accounts that lack strong, robust passwords. In fact, poor password quality is an extremely common issue in companies and is usually how hackers first gain access to the organization.

Here are some tips for improving your company’s password policy:

  • Use strong passwords, including capital and lowercase letters, digits, and special characters.
  • Require employees to create new passwords on a regular basis.
  • Use password managers to generate and store passwords securely.
  • Advise employees not to share personal credentials with anyone.

3. Updating Software

It sounds so simple to do, and yet so many companies fail to update their software on a regular basis. This can result in a much greater risk of being targeted by hackers, who can exploit unfixed security flaws in software. So why does this continue to be a problem?

The answer is likely a combination of inconvenience and fear. Patching can be a manual, time-consuming process, and users would rather avoid having to reboot their computers to install updates. In addition, users might be concerned that their software will stop working or cause other applications to malfunction.

Nevertheless, there’s no question that updating software is a simple step that can greatly strengthen your cyber posture. Here are some tips:

  • Be sure to download updates only from the vendor that created the software.
  • Enable automatic updates for your employees to simplify the process.
  • Advise users to beware of pop-ups that urge them to download something or fill out a form; it could contain malware.

4. Recognizing and Reporting Phishing

Phishing attempts continue to increase and break records. According to the Anti-Phishing Working Group (APWG)’s Phishing Activity Trends Report, there were nearly 1.1 million observed phishing attacks in the second quarter of 2022, the most the group has ever measured in history. One reason for this is that today’s phishing can be quite sophisticated, with graphics that mimic emails or texts from banks, employers, and companies. Clearly, many people are being duped: In a mock phishing engagement carried out by CYE against a US-based bank, nearly 40% of the employees clicked on the URL that was sent to them.

To address this issue, organizations should be sure to conduct mandatory cybersecurity awareness training for all employees. The training should advise users to:

  • Be cautious of email attachments and links to websites.
  • Avoid responding to SMSes that ask you to click on unfamiliar websites.
  • Ensure that business emails are used strictly for work, not for personal communications.
  • Check the sender’s address carefully.
  • Look for spelling mistakes in the email and the URL.

Bottom Line

Undoubtedly, these tips can greatly strengthen your organization’s cyber posture. However, these steps should be part of an ongoing cybersecurity strategy that provides visibility of your attack routes, quantifies the risk of each security finding, and optimizes mitigation plans to close gaps.

Want to learn more about how to improve your organization’s cybersecurity? Contact us for more information.

Is Apache Commons Text RCE the New Log4Shell? https://cyesec.com/blog/is-apache-commons-text-rce-the-new-log4shell https://cyesec.com/blog/is-apache-commons-text-rce-the-new-log4shell#respond Thu, 20 Oct 2022 13:44:45 +0000 Tomer Bar, Security Researcher at CYE https://cyesec.com/?p=4460 Intro  

A widespread Java library under the Apache Commons project was found to allow remote code execution for publicly exposed web servers that implement one of the vulnerable methods based on user-controlled input.  

This is reported to affect Apache Commons Text in versions 1.5 ~ 1.9.

Apache Commons Daily Use  

Apache Commons Text is a general-purpose text manipulation Java library. Its functionality will be familiar to developers of any language.  

Just for clarity, ordinary use of the library by a Java developer can look something like this: 

The above code will output “My current username is SomeUsername” (where “SomeUsername” is the value of the environment variable USERNAME on the host machine).  

This is a quick introduction to string interpolation, which is implemented in a variety of languages and libraries. What it teaches us so far is that replace takes a string input and resolves certain predefined parts of the string into their desired value. The ${} delimits where the interpolation occurs, the keyword env determines the type of lookup StringSubstitutor should perform, and the value on the right of the colon is the one to be resolved programmatically.  

By taking a closer look, it’s also easy to notice that replace supports other keywords besides env: 

Source: commons-text GitHub repository  

Each of the above expects a slightly different value and resolves it in its corresponding way.  

For example, the dns keyword can be used to perform a DNS lookup of a domain name and put the result inside our string (to output the IP address of cyesec.com as a string):  

The Threat  

The major attack vector starts if you have an internet-facing web server that uses Java and a vulnerable version of Apache Commons Text. On top of that, the web server has to pass user-controlled input into one of the risky functions insecurely.  

The most dangerous keyword at the time of writing this article is the script keyword.  

For example:  

For the script keyword to affect your server, it needs to run on an older version of Java, because newer builds are reportedly not shipped with the built-in JavaScript engine that the script needs in order to execute. At the time of writing this article, the most recent JDK version reported as vulnerable is JDK 11. 

Other keywords like dns could also be abused, because if the attacker had managed to control the value inserted into the string, the interpolated value might be later used in your web application in another procedure – although rare, this could trigger chain reactions that lead to other vulnerabilities.  

Moreover, the vulnerability is still new, and it’s common for other techniques to surface soon after disclosure.  

The New Log4Shell?  

In short – no, although the risk exists.  

There are obvious similarities – another Java library doing risky interpolations. However, as of now, this vulnerability is less likely to be abused than Log4Shell. Here’s why:  

  • Log4j (the vulnerable library behind Log4Shell) is a logging framework. It’s more common for unsanitized user input to find its way into a logging function rather than to a library like Apache Commons Text, which is explicitly used to perform string interpolations. Developers usually know better than to insert user input into direct interpolations, and more commonly remember to sanitize user input that must go inside such procedures.  
  • As explained above, several conditions must be met for the vulnerability to be exploited, other than the insecure passing of user-controlled input.  

However, this doesn’t mean the risk should be taken lightly.  

Am I Affected?  

There are preliminary checks that you can do to prioritize your mitigation for this vulnerability.  

  • Identify services that use the Apache Commons Text library “commons-text” in versions 1.5 ~ 1.9, more so on Web Servers that have a JDK (Java Development Kit) lower than version 11 installed.  
  • Search your source code for uses of StringSubstitutor.createInterpolator(), followed by the reported vulnerable methods .replace(), .replaceIn() and .lookup()  
  • Search for StringLookupFactory class files within compiled .jar files located on your servers.  

It’s expected that more accurate techniques to detect the vulnerable instances will be published soon; however, for quick checks you can use these scripts:  

On Windows-based servers:  

On Linux-based servers:  

Source  
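As an added example (not the script the article links to), here is a POSIX shell check that walks a directory tree for commons-text jars and flags the reported 1.5 ~ 1.9 range from the Maven-style file name commons-text-<version>.jar; it is a triage aid for the first bullet above, not a replacement for a full dependency inventory.

```shell
#!/bin/sh
# Added example: triage a server for Apache Commons Text jars in the
# reported vulnerable range (1.5 through 1.9). Version 1.10.0 turns the
# script, dns and url lookups off by default; releases below 1.5 predate them.

# Return 0 (true) when the version string falls in 1.5 ~ 1.9, 1 otherwise.
# Anything that is not a numeric "major.minor[.patch]" string is treated as
# not matching so that it is reported as "ok" rather than aborting the scan.
commons_text_is_vulnerable() {
    ver="$1"
    major=${ver%%.*}              # text before the first dot
    rest=${ver#*.}                # text after the first dot
    [ "$rest" = "$ver" ] && return 1      # no dot at all: not x.y
    minor=${rest%%.*}             # second component, ignoring any patch part
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -eq 1 ] && [ "$minor" -ge 5 ] && [ "$minor" -le 9 ]
}

# Print "<path> <version> VULNERABLE|ok" for every commons-text-*.jar under $1.
# The version is parsed from the file name, which is how Maven/Gradle name
# downloaded artifacts; renamed or shaded jars will not be found this way.
scan_commons_text_jars() {
    find "$1" -type f -name 'commons-text-*.jar' 2>/dev/null |
    while IFS= read -r jar; do
        base=$(basename "$jar" .jar)
        ver=${base#commons-text-}
        if commons_text_is_vulnerable "$ver"; then
            status=VULNERABLE
        else
            status=ok
        fi
        printf '%s %s %s\n' "$jar" "$ver" "$status"
    done
}

# Print the number of vulnerable jars under $1 (always exits 0).
count_vulnerable_jars() {
    scan_commons_text_jars "$1" | grep -c ' VULNERABLE$' || true
}

# Optional confirmation for the third bullet above: where unzip is present,
# check that the jar actually ships the interpolating lookup factory class.
# Exit status: 0 = class present, 1 = absent, 2 = unzip not available.
jar_has_lookup_factory() {
    command -v unzip >/dev/null 2>&1 || return 2
    unzip -l "$1" 2>/dev/null |
        grep -q 'org/apache/commons/text/lookup/StringLookupFactory.class'
}

# Usage: ./check-commons-text.sh /opt/tomcat   (scans the given root)
if [ "$#" -gt 0 ]; then
    scan_commons_text_jars "$1"
fi
```

A jar reported as VULNERABLE only means the library version is in range; whether user-controlled input reaches .replace(), .replaceIn() or .lookup() still has to be established by the code review described under Mitigations.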

Mitigations  

  • Update Apache Commons Text to version 1.10.0, which has the script, dns and url lookups turned off by default.  
  • Once you have identified and prioritized the public servers that make use of the vulnerable library and updated the library version, initiate a focused secure code review, with the goal of determining if user-controlled input is unsafely passed to the vulnerable interpolation methods (like .replace(), .replaceIn() and .lookup()).  
  • Even after mitigation, it’s recommended to perform a forensic sweep on servers that might have been compromised in the period between the bug disclosure and the time the server was mitigated.  
  • Be alert to the latest discussions – it’s common for variations of the vulnerability to pop up soon, and in unexpected ways.  

References  

The Top 3 Approaches of Cyber Risk Assessment Software https://cyesec.com/blog/the-top-3-approaches-of-cyber-risk-assessment-software https://cyesec.com/blog/the-top-3-approaches-of-cyber-risk-assessment-software#respond Wed, 12 Oct 2022 12:33:20 +0000 CYE https://cyesec.com/?p=4373 IT security leaders depend on cyber risk assessments to identify vulnerabilities, assess the maturity of their security programs, and prioritize investments in security controls. For these reasons and more, cyber risk assessments are an effective tool for defending organizations against cyber threats.  

Cyber risk assessments involve the same basic activities, including: 

  • understanding the organization’s security posture and compliance requirements 
  • collecting data on threats, vulnerabilities, and assets 
  • modeling potential attacks 
  • prioritizing mitigation actions 

However, there are numerous approaches with important differences in emphasis and results. You should be aware of these differences before purchasing cyber risk assessment software or solutions.   

Here are the three leading approaches to cyber risk assessments. 

Approach 1: Compliance-driven 

A cyber risk assessment that is driven by compliance focuses on comparing an organization’s security controls with requirements specified in cybersecurity and regulatory frameworks. These might include, for example, frameworks published by the National Institute of Standards and Technology (NIST), ISO/IEC, the Payment Card Industry Security Standards Council, or the European Union. In fact, some of these organizations even provide guidance on how to conduct a cyber risk assessment, such as NIST SP 800-30 and ISO/IEC 27005.  

These frameworks are well established and very credible as guidelines for compliance activities and basic security practices. However, they provide mostly high-level, “one size fits all” recommendations and typically lack detail on (or ignore) important areas such as cloud security and secure coding practices. Sometimes they lead to a “check-the-box” mentality where security teams are incentivized to fix many vulnerabilities quickly even when they pose no significant risk to the organization. 

Approach 2: Threat modeling 

This approach to cyber risk assessment starts with compiling comprehensive lists of the threats facing the organization, vulnerabilities in systems and networks, and infrastructure and information assets. This information is acquired through questionnaires and interviews with IT and business managers, together with vulnerability scanning. The data is used to model the impact of possible security events based on factors such as the probability of attacks, the severity of vulnerabilities, the weaknesses of existing controls, the value of assets, and the consequences of outcomes such as data breaches and business interruptions. The security team can then select the remediation actions that reduce risk the most. 

A cyber risk assessment based on extensive threat modeling generates valuable, detailed insights into potential threats and gaps in existing controls. The results identify the greatest risks to the organization and help prioritize remediation actions.  

Unfortunately, this approach requires a large investment of staff time compiling lists, completing questionnaires, holding interviews, collecting data, estimating probabilities, and modeling long catalogs of threats and vulnerabilities. It may take weeks or months before the analysis is complete and ready to be applied, by which time much of the analysis may be obsolete. 

Approach 3: Attack Route Analysis 

Attack route analysis starts with gathering information about likely threats and key assets. However, instead of relying primarily on checklists, questionnaires, and interviews, it utilizes the techniques and thought processes of real attackers: discovering and exploiting existing vulnerabilities, exploring the organization’s environment, and deciding on a sequence of tactics to reach critical business assets.  

The information gathered from this activity enables the security team to build a graph of attack routes between the likely threats and the key assets. These routes are the paths threat actors could take to reach the critical assets, including systems, networks, and cloud platforms with vulnerabilities. Routes also include security controls that can block attacks.  

Security teams can use the graph of attack routes to focus on modeling those attacks that pose a real danger to the organization. They can deprioritize the vast majority of vulnerabilities which either are not on an attack route leading to a critical asset or are on an attack route that is blocked by an existing control.  

The graph also helps identify the most effective remediation options. An attack route can be eliminated by removing any of the vulnerabilities in the path or by deploying a security control. With a little analysis, and sometimes merely by viewing the graph, security teams can quickly determine the most cost-effective mitigation action to protect a specific asset.  

The attack route analysis approach also simplifies communication with non-technical managers. The graph shows them how threats operate to reach critical assets and how the threats can be neutralized by removing vulnerabilities or adding controls. However, to achieve maximum benefits, the assessment must be revisited periodically so the organization can address emerging threats and medium-priority vulnerabilities not covered in the first round of modeling.  

Want to learn how to conduct an effective cyber risk assessment? Download our new ebook 

The Top 3 Targets of Healthcare Cybersecurity Breaches https://cyesec.com/blog/the-top-3-targets-of-healthcare-cybersecurity-breaches https://cyesec.com/blog/the-top-3-targets-of-healthcare-cybersecurity-breaches#respond Wed, 21 Sep 2022 10:42:43 +0000 CYE https://cyesec.com/?p=4343  

Healthcare cybersecurity breaches continue to spread at an alarming rate. In fact, in July 2022 alone, 66 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights—amounting to over 5 million exposed healthcare records in one month.

Healthcare has always been a significant target for cybercriminals, and with good reason: First, the data can be quite valuable, with stolen health credentials often being sold for higher prices than credit card numbers on the black market. Moreover, healthcare increasingly relies on technology to store this ever-increasing data—and the security is often completely inadequate.

Healthcare cybersecurity is unique, however, because malicious actors can target three significant areas, and each one requires a different cybersecurity approach and strategy.

What are these targets? Read on.

1. Your Patients

The great challenge that healthcare systems face is ensuring that health data is readily available to those who must access it, while also guaranteeing that such data remains private.

The ramifications of not safeguarding patient data extend well beyond identity theft. Healthcare cyberattacks can result in paralyzing systems, which can disrupt surgeries, health monitoring, and even life support. For this reason, a robust cyber risk strategy is not only necessary to protect data; it can help save lives.

To effectively protect patients, healthcare organizations must implement rigorous access control and data protection, ensuring that patient data remains private while still being available on a need-to-know basis.

2. Your Organization

As with other industries, healthcare cyberattacks can cause reputational damage to organizations and shut down their operations. In addition, the regulatory fallout resulting from healthcare cyberattacks can be devastating. Not complying with regulations such as HIPAA can lead to hefty fines and even potential jail time, depending on the severity and frequency of the violation. In one case, for example, a medical center that lost a flash drive and laptop containing unencrypted PHI was forced to pay a $3 million settlement.

At the same time, healthcare organizations must also keep in mind that FDA approval requires a lengthy certification process, which is intended to safeguard health. Even small changes to health products that require FDA approval can require recertification, which can take years and cost millions. An effective cybersecurity strategy must therefore consider how these regulatory requirements and implications may impact mitigation plans.

3. Your Medical Devices

Medical devices are also a major target of healthcare cyberattacks. In fact, because of escalating healthcare data breaches, GlobalData predicted that cybersecurity spending in the medical device sector will grow from $869 million in 2020 to $1.2 billion in 2025.

As is the case with patient privacy, protecting medical devices from cyberattacks can save lives. For example, a cyber incident that results in having to shut down x-rays, MRIs, and ultrasounds can be a disaster for patients. In addition, halting operations unquestionably has a major negative effect on businesses that rely on such medical devices.

For all of these reasons, a robust cybersecurity strategy for healthcare organizations should be sure to include, among other things:

  • Medical data encryption
  • Security awareness training
  • Access control

How CYE Can Help

Many major healthcare organizations depend on CYE to assess, quantify, and mitigate cyber risk so they can make better security decisions and invest in effective remediation.

CYE considers multiple factors when assessing a healthcare organization’s cyber risk, including the type of attacker, the business assets at risk, the environments, and the true threat of vulnerabilities. Using this data, CYE maps possible attack routes and then recommends which vulnerabilities should be fixed and their costs.

In this way, CYE helps healthcare companies receive full visibility into their true cyber risks, the business assets that are impacted, and the effectiveness of security protection and detection solutions.

Read more about the benefits of cyber risk quantification with CYE.

Want to learn more about how CYE can help protect your healthcare company from cyber threats? Contact us.

Cyber Risk Assessment Services in the Financial Industry: 5 Key Tactics https://cyesec.com/blog/cyber-risk-assessment-services-in-the-financial-industry-5-key-tactics https://cyesec.com/blog/cyber-risk-assessment-services-in-the-financial-industry-5-key-tactics#respond Thu, 08 Sep 2022 07:43:16 +0000 CYE https://cyesec.com/?p=4204

Financial Organizations Face Unique Cyber Risks

Banks, insurance companies, investment firms, and other organizations in the financial industry are justifiably concerned about both cyber exposure and regulatory compliance. Accessing financial data continues to be at the top of hackers’ wish lists. Personal data stolen from financial organizations is highly prized, not just for the sale value of account and credit card information on the dark web, but also because criminals can use stolen credentials to break into the network and reach valuable assets. Consequently, the average cost of a breach – including containment costs, regulatory fines, legal expenses, and other factors – is one of the highest of all industries, at $5.29 million in 2021.

Despite ongoing investments in security tools and technology, the financial industry faces unique challenges to reducing risk. The push for digital transformation comes at a time when many organizations are still saddled with legacy systems they must maintain. Customer demands for innovation and frictionless services put increased pressure on the security team. Open banking introduces added risk of data loss, identity theft, and data protection violations, as aggregated customer data is held in third party providers’ infrastructure.  

As a result, financial organizations look to cyber risk assessment services to help manage cyber threats and to communicate effectively with executives.  

Five Tactics for Cyber Risk Assessment Services  

A variety of cyber risk assessment services are available, many based on established frameworks or historical data and probabilities. Given its unique demands, however, the financial industry has found the following five tactics to be optimal in choosing and using the most suitable cyber risk assessment services.

Tactic 1: Develop a risk focus  

Organizations select cyber risk assessment services that help them better understand the trends and new/changed regulations they need to address to reduce cyber risk. Services based on an understanding of the organization’s unique characteristics, coupled with relevant historical intelligence, can determine which cybersecurity threats pose the greatest risk.  

Tactic 2: Look at the big picture – in context  

Financial organizations determine what is most important to protect, such as customer data, business continuity, fraud protection, intellectual property, or other assets. They look for cyber risk assessment services that can prioritize threats that pose an immediate risk to these valuable business assets, rather than services that merely provide a list of the biggest misconfigurations and vulnerabilities without context. A service that can visually display the attack routes that could lead to those business assets, along with the probability that potential attackers will take those attack routes, is especially valuable.  

Tactic 3: Discover the true cost of a potential breach  

Traditional loss components – the cost to contain a breach, along with regulatory fines and expenses related to class-action lawsuits – must be combined with others, such as the variable cost of cryptocurrency-based ransom payouts, damage to the brand and customer churn, and downtime/lost productivity. Financial organizations know that the cost horizon is long for organizations in highly regulated industries: costs continue to accrue more than two years after the breach.

Tactic 4: Develop mitigation plans for valuable business assets 

No organization has the time or resources to mitigate all possible attacks. Financial organizations build mitigation plans for vulnerabilities with the highest probability, while blocking attack routes to the most valuable assets. They look to the cyber risk assessment service to prioritize the highest-exposure critical business assets – those that are most likely to be breached – along with data on the cost of a breach. Services that allow the organization to visually evaluate the impact of blocking various attack routes can make mitigation plans more efficient and cost-effective.

Tactic 5: Build resilience and scalability 

The organizational environment is constantly changing, as is the cyber threat landscape. It is extremely important to be able to protect the organization as attack methods evolve. Resilience allows the organization to prepare for rapid recovery from a cyber breach. Scalability allows even the largest organizations to address all probable threat sources, including those coming from the internet perimeter, from insiders, and from the extended supply chain. The optimal cyber risk assessment service for the financial industry helps in the continuous monitoring of the organization’s infrastructure and prioritization of mitigation efforts, with a focus on the most valuable business assets.  

Conclusion  

The financial industry faces a growing level of cyber risk due to its complex set of demands and requirements; at the same time, the cost of a breach is only increasing. The five tactics presented here enable financial organizations to reduce risk: they rely on cyber risk assessment services that provide visibility into the most probable attacks on their most valuable business assets. Complete, visible information helps them prioritize actions to reduce risks, and help communicate material risk reduction and avoidance to senior management and the board.  

CYE’s comprehensive security assessment covers your entire organization’s ecosystem while considering context. With the help of experienced red teams performing real attacks, CYE maps possible attack routes to business assets across all environments, thereby delivering the most contextual organizational security assessment. Click here to learn more about how CYE helps financial organizations. 

Traditional Cyber Risk Quantification Models Don’t Work. Here’s Why. https://cyesec.com/blog/traditional-cyber-risk-quantification-models-dont-work-heres-why https://cyesec.com/blog/traditional-cyber-risk-quantification-models-dont-work-heres-why#respond Thu, 18 Aug 2022 11:24:17 +0000 CYE https://cyesec.com/?p=4060

The Cyber Risk Challenge

It’s no secret that there are more cyber threats than ever before. No matter how fast organizations upgrade their defenses, attackers outpace them. They grow more creative and aggressive by the day. And as the attack surface expands due to massive migration to the cloud, increased use of operational technology (OT), and digital transformation, cybersecurity can feel like a losing game. In fact, experts predict that cybercrime will cost the world $10.5 trillion annually by 2025.

Which threats should your team tackle first? Where should you put your security investments? In the past, qualitative guesses were almost good enough. However, today’s world calls for quantification: measuring IT and cyber risk exposure in terms of the probable monetary impact to your organization.

Needed: Not More Data, but Better Models

The problem is too much information. The billions of dollars spent annually to identify external and internal risk result in a firehose of information that overwhelms SOC teams, internal security executives, and analysts.

What’s needed is a better way to consume the data you have, parse it, and get a simple, actionable monetary risk score that can be used when communicating with executives – especially important because 50% of IT leaders say the board and C-suite do not understand cyber risk. The answer is cyber risk quantification models.

Traditional Cyber Risk Quantification Models

Cyber risk quantification models employ multiple steps, many of which are labor-intensive and most based on probabilities. In general, the process is as follows:

  1. Define which assets to consider, including on-premises, on the perimeter, in the cloud, and OT.
  2. Next, identify each likely threat to each asset, calculate the probability of its occurring, and determine the potential damage that could occur if successful.
  3. Calculate the damage to productivity, competitive advantage, or reputation, as well as the cost of responding, replacing assets, and paying fines and judgments.
  4. Determine how vulnerable each asset is to each threat: how strong are your defenses, controls, and processes?

Once all of this is done, the cyber risk quantification model yields a financial risk metric which allows you to compare various options and invest security dollars wisely.

Weaknesses in Traditional Cyber Risk Quantification Models

Weaknesses in traditional cyber risk quantification models include time, cost, and subjective decisions. First, they depend on probabilities: you must estimate the frequency of threat events, the capabilities of each threat, and the strength of your defenses and controls. Inaccurate estimates can yield unusable information.

Second, it is difficult to predict the magnitude of loss that could occur to assets, including the cost to detect and escalate, notify stakeholders, perform post-breach response, and deal with lost business.

Third, traditional cyber risk quantification models treat vulnerabilities as equally risky. In reality, some very prevalent vulnerabilities may not pose a real threat to your business. Others might be minor on their own, yet a hacker chaining a few minor vulnerabilities together can achieve a devastating result.

Fourth, traditional models often result in “guesstimates” of the likelihood and magnitude of potential loss, based on a guess as to what vulnerabilities are most important and probable. Rather than whittling down a massive amount of data, they make assumptions about what information is important, and may cause your team to chase down issues that do not really put your critical assets at risk.

Finally, the results of cyber risk quantification can sometimes be difficult for the C-suite and board members to understand.

CRQ Considerations

When evaluating a cyber risk quantification model, take into account four key factors.

1 – Quality of the Data:

The model should utilize data customized to your specific company, industry, and location. It should access historical data when predicting loss factors (relieving your team of the challenging task of gathering all that data). It should be based on risk context, quantifying which specific vulnerabilities real hackers could use to compromise your business-critical assets (“guesstimates” are not acceptable here!). This cuts through the noise and reduces the amount of data your team needs to deal with.

2 – Financial Context:

The model should account for the financial cost of a breach to each asset, including productivity loss (lost revenue, lost wages); loss of IP, trade secrets and other differentiators which lead to a weakened competitive stance; and loss to reputation (reduced market share, decreased sales growth, impacts to the stock price, etc.) as well as the costs of incident response, asset replacement, fines, and judgments. This assessment should be based on financial context, ranking a low-impact threat to a high-value asset as higher priority than a high-impact threat to a low-value asset.

3 – A 360 Degree View:

An optimal model will not limit its assessment to well-known and well-documented assets, but will evaluate cyber risk in multiple environments including on-premises, cloud, perimeter, and OT. It weaves together all the threads that relate to a wide variety of assets, threats, and potential costs.

4 – Business-oriented:

The model should help your team present a cybersecurity plan to the board, in terms that are easy to communicate to executives. The result of the model should be ratings that translate technical risks into business risks, correlating asset value, severity of threat, and threat actor activity.

In summary, an accurate, useful cyber risk quantification model lets you make optimized cybersecurity investments that take into consideration both the cost of a possible breach and the likelihood that it will happen. This saves you time and money – while reducing the chance of a cyber incident.

Want to learn more about effective cyber risk quantification? Contact us for more information.  

The Top Healthcare Cybersecurity Trends for Hospital CISOs https://cyesec.com/blog/top-healthcare-cybersecurity-trends-for-hospital-cisos https://cyesec.com/blog/top-healthcare-cybersecurity-trends-for-hospital-cisos#respond Tue, 09 Aug 2022 11:46:02 +0000 CYE https://cyesec.com/?p=3992

Introduction

Attacks on hospitals continue to increase in number and severity: over the past five years, six of the top 25 breaches have affected hospitals. The problem is only getting worse, for three reasons. First, healthcare is a rich target. Breached information such as contact details, Social Security Numbers, medical history, and other data paints a comprehensive picture of an individual. Once stolen, this information can be used to perpetrate frauds, order prescription drugs, or make fraudulent claims to providers.  

Second, healthcare is an easy target: Electronic Health Records systems, telemedicine, the complex interrelationship of insurance companies, practitioners, specialists, patients, and others, all expose weak spots in the security fabric. Because keeping systems up and running is a matter of life and death, hospitals are easy targets for devastating attacks such as ransomware which cannot be ignored.  

Third, healthcare is a vulnerable target, spending less than half as much on cybersecurity as other industries. In addition, COVID caused many hospitals to deemphasize data protection measures, leading to an increase in cyberattacks. Investments in security solutions are spread across multiple unconnected products that do not communicate. A barrage of alerts and false positives makes it hard for the security team to detect real threats. While hospitals spend time and money in the wrong places, breaches are carried out in the background. The cost to discover, mitigate, and report attacks, and to recover from reputational damage, is the highest of any industry: an average cost per breached record of $408, with many breaches involving thousands of records. It makes sense to understand the top risks, why they matter, and how to deal with them.

Top Cybersecurity Threats Affecting Hospitals

Threat 1: Inadequate Security Practices

Many practices open the door to attacks, but poor identity security tops the list. Weak passwords, credentials changed too infrequently, and passwords reused for multiple sites and applications provide a beachhead for cyberattacks. A close second is the failure to ensure that employees, contractors, and other partners are trained in how to spot and avoid phishing attacks.  

Hospitals that fall victim to an attack via a stolen password or a phishing attack often find themselves facing the threat of ransomware. In fact, the Department of Health and Human Services recently issued a warning to hospitals about prevalent ransomware including PYSA, considered one of the most dangerous ransomware variants targeting the healthcare industry in recent years.   

Threat 2: Vulnerable Medical Devices

Hospitals rely heavily on medical devices, yet more than half of all Internet-connected devices commonly found in hospitals are vulnerable to cyberattacks. While such devices offer convenience and timeliness, they can create risk. More than 73% of infusion pumps have vulnerabilities that could be exploited to allow attackers to gain access to sensitive data. Moreover, a vulnerability in dozens of GE Healthcare radiological devices could have allowed access to sensitive data and even made the devices unavailable. Vulnerable devices provide an on-ramp into a hospital system and could allow criminals to lock up the digital network while demanding a ransom. Healthcare cybersecurity calls for protecting these devices via firewalls, anti-malware, intrusion detection systems, and identity management solutions.

Threat 3: Shadow IT  

Shadow IT—devices or software that are used without the IT team’s awareness or control—can present a type of insider threat. Often installed or acquired by employees who are searching for a quicker, easier way to do their jobs, these devices and applications can leave the hospital open to data loss, exposure to exploitable vulnerabilities, and serious compliance issues. Many lack sufficient access control or fail to encrypt data at rest and in transit, allowing patient data to be intercepted, viewed, and stolen at any point in its journey.  

Threat 4: Exploitable Vulnerabilities 

Known vulnerabilities are easy to find: the National Vulnerability Database provides detailed information on security flaws in operating systems, software, and firmware, and their potential impact. To ensure healthcare cybersecurity, your IT team can apply patches or upgrade to more recent versions. The problem is that it is impossible to patch all vulnerabilities, and not all pose an immediate, critical threat. Your team needs to triage vulnerabilities, determining which are most likely to impact your hospital and, among those, which would be most damaging. By focusing on the most important, impactful systems and vulnerabilities, you can avoid becoming a real-world healthcare cybersecurity breach like Baptist Medical Center, where the private data of more than 1.2 million people was exposed when a website exploit allowed a cybercriminal to access their network.

Threat 5: Inadequate Risk Assessment

Many hospitals fail to conduct an annual risk assessment or risk quantification study, and are thus unable to detect and close gaps. A risk assessment must take into consideration threats from everywhere: the perimeter, inside the organization, and the supply chain. It should determine the real risk of ransomware, data leaks, phishing attacks, malware, and other threats, categorizing risk based on how vulnerable your systems are, the likelihood of your organization being attacked, and the damage that could result from a breach.  

Conclusion

A thorough analysis of threat sources will show which of the above will most likely impact your organization, and which systems and data are the most vulnerable. Because not all vulnerabilities can or should be mitigated, your focus can be on those that are most likely to do actual harm if exploited. This analysis can translate abstract technical risks into the actual business risk to your organization. Armed with this information, you can be prepared for an eventual breach.  

Plan today for how you will cost-effectively mitigate in the event of a security breach. Beef up identity management, carefully vet medical devices to ensure they can be updated and patched, discover and secure Shadow IT, patch vulnerabilities in critical systems, and institute annual risk assessments. As in every aspect of life, preparedness is key. 

To learn how your organization can assess, quantify, and cost-effectively mitigate cyberthreats, contact CYE for a demo.  

What Should a Cyber Risk Quantification Strategy Entail? https://cyesec.com/blog/what-should-a-cyber-risk-quantification-strategy-entail https://cyesec.com/blog/what-should-a-cyber-risk-quantification-strategy-entail#respond Thu, 28 Jul 2022 09:11:25 +0000 CYE https://cyesec.com/?p=3973

With devastating cyberattacks on the rise, organizations are spending more than ever on cybersecurity budgets—and executive teams are demanding more accountability. Boards understandably want to be sure that cybersecurity costs are warranted and worthwhile, and this is where cyber risk quantification can help.

Cyber risk quantification aims to put a dollar figure on cyber risk. It considers the potential financial and business ramification of possible cyberattack scenarios, thus allowing decision-makers to understand the impact of threats and prioritize remediation efforts. Yet not all cyber risk quantification strategies are the same. How do you know which is the best for your organization?  

Here are four considerations for an effective cyber risk quantification strategy. 

1. Does it consider risk context? 

Sometimes, malicious actors can plot attack routes to important business assets by exploiting just a few vulnerabilities. Conversely, a significant number of cyber gaps may seem highly problematic on the surface, yet present no serious threat to your most important business assets. This is why an effective cyber risk quantification strategy must consider that context when determining which cyber gaps should be addressed. Otherwise, you may be spending time, effort, and money remediating vulnerabilities that do not pose significant threats.

2. Does it consider financial context? 

In addition to understanding the risk to business-critical assets, organizations must take into account the dollar value of what a breach to each asset might be. This financial context helps security teams make better decisions about which cyber gaps must be addressed first. For example, a low threat to a $1 billion asset would probably take priority over a high threat to a $1 million asset. Without understanding this context, you may be focusing on closing the wrong gaps. 

3. Does it consider the entire organization? 

Often, businesses base their cyber risk quantification strategy on whatever has been assessed, which may or may not cover the entire organization. A thorough assessment needs to check cyber risk in multiple environments, including on-prem, cloud, perimeter, and OT. Without a comprehensive assessment, your cyber risk quantification strategy may be overlooking areas where threats exist.

4. Does it help security leaders communicate cyber risk in business terms?  

Ultimately, an effective cyber risk quantification strategy should help security leaders present a cybersecurity plan to their board members and justify its costs, allowing security leaders to communicate the value of their work to execs. To accomplish this, it’s necessary for security leaders to be aligned with business needs, thus helping security be perceived as a business enabler, rather than a blocker.  

The Ultimate Benefits of Cyber Risk Quantification 

With an effective risk quantification strategy, organizations can ensure that their cybersecurity investments are optimized, taking into account both the cost of a possible breach and the likelihood that it will happen. This ROI helps your business save time and money while reducing the chance of a cyber incident.

For More Information  

Want to learn more about choosing a cyber risk quantification strategy and how CYE can help? Download our guide to learn more about: 

  • How cyber risk quantification helps CISOs communicate cyber risk 
  • Why not all cyber risk quantification solutions are the same 
  • Factors to consider when calculating an organization’s cyber risk 
  • How to determine which vulnerabilities truly pose a threat to your organization
Takeaways from 5 Real-World Healthcare Cybersecurity Breaches from 2022 https://cyesec.com/blog/takeaways-from-5-real-healthcare-cybersecurity-breaches-2022 https://cyesec.com/blog/takeaways-from-5-real-healthcare-cybersecurity-breaches-2022#respond Wed, 13 Jul 2022 11:19:10 +0000 CYE https://cyesec.com/?p=3938

The year is only half over, but healthcare cybersecurity breaches continue to proliferate at an alarming rate. In fact, according to US government data, the number of healthcare cybersecurity breaches in the first five months of 2022 was nearly double what it was during the same time last year.

Healthcare has always been a significant target for cybercriminals, and with good reason: The data is valuable and widespread—and the security is often completely inadequate.  

Which healthcare cybersecurity breaches stood out in the first half of 2022, and what can we learn from them? Read on for the top five notable ones.  

Shields Healthcare 

What happened? 

From March 7–21, 2022, a malicious actor accessed the network of Shields Healthcare, a Massachusetts-based medical services provider. This incident compromised the private data of 2 million people, including names, Social Security numbers, birth dates, addresses, billing information, medical treatment information, and more. Such stolen data can be used for social engineering, phishing, scamming, and in some cases, extortion.

It was later determined that Shields had investigated a security alert around March 18 but was not able to confirm any data theft at the time. This allowed the malicious activity to continue for another three days, and the breach was not discovered until March 28.

The incident forced Shields to rebuild certain systems. Meanwhile, lawyers are investigating the possibility of a class action lawsuit against Shields, claiming that the data breach was a known and foreseeable risk that Shields should have taken steps to prevent. They also say that the company did not adequately monitor its computer network and that it did not inform patients about the data breach until the beginning of June.  

Takeaways 

This incident illustrates why it is so essential for healthcare organizations to not only comprehensively assess their security posture, but to also have a plan in place in the event of a healthcare cybersecurity breach.  

Broward Health  

What happened? 

In January 2022, the Florida-based Broward Health hospital system announced that it had experienced a data breach in October, when a cybercriminal accessed the personal and medical information of 1.3 million patients and employees. The compromised data included names, addresses, driver’s license numbers, Social Security numbers, insurance information, and more.  

The malicious actor gained access through a third-party medical provider. Broward Health detected the breach in October and notified the FBI and the Department of Justice.  

Following the incident, Broward Health beefed up its security with password resets and by implementing multi-factor authentication for all users. It announced that it was implementing “minimum security requirements for devices not managed by Broward Health Information Technology with access to its network.”  

Takeaways 

This cyber incident underscores the importance of robust third-party security risk management, and in particular, strong access control. Implementing both can unquestionably help prevent similar healthcare cybersecurity breaches.  

Morley 

What happened? 

In February 2022, Michigan-based business services company Morley announced that it had suffered a ransomware attack in August 2021, which resulted in the exposure of the data of 521,000 clients and former and current employees. The exposed data included names, Social Security numbers, client identification numbers, and health insurance details.

Because Morley was also a third-party provider to medical industries, this put the company at risk of violating HIPAA’s requirement of notifying impacted individuals of healthcare cybersecurity breaches within 60 days of discovery.  

Following the attack, Morley said that it had made significant changes to its cyber environment to prevent similar attacks in the future. A class action suit is in progress for those who were affected by the breach.  

Takeaways 

Although Morley is technically not a healthcare company, having access to healthcare data means that it must consider regulations such as HIPAA. Compliance should be top of mind for all organizations, but especially for those businesses that deal with healthcare.  

Texas Tech University Health Sciences Center 

What happened? 

In June 2022, Texas Tech University Health Sciences Center announced that the health information of 1.2 million patients was compromised due to a breach of its electronic medical record vendor, Eye Care Leaders. The exposed data included names, addresses, phone numbers, health insurance information, Social Security numbers, and more.  

Eye Care Leaders said they had detected the breach in early December and disabled the systems within 24 hours. Along with Texas Tech University Health Sciences Center, the breach also affected eight eye care practices.  

Takeaways 

Once again, this incident indicates a lack of adequate third-party security risk management. There are steps that healthcare organizations can take to prevent breaches like this, including a comprehensive assessment and mitigation plan.  

Baptist Medical Center 

What happened? 

In June 2022, Texas-based Baptist Medical Center announced that a cybercriminal had accessed its computer network after installing a line of malicious code on the system’s website. As a result, the private data of more than 1.2 million people was compromised, including names, dates of birth, Social Security numbers, and sensitive medical information.  

An investigation of the incident revealed that an unauthorized third party was able to access systems and remove data from the network between March 31 and April 24. Baptist Medical Center said that it was bolstering its digital security, improving its monitoring capabilities, and hardening systems to prevent future attacks.  

Takeaways 

Organizations like Baptist Medical Center must find a way to guard their systems more thoroughly, thereby ensuring the security of patient health information.  

How Can Healthcare Organizations Improve Cybersecurity? 

To minimize the risk of being breached, healthcare organizations should be sure to: 

  • Conduct a risk assessment and risk quantification annually to stay on top of possible gaps. Be sure to assess the internet perimeter, insider threats, and supply chain. 
  • Enhance password security and access control, including MFA, for sensitive systems and outbound connections. 
  • Provide security training and awareness for personnel.  
  • Update and patch software on a regular basis. 
  • Always be on the lookout for new trends and dangers, and mitigate these cyber gaps while considering efficient allocation of resources. 
  • After completing IR readiness preparations, make sure you have an internal or external SOC, CTI, and IR team ready for an event. 

Learn how CYE saved a medical device company from five years of disruption.  

Top 5 Security Tips to Protect Social Media Profiles https://cyesec.com/blog/top-5-security-tips-to-protect-social-media-profiles https://cyesec.com/blog/top-5-security-tips-to-protect-social-media-profiles#respond Tue, 21 Jun 2022 06:26:33 +0000 CYE https://cyesec.com/?p=3773

Often, the entry point of many cyberattacks is services that have not been secured. This can occur if you unintentionally leave your everyday endpoint device—such as a smartphone—open to different types of attacks, or if your apps and services use only a single-step sign-in. These instances could result in attacks through your devices, which can lead to leaks of personal and business information. 

The following are some easy steps that will help improve your security.

1. Authenticator App

Authentication is the first step in access control. To best secure our social media accounts and other services we use, it’s important to add a layer of protection to the sign-in process.

There are three common factors used for authentication:

Something you know

The “something you know” factor is the most common factor used and can be a password or a simple personal identification number (PIN). However, it is also the easiest to hack. 

Something you are

This could be a fingerprint or other biometric method such as hand geometry, retinal or iris scans, handwriting, and voice analysis. While biometrics provide the strongest authentication, they are susceptible to errors. A false rejection error occurs when a system falsely rejects a known user. A false acceptance error (although less common) occurs when a system falsely identifies an unknown user as a known user. Biometric systems typically can be adjusted for sensitivity, but the sensitivity affects the accuracy. 

Something you have

The “something you have” factor adds an extra layer of security to your account, such as a one-time number that you get from a handheld device or from an authenticator app. The number displayed on the token changes regularly, such as every 60 seconds, and the authentication server always knows the currently displayed number. If attackers have access to your password, they will not be able to log in because they will need the one-time number displayed in the app. The three most secure authenticator apps are Google Authenticator, LastPass, and Microsoft Authenticator.  

2. Two-Step Verification for WhatsApp

Attackers targeting WhatsApp users can hijack their accounts by impersonating friends and requesting SMS security codes. This scam has been around for years, but by 2021, the attacks spread around the world. Continuing from the previous section where we talked about the importance of adding an extra layer of security by an authenticator app, in WhatsApp, the way to add a layer of protection is by two-step verification. 

Multi-factor authentication (MFA) is a security measure that requires two or more proofs of identity to grant access. MFA makes it harder for cybercriminals to gain initial access to your account by adding more layers of authentication, requiring extra time, effort, and resources to break. Think of adding MFA to your account in the same way you might add a locked security screen to your home. It provides you with an extra layer of protection from criminals trying to break in.  

Once MFA is set up, WhatsApp will periodically ask you to enter your PIN, so it is important to remember the code you have chosen. 

3. Antivirus (AV) 

Just like installing antivirus on a computer, it is recommended to install antivirus on any device with an internet connection. Smartphones are not immune to code injection by attackers and should therefore be protected by antivirus. Keep in mind that our smartphones are in daily use and contain all our most personal, business, and sensitive information—more than a personal computer. 

The antivirus works on the smartphone as it works on the computer—it detects malware, spyware, abnormal traffic, etc. The top AVs for Android are Avast Mobile Security, AVG Antivirus, Norton 360, and McAfee.

4. Disable Third-Party Apps 

Downloading an application from a third-party app store can infect your smartphone or tablet with malicious software and could enable someone to take control of your device. 

Apple AppStore and Google Play are the two biggest official app stores. Each platform includes native applications that are built for the iOS operating system or for Android devices. Both platforms also include third-party apps in their store. Third-party apps in the official app stores usually follow strict development criteria and are checked to make sure they do not contain malware. Google Play and the Apple AppStore continuously work to protect our devices and data and routinely remove problematic apps.

External third-party apps, however, which have not been tested and supervised by Google or Apple can potentially: 

  • Infect your mobile device with malicious code such as ransomware and adware. Even ads or code can be “injected” into popular apps you might download through a third-party store. 
  • Sell or share your data with other parties. 
  • Copy and store your data on their servers and the data could be stolen from there. 
  • Make it tough for you to delete your data. 

If you decide to download apps from a third-party store instead of an approved store, we highly recommend you compare hashes prior to installation. 

To avoid installing third-party apps, keep the option to download such apps blocked in your device settings, as shown in the screenshot in the original post. 

5. The Dangers of Public Wi-Fi

Free internet access is very appealing, especially when you are traveling abroad, and data SIM cards are expensive. Public Wi-Fi is usually free internet that can be found in popular places like airports, coffee shops, malls, restaurants, and hotels. However, it could be risky to use public Wi-Fi when you log on with your username and password to check your social media account, read an email, or check your bank account.

The first risk is that these public networks often lack security. The second risk is a common threat called a man-in-the-middle (MITM) attack. When a computer connects to the internet, data is sent from point A (smartphone) to point B (service/website), and an attacker can get in between these transmissions without anyone noticing and “read” them. In effect, everything that happens in this communication range is exposed and can be passed on to third parties that can trade the information. The third risk is that sophisticated attackers set up a Wi-Fi network that looks legitimate in order to get victims to connect to it.  

Our recommendation is to never connect to a public network. However, if this can’t be avoided, you need to secure your information by using a virtual private network (VPN) to make sure your connections are private.

Using Hyver’s Mitigation Planner Graph for Actionable Insights https://cyesec.com/blog/hyvers-mitigation-planner-graph-for-actionable-insights https://cyesec.com/blog/hyvers-mitigation-planner-graph-for-actionable-insights#respond Tue, 14 Jun 2022 14:30:36 +0000 Keren Carmeli https://cyesec.com/?p=3628

As the chief information security officer (CISO), you are responsible for your organization’s information and data security. In the past few years, cybersecurity attacks and breaches have increased, which present even more challenges to the CISO’s role: The CISO must build the organization’s security strategy, protect against a data breach, plan disaster recovery and business continuity solutions, and more. Successful CISOs must learn about new technologies, pinpoint vulnerabilities, and stay on top of the ever-evolving threat landscape. You must also collaborate with management and senior stakeholders, and present overall security status, business impact, forecast, and plans. 

As part of CYE’s baseline vulnerability and comprehensive assessment activities, a CISO can get a clear picture of security issues within the organization—and there could be many of them. In an ideal world, you would fix everything. Realistically, however, organizations’ budgets and time are limited.  

You are probably asking yourself, how should I start? What should be my focus? How do I prioritize work to yield the most effective results, putting my organization in a better position? 

CYE’s Hyver mitigation planner and prioritization tools are here to help. 

What is Hyver’s mitigation planner? 

Hyver’s visualization mitigation graph provides a clear and concise depiction of every attack route to the organization’s critical assets, allowing the organization to manage, prioritize, and plan the mitigation of vulnerabilities (findings) in order to reduce security risk. 

Hyver’s mitigation graph displays all the attack routes to the customer’s critical business assets and highlights the most severe vulnerabilities. These attack routes are shown as a sequence of arrows drawn from the threat source on the left (such as external attackers from the internet, an insider, or a third-party vendor), through the enterprise’s assets (positions connected by edges), all the way to the organization’s critical business assets on the right (such as employee information, business continuity, and sensitive data). Each route starts from a threat source and ends with a breach of one or more of the enterprise’s critical assets.  

An edge is represented as a line drawn from one position to another. Each edge between two positions typically represents a finding, which is a vulnerability detected by CYE. A finding has a probability/likelihood value between 0 and 1, reflecting the likelihood that the finding detected during the assessment will be exploited. The likelihood takes into account the complexity, popularity, and the user interaction involved in the vulnerability/finding. 

An attack route (shown as a sequence of edges/lines) simulates an attack from a threat source to a business asset.  

How to build an effective mitigation plan 

Hyver’s unique priority mechanism evaluates all findings and attack routes and highlights the vulnerabilities with the highest probability and those that are the most critical to block, which are indicated by a solid blue line and arrow. These are the ones that you should fix first.  

The priority algorithm of Hyver considers a wide range of factors, and the primary ordering is determined by one of the following: 

Exposure. Findings are prioritized primarily by the exposure of the business assets, which is the likelihood of each business asset multiplied by the cost of breach (impact). Mitigating findings by exposure order reduces the risk of business assets with the highest exposure. 

Importance. Findings are prioritized primarily by the business asset importance. Mitigating findings by importance order reduces the risk of the most important business assets for the organization. 

Hyver’s findings view provides an overview of all prioritized findings (from 1 to n) so that you can plan and prioritize mitigation efforts in order to resolve and disconnect vulnerable attack routes. An edge line is automatically removed from the mitigation graph when a finding is mitigated. 

By building a mitigation plan using Hyver’s Mitigation Planner, you can mark specific findings on the graph as if they were fixed to see their effect on attack route edges. This visual mitigation optimization algorithm identifies the findings whose mitigation will disconnect the maximum number of attack routes. This allows you to mitigate findings in the most efficient manner according to their severity, the budget/resources required to remediate each finding, and the amount of time required to fix each finding.  

Hyver creates four out-of-the-box mitigation plans that provide insights and a decision-making tool: Critical to Block, Most Probable Route, Lowest Cost Level, and Lowest Effort Level. Each one simulates the problems to be fixed and their cost and effort implications so that you can forecast the impact. 

An organization’s environment is constantly changing, and so it is very important to be able to protect the organization as attack methods and landscapes evolve. Therefore, it is recommended to track progress and make changes as necessary. You can save and create multiple plans as necessary. 

You can also select specific findings of interest to add to the mitigation plan. When added, the graph is automatically updated reflecting the impact of fixing the selected finding. This enables you to select the right finding to address first so as to avoid a possible disconnection of business assets. 
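To make the graph mechanics concrete, here is a toy version written for this page, not Hyver's own code: findings as edges with a 0-1 likelihood, route probability as the product along the route, exposure as the asset's breach likelihood times its cost of breach, and a greedy planner that fixes the finding removing the most exposure, simulating the graph with that edge removed. The graph, likelihoods and impacts are constructed, and the planner is a simplification of the approach described above rather than Hyver's actual algorithm.

```python
"""Added example, not CYE's Hyver code: a toy attack-route graph built from the
concepts the post describes (threat sources, positions, findings as edges with a
0-1 likelihood, business assets with a cost of breach) and a greedy planner that
picks which finding to fix first. Hyver's real algorithm is not published; the
greedy rule and the assumption that routes are independent are this example's
own simplifications, and all names, likelihoods and impacts are constructed."""
from typing import Dict, FrozenSet, List, Tuple

Route = Tuple[List[str], List[str]]      # (positions visited, findings traversed)
THREAT_SOURCES = ["internet", "third_party_vendor"]
ASSETS: Dict[str, float] = {             # business asset -> cost of breach (impact)
    "customer_data": 4_000_000, "business_continuity": 2_500_000}
FINDINGS: Dict[str, float] = {           # finding id -> likelihood of exploitation (0-1)
    "F1": 0.6, "F2": 0.5, "F3": 0.7, "F4": 0.2, "F5": 0.8, "F6": 0.4, "F7": 0.9, "F8": 0.9}
EDGES: List[Tuple[str, str, str]] = [    # (from position, to position, finding)
    ("internet", "web_server", "F1"),                    # outdated CMS on the perimeter
    ("web_server", "file_server", "F2"),                 # reused service-account password
    ("file_server", "customer_data", "F3"),              # unencrypted PII share
    ("web_server", "domain_controller", "F4"),           # cached admin credentials on web host
    ("third_party_vendor", "vpn_gateway", "F5"),         # vendor VPN account without MFA
    ("vpn_gateway", "domain_controller", "F6"),          # over-broad vendor permissions
    ("domain_controller", "customer_data", "F7"),        # domain admin reaches the database
    ("domain_controller", "business_continuity", "F8"),  # domain admin can halt operations
]


def enumerate_routes(fixed: FrozenSet[str] = frozenset()) -> List[Route]:
    """Depth-first enumeration of simple paths from every threat source to every
    business asset; edges whose finding is in `fixed` are treated as mitigated."""
    adjacency: Dict[str, List[Tuple[str, str]]] = {}
    for src, dst, finding in EDGES:
        if finding not in fixed:
            adjacency.setdefault(src, []).append((dst, finding))
    routes: List[Route] = []

    def walk(position: str, visited: List[str], findings: List[str]) -> None:
        if position in ASSETS:                 # a route ends when an asset is breached
            routes.append((visited, findings))
            return
        for nxt, finding in adjacency.get(position, []):
            if nxt not in visited:
                walk(nxt, visited + [nxt], findings + [finding])

    for source in THREAT_SOURCES:
        walk(source, [source], [])
    return routes


def route_probability(route: Route) -> float:
    """Likelihood of the whole route: every finding on it must be exploited."""
    p = 1.0
    for finding in route[1]:
        p *= FINDINGS[finding]
    return p


def asset_exposure(routes: List[Route]) -> Dict[str, float]:
    """Exposure = likelihood that at least one route to the asset succeeds
    (routes treated as independent) multiplied by the cost of breach."""
    survive = {asset: 1.0 for asset in ASSETS}
    for route in routes:
        survive[route[0][-1]] *= 1.0 - route_probability(route)
    return {asset: (1.0 - s) * ASSETS[asset] for asset, s in survive.items()}


def total_exposure(fixed: FrozenSet[str] = frozenset()) -> float:
    return sum(asset_exposure(enumerate_routes(fixed)).values())


def build_plan(max_findings: int = 3) -> List[Tuple[str, int, float]]:
    """Greedy planner: each step fixes the live finding that leaves the least total
    exposure (ties: most routes cut, then lowest id). Returns (finding, routes_cut, exposure_after)."""
    fixed = set()
    plan: List[Tuple[str, int, float]] = []
    while len(plan) < max_findings:
        live = enumerate_routes(frozenset(fixed))
        if not live:
            break                                  # every attack route is disconnected
        candidates = []
        for finding in (f for f in FINDINGS if f not in fixed):
            routes_after = enumerate_routes(frozenset(fixed | {finding}))
            after = sum(asset_exposure(routes_after).values())
            candidates.append((after, len(routes_after) - len(live), finding))
        after, neg_cut, finding = min(candidates)   # lowest exposure, then most routes cut
        plan.append((finding, -neg_cut, after))
        fixed.add(finding)
    return plan


if __name__ == "__main__":
    print(f"total exposure before mitigation: {total_exposure():,.0f}")
    best = max(enumerate_routes(), key=route_probability)      # the "Most Probable Route" view
    print("most probable route:", " -> ".join(best[0]), f"(p={route_probability(best):.3f})")
    for finding, cut, after in build_plan():
        print(f"fix {finding}: cuts {cut} route(s), exposure remaining {after:,.0f}")
```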

How to reduce risk to the organization 

Fixing all Critical to Block findings will directly achieve the most security, the least exposure, and reduce the most risk at the lowest cost. It is recommended to list the organization’s business assets to be protected in the order of their importance to the organization.  

Hyver calculates the probability of attack. This insightful widget gives you an at-a-glance view of the business assets with the highest impact that are most likely to be attacked. Having the importance, likelihood, and impact (cost of breach) expressed in financial terms can provide the CISO and the management team with a clear picture of the exposure and the risk to the organization.  

All organizations seek to avoid losing money and any negative impact on their business. By having a risk exposure value, the business can make smart decisions, including where to invest and how much. 

Conclusion 

In the last year, the cost of data breaches has increased by 10%, and cyberattacks are far from being eliminated. CYE’s Hyver mitigation tools and the use of additional security tools and processes can help you reduce your risk exposure and keep your organization safe. 

An understanding of your business impact—rather than just specific technical aspects—as well as planning, prioritization, and focusing on what impacts the most are the keys to success.  

Want to learn more about how Hyver’s mitigation planner can help your organization? Contact us for more details.  

3 Security Questions Your Board Might Ask https://cyesec.com/blog/3-security-questions-your-board-might-ask https://cyesec.com/blog/3-security-questions-your-board-might-ask#respond Wed, 01 Jun 2022 12:40:04 +0000 CYE https://cyesec.com/?p=3534

If you’re a CISO, then you know that there will undoubtedly be times when you will be asked to explain your organization’s cybersecurity strategy to your executive members. You will need to provide business insights and explain the importance of cybersecurity solutions.

What kinds of questions should you be prepared for? Here are three common ones:

1. Are we 100% secure?

This, of course, is the ultimate question for any CISO, since you should know better than anyone about any security threats or vulnerabilities that may be present at your organization. CISOs, after all, are tasked with understanding and managing their organizations’ security posture.

The tricky part about this question, however, is that no CISO can honestly claim that a company is 100% secure. That’s not only because there are always new, undiscovered threats that might be lurking, but also because experienced CISOs understand that not every vulnerability is necessarily worth addressing. Some cyber gaps would only result in minimal or no damage to company assets and may be expensive to close. That’s why you should know how to prioritize mitigation plans and be able to demonstrate this to the board.

2. Are we spending enough—and why are we spending so much?

Security spend will always be a major issue for board members, and with good reason: cybersecurity expenses, along with threats, are expected to increase every year. This is why your C-levels want to both be reassured that everything is being done to protect your organization from cyberattacks—and that cybersecurity costs are reasonable and justified.

It’s a tough balance, but cyber risk quantification can help you present your case. By showing your board members the actual price of mitigation versus the price of a possible cyberattack, you can present your budget as being both reasonable and necessary.

3. Are we efficiently allocating resources—and are our investments effective?

Ultimately, your goal will be to present cybersecurity as less of an expense, and more as a wise investment that will ultimately ensure business continuity. To accomplish this, you will need to show that your organization’s cybersecurity strategy is aligned with your business objectives.

For example, if you work for an online retail company, then the goal will likely be to enable sales and profits. This means that your priority should be doing everything in your power to avoid a shutdown, which would result in reduced sales. In addition, protecting your customers’ data privacy would be crucial, because any breach to your company could result in hefty regulatory penalties and a loss of customer trust.

In short, demonstrating that your cybersecurity strategy closely aligns with your business objectives will help you make the case that your investments are sound. To do this, you should be sure to:

  • Create a risk profile by identifying attack routes leading to business-critical assets
  • Benchmark your cybersecurity maturity and set goals
  • Understand the potential financial impact of cyber incidents
  • Build a mitigation plan that reduces the most risk while using the least resources
  • Present the required budget and expected outcomes of the mitigation plan

How CYE Helps

CYE uncovers probable threat sources that present real business risks to organizations. Unlike other solution providers, CYE combines technology with red team activity to deliver the most comprehensive and contextual organizational security assessments. Using CYE, you can make better decisions about cyber risk by understanding the true costs of threats and remediation and present those insights to your board members.

Want to learn more about how you can gain insights into your organization’s cyber risk? Contact us today.

Protecting Your Business from Attacks That Exploit Human Weaknesses https://cyesec.com/blog/protecting-your-business-from-attacks-that-exploit-human-weaknesses https://cyesec.com/blog/protecting-your-business-from-attacks-that-exploit-human-weaknesses#respond Wed, 01 Jun 2022 09:06:34 +0000 Elad Leon https://cyesec.com/?p=3519

Often, we hear about deep and complicated cyberattacks against the financial sector, critical infrastructure, and supply chain companies. These kinds of attacks tend to be eye-catching because the potential outcomes they can cause could not only devastate an organization but also a country when it comes to big companies in the financial sector. This being said, however, we often tend to overlook the simpler, more obvious dangers to the organization.

In the past few months, we witnessed a few cases whereby organizations have come under different types of attacks—each with a different goal. The common denominator between them is the use of the “inside man”—a human—who helps provide accessibility to the organization’s intellectual property and sensitive information.

One very well-known example is the Lapsus$ attacks conducted over the past few months. Looking beyond the dangerous trend of ransomware, we should also make note of the dangers of the inside job. Rather than going through the ordinary kill chain step of reconnaissance to find the network weak spots, and then exploiting them, the Lapsus$ group took a significant shortcut, going directly to the “soft belly”—also known as the employees. Going to the right employee can prove disastrous for an organization due to the intimate information employees have about the security gaps in the company. After obtaining the needed information, the group then had a better idea of the possible attack routes and could even access the network as a legitimate user. From this point, it’s up to them as to how much damage they want to cause.

The other incident we encountered was cyberattacks between competing companies. A company paid a competitor’s developer for a remote work VPN and credentials and was subsequently able to access the developer’s user and work environment. Unfortunately, the competitor had also made another grave mistake—its programmers were given access to a wide range of unnecessary libraries and code. This was unnecessary, as the access permissions granted to the employees were beyond what they were working on. This allowed the attacker to access extensive amounts of data from that one user.

Another form of business espionage is not in the cyber domain but in the physical domain, just as a company named Appian recently experienced. In this case, just as with the previous one, it appears that its competitor sent a programmer to interview and work for Appian with the goal of surreptitiously leaking confidential information such as code and future capabilities from the back end. Meanwhile, company employees with fictional profiles requested demos of the product to gain knowledge on features, UX, and UI. It is unclear how long this employee was leaking information to the outside; however, the risk is very clear. Such an employee could leak information to multiple competitors in the field, causing a company to lose its competitive edge.

Strategies for Preventing Cyber Threats

Following all these attacks, and the rising wave of cyber threats, we encourage companies to strengthen their cyber awareness, resiliency, and preparedness to protect against malicious cyber actors. At the same time, it is very easy to overlook other dangers to the organization, such as business espionage in its different forms. Companies, therefore, need to appoint an executive who will supervise the security of the organization’s intimate data. This is where the CISO and the chief of security should meet to create a holistic risk map and to address it accordingly in each respective arena.

To mitigate cyber issues, the CISO has a pivotal role in conducting business intelligence and competition analysis. Companies should institute a regular cyber risk assessment and risk quantification overview, together with a clearly laid-out Cyber Response Plan (CRP) covering SOC training and simulation on how to spot irregularities. Minimal workable permissions should also be assigned to each employee as needed according to their respective fields.

On the physical side, background checks should be conducted on all incoming employees, along with routine follow-ups, while applying the principle of compartmentalization. That means doing exactly what we did in the cyber arena: defining permissions adequate to business needs and people’s roles.

Having said all this, and with the understanding that business espionage is a great way to get valuable information in a short timeframe and with low investment, we also need to define key areas where strategic business conversations or plans are often shared. Then, besides setting up cyber solution technologies on-prem (on-site), locations should be compartmentalized and safeguarded by setting physical and technological measures in order to limit control and only permit access to relevant and authorized personnel. Continuously performing TSCM (Technical Surveillance Counter Measures) activities will also reduce risks and a business rival’s opportunity and ability to steal a company’s valuable information.

How CYE Can Help

CYE’s Critical Cyber Operations group is made up of national-level cybersecurity experts and senior intelligence officers. They provide organizations with Cyber Threat Intelligence (CTI) assessments that identify potential attackers and their motivations, possible cyberattack targets within an organization, and the potential exposure that can result from such attacks. This assessment can find current incidents or vulnerabilities of a company and its executives. The group provides crisis management and incident response to assist companies in the aftermath of an attack. It is led by Shmulik Yehezkel, Colonel (IDF Res.), who brings years of experience leading cyber and field operations, information security, and risk management in the Israel Defense Forces, the Ministry of Defense, and the Office of the Prime Minister of Israel.

Want to learn more about CYE’s Critical Cyber Operations Services? Click here for more information.

 

Top Attacking Tools: Have You Attacked Your Own Network Yet? https://cyesec.com/blog/have-you-attacked-your-own-network-yet https://cyesec.com/blog/have-you-attacked-your-own-network-yet#respond Tue, 12 Apr 2022 16:39:16 +0000 Itay Peled https://cyesec.com/?p=9698

Security professionals around the world are investing a large amount of time and effort in order to improve their security posture. Regardless of the size or complexity of the organization, the resources that are poured into security controls, monitoring, and investigating are huge.

Defenders and architects are tasked with consistently reviewing, structuring, and creating secure solutions for the different projects and services within their organization. The tasks are done in accordance with the indicated best practices and overall security proposals to best secure their organization.

The attackers, meanwhile, are on the flip side of this coin. Coming with the aim of breaching the organization in any way possible, all they need is one misconfiguration, one control that is not well placed, or just one blind spot that was left open by the different defense stakeholders in order to gain momentum.

The problem for the attackers is a lack of knowledge on how the attacked network works. A big part in the attack process is that the attackers are trying to understand where they “landed” and where to continue from there. After “landing,” they are then tasked with assessing what they should target and how they can stay under the radar. To stay under the radar, attackers must adjust their attacking tools and methods to the environment they find themselves in, and to the security controls they are facing in the specific attack.

In some cases, red teamers enjoy both worlds. They are internal attackers who are familiar with both the network as well as some of its weaknesses. But an internal, dedicated, and well-trained red team is not common in many organizations. Investment in training an attacker, while still having a lot of defensive work to do, is not an easy task.

This fundamentally begs the question, what exactly is the best solution to this common problem?

After trying many different methods, the best answer—at least from my perspective—is that the defender should put on different glasses. Look at the other side of the coin and leverage the excessive internal knowledge in your possession.

Using attacking tools that are available to everyone as open source and that are used by many attackers around the world can ultimately provide you with priceless information on your network, security controls, and general security posture. This will allow you to benefit from both the attackers’ and the defenders’ worlds, identify the gaps, understand the root causes, and mitigate the issues. A real all-in-one superhuman!

Let’s cover the big and main benefits you can receive, using the best-known tools:

Bloodhound — the Silent Misconfiguration Killer

Active Directory and Azure Active Directory are widely used as organizations’ identity management platforms, and usually hold the key to all the technical assets within the organization. Taking control of the AD/AAD usually means “game over” for the attacker.

The biggest benefit of Bloodhound lies in the complexity of Microsoft’s features in their identity management environments. There is so much room for error that even the most well-trained and most knowledgeable team won’t be able to cover every aspect of it when planning and maintaining it. Bloodhound takes advantage of this, looking for routes and misconfigurations in the environment that lead attackers from different perspectives (starting points) to the end goal.

The added value a defender has over an attacker with this tool is familiarity with the network. Defenders know their assets, can mark them as high value, and can cut the routes leading to them. As insiders they also have context for the results that the attacker lacks, which helps prioritize which findings to fix first.

BloodHound can overwhelm a first-time user with information. Here too the advantage rests with the defender, who already knows the network, can navigate the graph far more easily, and gets far more out of it.
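To make the "routes to a high-value asset" idea concrete, here is an added example (not BloodHound's own code; BloodHound stores the collected graph in Neo4j and is queried with Cypher). It runs a breadth-first search over a constructed edge list that uses BloodHound's edge vocabulary, lists every principal that has some route into the assets the defender marked as high value, and shows that removing one relationship (one mitigation) kills the route. All principal names are hypothetical.

```python
"""Shortest attack-path search over a BloodHound-style edge list.

Added example, not BloodHound's own code. The principals and edges below
are constructed; the edge names follow BloodHound's vocabulary.
"""
from collections import deque

# Constructed sample graph: (source, edge_type, target). A help-desk group is
# local admin on a file server where a domain admin happens to have a session.
SAMPLE_EDGES = [
    ("ALICE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "FILESRV01.CORP.LOCAL"),
    ("FILESRV01.CORP.LOCAL", "HasSession", "BOB_DA@CORP.LOCAL"),
    ("BOB_DA@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "GenericAll", "SVC_BACKUP@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "MemberOf", "BACKUP OPERATORS@CORP.LOCAL"),
    ("CAROL@CORP.LOCAL", "MemberOf", "FINANCE@CORP.LOCAL"),
]

# What the defender marks as "game over": the assets whose inbound routes must be cut.
HIGH_VALUE = {"DOMAIN ADMINS@CORP.LOCAL"}


def build_graph(edges):
    """Adjacency list: node -> [(edge_type, next_node)]."""
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((kind, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(edges, start, targets):
    """Breadth-first search from start to any target. Returns the route as a
    list of (node, edge_type, next_node) hops, or None when no route exists."""
    graph = build_graph(edges)
    if start not in graph:
        return None
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in targets and node != start:
            hops = []
            while parent[node] is not None:
                prev, kind = parent[node]
                hops.append((prev, kind, node))
                node = prev
            return hops[::-1]
        for kind, nxt in graph[node]:
            if nxt not in parent:
                parent[nxt] = (node, kind)
                queue.append(nxt)
    return None


def exposed_principals(edges, targets=HIGH_VALUE):
    """Every node with some route into a high-value target: the defender's worklist."""
    graph = build_graph(edges)
    return sorted(n for n in graph if n not in targets and shortest_path(edges, n, targets))


def without_edge(edges, src, kind, dst):
    """The graph after one relationship is removed, i.e. after one mitigation is applied."""
    return [e for e in edges if e != (src, kind, dst)]


if __name__ == "__main__":
    for hop in shortest_path(SAMPLE_EDGES, "ALICE@CORP.LOCAL", HIGH_VALUE):
        print("%s -[%s]-> %s" % hop)
    fixed = without_edge(SAMPLE_EDGES, "HELPDESK@CORP.LOCAL", "AdminTo", "FILESRV01.CORP.LOCAL")
    print("route after removing help-desk admin rights:", shortest_path(fixed, "ALICE@CORP.LOCAL", HIGH_VALUE))
```

Removing the help-desk group's local admin rights on the file server severs Alice's route, but the domain admin's session on that server is still exposed through the server itself, which is exactly the prioritization signal the insider context gives you.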

Nmap/NetScan — as Simple as That

Aside from identity-driven attacks, the other major focus for an attacker is network access. Attackers try to understand where they "landed" and what they can reach next, then map the reachable hosts, services and other components in order to move laterally and reach their goal.

Monitoring controls may alert when a network scan takes place, but a patient attacker scans very slowly or uses other techniques to avoid detection, including mimicking regular communication patterns.

This is where the defenders come in, and on a day-to-day basis they are at a slight disadvantage. They know how the architecture is supposed to look and can read the firewall rules, the VLANs and so on, but they do not see all the holes, misconfigurations and blind spots. It is a common misconception among defenders that they know how their network is built, down to every detail. The outsider, by contrast, is specifically honed to look for the gaps between the planned communication matrix and the constantly shifting reality of a "living" network. Finding those gaps first is crucial for the security of the network.

Using tools as simple as Nmap and NetScan, defenders should look at their network from different vantage points and find where things went wrong. Accepting that anyone makes mistakes and anyone can miss a hole (and that the attacker is counting on it) is the first step toward proactively securing the network.
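The "planned matrix versus living network" comparison can be automated against the scanner's own output. The following is an added example, not code from the original post: it parses Nmap's XML report format (the -oX output) with the standard library and diffs the open services against an allow-list that stands in for the firewall/VLAN design. The scan report and the allow-list are both constructed for the example; the addresses are hypothetical.

```python
"""Compare an Nmap XML scan against the planned communication matrix.

Added example, not from the original post. The report below is a constructed
sample in Nmap's -oX format; ALLOWED is a hypothetical matrix for one segment.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX seg.xml 10.10.20.0/28">
  <host><status state="up"/>
    <address addr="10.10.20.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.10.20.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.10.20.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="5985"><state state="open"/><service name="wsman"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical planned matrix: (ip, protocol, port) the design says should be reachable
# from the scanning vantage point. Everything else that answers is a hole.
ALLOWED = {
    ("10.10.20.5", "tcp", 445),
    ("10.10.20.7", "tcp", 22),
    ("10.10.20.9", "tcp", 443),
}


def open_ports(nmap_xml):
    """Return (ip, protocol, port, service) for every open port in an Nmap XML report."""
    root = ET.fromstring(nmap_xml)
    found = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else ""
            found.append((ip, port.get("protocol"), int(port.get("portid")), name))
    return found


def unexpected_exposure(nmap_xml, allowed):
    """Open services the design does not account for: the holes an attacker is counting on."""
    return [f for f in open_ports(nmap_xml) if (f[0], f[1], f[2]) not in allowed]


def missing_services(nmap_xml, allowed):
    """Planned services that did not answer: a dead host, a stale matrix, or a scan blind spot."""
    seen = {(f[0], f[1], f[2]) for f in open_ports(nmap_xml)}
    return sorted(allowed - seen)


if __name__ == "__main__":
    print("unexpected:", unexpected_exposure(SAMPLE_NMAP_XML, ALLOWED))
    print("missing:   ", missing_services(SAMPLE_NMAP_XML, ALLOWED))
```

Run the scan from each segment you care about (a user VLAN, a guest network, a jump host) and feed each report through the same allow-list; the differences between vantage points are the blind spots the post is talking about. Scan slowly and with the network team's knowledge, so that your own exercise does not get filed as an incident.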

ShareFinder — You Don’t Have to Attack in Order to Create Damage

Attackers have a goal. No one attacks for nothing.

Attackers do not have to work hard to reach their goals, and they do not have to fully compromise the network. A single folder of sensitive files can give them an enormous impact on the organization: personal information, credit card data, client information and company secrets are all held somewhere internally, and all are potential targets. Information-protection policies are written and deployed everywhere, and auditors request them for one compliance regime or another all the time.

We all know the reality is different. Even with policies and controls in place, it is very hard to enforce them on users. Most people just want to do their jobs and do not think much about security in their day-to-day work. Attackers know this and look for data on file servers, storage systems, network shares and elsewhere. We want to find it before they do.

The attack framework PowerSploit offers exactly that. Its PowerView module includes Invoke-ShareFinder, which enumerates the shares reachable from a foothold, and companion file-finding functions (Invoke-FileFinder in older releases, Find-InterestingFile in newer ones) that search those shares for files whose names match a short out-of-the-box keyword list, with terms such as "password" and "secret". Both are used by many attackers to locate sensitive files on network shares and file servers.

The defender's advantage here is knowing what sensitive data to look for. Attackers usually do not know what is supposed to be in the share or file server they found, or which terms are meaningful there. Looking for the right keywords in the right places is the key to success (or to failure, if an attacker does it before you).
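The following is an added example of that keyword sweep, not PowerView's code: the same logic PowerView applies across SMB shares, run over a local directory so it can be tried offline. It matches file names against a generic list of the kind any attacker tries, matches file contents against a password-assignment pattern, and takes extra keywords that only an insider would know (a project codename, an internal system name). The share layout is constructed in a temporary directory; the file names, the codename "ORION" and the keyword list are hypothetical.

```python
"""Keyword sweep of a share tree for files an attacker would grab first.

Added example, not PowerView code. The sample tree is constructed in a temp
directory; DEFAULT_KEYWORDS approximates a generic out-of-the-box list, and
the extra keywords passed by the caller are the insider's knowledge.
"""
import os
import re
import shutil
import tempfile

# Generic terms any attacker tries (name substrings, case-insensitive).
DEFAULT_KEYWORDS = ["password", "passwd", "secret", "credential", "creds", "unattend",
                    ".kdbx", ".pem", ".ppk"]
# Content worth a look even when the file name is innocent: "password = ...", "pwd: ...".
PASSWORD_ASSIGNMENT = re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*\S+")


def find_interesting(root, extra_keywords=(), max_read=64 * 1024):
    """Return a sorted list of (relative_path, reason) for files that match a
    name keyword or contain a password assignment in their first max_read bytes."""
    keywords = [k.lower() for k in list(DEFAULT_KEYWORDS) + list(extra_keywords)]
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            matched = [k for k in keywords if k in name.lower()]
            if matched:
                hits.append((rel, "name:" + matched[0]))
                continue
            try:
                with open(full, "rb") as fh:
                    head = fh.read(max_read).decode("utf-8", errors="ignore")
            except OSError:
                continue  # unreadable: note it elsewhere, keep sweeping
            if PASSWORD_ASSIGNMENT.search(head):
                hits.append((rel, "content:password-assignment"))
    return sorted(hits)


def build_sample_share():
    """Create a constructed share layout in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="share_")
    files = {
        "HR/onboarding.docx": b"welcome aboard",
        "IT/old_passwords.xlsx": b"not a real spreadsheet",
        "IT/deploy/unattend.xml": b"<unattend/>",
        "Finance/q3_report.txt": b"revenue up",
        "Finance/db_notes.txt": b"host=fin-db01\npassword = Summer2022!\n",
        "Projects/ORION_roadmap.pptx": b"internal",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def remove_sample_share(root):
    """Delete the constructed tree again."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_share()
    for rel, reason in find_interesting(root, extra_keywords=("orion",)):
        print("%-32s %s" % (rel, reason))
    remove_sample_share(root)
```

The generic list alone finds the password spreadsheet, the unattend file and the credentials in the notes file; only the insider's extra keyword surfaces the ORION roadmap. Against real shares, point the walk at the mounted share root (or the UNC path on Windows) and run it as a low-privilege user, since what that user can read is what a phished user's attacker can read.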

To wrap up: defenders should make use of attack tools and attack their own network. Seeing what a potential attacker would see, combined with the defender's prior knowledge of the environment, gives real visibility into the actual state of the network and its assets. Looking from a different perspective teaches you a lot. All you have to do is try.

Russian Cyber Attacks: Analysis and Recommendations [Updated 22.5]
https://cyesec.com/blog/russian-cyber-attacks-geo-cyber-analysis-recommendations
Wed, 30 Mar 2022 08:02:28 +0000, CYE Critical Cyber Operations Group

22.05 Update

Background

The following document is the sixth CYE has published regarding the cyber aspects of the Russian-Ukrainian war, which started on February 24th, 2022.

The purpose of this document is to present CYE's analysis of the geo-cyber situation, provide IOCs we found relevant for you to implement in your systems, and provide recommendations for strengthening your networks according to the attackers' TTPs.

CYE continues to monitor and analyze Russian cyber activities in the war with Ukraine. It is our understanding that the war will not end soon. Our findings are that Russia continues its cyberattacks on Ukrainian targets, even more intensively than in the first two months of the war. At this point the main Russian cyber effort appears to be focused on supporting the war in Ukraine, after what seems to have been a miscalculation of the losses it would sustain. At the same time, it is crucial to note that the West, led by US authorities, continues to alert and prepare the business sector (mainly critical infrastructure and finance) for possible Russian aggression in the cyber domain. There is no evidence that attacks of this nature took place in the last three months.

At this point there is not much room for escalation in terms of sanctions against Russia. The U.S. and European countries appear to have shifted strategy in how they respond to Russia: instead of threats of war, the West is constantly providing Ukraine with the means to fight Russia in both the kinetic and cyber domains, through intelligence and cyber support, so that Russia loses as many assets in the field as possible. That said, the Russians are enacting sanctions of their own by cutting relations and stopping the supply of gas to certain European countries.

This, along with significant preparation in the West, may be why we have not seen attacks aimed at critical infrastructure and financial entities. In addition, the coming year will be full of talk about increased military expenditure and more European countries pressing to join NATO. The latter will surely trigger Russian responses in the form of cyberattacks.

Strategic Geo-Cyber situation

Timeline of the Russian cyber threat as the war in Ukraine advances:

 

Tension between the US and Russia has been high since the beginning of the war and keeps rising as more sanctions are imposed. Our assessment is that tension and sanctions will continue to grow to the point where Russia decides to retaliate with significant cyberattacks against American and Western targets. This has not happened so far, at least not in the form of aggressive CNA or CNI attacks.

During the last month and a half, US and Western authorities published several alerts about possible Russian cyberattacks on Western critical infrastructure companies, mainly in the energy and financial sectors. These alerts, as we noted in earlier posts, concerned different Russian capabilities, mainly ransomware. The US has also published general alerts for those sectors that are not limited to ransomware.

One of the highest risks comes from RaaS (Ransomware-as-a-Service) groups, which might attack on Russia's behalf to give it more deniability. Several RaaS groups are worth noting: Conti, LockBit, AvosLocker, REvil and BlackBasta.

Another important risk to consider is the Russian threat against executives of Western countries and companies. We have already seen the Russian government threaten measures against companies and their executives. This is an evolving threat that we assess is one of Putin's easiest retaliation options in the near future (see the article by our Head of Projects and Executive Solutions at https://www.ibtimes.com/when-it-comes-executive-security-cyber-physical-realms-must-merge-3449234).

Recommendations

In correlation with our assessments, we remind you of our latest recommendations for you to take:

General recommendations:

  • Put the SOC on high alert.
  • Prepare IR teams for fast response in case of an incident.

Vulnerabilities and IOCs:

  • Make sure multi-factor authentication (MFA) is enabled on the remote access interfaces and administration interfaces.
  • Review all authentication activity for remote access infrastructure. Identify and disable accounts with single-factor authentication.
  • Review your IdP (identity provider) for dormant accounts and disable them. Should your external interfaces use a separate IdP (such as local users on a VPN interface), make sure to review them as well.
  • Monitor your incoming connections for suspicious activity e.g., authenticated accounts without MFA requirements, password brute-force attack, unusual IP location, etc.
  • Run a vulnerability scan on your internet-facing devices and critical infrastructure. Identify vulnerable entities and take action to patch them ASAP.
  • Verify your critical systems are backed up. Make sure your backups are detached from your networks or are saved in an offline manner. If possible, perform a restore operation to verify the backup system is in order.
  • Use the attached indicators of compromise (IOC) to investigate whether they exist in your environment. If found, address it immediately.
  • Verify that your email protection features are enabled, and policies are in “block” mode.
  • Verify your EDR / XDR solution is deployed throughout the network, specifically on your internet-facing entities and critical servers. Make sure it is updated with the latest Yara rules and signatures.
  • On a Windows environment, enable the Controlled Folder Access (CFA) feature of Microsoft Defender (managed through Microsoft Defender for Endpoint) to prevent MBR/VBR modification.
  • Confirm your monitoring capabilities are operational. Verify critical assets are monitored and privileged users receive specific monitoring rules.
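Two of the checks above (successful remote-access logins that never passed MFA, and brute-force attempts against the same interface) are easy to automate once the VPN or gateway logs are exported. The following is an added example, not part of the advisory: the key=value log format is hypothetical, the log lines are constructed, and the brute-force threshold and window are arbitrary starting points to tune against your own baseline.

```python
"""Review remote-access authentication logs for single-factor logins and brute force.

Added example, not from the advisory. The log format and the sample lines
are constructed; adapt parse_auth_log() to your gateway's export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_AUTH_LOG = """2022-05-20T08:01:12Z user=j.doe src=203.0.113.10 result=success mfa=push
2022-05-20T08:03:44Z user=svc-legacy src=198.51.100.7 result=success mfa=none
2022-05-20T08:04:01Z user=admin src=192.0.2.55 result=failure mfa=none
2022-05-20T08:04:03Z user=admin src=192.0.2.55 result=failure mfa=none
2022-05-20T08:04:05Z user=admin src=192.0.2.55 result=failure mfa=none
2022-05-20T08:04:07Z user=admin src=192.0.2.55 result=failure mfa=none
2022-05-20T08:04:09Z user=admin src=192.0.2.55 result=failure mfa=none
2022-05-20T08:04:11Z user=admin src=192.0.2.55 result=failure mfa=none
2022-05-20T09:10:00Z user=m.ross src=203.0.113.44 result=success mfa=totp
2022-05-20T17:55:30Z user=svc-legacy src=198.51.100.7 result=success mfa=none
"""


def parse_auth_log(text):
    """Parse '<timestamp> key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def single_factor_logins(events):
    """Accounts that completed remote-access authentication with no MFA at all:
    the ones to disable, or to force into MFA enrollment, first."""
    return sorted({e["user"] for e in events if e["result"] == "success" and e["mfa"] == "none"})


def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failed attempts inside any sliding `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["src"]].append(e["ts"])
    flagged = []
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(src)
                break
    return sorted(flagged)


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    print("single-factor accounts:", single_factor_logins(events))
    print("brute-force sources:   ", brute_force_sources(events))
```

A service account that logs in daily without MFA is exactly the kind of account the later updates in this post describe being abused; treat every name in the first list as a finding, not as a known exception, until someone can explain why it is there.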

Websites:

  1. Make sure your sites’ infrastructure is up to date with the latest patches. If you’re using WordPress, make sure plugins and themes are updated as well.
  2. After you’re done updating, scan your site for vulnerabilities to verify nothing was missed.
  3. Make sure your WAF service/appliance is updated with the latest signatures. If possible, enable geo-location and restrict traffic to valid locations.
  4. Verify your sites’ backup. If need be, backup your site ASAP and keep it in a secure location.
  5. Verify your Anti-DDOS configuration. Make sure your site is under protection.
  6. Monitor your sites for suspicious behavior. Instruct your analysts to be on high alert.
  7. We recommend conducting proactive threat hunting activities to find malicious activity on the website/web servers.

 

30.03 Update

Background

The following document is the fifth to be published by CYE regarding the cyber aspects of the Russian-Ukrainian war which started on February 24th.

The purpose of this document is to present CYE's analysis of the geo-cyber situation, provide IOCs we found relevant for you to implement in your systems, and provide recommendations for strengthening your networks according to the attackers' TTPs.

CYE's team continues to monitor and analyze Russian cyber activities in the war with Ukraine. Our understanding and findings at this point are that Russia continues its cyberattacks on Ukrainian targets. At the same time, Russia seems to be preparing to execute more significant cyberattacks on the US and the West.

In addition to what we have seen and published so far, in the last few days we noticed that many in the US cyber community, including the Biden administration, are focused on sending high-priority alerts to US critical infrastructure companies about possible Russian cyberattacks that might occur soon. There is also a specific alert about a ransomware group called "AvosLocker".

Strategic Geo-Cyber situation

Timeline of the Russian cyber threat as the war in Ukraine advances:

 

Tension between the US and Russia has been rising since the beginning of the war. We have assessed that as it continues to grow, Russia's retaliation would take the form of significant cyberattacks against American and Western targets. In a dangerous turn of events, this might even lead to the activation of "red buttons" in critical infrastructure that Russia put in place years earlier (see "U.S. Accuses 4 Russians of Hacking Infrastructure, Including Nuclear Plant", The New York Times).

Also, Russia might decide to follow through and act against the executive branch of companies upholding international sanctions or commencing boycotts. CYE’s Head of Projects and Executive Solutions explained thoroughly the motives and potential threats in a briefing on the matter (When It Comes To Executive Security, The Cyber And Physical Realms Must Merge – IBTimes).

During the last week, US authorities published several alerts about possible Russian cyberattacks on American critical national infrastructure companies, mainly in the energy and financial sectors. One alert even mentioned that Russian hackers conducted reconnaissance against several US companies by scanning their websites. This activity may be a preparatory step toward attacking these companies (their names were not published).

In addition, the FBI published an alert about a Ransomware-as-a-Service group called AvosLocker. It is an independent group with no attribution. However, as seen before (and published by CYE on March 9th), independent groups might join forces with Russia to execute attacks against the West; this both extends Russia's capabilities and gives it a wide range of deniability when such attacks happen.

Known IOCs relevant to AvosLocker

(Full FBI alert can be found here)

The following IOCs are in addition to the IOCs sent on February 26th, March 9th, March 14th, and March 21st

Encryption and the ransom demand

AvosLocker ransomware creates a mutex object as an infection marker so that it does not infect a system twice. Before encrypting, it maps accessible drives and enumerates the files in their directories. It then encrypts files and drops a ransom note named "GET_YOUR_FILES_BACK.txt" in every directory. Encrypted files may carry the extension ".avos", ".avos2" or "AvosLinux". The note directs victims to an onion site reachable via the Tor Browser, where they are prompted to enter the ID provided in the note.

Note: look for the .txt note and the file extensions (".avos", ".avos2" or "AvosLinux") as indications that a server has been encrypted, and monitor for their appearance as an early sign that you may be under a ransomware attack.

Persistence and associated tools

Persistence mechanisms on the victim’s infected computer/server include the modification of Windows Registry ‘Run’ keys and the use of scheduled tasks.

Other tools observed in AvosLocker ransomware attacks:

  • Cobalt Strike
  • Encoded PowerShell scripts
  • PuTTY Secure Copy client tool “pscp.exe”
  • Rclone
  • AnyDesk
  • Scanner
  • Advanced IP Scanner
  • WinLister

Vulnerabilities

Microsoft Exchange Server vulnerabilities are a likely intrusion vector. There are reports of the use of specific vulnerabilities: the ProxyShell chain, CVE-2021-31207 (Microsoft Exchange Server Security Feature Bypass Vulnerability), CVE-2021-34523 (Microsoft Exchange Server Elevation of Privilege Vulnerability) and CVE-2021-34473 (Microsoft Exchange Server Remote Code Execution Vulnerability), and the ProxyLogon vulnerability CVE-2021-26855 (Microsoft Exchange Server Remote Code Execution Vulnerability). All four were patched in 2021, so an unpatched, internet-facing Exchange server should be treated as already compromised until proven otherwise.

Recommendations

In correlation with our assessments, we remind you of our latest recommendations for you to take:

General recommendations:

  • Put the SOC on high alert.
  • Prepare IR teams for fast response in case of an incident.

Vulnerabilities and IOCs:

  • Make sure multi-factor authentication (MFA) is enabled on the remote access interfaces and administration interfaces.
  • Review all authentication activity for remote access infrastructure. Identify and disable accounts with single-factor authentication.
  • Review your IdP (identity provider) for dormant accounts and disable them. Should your external interfaces use a separate IdP (such as local users on a VPN interface), make sure to review them as well.
  • Consider changing your privileged users’ passwords. Review your IdP for recently added privileged users and verify they are legitimate.
  • Monitor your incoming connections for suspicious activity e.g., authenticated accounts without MFA requirements, password brute-force attack, unusual IP location, etc.
  • Run a vulnerability scan on your internet-facing devices and critical infrastructure. Identify vulnerable entities and take action to patch them ASAP.
  • Verify your critical systems & data are backed up. Make sure your backups are detached from your networks (i.e., storage device, cloud location) or are saved in an offline manner. If possible, perform a restore operation to verify the backup system is in order.
  • Use the attached indicators of compromise (IOC) to investigate whether they exist in your environment. If found, address it immediately.
  • Verify your email protection features are enabled, and policies are in “block” mode.
  • Verify your EDR / XDR solution and AV are deployed throughout the network, specifically on your internet-facing entities and critical servers. Make sure they are updated with the latest YARA rules and signatures.
  • On a Windows environment, enable the Controlled Folder Access (CFA) feature of Microsoft Defender (managed through Microsoft Defender for Endpoint) to prevent MBR/VBR modification.
  • Confirm your monitoring capabilities are operational. Verify critical assets are monitored and privileged users receive specific monitoring rules.

Websites:

  1. Make sure your sites’ infrastructure is up to date with the latest patches. If you’re using WordPress, make sure plugins and themes are updated as well.
  2. After you’re done updating, scan your site for vulnerabilities to verify nothing was missed.
  3. Make sure your WAF service/appliance is updated with the latest signatures. If possible, enable geo-location and restrict traffic to valid locations.
  4. Verify your sites’ backup. If need be, backup your site ASAP and keep it in a secure location.
  5. Verify your Anti-DDOS configuration. Make sure your site is under protection.
  6. Monitor your sites for suspicious behavior. Instruct your analysts to be on high alert.
  7. We recommend conducting proactive threat hunting activities to find malicious activity on the website/web servers.

 

21.03 Update

Background

The following document is the fourth to be published by CYE regarding the cyber aspects of the Russian-Ukrainian war which started on February 24th.

The purpose of this document is to present CYE’s analysis of the geo-cyber situation and provide you with IOCs we found to be relevant to implement in your systems as well as provide you with recommendations for strengthening your networks according to the TTPs of the attackers.

CYE's teams continue to monitor and analyze Russian cyber activities in the war with Ukraine. Our understanding and findings at this point are that Russia is applying some of its cyberattack capabilities against Ukrainian targets.

In addition to what we have seen and published so far, in the last few days we noticed that Russian attacks have focused on the following vector:

  • Exploitation of default MFA protocols combined with the known "PrintNightmare" vulnerability (CVE-2021-34527).

Strategic Geo-Cyber situation

Timeline of the Russian cyber threat as the war in Ukraine advances:

At the beginning of the war, we assessed that Russia might conduct CNI attacks against Western targets, mainly in the form of website defacements. Our understanding at this stage is that Russia has conducted, and still conducts, CNI attacks against Western targets using ransomware. However, we have not yet seen full-capability cyberattacks by Russia. We assess that most of Russia's offensive cyber capability is focused on supporting the kinetic war, that is, attacking Ukrainian targets to gain military achievements.

Still, given the rising tensions between the West, mainly the US, and Russia, our assessment is that as the war continues these tensions will translate into Russian cyberattacks against Western targets for CNA purposes, based on possible "red buttons" that Russian hackers have around the world.

Currently we see Russian APTs using a Windows vulnerability that was published and patched in July 2021:

  • Russian APTs have gained access to networks by exploiting default MFA protocols together with the PrintNightmare vulnerability, starting as early as May 2021 and targeting mainly NGOs around the world. PrintNightmare is a critical Windows Print Spooler vulnerability (CVE-2021-34527) that allows arbitrary code execution with SYSTEM privileges. In one case the attack targeted an NGO using Cisco's Duo MFA. The actors logged in with compromised credentials of a dormant account that Duo had un-enrolled for inactivity but that was still enabled in Active Directory, enrolled their own device (which Duo's default settings allowed for such accounts), escalated privileges with PrintNightmare, and then redirected Duo's API hostname to localhost in the hosts file so that the MFA check failed open. This gave them access to cloud and email accounts for document exfiltration. (Please see CISA's full warning.)

Known Russian IOCs relevant to these attacks

The following IOCs are in addition to the IOCs sent on February 26th, March 9th, and March 14th.

Processes

  • Ping[.]exe – frequently used by actors for network discovery.
  • Regedit[.]exe – A standard Windows executable file that opens the built-in registry editor.
  • Rar[.]exe – A data compression, encryption, and archiving tool.
  • Ntdsutil[.]exe – possibly used to enumerate Active Directory user accounts (the same tool can also dump the NTDS.dit database).
  • In addition, the actors modified the c:\windows\system32\drivers\etc\hosts file to prevent communication with the Duo MFA server: 127.0.0.1 api-<redacted>.duosecurity.com
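The hosts-file modification above is cheap to hunt for, and the same check catches any attempt to sinkhole a security vendor's endpoint. The following is an added example, not part of the advisory: it parses a hosts file, flags any entry that pins a watched vendor hostname (whatever address it points at, since a legitimate hosts entry for an MFA cloud API is not expected), and separately flags any non-localhost name mapped to a loopback or unspecified address. The sample hosts file is constructed; the duosecurity.com suffix comes from the indicator above, while the second watched suffix is a hypothetical placeholder for your own EDR or MFA vendor.

```python
"""Detect hosts-file entries that black-hole an MFA or security vendor.

Added example, not from the advisory. SAMPLE_HOSTS is constructed; the
duosecurity.com suffix is the indicator above, example-edr-vendor.com is a
hypothetical placeholder for any other vendor you depend on.
"""
import ipaddress

# Hostname suffixes a defender never expects to see pinned in a hosts file.
WATCHED_SUFFIXES = ("duosecurity.com", "example-edr-vendor.com")

SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.20.30.40     build01.corp.local
127.0.0.1       api-1234abcd.duosecurity.com   # added by the intruder
0.0.0.0         telemetry.example-edr-vendor.com
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments, blank lines and aliases' case."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:
            entries.append((parts[0], host.lower()))
    return entries


def is_sinkhole(ip):
    """True for loopback (127.0.0.0/8, ::1) and unspecified (0.0.0.0, ::) addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def suspicious_entries(text, watched=WATCHED_SUFFIXES):
    """Return (ip, hostname, reason) for every entry worth an analyst's attention."""
    findings = []
    for ip, host in parse_hosts(text):
        if any(host == s or host.endswith("." + s) for s in watched):
            findings.append((ip, host, "watched-vendor-override"))
        elif is_sinkhole(ip) and host not in ("localhost", "localhost.localdomain"):
            findings.append((ip, host, "sinkholed-name"))
    return findings


if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print("%-12s %-40s %s" % finding)
```

On Windows the file to feed in is C:\Windows\System32\drivers\etc\hosts; read it with the same routine from your EDR's live-response console or a scheduled collection job, and alert on any change to it as well, since the attacker only needs it in place for the few seconds it takes MFA to fail open.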

IPs

  • 45.32.137[.]94
  • 191.96.121[.]162
  • 173.239.198[.]46
  • 157.230.81[.]39

Recommendations

In correlation with our assessments, we remind you of our latest recommendations for you to take:

General recommendations:

  • Put the SOC on high alert.
  • Prepare IR teams for fast response in case of an incident.

Vulnerabilities and IOCs:

  • Make sure multi-factor authentication (MFA) is enabled on the remote access interfaces and administration interfaces.
  • Review all authentication activity for remote access infrastructure. Identify and disable accounts with single-factor authentication.
  • Review your IdP (identity provider) for dormant accounts and disable them. Should your external interfaces use a separate IdP (such as local users on a VPN interface), make sure to review them as well.
  • Monitor your incoming connections for suspicious activity e.g., authenticated accounts without MFA requirements, password brute-force attack, unusual IP location, etc.
  • Run a vulnerability scan on your internet-facing devices and critical infrastructure. Identify vulnerable entities and take action to patch them ASAP.
  • Verify your critical systems are backed up. Make sure your backups are detached from your networks or are saved in an offline manner. If possible, perform a restore operation to verify the backup system is in order.
  • Use the attached indicators of compromise (IOC) to investigate whether they exist in your environment. If found, address it immediately.
  • Verify your email protection features are enabled, and policies are in “block” mode.
  • Verify your EDR / XDR solution is deployed throughout the network specifically on your internet-facing entities and critical servers. Make sure it is updated with the latest Yara rules and signatures.
  • On a Windows environment, enable the Controlled Folder Access (CFA) feature of Microsoft Defender (managed through Microsoft Defender for Endpoint) to prevent MBR/VBR modification.
  • Confirm your monitoring capabilities are operational. Verify critical assets are monitored and privileged users receive specific monitoring rules.

Websites:

  1. Make sure your sites’ infrastructure is up to date with the latest patches. If you’re using WordPress, make sure plugins and themes are updated as well.
  2. After you’re done updating, scan your site for vulnerabilities to verify nothing was missed.
  3. Make sure your WAF service/appliance is updated with the latest signatures. If possible, enable geo-location and restrict traffic to valid locations.
  4. Verify your sites’ backup. If need be, backup your site ASAP and keep it in a secure location.
  5. Verify your Anti-DDOS configuration. Make sure your site is under protection.
  6. Monitor your sites for suspicious behavior. Instruct your analysts to be on high alert.
  7. We recommend conducting proactive threat hunting activities to find malicious activity on the website/web servers.

 

16.03 Update

Background

The following is the third document published by CYE’s team regarding the cybersecurity state of affairs relating to the Russian-Ukrainian war which started on February 24th.

The purpose of this document is to present CYE's analysis of the geo-cyber situation, provide IOCs we found relevant for you to implement in your systems, and provide recommendations for strengthening your networks according to the attackers' TTPs.

CYE's teams continue to monitor and analyze Russian cyber activities in the war with Ukraine. Our understanding and findings at this point are that Russia is applying some of its cyberattack capabilities against Ukrainian targets.

In addition to what we have seen and published up till today, in the last few days, we noticed that the Russian attacks are focused on two main vectors:

  • Phishing emails against Ukrainian targets
  • RagnarLocker Ransomware against western targets

We also assess that in the near future we might see cyber campaigns against the executives of companies that have either complied with international sanctions or taken a stand of their own against Russia. This has implications for the threat assessment and preparation that organizations should undertake.

Strategic Geo-Cyber situation

As the Russia-Ukraine war continues, Russian cyber warfare outside Ukraine is still keeping a "low profile". Lately, however, we have seen the first indications of Russian cyber activity against the West in the form of the "RagnarLocker" ransomware. We expect Russian cyberattacks against Western targets to increase. Since Russia is not interested in a war with the West, we assess that cyberattacks against Western entities will be its strategy for retaliating against sanctions, support for Ukraine and other anti-Russia activity.

Currently, we are seeing Russian cyber activities in two additional vectors:

  • Phishing emails against Ukrainian targets
  • RagnarLocker ransomware against Western targets. The FBI first became aware of RagnarLocker in April 2020. As of January 2022, the FBI had identified around 50 entities across 10 critical infrastructure sectors affected by RagnarLocker, including entities in the critical manufacturing, energy, financial services, government and information technology sectors. RagnarLocker is identified by the file extension ".RGNR_<ID>", where <ID> is a hash of the computer's NETBIOS name. The actors, identifying themselves as "RAGNAR_LOCKER", leave a .txt ransom note with instructions on how to pay the ransom and decrypt the data. RagnarLocker uses VMProtect, UPX and custom packing algorithms, and deploys inside an attacker-supplied custom Windows XP virtual machine on the target's site. It uses the Windows API GetLocaleInfoW to identify the location of the infected machine and avoid certain countries. (You can view the full FBI report on this ransomware here.)

Since the US and UK imposed sanctions on the Russian oil and gas market, we assess that companies relevant to these domains might be potential targets of Russian hackers.

Known Russian IOCs

The following IOCs are related to tools and attacks conducted by Russian cyber attackers and are in addition to the IOCs sent on February 26th and March 9th.

RagnarLocker

IPs

  • 185.138.164[.]18
  • 185.172.129[.]215
  • 45.144.29[.]2
  • 23.106.122[.]192
  • 45.90.59[.]131
  • 149.28.200[.]140
  • 193.42.36[.]53
  • 45.63.89[.]250
  • 190.211.254[.]181
  • 142.44.236[.]38
  • 37.120.238[.]107
  • 95.216.196[.]181
  • 162.55.38[.]44
  • 116.203.132[.]32
  • 49.12.212[.]231
  • 193.42.39[.]10
  • 193.111.153[.]24
  • 178.32.222[.]98
  • 23.227.202[.]72
  • 159.89.95[.]163
  • 50.201.185[.]11
  • 108.26.193[.]165
  • 108.56.142[.]135
  • 198.12.81[.]56
  • 198.12.127[.]199
  • 45.91.93[.]75
  • 217.25.93[.]106
  • 45.146.164[.]193
  • 89.40.10[.]25
  • 5.45.65[.]52
  • 79.141.160[.]43

Email addresses

Phishing emails

Domain names

  • id-unconfirmeduser[.]frge[.]io
  • hatdfg-rhgreh684[.]frge[.]io
  • ua-consumerpanel[.]frge[.]io
  • consumerspanel[.]frge[.]io
  • accounts[.]secure-ua[.]website
  • i[.]ua-passport[.]top
  • login[.]creditals-email[.]space
  • post[.]mil-gov[.]space
  • verify[.]rambler-profile[.]site

MD5

  • 7b2f41b57b9ab4151eb37ed69db9fdf8

SHA-256

  • 8a7fbafe9f3395272548e5aadeb1af07baeb65d7859e7a1560f580455d7b1fac

SHA-1

  • 2f46a7ed5d7a303c0f25d5e4a18bcbf01ce9af26
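The recommendation to "use the attached indicators of compromise to investigate whether they exist in your environment" is, in practice, a sweep of firewall, DNS and EDR logs for the values above. The following is an added example, not part of the advisory: it takes a handful of the indicators from this post in their defanged form, refangs them, compiles them into bounded patterns (so that 145.144.29.2 does not light up as a hit on 45.144.29[.]2), and runs them over constructed log lines. The log format and the lines are hypothetical; the indicator values are copied from the lists above.

```python
"""Sweep log lines for the defanged indicators published above.

Added example, not from the advisory. DEFANGED_IOCS is a subset of the
indicators in this post; SAMPLE_LOGS and their format are constructed.
"""
import re

DEFANGED_IOCS = {
    "ip": ["45.32.137[.]94", "185.138.164[.]18", "45.144.29[.]2"],
    "domain": ["accounts[.]secure-ua[.]website", "post[.]mil-gov[.]space"],
    "md5": ["7b2f41b57b9ab4151eb37ed69db9fdf8"],
    "sha256": ["8a7fbafe9f3395272548e5aadeb1af07baeb65d7859e7a1560f580455d7b1fac"],
}

SAMPLE_LOGS = [
    "2022-03-15T10:02:11Z fw allow src=10.1.5.22 dst=45.32.137.94 dport=443",
    "2022-03-15T10:02:13Z dns query=accounts.secure-ua.website client=10.1.5.22",
    "2022-03-15T10:03:40Z edr file=C:\\Users\\j.doe\\AppData\\Local\\Temp\\upd.exe md5=7B2F41B57B9AB4151EB37ED69DB9FDF8",
    "2022-03-15T10:04:01Z dns query=mail.corp.local client=10.1.7.9",
    "2022-03-15T10:05:55Z fw allow src=10.1.5.22 dst=145.144.29.2 dport=80",
]


def refang(ioc):
    """Undo the usual defanging: '[.]' -> '.', 'hxxp' -> 'http'."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def compile_iocs(defanged):
    """One case-insensitive regex per indicator type. The lookarounds keep a
    match from starting or ending inside a longer token (e.g. a longer IP)."""
    patterns = {}
    for kind, values in defanged.items():
        alternatives = "|".join(re.escape(refang(v)) for v in values)
        patterns[kind] = re.compile(r"(?<![\w.])(?:%s)(?![\w.])" % alternatives, re.IGNORECASE)
    return patterns


def sweep(lines, defanged=DEFANGED_IOCS):
    """Return (line_number, ioc_type, matched_value) for every hit, in log order."""
    patterns = compile_iocs(defanged)
    hits = []
    for number, line in enumerate(lines, 1):
        for kind, pattern in patterns.items():
            for match in pattern.finditer(line):
                hits.append((number, kind, match.group(0).lower()))
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS):
        print("line %d: %s %s" % hit)
```

Keep the indicators defanged at rest and refang only in memory, so the sweep script itself never trips someone else's detection, and remember that a hit on a hosting-provider IP from the list is a lead to investigate, not proof of compromise on its own.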

Recommendations

In correlation with our assessments, we remind you of our latest recommendations. We are available for any type of consultation our customers need. Please let us know if you have further questions.

General recommendations:

  • Employee awareness for phishing campaigns and possible attack surfaces.
  • Put your SOC on high alert and reevaluate the defense perimeter.
  • Preparation of IR teams for fast response in case of an incident.
  • Map out the executive team that might be high value targets for CNA, CNE and CNI attacks.
  • Analyze and assess the high value assets of the organization and reassess the cyber defense put in place for them including digital services such as email, social networking, cell phone, and pc.

Vulnerabilities and IOCs:

  • Run a vulnerability scan on your internet-facing devices and critical infrastructure. Identify vulnerable entities and take action to patch them ASAP.
  • Verify your critical systems are backed up. Make sure your backups are detached from your networks or are saved in an offline manner. If possible, perform a restore operation in order to verify the backup system is in order.
  • Use the attached indicators of compromise (IOCs) to investigate whether they exist in your environment. If found, address them immediately.
  • Review all authentication activity for remote access infrastructure and look for suspicious abnormalities. Identify and disable accounts with single-factor authentication.
  • Make sure multi-factor authentication (MFA) is enabled on the remote access interfaces and administrative interfaces.
  • Verify that your email protection features are enabled and that policies are in “block” mode.
  • Verify your EDR / XDR solution is deployed throughout the network, especially on your internet-facing entities and critical servers. Make sure it is updated with the latest YARA rules and signatures.
  • In a Windows environment, enable the Controlled Folder Access (CFA) feature in Microsoft Defender for Endpoint to prevent MBR/VBR modification.
  • Confirm your monitoring capabilities are operational. Verify critical assets are monitored and privileged users receive specific monitoring rules.
  • Make your employees aware of the current risks and phishing attempts.

Websites:

  1. Make sure your sites’ infrastructure is up to date with the latest patches. If you’re using WordPress, make sure plugins and themes are updated as well.
  2. After you’re done updating, scan your site for vulnerabilities to verify nothing was missed.
  3. Make sure your WAF service/appliance is updated with the latest signatures. If possible, enable geo-location and restrict traffic to valid locations.
  4. Verify your sites’ backup. If need be, backup your site ASAP and keep it in a secure location.
  5. Verify your Anti-DDOS configuration. Make sure your site is under protection.
  6. Monitor your sites for suspicious behavior. Instruct your analysts to be on high alert.
  7. We recommend conducting proactive threat hunting activities in order to find malicious activity on the website/web servers.


09.03 Update

Background

The purpose of this document is to present CYE’s analysis of the geo-cyber situation and provide you with relevant IOCs to implement in your systems. This document also serves to provide you with recommendations for strengthening your networks according to the TTPs of the attackers.

We will continue to update this document as new developments that are relevant to your cyber security are exposed.

CYE’s teams continue to monitor and analyze Russian cyber activities in the war with Ukraine. Our understanding and findings at this point are that Russia is applying some of its cyberattack capabilities against Ukrainian targets.

Thus far, the Russian cyberattacks have focused on several tactics:

  • Wiper malware – In addition to “WhisperGate” and “HermeticWiper”, we have also seen a new malware called Cyclops Blink with which the attacks have been conducted. According to the US and UK authorities, this new malware is attributed to the Sandworm threat actor [which is linked to Russia’s Main Intelligence Directorate (GRU)].
  • DDOS attacks on Ukrainian websites.
  • Ukrainian website cloning to spread the malware.
  • The ransomware-as-a-service group CONTI is acting pro-Russia.

Strategic Geo-Cyber situation

As Russia continues its military campaign against Ukraine, cyber warfare against targets outside Ukraine is expected to grow. Our assessment is that since Russia is not interested in a war with the West, cyber-attacks against Western entities will be its way to retaliate for sanctions, support for Ukraine, and other anti-Russia activities.

We are currently seeing Russian cyber activities in the following areas:

  • Wiper malware – As mentioned above, we have seen the use of “WhisperGate”, “HermeticWiper” and Cyclops Blink. This malware is sophisticated and modular, with basic core functionality. The malware ultimately enables the device to beacon information back to a server, enabling the attacker to download and execute files as desired. In doing so it also widens the attackers’ freedom of movement, as they are able to attack the software while the malware is running. This allows Sandworm to implement additional capability as required. (Please see the US CISA alert on this issue for more information: https://www.cisa.gov/uscert/ncas/alerts/aa22-054a.)
  • A large number of DDoS attacks against numerous Ukrainian websites, including military, government, and banking sites.
  • Website cloning to spread the malware. This is a very effective tool used by Russian attackers.
  • The RaaS group CONTI is in favor of Russia. This well-known and notorious group appears to be a replacement for the Ryuk group. It works for financial gain and provides services to anyone who pays. In the last few days, we saw that the group is acting for Russian purposes (a full explanation regarding this group can be found in TrendMicro’s document).

Following all of the preceding factors, we assess that Russian hackers might execute attacks against Western companies, with a specific focus on those related to governments that have imposed or will impose sanctions on Russia. At this stage, these attacks will probably focus on the defacement of websites, phishing campaigns, and possibly targeted attacks on executives. We do not assess that CNA attacks will be conducted against Western companies at this point; however, as the war situation progresses, we note that more aggressive attacks against the West, including attacks on infrastructure such as gas, energy, and oil, may occur.

Known Russian IOCs

The following IOCs are related to tools and attacks conducted by Russian cyber attackers and are in addition to the IOCs sent on February 26th.

Conti SHA-256

  • 0fd062f86151b9d49d65b8f12c52737600bff8bb3462aba7bf23d820bf4d5518
  • 844cc2551f8bbfd505800bd3d135d93064600a55c45894f89f80b81fea3b0fa1
  • 931e35c0d941d79c9ee11b9e1f114a3917fb520b8a9e920ba7c3c858edd1ae43
  • d21c71a090cd6759efc1f258b4d087e82c281ce65a9d76f20a24857901e694fc
  • d598d3ba492f156725ab5c69aaf882240b7d14ad136ec3a11ca8aed10bde2d05
  • eae876886f19ba384f55778634a35a1d975414e83f22f6111e3e792f706301fe

Conti Hashes

  • 911c16d41f49198482aa4d75054cb0e10b07d68c
  • 3a81355ccfd6d3846fa435b5893ea5cd18e6c9fa
  • a803a4b305415b66f22ed29d08017c286b8cb9ef
  • b9505c86dd3ae120c0be1201e51af44de4266b36
  • 655269c264f7b044d8f406cd980fc00c3b8e21ca
  • 38cd341de09c7d393adf93596b691e7237d0a2e7
  • 6c7b35e36830c1cc613fb08280ee25e5fbba9937
  • 5bf5551cee1635709598c90836733550727245ba
  • 5f27447dcc66c1c4152e23decb47f82c32883080

Decoy ransomware hash

  • f32d791ec9e6385a91b45942c230f52aff1626df

C&C servers of the malware

Payload URL:

  • hxxp://<IP address of deep.deserts.coagula[.]online>/barefooted.cfg<Current Time + 1 second> (e.g. hxxp://10.172.0[.]3/barefooted.cfg2022/02/03%2020:49:31)

Recommendations

In correlation with our assessments, we recommend you take the following actions:

General recommendations:

  • Raise employee awareness of phishing campaigns and possible attack surfaces.
  • Put the SOC on high alert.
  • Prepare IR teams for fast response in case of an incident.

Vulnerabilities and IOCs:

  • Run a vulnerability scan on your internet-facing devices and critical infrastructure. Identify vulnerable entities and take action to patch them ASAP.
  • Verify that your critical systems are backed up. Ensure that your backups are detached from your networks or are saved in an offline manner. (If possible, perform a restore operation in order to verify that the backup system is in order.)
  • Use the attached indicators of compromise (IOCs) to investigate whether they exist in your environment. If found, address them immediately.
  • Review all authentication activity for remote access infrastructure and look for suspicious abnormalities. Identify and disable accounts with single-factor authentication.
  • Make sure multi-factor authentication (MFA) is enabled on the remote access interfaces and administration interfaces.
  • Verify that your email protection features are enabled and that policies are in “block” mode.
  • Verify your EDR / XDR solution is deployed throughout the network, specifically on your internet-facing entities and critical servers. Make sure it is updated with the latest YARA rules and signatures.
  • In a Windows environment, enable the Controlled Folder Access (CFA) feature in Microsoft Defender for Endpoint to prevent MBR/VBR modification.
  • Confirm your monitoring capabilities are operational. Verify critical assets are monitored and privileged users receive specific monitoring rules.
  • Make your employees aware of the current risks and phishing attempts.
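Both this list and the one in the later update above ask you to check whether the attached indicators exist in your environment. The following is an added example, not CYE’s or Hyver’s code, of how a defender can run that check over exported log lines: it refangs the `[.]` and `hxxp` notation the advisory uses, normalizes hash case, and matches IPs, domains, URLs and hashes taken from this advisory’s own lists. The log lines, the internal 10.x hosts and the example.com-style names in them are constructed for the example; nothing here queries a live system.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Indicators copied from this advisory's lists, in the defanged form they were published in.
DEFANGED_IOCS: Dict[str, List[str]] = {
    "ip": ["185.138.164[.]18", "45.144.29[.]2", "5.182[.]211.5"],
    "domain": ["accounts[.]secure-ua[.]website", "post[.]mil-gov[.]space"],
    "url": ["http://5[.]182[.]211.5/rip[.]sh"],
    "hash": [
        "7b2f41b57b9ab4151eb37ed69db9fdf8",                                  # MD5
        "0fd062f86151b9d49d65b8f12c52737600bff8bb3462aba7bf23d820bf4d5518",  # Conti SHA-256
        "f32d791ec9e6385a91b45942c230f52aff1626df",                          # decoy ransomware SHA-1
        "912342F1C840A42F6B74132F8A7C4FFE7D40FB77",                          # HermeticWiper SHA-1, upper case as published
    ],
}


def refang(indicator: str) -> str:
    """Undo the defanging used in the advisory so indicators compare equal to real log content."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxp://", "http://")
                     .replace("hxxps://", "https://"))


def build_ioc_sets(defanged: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Refang every indicator; hashes and domains are case-insensitive, so lower-case them."""
    sets: Dict[str, Set[str]] = {}
    for kind, values in defanged.items():
        refanged = (refang(v) for v in values)
        sets[kind] = {v.lower() if kind in ("hash", "domain") else v for v in refanged}
    return sets


# Extractors for the indicator types the advisory lists. Hash alternation is longest-first
# and word-bounded so a SHA-256 is never reported as an MD5 prefix.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE)


def scan_line(line: str, ioc_sets: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (kind, indicator) for every known indicator found in one log line."""
    hits: List[Tuple[str, str]] = []
    for url in URL_RE.findall(line):
        if url in ioc_sets["url"]:
            hits.append(("url", url))
    for ip in IP_RE.findall(line):
        if ip in ioc_sets["ip"]:
            hits.append(("ip", ip))
    for dom in DOMAIN_RE.findall(line):
        if dom.lower() in ioc_sets["domain"]:
            hits.append(("domain", dom.lower()))
    for h in HASH_RE.findall(line):
        if h.lower() in ioc_sets["hash"]:
            hits.append(("hash", h.lower()))
    return hits


def scan_log(lines: Iterable[str], ioc_sets: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Scan every line and return (line_number, kind, indicator) triples for each match."""
    return [(n, kind, ind)
            for n, line in enumerate(lines, 1)
            for kind, ind in scan_line(line, ioc_sets)]


# Constructed sample log lines for the example (not real telemetry).
SAMPLE_LOGS = [
    "2022-03-14T09:12:01Z firewall allow src=10.20.30.40 dst=185.138.164.18 dport=443",
    "2022-03-14T09:12:07Z dns query client=10.20.30.41 qname=accounts.secure-ua.website type=A",
    "2022-03-14T09:13:55Z edr file_create path=C:\\Users\\jdoe\\a.exe sha256=0fd062f86151b9d49d65b8f12c52737600bff8bb3462aba7bf23d820bf4d5518",
    "2022-03-14T09:14:10Z proxy GET http://5.182.211.5/rip.sh status=200",
    "2022-03-14T09:15:00Z firewall allow src=10.20.30.42 dst=8.8.8.8 dport=53",
    "2022-03-14T09:16:30Z av detect sha1=912342f1c840a42f6b74132f8a7c4ffe7d40fb77 name=Win32/KillDisk.NCV",
]

IOC_SETS = build_ioc_sets(DEFANGED_IOCS)

if __name__ == "__main__":
    for n, kind, ind in scan_log(SAMPLE_LOGS, IOC_SETS):
        print(f"line {n}: {kind} match {ind}")
```

Feed it the output of your firewall, DNS, proxy and EDR exports one line at a time; the refang step is what makes a copied-and-pasted advisory list usable without hand-editing, and the case normalization matters because vendors publish hashes in both cases.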

Websites:

  1. Make sure your sites’ infrastructure is up to date with the latest patches. If you’re using WordPress, make sure plugins and themes are updated as well.
  2. After you’re done updating, scan your site for vulnerabilities to verify nothing was missed.
  3. Make sure your WAF service/appliance is updated with the latest signatures. If possible, enable geo-location and restrict traffic to valid locations.
  4. Verify your sites’ backup. If need be, backup your site ASAP and keep it in a secure location.
  5. Verify your Anti-DDOS configuration. Make sure your site is under protection.
  6. Monitor your sites for suspicious behavior. Instruct your analysts to be on high alert.
  7. We recommend conducting proactive threat hunting activities in order to find malicious activity on the website/web servers.


25.02 Update

Background

CYE’s teams have been monitoring and analyzing Russian cyber activities in the war with Ukraine for three weeks. As part of this work, we understand that there is a possibility that companies outside the direct conflict will suffer from Russian cyberattacks, for different reasons.

As part of our readiness process, we would like to provide you with some updated IOCs of known Russian tools. We highly recommend that you implement active monitoring of these IOCs in your networks.

Known Russian IOCs

The following IOCs are related to tools and attacks conducted by the Russian APTs during the last two weeks.

Files used after the “Katana” DDoS attack on a Windows file system

  • 978672b911f0b1e529c9cf0bca824d3d3908606d0545a5ebbeb6c4726489a2ed (SHA-256)
  • 82c426d9b8843f279ab9d5d2613ae874d0c359c483658d01e92cc5ac68f6ebcf (SHA-256)
  • 7504ac78e531762756e8ca8e94adc71fa2179104 (SHA-1)
  • db8cc8adc726c3567b639c84ecf41aa5 (MD5)

Master Boot Record (MBR) wiper, destructive malware targeting Windows systems

(See Microsoft Warns of Destructive Malware Targeting Ukrainian Organizations | CISA for more details)

  • a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 (SHA-256)
  • dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 (SHA-256)
  • cmd.exe /Q /c start c:\stage1.exe 1> \\127.0.0.1\ADMIN$\__[TIMESTAMP] 2>&1 (command line)
  • http://5[.]182[.]211.5/rip[.]sh (URL)
  • 5.182[.]211.5 (IP)

IOCs of Cyclops Blink (part of the VPNFilter malware)

(See the full malware report, Cyclops-Blink-Malware-Analysis-Report.pdf (ncsc.gov.uk), including IOCs and YARA signatures.)

IOCs

Path:

  • /usr/bin/cpd
    Path location of Cyclops Blink executable
  • /pending/bin/install_upgrade
    Path location to backed-up legitimate install_upgrade executable
  • /var/tmp/a.tmp
    Default path location for downloaded files

Filename:

  • rootfs_cfg
    Name of file used to persist C2 server IP addresses on the device filesystem

C2 server IP addresses:

  • 100.43[.]220.234
  • 96.80[.]68.193
  • 188.152[.]254.170
  • 208.81[.]37.50
  • 70.62[.]153.174
  • 2.230[.]110.137
  • 90.63[.]245.175
  • 212.103[.]208.182
  • 50.255[.]126.65
  • 78.134[.]89.167
  • 81.4[.]177.118
  • 24.199[.]247.222
  • 37.99[.]163.162
  • 37.71[.]147.186
  • 105.159[.]248.137
  • 80.155[.]38.210
  • 217.57[.]80.18
  • 151.0[.]169.250
  • 212.202[.]147.10
  • 212.234[.]179.113
  • 185.82[.]169.99

The following IOCs relate to HermeticWiper

See detailed report: HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine – SentinelOne

  • 912342F1C840A42F6B74132F8A7C4FFE7D40FB77
  • 61B25D11392172E587D8DA3045812A66C3385451
  • Win32/KillDisk[.NCV] trojan
Lapsus$ Attack on OKTA – Analysis and Recommendations https://cyesec.com/blog/lapsus-attack-on-okta-analysis-and-recommendations https://cyesec.com/blog/lapsus-attack-on-okta-analysis-and-recommendations#respond Wed, 23 Mar 2022 07:05:48 +0000 CYE Critical Cyber Operations Group https://cyesec.com/?p=3179

Background

Since the morning of March 22, a few publications have appeared regarding an attack by the Lapsus$ group on OKTA. The publications detailed the attackers’ intention to gain information about OKTA’s customers. The Lapsus$ group is relatively new and is known for its particular attack method, in which it pays insiders in big companies in exchange for credentials and VPN access to those companies. Once the relevant credentials are received, Lapsus$ essentially has full and legitimate control over the network as well as access to the customers. It is extremely important to emphasize that the group runs a Telegram channel, as well as private chats on Telegram, to offer for and recruit candidates to use in its attacks. According to OKTA officials, this attack was conducted in January.

At this point, we don’t see a connection to state-sponsored support for this attack group. However, we cannot be 100% certain at this point that there isn’t a state-sponsored component.

The purpose of this document is to present CYE’s analysis of the abovementioned attack and provide you with recommendations for strengthening your networks accordingly.

CYE’s CTI team continues to monitor and analyze the attacking group as well as the incident at OKTA. The extent of the incident is still undefined, and it is possible that it is not yet completely contained. In the meantime, companies should prepare for the worst possible outcome. In addition, our DFIR teams are on high alert and ready to engage and support wherever necessary, 24/7. For your use, we are attaching our recommendations on readiness and procedures, narrowing the attack surface, monitoring, and IdP replacement.

Recommendations

Readiness & procedures

  1. Since the extent of the breach is unknown, we advise preparing for the worst and having a playbook ready for such an event. Refresh managerial awareness of incidents like this: the dangers of an inside job and its implications.
  2. Conduct a proactive CTI effort for early warning and detection of campaigns against the company and its subsidiaries to help accurately assess your cyber risk and potential incidents.
  3. Make the necessary preparations to conduct an IR operation including Threat Hunting, Crisis Management, Identification, Containment, and Eradication procedures to reduce the risk of cyberattacks in their preliminary stages. Also, be ready for threat hunting activities in the company’s environment if indeed you are breached.

The approach for handling this delicate situation should be divided into three efforts: narrowing attack surfaces, monitoring, and an IdP replacement plan. The latter will be put to use only if Okta is completely compromised and an IdP.

Narrowing Attack Surface

  1. Consider changing user and API passwords, as well as the Okta administrator users. In case Lapsus$ access to Okta no longer exists, their previously obtained credentials will no longer be valid after the password change.
  2. Identify the top critical assets that are using Okta.
  3. Consider placing a bastion host in front of critical assets. Access to it will be performed with local users with MFA, or any other authentication method other than Okta. Additionally, access to the critical systems will have to be restricted to the bastion host.
  4. If possible, enable IP whitelisting on any apps that support it, allowing only incoming connections from your network or known IPs (for internal apps, SaaS, etc.).
  5. If your remote-access method uses Okta, consider changing it. Make sure the MFA requirement is enabled.

Monitoring

  1. Review Okta Administrator panel logs and identify suspicious logins. Create an alert for any login and examine it.
  2. Create an alert for suspicious application logins e.g., IP geolocation, unusual source host, etc.
  3. Create an alert for abnormal API calls e.g., quantity, behavior, request source, etc.
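The three monitoring items above (alert on every admin-panel login, flag application logins from unusual geolocations or source hosts, flag abnormal API-call volume) map onto three rules over the identity provider’s event stream. The following is an added example, not CYE’s or Okta’s code, implementing those rules over constructed records whose field layout (eventType, actor, client.geographicalContext, outcome, published) is modelled on Okta System Log JSON; the event types `user.session.access_admin_app`, `user.session.start` and `system.api_token.create` are real Okta event types, while the accounts, IP addresses, two-letter country codes and per-account baseline countries are assumptions made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Rule parameters. Admin console access is always worth a look (item 1); normal logins are
# checked against a per-account geo baseline (item 2); any actor producing more than
# RATE_THRESHOLD events inside RATE_WINDOW is reported (item 3).
ADMIN_EVENTS = {"user.session.access_admin_app"}
LOGIN_EVENTS = {"user.session.start"}
RATE_WINDOW = timedelta(seconds=60)
RATE_THRESHOLD = 5

# Constructed baseline (assumption for the example): countries each account normally logs in from.
BASELINE_COUNTRIES: Dict[str, Set[str]] = {
    "alice@example.com": {"IL"},
    "svc-api@example.com": {"IL"},
}


def _event(published: str, actor: str, etype: str, ip: str, country: str, result: str = "SUCCESS") -> dict:
    """Build a constructed record laid out like an Okta System Log entry (not a real log)."""
    return {
        "published": published,
        "eventType": etype,
        "actor": {"alternateId": actor, "type": "User"},
        "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
        "outcome": {"result": result},
    }


# Constructed sample stream: a normal login, a login from an unseen country followed by admin
# console access, and a burst of API-token creations by a service account.
SAMPLE_EVENTS: List[dict] = [
    _event("2022-03-22T10:00:00+00:00", "alice@example.com", "user.session.start", "203.0.113.10", "IL"),
    _event("2022-03-22T10:01:00+00:00", "alice@example.com", "user.session.start", "198.51.100.7", "BR"),
    _event("2022-03-22T10:01:30+00:00", "alice@example.com", "user.session.access_admin_app", "198.51.100.7", "BR"),
] + [
    _event(f"2022-03-22T10:05:{sec:02d}+00:00", "svc-api@example.com", "system.api_token.create", "203.0.113.20", "IL")
    for sec in range(0, 60, 10)
]


def detect(events: List[dict], baseline: Dict[str, Set[str]],
           rate_threshold: int = RATE_THRESHOLD, window: timedelta = RATE_WINDOW) -> List[Tuple[str, str, str]]:
    """Return (rule, actor, detail) alerts for admin access, out-of-baseline logins and event bursts."""
    alerts: List[Tuple[str, str, str]] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # sliding window of timestamps per actor

    for ev in sorted(events, key=lambda e: e["published"]):
        actor = ev["actor"]["alternateId"]
        etype = ev["eventType"]
        ip = ev["client"]["ipAddress"]
        country = ev["client"]["geographicalContext"]["country"]
        ts = datetime.fromisoformat(ev["published"])

        if etype in ADMIN_EVENTS:
            alerts.append(("admin_console_access", actor, f"{etype} from {ip} ({country})"))

        if (etype in LOGIN_EVENTS and ev["outcome"]["result"] == "SUCCESS"
                and country not in baseline.get(actor, set())):
            alerts.append(("login_from_new_country", actor, f"{country} via {ip}"))

        q = recent[actor]
        q.append(ts)
        while ts - q[0] > window:          # evict timestamps that fell out of the window
            q.popleft()
        if len(q) == rate_threshold + 1:   # fire once, when the threshold is first crossed
            alerts.append(("abnormal_event_rate", actor,
                           f"{len(q)} {etype} events in {int(window.total_seconds())}s"))
    return alerts


if __name__ == "__main__":
    for rule, actor, detail in detect(SAMPLE_EVENTS, BASELINE_COUNTRIES):
        print(f"[{rule}] {actor}: {detail}")
```

The baseline is the part you have to own: seed it from a few weeks of known-good logins per account and review changes to it, otherwise the geo rule either fires on every traveler or never at all. The burst rule deliberately fires once per window crossing rather than on every further event, so a single runaway token does not flood the SOC queue.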

IdP Replacement

Map all apps using OKTA. Keep in mind the following:

Customer websites:

  • External interfaces
  • SaaS services – consider disabling SSO with OKTA and moving to local users for sensitive interfaces.

Prepare a plan for migrating to a different IdP. Review vendors, understand what they offer, how the integrations are supposed to work, etc.

Cyber Terrorism is Officially a Component of Warfare https://cyesec.com/blog/cyber-terrorism-is-officially-a-component-of-warfare https://cyesec.com/blog/cyber-terrorism-is-officially-a-component-of-warfare#respond Wed, 16 Mar 2022 12:12:44 +0000 Lionel Sigal https://cyesec.com/?p=3029

In the months prior to Russia firing the first shot at Ukraine, we have been seeing widespread use of cyber warfare as an integral part of the Russian offensive. Through this, we see a rising trend whereby the use of cyber tools against civilians has been exponentially expanding.

One example of this growing trend occurred in 2021, when Iranian hackers broke into Atraf, a popular LGBTQ dating site, and targeted thousands of Israelis. The hackers stole sensitive personal details, including the victims’ sexual orientation and HIV status. Leaking this information could have had devastating consequences for every single one of the victims’ lives. This attack is part of a new and growing movement whereby states are engaging in cyberterrorism. This type of cyberterrorism targets civilian infrastructure and services, endangers lives, and causes fear and panic, just like traditional terrorism. As cyberterrorists can attack remotely, simply with the click of a button, the consequences have the potential to be much more far-reaching than physical attacks such as suicide bombers or missiles.

Cyberterrorism is a new weapon that can be used both daily and in wartime, and it is undoubtedly a new and strong component of modern warfare doctrine. This can be seen not only in the Atraf attack but also in many other cases where countries such as Iran have been blamed for cyberattacks targeting civilians and civilian enterprises. These enterprises include water infrastructure and insurance companies, all of which would result in potentially devastating consequences for countless individuals. This phenomenon was seen again just this past week in Israel, when the Israeli government’s websites were hit by what some have called “the largest ever cyberattack launched against the country”. This cyberattack had the potential to severely disrupt daily proceedings had it not been quickly and adequately addressed. This once again underlines the prominence and danger of cyberattacks in our daily lives.

Further to this, while states have long relied on cyber tools for legitimate uses such as international messaging, the fact that some are now using them to cause fear and possibly physical harm to the general populace means that their actions have explicitly become terroristic. It is therefore also important to note that cyberterrorism is very different from cybercrime. Cybercrime connotes that the attackers are private groups rather than state workers; their motive is also different, as most often their focus is financial gain, achieved either by extracting ransom payments or by acquiring information to sell on the dark web.

It is therefore clear that cyberterrorism is a growing threat throughout all aspects of society and that the stakes involved are extremely high. It has also recently become especially clear that cyber-attacks can be fatal. Some legal experts and surviving family members representing victims of previous cyberattacks have explicitly blamed ransomware attacks on hospitals, including in Germany and the United States, for causing patient deaths. It is therefore apparent that although the parties involved and the motivations behind some of the attacks are sometimes unclear, the repercussions more often than not have the potential to be monumental.

Regulation is needed but is not enough 

In recent years, many governments have increased the funding for departments tasked with preventing cyberterrorism. The United States released a statement saying that this summer it would give investigating ransomware attacks the same priority as investigating terrorism. While this is a good initiative, it is our view that governments also need to dedicate more resources to prevention. The importance of focusing on prevention is heightened because most cyberterrorism threats to the United States and Western countries stem from state-backed actors in countries that also pose the largest military threats, including Iran, China, North Korea, and Russia. Some of the threats, however, are also derived from non-state or lesser-known actors and are therefore highly unpredictable and more difficult to address in the aftermath of an event.

Another growing potential avenue for cyberterrorism is the software supply chain. Software suppliers enable access to high-value targets like utility companies, airports, and police departments. They offer attackers another, indirect route to potentially disrupt or cut off services, which endangers lives. In fact, the hackers who broke into the Atraf dating site did so via the servers of the web hosting company Cyberserve.

Correspondingly, expanding cybersecurity regulations, which are now limited to sectors like government, financial and energy companies, to include all sectors, such as the software supply chain, would help somewhat. Regulations, which are rarely enforced and continuously updated, are not enough on their own, however: all organizations, both big and small, need experts to evaluate and secure their digital assets daily. They also need to keep up with the latest cyber intelligence about new threats and trends to ensure maximum protection.

With all its benefits of deniability, relatively low costs, and the ability to attack from anywhere at any time, as well as the risk of copycat attacks, there is no doubt that the dangers of cyberterrorism to civilians will progressively grow. As the digital realm becomes more ubiquitous in our lives, governments and private companies must stand up to this challenge for the sake of protecting all of society. As seen prior to the outbreak of the war against Ukraine, Russia executed a number of cyberattacks against a variety of Ukrainian targets (government, financial, non-profit, etc.) indiscriminately. Our analysis of the current conflict ultimately highlights that any and every company could be a legitimate target for cyberterrorism activity.

Yet Another Lesson on How Patience is a Virtue https://cyesec.com/blog/yet-another-lesson-on-how-patience-is-a-virtue https://cyesec.com/blog/yet-another-lesson-on-how-patience-is-a-virtue#respond Wed, 16 Mar 2022 12:10:50 +0000 Elad Leon https://cyesec.com/?p=3043

Lately we have learned about yet another campaign run by the APT group Antlion. Presumed to be active since 2011, Antlion is believed to be a government-backed group that has targeted multiple firms in Taiwan in what is presumed to be an espionage campaign. Judging from the concentration on Taiwanese firms and the use of multiple tools, malware, CVEs and in-house tools, we assess that this cannot be the job of just one or two individuals but rather the work of well-built, well-trained groups from China.

Over the course of an attack campaign, Antlion infiltrated financial targets in Taiwan using a custom backdoor called xPack and a few others. The group relied heavily on C++ and EternalBlue exploits following their initial access, which was likely gained through methods such as web application or service exploitation, or through sending malicious emails.

  • EHAGBPSL loader – custom loader written in C++, loaded by the JpgRun loader
  • JpgRun loader – custom loader written in C++; similar to xPack, it reads the decryption key and filename from the command line, decodes the file and executes it
  • CheckID – custom loader written in C++, based on a loader used by BlackHole RAT
  • NetSessionEnum – custom SMB session enumeration tool
  • ENCODE MMC – custom bind/reverse file transfer tool
  • Kerberos golden ticket tool based on the Mimikatz credential stealer

After the initial access, the attackers used custom-built malware and regular malware to execute commands while also installing keyloggers and running Mimikatz, harvesting credentials while using legitimate company technologies such as WMI commands and SMB shares. This wide set of preliminary actions allowed them to gain a firm grip on the network and granted them permission to enter and exit as they pleased. Through this, the attackers were then able to exfiltrate the data whenever they chose whilst simultaneously conducting reconnaissance and prepping for their next exfiltration packages.

The dominant factor to take away from this event is that the hackers (Antlion) were acting quietly and patiently. After infiltrating the network, they were able to operate inside it for over a year, returning from time to time to exfiltrate data and credentials as needed. Our assessment is that an actor like this planned not only on not getting caught but also on a prolonged stay within the firm. An attack like this has the potential to escalate to Computer Network Attack (CNA) activity within the organization, waiting for a command. Therefore, our suggestion for minimizing both your susceptibility and the threat from such malicious conduct by cyber actors is to monitor and limit the use of system tools such as PowerShell and RDP to specific users and only from specific IP addresses. This attack not only highlights the importance of a well-tuned EDR and an up-to-date defense system but also shows the importance of conducting timely threat hunting operations.

The Possible China Taiwan Effect From The Russia Ukraine War https://cyesec.com/blog/the-possible-china-taiwan-effect-from-the-russia-ukraine-war https://cyesec.com/blog/the-possible-china-taiwan-effect-from-the-russia-ukraine-war#respond Wed, 16 Mar 2022 10:51:51 +0000 Elad Leon https://cyesec.com/?p=3037

After months of force build-up, preparations and cyber-attacks, Russia began its special military operation in Ukraine. Throughout the first 10 days of fighting, Russian forces engaged Ukrainian armed forces and civilians in land, sea, and air battles, also opening another front in Belarus. While the conversation surrounding the effectiveness of Russia’s actions is hard to discern, as President Putin’s goals remain unclear, one thing is becoming clearer and clearer. Despite viewing some Ukrainian territories as detached pieces of Russian land, Russia had refrained from retaking charge of them so long as they did not compromise Russia’s national security and/or self-interests.

This “special military operation” has occasioned diplomatic reactions from the West, which has employed diplomatic sanctions rather than counter-military actions from powerful forces such as NATO, the UK, the US, and others. Yet, while these sanctions have made Russia the most sanctioned country in the world to date and will worsen the economic crisis that began with the onset of COVID-19, these actions have no physical counter-military effect. Therefore, despite these assumedly strong actions and stances taken against Russia, there has not been any significant military reaction against the Russian aggression. This level of response might even cancel the deterrent of war that has been instrumental in stopping potential military conflicts in the past.

The reality being formed here, considering the current climate, is especially dangerous. The phrase “the world is watching” is accentuated by the notion that China may finally decide to conduct a similar move and take control of Taiwan in a similar manner to what it did in Hong Kong back in 2020. While China may not have control over energy resources, most of the Western world relies on production and imports from China. Creating sanctions against China similar to those placed on Russia will therefore not only be significantly harder but may even be impossible.

As seen from the onset, Russia initially started to escalate tensions with Ukraine by conducting wiper and DDoS cyber-attacks as well as cyber and spectrum attacks against military assets and entities across the board (commercial, non-profit, government and defense). These attacks severely crippled many Ukrainian companies before the first shot was even fired, and it is our assessment that, given the current sanctions, Russia may choose to retaliate against the West using cyber-attacks. Correspondingly, although the Chinese model for war may be different from Russia’s, the level of penetration by Chinese APTs (Advanced Persistent Threats) in Taiwan is presumed to be extremely high. The potential for conflict between China and Taiwan, like that seen with Russia and Ukraine, is monumental. China’s technical ability and its drive to fulfill its agenda make Taiwan and other states a target for an onslaught of cyberattacks. As noted, China’s influence over the West almost ensures that if Taiwan resists (as it probably will), we will see initial attacks similar to those seen in the current Russian-Ukrainian war: a wide range of cyber-attacks, including spectrum hacks, military capability jamming and so on.

The Russia-Ukraine Cyber Attacks https://cyesec.com/blog/the-russia-ukraine-cyber-attacks https://cyesec.com/blog/the-russia-ukraine-cyber-attacks#respond Wed, 02 Mar 2022 14:05:32 +0000 Elad Leon https://cyesec.com/?p=2995

For months, the world has been aware of Russia’s military build-up near the Ukrainian border and the escalating tensions. To many militaries (including Russia), cyber is another legitimate dimension of warfare, and even a preferred one in many cases. For some years, Russia’s APTs have been known to act against regime targets with social, psychological, and financial attacks in many countries. What we are seeing in Ukraine in recent weeks is consistent with that MO, but it is probably just one part of a cyber campaign being conducted against Ukraine.

From its looks, Russia has decided to engage with Ukraine and is doing so in the cyber domain by attacking multiple government, non-profit, and information technology organizations. Thus, it is highly likely that this malware is in fact Russian, although it has yet to be officially recognized as such. We can say with a fair amount of certainty that if Russia decides to escalate this confrontation, a ground military assault would include more cyber-attacks.

So far, these acts have helped build up tension but are still under the bar for escalation into a kinetic response. Judging from experience with Russia, this attack might very well precede a full military attack – but that is for Russia to decide. In the meantime, governments in Europe and the US are warning of the possible ramifications if these events escalate.

This is not exactly what we would call a novel attack, but it is cunning. The way this attack was conducted indicates that a lot of thought was put into it and, furthermore, that it had been in the works for a long time, allowing the actors to get to know their targeted systems. In our assessment, the goal of this group, given that it is indeed Russian, is to disrupt life in Ukraine in many aspects across the board.

This malware succeeds in doing just that. It not only makes the victims spend time on damage assessment and backup restoration efforts; before it was discovered that the malware had no restoration tool built into it, it might also have sent them on a futile and costly effort to pay the attacker, wasting precious time. Furthermore, the existence of the two stages suggests that this malware was aimed at different types of organizations. For government organizations (which are probably using old operating systems and hardware) that keep data on the cloud or a network drive rather than on the machine, the first stage affects the machine's MBR and thus prevents the PC from completing its boot sequence, taking it out of working order. The second stage corrupts files and is aimed at newer operating systems and hardware (probably in technology organizations) that tend to save files on the machine.

To mitigate threats like this, we recommend that every organization have a Cyber Response Plan (CRP) based on the organization's Advanced Cyber Talents (ACT). This plan should include a baseline assessment to get to know the organization, its threats, and possible attack vectors. Also, use an up-to-date antivirus on your workstations that updates as soon as malware hashes are identified in the wild. We should, however, state that it is relatively easy for a group like this to evade antivirus products, thus resetting the clock on the identification and prevention process, so it is highly recommended to have a behavior-based security system (EDR) to help mitigate the risk. Either way, it is recommended to work with up-to-date operating systems and to use UEFI Secure Boot.

To further lower the risk, conduct proactive measures such as a continued CTI effort to help identify and assess emerging threats and “FIND EVIL” operations within the organization.

The Cyber Chapter of The Russian Playbook In Ukraine
https://cyesec.com/blog/the-cyber-chapter-of-the-russian-playbook-in-ukraine
Tue, 01 Mar 2022 14:10:18 +0000, Elad Leon

Following months of preparation and cyber-attacks, Russia has finally chosen the timing to widen its attack on Ukraine from the cyber domain to a kinetic war. As we assessed in an earlier article published on February 2nd, the escalation of the war initiated by Russia includes multiple continuous cyber-attacks on government and financial assets in Ukraine, and they will probably continue to be a part of this campaign. We have already seen indications of another worrisome possibility: attacks on critical infrastructure such as electricity, water, and hospitals.

As we mentioned before, Russia's APTs are known to have acted against regime targets in social, psychological, and financial attacks in many countries. Now there is no doubt that the attacks that started to surface last month are part of their standard approach to a military campaign. The tools used on Ukrainian assets are just a small example of Russian capabilities.

The first of them (branded WhisperGate) was the alleged ransomware that wasn't really ransomware but rather a two-phase malware designed to either destroy all data on the HDD or render the machine unusable.

Another example, observed the same day the military assault began, is the wiper HermeticWiper, also known as KillDisk.NCV. However, samples of this malware were dated to the end of December, making it clear that these attacks had been in the works for a long time. This wiper abuses legitimate drivers to conduct its destructive actions and in at least one case was launched from a Windows domain controller. We should mention that this attack was coordinated with a massive DDoS attack against several Ukrainian government and banking institutions.

Lastly, we also saw Cyclops Blink, which exploited hundreds of thousands of home and small-business devices and was attributed to the Russian-backed Sandworm hacking group that previously attacked Ukrainian targets.

We cannot be sure that this was Russia's goal from the get-go, but at this point every move we see in the coming days will have a consciousness goal built into it. As these events continue to unfold, we will continue to watch closely and learn from them. Furthermore, as Europe and the United States continue their protests from the outside through (financial) sanctions, the chances that cyber-attacks, with both disruptive tools and defacements, will widen to government and financial entities across the rest of Europe and the United States are pretty high.

We recommend that companies take the following steps:

  • Make sure your sites' infrastructure is up to date with the latest patches. If you're using WordPress, make sure plugins and themes are updated as well.
  • After you're done updating, scan your site for vulnerabilities to verify nothing was missed.
  • Make sure your WAF service/appliance is updated with the latest signatures. If possible, enable geo-location filtering and restrict traffic to valid locations.
  • Verify your sites' backups. If need be, back up your site ASAP and keep the backup in a secure location.
  • Verify your anti-DDoS configuration. Make sure your site is under protection.
  • Monitor your sites for suspicious behavior. Instruct your analysts to be on high alert.

Application Security at Hyper-Growth Companies
https://cyesec.com/blog/application-security-at-hyper-growth-companies
Tue, 22 Feb 2022 11:55:45 +0000, CYE

Security leaders from some of the world's fastest-growing app companies got together in February 2022 at the CYE-hosted webinar to share their experiences keeping apps safe from the exponential rise of cyber risks.

Read their take on protecting apps, enterprises and individuals or watch the recording on demand.

They’re after your data

Sharon Halperin: In most attacks on mobile companies and mobile apps, we’re trying to protect the data.

We can start by looking at the attack surface of the mobile app itself, meaning the phone and the network to which this mobile phone is connecting. However, securing the phones on which the apps run and securing the networks through which they communicate is really out of app developers’ hands for the most part.

More importantly, we must think about the data that the app is actually collecting and processing. That’s what we want to protect the most! Mobile apps can collect different types of information about you. For instance, a mobile app can have your location at all times and could be used for additional monitoring. On the other hand, processed data is not stored on your mobile app, at least not for the long-term. It’s probably stored in a data center or at a cloud provider somewhere.

Depending on what an attacker is after, they’ll use different routes, meaning whether you (as a person) are specifically the target of an attack, or whether they’re trying to attack the company in order to get a hold of a lot of data. Of course, we’re also protecting the app itself, like using secure login (MFA). When there’s an option, we also make sure there’s no data leaks in the app and things like that.

Tomi Tuominen: As an enterprise, you’re mostly interested in existential things – things that could really kill your enterprise completely.

As an enterprise, you’re obviously mostly interested in existential things. After you have identified those, the data usually takes center stage. You want to minimize the attack surface, which might be internet-facing APIs or making sure the requests that reach your API endpoints have actually originated from the phone.

Every time a security boundary is crossed, such as when registering a user, making a purchase or doing some changes, there’s always a risk of fraud. For example, during initial user registration, the app is exposed to things like SMS fraud or text message fraud and you run the risk of spamming random users when you try to validate the email addresses.

The potential gain from a mobile device is mainly the ability to listen to everyone around you.

Rubi Aronashvili: You can see everything that is going on there, and you have the associated GPS that goes along with it. So in general, you have millions of perfect civilian devices deployed throughout the world, and if you’re able to get access to those items, you’re in very good shape.

It’s harder to do, but the impact of a mobile device breach is quite significant.

Are phones harder to breach than computers?

Tomi Tuominen: Your mobile phone is very likely the most secure device that you own. Phones need permissions for each and every app that is installed. Phone owners are alerted when the camera is turned on, when your location is accessed or when your contacts are accessed. Supposedly laptops don’t have that. Your mobile device was designed without the security or technical debts that legacy computer systems have.

Android vs. iOS

Tomi Tuominen: Only one of these companies goes on record saying that privacy is a fundamental human right and I can tell you, it’s not Google who’s saying that.

Android was basically done by the largest ad agency in the world. Whereas iOS (meaning Apple) devices are completely manufactured and controlled by Apple – just because they want to protect their business model.

Mobile devices, especially the ones from Apple, are well-designed. iOS devices have been designed extremely well and they are extremely robust. It’s not because Apple wanted to make the most secure device on the planet. It’s just because they wanted to protect their business model. They’re getting a large percentage of each and every app sold in the App Store. That was their motivation for designing a very, very secure thing.

Rubi Aronashvili: Their architecture is harder to breach than a PC or other computer environments.

We’ve seen multiple attacks against mobile devices.

It's more difficult to extract really beneficial things from mobile devices, but it's not bulletproof.

Is it just harder to breach mobile phones or is it just because there’s just less experience out there doing it?

Sharon Halperin: Yes, mobile devices are newer systems, the architecture is more sophisticated, it’s more tightened down, but it’s good that most of us regularly update our phones right away. We’re all smarter and we’re developing in a smarter way. But we have to remember that our competition and the attackers are also getting better at figuring out how to hack them.

David Bental: We have been seeing some approaches and methodologies that are equivalent to classic ones for attacking mobile devices and laptops. For example, injecting something into a mobile device. Once you're in there, you can use different kinds of approaches, and there are various ways to manipulate private APIs on iOS. But there's another issue. While we've been focusing on static and dynamic analysis, we have been seeing attacks on the hardware itself, meaning on a lower level than the app level.

Supply chain attacks are on the rise

Martin Miller: In our previous webinar with David B. Cross – CISO of SaaS Cloud – Oracle, Nir Tzuk – Founder & CTO – Palo Alto and Cohavit Almagor – Director of Engineering – Google, we discussed how supply-chain attacks are on the rise.

Sharon Halperin: All consumer-facing and non-customer facing companies are heavily dependent on third parties or vendors, which causes that supply chain risk, because it’s really very hard for us to control. Vendors must have access to our environment, so we must do our due diligence of all of our vendors, including our security vendors and understand their security posture before we let them in.

Tomi Tuominen: This whole supply chain thing is already happening, and it is one of the hardest problems out there to solve. I might be a bit biased because I have pretty good visibility into how the Apple App Store works. I think that a large-scale compromise would be very, very difficult to achieve. I mean, if there's one thing that Apple is very good at, it is designing these kinds of things. Maybe Google should ask them how to do it properly.

Sharon Halperin: What’s safe today does not necessarily stay that way – third-party vendor risk is probably the biggest risk we have right now.

We might have tested it to know whether it is safe, but that can change. It can happen that they were injected with malware, and that malware was then inserted into system updates that we all downloaded.

None of us can develop any product without being reliant on vendors and third parties.

We need their help to produce our products. That’s the reality that we live in today. And that is why I think that third-party vendor risk is probably, the biggest risk we have right now.

David Bental: I agree. If an attacker wants to run a simple recon on a target or to target a specific enterprise company, no matter what size, all they need to do is to go to their privacy policy and check their sub-processor list. So they can usually start there. And from that point on, they can basically know the app’s third parties and fourth parties.

How do you prepare for malware inserted into third-party/vendors?

Rubi Aronashvili: The bad news is that if someone is determined enough, if someone has the focus and the determination to do it, as well as the access to the code, then it’s probably possible.

In my previous life working for the government, I can tell you one thing for sure, if you want to add a code snippet into a large source code you can stay under the radar. Even with all the procedures, like static code analysis, dynamic code analysis, manual source code review and managerial review, it is something that is hard to avoid.

Sharon Halperin: Attacking a company is probably an inefficient way for the attacker to get what they want, even if it’s a mobile-app-direct-to-consumer company. Attackers probably want to go to where the data is and not attack the app directly.

Tomi Tuominen: I think that for an attacker, altering the source code is not the best idea to begin with. I mean, if I were an attacker, I would rather use something like post commit hooks on GitHub or just on your Jenkins server. Everybody and their neighbor is running Jenkins or some sort of other CI/CD pipeline.

Hyper-growth creates hyper risks

Rubi Aronashvili: When you start to grow, the attack surface grows as well.

Initially, as a small startup, the only consideration is the business and nothing else is important. But when you start to grow, the attack surface starts to grow as well. When you have more people, you have more assets to protect and not everything is black and white.

The key to handling security during growth is visibility

Companies must know what they have and what is at risk, make smart decisions about prioritizing mitigation, and then maintain that over time.

In cybersecurity, you will hear that everything is important and everything is critical and everything needs to be done now – monitoring, and incident response and everything. Everything might be important, but you can’t do everything at the same time. You have to prioritize.

Sharon Halperin: Cybersecurity must be a business enabler and not a business blocker.

Rubi Aronashvili: At CYE, we see some very absurd cases where companies have no cybersecurity, then they add cybersecurity professionals who implement various cybersecurity processes. But then they block the business. Cybersecurity must be a business enabler, not a business blocker. Once your cybersecurity control/concept/capabilities block the business, something is wrong.

Visibility comes first, then understanding the risk, and then prioritization of risk mitigation.

This is a very simple concept and if you don’t follow it, you can get lost very quickly.

Tomi Tuominen: In a modern company, you can’t be a blocker. If you’re going to use your security certification power to block actions, people are going to go like – “Well, that’s a nasty thing to do on your last day of working here!”.

Aim to remediate complete vulnerability classes

If you're joining a company as a VP of security or CSO or something like that, I'll give you one piece of advice: on your first day, delete all the S3 buckets. All the latest compromises have started from these S3 buckets that had confidential information in them.

But to answer a little bit more seriously, I think that the biggest difference between a hyper-growth company and a regular company is that you are not able to concentrate on a single vulnerability or any single bug.

You must take actions that will actually remediate complete vulnerability classes.

David Bental: It’s important right from the start to nurture a very security-aware culture.

As startup/bootstrap/seed level companies grow, this crucial stage must be the start of forming a security-aware culture. People must start separating tasks into domains, so that each person has a responsibility for a specific domain (like IT and security) with its own KPIs and strategies, instead of 10 or 20 people running around doing everything.

Hyper growth means hyper changes – you need to be able to react quickly

Rubi Aronashvili: During hyper growth, things are happening very, very fast. You need to be agile enough to support fast-growing and fast-changing kinds of environments. The old-fashioned approach of let’s plan five years ahead, won’t work.

Sharon Halperin: Developers today need a lot of access. You must be able to run alongside your business and be an enabler. These days we are seeing continuous development and deployments – there’s no breaks in the process. You must constantly be aware of what’s going on and put those rules where they are needed in order to make sure you’re catching things and staying ahead of the latest changes.

Security work is not easy

Sharon Halperin: There’s so much work for the security team to do on so many different channels. We have our compliance channel, because we want to enable the business, we need to look at our assets, we have to have IT security and we need to look at our cloud environment.

There’s risks everywhere. And we don’t want to be crying wolf all the time. So we must strategize and prioritize what we decide to tackle.

David Bental: I always like to say that what happens in this fast paced environment is that “we build the plane while it’s in the air – meantime, the flight attendants are walking around the plane holding trays and serving guests.” In a growth company, initially the security guys usually bump heads with product, because product thinks that too many security processes damage the funnel.

Tomi Tuominen: You need to make sure that everything that you do actually integrates into the developer’s experience without making them change their workflow.

Your job is to offer them the tools and the guidance in a way that it is part of their usual daily workflow.

Sharon Halperin: We must teach them and partner with them in order to increase knowledge and awareness, and to make sure that they are more security minded. Sometimes partnering with the senior staff works better, because they’ve been around the block and understand the value of security and can help us instill awareness in a younger generation of developers.

Tips for growing companies

Individuals

David Bental: Security-minded individuals should go with the basic concept of – something you know and something you have – basic MFA.
Educate yourself and try to understand what it means to agree to an app’s permission requests.

Tomi Tuominen: Handle your personal finances (online banking/payments) on an iPad or iPhone.

Sharon Halperin: Use passwords on your phone and use MFA whenever you can. Don’t ignore security updates!
Get into the habit of deleting apps. Unused apps just increase your attack surface.
Have your own business continuity or disaster recovery plan in case your phone is lost or stolen.

Rubi Aronashvili: Always assume a breach kind of situation when you’re in the shower. If you want to hear music on your phone, at least don’t aim the camera directly at yourself. Once you understand that potentially your phone can be used in a malicious way, you have another layer of defense – the human defense.

Security Professionals

David Bental: We must always stay on top of our game and continually learn, read, sharpen our skills and conduct technical conversations, while communicating and creating awareness in our organizations. Things change quickly.

Tomi Tuominen: Security professionals should adopt the mentality that their job as a security leader is to support the business in any way they can. Their business is to make everybody else succeed and to be pretty damn humble about it.

Sharon Halperin: Have a risk-based vulnerability program that is aimed at finding your security holes and back doors. Find a few trusted red team vendors that you like and rotate them so that you get different findings in different flavors.

Rubi Aronashvili: I really connect with what Tomi said. As a supporting function in the organization, you need to know how to tell them how to do what they want in a secure way.
Choose your cyber security battles, meaning what you are going to do, what you’re going to fix, what you’re going to mitigate and where you’re going to invest.

Log4Shell: Pragmatic Recommendations For CISOs
https://cyesec.com/blog/log4shell-pragmatic-recommendations-for-cisos
Thu, 23 Dec 2021 07:18:17 +0000, Gil Cohen

Everyone has heard of the Log4Shell vulnerability, which affects vulnerable Log4j versions and allows attackers to gain remote code execution (RCE) capabilities.
After working with our customers to mitigate the vulnerability in their networks, we'd like to provide you with complete information and action items that will help you understand the situation and take the appropriate steps.

Although Log4Shell was discovered a week and a half ago, multiple related attacks are still taking place. Just a few days ago, the Belgian Defense Ministry was attacked using Log4Shell. Multiple ransomware events targeting enterprises also used Log4Shell as the initial vulnerability that enabled attackers to breach perimeter defenses.

In addition, a few days after Log4Shell became public, additional vulnerabilities related to Log4j and the similar Logback library were discovered. All vulnerabilities were assigned CVEs:

  • Log4Shell – CVE-2021-44228 (CVSS score: 10.0) | A remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.14.1 (Fixed in version 2.15.0)
  • CVE-2021-45046 (CVSS score: 9.0) | An information leak and remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 (Fixed in version 2.16.0)
  • CVE-2021-45105 (CVSS score: 7.5) | A denial-of-service vulnerability affecting Log4j versions from 2.0-beta9 to 2.16.0 (Fixed in version 2.17.0)
  • CVE-2021-4104 (CVSS score: 8.1) | An untrusted deserialization flaw affecting Log4j version 1.2 (No fix available; Upgrade to version 2.17.1)
  • CVE-2021-42550 (CVSS score: 6.6) | Malicious configuration leads to remote code execution vulnerability, affecting Logback version 1.2.7 and prior (fixed in version 1.2.9)
  • CVE-2021-44832 (CVSS score: 6.6) | Malicious configuration leads to remote code execution vulnerability, affecting Log4j version 2.17 and prior (fixed in version 2.17.1)

7 steps to stay safe from Log4Shell attacks

The CYE team shares the seven most important actions CISOs and security teams should take to keep their organizations safe.

1. Update software products

First and foremost, update all vulnerable software.
Updated lists of vulnerable software, versions, and current status can be found here and here.

All software using Log4j should be upgraded to use Log4j version 2.17.1 (for Java 8 and later), 2.12.4 (for Java 7), or 2.3.2 (for Java 6).
All software using Logback should be upgraded to use Logback version 1.2.9 or above.

2. Scan Java software files

Java packages (JAR, WAR, etc.) can be scanned and fixed using dedicated automated scanners.
CYE examined this scanner and its frequent updates and found it effective for discovering and fixing Log4Shell-related vulnerabilities.

Note that upgrading Log4j and Logback to the latest versions is still the preferred mitigation.
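To show what such a file scanner looks at, here is an added example (not the scanner CYE evaluated and not CYE's own code): it walks a directory for JAR/WAR/EAR files, descends into nested archives such as WEB-INF/lib/*.jar, reads the log4j-core version from its Maven pom.properties, and reports whether the JndiLookup class is present. The 2.17.1 threshold follows the recommendation for Java 8 and later above; the Java 7 and Java 6 fix lines are not modelled, and the sample WAR it scans is constructed in a temporary directory for the example.

```python
"""Find log4j-core inside JAR/WAR/EAR archives and report version and
JndiLookup presence. Added example, not CYE's scanner."""
import io
import os
import re
import tempfile
import zipfile

# Version recommended above for Java 8 and later; anything lower in the 2.x
# line is reported as outdated. (Java 7 and Java 6 have separate fix lines.)
FIXED_VERSION = (2, 17, 1)
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0) (pre-release tag dropped)."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])


def inspect_archive(data, name):
    """Inspect one archive held in memory; return one finding per log4j-core
    discovered at any nesting depth."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
            match = re.search(r"^version=(.+)$", props, re.M)
            if match:
                version = match.group(1).strip()
        has_jndi = JNDI_LOOKUP_CLASS in names
        if version or has_jndi:
            findings.append({
                "archive": name,
                "version": version,
                "jndi_lookup_present": has_jndi,
                "outdated": version is not None and parse_version(version) < FIXED_VERSION,
            })
        # Recurse into nested archives, e.g. WEB-INF/lib/*.jar inside a WAR.
        for entry in sorted(names):
            if entry.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_archive(zf.read(entry), f"{name}!{entry}"))
    return findings


def scan_path(path):
    """Walk a directory tree and inspect every archive found."""
    findings = []
    for root, _, files in os.walk(path):
        for filename in files:
            if filename.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(root, filename)
                with open(full, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), full))
    return findings


def build_sample_war(directory):
    """Constructed fixture: a WAR whose WEB-INF/lib holds a fake log4j-core
    2.14.1 jar containing a placeholder JndiLookup.class (not real bytecode)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr(POM_PROPERTIES, "version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
    war_path = os.path.join(directory, "app.war")
    with zipfile.ZipFile(war_path, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    return war_path


def demo():
    """Build the constructed WAR in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as directory:
        build_sample_war(directory)
        return scan_path(directory)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Reading the version only from pom.properties is a simplification; the dedicated scanners also fingerprint class files and handle shaded or renamed copies, which is why a version-agnostic check for the JndiLookup class is reported alongside the version.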

3. Update inbound communication policy

Defensive products such as WAFs and, in some cases, IPS (Intrusion Prevention Systems) can protect web interfaces against Log4Shell. It is recommended to update all defensive products' policies, and specifically those of WAFs. WAF policies and incoming HTTP traffic inspection products should search for and block all requests that contain the following payloads:

  • ${jndi:
  • ${::-j}${
  • %24%7bjndi:
  • ${${lower:j
  • $%7Bjndi:
  • {${env:
  • %2524%257Bjndi
  • ${::-l}${
  • %2F%252524%25257Bjndi%3A
  • ${base64:JHtqbmRp

Please note that these payloads are strict and should only be used if JNDI is never used.

Live testing and modification (if needed) of these payloads should be carried out in order to prevent false positives.

These payloads can also be used for monitoring and for past log analysis, to detect past and current Log4Shell exploitation attempts.

4. Update outbound communication policy

Log4Shell is often detected through outbound DNS requests to attacker-controlled DNS servers, using out-of-band services. If these services are not used for legitimate purposes, the following domains can be blocked:

  • interactsh.com
  • interact.sh
  • dnslog.cn
  • burpcollaborator.net
  • canarytokens.org

In addition, the most common Log4Shell exploitation techniques use several protocols: LDAP, LDAPS, RMI, CORBA and IIOP. Therefore, if these protocols are not needed for regular usage (for example, for Azure Active Directory, which uses LDAP), it is recommended to block these protocols in products that support stateful inspection, and to block the following outgoing communication ports:

  • 389, 1389 and 636 TCP (LDAP and LDAPS)
  • 1099 TCP (RMI)
  • 3702 UDP (CORBA)
  • 900 TCP (IIOP)
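The payload list in step 3 is also meant for past log analysis, and the domain list in step 4 can be applied the same way to DNS logs. The following added example (not CYE's code) shows both: it URL-decodes each access-log line up to three times before comparing it with the step 3 patterns, so the encoded variants in that list are caught by their decoded form, and it matches DNS queries against the step 4 domains by suffix, since out-of-band services hand out unique subdomains. All log lines are constructed for the example, with "REDACTED" standing in for the attacker-controlled part of a payload.

```python
"""Apply the inbound payload list and the out-of-band domain list to logs
already collected. Added example, not CYE's code; sample lines constructed."""
import re
from urllib.parse import unquote

# Inbound patterns from step 3, compared case-insensitively against the
# decoded line; the URL-encoded entries of that list reduce to these forms.
INBOUND_PATTERNS = [
    "${jndi:", "${::-j}${", "${${lower:j", "{${env:",
    "${::-l}${", "${base64:JHtqbmRp",
]

# Out-of-band services from step 4. Callbacks use unique subdomains, so a
# suffix match is required rather than an exact match.
OOB_DOMAINS = [
    "interactsh.com", "interact.sh", "dnslog.cn",
    "burpcollaborator.net", "canarytokens.org",
]

DNS_QUERY_RE = re.compile(r"query:\s+(\S+)")


def normalize(text, rounds=3):
    """URL-decode up to `rounds` times (the deepest variant in step 3,
    %2F%252524%25257Bjndi%3A, needs three passes) and lowercase."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.lower()


def inbound_hits(line):
    """Step 3 patterns present in one access-log line after decoding."""
    norm = normalize(line)
    return [p for p in INBOUND_PATTERNS if p.lower() in norm]


def is_oob_domain(qname):
    """True if qname is a listed domain or any subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in OOB_DOMAINS)


def outbound_hit(line):
    """Queried name if a DNS log line resolves a listed domain, else None."""
    match = DNS_QUERY_RE.search(line)
    if match and is_oob_domain(match.group(1)):
        return match.group(1)
    return None


def scan_access_log(lines):
    """(index, patterns) for every line containing at least one pattern."""
    results = []
    for i, line in enumerate(lines):
        hits = inbound_hits(line)
        if hits:
            results.append((i, hits))
    return results


def scan_dns_log(lines):
    """(index, queried name) for every line resolving a listed domain."""
    results = []
    for i, line in enumerate(lines):
        name = outbound_hit(line)
        if name:
            results.append((i, name))
    return results


# Constructed sample data; not real traffic.
ACCESS_LOG = [
    '10.0.0.5 - - [11/Dec/2021:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:03:14:08 +0000] "GET /?q=%2524%257Bjndi%3AREDACTED%257D HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:03:14:09 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${lower:j}ndi:REDACTED}"',
    '10.0.0.6 - - [11/Dec/2021:03:14:10 +0000] "GET /docs/jndi-tutorial HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
DNS_LOG = [
    "11-Dec-2021 03:14:09.100 client 10.0.0.9#51234: query: a1b2c3d4.interactsh.com IN A +",
    "11-Dec-2021 03:14:09.200 client 10.0.0.5#51235: query: www.example.org IN A +",
    "11-Dec-2021 03:14:09.300 client 10.0.0.9#51236: query: x.y.burpcollaborator.net IN A +",
    "11-Dec-2021 03:14:09.400 client 10.0.0.5#51237: query: notinteractsh.com IN A +",
]

if __name__ == "__main__":
    for i, hits in scan_access_log(ACCESS_LOG):
        print(f"access log line {i}: {hits}")
    for i, name in scan_dns_log(DNS_LOG):
        print(f"dns log line {i}: {name}")
```

The fourth access-log line (a path containing the word "jndi" but no lookup syntax) and the fourth DNS line ("notinteractsh.com", which is not a subdomain of interactsh.com) are included to show the two false-positive cases the note after step 3 warns about: plain substring matching on "jndi" or on a domain name would flag both.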

5. Vulnerability scanning

Most known scanners, such as Nessus, can detect vulnerable servers. If an internal scanner exists, it is recommended to initiate a thorough scan of internal and external assets to detect vulnerable servers. In addition, free dedicated utilities can be found here.

CYE is using, among others, the recommended Nuclei vulnerability scanning utility alongside its Log4Shell template.

6. Source code scanning

Software vulnerable to Log4Shell and the related vulnerabilities can be found using static source code analysis. Proprietary source code should be scanned using SAST (static application security testing) utilities such as Checkmarx, Snyk, GitHub's built-in scanner, and other SAST utilities. Free dedicated utilities can be found in the links above.

7. Web scanning

Different Java systems and software use Log4j in different ways. If a system logs an internal HTTP parameter value using a vulnerable Log4j library, the system might be vulnerable. Therefore, it is recommended to scan all software using DAST (dynamic application security testing) tools such as Acunetix, Netsparker, and other DAST utilities. The free OWASP ZAP DAST utility contains an experimental Log4Shell detection rule.

How can we help?

At CYE we believe that the best security decisions are driven by real-world data and business impact. We can help you scan your assets, both internal and internet-facing, in order to find servers that are vulnerable to the Log4Shell vulnerability and create a risk-based and effective mitigation plan.

Additional useful information and links

Top 3 Cyber Threats and Challenges in 2022
https://cyesec.com/blog/top-3-cyber-threats-and-challenges-in-2022
Sun, 12 Dec 2021 12:05:40 +0000, Shmulik Yehezkel

This past year we have seen a continuation of the sharp rise in cyberattacks that started when the COVID pandemic increased online activity in all parts of life around the globe. The first nine months of 2021 saw 40% more cyberattacks than the same period of 2020. But equally important is that more of these attacks are coming from bad actors using publicly available tools, making hackers much harder to identify and stop.

2022 cybersecurity predictions 

Our Chief Critical Cyber Operations Officer, Shmulik Yehezkel explains the emerging trends evolving from 2021, and what we can expect to see more of in 2022: 

The year of supply-chain attacks 

Supply chain attacks were up more than sixfold in the first nine months of the year alone. These attacks, including the high-profile SolarWinds incident of late 2020, whose fallout continues to expand, are extremely dangerous because once a hacker gains access to a significant software supplier, they can also sometimes reach the data and code of its subscribers and customers. This provides multiple routes to new targets, including those that were once considered well protected.

Another advantage for attackers is deniability, as they can use the supply-chain company as a proxy for another target.  

Attackers’ deniability has grown 

As cyberattacks grew increasingly severe in 2021, they also became harder to trace back to the parties carrying them out. This is because we have seen more hackers, including state-backed bad actors, use open-source tools that are publicly available, from what we at CYE have seen mainly on GitHub. This helps cover their tracks, providing them a wide range of deniability and making it more difficult to target them with counterattacks or other forms of retaliation.

The anonymous nature of the attacks also allows those who carry them out to avoid dealing with fallout, like being seen as responsible for causing financial damage or human death or injury.  

On the horizon: The increased use of the “hub” attack 

Hackers will increase focus on what we are calling attacks on “hub-companies.” Hub companies are those with extensive digital connections to suppliers as well as customers. These companies can be average-seeming organizations, as well as insurance companies, credit clearing companies, and SaaS providers. These companies provide links to potentially more valuable suppliers and large customers. 

In addition to directly getting into the networks of these higher-value targets, like banks or weapons companies, hackers can find in the hub company valuable intelligence and information, like how a supplier interacts with a vendor, for creating effective phishing campaigns. 

This emerging hub attack is on track to become a preferred method of attack, simply because it is an efficient way to carry out attacks with far-reaching consequences and provides easier avenues to bigger more well-protected targets. 

The emergence of “CN-All” 

We also see change on the horizon for nation state-backed attacks. These attacks have been on the rise in both number and success rate over the last year. But going forward, they will become more ambitious.

Today, the industry classifies attacks into categories: CNE, for computer network exploitation or espionage; CNI, for computer network influence; and CNA, for computer network attack. This upcoming year, we are going to see more and more state-level actors carrying out what we call CN-ALL attacks. In this type of attack, state-level actors will combine all of the cyber warfare elements: espionage, influence and disabling systems. These attacks will be particularly challenging because they require a response on several fronts simultaneously.

CISOs need to be prepared to deal with the technical aspects of recovering data and accessing backup systems, while also dealing with law-enforcement and legal teams, addressing the media and, when needed, informing regulatory officials.  

How do you minimize damage and eliminate threats?  

Today, every company, regardless of size, domain, or region of activity, should be aware that it might be a potential target for cybercrime, as well as state-level cyberattacks with a variety of purposes and goals. No one is immune. 

The stakes of attacks are getting bigger, and it remains more important than ever to make sure all employees understand the value of strong passwords, learn how to recognize phishing attempts, and use multi-factor authentication. While sloppiness in these areas has long allowed malicious actors to reach sensitive and valuable data, now, with the growth of hub and CN-All attacks, this human factor can result not only in severe damage to their own organization, but potentially to thousands of others.

To protect themselves from the growing attacks, companies should consider consulting cybersecurity teams that consist of professionals with hands-on experience in cyber warfare at the state level, in places like government, military and intelligence services, who have interacted with state-backed hacking groups. We call them ACTs – Advanced Cyber Talents.

10 Tips for National Cybersecurity Awareness Month https://cyesec.com/blog/10-tips-for-national-cybersecurity-awareness-month https://cyesec.com/blog/10-tips-for-national-cybersecurity-awareness-month#respond Sun, 31 Oct 2021 14:27:39 +0000 CYE https://cyesec.com/?p=2482 October marks National Cyber Security Awareness Month, a month-long public awareness campaign launched by the United States Department of Homeland Security. The annual campaign, now in its 18th year and aptly themed “Do Your Part. #BeCyberSmart,” aims to raise awareness about cybersecurity best practices and highlight the collective effort we all need to take in order to remain informed about cyber warfare and prevent future attacks.

With more and more people working remotely and a dramatic increase in ransomware, phishing and supply chain attacks – to name a few – we’ve highlighted a few best practices to help you “Do Your Part” and “BeCyberSmart.”

Access Control & Endpoint Security

Many of the modern-day attacks are possible due to insufficient access control and endpoint security. As a result, we recommend:

  1. Always using anti-virus software and firewalls on your personal devices
  2. Not downloading, installing or running any software on your work laptop without prior approval of the IT team
  3. Not clicking on alarming pop-up windows that say that your computer is infected with a virus

Phishing Awareness

Phishing attacks often seem legitimate but can lead to malicious sites that steal your credentials. You should therefore ensure that you:

  1. Use your email for work purposes only and not for personal communications
  2. Look for spelling mistakes in the email and on the website address to identify a phishing attempt

Social Media & Information Protection

In other cases, publicly available information can contain useful data for hackers that can be collected from the web or social media. Employees can accidentally leak internal, sensitive information. As a result:

  1. Beware of the information you share on social media
  2. Do not share work-related sensitive information with third parties without the manager’s approval
  3. Don’t use public WiFi hotspots without using a VPN secure connection

Strong Authentication & Password Policies

Another extremely common vulnerability involves weak authentication and passwords. Writing passwords on sticky notes, for example, is a bad practice. We therefore recommend:

  1. Using two-factor authentication and strong passwords that include capital letters, lower case letters, digits and special characters. Our Red Team Expert, Tal Memran, explains in this short video the types of MFA, and the tough ones that are hard to crack.
  2. Using strong passwords or pass-phrases. Lior Bar Lev, Customer Success Manager at CYE, dives into some examples of common password mistakes and the best ones to use in this video.

Ultimately, you are responsible for your security and for keeping your endpoints safe and your data secure. While National Cyber Security Awareness Month may be coming to an end, cyberwarfare is not. Hackers will continue to attempt to wreak havoc on individuals and organizations, causing significant financial, reputational, legal and physical harm. Yet, it is up to the collective “us” to ensure that we do our part to keep our information safe and #BeCyberSmart.

Watch our Director of Research, Gil Cohen, summarize the security actions in just 4 minutes:

The 5 Security Gaps Most Organizations Will Face https://cyesec.com/blog/the-5-security-gaps-most-organizations-will-face https://cyesec.com/blog/the-5-security-gaps-most-organizations-will-face#respond Sun, 10 Oct 2021 08:56:56 +0000 Reuven Aronashvili https://cyesec.com/?p=2431 With so many security vulnerabilities, and new ones emerging each day, it’s getting impossible to know which ones to fix first. As hackers continue to increase their attacks in magnitude and sophistication, it is essential that your organization not only fix the most complex security issue, but also the most common and overlooked.

Our founder and CEO Reuven Aronashvili speaks on the CISO Talks podcast with host Danny Murphy about:

  • The most common security gaps that CYE’s nation-level experts most frequently see when conducting organizational cybersecurity assessments.
  • The need for organizations to be more aware of these vulnerabilities in order to patch them and reduce the likelihood of them being exploited.
  • How the most basic items in organizations – for which solutions already exist – are often not covered in an effective or efficient way.

Danny Murphy: Reuven, thanks for coming on the show.

Reuven Aronashvili: It’s great to be here.

Danny Murphy: Last time we spoke, you said that CYE has had around 600 engagements with approximately 250 organizations. Are there common vulnerabilities that you see within these organizations or are they vastly different?

[Listen to the podcast here]

Reuven Aronashvili: Let me give you the secret – the top 5. These are the things that we see in almost all organizations:

1 – Poor Password Quality – Most organizations, even if they are very advanced, have legacy passwords or service accounts, without strong, robust passwords. This is usually how hackers get first access to the organization and their feet in the door.

Danny Murphy: Before you proceed, I was reading that in order to evade these detection systems, rather than guessing loads of passwords to a single account, you go across all the accounts and create basic passwords, which seems to be successful about 60% of the time.

Reuven Aronashvili: We call that password spraying. That means that instead of going to one account with many passwords, you go with one or two passwords that you anticipate the organization would use, like “name of the organization + summer 2021.”  You would be surprised to see how many organizations fall victim to attacks that stem from weak passwords. I know the numbers and I’m still surprised. In a way, it’s very frustrating, but it’s also very human. We conduct password spraying – both to make sure that we’re not locking any accounts to create a denial of service attack and to stay under the radar as much as possible. Password quality is really the number one item we see in many organizations.

2 – Lack of Breach Detection Capabilities – We see that organizations are struggling with being able to identify active breaches and threats within the organization while they’re happening. Breach detection capabilities are not advanced enough in order to be able to deal with the more modern attack routes that we see today. Usually what we see is that those capabilities are very capable against things that are already well-known. There are good solutions out there, but we do still see a gap between the capability of the attacker to move within the organization and the time that the organization is able to identify and respond to the specific issue.

3 – Lack of Network Segmentation – The capability of an attacker to move between different parts of the organization – from user environment to server environment to cloud environment and so on – is something that is still very far away from where it should be.

4 – Lack of Proactive Access Governance – The next item that we often see is administration and privileged access management. When attackers work on technical environments, they want to get access to the administrative account. Once they gain access to the administrative account, like a domain admin, they can often get access to other devices quite quickly. That is something that is very powerful for the attacker. Of course, it’s not the end of the process, but a good step in a way to achieve their targets within the organization.

5 – Basic Hygiene Still Lacking – The last item really surrounds basic cyber hygiene. All the solutions are already in the market, it’s just about proper asset management, as well as policies and procedures to make sure that they are implemented sufficiently. Of course, there are challenges. If it was easy, everyone would do it, but there are challenges, such as impact on production. Critical infrastructures or OT environments do not have the patch and if they do have the patch, are not allowed to install it because they could lose their warranty. If you’re working with an old version of Windows, of course you don’t have the patch to install. Those are inherited problems that you see in organizations – very simply, maybe, and some would even say stupid, but still problems – very tangible and relevant problems.

Those are the top 5. In many cases we also see issues around email protection, which are easy to fix, but often not implemented. The common ground between all of the things I’ve mentioned is that they are all basic foundations for cybersecurity. We hear a lot about “next generation” firewalls or anti-virus, but the basic items in most organizations are not covered in an efficient or complete way. That’s usually what we use to move laterally within organizations and gain access to business critical assets – not because we don’t know how to do other things, but those are the easiest and the attacker will always look for the easiest way in, instead of using the most complicated James Bond-type attacks.

[Listen to the podcast here]
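As an added example (not CYE’s tooling and not part of the podcast), detection logic that separates the password-spraying pattern Reuven describes above from a per-account brute force, run over a constructed set of authentication log lines in a hypothetical format. The thresholds (window, account count, per-account failures, lockout) are assumptions to tune to your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real logs). The line format
# is hypothetical: "<ISO timestamp> <FAIL|SUCCESS> user=<name> src=<ip>".
# 203.0.113.9 sprays one guess across many accounts and lands on svc_backup,
# 198.51.100.7 hammers a single account, 192.0.2.5 is a user who mistyped twice.
SAMPLE_LOG = """\
2021-09-01T08:00:01 FAIL user=alice src=203.0.113.9
2021-09-01T08:00:04 FAIL user=bob src=203.0.113.9
2021-09-01T08:00:07 FAIL user=carol src=203.0.113.9
2021-09-01T08:00:10 FAIL user=dave src=203.0.113.9
2021-09-01T08:00:13 FAIL user=erin src=203.0.113.9
2021-09-01T08:00:16 FAIL user=frank src=203.0.113.9
2021-09-01T08:00:19 SUCCESS user=svc_backup src=203.0.113.9
2021-09-01T08:00:22 FAIL user=grace src=203.0.113.9
2021-09-01T08:05:00 FAIL user=carol src=198.51.100.7
2021-09-01T08:05:02 FAIL user=carol src=198.51.100.7
2021-09-01T08:05:04 FAIL user=carol src=198.51.100.7
2021-09-01T08:05:06 FAIL user=carol src=198.51.100.7
2021-09-01T08:05:08 FAIL user=carol src=198.51.100.7
2021-09-01T08:05:10 FAIL user=carol src=198.51.100.7
2021-09-01T08:30:00 FAIL user=dave src=192.0.2.5
2021-09-01T08:30:09 FAIL user=dave src=192.0.2.5
2021-09-01T08:30:20 SUCCESS user=dave src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_events(log_text):
    """Parse log lines into dicts sorted by time; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "result": m["result"], "user": m["user"],
                           "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def classify_source(events, window, min_accounts, max_per_account, lockout):
    """Slide a window over one source's failures and label the pattern.

    brute_force: one account fails at least `lockout` times (lockout catches it)
    password_spray: many accounts, each failing only a few times (it does not)
    """
    fails = [e for e in events if e["result"] == "FAIL"]
    for i, first in enumerate(fails):
        per_user = defaultdict(int)
        for e in fails[i:]:
            if e["ts"] - first["ts"] > window:
                break
            per_user[e["user"]] += 1
        worst = max(per_user.values())
        if worst >= lockout:
            return "brute_force", first["ts"], sorted(per_user)
        if len(per_user) >= min_accounts and worst <= max_per_account:
            return "password_spray", first["ts"], sorted(per_user)
    return None


def detect(log_text, window=timedelta(minutes=10), min_accounts=5,
           max_per_account=2, lockout=5):
    """Return {src: alert} for every source whose failures look like an attack.

    Each alert lists the accounts targeted and any account that logged in
    successfully from that source after the window opened: those are the
    accounts to review first, since a spray only needs one weak password.
    """
    by_src = defaultdict(list)
    for e in parse_events(log_text):
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        verdict = classify_source(evs, window, min_accounts, max_per_account, lockout)
        if verdict is None:
            continue
        kind, start, accounts = verdict
        compromised = sorted({e["user"] for e in evs
                              if e["result"] == "SUCCESS" and e["ts"] >= start})
        alerts[src] = {"type": kind, "window_start": start.isoformat(),
                       "accounts": accounts, "successes_after": compromised}
    return alerts


if __name__ == "__main__":
    for src, alert in detect(SAMPLE_LOG).items():
        print(src, alert)
```

The point of the two alert types is that a lockout policy alone only sees the second source; the spray is found by counting distinct accounts per source, not failures per account.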

Making Sense of the TSA’s Latest Cyber Regulations for LNG Facilities https://cyesec.com/blog/making-sense-of-the-tsas-latest-cyber-regulations-for-lng-facilities https://cyesec.com/blog/making-sense-of-the-tsas-latest-cyber-regulations-for-lng-facilities#respond Tue, 27 Jul 2021 08:25:39 +0000 Itay Peled https://cyesec.com/?p=2307 By now, everyone who works in the cyber industry – and most who don’t – is all too familiar with the frequency, severity and sophistication of ransomware attacks – particularly against pipelines and liquefied natural gas (LNG) facilities – as well as the potentially devastating business, financial, reputational and legal impact they can have on businesses of all sizes. In fact, less than a month after the high-profile ransomware attack against Colonial Pipeline, which caused fuel shortages across the East Coast of the U.S. for over a month and led to a payment of a $4.4 million ransom, the Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) issued its first mandatory cybersecurity directive for LNG facilities.

“The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats,” said Secretary of Homeland Security Alejandro N. Mayorkas.  “The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security. DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.”

Here’s what you need to know

The TSA’s Security Directive, which was announced on May 27, 2021, essentially has three parts. It requires owners and operators of “critical” hazardous LNG pipelines and facilities to:

  • Designate a “corporate level” cybersecurity coordinator to be available to the TSA and CISA “24 hours a day, seven days a week”
  • Report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency “no later than 12 hours after a cybersecurity incident is identified.”
  • Perform a cybersecurity assessment to identify any vulnerabilities and develop and implement the necessary remediation measures.

The requirements point to the TSA’s 2018 Pipeline Security Guidelines, which until now have been recommendations, rather than requirements for compliance. The 2018 document notes that the “intent of these guidelines is to bring a risk-based approach to the application of the security measures throughout the pipeline industry” and follows similar categories as the NIST Cybersecurity Framework of Identify-Protect-Detect-Respond-Recover.

According to the TSA’s latest directive, owners/operators must review section 7 of the 2018 document within 30 days and:

  • Report on whether current practices sufficiently align to the guidelines
  • Identify gaps
  • Institute remediation measures

Section 7 guidelines list several cybersecurity measures categorized either as “baseline” or “enhanced,” depending on whether assets are deemed to be “critical” (whereby “enhanced” security measures would apply) or “non-critical” (whereby “baseline” security measures apply).

This classification assumes that pipeline owners and operators have full visibility of all cyber assets, as well as ongoing awareness of both IT and OT systems and networks. They need to be able to identify, evaluate and prioritize risks and determine effective security controls to put in place in order to reduce the risk to an acceptable level.

Turning the directive into an opportunity with nation-level cyber experts

Thankfully, they don’t have to do it alone. CYE’s team of national-level cybersecurity experts can help:

  • Assess – in real time – the entire organizational environment, including third party vendors.
  • Identify where vulnerabilities lie and the attack routes that lead to the business’s crown jewels
  • Quantify the risk that each vulnerability poses to business-critical assets based on our unique, mathematical approach
  • Translate the regulations into actionable items and work plans that can be transferred to the technical teams
  • Review the policies from the perspective of a hacker by infiltrating the organizations, breaching their security systems, executing social engineering campaigns, collecting passwords and bypassing each and every security control.
    • This approach enables organizations to better identify their organizations’ most critical vulnerabilities and prevent attacks before they occur.
  • Maintain a risk dashboard in our cloud-based cybersecurity optimization platform, Hyver, to help management and technical teams see the status of each vulnerability, as well as the risk it poses to the organization – in order to manage them accordingly.
  • Establish an incident response readiness program to test organizational policies and procedures
  • Provide security training to management, technical personnel and general employees and help them react to different cyber attack scenarios
  • Build long-term cybersecurity best practices that not only conform to the regulations, but improve overall cyber resilience.

Furthermore, in an effort to provide cyber visibility across all IT, OT and IoT environments, we partnered with OTORIO, the provider of next-generation OT cyber and digital risk management solutions, to provide an integrated solution to companies with converged IT, OT and IoT environments looking for proactive ransomware protection.

By combining forces, CYE and OTORIO complement each other’s solutions by offering:

  • A single pane of glass to continuously monitor IT, OT and IoT security postures
  • Complete coverage of security visibility, including areas that are currently being shielded by blind spots
  • Quantification of risks and identification of exposures across all IT, OT and IoT environments
  • Long-term cybersecurity best practices through a combination of technology and services
  • Simplified compliance processes

Recent events have highlighted that no company is safe from being targeted by ransomware no matter the size or location. “Businesses of every size are finding it hard to combat the emerging cyber threat either because they lack the financial resources or because they lack the skill set,” says Scott E. Augenbaum, former supervisory special agent at the FBI’s Cyber Division, Cyber Crime Fraud Unit. “The answer lies with the public/private sector taking proactive steps to keep their networks safe by partnering with subject matter experts who develop smart cybersecurity solutions that are easy to install and manage.”


Watch: Expert panel discussion

Click here to watch leading security experts discuss the TSA Pipeline Security Directive and how it can be turned into an actionable work plan.

CYE Partners with OTORIO to Combat Rise in Industrial Ransomware Attacks https://cyesec.com/blog/cye-partners-with-otorio-to-combat-rise-in-industrial-ransomware-attacks https://cyesec.com/blog/cye-partners-with-otorio-to-combat-rise-in-industrial-ransomware-attacks#respond Tue, 20 Jul 2021 10:33:40 +0000 CYE https://cyesec.com/?p=2238 In recent months, there has been a significant increase in ransomware attacks on industrial companies and critical infrastructure, including the Colonial Pipeline attack, which caused fuel shortages across the East Coast of the U.S. for over a month and led to a payment of a $4.4 million ransom. As a result – and to provide cyber visibility across all IT, OT and IoT environments – we partnered with OTORIO, the provider of next-generation OT cyber and digital risk management solutions, to provide an integrated solution to companies with converged IT, OT and IoT environments looking for proactive ransomware protection.

In response to the devastating impact of these attacks, the Department of Homeland Security’s Transportation Security Administration (TSA) announced a new Security Directive that will require critical pipeline owners and operators to:

  • Report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency
  • Designate a Cybersecurity Coordinator to be available 24 hours a day, seven days a week
  • Review their current practices and identify any gaps and related remediation measures to address cyber-related risks
  • Report the results to TSA and CISA within 30 days

“The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats,” said US Secretary of Homeland Security Alejandro N. Mayorkas in response to the new TSA regulations.

A single-pane solution to identify and quantify industrial cyber risks

Our partnership with OTORIO will help our customers convert the latest regulations into a practical cybersecurity work plan, while improving their overall security postures and safeguarding them against the next crippling attack.

The partnership provides cyber visibility across all IT, OT and IoT environments, enabling organizations to quantify their cyber risks, identify exposures, and build long-term cybersecurity best practices. The fully automated solution simplifies the compliance processes, as well as ongoing risk monitoring.

By proactively identifying exposures and potential attack vectors and addressing them before they become breaches, CYE and OTORIO enable companies to significantly reduce risk with fewer resources and to optimize their cybersecurity investments.

By combining forces, CYE and OTORIO offer:

  • A single pane of glass to continuously monitor IT, OT and IoT security postures
  • Complete coverage of security visibility, including areas that are currently being shielded by blind spots
  • Quantification of risks and identification of exposures across all IT, OT and IoT environments
  • Long-term cybersecurity best practices through a combination of technology and services
  • Simplified compliance processes

“The partnership with OTORIO comes at a time when we see a significant uptick in ransomware attacks on companies providing critical services to the public,” said founder and CEO of CYE Reuven Aronashvili. “CYE aims to alleviate the burden on companies that can’t afford any operational downtime, while giving them peace of mind that they are protected against any future need to pay a heavy ransom.”

“Cybercriminals have become as powerful as nation-state adversaries, posing a real threat to operational continuity,” said Daniel Bren, Co-founder and CEO of OTORIO. “Our joint solution with CYE simplifies cybersecurity for converged IT/OT/IoT environments by adopting a proactive risk-reduction approach instead of traditional intrusion detection and response methods.”

Shoring up all defenses to protect industrial companies of all sizes and in all locations

As a result of the ongoing threat posed by industrial ransomware attacks, the US National Security Council noted the private sector’s unique responsibility in helping the federal government strengthen critical assets against these types of destructive attacks. As recent events have highlighted: no company is safe from being targeted by ransomware no matter the size or location.

 “Businesses of every size are finding it hard to combat the emerging cyber threat either because they lack the financial resources or because they lack the skill set,” says Scott E. Augenbaum, a former supervisory special agent at the FBI’s Cyber Division, Cyber Crime Fraud Unit. “The answer lies with the public/private sector taking proactive steps to keep their networks safe by partnering with subject-matter experts who develop smart cybersecurity solutions that are easy to install and manage.”

Watch: Expert panel discussion

Click here to watch leading security experts discuss the TSA Pipeline Security Directive and how it can be turned into an actionable work plan.

Your Cybersecurity Program Needs Data, Numbers and Facts https://cyesec.com/blog/your-cybersecurity-program-needs-data-numbers-and-facts https://cyesec.com/blog/your-cybersecurity-program-needs-data-numbers-and-facts#respond Mon, 14 Jun 2021 08:25:34 +0000 CYE https://cyesec.com/?p=2041 Cybersecurity budgets are increasing, yet overall organizational cybersecurity maturity levels are – at best – remaining stagnant, or – at worst – decreasing, leaving organizations increasingly exposed to cyber attacks.

After analyzing this phenomenon, we came up with the following conclusions to help organizations increase their cyber resilience:

  1. Ditch compliance-driven cybersecurity maturity programs – While compliance is an important part of cybersecurity, it is certainly not enough. The compliance-driven approach applies a “one size fits all” to different organizations, which is not enough to cover the specific and unique challenges of each organization.
  2. Shift from using assessment to validate the program to using it to build the program – Instead of starting with a template or compliance-driven approach and testing it at the end of the process, we believe that organizations must do it the other way around: they need to identify weaknesses and vulnerabilities first, set the targets and optimize how they build a cybersecurity program to make sure they are taking into account all relevant threats. Additionally, decision-makers need to be able to see the ROI and understand their investments and how the cybersecurity program is reducing the organizational risk and improving their level of resilience.

 Watch the recording: The Data Your Security Program Needs

CYE’s model to achieving data-driven security decisions

[Image: Four-step model for achieving a data-driven cybersecurity program]

1. Defining the threat sources and crown jewels 

Organizations need to be able to identify where their vulnerabilities lie, which business-critical assets they want to protect most and the attack routes that lead to the business’s crown jewels.

[Image: Defining the threat sources and crown jewels of the organization before conducting the security assessment]

Frameworks and algorithms, such as the Max-Flow Min-Cut Theorem from graph theory in computer science, help solve this complex optimization problem. When it comes to cyberwar, CISOs need to focus their efforts on the areas that matter most. They need to be able to map out and calculate which routes, if breached, can derail an entire business operation, and the best way of securing the routes that put the business at the greatest risk of attack.

2. Measuring the security baseline

There are multiple ways of measuring the security baseline, including risk evaluation, risk profiling, penetration testing, red, blue and purple team exercises, and so on. At the end of the process, however, organizations need to understand which threat sources can access which business-critical assets. They need to ask what the best way is of achieving that and, most importantly, how those vulnerabilities are connected, in order to draw a specific risk map of the organization. Organizations then need to be able to understand the likelihood of each vulnerability being identified and exploited.

[Image: Measuring the baseline of the organizational security posture and calculating attack vectors and likelihood]

We believe that organizations should stop focusing on specific vulnerabilities and instead focus on complete attack routes. When looking at mitigation plans, the important part is eliminating attack routes, not eliminating vulnerabilities. If a vulnerability is mitigated but the attack route still exists, little has been accomplished. If, on the other hand, the attack route is eliminated even though some vulnerabilities remain, the organization’s cyber resilience increases significantly.
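As an added example, not CYE’s code and not the model behind Hyver, the attack-route argument above worked through with the Max-Flow Min-Cut Theorem mentioned earlier: assets are nodes, each exploitable step is an edge weighted by an assumed mitigation cost, and the min cut is the cheapest set of steps whose mitigation severs every route from the threat source to the crown jewels. The graph, the asset names and the costs are all constructed for illustration.

```python
from collections import deque

# Constructed attack graph (illustrative data, not from CYE or Hyver).
# Nodes are assets; each edge is one exploitable step (a vulnerability) from
# one asset to the next, weighted by an assumed cost of mitigating it.
ATTACK_GRAPH = {
    ("internet", "mail_gw"): 3,       # phishing through the mail gateway
    ("internet", "old_webapp"): 1,    # legacy web app, cheap to decommission
    ("mail_gw", "workstation"): 2,    # malicious attachment run on a user PC
    ("old_webapp", "dmz_srv"): 2,     # web shell on the DMZ host
    ("workstation", "file_srv"): 1,   # weak service-account password
    ("workstation", "dmz_srv"): 4,    # flat network, no segmentation
    ("dmz_srv", "file_srv"): 2,       # unpatched file-sharing service
    ("file_srv", "crown_jewels"): 5,  # cached domain-admin credentials
}
THREAT_SOURCE, CROWN_JEWELS = "internet", "crown_jewels"


def build_capacity(edges):
    """Residual-capacity graph as nested dicts: cap[u][v]."""
    cap = {}
    for (u, v), c in edges.items():
        cap.setdefault(u, {})
        cap.setdefault(v, {})
        cap[u][v] = cap[u].get(v, 0) + c
        cap[v].setdefault(u, 0)  # reverse edge used by the residual graph
    return cap


def bfs_path(cap, s, t):
    """Shortest augmenting path from s to t in the residual graph, as a parent map."""
    parent = {s: None}
    queue = deque([s])
    while queue:
        u = queue.popleft()
        for v, c in cap.get(u, {}).items():
            if c > 0 and v not in parent:
                parent[v] = u
                if v == t:
                    return parent
                queue.append(v)
    return None


def max_flow(edges, s, t):
    """Edmonds-Karp max flow. Returns (flow value, residual graph)."""
    cap = build_capacity(edges)
    flow = 0
    while (parent := bfs_path(cap, s, t)) is not None:
        bottleneck, v = float("inf"), t
        while parent[v] is not None:          # smallest residual on the path
            u = parent[v]
            bottleneck = min(bottleneck, cap[u][v])
            v = u
        v = t
        while parent[v] is not None:          # push that much flow along it
            u = parent[v]
            cap[u][v] -= bottleneck
            cap[v][u] += bottleneck
            v = u
        flow += bottleneck
    return flow, cap


def min_cut(edges, s, t):
    """Cheapest set of steps whose mitigation severs every s->t attack route.

    By the max-flow min-cut theorem the total cost equals the max flow. The
    cut is the set of original edges leaving the nodes still reachable from
    s in the residual graph once no augmenting path remains.
    """
    flow, residual = max_flow(edges, s, t)
    reach, stack = {s}, [s]
    while stack:
        u = stack.pop()
        for v, c in residual[u].items():
            if c > 0 and v not in reach:
                reach.add(v)
                stack.append(v)
    cut = sorted(e for e in edges if e[0] in reach and e[1] not in reach)
    return flow, cut


def route_remains(edges, mitigated, s, t):
    """True if some attack route from s to t survives mitigating `mitigated`."""
    remaining = {e: c for e, c in edges.items() if e not in mitigated}
    return bfs_path(build_capacity(remaining), s, t) is not None


if __name__ == "__main__":
    cost, cut = min_cut(ATTACK_GRAPH, THREAT_SOURCE, CROWN_JEWELS)
    print("min-cut cost", cost, "-> mitigate", cut)
    # Fixing a single cheap vulnerability leaves a route intact ...
    print("route after fixing the weak password only:",
          route_remains(ATTACK_GRAPH, {("workstation", "file_srv")},
                        THREAT_SOURCE, CROWN_JEWELS))
    # ... while mitigating the cut eliminates every route.
    print("route after mitigating the cut:",
          route_remains(ATTACK_GRAPH, set(cut), THREAT_SOURCE, CROWN_JEWELS))
```

On this graph the cheapest complete fix costs 3 and sits at the perimeter (the legacy web app and the mail-gateway-to-workstation step); fixing the cost-1 weak password on its own leaves the route through the DMZ untouched.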

3. Setting the objectives

While there are multiple standards in the market to calculate cybersecurity maturity levels, such as CMMI and CMMC, we take a different approach by separating the different security domains in the organization and evaluating them one by one. For each security domain, we measure the security level of the organization and benchmark it against industry standards, geolocation and company size to understand where other organizations rank in the same security domain. If we see, for example, that an organization is below average in its industry, we take the industry average, add one standard deviation, and make that the maturity level goal that we seek to achieve.

[Image: Setting the cybersecurity maturity objectives by security domain]

4. Establishing the strategic program

We created a mathematical structure which enables us to identify the most probable attack routes and prioritize them based on the likelihood of their being exploited. We can calculate and quantify the specific risk reduction associated with eliminating each attack route. This provides a clear mathematical evaluation of the organization’s cybersecurity risk, as well as of the cost of potential damage and the cost of the mitigation associated with the plan.

[Image: Establishing the security program by prioritizing the security tasks]

Ultimately, our unique approach:

  • Takes cybersecurity from compliance-based to fact-, data- and mathematics-based
  • Ensures that mitigation and cybersecurity programs are tailor-made per organization
  • Starts with identifying gaps and then tailoring the solution – not vice versa
  • Identifies real attack routes and mimics actual hackers – without making assumptions
  • Focuses on attack routes, rather than specific vulnerabilities
  • Translates the technical impact of cybersecurity into business impact

With the attack surfaces increasing exponentially and the rapid pace of changes in the external and internal threat landscapes, cybersecurity assessments must be conducted on a continuous basis, using a mathematical approach that ensures that your organization is not only compliant with regulatory standards, but is actually improving and fortifying its cybersecurity maturity score.

Your Security Metrics are Making you Less Secure https://cyesec.com/blog/your-security-metrics-are-making-you-less-secure https://cyesec.com/blog/your-security-metrics-are-making-you-less-secure#respond Sat, 12 Jun 2021 08:44:37 +0000 Eyal Greenberg https://cyesec.com/?p=2036 Some time ago, big company, a large financial organization, suffered a major security breach. Hackers were able to infiltrate the network by sending an email with a malicious attachment to an unsuspecting employee. Worse – once inside the network, they were able to gain access to sensitive file shares by guessing the password of a top-level user. The hackers took these files and demanded ransom in order to return the files to big company.

Organizations – like big company – that have been the victims of security breaches, know how painful they are and are willing to put a lot of effort and resources into fixing as many security issues as possible.

In order to mitigate the password guessing attack, big company first looked into its password quality security controls. They used a security tool to identify weak passwords – meaning an attacker could guess them easily, even without knowing their hash. It appeared that 10% of their passwords were weak. They used this number as their metric and over the next few weeks, worked to decrease the number. They worked with project owners and employees to change their passwords and after a few months, they again counted weak passwords. The situation was much better – only 1% of passwords were easy-to-guess. While not perfect, it was a significant improvement.

Later that year, CYE was hired to conduct a red-team exercise at big company. Among other things, the CYE team used phishing emails to gain access to the internal network and guessed passwords for sensitive data shares – meaning, they replicated the real-life big company breach after the mitigation project was complete. How could that be?

From the perspective of big company, the risk of password-guessing attacks seemed ten times less likely, but from the perspective of a hacker, the difficulty of such an attack hardly changed. Why? Because once inside the network, the attacker can guess one or two passwords per employee without being detected and blocked. With tens of thousands of systems, users and passwords, 1% of weak passwords still has the potential to put big company at 100% risk. In fact, the metric big company used to measure itself was nearly irrelevant.

This issue appears in many organizations, across different domains. You may be monitoring 99.9% of your hosts, but somehow the attacker is able to find and install malware on the one old host – where your EDR isn’t installed. Or, maybe all of your web applications are up-to-date and secure, but the attacker found the one old website that could be breached in order to gain ground.

Nothing stops sophisticated attackers (who spend enormous time and effort understanding organizations and who are savvy and experienced enough to guess countless passwords without getting caught) or opportunistic attackers (who simply try to infiltrate a large array of random organizations) from trying their luck time and time again. This is especially true when an attacker tries to breach your Internet perimeter, where the cost of getting caught is almost zero. Even once they have gained access to some of your internal assets – be it in your network or in the cloud – they usually have to be very noisy and slow to get kicked out before they seize the chance to cause damage.

The security of your critical assets is best measured from the attacker’s perspective. That’s why you have to conduct periodic — or, better yet, continuous — penetration tests and security assessments. This does not mean that you should not deploy EDRs, improve your password quality, secure your web applications and so on. However, it does mean that you can identify high priority projects if you look at your security from the attacker’s perspective. It also doesn’t mean security metrics are useless. What it does mean, however, is that choosing the wrong metrics can be very problematic for your organization. Once you start measuring your progress in one way, it can be very difficult to suddenly stop and start measuring it in a different way. CISOs will feel pressure to show that their company’s numbers are improving over time, even if that does not mean much for the organization’s security posture. This can give organizations a false sense of security and get in the way of other, more important cyber-security projects or metrics. Since your time and money are finite, this can actually hurt your security posture.

At CYE, we organize security issues (actually, mitigations that are tied to security issues) in a graph that shows how attackers can exploit them in sequence to access business-critical assets. Then, we measure the improvement of the risk based on the graph. This way, we have a better idea of how best to stop the hacker. Maybe it’s better to do certain things first, like blocking network access to sensitive file shares, deploying multi-factor authentication, revoking access to sensitive files from most employees, or just monitoring password guessing more effectively. It could be a combination of security controls and there could be other, more pressing attack vectors altogether. The best way to find out is to arm your company with the tools, resources and expertise it needs in order to see the picture from the point-of-view of the attacker.
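Two claims in the post above can be checked with a small model: that going from 10% to 1% weak passwords barely changes an attacker's odds when thousands of accounts can be sprayed, and that mitigations should be compared by how much they cut the attack path rather than by a standalone metric. The following Python is an added example, not CYE's code or the Hyver attack graph. It assumes a single path (phishing, then an internal foothold, then password guessing, then access to a sensitive file share) and every probability, account count and mitigation effect in it is a constructed assumption.

```python
from dataclasses import dataclass, replace

# Added example, not CYE's code or Hyver's attack graph. All numbers below are
# constructed assumptions chosen to illustrate the post's argument.


@dataclass(frozen=True)
class Scenario:
    """One attack path: phishing -> internal foothold -> password guessing -> file share."""
    phishing_success: float    # P(some employee opens the malicious attachment)
    weak_fraction: float       # share of accounts with an easily guessable password
    accounts_tried: int        # accounts the attacker can spray before giving up
    detect_per_attempt: float  # P(a failed guess on one account gets the attacker blocked)
    share_reachable: float     # P(the foothold has network access to the sensitive share)
    auth_bypass: float         # P(a guessed password alone is enough, e.g. no MFA)


def password_guessing_success(weak_fraction: float, accounts_tried: int,
                              detect_per_attempt: float) -> float:
    """Probability that trying one or two guesses per account yields at least one
    working password before the attacker is detected and blocked.

    Per account: succeed with probability p; otherwise get blocked with probability d;
    otherwise move on to the next account. This sums p * ((1-p)(1-d))**k over the
    accounts tried, so the result depends on the whole population, not on one account.
    """
    p, d = weak_fraction, detect_per_attempt
    still_searching = 1.0   # P(undetected and not yet successful before this account)
    total = 0.0
    for _ in range(accounts_tried):
        total += still_searching * p
        still_searching *= (1 - p) * (1 - d)
    return total


def path_risk(s: Scenario) -> float:
    """Probability that the whole chain succeeds, treating the steps as independent."""
    return (s.phishing_success
            * password_guessing_success(s.weak_fraction, s.accounts_tried, s.detect_per_attempt)
            * s.share_reachable
            * s.auth_bypass)


# Constructed baseline: 10% weak passwords, thousands of accounts, no guessing detection.
BASELINE = Scenario(phishing_success=0.9, weak_fraction=0.10, accounts_tried=5000,
                    detect_per_attempt=0.0, share_reachable=1.0, auth_bypass=1.0)

# Candidate mitigations from the post, each as a change to the scenario (constructed effects).
MITIGATIONS = {
    "weak passwords 10% -> 1%":           lambda s: replace(s, weak_fraction=0.01),
    "monitor password guessing":          lambda s: replace(s, detect_per_attempt=0.05),
    "MFA on file shares (5% bypass)":     lambda s: replace(s, auth_bypass=0.05),
    "block share access (10% reachable)": lambda s: replace(s, share_reachable=0.10),
}


def apply_mitigations(names, base: Scenario = BASELINE) -> Scenario:
    """Apply the named mitigations to a scenario, in order."""
    for name in names:
        base = MITIGATIONS[name](base)
    return base


def rank_mitigations(base: Scenario = BASELINE):
    """Residual path risk after each single mitigation, lowest (best) first."""
    ranked = [(name, path_risk(apply_mitigations([name], base))) for name in MITIGATIONS]
    return sorted(ranked, key=lambda item: item[1])


if __name__ == "__main__":
    print(f"baseline risk: {path_risk(BASELINE):.3f}")
    for name, risk in rank_mitigations():
        print(f"{name:36s} -> {risk:.3f}")
    combo = apply_mitigations(["weak passwords 10% -> 1%", "monitor password guessing"])
    print(f"1% weak + monitoring together      -> {path_risk(combo):.3f}")
```

With these assumptions the weak-password cleanup alone leaves the path risk where it was, because 1% of 5,000 accounts is still fifty guessable passwords and nothing stops the attacker from working through the list; MFA and network segmentation cut the path by an order of magnitude, and monitoring only pays off once it is combined with the smaller weak-password population. The absolute numbers are invented; the ranking is what a graph-based comparison surfaces and a standalone metric hides.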

CYE Partners with ALSO to Arm SMEs with Enterprise-Level Cybersecurity https://cyesec.com/blog/cye-partners-with-also-to-arm-smes-with-enterprise-level-tools-for-cybersecurity https://cyesec.com/blog/cye-partners-with-also-to-arm-smes-with-enterprise-level-tools-for-cybersecurity#respond Wed, 26 May 2021 07:31:58 +0000 CYE https://cyesec.com/?p=1901 Small and medium-sized organizations (SMEs) are the backbone of the economy, representing 99% of all businesses and creating two-thirds of all new jobs in the US within recent decades. These business owners are required not only to be good at what they do, but also to be skilled in all business management-related issues, including finance, marketing, HR and IT. Most, however, do not have dedicated cybersecurity professionals on their teams, either due to budgetary constraints, lack of manpower, or because they are lagging behind in their digital transformation journeys and think that, because their attack surfaces are relatively small, they will not become the targets of serious cyber attacks.

While this gap manifests itself in a variety of ways, it also makes it increasingly difficult for SMEs to protect themselves against cyber threats. In fact, according to Verizon’s 2020 Data Breach Investigations Report, 43% of cyberattacks are targeted at small businesses, while only 14% have put in place the necessary security measures to protect themselves. In addition, according to a 2020 study by Fundera, cybercrime costs SMEs more than $2.2 million a year, while 60% of those that are victims of a cyber attack go out of business within six months.

Introducing Hyverlight: A unique offering for SMEs

In order to help SMEs around the world become increasingly cyber resilient, CYE is partnering with ALSO Holding AG, a leading technology provider and reseller for the ICT industry that is active in 24 countries in Europe and in a total of 90 countries worldwide. ALSO will resell CYE’s unique offering, tailored specifically to SMEs. This partnership will enable SMEs to effectively assess their digital risk exposure and implement the appropriate prevention and remediation solutions, without the need for complex IT skills. We’re calling our new offering, which provides SMEs with a single solution to address their cybersecurity threats, “Hyverlight.”

With Hyverlight, SMEs can begin reclaiming control over their cybersecurity. This unique solution offers:

  • Continuous, automated assessments of the main threat environments for SMEs
  • A single, enterprise-level solution
  • Clear visibility of all security threats
  • Actionable tasks
  • A cost-effective way for SMEs to optimize their cybersecurity investments

In addition, Hyverlight is simple and easy to use and does not require agents, installations or tech knowledge.

The offering includes:

  • Attack surface tracker – Provides a pulse on all external-facing assets, both known and unknown.
  • Azure security tracker – Tracks the accuracy of Azure security in the cloud, which is essential to businesses, as more companies are moving to the cloud.
  • Internet perimeter tracker – Provides a view into the potential entry points that an attacker might take to gain access into an organization.

Aggregated findings presented in HyverLight

“As SMEs continue to become increasingly interconnected, they need to ensure that they have the necessary resources and expertise to effectively assess their digital risk exposure and implement appropriate prevention and remediation solutions,” said Founder and CEO of CYE Reuven Aronashvili. “We look forward to a long-time partnership with ALSO, who will help us take Hyverlight to the next level. This partnership will enable SMEs to make informed decisions about their security landscape and regain control of their cybersecurity in order to prevent attacks before they occur, while preventing damage to their reputations, consumers’ trust and revenues.”

“Hyverlight is a great opportunity for our partners,” said Gustavo Möller-Hergt, CEO of ALSO Holdings. “With this tool, they can offer their customers a specific assessment of their cybersecurity risks, as well as an optimization and mitigation plan based on the knowledge and experience of the industry leaders in this area. The service is a key element in implementing cybersecurity particularly in SMEs, as it is affordable and tailored to their needs. It enables resellers to expand their as-a-service portfolio and further monetize the digital workplaces.”

SMEs, don’t let yourselves become sitting ducks for the next cyber attack

As cyber attacks increase in both frequency and sophistication, SMEs can no longer afford to look the other way when it comes to cybersecurity. They need to take a proactive approach to their security in order to ensure that they understand their security risks, how those security risks translate into business risks, and how to best prevent and mitigate possible attacks. SMEs cannot afford to become the victims of the next cyber attack, as they truly are the backbone of the global economy.

Interested in learning more about Hyverlight? Speak to one of our experts

Top 5 Cybersecurity Risks for Food Manufacturers https://cyesec.com/blog/top-5-cyber-security-risks-for-food-manufacturers https://cyesec.com/blog/top-5-cyber-security-risks-for-food-manufacturers#respond Mon, 24 May 2021 12:52:00 +0000 Gil Bashkin https://wordp.hyver-labs.com/?p=624 In 2021, one-in-six firms that experienced a cyber attack said they almost “went under,” according to the 2021 Hiscox Cyber Readiness Report.

While certain sectors including energy, finance, and healthcare responded to the rising threat by increasing investment in cyber-security, recent surveys and UK government data show that food and beverage producers continue to lag behind. In fact, only 62% say it is a high priority, vs. 77% of businesses overall. They are also less likely than others to report having up-to-date malware protection (71%, vs. 83% overall) or network firewalls in place (66%, vs. 78% overall).

Investment in cybersecurity in the UK per sector (CYE table summarizing average cybersecurity investment by vertical). Source: Gov.uk

Food and beverage manufacturers remain a prime target for cyber attacks due to several factors, some of which are unique to the sector.

The food industry’s cyber risk factors

1. Insecure and outdated Industrial Control Systems (ICSs)

While the industry has seen major advances in digital technology that have revolutionized food processing, these advances were not accompanied by security improvements. In fact, many food manufacturers still use legacy ICSs that are not configured to handle modern cyber threats. Even new ICSs lack long-term cybersecurity protections and are unprotected from external access through third-party channels. Moreover, while most ICSs are inherently insecure, ICSs in the food industry also have specific weaknesses, such as rigid controls that rely heavily on physical security.

2. Industry 4.0 and IT/OT Convergence

Because ICSs are insecure by design, they become even more challenging to protect when aggressive digital transformation initiatives are introduced, as is increasingly common. These efforts improve efficiency, but they also expand the attack surface by enabling greater connectivity to the manufacturing network, which exposes it both to commodity malware arriving from the IT network (for example, through insecure HMI interfaces) and to targeted attacks.

3. Cybersecurity skill gap

Operations technology (OT) personnel, those responsible for operating and maintaining ICSs in the food manufacturing industry, are often experts trained in food safety and production — not in cybersecurity. Although ICS cybersecurity standards are well-documented, their complexity and volume overwhelm most food industry personnel. Research has also found that leaders in food processing and manufacturing are typically unaware of the extent of the cyber risk present in their industrial systems and OT/IT networks.

4. Lack of security maturity compared to other sectors

As other sectors harden their security in the wake of widely publicized cyber attacks against them, criminals and threat actors move on to still-vulnerable, lower-hanging fruit, making cyber immaturity a risk in its own right.

5. Covid-19 and the emerging cyber threat

The pandemic has forced businesses to operate remotely, expanding their attack surfaces and opening new doors for hackers to exploit vulnerabilities. In addition, food producers have had to innovate to keep pace with increased demand, with some introducing technological shifts that further increase the attack surface.

Potential cyber-attack consequences 

The consequences of a successful attack on a food manufacturer could dwarf those in other sectors, because disruptions to this industry can not only interrupt business continuity and bankrupt the company, but also result in contaminated food products that directly harm consumers. Food producers who underestimate the level of risk and damage that could be caused by a potential breach might face:

  • Production line interruptions and shutdowns that could cripple the business
  • Degradation of food products, making them unsafe for sale and consumption
  • Financial loss as a result of ransomware pay-outs and loss of productivity
  • IP breach of food recipes and production processes
  • Physical harm to personnel and equipment
  • GDPR violations resulting in fines
  • Reputational damage

HMI screenshots CYE teams took from a food production floor: CYE’s experts infiltrated the systems of a large food manufacturer, detecting known vulnerabilities that could have been maliciously exploited.

Steps for improving cybersecurity

In a new era in which cyber-attacks are more frequent and complex than ever, food producers must make cyber-security a top priority. Leaving digital communication platforms and production environments exposed to potentially devastating cyber-attacks is no longer an option. In the interest of both companies and consumers, food companies must acknowledge the increased risk and take immediate steps, including:

  • Conducting comprehensive, end-to-end cyber risk assessments that include inventorying both ICS and IT systems cont