Machine Learning and AI in Cybersecurity

Artificial intelligence (AI) and machine learning are positioned to assist today's enterprises as they fight to defend themselves against the rising number of cyber attacks. 

 

Real-time learning and analysis of potential cyber risks is made feasible by AI and machine learning. Additionally, they use computers to create behavioral models, employing these models to forecast cyberattacks as new information becomes available. By accelerating and improving cybersecurity responses, these technologies work together to help businesses strengthen their security defense. 

 

An Effective Tool for Combating Cyber Attacks 

Cyberattacks have increased as more firms adopt digital transformation strategies. According to the Identity Theft Research Center, 2021 has been a record-breaking year in the U.S., with the number of data breaches at the end of the third quarter surpassing all of 2020 by 17 percent. Likewise, ransomware assaults have been rising alarmingly, with the typical incidence costing businesses over $700,000. Today, a ransomware assault occurs every 11 seconds, causing a 21-day company outage average. 

 

AI and machine learning can guard against these advanced threats, which hackers are using to shut down business networks. In fact, these technologies are rapidly advancing into commonplace tools for cybersecurity experts in their continuing battle with malicious actors. 

 

61 percent of firms said they won't be able to recognize major risks without AI, and 69 percent think it would be vital to counteract cyberattacks, according to a survey by Capgemini Research Institute. In fact, it is predicted that the market for AI in cybersecurity would reach $46.3 billion by 2027. 

 

 

Benefits of AI and Machine Learning 

AI and machine learning are having a significant positive impact on cybersecurity programs at organizations. These consist of: 

 

 

Potential Uses 

Although there are risks associated with AI and machine learning, their usage is only anticipated to grow in the future. These technologies have already shown themselves to be quite successful in a variety of application scenarios. The following are some typical use cases where businesses are effectively utilizing AI and machine learning: 

 

 

Planning Your Implementation 

It may be tough to know where to begin when integrating AI and machine learning into one's cybersecurity strategy, which is why many firms find it problematic. As you start implementing your implementation strategy, keep the following advice in mind to get the greatest results: 

 

 

Powerful Tools for An Escalating Problem. 

AI and machine learning are potent tools that may aid firms in becoming more prepared as the volume and sophistication of cyberattacks rise. Your firm can identify and respond to cyberattacks in real-time with the correct technologies in place, while also resolving potential risks before they become major problems. As a consequence, you can better manage the pace and scope of today's risks and discover threats sooner, for less money, and with a security posture that is stronger. 

 

How Lumifi Can Help 

We not only utilize the industry’s leading threat intelligence platforms, but also deliver personalized security recommendations through scheduled calls with a dedicated Engagement Manager. Our suite of services allows you peace of mind knowing your organization is being monitored around the clock by an industry leading SOC which takes pride in its customers' security.   

 

Incident Response in Exabeam: How to Create Playbooks and Automate Security Incident Resolution

Learn how to use the platform's security orchestration, automation, and response (SOAR) solution to quickly investigate and resolve security incidents. 

Exabeam enables security teams to automate their response to security incidents, dramatically reducing the time and resources required to mitigate active attacks. The platform's Incident Responder lets analysts automate time-consuming tasks when investigating incidents and neutralizing attacks, enabling organizations to immediately respond to threats in real time. 

(more…)

NetWitness Announces New Managed Detection and Response Service

Small to mid-size enterprises can now leverage more comprehensive threat detection & response technology delivered remotely.

September 21, 2022 09:00 AM Eastern Daylight Time

BEDFORD, Mass.--(BUSINESS WIRE)--NetWitness, a globally trusted provider of threat detection and response technology and incident response services, today announced the availability of a new Managed Detection and Response (MDR) service to enable companies to leverage NetWitness for expanded cybersecurity in a fully outsourced model. The new NetWitness MDR Service helps customers address the ongoing cyber skills shortage while keeping their organizations well-protected from attacks by combining technology, planning, training, and managed detection into a single, complete offering.

