James Edgar’s wide range of experience protecting public- and private-sector organizations from cybersecurity threats has helped him hone his ability to see the whole picture when it comes to cybersecurity. Edgar came up through the ranks in network engineering, earning his first information security officer role at the Georgia Department of Corrections after working as a consultant for the agency. “At the time, the state of Georgia was looking to form a new organization called the Georgia Technology Authority, pulling the technology areas of all different agencies within the state.” With that initiative, the state developed cybersecurity standards and established the information security officer position. At the Georgia Department of Corrections, the second-largest agency in the state, Edgar helped integrate the technology functions of each Georgia agency under the Georgia Technology Authority umbrella while securing the data of the state’s 34 correctional facilities. After securing the Department of Corrections’ networks for a number of years, Edgar stepped into a new role at ChoicePoint, now owned by LexisNexis, to help build out their cybersecurity function as the company dealt with a breakdown in business practices and an FTC audit. “It was a great opportunity to step into an environment and a program that was obviously under a lot of scrutiny, but getting a lot of support from executives.” There, Edgar played an integral role in maturing the organization’s cybersecurity function, overseeing encryption practices and expanding the corporate cybersecurity policy. Edgar then moved to Cox Communications, where he grew into senior management roles, leading their security architecture program and third-party risk management efforts. From there, he moved to Elavon, a payment processor and subsidiary of U.S.
Bank, where he led their security architecture and assurance teams and helped to mature the financial organization’s cybersecurity program. As he rose through the cybersecurity ranks, Edgar developed programs that matured alongside his career. Now, Edgar holds the role of Senior Vice President, Chief Information Security Officer (CISO) at FLEETCOR, a corporate services and business payment firm. As the organization’s second-ever CISO, Edgar leads the company’s Global Information Security team, which covers North America, South America, the U.K. and Europe, with some connections in the APAC region. The Global Information Security team covers a number of cybersecurity goals within the organization and with its external partners. One team within Global Information Security focuses on incident response, security operations and vulnerability identification and remediation. The security engineering & consulting team ensures that FLEETCOR and its clients have the proper controls in place to support growth and update existing solutions. “They’re kind of the frontline to ensure that as we develop, grow and build up frameworks around our program, they are being applied properly and we have the right controls, tools and processes in place.” Another team works on IT governance, compliance and risk efforts, covering over 20 audits and assessments that the organization undergoes each year to ensure a competitive and compliant cybersecurity posture. FLEETCOR has BISOs throughout its regions as well, who help to infuse the company’s cybersecurity practices with location-specific intelligence. “As organizations get bigger and they get spread out, it’s very difficult to manage everything from a central location. When everything is funneled through one area, it helps to have engagement with the lines of business (LOBs),” says Edgar. “That’s why these business information security officers are so critical to success. 
They ensure that local CIOs are engaged with our cybersecurity program, that we’re meeting compliance requirements, and that risk is being addressed within those LOBs.” Growth has been a common theme throughout Edgar’s career, and FLEETCOR is no exception. “We’ve quadrupled the Global Information Security team since I started here. With a truly global team, we’ve been able to bring in a lot more maturity to the program.” A business-critical aspect of FLEETCOR’s cybersecurity team is ensuring the security of the company’s mergers and acquisitions (M&As). FLEETCOR has acquired over 100 companies in the last decade, and Edgar’s team works to reduce risk and ensure compliance as those organizations merge. Edgar foregrounds compliance to ensure security during these business transitions. “Of course, every acquisition is unique, but there are fundamentals that you want to follow. From a security standpoint, it helps to start with a compliance framework. From there, because a lot of these companies are private, smaller businesses that didn’t grow up in the world of SOX regulations, you go in and help them understand what it means to be part of FLEETCOR.” Training newly acquired companies on how to deal with that cybersecurity “culture shock,” as Edgar calls it, is one of the most critical aspects of securing a business during and after M&As. By taking the time to explain the cybersecurity programs implemented in their environment after an M&A, large companies can help small businesses understand the need for cyber compliance, says Edgar. “It may not happen overnight,” he says, but emphasizing and expanding policies, security standards and compliance can help provide a framework for acquired businesses to bolster their cybersecurity programs. “It really comes down to instilling a culture. We need to make sure that security is everybody’s job. 
Everyone’s a part of that process, and it only takes one person to click on the wrong link.” That security culture conversation extends from M&As to internal boardrooms as well. Edgar says he’s seen a shift in the way cybersecurity & compliance are talked about in the C-suite. “Businesses realize the importance of engaging security,” he says. “Security is really about enabling the business and helping them understand that if we want to be more competitive, security is a big part of that. At the end of the day, compliance doesn’t equal security, but if you do security right, you’ll be compliant.” Edgar says that throughout all of the industries in which he’s worked, protecting data comes down to building a security-minded culture within the organization. Whether it’s impressing upon a corrections officer the importance of avoiding suspicious websites or training executives not to click phishing links, cybersecurity starts with everyone building security awareness across the organization. “Cybersecurity really is a team sport. As I’ve gone through my career and moved up the ladder, it becomes more and more important.”
Cyber security is vital as it protects people and devices from falling prey to cyber-attacks.
In a span of 13 months, cyber scamsters allegedly swindled people out of over Rs 335 crore even as the Haryana Police’s cyber cell is now scrambling to identify the conmen and put them behind bars. The cell’s priority is also to put on hold the fraudulent transactions and recover the swindled money from the possession of the accused. From January 1, 2022, to December 31, 2022, the cyber cell received over 66,784 complaints in which the complainants alleged that they were duped of Rs 301,48,30,788 (approx Rs 301 crore). Taking cognisance of the complaints, the cyber cell has so far managed to put the transactions on hold or recover Rs 46,91,10,031 (approx Rs 47 crore). Out of these over 66,784 complaints, 33,532 complaints are pending and under process, while 31,087 have been disposed of. Also, 2,165 criminal cases have been registered and more than 1,065 people have so far been arrested in these criminal cases. In January 2023, another Rs 34.80 crore has allegedly been swindled by cyber scamsters, out of which the cyber cell has been able to recover over Rs 2.78 crore. In this month, 166 criminal cases were registered of which 61 accused have so far been arrested. Haryana Chief Minister Manohar Lal Khattar on February 8 reviewed the law and order situation in the state and expressed concern about growing cyber crimes. “Cyber crime has become a threat not only to individuals but also to the government sector, thus endangering national security,” Khattar had said while chairing the law and order review meeting that was attended by state’s home minister Anil Vij and top police officers of the state. Haryana Police department is being technologically strengthened to meet the ongoing challenges posed by cyber crimes. The state police is opening new cyber police stations and will also be launching a special awareness drive across the state telling people about the safety tips and precautions that are required to be taken to avert cyber frauds. 
Officials told The Indian Express that in the last 13 months, over 1.81 lakh calls have been received on the cybercrime helpline number 1930. By February 4 this year, the cyber cell had got over 22,444 bank accounts of suspected cyber criminals blocked and is initiating further action. Over 30,029 mobile phone numbers that were allegedly being used to commit cybercrimes have been uploaded on the “Cyber Safe” Portal for blocking, while a technical opinion is being sought from the central agencies/experts through the CyCord Portal in 236 cases. The cyber cell has also analysed that the cyber criminals are using “Rainbow Table Attacks” for hacking passwords. “Rainbow table attack is a password hacking method that involves using rainbow hash tables. Whenever a password is stored on a system, it’s encrypted using a ‘hash’. In order to bypass this, hackers maintain directories that record passwords and their corresponding hashes, often built from previous hacks. Rainbow tables make password cracking much faster than earlier methods, such as brute-force attacks and dictionary attacks. Rainbow tables store a pre-compiled list of all possible plain text versions of encrypted passwords based on a hash algorithm,” an officer said. Explaining the modus operandi, a senior official said, “As password databases are often poorly secured, criminals are able to gain access to leaked hashes in order to carry out rainbow table attacks. The process is simplified as a search-and-compare operation, as all of the values in a rainbow table are already computed. In rainbow table attacks, the exact password doesn’t need to be known. Authentication is possible as long as the hash matches. Such attacks are specific to given password hash and password types. The sheer volume of possible combinations means rainbow tables can be enormous, often hundreds of gigabytes in size.
Rainbow table attacks are possible on various kinds of passwords such as 8- and 9-character New Technology LAN Manager passwords; and cyber criminals steal password hashes and decrypt the passwords of every user from a web application/network which is using outdated password hashing techniques.” Varinder Bhatia is Deputy Resident Editor, The Indian Express, Chandigarh.
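The officials quoted above describe the precomputed-table principle and name "outdated password hashing techniques" as the condition that makes it work. The following Python is an added example, not code from the article or from the Haryana Police: it shows why an unsalted, fast hash can be recovered by a simple lookup, and why a random per-user salt combined with a slow key-derivation function (PBKDF2 here) leaves a precomputed table with nothing to match. It uses a plain hash-to-plaintext dictionary rather than the chain-and-reduction compression of a true rainbow table, and the candidate password list and the password "Summer2022" are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for a leaked-password corpus; a real
# table is built from millions of candidates, but the principle is identical.
CANDIDATES = ["password", "letmein", "Summer2022", "qwerty123", "correcthorse"]
ITERATIONS = 200_000  # PBKDF2 work factor; tune upward on production hardware


def unsalted_hash(password, algorithm="sha1"):
    """Outdated storage scheme: one fixed, fast hash of the password, no salt."""
    return hashlib.new(algorithm, password.encode()).hexdigest()


def build_lookup_table(candidates, algorithm="sha1"):
    """Precompute hash -> plaintext once for every candidate.
    Real rainbow tables compress this mapping into hash chains with reduction
    functions; this example keeps the plain dictionary to show the principle."""
    return {unsalted_hash(c, algorithm): c for c in candidates}


def lookup(table, stored_hash):
    """The 'search-and-compare' step: no hashing at crack time, only a lookup."""
    return table.get(stored_hash)


def store_salted(password, salt=None):
    """Hardened scheme: random 16-byte per-user salt plus an iterated KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password, salt, digest):
    """Constant-time comparison so verification leaks no timing information."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def demo():
    table = build_lookup_table(CANDIDATES)
    leaked = unsalted_hash("Summer2022")      # what a breached unsalted DB holds
    recovered = lookup(table, leaked)         # -> "Summer2022"

    salt, digest = store_salted("Summer2022")
    # Same password, different storage: the table has no entry because every
    # possible salt value would need its own precomputed table.
    salted_hit = lookup(table, digest.hex())  # -> None
    # Two users with the same password get different digests.
    _, digest2 = store_salted("Summer2022")
    return {
        "recovered": recovered,
        "salted_hit": salted_hit,
        "digests_differ": digest != digest2,
        "verify_ok": verify_salted("Summer2022", salt, digest),
        "verify_wrong": verify_salted("Summer2023", salt, digest),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt does not need to be secret, only unique per record; its job is to make every stored digest a fresh target that no table built in advance can cover. The iteration count then makes per-target guessing expensive, which is the second property the old schemes lack.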
ANI | Updated: Feb 16, 2023 17:21 IST New Delhi [India], February 16 (ANI): Advancing India’s cyber-preparedness, KAVACH-2023, a national-level hackathon was launched on Thursday to identify innovative ideas and technological solutions for addressing the cyber security and cybercrime challenges of the 21st century.
All India Council for Technical Education and the Bureau of Police Research and Development jointly launched the national-level Hackathon.
While addressing the media, TG Sitharam, Chairman, All India Council for Technical Education (AICTE), said that KAVACH-2023 is a unique kind of national hackathon to identify innovative ideas and technological solutions for addressing the cyber security and cybercrime challenges of the 21st century faced by our law enforcement agencies and common citizens.
Speaking on the occasion Balaji Srivastava, Director General, Bureau of Police Research and Development (BPR&D), said that it will be a 36-hour long event, during which youth from educational institutions across the country and registered start-ups will participate to find robust, secure and effective technological solutions for cyber security by using their technical expertise and innovative skills.
“It will advance the blockage of cyber security crimes with robust system monitoring and safety provisions,” he added. (ANI)
SPOTLIGHT – The number of breaches dipped in the second half of the year, but the number of people affected rose sharply, according to a new report. Nearly 50 million Americans were affected by data breaches involving health records in 2022. That’s the disturbing figure from a new analysis released Wednesday by Critical Insight, a cybersecurity company. The number of breaches actually dropped in the second half of 2022, the report found. There were 313 breaches from July through December, down from 345 in the first half of the year, a 9% decline. However, even as the number of breaches dropped, more individuals were affected by those breaches in the latter part of the year. There were 28.5 million Americans affected by breaches in the second half of 2022, compared to 21.1 million during the first six months of the year, which represents a 35% increase. In the last six months of the year, the average health data breach affected more than 91,000 individuals. Health systems still have a lot of work to do to protect patient records from cyberattacks, said John Delano, a co-author of the report and the vice president of ministry and support services at CHRISTUS Health. “We feel like we've made some progress, because overall, the breach numbers are down,” he said. “But realistically, when you look at it, the number of records affected are up. And so that, to me, is the bigger problem.” There were 658 breaches in 2022, down from 711 in 2021. The report found that 49.6 million Americans were affected by breaches in 2022, which actually represents a drop from 53.4 million in 2021. Still, the impact of breaches has grown substantially in recent years. In 2020, 34.4 million Americans saw private information exposed in breaches. There were 662 breaches in 2020, which is virtually the same number as in 2022, but last year’s attacks and breaches affected 15 million more people.
More sophisticated attacks

Attackers are starting to shift some of their efforts to gain access to health records. While criminals are targeting hospitals and healthcare providers, they are also gaining access by going after the other businesses health systems rely on every day, including third-party vendors, accounting, billing and lawyers. In the second half of the year, more records were exposed due to breaches occurring at business associates (48%) than at healthcare providers (47%). Over the course of 2022, 71% of all health data breaches occurred in healthcare providers, while 17% of breaches were linked to business associates, and 12% of breaches came from health plans, according to the report. Delano said healthcare organizations are paying more attention to the security of data being handled by third-party vendors and other business associates, and they are spelling out legal requirements to protect that patient information. But it’s a difficult task. “It's hard for organizations, because we deal with a lot of third parties, we deal with a lot of business associates, and having the bandwidth to be able to periodically check in on them and make sure that they're treating your data the way you would treat it, becomes very difficult. And that's hard to maintain,” Delano said. Attackers did their most damage by obtaining records from network servers, according to the report. “Network servers were the jackpot for hackers,” accounting for 90% of the records that were breached, according to the report. Attackers are apparently finding more success in gaining access to electronic medical records, the report states. While breaches involving electronic medical records were nonexistent in the past, the report said 7% of breaches involved EMRs in the first half of the year, and 4% of breaches in the last six months of 2022. For the year, 6 million patient records were exposed due to EMR-related breaches, according to the report.
“When you've got a database of records that could span 10 or 15 years, you're going to have a lot of patients that are impacted,” Delano said. Some breaches are becoming more damaging because attackers are getting more sophisticated. In the past, health systems built defenses against “script kiddies, people that just kind of Googled how to hack something, and they're looking for commonly known vulnerabilities, but they don't really know what they're doing,” Delano said. Now, Delano said, “They're more sophisticated. And so, that is becoming a challenge, because it used to just be that you had to protect from some common known stuff, and now people are actually doing real hacking.” Among the larger breaches of the year, CommonSpirit Health suffered a ransomware attack that impacted 600,000 patient records, the report noted. The system took its electronic medical records offline and had to reschedule some patient appointments. Health systems still continue to see breaches occurring through email. In the second half of 2022, 20% of breaches occurred via email, which was down from 30% in the first half of the year. “A lot of organizations do phishing campaigns, and I think that's helped,” Delano said. “Although phishing campaigns are getting more sophisticated as well. It used to be pretty easy to spot one now. Now it's a lot more difficult.”

‘You can’t do nothing’

Healthcare leaders need to be engaged in helping their systems improve their cybersecurity, Delano said. “You can't make excuses,” he said. “You can't do nothing. So, start talking to your board, if you're not talking to your board, about the challenges, about the concerns. Make sure that your executives are aware of the challenges, aware of the threats. And, you know, don't sit on the sidelines.” Ransomware attacks continue to frustrate hospitals and health systems.
In a recent survey of healthcare IT professionals by the Ponemon Institute, nearly half (47%) said their organizations experienced a ransomware attack in the past two years. More IT professionals are saying the attacks led to complications in patient care, with 45% reporting complications from medical procedures due to ransomware attacks, up from 36% in 2021. Regal Medical Group, based in California, said last week that a ransomware cyberattack exposed patient information. More than 3 million people could have been affected, according to a database of breaches kept by the U.S. Department of Health & Human Services. Delano said he was encouraged by the recent success of the FBI in disrupting the Hive ransomware gang, which has targeted hospitals and health systems. The Justice Department said last month that the FBI managed to penetrate Hive’s systems and thwart up to $130 million in ransom demands. “Certainly a small healthcare organization’s not going to have the resources to combat that,” Delano said. “So getting the DOJ or the FBI involved, and helping to kind of work some of these gangs or criminal activity that's happening out there, is a benefit to everyone.”
The cybersecurity workforce has reached an all-time high, with an estimated 4.7 million professionals, but there’s still a global shortage of 3.4 million workers in this field, according to the 2022 (ISC)2 Cybersecurity Workforce Study released Thursday. And that shortage persists, despite the addition of 464,000 more cybersecurity positions this year, the report found. In the U.S. alone, there are more than 700,000 unfilled cybersecurity jobs, data from Cybersecurity Ventures shows. As the need for cybersecurity talent grows, wages and other benefits should follow. Currently, the median salary for cybersecurity professionals in the U.S. is $135,000, according to (ISC)2. The study also shows that 27% of cybersecurity professionals enter the industry for the potential of high salaries and strong compensation packages. “Cybersecurity salaries appear to be driven by several factors, including years of experience, sector employed, certifications attained and even geographic location like large concentrations of professionals in areas with high costs of living like Washington D.C. Scarcity of talent is most likely a driver as well,” Clar Rosso, CEO of (ISC)2, tells Fortune. “The good news for new people entering the field is that salaries remain strong.” In addition to the growing talent gap, there’s another dynamic at play in cybersecurity: The number of cybersecurity attacks companies are facing each year is growing. Between 2020 and 2021, the average number of cybersecurity attacks per year rose 31%, to 270 attacks, according to Accenture’s State of Cybersecurity Report 2021. Companies, on average, fell victim to 29 attacks last year. Cyber attacks have also been more prevalent recently in a year of “geo-political and macroeconomic turbulence,” according to the (ISC)2 study. One of the major events was the Russian cyberattacks on the Ukrainian government at the beginning of the war.
“The modern cybersecurity landscape has galvanized passion and persistence within its workforce—which continues to change and evolve with the world around it,” reads the (ISC)2 study. “The global cybersecurity workforce is growing, but so is the gap in professionals needed to carry out its critical mission.” Cybersecurity workers know they’re in high demand. Nearly 70% of these workers feel as if their organization doesn’t have enough cybersecurity staff to be effective, the (ISC)2 study shows, and more than half of the employees at organizations with workforce shortages see their company as being at moderate or extreme risk of a cyberattack. Attracting and retaining top cybersecurity talent requires collaboration among departments, Rosso says. Frequent communication between cybersecurity managers and human resources can help when it comes to figuring out what works and what doesn’t when trying to recruit cybersecurity workers. “Collaboration between HR and cybersecurity hiring managers is key to attracting and retaining talent,” Rosso says. “HR professionals should have regular check-ins with cybersecurity hiring managers to discuss and co-develop job descriptions to ensure they are realistic, achievable and can attract the right talent rather than be an obstacle.” Part of attracting and retaining top cybersecurity talent is finding the right amount to pay people. Reports from industry leaders show that cybersecurity wages continue to grow year-over-year. Between 2020 and 2021, some cybersecurity salaries jumped by more than 16%, to well over the six-figure mark, according to a 2021 report from Dice, a tech recruiting platform. Another key benefit for cybersecurity workers is access to continuing education and certifications. In fact, more than 60% of cybersecurity workers seek new certifications for skills growth and to stay current with security trends, the (ISC)2 study shows.
“Professionals are saying loud and clear that corporate culture, experience, training and education investment and mentorship are paramount to keeping your team motivated, engaged and effective,” Rosso says. “Team members of different ages and experience levels need different levels of support from their organizations. Success here means investing in education, professional development, mentorships, flexible work arrangements, and career pathing.” A good starting place for organizations looking to jumpstart their cybersecurity education efforts is to encourage employees to pursue new certifications and trainings, Rosso says. “In addition to helping encourage employees to invest in educational resources, organizations should recognize these achievements as it helps to keep people engaged for the long term,” Rosso adds.
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory (CSA) detailing activity and key findings from a recent CISA red team assessment—in coordination with the assessed organization—to provide network defenders recommendations for improving their organization’s cyber posture.

Actions to take today to harden your local environment:

In 2022, CISA conducted a red team assessment (RTA) at the request of a large critical infrastructure organization with multiple geographically separated sites. The team gained persistent access to the organization’s network, moved laterally across the organization’s multiple geographically separated sites, and eventually gained access to systems adjacent to the organization’s sensitive business systems (SBSs). Multifactor authentication (MFA) prompts prevented the team from achieving access to one SBS, and the team was unable to complete its viable plan to compromise a second SBS within the assessment period. Despite having a mature cyber posture, the organization did not detect the red team’s activity throughout the assessment, including when the team attempted to trigger a security response. CISA is releasing this CSA detailing the red team’s tactics, techniques, and procedures (TTPs) and key findings to provide network defenders of critical infrastructure organizations proactive steps to reduce the threat of similar activity from malicious cyber actors.
This CSA highlights the importance of collecting and monitoring logs for unusual activity as well as continuous testing and exercises to ensure your organization’s environment is not vulnerable to compromise, regardless of the maturity of its cyber posture. CISA encourages critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA—including conducting regular testing within their security operations center—to ensure security processes and procedures are up to date, effective, and enable timely detection and mitigation of malicious activity.

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See the appendix for a table of the red team’s activity mapped to MITRE ATT&CK tactics and techniques.

CISA has authority to, upon request, provide analyses, expertise, and other technical assistance to critical infrastructure owners and operators and provide operational and timely technical assistance to Federal and non-Federal entities with respect to cybersecurity risks. (See generally 6 U.S.C. §§ 652[c][5], 659[c][6].) After receiving a request for a red team assessment (RTA) from an organization and coordinating some high-level details of the engagement with certain personnel at the organization, CISA conducted the RTA over a three-month period in 2022. During RTAs, a CISA red team emulates cyber threat actors to assess an organization’s cyber detection and response capabilities. During Phase I, the red team attempts to gain and maintain persistent access to an organization’s enterprise network while avoiding detection and evading defenses. During Phase II, the red team attempts to trigger a security response from the organization’s people, processes, or technology. The “victim” for this assessment was a large organization with multiple geographically separated sites throughout the United States.
For this assessment, the red team’s goal during Phase I was to gain access to certain sensitive business systems (SBSs). The organization’s network was segmented with both logical and geographical boundaries. CISA’s red team gained initial access to two organization workstations at separate sites via spearphishing emails. After gaining access and leveraging Active Directory (AD) data, the team gained persistent access to a third host via spearphishing emails. From that host, the team moved laterally to a misconfigured server, from which they compromised the domain controller (DC). They then used forged credentials to move to multiple hosts across different sites in the environment and eventually gained root access to all workstations connected to the organization’s mobile device management (MDM) server. The team used this root access to move laterally to SBS-connected workstations. However, a multifactor authentication (MFA) prompt prevented the team from achieving access to one SBS, and Phase I ended before the team could implement a seemingly viable plan to achieve access to a second SBS. The CISA red team gained initial access [TA0001] to two workstations at geographically separated sites (Site 1 and Site 2) via spearphishing emails. The team first conducted open-source research [TA0043] to identify potential targets for spearphishing. Specifically, the team looked for email addresses [T1589.002] as well as names [T1589.003] that could be used to derive email addresses based on the team’s identification of the email naming scheme. The red team sent tailored spearphishing emails to seven targets using commercially available email platforms [T1585.002]. The team used the logging and tracking features of one of the platforms to analyze the organization’s email filtering defenses and confirm the emails had reached the target’s inbox. 
The team built a rapport with some targeted individuals through emails, eventually leading these individuals to accept a virtual meeting invite. The meeting invite took them to a red team-controlled domain [T1566.002] with a button, which, when clicked, downloaded a “malicious” ISO file [T1204]. After the download, another button appeared, which, when clicked, executed the file. Two of the seven targets responded to the phishing attempt, giving the red team access to a workstation at Site 1 (Workstation 1) and a workstation at Site 2. On Workstation 1, the team leveraged a modified SharpHound collector, ldapsearch, and command-line tool, dsquery, to query and scrape AD information, including AD users [T1087.002], computers [T1018], groups [T1069.002], access control lists (ACLs), organizational units (OU), and group policy objects (GPOs) [T1615]. Note: SharpHound is a BloodHound collector, an open-source AD reconnaissance tool. Bloodhound has multiple collectors that assist with information querying. There were 52 hosts in the AD that had Unconstrained Delegation enabled and a lastlogon timestamp within 30 days of the query. Hosts with Unconstrained Delegation enabled store Kerberos ticket-granting tickets (TGTs) of all users that have authenticated to that host. Many of these hosts, including a Site 1 SharePoint server, were Windows Server 2012R2. The default configuration of Windows Server 2012R2 allows unprivileged users to query group membership of local administrator groups. The red team queried parsed Bloodhound data for members of the SharePoint admin group and identified several standard user accounts with administrative access. The team initiated a second spearphishing campaign, similar to the first, to target these users. One user triggered the red team’s payload, which led to installation of a persistent beacon on the user’s workstation (Workstation 2), giving the team persistent access to Workstation 2. 
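The finding above (52 hosts with Unconstrained Delegation enabled and a recent lastlogon) is the kind of exposure a defender should be able to enumerate themselves before an assessor does. The following Python is an added example, not code from the advisory or from CISA: it runs the same check over a constructed set of computer records in the shape an LDAP export would have, decoding the TRUSTED_FOR_DELEGATION bit of userAccountControl, converting the FILETIME-encoded lastLogonTimestamp, and separating actively used hosts from stale ones. The host names, logon ages and operating systems are hypothetical; the LDAP filter string is the one a real query would use and is included for that purpose.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits, from Microsoft's documented ADS_USER_FLAG_ENUM values.
TRUSTED_FOR_DELEGATION = 0x80000      # unconstrained Kerberos delegation
SERVER_TRUST_ACCOUNT = 0x2000         # domain controller computer account
WORKSTATION_TRUST_ACCOUNT = 0x1000    # ordinary member computer account

# Filter a live query would send; the OID is the LDAP_MATCHING_RULE_BIT_AND rule.
UNCONSTRAINED_FILTER = (
    "(&(objectCategory=computer)"
    f"(userAccountControl:1.2.840.113556.1.4.803:={TRUSTED_FOR_DELEGATION}))"
)

# Fixed "query time" so the constructed data evaluates the same way every run.
NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """lastLogonTimestamp is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def computer(name, uac, days_since_logon, os_name):
    """Build one constructed directory record (hypothetical values)."""
    return {
        "sAMAccountName": name,
        "userAccountControl": uac,
        "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=days_since_logon)),
        "operatingSystem": os_name,
    }


# Constructed sample export standing in for the result of UNCONSTRAINED_FILTER
# plus the ordinary hosts a full computer listing would also return.
SAMPLE_COMPUTERS = [
    computer("DC01$", SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, 0, "Windows Server 2019"),
    computer("SP01$", WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, 3, "Windows Server 2012 R2"),
    computer("APP03$", WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, 12, "Windows Server 2019"),
    computer("FS02$", WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, 95, "Windows Server 2016"),
    computer("WS01$", WORKSTATION_TRUST_ACCOUNT, 1, "Windows 10 Enterprise"),
]


def find_unconstrained_hosts(records, now=NOW, window_days=30):
    """Return (active, stale): non-DC hosts with unconstrained delegation, split by
    whether lastLogonTimestamp falls inside the window. DCs are skipped because
    they carry TRUSTED_FOR_DELEGATION by design; every other hit is a finding."""
    active, stale = [], []
    cutoff = now - timedelta(days=window_days)
    for rec in records:
        uac = rec["userAccountControl"]
        if not uac & TRUSTED_FOR_DELEGATION or uac & SERVER_TRUST_ACCOUNT:
            continue
        last_logon = filetime_to_datetime(rec["lastLogonTimestamp"])
        (active if last_logon >= cutoff else stale).append(rec["sAMAccountName"])
    return active, stale


if __name__ == "__main__":
    active, stale = find_unconstrained_hosts(SAMPLE_COMPUTERS)
    print("unconstrained, active in window:", active)
    print("unconstrained, stale:", stale)
```

lastLogonTimestamp is replicated lazily (by default it can lag the true last logon by up to 14 days), which is coarse but adequate for a 30-day window; stale hosts still deserve attention, since a server that is switched on but rarely logged into caches TGTs exactly as an active one does. The remediation the advisory points at is to remove the flag and, where delegation is genuinely needed, replace it with constrained or resource-based constrained delegation.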
The red team moved laterally [TA0008] from Workstation 2 to the Site 1 SharePoint server and obtained SYSTEM-level access to that server, which had Unconstrained Delegation enabled. They used this access to obtain the cached credentials of all logged-in users—including the New Technology Local Area Network Manager (NTLM) hash for the SharePoint server account. To obtain the credentials, the team took a snapshot of lsass.exe [T1003.001] with a tool called nanodump, exported the output, and processed the output offline with Mimikatz.

The team then exploited the Unconstrained Delegation misconfiguration to steal the DC’s TGT. They ran the DFSCoerce Python script (DFSCoerce.py), which prompted DC authentication to the SharePoint server using the server’s NTLM hash. The team then deployed Rubeus to capture the incoming DC TGT [T1550.002], [T1557.001]. (DFSCoerce abuses Microsoft’s Distributed File System [MS-DFSNM] protocol to relay authentication against an arbitrary server.[1])

The team then used the TGT to harvest Advanced Encryption Standard (AES)-256 hashes via DCSync [T1003.006] for the krbtgt account and several privileged accounts—including domain admins, workstation admins, and a System Center Configuration Manager (SCCM) service account (SCCM Account 1). The team used the krbtgt account hash throughout the rest of their assessment to perform golden ticket attacks [T1558.001], in which they forged legitimate TGTs. The team also used the asktgt command to impersonate accounts they had credentials for by requesting account TGTs [T1550.003].

The team first impersonated SCCM Account 1 and moved laterally to a Site 1 SCCM distribution point (DP) server (SCCM Server 1) that had direct network access to Workstation 2. The team then moved from SCCM Server 1 to a central SCCM server (SCCM Server 2) at a third site (Site 3).
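The two Kerberos weaknesses the team chained here, Unconstrained Delegation on an in-use member server and a krbtgt key that is never rotated (listed under Findings), are both visible in directory data before an attacker uses them. The following is an added example, not CISA's tooling or the organization's own scripts: it audits constructed AD records for both. The attribute names (userAccountControl, lastLogonTimestamp, pwdLastSet) and the flag bits are the real AD schema values; the hosts, the krbtgt age and the "query time" are invented for the illustration.

```python
"""Added example (not CISA's tooling): audit constructed Active Directory
records for two Kerberos weaknesses, hosts with Unconstrained Delegation
that are still in use, and a krbtgt password that has not been rotated.
Attribute names follow the real AD schema (userAccountControl,
lastLogonTimestamp, pwdLastSet); the records and query time are invented."""
from datetime import datetime, timedelta, timezone

# Real userAccountControl flag bits.
TRUSTED_FOR_DELEGATION = 0x80000    # Unconstrained Delegation
SERVER_TRUST_ACCOUNT = 0x2000       # domain controller computer account
WORKSTATION_TRUST_ACCOUNT = 0x1000  # member server or workstation account

NOW = datetime(2023, 2, 1, tzinfo=timezone.utc)  # constructed query time


def days_ago(n):
    return NOW - timedelta(days=n)


# Constructed computer objects. A real export carries lastLogonTimestamp as
# a Windows FILETIME integer; here it is stored already converted.
COMPUTERS = [
    {"name": "DC01$", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "lastLogonTimestamp": days_ago(1), "operatingSystem": "Windows Server 2019"},
    {"name": "SP-SITE1$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "lastLogonTimestamp": days_ago(3), "operatingSystem": "Windows Server 2012 R2"},
    {"name": "OLDAPP$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "lastLogonTimestamp": days_ago(200), "operatingSystem": "Windows Server 2008 R2"},
    {"name": "WS-042$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "lastLogonTimestamp": days_ago(2), "operatingSystem": "Windows 10"},
]

# Constructed krbtgt account object.
KRBTGT = {"sAMAccountName": "krbtgt", "pwdLastSet": days_ago(1500)}


def unconstrained_delegation_hosts(computers, active_days=30, include_dcs=False):
    """Names of hosts with Unconstrained Delegation that logged on within
    active_days. Domain controllers carry the flag by design and are
    excluded unless include_dcs is set; every other hit is a host that
    caches the TGT of anyone who authenticates to it."""
    cutoff = NOW - timedelta(days=active_days)
    hits = []
    for c in computers:
        uac = c["userAccountControl"]
        if not uac & TRUSTED_FOR_DELEGATION:
            continue
        if uac & SERVER_TRUST_ACCOUNT and not include_dcs:
            continue
        if c["lastLogonTimestamp"] >= cutoff:
            hits.append(c["name"])
    return hits


def stale_delegation_hosts(computers, active_days=30):
    """Delegation-enabled non-DC hosts with no recent logon: candidates for
    clearing the flag or decommissioning rather than urgent triage."""
    cutoff = NOW - timedelta(days=active_days)
    return [c["name"] for c in computers
            if c["userAccountControl"] & TRUSTED_FOR_DELEGATION
            and not c["userAccountControl"] & SERVER_TRUST_ACCOUNT
            and c["lastLogonTimestamp"] < cutoff]


def krbtgt_rotation_overdue(krbtgt, max_age_days=180):
    """Return (overdue, age_in_days). A golden ticket forged from the old
    krbtgt hash keeps working until the password has been reset twice,
    because the previous key is retained to validate outstanding tickets."""
    age = (NOW - krbtgt["pwdLastSet"]).days
    return age > max_age_days, age


if __name__ == "__main__":
    print("active unconstrained delegation (non-DC):", unconstrained_delegation_hosts(COMPUTERS))
    print("stale delegation hosts:", stale_delegation_hosts(COMPUTERS))
    print("krbtgt overdue, age:", krbtgt_rotation_overdue(KRBTGT))
```

Against the constructed records the audit reports SP-SITE1$ as the live delegation host (the SharePoint-style case above), OLDAPP$ as a stale one, and the krbtgt password as 1500 days old. The 180-day threshold is the example's own choice; what matters is that the reset is performed twice, with a gap longer than the maximum ticket lifetime, so that tickets forged with the old key stop validating.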
Specifically, the team:

The team also moved from SCCM Server 1 to a Site 1 workstation (Workstation 3) that housed an active server administrator. The team impersonated an administrative service account via a golden ticket attack (from SCCM Server 1); the account had administrative privileges on Workstation 3. The server administrator relied on a KeePass password manager, which stored credentials in a database file. The red team pulled the decryption key from memory using KeeThief and used it to unlock the database [T1555.005], obtaining passwords for other internal websites, a kernel-based virtual machine (KVM) server, virtual private network (VPN) endpoints, firewalls, and another KeePass database with credentials.

At the organization’s request, the red team confirmed that SCCM Server 2 provided access to the organization’s sites because firewall rules allowed SMB traffic to SCCM servers at all other sites. The team moved laterally from SCCM Server 2 to an SCCM DP server at Site 5 and from SCCM Server 1 to hosts at two other sites (Sites 4 and 6). The team installed persistent beacons at each of these sites. Site 5 was broken into a private and a public subnet, and only DCs were able to cross that boundary. To move between the subnets, the team moved through DCs. Specifically, the team moved from the Site 5 SCCM DP server to a public DC and then from the public DC to the private DC. The team was then able to move from the private DC to workstations in the private subnet.

The team leveraged access available from SCCM Server 2 to move around the organization’s network for post-exploitation activities (see the Post-Exploitation Activity section). See Figure 1 for a timeline of the red team’s initial access and lateral movement showing key access points.
While traversing the network, the team varied their lateral movement techniques to evade detection and because the organization had non-uniform firewalls between the sites and within the sites (within the sites, firewalls were configured by subnet). The team’s primary methods to move between sites were AppDomainManager hijacking and dynamic-link library (DLL) hijacking [T1574.001]. In some instances, they used Windows Management Instrumentation (WMI) Event Subscriptions [T1546.003].

The team impersonated several accounts to evade detection while moving. When possible, the team remotely enumerated the local administrators group on target hosts to find a valid user account. This technique relies on anonymous SMB pipe binds [T1071], which are disabled by default starting with Windows Server 2016. In other cases, the team attempted to determine valid accounts based on group name and purpose. If the team had previously acquired the credentials, they used asktgt to impersonate the account. If the team did not have the credentials, they used the golden ticket attack to forge the account.

With persistent, deep access established across the organization’s networks and subnetworks, the red team began post-exploitation activities and attempted to access SBSs. Trusted agents of the organization tasked the team with gaining access to two specialized servers (SBS 1 and SBS 2). The team achieved root access to three SBS-adjacent workstations but was unable to move laterally to the SBS servers: However, the team assesses that by using Secure Shell (SSH) session socket files (see below), they could have accessed any hosts available to the users whose workstations were compromised.

Conducting open-source research [T1591.001], the team identified that SBS 1 and SBS 2 assets and the associated management/upkeep staff were located at Sites 5 and 6, respectively. Adding previously collected AD data to this discovery, the team was able to identify a specific SBS 1 admin account.
The team planned to use the organization’s mobile device management (MDM) software to move laterally to the SBS 1 administrator’s workstation and, from there, pivot to SBS 1 assets. The team identified the organization’s MDM vendor using open-source and AD information [T1590.006] and moved laterally to an MDM distribution point server at Site 5 (MDM DP 1). This server contained backups of the MDM MySQL database on its D: drive in the Backup directory. The backups included the encryption key needed to decrypt any encrypted values, such as SSH passwords [T1552]. The database backup identified both the user of the SBS 1 administrator account (USER 2) and the user’s workstation (Workstation 4), which the MDM software remotely administered.

The team moved laterally to an MDM server (MDM 1) at Site 3, searched files on the server, and found plaintext credentials [T1552.001] for an application programming interface (API) user account stored in PowerShell scripts. The team attempted to leverage these credentials to browse to the web login page of the MDM vendor but were unable to do so because the website redirected to an organization-controlled single sign-on (SSO) authentication page.

The team gained root access to workstations connected to MDM 1—specifically, the team accessed Workstation 4—by:

While interacting with Workstation 4, the team found an open SSH socket file and a corresponding netstat connection to a host that the team identified as a bastion host from architecture documentation found on Workstation 4. The team planned to move from Workstation 4 to the bastion host and on to SBS 1. Note: An SSH socket file allows a user to open multiple SSH sessions through a single, already authenticated SSH connection without additional authentication. The team could not take advantage of the open SSH socket. Instead, they searched through SBS 1 architecture diagrams and documentation on Workstation 4.
They found a security operations (SecOps) network diagram detailing the network boundaries between Site 5 SecOps on-premises systems, Site 5 non-SecOps on-premises systems, and Site 5 SecOps cloud infrastructure. The documentation listed the SecOps cloud infrastructure IP ranges [T1580]. These “trusted” IP addresses were a public /16 subnet; the team was able to request a public IP in that range from the same cloud provider, and Workstation 4 made successful outbound SSH connections to this cloud infrastructure. The team intended to use that connection to reverse tunnel traffic back to the workstation and then access the bastion host via the open SSH socket file. However, Phase I ended before they were able to implement this plan.

Conducting open-source research, the team identified an organizational branch [T1591] that likely had access to SBS 2. The team queried the AD to identify the branch’s users and administrators. The team gathered a list of potential accounts, from which they identified administrators with technical roles, such as SYSTEMS ADMIN or DATA SYSTEMS ADMINISTRATOR. Using their access to the MDM MySQL database, the team queried potential targets to (1) determine the target’s last contact time with the MDM and (2) ensure any policy targeting the target’s workstation would run relatively quickly [T1596.005].

Using the same methodology as described by the steps in the Plan for Potential Access to SBS 1 section above, the team gained interactive root access to two Site 6 SBS 2-connected workstations: a software engineering workstation (Workstation 5) and a user administrator workstation (Workstation 6). The Workstation 5 user had bash history files containing what appeared to be SSH passwords mistyped into the bash prompt and saved in bash history [T1552.003]. The team then attempted to authenticate to SBS 2 using a similar tunnel setup as described in the Access to SBS 1 section above and the potential credentials from the user’s bash history file.
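Three of the credential findings above share one root cause: secrets at rest in files that are not meant to hold them (API credentials in PowerShell scripts on the MDM server, SSH passwords typed at the bash prompt and kept in .bash_history, and a plaintext credential file on Workstation 6). The following is an added example, not the assessment's tooling, of a scanner a defender can run over home directories and script repositories to surface those patterns. Both inputs are constructed samples; the command names and regular expressions are the example's own choices.

```python
"""Added example (not the assessment's tooling): scan text for the kinds of
credential leakage described above, passwords typed at the shell prompt and
kept in bash history, sshpass/mysql inline passwords, and plaintext secrets
in PowerShell scripts. Both inputs are constructed samples."""
import re

BASH_HISTORY = """\
ls -la
ssh admin@10.0.0.5
Winter2023!
sshpass -p 'Sup3rSecret' ssh ops@10.0.0.7
cd /var/log
mysql -u root -pRootPass1
"""

PS_SCRIPT = """\
$apiUser = "mdm-api"
$apiPass = "Pa55w0rd-example"
$sec = ConvertTo-SecureString "Pa55w0rd-example" -AsPlainText -Force
Invoke-RestMethod -Uri $uri -Credential $cred
"""

# Commands that commonly stand alone on a history line; never treated as
# stray secrets.
COMMON_COMMANDS = {"ls", "cd", "pwd", "exit", "clear", "history", "top", "htop",
                   "ssh", "sudo", "vim", "nano", "git", "mysql", "sshpass",
                   "ll", "ps", "df", "free", "logout", "reboot"}

PATTERNS = [
    ("sshpass inline password", re.compile(r"\bsshpass\s+-p\s*\S+")),
    ("mysql inline password", re.compile(r"\bmysql\b.*\s-p\S+")),
    ("powershell plaintext secret",
     re.compile(r'ConvertTo-SecureString\s+"[^"]+"\s+-AsPlainText', re.I)),
    ("password variable assignment",
     re.compile(r'\$\w*(pass|pwd|secret)\w*\s*=\s*"[^"]+"', re.I)),
]


def looks_like_stray_secret(line):
    """A history line that is a single token, not a known command, not a
    path or option, at least 8 characters, and drawn from 3+ character
    classes: what a password typed into the prompt by mistake looks like."""
    tok = line.strip()
    if not tok or any(ch.isspace() for ch in tok):
        return False
    if tok in COMMON_COMMANDS or tok.startswith(("/", "./", "~", "-")):
        return False
    if len(tok) < 8:
        return False
    classes = sum([
        any(c.islower() for c in tok),
        any(c.isupper() for c in tok),
        any(c.isdigit() for c in tok),
        any(not c.isalnum() for c in tok),
    ])
    return classes >= 3


def scan_for_credentials(text, shell_history=False):
    """Return (line_number, label) findings. The stray-secret heuristic is
    applied only to shell history, where a lone non-command token is
    suspicious; in a script it would mostly produce noise."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for label, pat in PATTERNS:
            if pat.search(line):
                findings.append((n, label))
        if shell_history and looks_like_stray_secret(line):
            findings.append((n, "possible password typed at prompt"))
    return findings


if __name__ == "__main__":
    for name, text, hist in [("bash_history", BASH_HISTORY, True),
                             ("deploy.ps1", PS_SCRIPT, False)]:
        for n, label in scan_for_credentials(text, shell_history=hist):
            print(f"{name}:{n}: {label}")
```

On the constructed history the scanner flags line 3 (a lone mixed-class token), the sshpass line and the mysql line; on the script it flags the password variable and the ConvertTo-SecureString call. The heuristic is deliberately conservative (single token, three character classes) so that ordinary commands and paths are not reported; a finding is a prompt to rotate the credential and to move it into a secrets store, not proof of compromise.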
However, this attempt was unsuccessful for unknown reasons. On Workstation 6, the team found a .txt file containing plaintext credentials for the user. Using the pattern discovered in these credentials, the team was able to crack the user’s workstation account password [T1110.002]. The team also discovered potential passwords and SSH connection commands in the user’s bash history. Using a similar tunnel setup to the one described above, the team attempted to log into SBS 2. However, a prompt for an MFA passcode blocked this attempt. See Figure 2 for a timeline of the team’s post-exploitation activity that includes key points of access.

The team used third-party owned and operated infrastructure and services [T1583] throughout their assessment, including in certain cases for command and control (C2) [TA0011]. These included:

The red team executed 13 measurable events designed to provoke a response from the people, processes, and technology defending the organization’s network. See Table 1 for a description of the events, the expected network defender activity, and the organization’s actual response.

Measurable Event | Description | MITRE ATT&CK Technique(s) | Expected Detection Points | Expected Network Defender Reactions | Reported Reactions
Internal Port Scan | Launch scan from inside the network from a previously gained workstation to enumerate ports on target workstation, server, and domain controller system(s). | | | | None
Comprehensive Active Directory and Host Enumeration | Perform AD enumeration by querying all domain objects from the DC; and enumerating trust relationships within the AD Forest, user accounts, and current session information from every domain computer (Workstation and Server). | | | | Collection process stopped before completion. Host isolated and sent for forensics.
Data Exfiltration—1 GB of Data | Send a large amount (1 GB) of mock sensitive information to an external system over various protocols, including ICMP, DNS, FTP, and/or HTTP/S. | | | | None
Malicious Traffic Generation—Workstation to External Host | Establish a session that originates from a target Workstation system directly to an external host over a clear text protocol, such as HTTP. | | | | None
Active Directory Account Lockout | Lock out several administrative AD accounts. | | | Develop response plan | None
Local Admin User Account Creation (workstation) | Create a local administrator account on a target workstation system. | | | | None
Local Admin User Account Creation (server) | Create a local administrator account on a target server system. | | | | None
Active Directory Account Creation | Create AD accounts and add them to the domain admins group. | | | | None
Workstation Admin Lateral Movement—Workstation to Workstation | Use a previously compromised workstation admin account to upload and execute a payload via SMB and Windows Service Creation, respectively, on several target Workstations. | | | | None
Domain Admin Lateral Movement—Workstation to Domain Controller | Use a previously compromised domain admin account to upload and execute a payload via SMB and Windows Service Creation, respectively, on a target DC. | | | | None
Malicious Traffic Generation—Domain Controller to External Host | Establish a session that originates from a target Domain Controller system directly to an external host over a clear text protocol, such as HTTP. | | | Develop response plan | None
Trigger Host-Based Protection—Domain Controller | Upload and execute a well-known (e.g., with a signature) malicious file to a target DC system to generate host-based alerts. | | | | Malicious file was removed by antivirus
Ransomware Simulation | Execute simulated ransomware on multiple Workstation systems to simulate a ransomware attack. Note: This technique does NOT encrypt files on the target system. | | | N/A | Four users reported event to defensive staff

The red team noted the following key issues relevant to the security of the organization’s network. These findings contributed to the team’s ability to gain persistent, undetected access across the organization’s sites. See the Mitigations section for recommendations on how to mitigate these issues.

The team noted the following additional issues.

The red team noted the following technical controls or defensive measures that prevented or hampered offensive actions:

CISA recommends organizations implement the recommendations in Table 2 to mitigate the issues listed in the Findings section of this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures.
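Most of the events in Table 1 drew no reported reaction, and the Findings list "insufficient host and network monitoring" first. Two of the events are easy to express as detection logic over data most environments already collect: an internal port scan from a compromised workstation, and a local or AD admin account being created and immediately placed in a privileged group. The following is an added example, not CISA's or the organization's detection content, that runs both rules over constructed records. The event field names mirror Windows Security events 4720 (user account created) and 4728/4732/4756 (member added to a global/local/universal group); the flow records use a generic (timestamp, src, dst, dport) shape; every value is invented.

```python
"""Added example (not CISA's tooling): detection logic for two Table 1
events, privileged-account creation and an internal port scan, over
constructed records. Event fields mirror Windows Security events 4720 and
4728/4732/4756; flow records are generic (ts, src, dst, dport) tuples."""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2023, 2, 1, 9, 0, 0)  # constructed base time


def at(seconds):
    return T0 + timedelta(seconds=seconds)


# Constructed Security-log style events.
EVENTS = [
    {"ts": at(0), "EventID": 4720, "Computer": "WS-042",
     "TargetUserName": "svc_helper", "SubjectUserName": "jdoe"},
    {"ts": at(20), "EventID": 4732, "Computer": "WS-042",
     "TargetUserName": "Administrators", "MemberName": "WS-042\\svc_helper",
     "SubjectUserName": "jdoe"},
    {"ts": at(60), "EventID": 4624, "Computer": "WS-042",
     "TargetUserName": "jdoe", "SubjectUserName": "-"},
    {"ts": at(300), "EventID": 4720, "Computer": "DC01",
     "TargetUserName": "backupadm", "SubjectUserName": "adm_x"},
    {"ts": at(345), "EventID": 4728, "Computer": "DC01",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=backupadm,CN=Users,DC=corp,DC=example",
     "SubjectUserName": "adm_x"},
    {"ts": at(900), "EventID": 4720, "Computer": "DC01",
     "TargetUserName": "newhire", "SubjectUserName": "hr_prov"},
]

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins",
                     "Enterprise Admins", "Schema Admins"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}


def member_account(member):
    """Reduce 'HOST\\name' or 'CN=name,...' (the two forms MemberName takes)
    to the bare account name."""
    if member.upper().startswith("CN="):
        return member[3:].split(",", 1)[0]
    return member.rsplit("\\", 1)[-1]


def new_privileged_accounts(events, window_seconds=600):
    """Pair each account-creation event with a later add to a privileged
    group for the same account within the window. Returns
    (computer, account, group) per hit; an account created and left
    unprivileged (newhire) is not reported."""
    created = {}
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["EventID"] == 4720:
            created[e["TargetUserName"]] = e["ts"]
        elif (e["EventID"] in GROUP_ADD_EVENTS
              and e["TargetUserName"] in PRIVILEGED_GROUPS):
            acct = member_account(e["MemberName"])
            if (acct in created
                    and (e["ts"] - created[acct]).total_seconds() <= window_seconds):
                hits.append((e["Computer"], acct, e["TargetUserName"]))
    return hits


# Constructed flow records: one scanning pair, one polling pair, one one-off.
FLOWS = (
    [(at(i), "10.0.1.15", "10.0.1.20", 1000 + i) for i in range(40)]
    + [(at(i * 30), "10.0.1.15", "10.0.1.30", 443) for i in range(10)]
    + [(at(5), "10.0.1.16", "10.0.1.20", 445)]
)


def port_scan_pairs(flows, window_seconds=60, min_ports=20):
    """(src, dst) pairs that touched at least min_ports distinct destination
    ports inside any sliding window of window_seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst)].append((ts, dport))
    flagged = []
    for pair, recs in by_pair.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            while (recs[end][0] - recs[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({p for _, p in recs[start:end + 1]}) >= min_ports:
                flagged.append(pair)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for hit in new_privileged_accounts(EVENTS):
        print("new privileged account:", hit)
    for pair in port_scan_pairs(FLOWS):
        print("port scan:", pair)
```

The account rule reports both the local Administrators add on WS-042 and the Domain Admins add on DC01, and ignores the ordinary provisioning of newhire; the scan rule flags only the pair that hit 40 ports in under a minute, not the host polling one port every 30 seconds. The thresholds (10 minutes, 20 ports in 60 seconds) are starting points to tune against a baseline, and the rules assume the Security log and flow data are actually being forwarded from workstations and DCs, which is the monitoring gap the Findings call out.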
See CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Issue | Recommendation
Insufficient host and network monitoring |
Lack of monitoring on endpoint management systems |
KRBTGT never changed |
Excessive permissions to standard users and ineffective separation of privileged accounts |
Hosts with Unconstrained Delegation enabled |
Use of non-secure default configurations |
Lack of server egress control |
Large number of credentials in a shared vault |
Inconsistent host configuration |
Potentially unwanted programs |
Mandatory password changes enabled |

Additionally, CISA recommends organizations implement the mitigations below to improve their cybersecurity posture:

As a long-term effort, CISA recommends organizations prioritize implementing a more modern, Zero Trust network architecture that:

CISA encourages organizational IT leadership to ask their executive leadership the question: Can the organization accept the business risk of NOT implementing critical security controls such as MFA? Risks of that nature should typically be acknowledged and prioritized at the most senior levels of an organization.

In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started:

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory. See CISA’s RedEye tool on CISA’s GitHub page. RedEye is an interactive open-source analytic tool used to visualize and report red team command and control activities. See CISA’s RedEye tool overview video for more information.
REFERENCES
[1] Bleeping Computer: New DFSCoerce NTLM Relay attack allows Windows domain takeover

See Table 3 for all referenced red team tactics and techniques in this advisory. Note: activity was from Phase I unless noted.
Technique Title | ID | Use
Gather Victim Identity Information: Email Addresses | T1589.002 | The team found employee email addresses via open-source research.
Gather Victim Identity Information: Employee Names | T1589.003 | The team identified employee names via open-source research that could be used to derive email addresses.
Gather Victim Network Information: Network Security Appliances | T1590.006 | The team identified the organization’s MDM vendor and leveraged that information to move laterally to SBS-connected assets.
Gather Victim Org Information | T1591 | The team conducted open-source research and identified an organizational branch that likely had access to an SBS asset.
Gather Victim Org Information: Determine Physical Locations | T1591.001 | The team conducted open-source research to identify the physical locations of upkeep/management staff of selected assets.
Search Open Technical Databases: Scan Databases | T1596.005 | The team queried an MDM SQL database to identify target administrators who recently connected with the MDM.
Technique Title | ID | Use
Acquire Infrastructure | T1583 | The team used third-party owned and operated infrastructure throughout their assessment for C2.
Establish Accounts: Email Accounts | T1585.002 | The team used commercially available email platforms for their spearphishing activity.
Obtain Capabilities: Tool | T1588.002 | The team used the following tools:
Technique Title | ID | Use
Phishing: Spearphishing Link | T1566.002 | The team sent spearphishing emails with links to a red-team-controlled domain to gain access to the organization’s systems.
Technique Title | ID | Use
Native API | T1106 | The team created a policy via the MDM API, which downloaded and executed a payload on a workstation.
User Execution | T1204 | Users downloaded and executed the team’s initial access payloads after clicking buttons to trigger download and execution.
Technique Title | ID | Use
Account Manipulation | T1098 | The team elevated account privileges to administrator and modified the user’s account by adding Create Policy and Delete Policy permissions. During Phase II, the team created local admin accounts and an AD account; they added the created AD account to a domain admins group.
Create Account: Local Account | T1136.001 | During Phase II, the team created a local administrator account on a workstation and a server.
Create Account: Domain Account | T1136.002 | During Phase II, the team created an AD account.
Create or Modify System Process: Windows Service | T1543.003 | During Phase II, the team leveraged compromised workstation and domain admin accounts to execute a payload via Windows Service Creation on target workstations and the DC.
Event Triggered Execution: Windows Management Instrumentation Event Subscription | T1546.003 | The team used WMI Event Subscriptions to move laterally between sites.
Hijack Execution Flow: DLL Search Order Hijacking | T1574.001 | The team used DLL hijacking to move laterally between sites.
Technique Title | ID | Use
Abuse Elevation Control Mechanism | T1548 | The team elevated user account privileges to administrator by modifying the user’s account via adding Create Policy and Delete Policy permissions.
Technique Title | ID | Use
Valid Accounts: Domain Accounts | T1078.002 | During Phase II, the team compromised a domain admin account and used it to move laterally to multiple workstations and the DC.
Technique Title | ID | Use
OS Credential Dumping: LSASS Memory | T1003.001 | The team obtained the cached credentials from a SharePoint server account by taking a snapshot of lsass.exe with a tool called nanodump, exporting the output and processing the output offline with Mimikatz.
OS Credential Dumping: DCSync | T1003.006 | The team harvested AES-256 hashes via DCSync.
Brute Force: Password Cracking | T1110.002 | The team cracked a user’s workstation account password after learning the user’s patterns from plaintext credentials.
Unsecured Credentials | T1552 | The team found backups of a MySQL database that contained the encryption key needed to decrypt SSH passwords.
Unsecured Credentials: Credentials in Files | T1552.001 | The team found plaintext credentials to an API user account stored in PowerShell scripts on an MDM server.
Unsecured Credentials: Bash History | T1552.003 | The team found bash history files on Workstation 5 containing what appeared to be SSH passwords saved in bash history.
Credentials from Password Stores: Password Managers | T1555.005 | The team pulled credentials from a KeePass database.
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | T1557.001 | The team ran the DFSCoerce Python script, which prompted DC authentication to a server using the server’s NTLM hash. The team then deployed Rubeus to capture the incoming DC TGT.
Steal or Forge Kerberos Tickets: Golden Ticket | T1558.001 | The team used the acquired krbtgt account hash throughout their assessment to forge legitimate TGTs.
Steal or Forge Kerberos Tickets: Kerberoasting | T1558.003 | The team leveraged Rubeus and DFSCoerce in an NTLM relay attack to obtain the DC’s TGT from a host with Unconstrained Delegation enabled.
Technique Title | ID | Use
System Network Configuration Discovery | T1016 | The team queried the AD for information about the network’s sites and subnets.
Remote System Discovery | T1018 | The team queried the AD, during Phase I and II, for information about computers on the network.
System Network Connections Discovery | T1049 | The team listed existing network connections on SCCM Server 1 to reveal an active SMB connection with SCCM Server 2.
Permission Groups Discovery: Domain Groups | T1069.002 | The team leveraged ldapsearch and dsquery to query and scrape Active Directory information.
Account Discovery: Domain Account | T1087.002 | The team queried AD for AD users (during Phase I and II), including members of a SharePoint admin group and several standard user accounts with administrative access.
Cloud Infrastructure Discovery | T1580 | The team found SecOps network diagrams on a host detailing cloud infrastructure boundaries.
Domain Trust Discovery | T1482 | During Phase II, the team enumerated trust relationships within the AD Forest.
Group Policy Discovery | T1615 | The team scraped AD information, including GPOs.
Network Service Discovery | T1046 | During Phase II, the team enumerated ports on target systems from a previously compromised workstation.
System Owner/User Discovery | T1033 | During Phase II, the team enumerated the AD for current session information from every domain computer (Workstation and Server).
Technique Title | ID | Use
Remote Services: SMB/Windows Admin Shares | T1021.002 | The team moved laterally with an SMB beacon. During Phase II, they used compromised workstation and domain admin accounts to upload a payload via SMB on several target Workstations and the DC.
Use Alternate Authentication Material: Pass the Hash | T1550.002 | The team ran the DFSCoerce Python script, which prompted DC authentication to a server using the server’s NTLM hash. The team then deployed Rubeus to capture the incoming DC TGT.
Use Alternate Authentication Material: Pass the Ticket | T1550.003 | The team used the asktgt command to impersonate accounts for which they had credentials by requesting account TGTs.
Technique Title | ID | Use
Application Layer Protocol | T1071 | The team remotely enumerated the local administrators group on target hosts to find valid user accounts. This technique relies on anonymous SMB pipe binds, which are disabled by default starting with Server 2016. During Phase II, the team established sessions that originated from a target Workstation and from the DC directly to an external host over a clear text protocol.
Application Layer Protocol: Web Protocols | T1071.001 | The team’s C2 redirectors used HTTPS reverse proxies to redirect C2 traffic.
Application Layer Protocol: File Transfer Protocols | T1071.002 | The team used HTTPS reverse proxies to redirect C2 traffic between the target network and the team’s Cobalt Strike servers.
Encrypted Channel | T1573 | The team’s C2 traffic was encrypted in transit using encryption keys stored on their C2 servers.
Ingress Tool Transfer | T1105 | During Phase II, the team uploaded and executed well-known malicious files to the DC to generate host-based alerts.
Proxy: External Proxy | T1090.002 | The team used redirectors to redirect C2 traffic between the target organization’s network and the team’s C2 servers.
Proxy: Domain Fronting | T1090.004 | The team used domain fronting to disguise outbound traffic in order to diversify the domains with which the persistent beacons were communicating.
Technique Title | ID | Use
Account Access Removal | T1531 | During Phase II, the team locked out several administrative AD accounts.
The Sunshine Coast has been selected as the location for a new national organisation aimed at protecting the nation against cyber criminals. The Critical Infrastructure – Information Sharing and Analysis Centre (CI-ISAC), featuring some of the nation’s best and brightest when it comes to “threat intelligence”, has started operations from Maroochydore today (February 6). Under the guidance of CI-ISAC’s Chief Executive Officer David Sandell, the not-for-profit industry-based organisation provides comprehensive information and analysis advice to assist its membership base in protecting Australia’s most critical infrastructure. The membership will be drawn from 11 key industry sectors representing almost 11,000 entities that include everything from banking, water and power grids to supermarkets and mining. Mr Sandell said the Sunshine Coast had been steadily building its credentials in the cyber and tech space and this had not gone unnoticed for an organisation that is focussed on addressing digital defence-in-depth across Australia’s ICT networks. “Assets that Sunshine Coast Council has been building alone or in partnership over the years were all key drivers to locate such an important organisation to a regional location,” Mr Sandell said. “No one else in regional Australia has the assets we need, including the fastest fibre cable to Asia, diversity of data path to Sydney, a fully fibre-enabled city centre and a new international runway with rapidly growing regional aviation connections. “The local university and TAFE are doing some great things to develop the skilled workforce we need and the future on the Sunshine Coast looks bright.” The new organisation is being led by some of Australia’s best, brightest, and most experienced in the field of threat intelligence and response.
Chair of the CI-ISAC Board is Brigadier (retired) Steve Beaumont, who previously served as Director-General of Intelligence, Surveillance, Reconnaissance, Electronic Warfare and Cyber with the Australian Department of Defence. Also playing a key role in the organisation is Dr Gary Waters, who has worked in the defence and national security space for more than five decades. Sunshine Coast Council Acting Mayor Rick Baberowski welcomed the news that CI-ISAC would be calling the Sunshine Coast home, joining an emerging tech ecosystem that already includes key corporate players like Next DC and industry-leading bodies such as the Sunshine Coast Tech Industry Alliance. He congratulated board members and founders Scott Flower and David Sandell on their decision to create a base and invest on the Sunshine Coast with such an important initiative designed to combat the acceleration in cyber threats. “A significant part of Australia’s critical infrastructure is owned or managed by local government, and I encourage all 537 Australian local governments to consider the considerable value in becoming a community of cyber defenders,” Acting Mayor Baberowski said. “The concept is clear-cut. If we act together and share cyber threat intelligence, we can only get better at pre-empting attacks, while contributing to defending Australia’s data highway and all of the sensitive and personal data public services and businesses collect. “We are proud that the Sunshine Coast will host and participate in an important new sector to develop solutions that can benefit all Australians.” For more information on how to become a member or partner of the CI-ISAC, navigate to https://ci-isac.com.au/
Cybersecurity continues to be a major area for investment among businesses, and today a startup building solutions for smaller enterprises is announcing a funding round to meet that demand. CyberSmart — a U.K. startup that has built an all-in-one platform providing cybersecurity technology for small and medium businesses, plus cyber insurance if things go wrong regardless — has closed a Series B of £12.75 million ($15.4 million). CyberSmart currently has 4,000 customers in the U.K., with 1,800 of them also taking the company’s insurance policies — the tip of the iceberg in a market with 5.5 million small and medium enterprises (SMBs) overall — but Jamie Akhtar, the co-founder and CEO, said there is a lot of interest out there and it’s about meeting that demand right now, so the plan is to use the funding to continue developing its product, to potentially make some acquisitions, and to expand its channel partners and customers in its home market as well as further afield in Europe, Australia and New Zealand. The funding is being led by Oxx — the European VC that focuses on growth rounds for SaaS startups — with strategic and other interesting backers participating. They include British Patient Capital (the commercial subsidiary of the U.K. government’s British Business Bank), Legal & General Capital (affiliated with the insurance giant) and Solano Partners; previous backers IQ Capital, Eos Venture Partners, Winton Ventures and Seedcamp are also participating. The company had previously raised £8 million and it’s not disclosing its valuation with this round, but Akhtar said it was oversubscribed. Investor and customer interest in a company like CyberSmart speaks to a bigger shift we’ve been seeing in the market. Small and medium businesses used to be overlooked when it came to cybersecurity.
That was for a combination of reasons: criminals typically focused their attention on the biggest targets as the biggest prizes, SMBs are not known to be big spenders when it comes to any kind of IT, and for those reasons the companies building the most interesting cybersecurity tech weren’t focused on them as target use cases and customers. That has changed significantly over time. Not only are incidents of cybercrime continuing to grow — up by 38% in 2022 globally, estimates Check Point Research — but SMBs have become a prime target for these attacks, accounting for 58% of them, according to 2019 research from the Global Cyber Alliance. The small and medium business segment, as a result, has increasingly become a target for those building cybersecurity solutions. That includes others like Cowbell and Guardz, which are mixing the propositions for security and insurance together, as well as those focused only on tech, and on specific kinds of security incidents, such as ActZero and its focus on ransomware in particular. “SMEs are notoriously under-protected from the rising cyber threat, and existing cybersecurity and insurance propositions are neither fit for purpose nor affordable,” said Phil Edmondson-Jones, partner at Oxx, in a statement. “We have spent a long time searching for the right business model that can enact a step-change in this important & enormous market. CyberSmart’s category-leading SME security product, combined with its unique ability to collect ‘inside-out’ data on real-time risk indicators, will propel the business to become a core part of the infrastructure for cyber protection and insurance. We are thrilled to support CyberSmart and its stellar team in driving urgent adoption in the market, and rapidly expanding internationally.” He’s also joining the board with this round.
A lot of activity may be new, but CyberSmart itself is not: The company is actually six years old, and is thus something of an early mover in identifying and targeting SMBs with cybersecurity technology. The startup was initially incubated at an accelerator run by GCHQ, the U.K. equivalent of the NSA, with Akhtar building the business out of his own experience after working for more than a decade in cybersecurity at other firms. “I could see that SME security was broken,” he said. “So many of them were unaware of cyber risks, and they didn’t have the tools and resources to tackle it anyway. We approached the problem from that perspective.” The product is aimed squarely at the “S” end of SMB (or SME as it’s commonly called in the U.K.), with average customer sizes ranging between 10 and 50 employees, and no plans to expand to much larger businesses, the mid-market or anything else. And its primary sales route speaks to the market that CyberSmart has identified and understands: It sells mainly through channel partners, which consult smaller businesses on their overall IT needs and sell them packages of IT hardware and software as part of that, with CyberSmart taking on the security piece of that offering. “As cyber-attacks grow increasingly sophisticated, the technology needed to protect against them must do so as well. For many SMEs, this is a difficult challenge to tackle, either because of financial constraints or a lack of in-house expertise,” added Catherine Lewis La Torre, CEO of British Patient Capital. “CyberSmart was created to address this problem, providing not only affordable and easy-to-use cyber protection but also training, certification and insurance. 
We are delighted to be supporting such a dynamic and ambitious business on its growth journey.” That security piece comes in the form of its flagship product Active Protect, which Akhtar describes as a “baseline” security tool that can be installed and used without any need for IT experts to integrate or manage it. Active Protect is distributed to staff via a link, through which it can be downloaded onto any device used on a company’s network, and after it’s installed it provides continuous monitoring, with proactive information and advice when it spots any kind of suspicious activity, as well as prompts for people to go through training to be more aware of and vigilant against typical attack vectors (email phishing, for example, being one of the most common, and one that comes down to humans making sound calls). It describes its aim as addressing the “most common” vulnerabilities. Alongside this, CyberSmart has built out an insurance product in partnership with Aviva and Superscript. It comes bundled with Active Protect, but it only kicks in as a policy once a user has followed all of the instructions to secure devices, address security issues when they are identified and go through training when it is recommended. The aim here is two-fold: Akhtar believes that a lot of SMBs might not typically take out cyber insurance because of the premiums, so offering something as a free add-on will get more people to sign up for its security product. But in addition to cost, Akhtar believes that a lot of cyber insurance aimed at the SMB market is a hard sell because of the relatively strict parameters that need to be met for support. Linking it directly to how a security policy is managed makes the most sense. (These are likely two big reasons why we are seeing a number of other companies bundling cybersecurity solutions with insurance, too.) 
Notably, Akhtar tells me that since the company launched the insurance product over a year ago, there hasn’t been a single claim made against it — a sign, he believes, of his startup’s formula working as it should. Yet there are some gaps in what CyberSmart is providing to the market — for example, if the most common vulnerabilities are being addressed, isn’t it just a matter of time before hackers start tackling SMBs with increasingly sophisticated approaches? And if the main approach to remediation currently is providing guidance to a company’s team of human employees, is there scope for complementing that with more automated approaches, or tech that can tackle more sophisticated attacks? These are areas where CyberSmart will likely either be building more tech itself, or bringing in additional functionality by way of acquisitions. On the acquisitions front, Akhtar noted that his own fundraising journey this time around really laid bare the state of the market right now. “I spoke to hundreds of VCs over nine months,” he told me (and if I was asked to use an emoji to describe his expression at that moment, it would be the one of the face with the slightly uneasy smile and bead of sweat running down the side: 😅). In the case of CyberSmart, he said part of this was also because he and his team were being selective and were looking for partners that could help with business growth, not just bank account growth. But more generally, it emphasizes how hard it is right now to close rounds for a lot of businesses, and there will be promising technologists out there who are running out of runway, or getting bad financing offers, who might be willing instead to sell at a lower price and team up with a partner to grow something together. Even further down the line, the plan will be to raise a bigger Series C to enter the U.S., Akhtar said.