Richard Giddey

Okta hones in on thriving ANZ channel opportunities


At Okta’s annual conference, TechDay had a chance to sit down with Ajay Advani, recently appointed Vice President of APJ Channel and Strategic Alliances, to discuss the company’s partner focus for ANZ, including the Elevate programme, the SMB market opportunity, and the role of Oktane in building rapport and knowledge.

As reported by TechDay early September, Advani entered his role with a focus on building a strong partner network to support Okta’s broader business goals.

He said, “With identity management at the core of digital operations, Okta’s mission is to equip organisations with secure identity-led infrastructure, bolstering their digital service capabilities. A strong partner network is critical to achieving this goal.”

Fast forward to early October, and Advani is taking stock of Okta’s existing partner ecosystem and developing the company’s go-to market and channel strategy in the region.

As the company has been operating in ANZ for longer than other APJ regions, it currently trumps the rest in terms of renewal and retention rates, and what matters the most – bringing value to customers.

Throughout ANZ, Okta works with distributors, resellers and technology partners. The latter category helps to provide a full security stack to users and customers, enhancing Identity with the likes of endpoint and network security. At a regional and international level, Okta works with CrowdStrike, Palo Alto, Zscaler, Accenture, AWS and more.

In addition to building out the depth and breadth of partner relationships in ANZ, moving forward Okta is focused on growing the small to medium business (SMB) customer base.

As reported by the Australian Banking Association, of the 2.6 million businesses in Australia, the majority (98%) are small and medium enterprises. Meanwhile, in New Zealand, the Ministry of Business, Innovation and Employment finds that there are approximately 546,000 small businesses in the country, representing 97% of all firms. They account for 29.3% of employment and contribute over a quarter of the country’s gross domestic product (GDP).

Advani says, “Where we can grow a lot is in the medium and smaller spaces. I’d love to see more of that partner-driven. We’d love to see partners originate more deals, and their legacy partners able to take a deal from the cradle to the grave, from the start to the end, so that’s also an area of potential growth.”

Okta’s Elevate Partner Program is based on this notion of building the deal, incentivising not only transactions but long-term customer success. As Advani says, it’s about building closer relationships with partners, helping to develop the likes of turnkey solutions and enabling systems integrators, distributors and resellers to enhance their offering with Okta.

Advani says, “We don’t want to drop the product and say “see you later”. We want the partners to have shared responsibility with us to make sure customers are a success. We want to make informed decisions that are best for the market and our customers.”

“One way we do this is to compensate for existing accounts in exactly the same way as a net new logo, meaning partners have just as much incentive to ensure the existing account becomes successful. That’s a core principle for us.”

Okta’s Oktane conference saw a big turnout of APJ partners, who made up 10% of the 12,000 attendees. Comprising both executives and practitioners, the partners in attendance took the opportunity to meet with Okta in person, understand the developments of the solutions, including Okta’s artificial intelligence play, and seek guidance on how to maximise accounts.

One of the partners in attendance was NEXTGEN’s Group CEO, John Walters. On the partnership with Okta he says, “We proactively sought out Okta in 2019 as a Partner we wanted to take to market, and we became Okta’s first distributor outside of North America.”

“The journey in Australia and New Zealand has been expanded more recently into ASEAN with great support from Okta’s Leadership Team, who have instigated a more channel-focused strategy to support Okta’s capability to scale.”

Walters continues, “NEXTGEN Group has a “Better Together” approach to the cyber market, so Okta coupled with tech alliance partners such as CrowdStrike and Netskope provides next-generation cybersecurity solutions for customers and partners. We enjoy Okta’s innovative approach, and the announcements and messaging from Oktane 2023 have certainly moved the dial in this regard.”


Analyzing The Downtrend: A Look Into The 2022-23 Cybersecurity Budget Benchmark Summary


In a recent publication, the 2023 Security Budget Benchmark Summary Report by IANS Research and Artico Search shed light on the prevailing trends in cybersecurity spending during the 2022-23 budget cycle. The findings reflect a notable 65% reduction in growth, painting a picture of cautious or restrained budgetary allocations towards cybersecurity across various industries, especially within the U.S. and Canada. This detailed examination seeks to provide insights into the factors contributing to this downtrend, the implications on tech firms, and the prospective outlook on cybersecurity preparedness amidst evolving threat landscapes.

Key Highlights from the Report:

1. Dramatic Drop in Growth:

   – The 2022-23 budget cycle witnessed a significant deceleration in cybersecurity spending growth, plummeting to an average increase of 6% from the previous 17%.

2. Budget Stagnation and Reduction:

   – Among the 550+ Chief Information Security Officers (CISOs) surveyed, 37% indicated either stagnant budgets or outright reductions during this period, a significant climb from the prior 21%.

3. Technology Sector Hits the Brakes:

   – Tech firms, previously enjoying a robust 30% growth in security spending, encountered the steepest decline, settling at a mere 5% increase this cycle.

4. Reasons Behind Budget Augmentation:

   – Of the organizations that bucked the trend and increased their budgets, 17% attributed this to heightened risk, while 15% associated it with digital transformation endeavors following major industry disruptions such as high-profile security breaches.

5. Responsive Budgeting:

   – On an encouraging note, organizations that recalibrated their spending in reaction to major incidents amplified their budgets by an average of 27%, indicating a proactive, albeit reactive, financial commitment to bolstering cybersecurity postures.

6. A Cry for Resources:

   – Nick Kakolowski, the Senior Research Director of IANS, voiced concerns over the insufficiency of the incremental budget growth in coping with the expanding scope of challenges security teams encounter. He highlighted the resource crunch many CISOs faced towards the end of Q4 2022 and into 2023, with some even facing budget freezes.

Analysis:

The contained growth in cybersecurity budgets as elucidated in the report underscores a potentially perilous misalignment between the financial commitments and the escalating cybersecurity exigencies. Particularly for tech firms, which historically have been at the vanguard of cybersecurity investment, the sharp deceleration in budget growth may hint at either a misplaced sense of security or budgetary constraints spurred by other organizational priorities.

Furthermore, the relatively higher budget augmentations in response to major incidents indicate a reactive rather than proactive approach to cybersecurity financing. This reactive budgeting strategy, while understandable, may leave organizations perpetually a step behind in the ever-evolving cyber threat landscape.

Future Implications:

The data suggests a pivotal moment for organizations to re-evaluate the adequacy of their cybersecurity investments in the face of burgeoning cyber threats. It beckons a shift from reactive to proactive budgeting to not only address imminent threats but to also build a resilient cybersecurity infrastructure capable of preempting and mitigating future attacks.

The narrative woven by the 2022-23 Security Budget Benchmark Summary Report serves as both a reflection and a forewarning. As digital transformation continues to be a double-edged sword, ushering in innovation alongside increased vulnerabilities, the onus is on organizations to strike a judicious balance between budgetary prudence and cybersecurity vigilance.


Boise State’s Cyberdome marks successful first year in cybersecurity

Boise State University’s Cyberdome initiative, in partnership with Stellar Cyber, has marked its first year of operation as a resounding success. The programme, which is part of Boise State’s Institute for Pervasive Cybersecurity, aims to offer top-notch cybersecurity services to rural areas in Idaho, while also providing invaluable hands-on experience to students.

Edward Vasko, director of Boise State’s Institute for Pervasive Cybersecurity, said, “We’ve had a phenomenal year. We’ve partnered with other colleges in our state, and there are now dozens of Idaho students certified on using the Stellar Cyber platform. On the customer side of the programme, we have entered into a pilot programme with the Idaho Digital Learning Association’s Rural Education team, and we’re piloting efforts with them to eventually monitor as many as two dozen school districts, helping them improve their cybersecurity.”

The Cyberdome initiative is a win-win for both students and the rural communities it serves. It focuses on areas such as K-12 school districts, rural counties with election system security, and critical rural city systems that support water and electric districts. Many of these organisations have limited budgets for cybersecurity, making them vulnerable to cyberattacks.

Marty Gang, Chief Technology Officer for Lewis-Clark State College, a Cyberdome client, noted, “The Cyberdome has provided resources and information we have not been able to afford ourselves being a small college. Being provided insight into activities on our network that we didn’t have visibility into before has been very useful.”

Between January and July of 2023, students involved in the Cyberdome initiative monitored over 5,000 assets, analysed over 53,000 possible attacks, and notified clients of 350 potential real-time attacks. This has been crucial in ensuring that Idaho communities and school districts have the information they need to stay secure.

Dan Smith, Technology Director and IETA Region 2 Representative for the Kendrick Joint School District 283, another Cyberdome client, said, “The Cyberdome has been tremendous. It’s been a premium product being offered as a critically needed service, especially for the K-12 space. We absolutely need this, especially for smaller districts. It’s amazing to see that it’s actually here and available. We now have this overarching product and support system in place that is actually looking out for us.”

The collaboration between Boise State University and Stellar Cyber has also been mutually beneficial. “Through our relationship with Stellar Cyber, our team provides feedback about product enhancements, providing our students with first-hand knowledge of the technology provider market. Stellar Cyber enables our students like no other technology partner,” Vasko added.

Jim O’Hara, Chief Revenue Officer at Stellar Cyber, highlighted the broader implications of the programme. “There’s a huge shortage of cybersecurity analysts worldwide, and through our partnership in Boise State University’s Cyberdome programme, we’re helping address that issue,” he said.

The Cyberdome programme has received grants for student internships from the Idaho Global Entrepreneurship Mission’s Higher Education Research Council (IGEM-HERC) and Idaho’s Workforce Development Council, further solidifying its role as a cornerstone in cybersecurity education and rural community support.


Google to bolster phishing and malware delivery defenses in 2024

Google will introduce new sender guidelines in February to bolster email security against phishing and malware delivery by mandating bulk senders to authenticate their emails and adhere to stricter spam thresholds.

“Last year, we started requiring that emails sent to a Gmail address must have some form of authentication,” said Neil Kumaran, Group Product Manager for Gmail Security & Trust.

“And we’ve seen the number of unauthenticated messages Gmail users receive plummet by 75%, which has helped declutter inboxes while blocking billions of malicious messages with higher precision. That’s great progress, but there’s much more we need to do — starting with new requirements for large senders.”

Starting February 1st, 2024, Google will require senders dispatching over 5,000 messages daily to Gmail accounts to set up SPF/DKIM and DMARC email authentication for their domains to strengthen defenses against email spoofing and phishing attempts.

These senders must also provide Gmail recipients the option to unsubscribe from commercial emails with a single click. Additionally, they must handle unsubscription requests within a two-day timeframe.

Going forward, email senders must adhere to a specific spam rate threshold to avoid flooding Gmail users’ inboxes with unwanted content.

They’ll have to uphold spam rates below 0.3%, as indicated in Postmaster Tools, and avoid impersonating Gmail in their emails’ “From” headers. Failure to comply with these new regulations could lead to email delivery issues, as Google intends to enforce a DMARC quarantine policy.
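The requirements listed above (SPF, DKIM and DMARC on the sending domain, one-click unsubscribe, no Gmail impersonation in the From header, spam rate under 0.3%) can be checked before a campaign goes out. The following is an added example, not Google's tooling and not code from the original article: a pre-flight linter that parses one outbound message and returns a code for each requirement it misses. DNS lookups are stubbed with a constructed table, and treating "one-click unsubscribe" as the RFC 8058 `List-Unsubscribe`/`List-Unsubscribe-Post` header pair and requiring strict DKIM alignment are assumptions.

```python
"""Outbound-mail pre-flight check for bulk-sender requirements.

Added example (not Google's tooling). Each check maps to one requirement
in the article: SPF/DKIM/DMARC on the sending domain, one-click
unsubscribe, no gmail.com in the From header, spam rate below 0.3%.
DNS lookups are stubbed with a constructed table; the RFC 8058 unsubscribe
headers and strict DKIM alignment are assumptions.
"""
from email import message_from_string
from email.utils import parseaddr

SPAM_RATE_MAX = 0.003  # 0.3%, the Postmaster Tools threshold cited in the article

# Constructed DNS TXT data standing in for real lookups (assumption).
DNS_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
}


def lookup_txt(name):
    return DNS_TXT.get(name.lower(), [])


def parse_tags(value):
    """Split a 'k=v; k=v' tag list (DMARC record, DKIM-Signature) into a dict."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    return tags


def has_spf(domain):
    return any(r.lower().startswith("v=spf1") for r in lookup_txt(domain))


def has_dkim_key(selector, domain):
    return any(r.lower().startswith("v=dkim1")
               for r in lookup_txt(f"{selector}._domainkey.{domain}"))


def dmarc_policy(domain):
    """Return the p= tag of the domain's DMARC record, or None if none is published."""
    for record in lookup_txt(f"_dmarc.{domain}"):
        tags = parse_tags(record)
        if tags.get("v", "").upper() == "DMARC1":
            return tags.get("p")
    return None


def check_message(raw_message, spam_rate):
    """Return sorted finding codes; an empty list means the message passes."""
    msg = message_from_string(raw_message)
    findings = set()
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # Authentication: SPF and DMARC published for the From domain, plus a
    # DKIM signature whose d= aligns with it and whose selector has a key.
    if not has_spf(from_domain):
        findings.add("SPF")
    if dmarc_policy(from_domain) is None:
        findings.add("DMARC")
    sig = parse_tags(msg.get("DKIM-Signature", ""))
    signer, selector = sig.get("d", "").lower(), sig.get("s", "")
    if signer != from_domain or not has_dkim_key(selector, signer):
        findings.add("DKIM")

    # One-click unsubscribe (assumed to mean the RFC 8058 header pair).
    if not (msg.get("List-Unsubscribe") and msg.get("List-Unsubscribe-Post")):
        findings.add("UNSUBSCRIBE")

    # Bulk senders must not put gmail.com in the From header.
    if from_domain == "gmail.com":
        findings.add("GMAIL_IMPERSONATION")

    if spam_rate > SPAM_RATE_MAX:
        findings.add("SPAM_RATE")
    return sorted(findings)


# Constructed sample messages (placeholders instead of real signatures).
GOOD_MESSAGE = "\n".join([
    "From: News <news@example.com>",
    "To: someone@gmail.com",
    "Subject: Weekly update",
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s1;",
    "  h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER",
    "List-Unsubscribe: <https://example.com/unsub?id=123>, <mailto:unsub@example.com>",
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click",
    "",
    "Hello from the newsletter.",
])

BAD_MESSAGE = "\n".join([
    "From: Support <support@gmail.com>",
    "To: someone@gmail.com",
    "Subject: Account notice",
    "",
    "Please review your account.",
])

if __name__ == "__main__":
    print("good:", check_message(GOOD_MESSAGE, 0.001))
    print("bad:", check_message(BAD_MESSAGE, 0.005))
```

The finding codes are deliberately coarse: a real sender would wire `lookup_txt` to a resolver and verify the DKIM signature cryptographically rather than only checking that a key is published, but the structure (one check per requirement, fail closed) is what a mail team would run in CI before a send.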

“You shouldn’t need to worry about the intricacies of email security standards, but you should be able to confidently rely on an email’s source. Ultimately, this will close loopholes exploited by attackers that threaten everyone who uses email,” said Kumaran.

“If you don’t meet the requirements [..], your email might not be delivered as expected, or might be marked as spam,” Google explains in a support article.

Google claims that Gmail’s artificial intelligence-driven defenses successfully prevent over 99.9% of spam, phishing attempts, and malware from infiltrating its customers’ inboxes, effectively blocking nearly 15 billion unwanted emails daily.


Majority believe malicious AI will circumvent cybersecurity: Enea


76% of cybersecurity professionals believe the world is very close to encountering malicious artificial intelligence (AI) that can bypass most known cybersecurity measures. Over a quarter (26%) see this happening within the next year, and 50% in the next five years. 

Phishing, social engineering tactics, and malware attacks are those most likely to become more dangerous with the use of AI. These are some sobering findings published in a new report by Enea and Cybersecurity Insiders. 

The report, Artificial Intelligence in Cybersecurity, will be published on October 5, and the results of the survey on which the report is based will be discussed by AI specialists from Enea, Arista Networks, and Zscaler in a webinar presentation on the same day.

The report provides an in-depth, holistic view of how cybersecurity professionals see AI and its impact on the industry, including their anticipations, apprehensions, and various strategies for integrating AI into their network defences. The results are complemented by insights and recommendations, established through collaboration with Enea analysts, on how to build the capabilities, confidence, and resilience required to counter the emerging use of AI to execute cyberattacks.

The report breaks down key survey findings into fears, hopes, and plans around AI/ML in cybersecurity. 

In addition to the concern about offensive AI outpacing defensive AI, 77% of professionals express serious worries about rogue AI, where AI behaviour veers from its intended purpose or objectives and becomes unpredictable and dangerous. Phishing, social engineering, and malware attacks are the top threats AI will strengthen. Still, identity fraud, data privacy breaches, and distributed denial-of-service (DDoS) attacks were also cited as likely to become more effective.

Respondents are nonetheless optimistic about AI’s positive impact on cybersecurity. AI is anticipated to bolster threat detection and vulnerability assessments, with intrusion detection and prevention identified as the domain most likely to benefit from AI. Deep learning for detecting malware in encrypted traffic holds the most promise, with 48% of cybersecurity professionals anticipating a positive impact from AI. Cost savings emerged as the top KPI for measuring the success of AI-enhanced defences. At the same time, 72% of respondents believe AI automation will play a key role in alleviating cybersecurity talent shortages.

While a majority (61%) of organizations are yet to deploy AI in any meaningful way as part of their cybersecurity strategy, 41% consider AI a high or top priority. And a hopeful 68% of respondents expect a budget increase for AI initiatives over the next two years.

Half (50%) of cybersecurity leaders report that their organization has “extensive knowledge” regarding AI/ML in cybersecurity, and another 19% report “moderate knowledge,” with the remaining roughly one-third reporting no-to-minimal knowledge. When asked what steps organizations should take to prepare for sophisticated or overwhelming AI attacks, 68% cited increased cybersecurity training and awareness for employees.

Developing AI-specific incident response plans followed close behind (65%), and 61% said regular security assessments and audits. Over half of all respondents said that strengthening traditional security controls such as zero-trust protocols, multifactor authentication, next-gen firewalls, and threat intelligence was vital to preparing for sophisticated AI attacks.

“Understanding the profound impact of AI on cybersecurity is crucial for navigating the evolving threat landscape,” says Laura Wilber, senior industry analyst at Enea. “That begins by listening closely to the concerns and hopes of cybersecurity leaders and their teams on the front lines.”

“This report confirms growing concerns around the malicious use of AI, but it also highlights some remarkable innovations in the use of AI to streamline and automate defenses. Significant gains have already been made, such as a reduction in the average time it takes to detect and contain threats. However, AI is not a one-size-fits-all solution – it’s essential that businesses take a clear and methodical approach to implementing AI strategies in order to achieve maximum readiness and resilience. As we say at Enea – don’t be surprised, be ready.”


Check Point discovers new phishing scam on Dropbox


A new business email compromise 3.0 attack involving the file hosting service, Dropbox has been discovered by Check Point Research. 

In the first two weeks of September, CPR observed 5,440 attacks, just another example of hackers masquerading behind legitimate sites with the hope of scamming unsuspecting users via social engineering tactics.

Phishing via Dropbox

A burgeoning attack involving Dropbox is making the rounds. In the first two weeks of September, we saw 5,440 of these attacks.

Hackers are using Dropbox to create fake login pages that eventually lead to a credential harvesting page.

It’s yet another example of how hackers are utilizing legitimate services in what we call BEC 3.0 attacks. Business Email Compromise 3.0 attacks refer to the usage of legitimate sites—like Dropbox—to send and host phishing material. The legitimacy of these sites makes it nearly impossible for email security services to stop and end-users to spot.

“These attacks are increasing, and hackers are using all your favorite productivity sites—Google, Dropbox, QuickBooks, PayPal and more,” CPR says.

“It’s one of the cleverer innovations we’ve seen, and given the scale of this attack thus far, it’s one of the most popular and effective.”

Business Email Compromise has undergone a pretty rapid evolution.

It was only a few years ago that we were writing about so-called “gift card” scams. These were emails that pretended to come from a CEO or an executive, asking an underling to purchase “gift cards”. The idea is that the hackers would then use the gift cards for personal gain. These emails typically came from a spoofed Gmail address: think CEO@gmail.com, not CEO@company.com.

CPR says companies might also see impersonation of domains and partners, but these were always spoofs, not the real deal.

The next evolution came from compromised accounts. This may be an internal user compromised, such as someone in finance, or even a partner user compromised. These attacks are even trickier because they come from a legitimate address. But you might see a link to a fake O365 login page, or stilted language that NLP can pick up on.

But now we have BEC 3.0, attacks that come from legitimate services. NLP is useless here: the language comes directly from legitimate services and nothing is awry. URL scanning isn’t going to work either, since it’s going to direct the user to a legitimate Dropbox or other site.

These attacks are incredibly difficult to stop and identify, for both security services and end-users, CPR says.

“Starting with education is critical. End users need to ask themselves—do I know this person sending me a document?  And even if you do click on the document, the next thing to ask: does a OneDrive page on a Dropbox document make sense? Asking those questions can help. As can hovering over the URL on the Dropbox page itself,” CPR says.

“But that’s asking a lot of the user. That’s why these attacks are increasing in frequency and intensity.”

Check Point researchers reached out to Dropbox to inform them of this campaign on September 18th.

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

Adopt AI-powered technology capable of analysing and identifying numerous phishing indicators to proactively thwart complex attacks. 
Embrace a comprehensive security solution that includes document and file scanning capabilities. 
Deploy a robust URL protection system that conducts thorough scans and emulates webpages for enhanced security.
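CPR's advice above comes down to two questions a user can rarely answer reliably at scale: do I know this sender, and does the brand in the message match the service that actually hosts the link (a "OneDrive" page on a Dropbox document). The following is an added example, not Check Point's detection logic and not code from the original article: a triage function that asks those questions automatically for one message, so that lures hosted on a legitimate service still get routed to review even though the URL itself is clean. The service list, brand keywords, credential-prompt words and the verdict rule are assumptions.

```python
"""Triage for BEC 3.0-style lures hosted on legitimate services.

Added example, not Check Point's detection logic. It automates the two
questions CPR suggests: is the sender known, and does the brand the
message talks about match the service hosting the link? The service
list, brand keywords and verdict rule are assumptions.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Legitimate services the article names as BEC 3.0 hosts, mapped to the
# brand a message hosted there should be talking about (assumption).
SERVICES = {"dropbox.com": "dropbox", "google.com": "google",
            "intuit.com": "quickbooks", "paypal.com": "paypal"}

# Words that reveal which brand the message claims to be (assumption).
BRAND_WORDS = {
    "microsoft": ("onedrive", "sharepoint", "office 365", "o365"),
    "dropbox": ("dropbox",),
    "google": ("google drive", "google docs"),
}
CREDENTIAL_WORDS = ("sign in", "log in", "login", "password", "verify your")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def service_for(host):
    """Map a link's hostname to the brand of the legitimate service hosting it."""
    host = (host or "").lower()
    for domain, brand in SERVICES.items():
        if host == domain or host.endswith("." + domain):
            return brand
    return None


def brands_in(text):
    text = text.lower()
    return {b for b, words in BRAND_WORDS.items() if any(w in text for w in words)}


def triage(sender, body, known_senders):
    """Return {'signals': [...], 'verdict': 'ok' | 'review'} for one message."""
    _, addr = parseaddr(sender)
    hosted_brands = {service_for(urlparse(u).hostname) for u in URL_RE.findall(body)}
    hosted_brands.discard(None)
    signals = []
    if hosted_brands:
        signals.append("link_on_sharing_service")
    if addr.lower() not in {k.lower() for k in known_senders}:
        signals.append("unknown_sender")
    # "OneDrive" wording on a Dropbox-hosted link is the mismatch CPR describes.
    if hosted_brands and brands_in(body) - hosted_brands:
        signals.append("brand_mismatch")
    if any(w in body.lower() for w in CREDENTIAL_WORDS):
        signals.append("credential_prompt")
    # A clean URL on a real service is not enough on its own; it is the
    # combination with an unknown sender or a brand mismatch that matters.
    suspicious = "link_on_sharing_service" in signals and (
        "unknown_sender" in signals or "brand_mismatch" in signals)
    return {"signals": signals, "verdict": "review" if suspicious else "ok"}


# Constructed samples (placeholder paths, not real Dropbox links).
KNOWN_SENDERS = {"colleague@example.com"}
LURE_SENDER = "Alex Files <alex.files@example.net>"
LURE_BODY = ("Alex shared 'Invoice_0931.pdf' with you on OneDrive. Open it here: "
             "https://www.dropbox.com/s/CONSTRUCTED/Invoice_0931.pdf "
             "Sign in to view the document.")
BENIGN_SENDER = "colleague@example.com"
BENIGN_BODY = ("Here is the Dropbox folder for the Q3 report: "
               "https://www.dropbox.com/sh/CONSTRUCTED/q3")

if __name__ == "__main__":
    print(triage(LURE_SENDER, LURE_BODY, KNOWN_SENDERS))
    print(triage(BENIGN_SENDER, BENIGN_BODY, KNOWN_SENDERS))
```

The verdict rule is intentionally conservative: a known colleague sharing a Dropbox link with Dropbox wording stays "ok", while the same host with OneDrive wording from an unfamiliar address goes to review. In production the sender check would use the organisation's contact graph rather than a static set.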

Xenomorph Android malware now targets U.S. banks and crypto wallets


Security researchers discovered a new campaign that distributes a new version of the Xenomorph malware to Android users in the United States, Canada, Spain, Italy, Portugal, and Belgium.

Analysts at cybersecurity company ThreatFabric have been tracking Xenomorph activity since February 2022 and note that the new campaign launched in mid-August.

The latest version of Xenomorph is targeting users of cryptocurrency wallets and various U.S. financial institutions.

Xenomorph background

Xenomorph first appeared in the wild in early 2022, operating as a banking trojan that targeted 56 European banks through screen overlay phishing. It was distributed through Google Play, where it counted over 50,000 installations.

Its authors, “Hadoken Security,” continued development, and in June 2022, they released a rewritten version that made the malware modular and more flexible.

By then, Xenomorph was on Zimperium’s top ten most prolific banking trojans, so it had already achieved “major threat” status.

In August 2022, ThreatFabric reported that Xenomorph was being distributed via a new dropper named “BugDrop,” which bypassed security features in Android 13.

In December 2022, the same analysts reported about a new malware distribution platform dubbed “Zombinder,” which embedded the threat into legitimate Android apps’ APK file.

Most recently, in March 2023, Hadoken released the third major version of Xenomorph, featuring an automated transfer system (ATS) for autonomous on-device transactions, MFA bypass, cookie stealing, and the ability to target over 400 banks.

New campaign

In the latest campaign, the malware operators opted to use phishing pages, luring visitors to update their Chrome browser and trick them into downloading the malicious APK.

Fake Chrome update notice (ThreatFabric)

The malware continues to use overlays to steal information. However, it has now expanded its targeting scope to include financial institutions from the United States and multiple cryptocurrency apps.

Overlay mechanism in latest Xenomorph (ThreatFabric)

ThreatFabric explains that each Xenomorph sample is loaded with roughly a hundred overlays targeting different sets of banks and crypto apps, depending on the targeted demographic.

Number of targets seen in recent samples (ThreatFabric)

“[..] this latest campaign also added plenty of financial institutions from the United States, together with multiple crypto-wallet applications, totaling more than 100 different targets per sample, each one using a specifically crafted overlay to steal precious PII from the victim’s infected device.” – ThreatFabric

Banking trojans targeting U.S. institutions (ThreatFabric)

Latest version

Although the new Xenomorph samples aren’t vastly different from previous variants, they come with some new features indicating that its authors continue to refine and enhance the malware.

First, a new “mimic” feature can be activated by a corresponding command, giving the malware the capability to act as another application.

Additionally, mimic has a built-in activity named IDLEActivity, which acts as a WebView to display legitimate web content from the context of a trusted process.

This system replaces the need to hide icons from the app launcher post-installation, which is flagged as suspicious behavior by most mobile security tools.

Xenomorph’s new mimic system (ThreatFabric)

Another new feature is “ClickOnPoint,” which allows Xenomorph operators to simulate taps at specific screen coordinates.

This allows the operators to move past confirmation screens or perform other simple actions without employing the full ATS module, which might trigger security warnings.

Finally, there’s a new “antisleep” system that prevents the device from switching off its screen by means of an active notification.

This is useful for prolonging the engagement and avoiding interruptions that require re-establishing command and control communications.

Other findings

By taking advantage of weak security measures from the malware operator, ThreatFabric analysts could access their payload hosting infrastructure.

There, they discovered additional malicious payloads, including the Android malware variants Medusa and Cabassous, the Windows information stealers RisePro and LummaC2, and the Private Loader malware loader.

Users should be cautious with prompts on mobile to update their browsers, as those are likely part of malware distribution campaigns.

Xenomorph’s distribution alongside potent Windows malware suggests collaboration between threat actors or the possibility of the Android trojan being sold as Malware-as-a-Service (MaaS).


Chatbots lower the barrier for entry into cybercrime


The potential risk posed by AI/chatbots in cybercrime has dominated headlines recently. A new report considers how these tools are leveraged to create highly targeted phishing campaigns.  

Egress, a cybersecurity company providing intelligent email security, has released its second Phishing Threat Trends Report. The report’s findings demonstrate the evolving attack methodologies used by cybercriminals that are designed to get through traditional perimeter security including secure email gateways. 

The report delves into key phishing trends, including the most phished topic, explores prevalent obfuscation techniques being used to bypass perimeter defenses, and examines whether chatbots have really revolutionised cyberattacks.

All phishing threat data and examples contained within this report were taken from Egress Defend, an Integrated Cloud Email Security solution that uses intelligent technology to detect and defend against the most sophisticated phishing attacks.

“Without a doubt chatbots or large language models (LLM) lower the barrier for entry to cybercrime, making it possible to create well-written phishing campaigns and generate malware that less capable coders could not produce alone,” says Jack Chapman, VP of Threat Intelligence, Egress.

“However, one of the most concerning, but least talked about applications of LLMs is reconnaissance for highly targeted attacks. Within seconds a chatbot can scrape the internet for open-source information about a chosen target that can be leveraged as a pretext for social engineering campaigns, which are growing increasingly common,” Chapman says.

“I’m often asked if LLM really changes the game, but ultimately it comes down to the defense you have in place. If you’re relying on traditional perimeter detection that uses signature-based and reputation-based detection, then you urgently need to evaluate integrated cloud email security solutions that don’t rely on definition libraries and domain checks to determine whether an email is legitimate or not,” he says.

Phishing Threat Trends Report (October 2023): Key trends

As threats evolve, the cybersecurity industry must work together to continue to manage human risk in email.  To shed light on evolving attack techniques and to keep cybersecurity professionals informed, the Egress Phishing Threat Trends Report offers an in-depth look into key phishing trends and includes: 

Most phished topics of the year:

From RingCentral to alias impersonation attacks and leveraging social media to security software impersonations and sextortion, there has been no shortage of phishing attacks in 2023. The number one phishing topic was missed voice messages, which accounted for 18.4% of phishing attacks between January to September 2023, making them the most phished topic for the year so far. Many of these attacks use HTML smuggling to hide their payload.

Can you detect if chatbots are being used to write phishing emails?

The potential for cybercriminals to use chatbots to create phishing campaigns and malware has been cause for concern, but is it possible to tell whether a phishing email has been written by a chatbot? The report found that no person or tool can definitively tell whether an attack was written by a chatbot. Because they utilise large language models (LLMs), the accuracy of most detector tools increases with longer sample sizes, often requiring a minimum of 250 characters to work. With 44.9% of phishing emails not meeting the 250-character limit and a further 26.5% falling below 500, currently AI detectors either won’t work reliably or won’t work at all on 71.4% of attacks.

Obfuscation techniques on the rise:

The proportion of phishing emails employing obfuscation techniques has jumped by 24.4% in 2023, sitting at 55.2%. Obfuscation enables cybercriminals to hide their attacks from certain detection mechanisms. Egress Defend found that almost half (47%) of phishing emails that use obfuscation contain two layers to increase the chances of bypassing email security defenses to ensure successful delivery to the target recipient. Less than one-third (31%) use only one technique. HTML smuggling has proven the most popular obfuscation technique, accounting for 34% of instances.
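The report names HTML smuggling as the most common obfuscation layer but does not show what a gateway or inbox scanner looks for. The following is an added, defender-side illustration (not code from Egress or the report) of a heuristic scan of an HTML attachment for smuggling indicators: script that decodes an inline base64 blob, wraps it in a Blob and forces a download. The two HTML samples are constructed for the example; the scoring thresholds are an assumption chosen for illustration, not a published rule.

```python
import re
import base64

# Heuristic indicators of HTML smuggling (MITRE ATT&CK T1027.006): the attachment
# carries its payload encoded inline and uses script to turn it into a file in
# the browser, so nothing crosses the gateway as a recognisable attachment.
INDICATORS = {
    "decodes_base64": re.compile(r"\batob\s*\(|Uint8Array\.from\s*\(", re.I),
    "builds_blob": re.compile(r"\bnew\s+Blob\s*\(", re.I),
    "creates_object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "forces_download": re.compile(r"\.download\s*=|\bmsSaveOrOpenBlob\s*\(", re.I),
    "auto_click": re.compile(r"\.click\s*\(\s*\)", re.I),
}
# A long base64 run inside <script> is the encoded payload. Long base64 inside an
# <img src="data:..."> is normal for newsletters, so only script content counts.
SCRIPT_B64 = re.compile(r"<script[^>]*>.*?[A-Za-z0-9+/]{200,}={0,2}.*?</script>", re.I | re.S)


def scan_html_attachment(html: str) -> dict:
    """Return which indicators fired and whether the attachment looks like smuggling."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    has_blob = SCRIPT_B64.search(html) is not None
    # Assumed threshold: an encoded blob plus two behaviours, or three behaviours alone.
    suspicious = (has_blob and len(hits) >= 2) or len(hits) >= 3
    return {"indicators": hits, "encoded_blob_in_script": has_blob, "suspicious": suspicious}


# Constructed sample 1: a voicemail-themed lure whose script assembles a file client-side.
ENCODED = base64.b64encode(b"constructed placeholder bytes " * 10).decode()
SMUGGLING_SAMPLE = f"""<html><body>
<p>You have a new voice message.</p>
<script>
  var data = atob("{ENCODED}");
  var blob = new Blob([data]);
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "voicemail.zip";
  a.click();
</script></body></html>"""

# Constructed sample 2: a benign newsletter with an inline image and no script.
LOGO = base64.b64encode(b"constructed image bytes " * 12).decode()
BENIGN_SAMPLE = f"""<html><body>
<img src="data:image/png;base64,{LOGO}" alt="logo">
<p>This week's product updates and webinar schedule.</p>
</body></html>"""


if __name__ == "__main__":
    for label, sample in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_html_attachment(sample))
```

Run over a real mail stream, a check like this is a triage signal rather than a verdict: legitimate pages also call `atob` and build Blobs, which is why the scan counts several behaviours together and ignores base64 in image data URIs.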

Graymail dissected:

To understand how graymail impacts cybersecurity, Egress researchers analysed 63.8 million emails that organisations received over four weeks. They found that, on average, one-third (34%) of mail flow can be categorised as graymail (bulk but solicited emails such as notifications, updates, and promotional messages). Additionally, Wednesday and Friday are the most popular days of the week to send or receive graymail. The research found a direct correlation between the volume of graymail and the volume of phishing emails received; people with busier inboxes are more likely to be targeted by phishing campaigns.

Phishing currently has the upper hand as traditional perimeter detection is falling short:

More phishing emails are getting through traditional perimeter detection, so while overall volume hasn’t increased, this report shows attacks are increasing in sophistication and cybercriminals use a multitude of tactics to successfully get through perimeter email security. The percentage of emails that got through Microsoft defenses has increased by 25% from 2022 to 2023. Likewise, the percentage of emails that got through secure email gateways (SEGs) increased by 29% from 2022 to 2023.

Additionally, there has been an 11% increase in phishing attacks sent from compromised accounts in 2023. Compromised accounts send from trusted domains, so these attacks usually get through traditional perimeter detection. Almost half (47.7%) of the phishing attacks that Microsoft’s detection missed were sent from compromised accounts. The most common type of payload is phishing links to websites (45%), up from 35% in 2022. And all payloads bypassed signature-based detection to some degree.

“We produced this report to equip cybersecurity professionals with insights into advanced attacks, and what we found is that real-time teachable moments really do improve people’s ability to accurately identify phishing emails,” says Chapman.

“Legacy approaches to email security rely heavily on quarantine, barring end users from seeing phishing emails, but as our report highlights, phishing emails will inevitably get through,” he says.

“This is one of the reasons why we have flipped the quarantine model on its head, adding dynamic banners to neutralise threats within the inbox. 

“These banners are designed to clearly explain the risk in a way that’s easy to understand, timely, and relevant, acting as teachable moments that educate the user. Ultimately, teaching someone to catch a phish is a more sustainable approach for long-term resilience.”

Ransomware acting within 24 hours of access now: Secureworks report

The annual State of the Threat Report from Secureworks indicates that half of all ransomware deployments happen within one day of initial access. This means that threat actors can progress from initiating the ransomware attack to complete system compromise in less than 24 hours, drastically reducing the detection window for businesses.

The report was compiled by the Secureworks Counter Threat Unit (CTU) and identifies key strategies employed by cybercriminals and state-sponsored threat actors in cyberattacks. Noteworthy findings include an increase in “name and shame” attacks where the victims’ details are leaked online. These were largely driven by proliferating ransomware gangs like Lockbit and Cl0p. Russia has notably targeted campaigns at relief efforts, scientific researchers, and weapons suppliers.

Ransomware median dwell time – the time between initial system access and ransomware deployment – has dropped from 4.5 days to less than one day in a year, according to the report. In some cases, ransomware was deployed within five hours of initial access. This significant decrease is attributed to a desire among cybercriminals for a lower chance of detection, as threat actors now focus on simpler and quicker operations rather than complex, enterprise-wide encryption events. However, the risk associated with these attacks remains high, according to Don Smith, VP Threat Intelligence at Secureworks’ CTU. Smith also observes that despite high-profile takedowns and sanctions, cybercriminals continue to adapt and pose a significant threat.

While notorious threat actors like GOLD MYSTIC (Lockbit) still dominate the ransomware landscape, new groups are emerging, bringing about a significant rise in victim and data leaks. This has made the past four months the busiest period for victim numbers since the start of the “name and shame” attacks in 2019.

The report identifies the three main initial access vectors used by ransomware attackers as scan-and-exploit, stolen credentials, and commodity malware conveyed through phishing emails. Over half of the most exploited vulnerabilities during the report period were known vulnerabilities from 2022 and prior. Despite much discussion about AI-based attacks, most high-profile attacks in 2023 were due to unpatched infrastructure. As Smith says, “cybercriminals are reaping the rewards from tried and tested methods of attack, so organisations must focus on basic cyber hygiene”.

The report also explores the activities and trends of state-sponsored threat groups from China, Russia, Iran, and North Korea. Geopolitics remains the primary motivation behind state-sponsored threat activities. Technological advancements have seen nations diversify tactics, with China focusing on Eastern Europe and Iran using fake personas to hide culpability. Meanwhile, North Korean threat groups have swindled $2.3 billion USD in crypto assets between May 2017 and May 2023.

The Secureworks State of the Threat Report provides an in-depth analysis of the evolving global cybersecurity threat landscape over the last year. It is based on the real-life incident observations of Secureworks’ Counter Threat Unit and offers critical insight into the threats observed on the cybersecurity front line.

NSA and CISA reveal top 10 cybersecurity misconfigurations

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) revealed today the top ten most common cybersecurity misconfigurations discovered by their red and blue teams in the networks of large organizations.

Today’s advisory also details what tactics, techniques, and procedures (TTPs) threat actors use to successfully exploit these misconfigurations with various goals, including gaining access to, moving laterally, and targeting sensitive information or systems.

The information included in the report was collected by the two agencies’ Red and Blue teams during assessments and during incident response activities.

“These teams have assessed the security posture of many networks across the Department of Defense (DoD), Federal Civilian Executive Branch (FCEB), state, local, tribal, and territorial (SLTT) governments, and the private sector,” the NSA said.

“These assessments have shown how common misconfigurations, such as default credentials, service permissions, and configurations of software and applications; improper separation of user / administration privilege; insufficient internal network monitoring; poor patch management, place every American at risk,” said Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA.

The top 10 most prevalent network misconfigurations discovered during Red and Blue team assessments and by NSA and CISA Hunt and Incident Response teams include:

As stated in the joint advisory, these common misconfigurations reflect systemic weaknesses within the networks of numerous large organizations.

This underscores the critical need for software manufacturers to adopt secure-by-design principles, thereby mitigating the risk of compromise.

Goldstein urged software manufacturers to embrace a set of proactive practices, aiming to effectively tackle these misconfigurations and alleviate the challenges faced by network defenders.

These include integrating security controls into the product architecture from the initial stages of development and throughout the software development lifecycle.

Furthermore, manufacturers should stop using default passwords and ensure that compromising a single security control does not jeopardize the entire system’s integrity. Taking proactive measures to eliminate whole categories of vulnerabilities, such as utilizing memory-safe coding languages or implementing parameterized queries, is also essential.

Lastly, Goldstein said it’s imperative to mandate multifactor authentication (MFA) for privileged users and establish MFA as a default feature, making it a standard practice rather than an optional choice.

NSA and CISA also encourage network defenders to implement the recommended mitigation measures to reduce the risk of attackers exploiting these common misconfigurations.

Mitigations that would have this effect include:

Besides applying the outlined mitigations, NSA and CISA recommend “exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework” in today’s advisory.

The two federal agencies also advise testing the existing inventory of security controls to assess their performance against the ATT&CK techniques described in the advisory.