“It’s a natural evolution to offer an MDR service that assures effective detection and response 24/7, so customers receive the maximum benefit of the NetWitness Platform XDR solution, all the time.”

Ultimately, the success of cybersecurity depends on the availability of skilled security analysts and threat hunters, a major challenge due to an ongoing skills shortage. According to the (ISC)2 Cybersecurity Workforce Study, 2021, there’s a worldwide gap of over 2.7 million cybersecurity professionals.

“NetWitness delivers outstanding security visibility, threat detection and response,” said Tod Ewasko, Chief Product Officer at NetWitness. “Yet, cybersecurity also requires experienced and skilled professionals, especially for powerful tools like NetWitness XDR. As customers struggle with the current staffing and skills shortages, trusted services like NetWitness Managed Detection and Response and Incident Response offer a winning strategy.”

“We’ve worked shoulder-to-shoulder with NetWitness customers for decades, helping them respond to ever-more-dangerous incidents,” said David Gaik, Senior Director, NetWitness Professional Services. “It’s a natural evolution to offer an MDR service that assures effective detection and response 24/7, so customers receive the maximum benefit of the NetWitness Platform XDR solution, all the time.”

Customers increasingly request an MDR service that works closely with NetWitness XDR. In this focused model, NetWitness provides customized offerings that deliver whatever organizations need: skilled security analysts who connect directly to a NetWitness Platform XDR infrastructure to perform critical functions including threat hunting, incident management, even system administration and upgrades. Internal staff are freed to do strategic activities like planning and systems hardening.

The NetWitness MDR service is an ideal solution for mid-size or smaller enterprises that seek to partner with trusted analysts and threat hunters that deliver world-class cybersecurity on a proven XDR platform. It is initially available in the U.S. and Canada in conjunction with Lumifi Cyber, a premier provider of managed detection, located in Scottsdale, Arizona. Clients outside North America may be serviced by a different NetWitness certified partner.

To learn more about the new NetWitness MDR service, visit netwitness.com.

About NetWitness

NetWitness, an RSA® Group Business, provides comprehensive and highly scalable threat detection and response capabilities for organizations around the world. The NetWitness Platform delivers complete visibility combined with applied threat intelligence and user behavior analytics to detect, prioritize, investigate threats, and automate response. This empowers security analysts to be more efficient and stay ahead of business-impacting threats. For more information, visit netwitness.com.

 

About Lumifi

Lumifi is a managed detection and response (MDR) services provider of enterprise-grade security for companies of all sizes. They use NetWitness Platform XDR to deliver continuous end-to-end protection against ransomware and the latest security threats. Their state-of-the-art Security Operations Center is staffed by a team of US-based analysts, ex-military and former DoD security experts to continuously monitor and manage customer environments. For more information, visit lumificyber.com.

 

©2022 RSA Security LLC or its affiliates. All rights reserved. RSA and the RSA logo are trademarks of RSA Security LLC or its affiliates. For a list of RSA trademarks visit https://www.rsa.com/en-us/company/rsa-trademarks. Other trademarks are trademarks of their respective owners. RSA believes the information in this document is accurate. The information is subject to change without notice.

Cloud Attacks: Are You Still Safe?

Cloud Attacks: Are You Still Safe? 

95% of respondents are using the cloud, according to the 2016 State of the Cloud Survey. The nature of cloud-based computing offers the prospect of severe cloud security breaches despite its fast expansion, which can significantly harm an enterprise. One of the top worries is data security.

 

How can IT administrators maintain flexibility, data access, and innovation while still protecting themselves (and their companies)?

 

Let's look at 7 recommendations to protect your company against cloud security concerns.

 

1. Educate your employees.

There is a simple reason for the security concerns in the majority of organizations: unaware staff. You may reduce risk and stop cloud security risks by educating your personnel on suitable protection techniques:

 

Include the entire organization. Employees are more inclined to own up to their responsibilities regarding security measures when they actively participate in safeguarding corporate assets. Engage the whole staff in security training and inform them of future best practices.

