Vendor-Agnostic Threat Sensor for OT Visibility

All things cybersecurity continue to come my way. They all seem to be jumping on the White House’s industrial control systems cybersecurity initiative to promote how their solution helps solve the problem. This news concerns industrial asset and network monitoring company SynSaber. It has introduced what it touts as the industry’s first vendor-agnostic, palm-sized threat detector.

This small form factor solution can be hosted on any existing infrastructure, including DIN-rail and edge devices. They say the device can collect data from anywhere and send it anywhere.

“With the introduction of our portable and ultra-scalable SynSaber 1.0 software, we are empowering critical infrastructure, municipality, and co-op CIOs, CISOs, and other asset owners with a level of accessibility and customization never seen before in the industrial marketplace,” said Jori VanAntwerp, CEO and co-founder of SynSaber.

Key features of SynSaber 1.0 include a custom asset identification processor, a custom detection engine, and a heads-up display that lets the operator visualize where the data is being collected.

Annual Threat Detection Report Reveals Top Threats and Techniques

Threats can come suddenly from anywhere. The day after Russia invaded Ukraine traffic from Russia to my website spiked. I have a rather steady, if low, number of page views regularly from that country. Not sure why the spike. But when I turned my site into part of my business rather than a hobby blog, I also signed up with a website defense company.

Cybersecurity news has become a mainstay thread for the past year. I don’t know if the cause is related to the pandemic or if venture money is flowing that direction. They all do studies and reports. This one comes from a company called Red Canary, a managed detection and response provider. It analyzed 30,000 threats in customer environments and uncovered a number of trends, threats, and techniques from the 2021 landscape.

Red Canary, the Managed Detection and Response (MDR) provider that detects threats no one else does, on March 22 launched its fourth annual Threat Detection Report, an extensive report that’s based on analysis of more than 30,000 confirmed threats detected across customers’ environments in the past year.

The findings reveal that ransomware dominated the threat landscape in 2021, with groups adopting new techniques such as double extortion and “as-a-service” models to evade detection and maximize their earnings. The report explores the top 10 threats impacting the majority of Red Canary customers – from adversary favorites like Cobalt Strike to new activity clusters like Rose Flamingo – and the most common techniques that adversaries use to carry out these attacks, including guidance for companies to strengthen their ability to detect these threats.

“These threats are less sensational than you might find elsewhere, but they’re the ones that will impact the majority of organizations,” said Keith McCammon at Red Canary. “This report addresses highly prevalent threats and the tried-and-true techniques that are wreaking havoc on organizations. We take it a step further to explore in depth the adversarial techniques that continue to evade preventative controls, and that can be challenging to detect. We hope that this report serves as a valuable tool for everyone from executives to practitioners, providing the information that’s needed to detect and respond to cybersecurity threats before they negatively impact organizations.”

Red Canary found that adversaries have continued to carry out attacks using legitimate tools. As security tools increase in sophistication, adversaries are finding it more difficult to develop and deploy their own malware that evades defenses. As a result, adversaries rely on administrative tools — like remote management software — and native operating system utilities out of necessity, co-opting tools that are guaranteed or likely to be installed on a device rather than introducing non-native software.

Several of the top 10 threats and techniques highlighted in the report are used by adversaries and administrators or security teams alike, including command and control (C2) tool Cobalt Strike, testing tool Impacket, and open source tool Bloodhound. Cobalt Strike, in particular, has never been more popular, impacting 8% of Red Canary’s customers in 2021. Some of the most notorious ransomware operators, including Conti, Ryuk and REvil, are known to rely heavily on Cobalt Strike. Coming in at the No. 5 ranking, Impacket is a collection of Python libraries that is used legitimately for testing but is abused by ransomware operators. This is another favorite among adversaries, as it tends to evade detection: its malicious use is hard to differentiate from benign use.

Ransomware was top billing for some of last year’s most destructive cyberattacks. The report describes the new tactics that ransomware groups used in 2021, such as double extortion, which applies pressure to victims in more than one way to coerce them to pay a ransom. Last year also brought the rise of the affiliate model, which made tracking malicious activity more difficult because intrusions can often result from an array of different affiliates providing access to different ransomware groups. Examples of this include the Bazar and Qbot trojans, used by adversaries to gain initial access into environments before passing off access to ransomware or other threat groups.

The report analyzes several new ransomware families that became more prevalent in 2021, including BlackByte, Grief, Hive, Yanluowang, Vice Society and CryptoLocker/Phoenix Locker, while also taking a look at the families that tapered off, like Egregor, REvil, BlackMatter and Doppelpaymer. Many of the emergent ransomware families were similar to those that became less active or inactive, leading analysts to assess that known adversaries resurfaced using a new name.

The threat landscape moved toward a Software-as-a-Service (SaaS) economy in 2021, muddying the already murky waters of attribution. While Ransomware-as-a-Service (RaaS) has been widely reported for years, this model has now become the norm for adversaries. While Red Canary has been tracking some “as-a-service” models like TA551 over the years, others are just now coming into focus. In particular, Red Canary tracks multiple phishing affiliates that dropped variants of the Bazar family of malware.

This economic model lowers the technical barrier to entry, allowing operators to purchase capabilities rather than develop them. Between Phishing-as-a-Service, Access-as-a-Service, and Crypters-as-a-Service, it has never been easier to find an adversary for hire.

Download Red Canary’s full Threat Detection Report here.

Claroty Biannual Risk and Vulnerability Report

Cybersecurity risk and vulnerability reports and solutions continue to flood my inbox. We are connecting more things, collecting ever more data, and storing sensitive manufacturing and production analyses. Inquiring minds might like to know what you know. Or, they may want to hold everything hostage. This Claroty Biannual ICS Risk and Vulnerability Report may help you convince management about the need for continual improvement in this area.

Some key findings include:

• ICS vulnerability disclosures grew 110% over the last four years, demonstrating heightened awareness of this issue and the growing involvement of security researchers shifting toward OT environments.

• 34% of vulnerabilities disclosed affect IoT, IoMT, and IT assets, showing that organizations will merge OT, IT, and IoT under converged security management.

• 50% of the vulnerabilities were disclosed by third-party companies and a majority of these were discovered by researchers at cybersecurity companies.

• 87% of vulnerabilities are low complexity, meaning they don’t require special conditions and an attacker can expect repeatable success every time.

• 63% of the vulnerabilities disclosed may be exploited remotely through a network attack vector.

We are fast approaching a time when highly connected cyber-physical systems are the norm, and the lines between information technology (IT), operational technology (OT), and Internet of Things (IoT) security management are blurred beyond recognition.

This is the new paradigm of the Extended Internet of Things (XIoT), one that enhances the need for timely, useful vulnerability information in order to better inform risk decisions.

Claroty published its fourth Biannual ICS Risk & Vulnerability Report. The report was prepared by Claroty’s research arm, Team82, in effort to define and analyze the vulnerability landscape relevant to leading automation products and connected devices used across domains.

While the volume of headline-grabbing attacks dwindled in the second half of 2021 compared to the first six months, those incidents will only fuel the eventual prioritization of XIoT cybersecurity among decision makers. You’ll also see from our analysis in this report that the percentage of vulnerabilities that were disclosed in the second half of last year in connected IoT and medical devices, as well as a growing number of IT vulnerabilities, continues to climb, reaching 34%, up from 29% in 1H 2021.

Cellular Cybersecurity Solution

Cloudflare protects my website from nefarious activity. It also provides interesting data—such as reporting this site gets from 150K to 175K visits in total per month. Also interesting was the week after the Russian invasion of Ukraine. My traffic from Russia ran along at a relatively smooth line on the chart. The chart for the first week of the invasion showed a huge spike in traffic for a couple of days. It then returned to normal. They (someone?) figured out that a manufacturing site has nothing to do with the war effort?

I don’t follow cybersecurity in depth, but I cannot avoid covering it. A significant portion of the marketing communications traffic to my inbox originates with cybersecurity companies. Much activity comes from there. Here is news from an Israeli company called FirstPoint with cellular security solutions.

FirstPoint Mobile Guard launched its new Protected Cellular Connectivity Suite, built for IoT enterprises. The comprehensive, ultra-secure multi-functional system enables enterprises to securely manage thousands of IoT cellular-connected devices without depending on an operator.

FirstPoint’s cellular cybersecurity technology, which is already implemented at several large IoT organizations, MNOs, MVNOs and governmental agencies, gives enterprises robust control and protection with private, isolated services, quick-start connectivity, and complete roaming control. The network-based integrated platform detects, alerts, and blocks different network vulnerabilities and threats such as denial of service, SMS attacks, malware, mobile IP-data attacks, network fraud, and more.

“Enterprises now have complete control of their IoT cellular connected devices,” said Dror Fixler, Ph.D., CEO of FirstPoint Mobile Guard. “At a time of hyperconnectivity and record levels of cellular hacking, our platform allows enterprises to focus on their business with peace of mind using our ultra-secure protection.”

FirstPoint Mobile Guard delivers holistic cellular operations and security solutions, providing comprehensive oversight, control, and protection for any mobile, IoT, or IIoT device. The technologies enable service providers, MVNOs, and large cellular-IoT organizations to fully manage, control, and secure the connectivity of their cellular connected devices for any operational use case. The solutions are fine-tuned for security-sensitive organizations, including enterprises, critical infrastructure, fleets, smart cities, industrial, financial services, governments, military and more.

StorCentric’s Retrospect Adds Anomaly Detection to Ransomware Protection

I used to use Retrospect to back up files on my Macs. Not sure why I stopped, probably a compatibility issue with macOS at the time. It did the job for me, though. But I was surprised to get some news from StorCentric, the company behind Retrospect, announcing an update. Something I’ll have to check out again.

Retrospect, a StorCentric company, announced the general availability (GA) of Retrospect Backup 18.5, featuring new anomaly detection, customizable filtering and thresholds, and enhanced ransomware protection to help businesses quickly detect and protect against malicious attacks. With deeper Microsoft Azure Blob integration for Immutable Backups and integrated cloud bucket creation, Retrospect Backup 18.5’s anomaly detection and ransomware protection bolster StorCentric’s data-centric security approach to organizations’ critical infrastructure.

According to Coveware, most corporate targets are small and medium businesses. 72% of targeted businesses have fewer than 1,000 employees, and 37% have fewer than 100. Businesses are projected to have paid out $20B in 2021, a 100% Y-o-Y increase for the last four years, and it’s only going to get worse with new business models like RaaS: ransomware-as-a-service. With Retrospect Backup 18, businesses can protect their infrastructure with immutable backups for ransomware protection.

Included in Retrospect Backup 18.5

▪ Anomaly Detection: Detect anomalies in systems based on customizable filters and thresholds tailored to individual environments.

▪ Retrospect Management Console Integration: View anomalies across a business or partner’s entire client base in a single pane of glass.

▪ Improved Microsoft Azure Blob Integration: Set individual immutable retention policies for different backup sets within the same Azure Storage Container.

▪ Streamlined Immutable Backup User Experience: Automatically create cloud buckets with immutable backups supported by default.

▪ LTO-9 Support: Includes support for LTO-9, with capacities up to 18TB (45TB compressed).

Open Source Security Foundation Reveals Progress

News coming my way over the past couple of years has changed. There is very little from automation, control, instrumentation, and even networking. Two consistent visitors to my inbox are combined in this news from the Linux Foundation—Open Source and Security. This news touts the growth of the Open Source Security Foundation.

The Open Source Security Foundation (OpenSSF), a cross-industry organization hosted at the Linux Foundation that brings together the world’s most important open source security initiatives, announced that 19 new organizations have joined OpenSSF to help identify and fix security vulnerabilities in open source software and develop improved tooling, training, research, best practices, and vulnerability disclosure practices. It is also announcing the latest milestones achieved across a variety of its technical initiatives, all of which underscore the cross-industry momentum taking place as a result of increasing awareness in the wake of recent security incidents and since the recent White House Open Source Security Summit and recent Congressional hearings.

“The time is clearly now for this community to make real progress on software security. Since open source is the foundation on which all software is built, the work we do at OpenSSF with contributions from companies and individuals from around the world is fundamental to that progress,” said Brian Behlendorf, executive director at OpenSSF. “We’ve never had more support or focus on building, sustaining and securing the software that underpins all of our lives, and we’re happy to be the neutral forum where this can happen.” 

New Premier Member commitments come from 1Password, Citi, Coinbase, Huawei Technologies, JFrog and Wipro. New General Member commitments come from Accuknox, Alibaba Cloud, Block, Inc., Blockchain Technology Partners, Catena Cyber, Chainguard, DeployHub, Gravitational Inc., MongoDB, NCC Group, ReversingLabs, Spotify and Wingtecher Technology. New Associate Members include Institute of Software, Chinese Academy of Science (ISCAS), MITRE and OpenUK. A complete review of the OpenSSF member roster.

These commitments come on the heels of the recent White House Open Source Security Summit, where the Linux Foundation and OpenSSF represented hundreds of its project communities and discussed how best to support software security and open source security posture going forward. This marked a major milestone in the Linux Foundation’s engagement with the public sector and underscores its position to support not only the projects it hosts but all of the world’s most critical open source infrastructure.

Following are examples of community work.

OpenSSF also recently announced the Alpha-Omega Project to improve the security posture of open source software (OSS) through direct engagement of software security experts and automated security testing. It is initially supported by Microsoft and Google with a combined investment of $5 million. The Project improves global OSS supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open source code, and get them fixed. “Alpha” will work with the maintainers of the most critical open source projects to help them identify and fix security vulnerabilities, and improve their security posture. “Omega” will identify at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring, and remediation guidance to their open source maintainer communities.

Scorecards is an OpenSSF project that helps open source users understand the risks of the dependencies they consume. OpenSSF members GitHub and Google recently announced Scorecards v4, which includes a Scorecards GitHub Workflow Action to automate identification of how changes to a project affect its security. It also includes a License Check to detect the presence of a project license and a Dangerous-Workflow check to detect dangerous usage of the pull_request_target trigger and risks of script injection in GitHub workflows. The Scorecards project has also increased the scale of its scans from 50,000 projects to one million projects identified as most critical based on their number of direct dependencies, giving a more detailed view of the ecosystem and strengthening supply chain security as users see improved coverage of their dependencies.
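The two workflow patterns the Dangerous-Workflow check targets are worth seeing concretely: a workflow triggered by pull_request_target (which runs with the base repository’s secrets and a write-capable token) that checks out the pull request’s own commit, and a run: step that expands a contributor-controlled event field such as the PR title straight into a shell script. The following added example is my own illustration, not Scorecards’ code; it scans workflow text line by line rather than parsing YAML, the list of untrusted contexts is a representative subset, and both workflow files are constructed samples, not taken from any real project.

```python
"""Simplified scanner for the two patterns behind the Scorecards
Dangerous-Workflow check (added illustration, not Scorecards' own code):
  1. a pull_request_target workflow checking out the PR's own commit;
  2. contributor-controlled event fields expanded inside a run: script.
It scans workflow text line by line instead of parsing YAML, which is
enough for conventionally formatted workflows."""
import re
from typing import List, Tuple

# Expression contexts whose value is chosen by whoever opens the issue or PR
# (representative subset, assumed here).
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.event.pull_request.head.label",
    "github.event.comment.body", "github.event.review.body", "github.head_ref",
)
# Refs that resolve to the contributor's commit: unsafe under pull_request_target.
PR_HEAD_REFS = ("github.event.pull_request.head.sha",
                "github.event.pull_request.head.ref", "github.head_ref")
EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}")


def _split_steps(lines: List[str]) -> List[List[str]]:
    """Group the lines under each 'steps:' key into one list per '- ' item."""
    steps, current, step_indent, in_steps = [], [], None, False
    for line in lines:
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if stripped.startswith("steps:"):
            if current:
                steps.append(current)
            in_steps, step_indent, current = True, None, []
        elif not in_steps or not stripped:
            continue
        elif stripped.startswith("- ") and step_indent in (None, indent):
            if current:
                steps.append(current)
            step_indent, current = indent, [line]
        elif step_indent is not None and indent > step_indent:
            current.append(line)
        else:  # dedented past the list: the steps block is over
            if current:
                steps.append(current)
            in_steps, current, step_indent = False, [], None
    if current:
        steps.append(current)
    return steps


def _run_script(step: List[str]) -> str:
    """Return the text of the step's run: value (inline or block scalar)."""
    script, block_indent = [], None
    for line in step:
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if block_indent is None:
            if stripped.startswith("run:"):
                value = stripped[4:].strip()
                if value not in ("|", "|-", ">", ">-"):
                    return value        # inline scalar
                block_indent = indent   # block scalar follows on later lines
        elif stripped and indent <= block_indent:
            break                       # block scalar ended
        elif stripped:
            script.append(stripped)
    return "\n".join(script)


def scan_workflow(text: str) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for the dangerous patterns found."""
    lines = [ln.split("#", 1)[0].rstrip() for ln in text.splitlines()]  # drop comments
    privileged = re.search(r"\bpull_request_target\b", "\n".join(lines)) is not None
    findings = []
    for step in _split_steps(lines):
        body = "\n".join(step)
        if privileged and "actions/checkout" in body:
            for m in re.finditer(r"\bref:\s*(\S.*)", body):
                if any(r in m.group(1) for r in PR_HEAD_REFS):
                    findings.append(("untrusted-checkout", m.group(1).strip()))
        for expr in EXPR_RE.findall(_run_script(step)):   # only the script text
            ctx = expr.strip()
            if any(ctx == u or ctx.startswith(u + ".") for u in UNTRUSTED_CONTEXTS):
                findings.append(("script-injection", ctx))
    return findings


# Constructed sample workflows (not from any real project).
VULNERABLE_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # runs the PR's code
      - name: Greet
        run: |
          echo "PR title is ${{ github.event.pull_request.title }}"
"""

SAFE_WORKFLOW = """\
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3   # pull_request: read-only token, no secrets
      - name: Greet
        env:
          TITLE: ${{ github.event.pull_request.title }}   # via env, not inline
        run: echo "PR title is $TITLE"
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        print(name, scan_workflow(wf))
```

The safe variant shows the fixes the check is steering maintainers toward: keep untrusted pull requests on the plain pull_request trigger, and hand event fields to the script through an environment variable so the shell sees a variable expansion rather than attacker-chosen text spliced into the command line.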