Make a plan. Establish a reaction plan in case staff members believe their privacy has been violated. To ensure that users are always ready, create a document that outlines the actions they should do in various circumstances.

Conduct ad hoc security testing. It's crucial to educate your staff, but only if they remember the knowledge.

 

2. Secure a data backup plan.

The risk of irreversible data loss is increasing as the cloud develops. A secure backup of such data should be prepared for anything.

 

For enhanced security, IT administrators should spread data and applications over several zones and follow industry best practices for disaster recovery, offsite storage, and regular data backup.

 

3. Encryption Is Critical

For protection, cloud encryption is essential. It enables the encryption of text and data before it is uploaded to a cloud storage system.

 

Find out from your provider how data is managed. You may encrypt at the network's edge to guarantee the security of your data before it leaves your company, guaranteeing the transit of data in the cloud is safeguarded. Keep the encryption and decryption keys after the data has been encrypted. If you have both of these, any demands for information will require the owner's involvement even if the data is kept by a third-party supplier. Avoid storing encryption keys in the program that houses your data. IT departments must maintain physical control over encryption.

 

4. Passwords Matter

Considering that passwords are used to encrypt and compressed data, selecting one carefully is crucial. 90% of passwords can be broken in a matter of seconds.

 

According to Duncan Stewart, director of technology for Deloitte Canada, "passwords having at least eight characters, one number, mixed-case letters, and non-alphanumeric symbols were originally regarded to be strong." However, with the development of advanced technology and software, these may be readily hacked.

 

Despite the propensity for password reuse caused by our limited capacity to recall complicated credentials, avoid taking that risk. Create unique, distinctive passwords to fend against hackers.

 

5. Test, Repeat, Test Again

Think like a criminal while putting safeguards in place to secure your cloud. Penetration testing, a process in IT security intended to find and fix vulnerabilities as well as reduce cloud security risks, is one of the best ways to do this.

 

Here are some things to remember:

 

Be careful to alert your cloud provider before starting a penetration test because it resembles an actual assault.

Make a list of the things you need to test, such as servers and apps, and assess your weaknesses.

 

Keep in mind that internal dangers are just as likely as external ones when you develop your cloud penetration testing strategy.

Cyber Corruption: LAPSUS$

What do Microsoft, Okta, T-Mobile, Nvidia, and LG all have in common? Well, for starters, they have all been extorted by one of the most prolific and unpredictable hacking groups of 2022.

 

The group coined, LAPSUS$, remarkably infiltrated and extorted a handful of the largest, pre-imminent tech giants in the world through a unique approach of SIM-swapping, social engineering, malware, and other means to enact their financially-driven motives, such as threatening the public release of proprietary data or simply dumping private data on their digital channels for all to see which certainly separates them from other “successful” hackers and groups of the last several years, not to mention they may all be between 16-21 yrs. old.

 

Let’s take a deep dive into the psyche of LAPSUS$ and what exactly makes them so dangerous, yet so bewildering.

 

Who Is Truly Behind LAPSUS$? 

Uncovering the leader or “brains of an operation” can culminate in immense understanding and ultimately dismantling of a criminal organization, but unfortunately, this cohort seems to work in a decentralized manner, closer to chaos than order. Some of the infamies certainly arise from their childish antics, leading to assumptions of inexperience.

 

The list of high-profile attacks would be enough for most cyber criminals to “hang it up” and relinquish to the dark recesses of the internet to preserve earnings and evade detection, but LAPSUS$ touts these victories via a public “Telegram” channel as well as polling viewers on their next “hit”. The social community seems to be the bread and butter of this group, alluding even further into their adolescent composition.

 

 

The LAPSUS$ group hit headlines in December of 2021, with a barrage of attacks against South American companies, including Brazil’s Ministry of Health and other government agencies in the area, before expanding their scopes onto larger, multinational companies to truly catapult into the limelight. At this point, the group had the full attention of the cybersecurity community and didn’t intend to squander it.

 

Fame and fortune stood around the corner as the group shifted to the pillars of international tech giants as their next prey, hoping to utilize their immense influence and coverage to the group’s advantage.

 

As stated via their Telegram channel, LAPSUS$ negates any state or political motives for their extortion attacks, leading some to question the seemingly randomized actions of the group. Is there a collective goal beyond notoriety and wealth?

 

 

How Does LAPSUS$ Operate? 

Microsoft released a ground-breaking report in March of 2022, outlining LAPSUS$’s operational inner workings with speculation on how they were able to extort the largest tech giants in the world. The report did not divulge the members of the group, but rather their model of pure destruction and social engineering methodologies used to extract data from even the most secure of systems.

 

While the group may be comprised of juvenile counterparts, Microsoft repeatedly spoke on the intricate, elaborate, and downright cunning methods used, similar to the most mature threat actors.

 

Let’s take a look at their strategies.

 

Telegram Channel 

LAPSUS$ proved time and time again, that they are to be taken seriously regardless of the make-up of their group, forcing C-suite cybersecurity executives to take notice swiftly. Microsoft stated they tend to gain seemingly impossible access via “social engineering” involving the bribing of employees at targeted locations within customer support call centers and/or various help desks.

 

Microsoft wrote, “Microsoft found instances where the group successfully gained access to target organizations through recruited employees (or employees of their suppliers or business partners)”

 

LAPSUS$ recruits “insiders” via social media channels since the beginning of their attacks, using nicknames such as “Oklaqq” and “WhiteDoxbin” to name a couple. These recruitment posts offered upwards of $20k/week to informants employed within companies like AT&T, Verizon, and T-Mobile. Their message was simple, just get us in the door and we will do the rest.

 

 

SIM-Swapping Method 

SIM swapping is most simply described as transferring one’s mobile phone number (the target) to another device owned by the hacker. This opens the doors for attackers to receive those unique one-time codes & passwords for easy access to protected systems, while potentially gaining the ability to reset passwords for total control.

 

“Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets,” Microsoft explained.

 

Unit 221B, an advanced cybersecurity consultancy from New York, shadows cybercriminals performing SIM-swapping as well as keeping tabs on members of LAPSUS$ before their group ever formed (and still does). The group’s techniques, while wildly effective, are not unique, as this form of SIM-swapping has been heavily focused on within major phone companies for many years. Allison Nixon, Chief Research Officer of Unit 221B, exclaimed, “LAPSUS$ may be the first to make it extremely obvious to the rest of the world that there are a lot of soft targets that are not telcos,” Nixon said. “The world is full of targets that are not used to being targeted this way.”

 

The group also employs a malicious malware program called, “RedLine Stealer” or simply “RedLine”, which can be found on hacker forums for purchase and is commonly used for theft of information and infection of entire systems. Logins, passcodes, autofill data, and even stored payment info can be uncovered and extracted to access a plethora of personal accounts such as:

 

RedLine Stealer was once again put into action by LAPSUS$ against Electronic Arts (EA), threatening to reveal 780 GB of proprietary source code, unless a hefty payment was received. The hackers revealed they gained control of EA’s data via authentication cookies purchased from the dark web in a marketplace called, Genesis.

 

“The existence of this leak was initially disclosed on June 10, when the hackers posted a thread on an underground hacking forum claiming to have EA data, which they were willing to sell for $28 million. The hackers said they used the authentication cookies to mimic an already-logged-in EA employee’s account and access EA’s Slack channel and then trick an EA IT support staffer into granting them access to the company’s internal network,” wrote Catalin Cimpanu for The Record.

 

 

Social Engineering & Corporate Extortion 

Social engineering attacks work by stealing credentials that allow for data theft and other debilitating means via psychological manipulation of individuals to release critical data to attackers. Microsoft stated LAPSUS$ received “intimate knowledge” of various companies through these tactics allowing them unbelievable front-door access to systems.

 

LAPSUS$ was known to frequently dial help desks, sometimes bribing or tricking employees into resetting critical account information, and then learning how they handled these security invasions by listening in on comm channels like Teams and Slack. The group used this “training session” to truly understand the methods and protocol these organizations went through to deter the very attack the group planned to carry out. This insider knowledge allowed them to circumnavigate all security points and remain hidden within the system while formulating further plots for extortion.

 

Microsoft released a statement, “The group used the previously gathered information (for example, profile pictures) and had a native-English-sounding caller speak with the help desk personnel to enhance their social engineering lure. Observed actions have included DEV-0537 answering common recovery prompts such as “first street you lived on” or “mother’s maiden name” to convince help desk personnel of authenticity.”

 

Initial access is granted through various methods, such as using RedLine, searching public code repositories, and even purchasing remote access credentials via the dark web. Of course, more straightforward approaches such as directly paying employees for access also proved worthwhile.

 

Multi-factor authentication seems like a safeguard with minuscule security lapse but LAPSUS$ manages to override these systems through session token replay and even repeatedly spamming account holders with MFA prompts after they successfully gained the password. The hacker group stated in their Telegram chatroom, that upon targeting users during the middle of the night with MFA prompts, their success rates were much higher, since people tend to simply select, “Accept” rather than be interrupted during their precious hours.

 

Data Harvesting and VPNs 

Virtual private networks, also known as VPNs, are another key on the keychain of LAPSUS$, which utilized them in a way that prevented any “impossible travel alerts” from being triggered within the system. These alerts, connected to cloud monitoring services, detect any suspicious activity of all users and logins, making notes on any consecutive login attempts from let’s say Colorado and then another from New York, 5 minutes apart. Hence, the “impossible” nature since one person could not possibly access a system quickly from these locations. Bypassing this feature is a critical step to remain hidden long enough to exfiltrate target data.

 

Microsoft reported, “DEV-0537 has been observed leveraging access to cloud assets to create new virtual machines within the target’s cloud environment, which they use as actor-controlled infrastructure to perform further attacks across the target organization.”

 

Once inside, LAPSUS$ had the power to knock out the business from its cloud platform, giving it absolute control. Next, all inbound and outbound email was to be directed to its infrastructure where data would be harvested before the total deletion of systems. Finally, the group would either publicly unveil the stolen data or use their many extortion tactics to prevent data release.

 

All good things must come to an end…right?

 

Arrests 

Bloomberg releases a breaking report stating the entire operation is being driven by a 16-year-old teenager from Oxfordshire, UK with seven arrests following on March 24th.

 

The 16 yr. old boy's father told the BBC: "I had never heard about any of this until recently. He's never talked about any hacking, but he is very good at computers and spends a lot of time on the computer. I always thought he was playing games."

 

All arrested were immediately released, pending a deeper investigation, with confirmation coming on April 2nd that two individuals were charged with connection to LAPSUS$ and the attacks of numerous tech giants.

 

Offenses included: 

3x counts of unauthorized access w/ intent to impair the operation of or hinder access to a computer.
2x counts of fraud by false representation
1x count of causing a computer to perform a function to secure unauthorized access to a program

 

Both individuals are reportedly on bail with limited details available due to their status as minors.

 

As a cybercriminal group, letting your voice be heard can be an opportunity for increased notoriety, but also lead to increased investigation and scrutiny by law enforcement agencies around the world. The above arrests of a 16 & 17 yr. old came just days after the public unveiling of source code for mobile apps belonging to these companies on March 30th:

 

LAPSUS$’s Payday 

You might be wondering, with the insane prestige included on their “hit list”, how lined is the group’s wallet? Well, speculation has risen that LAPSUS$ has amassed upwards of $160 Million in revenue.

 

This finding is not concrete and has yet to be confirmed by members of LAPSUS$, but their public Telegram channel released details on their crypto wallet containing (3,790.62159317 bitcoin).

 

Where Are They Now? 

LAPSUS$ announced via its Telegram channel, “We created a Element/Matrix chat in the case this Telegram is deleted!

We advise everyone to join it!”

 

This is the last known message of the group, leading to speculation of potential regrouping while finding new paths of attacks after cutting it close with law enforcement. All of these intrusions mentioned in the blog occurred during a 3-month span, so potentially the master plan was to strike hard, and strike fast while jumping out before everything came crashing down.

 

Let us know what you think, have we heard the last of LAPSUS$, or is this just the dawn of a new era of cybercrime?

 

 

Attack Timeline

 

 

Public WiFi: Top Dangers for Remote Work

Public Wifi & Working From Home

By 2025, upwards of 36 million Americans will have entirely remote or flexible occupations, an 87 percent post-pandemic rise, according to some analysts. One might infer that having the opportunity to work outside of the office has led many employees to select open areas like cafés, diners, railway stations, terminals, and other public locations to do their tasks, increasing the vulnerability of organizations and people to cyberattacks via the dangers of public wifi.

 

Cyber Attacks Are On the Rise

You may believe, "I always use public wifi, and I've never had an issue!" Yes, at least not that you are aware of. The worrying reality is that cyberattacks are increasing along with the number of remote workers, putting everyone who uses public wi-fi in danger. Cyberattacks were ranked as the fifth top risk for businesses in the public and private sectors in a Global Risk Report that was issued in 2020, and it is anticipated that they will soon move up the list. The FBI assessed the financial cost at more than $4.2 billion and recorded 791,790 complaints of suspected cyber crime in 2020, which is 300,000 higher than reported in 2019. The need to safeguard oneself against the dangers of public wifi has never been greater.

 

What Are the Top Dangers of Public Wi-Fi for Businesses?

Most individuals who use public wi-fi networks while working are blissfully oblivious to the danger they run of unintentionally disclosing sensitive, secret, or essential information, which might pose a serious threat in the hands of an experienced hacker. You have probably used the convenience of free public wifi. The top seven risks of using public wifi for business, nevertheless, should be taken into consideration because this is not without significant risk.

 

Malware, Viruses, and Worms

The forced installation of malware, commonly referred to as malicious software, on user devices is one of the main hazards you may encounter when using public wi-fi. All programming and applications developed to damage devices or intercept information fall under this general heading. Hackers can infect the public wifi network, which subsequently spreads to the connected devices. Malware may cause havoc and spy on the systems it infects and comes in a variety of ways. In contrast to worms, which may multiply independently and do much more damage, viruses are a sort of malware that propagates through a host file and are activated and duplicated by a person.

Unencrypted Connections

Hackers may track all file sharing and data transferred between the individual and the server on a public wi-fi network when there is no encryption in place. In an unprotected network, a well-positioned attacker may simply follow the network users who are logged into the router and introduce malicious JavaScript onto their equipment.

Network Snooping

Network spying, which occurs when a hacker employs malicious software on an open wi-fi network to remotely observe the behavior on a third party's laptop, is another popular attack technique. Hackers can use this method to monitor any information transmitted, including passwords, credit card numbers, and other sensitive information.

Log-in Credential Vulnerability

Weak and obvious passwords lead to log-in credential vulnerability. Ensure all of your passwords for websites, applications, and wifi networks are strong and distinctive to avoid this kind of security issue.

System Update Alerts

Hackers are continuously coming up with new techniques to take control of smartphones. False system update alerts with the ability to exfiltrate data are one cunning kind of information theft that targets Android devices.

Session Hijacking

Public wifi networks provide a platform for a practice known as session hijacking, which involves abusing a valid online surfing experience. This is another way that hackers may access a network user's device's data without authorization, making any data about your company incredibly exposed.

 

How Can Businesses Stay Safe on Public Networks?

You must create a solid cybersecurity plan for your web presence and apps to ensure the protection of corporate communications, sensitive data, and other assets.

Here are some strategies for protecting your company from the dangers of open WiFi: