Cybercriminals use a variety of tactics all at once and are constantly innovating. Organizations need to do the same and take a multidimensional approach to cybersecurity because biannual training videos aren’t enough to engage employees or protect your business.
A bad actor stole $540 million from an NFT gaming company in July, an attack that started with a fake job offer on LinkedIn. In cases like these, social engineering doesn’t look like a fear-based phishing email demanding bank account information in a 24-hour turnaround. Instead, these attacks prey on people’s ambitions as they seek new opportunities.
Social engineering attacks can present as emails from (what appear to be) friends, asking you for credit card information, or they can be hyper-personal attacks in which fraudsters clone family members’ social media accounts and use personal photos and location information to convince you they’re real.
Social engineering attacks can be financially and emotionally devastating. But your organization isn’t defenseless — the best protection against them is to create a culture of digital literacy that scales with your organization.
Unfortunately, many cybersecurity training strategies don’t prepare employees for scenarios like these.
For example, cybersecurity training programs consisting of biannual training videos often promote content that’s uniform and limited in scope. These videos tend to deliver the same message every six months, with the same rotation of quiz questions.
While these programs are easy to implement, they’re usually dry, and the repetitive nature of the material demotivates employees, making it difficult for them to internalize or deploy training.
Cybercrime is evolving and your organization’s cybersecurity training strategy needs to evolve, too. It’s important to identify training opportunities that not only engage your employees, but better protect your business from social engineering and other attack strategies.
Here are five things to keep in mind as you expand your training strategy.
1. Starting is the hardest part — don’t let it stand in your way
The good news is that you don’t need to begin with a full rollout of new policies and strategies — take it one step at a time and build on your progress.
For example, one starting point could involve the distribution of a security reminder on the first Friday of the month, asking employees to update their devices. As this process becomes routine, add another step: a backup reminder at the end of the month.
Continue developing your cybersecurity strategy, adding new elements that address social engineering and other types of attacks. Before you know it, your organization’s digital literacy will improve as you establish a more robust and comprehensive training cycle.
2. Create clear and specific cybersecurity policies
When organizations draft their cybersecurity policies, they often apply a one-size-fits-all approach. But since your organization consists of a variety of teams and roles, a monolithic approach to cybersecurity policies probably won’t cover the security concerns associated with every role. For example, the cyber threats your finance department faces may differ from the ones faced by HR or the IT team — an HR employee is likely more susceptible to a phishing scam than an IT employee, so they need different training emphases.
Cybersecurity policies require a degree of customization for specific roles and departments. Start by asking questions like: What are the security needs of each department? And how is each department most susceptible to cybersecurity attacks?
3. Acknowledge and address (fear) fatigue
Cybersecurity works like insurance — you don’t see the reward because your actions are often proactive rather than reactive. Employees can get frustrated by a process that doesn’t demonstrate an immediate payoff, so it’s important to emphasize the value of ongoing training in preventing attacks before they occur.
Be careful not to give rise to fear fatigue, which occurs when employees are constantly exposed to bad news or messages that focus on negative outcomes. Cybersecurity training that only plays to fear, like constant alerts to threats, demotivates employees.
When providing training related to social engineering or other types of attacks, strike a balance between communicating the very real consequences of cyber-attacks and more positive messaging, like best practices and cyber hygiene routines.
4. Gamify your training
Gamification presents a significant opportunity for improving digital literacy, because it improves engagement. Instead of watching a video and taking a routine quiz, cybersecurity training happens on a competitive, point-earning platform where employees grow their skills alongside each other. Gamification ultimately makes learning fun, and the lessons are more likely to stick.
Just make sure that as you gamify cybersecurity training, you’re still strategizing. And keep context in mind — while it can be fun to create themed training exercises around celebrations like Halloween, an April Fool’s phishing scheme can come off as tacky or cruel.
5. Empower your employees
Your primary goal is to empower your employees through training and resources. When it comes to cybersecurity, one of the resources your organization should be fully utilizing is your IT team.
Your IT team is most knowledgeable about cybersecurity and cyber-attacks, and they’re best equipped to communicate best practices to your workforce. But communication is a two-way street — IT teams rely on employees to contact them when unusual phishing attacks or cybersecurity issues occur.
Employees are your first line of defense. It’s important to prioritize their role in cybersecurity and preventing breaches caused by social engineering or other types of attacks. The most effective cyber-attacks and social engineers use the full arsenal of tools at their disposal — and you need to do the same. Empower your workforce with diverse and ongoing training opportunities and implement cybersecurity practices that turn your teams into your best defense.
Author: rescue@crimefire.in
-
Engage your employees with better cybersecurity training – Help Net Security
-
#StopRansomware: Royal Ransomware – CISA
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
Actions to take today to mitigate cyber threats from ransomware:
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Royal ransomware IOCs and TTPs identified through FBI threat response activities as recently as January 2023.
Since approximately September 2022, cyber criminals have compromised U.S. and international organizations with a Royal ransomware variant. FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used “Zeon” as a loader. After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems. Royal actors have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin. In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note. Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a .onion URL (reachable through the Tor browser). Royal actors have targeted numerous critical infrastructure sectors including, but not limited to, Manufacturing, Communications, Healthcare and Public Health (HPH), and Education.
FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.
Royal ransomware uses a unique partial encryption approach that allows the threat actor to choose a specific percentage of data in a file to encrypt. This approach allows the actor to lower the encryption percentage for larger files, which helps evade detection.[1] In addition to encrypting files, Royal actors also engage in double extortion tactics in which they threaten to publicly release the encrypted data if the victim does not pay the ransom.
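The partial-encryption behaviour described above matters for detection because whole-file entropy checks tuned for fully encrypted files can miss a file that is only, say, 30% ciphertext. The following is an added example, not code from the advisory or from any Royal analysis: it scans a file in fixed-size chunks and reports a file as partially encrypted when near-random chunks sit next to structured ones. The sample file, chunk size and thresholds are all constructed or assumed; os.urandom stands in for ciphertext.

```python
"""Chunked entropy scan for partially encrypted files.

Royal's partial-encryption mode leaves part of each file untouched, so
whole-file entropy can stay below thresholds tuned for fully encrypted
files. Scanning fixed-size chunks and looking for near-random chunks next
to structured ones is one defensive answer. The sample file is constructed:
repetitive text with its leading 30% replaced by random bytes (os.urandom
stands in for ciphertext). Chunk size and thresholds are assumptions.
"""
import math
import os
from collections import Counter

CHUNK = 4096          # assumed scan granularity in bytes
HIGH_ENTROPY = 7.5    # bits per byte; assumed "looks encrypted" threshold
LOW_ENTROPY = 6.0     # bits per byte; assumed "clearly structured" threshold


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte, from 0.0 to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each consecutive chunk-sized slice of data."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK) -> dict:
    """Summarise a file: whole-file entropy, chunk counts and a verdict."""
    ents = chunk_entropies(data, chunk)
    high = sum(1 for e in ents if e >= HIGH_ENTROPY)
    low = sum(1 for e in ents if e <= LOW_ENTROPY)
    if high and low:
        verdict = "partially encrypted"       # random and structured regions coexist
    elif high:
        verdict = "fully encrypted or compressed"
    else:
        verdict = "plaintext"
    return {
        "whole_file_entropy": round(shannon_entropy(data), 2),
        "chunks": len(ents),
        "high_chunks": high,
        "low_chunks": low,
        "encrypted_fraction": round(high / len(ents), 2) if ents else 0.0,
        "verdict": verdict,
    }


def make_sample(size: int = 64 * 1024, encrypted_fraction: float = 0.30) -> bytes:
    """Constructed sample: structured text whose leading fraction is random bytes."""
    line = b"INVOICE 2023-01 line item quantity unit price total\n"
    text = (line * (size // len(line) + 1))[:size]
    cut = int(size * encrypted_fraction)
    return os.urandom(cut) + text[cut:]


if __name__ == "__main__":
    # Whole-file entropy lands around 6 bits/byte, under HIGH_ENTROPY, while
    # the chunk scan still flags the file as partially encrypted.
    print(classify(make_sample()))
```

Whole-file entropy of the sample stays around 6 bits per byte, below the 7.5 threshold that would catch a fully encrypted file, while five of the sixteen chunks exceed it; the verdict comes from the coexistence of both regions rather than from a single average.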
Royal actors gain initial access to victim networks in a number of ways including:
Once Royal actors gain access to the network, they communicate with command and control (C2) infrastructure and download multiple tools [T1105]. Legitimate Windows software is repurposed by Royal operators to strengthen their foothold in the victim’s network. Ransomware operators often use open-source projects to aid their intrusion activities; Royal operators have recently been observed using Chisel, a tunneling tool transported over HTTP and secured via SSH [T1572], to communicate with their C2 infrastructure. FBI has observed multiple Qakbot C2s used in Royal ransomware attacks, but has not yet determined if Royal ransomware exclusively uses Qakbot C2s.
Royal actors often use RDP to move laterally across the network [T1021.001]. The Microsoft Sysinternals tool PsExec has also been used to aid lateral movement. FBI has observed Royal actors using remote monitoring and management (RMM) software, such as AnyDesk, LogMeIn, and Atera, for persistence in the victim’s network [T1133]. In some instances, the actors moved laterally to the domain controller. In one confirmed case, the actors used a legitimate admin account to remotely log on to the domain controller [T1078]. Once on the domain controller, the threat actor deactivated antivirus protocols [T1562.001] by modifying Group Policy Objects [T1484.001].
Royal actors exfiltrate data from victim networks by repurposing legitimate cyber pentesting tools, such as Cobalt Strike, and malware tools and derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration. According to third-party reporting, Royal actors’ first hop in exfiltration and other operations is usually a U.S. IP address.
Note: In reference to Cobalt Strike and other tools mentioned above, a tool repository used by Royal was identified at IP: 94.232.41[.]105 in December 2022.
Before starting the encryption process, Royal actors:
FBI has found numerous batch (.bat) files on impacted systems which are typically transferred as an encrypted 7zip file. Batch files create a new admin user [T1078.002], force a group policy update, set pertinent registry keys to auto-extract [T1119] and execute the ransomware, monitor the encryption process, and delete files upon completion—including Application, System, and Security event logs [T1070.001].
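Each step of the batch-file sequence described above leaves a standard Windows Security or System event, which makes the sequence itself a usable detection rather than any single file hash. The following is an added example, not code from the advisory: it maps constructed event records to stages (account created, added to Administrators, forced gpupdate, logs cleared) and alerts when enough distinct stages occur on one host inside a time window. The event-ID meanings are standard Windows ones; the flattened record format, the one-hour window and the three-stage threshold are assumptions.

```python
"""Correlate Windows event records for the batch-file sequence in the advisory.

The advisory describes batch files that create a new admin user, force a
Group Policy update, and clear the Application, System and Security event
logs when done. Each step leaves a standard Windows event: 4720 (user
account created), 4732 (member added to a local security group), 4688
(process creation; here the command line carries gpupdate), 1102 (Security
log cleared) and 104 (System or Application log cleared). The records
below are constructed sample data in an assumed flattened format, not real
telemetry; the correlation window and the three-stage threshold are
assumptions.
"""
from datetime import datetime
from typing import Optional

WINDOW_SECONDS = 3600   # assumed correlation window

# Constructed sample events: host, ISO timestamp, event id and a few fields.
SAMPLE_EVENTS = [
    {"host": "FS01", "time": "2023-01-10T02:14:05", "id": 4720, "target": "svc_backup2"},
    {"host": "FS01", "time": "2023-01-10T02:14:06", "id": 4732, "group": "Administrators", "member": "svc_backup2"},
    {"host": "FS01", "time": "2023-01-10T02:14:20", "id": 4688, "cmd": "gpupdate.exe /force"},
    {"host": "FS01", "time": "2023-01-10T02:41:59", "id": 1102},
    {"host": "FS01", "time": "2023-01-10T02:42:00", "id": 104, "channel": "System"},
    {"host": "FS01", "time": "2023-01-10T02:42:01", "id": 104, "channel": "Application"},
    # Routine helpdesk activity on another host: one account created, no admin group, no log clearing.
    {"host": "WS22", "time": "2023-01-10T09:30:00", "id": 4720, "target": "jdoe"},
    {"host": "WS22", "time": "2023-01-10T09:30:02", "id": 4732, "group": "Remote Desktop Users", "member": "jdoe"},
]


def stage(ev: dict) -> Optional[str]:
    """Map one event to a stage of the sequence, or None if it is irrelevant."""
    if ev["id"] == 4720:
        return "account_created"
    if ev["id"] == 4732 and ev.get("group") == "Administrators":
        return "added_to_admins"
    if ev["id"] == 4688 and "gpupdate" in ev.get("cmd", "").lower():
        return "forced_gpupdate"
    if ev["id"] in (1102, 104):
        return "logs_cleared"
    return None


def correlate(events: list, window_seconds: int = WINDOW_SECONDS, min_stages: int = 3) -> dict:
    """Return {host: sorted stages} for hosts where at least min_stages
    distinct stages start within window_seconds of each other. Requiring
    three of four stages keeps a missing sensor (e.g. no command-line
    logging) from hiding the pattern."""
    by_host = {}
    for ev in events:
        s = stage(ev)
        if s:
            by_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["time"]), s))
    alerts = {}
    for host, seq in by_host.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            stages = {s for t, s in seq[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

On the constructed data only FS01 alerts, with all four stages; WS22's account creation into Remote Desktop Users is not promoted to a stage, so ordinary provisioning does not trip the rule. Because the batch files delete the event logs on completion, the events must already be forwarded off-host (or to a SIEM) for this correlation to have anything to work on; the 1102/104 clearing events themselves are usually the last thing a local log contains.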
Malicious files have been found in victim networks in the following directories:
See tables 1 and 2 for Royal ransomware IOCs that FBI obtained during threat response activities as of January 2023. Note: Some of the observed IP addresses are several months old. FBI and CISA recommend vetting or investigating these IP addresses prior to taking forward-looking action, such as blocking.
IOC           Description
.royal        Encrypted file extension
README.TXT    Ransom note
Malicious IP          Last Activity
102.157.44[.]105      November 2022
105.158.118[.]241     November 2022
105.69.155[.]85       November 2022
113.169.187[.]159     November 2022
134.35.9[.]209        November 2022
139.195.43[.]166      November 2022
139.60.161[.]213      November 2022
148.213.109[.]165     November 2022
163.182.177[.]80      November 2022
181.141.3[.]126       November 2022
181.164.194[.]228     November 2022
185.143.223[.]69      November 2022
186.64.67[.]6         November 2022
186.86.212[.]138      November 2022
190.193.180[.]228     November 2022
196.70.77[.]11        November 2022
197.11.134[.]255      November 2022
197.158.89[.]85       November 2022
197.204.247[.]7       November 2022
197.207.181[.]147     November 2022
197.207.218[.]27      November 2022
197.94.67[.]207       November 2022
23.111.114[.]52       November 2022
41.100.55[.]97        November 2022
41.107.77[.]67        November 2022
41.109.11[.]80        November 2022
41.251.121[.]35       November 2022
41.97.65[.]51         November 2022
42.189.12[.]36        November 2022
45.227.251[.]167      November 2022
5.44.42[.]20          November 2022
61.166.221[.]46       November 2022
68.83.169[.]91        November 2022
81.184.181[.]215      November 2022
82.12.196[.]197       November 2022
98.143.70[.]147       November 2022
140.82.48[.]158       December 2022
147.135.36[.]162      December 2022
147.135.11[.]223      December 2022
152.89.247[.]50       December 2022
179.43.167[.]10       December 2022
185.7.214[.]218       December 2022
193.149.176[.]157     December 2022
193.235.146[.]104     December 2022
209.141.36[.]116      December 2022
45.61.136[.]47        December 2022
45.8.158[.]104        December 2022
5.181.234[.]58        December 2022
5.188.86[.]195        December 2022
77.73.133[.]84        December 2022
89.108.65[.]136       December 2022
94.232.41[.]105       December 2022
47.87.229[.]39        January 2023
Malicious Domain                            Last Observed
ciborkumari[.]xyz                           October 2022
sombrat[.]com                               October 2022
gororama[.]com                              November 2022
softeruplive[.]com                          November 2022
altocloudzone[.]live                        December 2022
ciborkumari[.]xyz                           December 2022
myappearinc[.]com                           December 2022
parkerpublic[.]com                          December 2022
pastebin.mozilla[.]org/Z54Vudf9/raw         December 2022
tumbleproperty[.]com                        December 2022
myappearinc[.]com/acquire/draft/c7lh0s5jv   January 2023
Tool                                SHA256
AV tamper                           8A983042278BC5897DBCDD54D1D7E3143F8B7EAD553B5A4713E30DEFFDA16375
TCP/UDP Tunnel over HTTP (Chisel)   8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451
Ursnif/Gozi                         be030e685536eb38ba1fec1c90e90a4165f6641c8dc39291db1d23f4ee9fa0b1
Exfil                               B8C4AEC31C134ADBDBE8AAD65D2BCB21CFE62D299696A23ADD9AA1DE082C6E20
Remote Access (AnyDesk)             4a9dde3979c2343c024c6eeeddff7639be301826dd637c006074e04a1e4e9fe7
PowerShell Toolkit Downloader       4cd00234b18e04dcd745cc81bb928c8451f6601affb5fa45f20bb11bfb5383ce
PsExec (Microsoft Sysinternals)     08c6e20b1785d4ec4e3f9956931d992377963580b4b2c6579fd9930e08882b1c
Keep Host Unlocked (Don’t Sleep)    f8cff7082a936912baf2124d42ed82403c75c87cb160553a7df862f8d81809ee
Ransomware Executable               d47d4b52e75e8cf3b11ea171163a66c06d1792227c1cf7ca49d7df60804a1681
Windows Command Line (NirCmd)       216047C048BF1DCBF031CF24BD5E0F263994A5DF60B23089E393033D17257CB5
System Management (NSudo)           19896A23D7B054625C2F6B1EE1551A0DA68AD25CDDBB24510A3B74578418E618
Batch Scripts
Filename            Hash Value
2.bat               585b05b290d241a249af93b1896a9474128da969
3.bat               41a79f83f8b00ac7a9dd06e1e225d64d95d29b1d
4.bat               a84ed0f3c46b01d66510ccc9b1fc1e07af005c60
8.bat               c96154690f60a8e1f2271242e458029014ffe30a
kl.bat              65dc04f3f75deb3b287cca3138d9d0ec36b8bea0
gp.bat              82f1f72f4b1bfd7cc8afbe6d170686b1066049bc7e5863b51aa15ccc5c841f58
r.bat               74d81ef0be02899a177d7ff6374d699b634c70275b3292dbc67e577b5f6a3f3c
runanddelete.bat    342B398647073159DFA8A7D36510171F731B760089A546E96FBB8A292791EFEE
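The IP and domain indicators above are published defanged (with "[.]" in place of "."), so they have to be normalised before they can be compared with anything in a log. The following is an added example, not code from the advisory: it refangs three indicators copied from the tables, classifies each as an IP, a domain or a URL with a path, and reports every match in a small set of constructed boundary-log lines for vetting, in line with the advisory's note that aged IP addresses should be investigated before they are blocked. The log format and the non-IOC addresses (RFC 5737 documentation ranges) are assumptions.

```python
"""Refang the advisory's defanged IOCs and look for them in boundary logs.

IOC tables print IPs and domains with "[.]" in place of "." so they cannot
be clicked by accident; before matching against logs they must be refanged.
The three IOCs are copied from the tables above; the firewall log lines are
constructed sample data in an assumed format (timestamp, source, "->",
destination, protocol:port, host or URL), with RFC 5737 documentation
addresses for everything that is not an IOC. Matches are reported for
vetting, as the advisory recommends, not blocked.
"""
import re

DEFANGED_IOCS = [
    "94.232.41[.]105",
    "altocloudzone[.]live",
    "pastebin.mozilla[.]org/Z54Vudf9/raw",
]

# Constructed boundary log: "<ts> <src> -> <dst> <proto:port> <host-or-url>".
SAMPLE_LOG = """\
2022-12-14T11:02:17Z 10.0.5.23 -> 94.232.41.105 tcp:443 -
2022-12-14T11:02:18Z 10.0.5.23 -> 192.0.2.10 tcp:443 updates.example.com
2022-12-14T11:05:40Z 10.0.7.9 -> 198.51.100.7 tcp:443 pastebin.mozilla.org/Z54Vudf9/raw
2022-12-14T11:06:02Z 10.0.7.9 -> 203.0.113.4 tcp:443 cdn.altocloudzone.live
2022-12-14T11:07:55Z 10.0.9.1 -> 192.0.2.53 udp:53 -
"""


def refang(ioc: str) -> str:
    """Undo common defanging: [.] (.) {.} become '.', hxxp becomes http."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", ioc).replace("hxxp", "http")


def ioc_kind(ioc: str) -> str:
    """Classify a refanged IOC as ip, url (host plus path) or domain."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ioc):
        return "ip"
    return "url" if "/" in ioc else "domain"


def scan(log_text: str, defanged: list) -> list:
    """Return (line_no, ioc, kind) for each log line that references an IOC.
    Domain IOCs also match their subdomains; URL IOCs need host and path."""
    iocs = [(refang(d), ioc_kind(refang(d))) for d in defanged]
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 6:
            continue          # malformed or truncated line; skip rather than guess
        dst, target = parts[3], parts[5]
        for ioc, kind in iocs:
            if (kind == "ip" and dst == ioc) or (kind == "url" and target == ioc) \
               or (kind == "domain" and (target == ioc or target.endswith("." + ioc))):
                hits.append((n, ioc, kind))
    return hits


if __name__ == "__main__":
    for line_no, ioc, kind in scan(SAMPLE_LOG, DEFANGED_IOCS):
        print(f"line {line_no}: {kind} {ioc} -- vet before blocking")
```

The domain match deliberately covers subdomains (cdn.altocloudzone.live matches altocloudzone.live) while the URL indicator requires the full host and path, so a benign visit to pastebin.mozilla.org alone is not reported; the pastebin entry in the table is only meaningful with its path.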
See table 3 for all referenced threat actor tactics and techniques included in this advisory.
Initial Access
Technique Title                                       ID         Use
Exploit Public Facing Application                     T1190      The actors gain initial access through public-facing applications.
Phishing: Spearphishing Attachment                    T1566.001  The actors gain initial access through malicious PDF attachments sent via email.
Phishing: Spearphishing Link                          T1566.002  The actors gain initial access using malvertising links via emails and public-facing sites.
External Remote Services                              T1133      The actors gain initial access through a variety of RMM software.

Command and Control
Technique Title                                       ID         Use
Ingress Tool Transfer                                 T1105      The actors used C2 infrastructure to download multiple tools.
Protocol Tunneling                                    T1572      The actors used an encrypted SSH tunnel to communicate within C2 infrastructure.

Privilege Escalation
Technique Title                                       ID         Use
Valid Accounts: Domain Accounts                       T1078.002  The actors used encrypted files to create new admin user accounts.

Defense Evasion
Technique Title                                       ID         Use
Impair Defenses: Disable or Modify Tools              T1562.001  The actors deactivated antivirus protocols.
Domain Policy Modification: Group Policy Modification T1484.001  The actors modified Group Policy Objects to subvert antivirus protocols.
Indicator Removal: Clear Windows Event Logs           T1070.001  The actors deleted shadow files and system and security logs after exfiltration.
Remote Desktop Protocol                               T1021.001  The actors used valid accounts to move laterally through the domain controller using RDP.
Automated Collection                                  T1119      The actors used registry keys to auto-extract and collect files.

Impact
Technique Title                                       ID         Use
Data Encrypted for Impact                             T1486      The actors encrypted data to determine which files were being used or blocked by other applications.
FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Royal ransomware. These mitigations follow CISA’s Cybersecurity Performance Goals (CPGs), which provide a minimum set of practices and protections that are informed by the most common and impactful threats, tactics, techniques, and procedures, and which yield goals that all organizations across critical infrastructure sectors should implement:
FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Royal actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
Additional details requested include: a targeted company Point of Contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, host and network based indicators.
FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, or CISA at https://www.cisa.gov/report.
The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or the FBI.
[1] Royal Rumble: Analysis of Royal Ransomware (cybereason.com)
[2] DEV-0569 finds new ways to deliver Royal ransomware, various payloads – Microsoft Security Blog
[3] 2023-01: ACSC Ransomware Profile – Royal | Cyber.gov.au
Recorded Future, Coveware, Digital Asset Redemption, Q6, and RedSense contributed to this CSA.
-
Experts predict how AI will energize cybersecurity in 2023 and beyond – VentureBeat
AI and machine learning (ML) are becoming attackers’ preferred technologies, from designing malicious payloads that defy detection to writing customized phishing emails. The recent GoDaddy multiyear breach has all the signs of an AI-driven cyberattack designed to evade detection and reside in the company’s infrastructure for years.
Cybercriminal gangs and sophisticated advanced persistent threat (APT) groups actively recruit AI and ML specialists who design malware that can evade current-generation threat detection systems. What attackers lack in size and scale, they more than make up for in ingenuity, speed and stealth.
“I’ve been amazed at the ingenuity when someone has six months to plan their attack on your company — so always be vigilant,” Kevin Mandia, CEO of Mandiant, said during a fireside chat with George Kurtz at CrowdStrike’s Fal.Con conference last year.
Nearly three-quarters (71%) of all detections indexed by CrowdStrike Threat Graph were malware-free intrusions. CrowdStrike’s Falcon OverWatch Threat Hunting Report illustrates how advanced attackers use valid credentials to facilitate access and persistence in victim environments.
Another contributing factor is the rate at which new vulnerabilities are disclosed and the speed with which adversaries can operationalize exploits using AI and ML.
Attackers are using ChatGPT to refine malware, personalize phishing emails and fine-tune algorithms designed to steal privileged access credentials.
As Shishir Singh, CTO of cybersecurity at BlackBerry notes: “It’s been well documented that people with malicious intent are testing the waters, but over this year, we expect to see hackers get a much better handle on how to use ChatGPT successfully for nefarious purposes; whether as a tool to write better mutable malware or as an enabler to bolster their ‘skillset.’ Both cyber pros and hackers will continue to look into how they can utilize it best. Time will tell who’s more effective.”
In fact, a recent survey by BlackBerry found that 51% of IT decision-makers believe there will be a successful cyberattack credited to ChatGPT within the year.
Amazon Web Services, CrowdStrike, Google, IBM, Microsoft, Palo Alto Networks and other leading cybersecurity vendors are prioritizing investment in AI and ML research and development (R&D) in response to increasingly complex threats and requests from enterprise customers for new features.
Charlie Bell, Microsoft’s EVP for security, compliance, identity and management, said of AI’s role in cybersecurity: “It’s basically having the machinery to just continuously go fast, especially in ML. All the model training, data stuff and everything else is a super-high priority. Microsoft has a tremendous amount of technology in the AI space.”
CrowdStrike’s many new announcements at Fal.Con last year, along with Palo Alto Networks’ Ignite ’22, illustrate how effective their DevOps and engineering teams are at translating R&D investment into new products.
Amazon Web Services’ hundreds of cybersecurity services and Microsoft Azure’s zero trust developments reflect how R&D spending on AI and ML is a high priority in two of the largest cloud platform providers. Microsoft sank $1 billion into cybersecurity R&D last year and committed to spending $20 billion over the next five years on cybersecurity R&D (beginning in 2021). Microsoft’s security business generates $15 billion annually.
Ivanti’s continual stream of new announcements, including those at RSA and many successful acquisitions followed by rapid advances in AI development, are cases in point. Each of these cybersecurity vendors knows how to translate AI and ML expertise into cyber-resilient systems and solutions faster than competitors while fine-tuning the UX aspects of their platforms.
AI and ML are defining the future of e-crime, with cybercriminal gangs and APT groups ramping up AI hacker-for-hire programs and ransomware-as-a-service while expanding their base of AI-enabled cloaking techniques — and more. It’s why security teams are losing the AI war.
These factors, combined with the continued resiliency of cybersecurity spending, lead to optimistic forecasts about investment in AI. VentureBeat has curated the most interesting forecasts, noted below:
Core to the zero trust frameworks that organizations are standardizing today is real-time visibility and monitoring of all activity across a network.
AI-based behavioral analytics provides real-time data on potentially malicious activity by identifying and acting on anomalies. It’s proving effective in allowing CISOs and their teams to set baselines for normal behavior by analyzing and understanding past behavior and then identifying anomalies in the data.
Leading cybersecurity vendors rely on AI and ML algorithms to personalize security roles or profiles for each user in real time based on their behavior and patterns. By analyzing several variables, including where and when users attempt to log in, device type, and configuration, among others, these systems can detect anomalies and identify potential threats in real time.
Leading providers include Blackberry Persona, Broadcom, CrowdStrike, CyberArk, Cybereason, Ivanti, SentinelOne, Microsoft, McAfee, Sophos and VMware Carbon Black.
CISOs and CIOs tell VentureBeat that this approach to AI-based endpoint management decreases the risk of lost or stolen devices, protecting against device and app cloning and user impersonation. With these techniques, enterprises can analyze endpoint protection platforms (EPPs), endpoint detection and response (EDR), unified endpoint management (UEM) and transaction fraud detection to improve authentication accuracy.
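The baseline-then-anomaly idea described in the preceding paragraphs is simpler than the vendor language suggests. The following is an added example, not code from VentureBeat or any vendor named in the article: it learns, per user, the countries and device types seen in a history window and the hours at which logins occur, then scores new logins by which attributes fall outside that baseline. All login records are constructed, and the weights, hour tolerance and alert threshold are assumptions chosen for illustration rather than any product's model.

```python
"""Per-user login baseline with anomaly scoring.

A deliberately small version of the baseline-then-anomaly idea described
above: learn, per user, the countries and device types seen in a history
window and the hours at which logins occur, then score new logins by how
many attributes fall outside that baseline. All records are constructed
sample data; the weights, hour tolerance and alert threshold are
assumptions, not any vendor's model.
"""
from collections import defaultdict

# Constructed history: (user, hour of day, country, device type).
HISTORY = [
    ("alice", 8, "US", "laptop-managed"), ("alice", 9, "US", "laptop-managed"),
    ("alice", 17, "US", "phone"), ("alice", 10, "US", "laptop-managed"),
    ("bob", 22, "DE", "laptop-managed"), ("bob", 23, "DE", "laptop-managed"),
    ("bob", 21, "FR", "laptop-managed"), ("bob", 22, "DE", "laptop-managed"),
]

# Constructed new logins to score.
NEW_LOGINS = [
    ("alice", 9, "US", "laptop-managed"),     # inside baseline
    ("alice", 3, "RO", "unknown-windows"),    # off-hours, new country, new device
    ("bob", 22, "FR", "laptop-managed"),      # all seen before
    ("bob", 12, "DE", "laptop-managed"),      # unusual hour only
    ("carol", 14, "US", "laptop-managed"),    # no history at all
]

WEIGHTS = {"new_country": 3, "new_device": 2, "unusual_hour": 1, "no_baseline": 3}  # assumed
HOUR_TOLERANCE = 2   # assumed: within two hours of a seen login hour counts as usual
ALERT_THRESHOLD = 3  # assumed


def build_baseline(history: list) -> dict:
    """Collect per-user sets of countries and devices and the list of login hours."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": []})
    for user, hour, country, device in history:
        base[user]["countries"].add(country)
        base[user]["devices"].add(device)
        base[user]["hours"].append(hour)
    return dict(base)


def hour_is_usual(hour: int, seen_hours: list, tolerance: int = HOUR_TOLERANCE) -> bool:
    """True if hour is within tolerance of any seen hour, wrapping at midnight."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in seen_hours)


def score_login(login: tuple, baseline: dict) -> dict:
    """Score one login against the baseline; returns reasons and a total."""
    user, hour, country, device = login
    reasons = []
    b = baseline.get(user)
    if b is None:
        reasons.append("no_baseline")
    else:
        if country not in b["countries"]:
            reasons.append("new_country")
        if device not in b["devices"]:
            reasons.append("new_device")
        if not hour_is_usual(hour, b["hours"]):
            reasons.append("unusual_hour")
    return {"login": login, "reasons": reasons, "score": sum(WEIGHTS[r] for r in reasons)}


def anomalies(logins: list, baseline: dict, threshold: int = ALERT_THRESHOLD) -> list:
    """Logins whose score meets the threshold, for analyst review."""
    return [r for r in (score_login(lg, baseline) for lg in logins) if r["score"] >= threshold]


if __name__ == "__main__":
    for r in anomalies(NEW_LOGINS, build_baseline(HISTORY)):
        print(r["login"], r["score"], r["reasons"])
```

On the constructed data the alice login from a new country on an unknown device at 03:00 scores 6 and is flagged, bob's single off-hour login scores 1 and is not, and a user with no history is flagged for review rather than silently accepted. Real deployments replace the fixed sets with decaying statistics and tune the weights against false-positive rates, but the structure (baseline per identity, scored deviations, a review threshold) is the same.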
IBM’s Institute for Business Value study of AI and automation in cybersecurity finds that enterprises that are using AI as part of their broader strategy are concentrating on gaining a more holistic view of their digital landscapes. Thirty-five percent are applying AI and automation to discover endpoints and improve how they manage assets, a use case they predict will increase by 50% in three years.
Vulnerability and patch management is the second most popular use case (34%), predicted to increase to more than 40% adoption in three years.
These findings indicate that more AI adopters are looking to the technology to help them achieve their zero trust initiatives.
In an Ivanti survey on patch management, 71% of IT and security professionals said they see patching as overly complex and taking too much time away from urgent projects. Just over half (53%) say that organizing and prioritizing critical vulnerabilities takes up most of their time.
Leading vendors with AI-based patch management solutions include Blackberry, CrowdStrike Falcon, Ivanti Neurons for Patch Intelligence and Microsoft.
“Patching is not nearly as simple as it sounds,” said Srinivas Mukkamala, chief product officer at Ivanti. “Even well-staffed, well-funded IT and security teams experience prioritization challenges amidst other pressing demands. To reduce risk without increasing workload, organizations must implement a risk-based patch management solution and leverage automation to identify, prioritize and even address vulnerabilities without excess manual intervention.”
Ivanti’s approach uniquely uses contextual intelligence derived from ML to streamline patch deployments. Ivanti Neurons Agents run independently on a set schedule, eliminating the need for time-consuming inventory techniques that waste IT teams’ time. Ivanti Neurons for Patch Intelligence helps enterprises reduce the time-to-patch, offloading manually-intensive tasks that IT teams would otherwise have to do.
Gartner categorized AI use cases by comparing their business value and feasibility. Transaction fraud detection is the most feasible use case, and it delivers high business value. File-based malware detection is considered nearly as feasible and also delivers strong business value.
Process behavioral analysis also delivers substantial business value, with a medium feasibility level to implement. Finally, abnormal system behavior detection delivers high business value and feasibility; Gartner believes this solution can be successfully implemented in enterprises. (Source: Gartner, Infographic: AI Use-Case Prism for Sourcing and Procurement, Refreshed October 14, 2022, Published March 30, 2021.)
The market size for AI in cybersecurity is predicted to be $22.4 billion in 2023 and is anticipated to reach $60.6 billion by 2028, reflecting a compound annual growth rate (CAGR) of 21.9%. Increasing the contextual intelligence of IOAs with AI is one of the core catalysts driving the rapid growth of AI in the broader cybersecurity market.
By definition, IOAs focus on detecting an attacker’s intent and trying to identify their goals, regardless of the malware or exploit used in an attack.
Conversely, an indicator of compromise (IOC) provides the forensics needed as evidence of a breach occurring on a network. IOAs must be automated to deliver accurate, real-time data on attack attempts to understand attackers’ intent and kill any intrusion attempt.
CrowdStrike, ThreatConnect, Deep Instinct and Orca Security are leaders in using AI and ML to streamline IOCs.
CrowdStrike is the first and only provider of AI-based IOAs. According to the company, the technology works in conjunction with existing layers of sensor defense, including sensor-based ML and existing IOAs, asynchronously.
The company’s AI-based IOAs combine cloud-native ML and human expertise on a common platform, which was invented by the company more than a decade ago. CrowdStrike’s approach to AI-based IOAs correlates the AI-generated IOAs (behavioral event data) with local events and file data to assess maliciousness.
“CrowdStrike leads the way in stopping the most sophisticated attacks with our industry-leading indicators of attack capability, which revolutionized how security teams prevent threats based on adversary behavior, not easily changed indicators,” said Amol Kulkarni, chief product and engineering officer at CrowdStrike.
One notable achievement of CrowdStrike’s AI-powered IOAs is their identification of more than 20 adversary patterns that had never been seen before. These patterns were discovered during testing and implemented into the Falcon platform for automated detection and prevention.
AI-based Indicators of Attack (IOAs) fortify existing defenses using cloud-based ML and real-time threat intelligence to analyze events at runtime and dynamically issue IOAs to the sensor. The sensor then correlates the AI-generated IOAs (behavioral event data) with local and file data to assess maliciousness.
Another IDC survey found that cybersecurity is a top investment area across all regions; however, demand varies. Forty-six percent of North American respondents identified cybersecurity as a priority, driven by high levels of investment in cloud applications and infrastructure. In contrast, only 28% and 32% of EMEA and Asia/Pacific respondents, respectively, identified cybersecurity as a top investment area.
Precedence Research found that fraud detection and the anti-fraud segment of the cybersecurity AI market accounted for 22% of global revenues in 2022. The research firm predicts AI’s fastest-growing areas will include battling fraud, identifying phishing emails and malicious links, and identifying privileged access credential abuse. Its study also found that increasingly complex cloud infrastructures comprised of multicloud and hybrid cloud configurations drive the need for AI-based cybersecurity solutions to protect them.
AI delivers its potential when integrated into a broader zero trust security framework designed to treat every identity as a new security perimeter. The most robust use cases for AI and ML in cybersecurity began with a clear vision of what the technology and its solution protect. AI and ML-based technologies are proving effective at scaling to secure each use case when it’s an identity, either as a privileged access credential, container, device or a supplier or contractor’s laptop.
Detection dominates use cases because more CISOs and leading enterprises know that becoming cyber-resilient is the best way to scale cybersecurity strategies. And with the C-suite expecting risk management reductions to be measured financially, cyber-resilience is the best direction forward.
-
Morgan Stanley's cybersecurity professionals are escaping – eFinancialCareers (US)
In a measure of the hotness of people working in cybersecurity in investment banks, several of Morgan Stanley’s senior cybersecurity professionals seem to have discovered that they can move into jobs elsewhere.
Morgan Stanley isn’t commenting on the exits from its cyber team, but insiders say there have been several globally in the past year. Instead of going to other banks, people who leave are typically choosing to work for technology firms.
One of the most recent defectors is Arun Kumar, a senior member of Morgan Stanley’s threat hunt analytics and engineering team in Glasgow. Kumar, who resigned a few weeks ago, has joined Fastly, a cloud computing provider. He’d been at Morgan Stanley for over 15 years.
Other recent exits are more junior. Aviva Cohen, a scenario development program lead at Morgan Stanley in Baltimore, left in June to join TikTok as a team lead in threat defense.
A similar smattering of exits took place in 2021. Most notably, Karl Anderson, an executive director and distinguished engineer at Morgan Stanley in Baltimore, quit to become a principal security engineer at AWS. Christina Parry, a former security and data engineer at Morgan Stanley in New York, left after around four years in October 2021 to join Twitter’s detection and response team, according to her LinkedIn profile.
The exits come as banks are battling for cybersecurity talent, both with technology firms and with the crypto sector. “It’s extremely difficult to hire world-class people in the cybersecurity space,” says Dean Looney, a headhunter at Rupert Dean Associates. “The problem is that the very best people don’t want to work for banks,” says another technology recruiter. “They don’t necessarily even want to work for the big tech firms – the very best people want to work for themselves.”
Morgan Stanley is currently hiring cyber-professionals for its offices in Glasgow, Baltimore, London, and Singapore. Glassdoor indicates that the bank’s Glasgow cybersecurity specialists earn salaries of £40k-80k, while their London peers earn salaries of up to £125k.
Banks aren’t just hiring traditional cyber talent. JPMorgan recently recruited Charles Lim, a quantum encryption expert, to help prepare for the day when quantum computers render existing methods of encryption obsolete.
-
AT&T To Sell Off Cybersecurity Business: Report – CRN
As AT&T continues its strategy to put all its chips on its core telecom business, the carrier is reportedly considering the sale of its five-year-old cybersecurity business unit.
AT&T is mulling the sale of its five-year-old cybersecurity unit, according to a new report.
The carrier giant’s cybersecurity solutions business, which was launched in 2018, includes assets from AT&T’s purchase of open-source threat intelligence firm AlienVault in the same year. The company has been working with Barclays to explore bids for its cybersecurity business, according to a report from Reuters.
Dallas-based AT&T did not respond to CRN’s request for comment on the alleged selloff by publication time.
The cybersecurity unit was created to make AlienVault’s cybersecurity technologies and AT&T’s existing security capabilities accessible to all businesses, from Fortune 100 companies all the way down the chain to local mom-and-pop stores, the carrier said in 2018. The business unit today offers security consulting services, endpoint security, network security, and threat detection and response services.
In the past five years, however, AT&T has become increasingly focused on its core telecom business. Elliott Management in 2019 revealed a $3.2 billion stake in AT&T and laid out a series of changes intended to boost AT&T’s stock price and help it return to its telecom roots. The company in 2022 spun off its hard-fought $85.4 billion deal for Time Warner, which became WarnerMedia under AT&T. AT&T said last year that the spinoff gave the company room to “focus intensely” on 5G and fiber-based connectivity growth and on revamping its declining business wireline segment.
AT&T has said that it cut its net debt by about $24 billion in 2022 and the company is looking to trim another $32 billion by 2025.
Financial terms of any potential deal have not been disclosed and it’s not clear how much AT&T’s cybersecurity business is worth today, according to the report.
-
ChatGPT is bringing advancements and challenges for cybersecurity – Help Net Security
Understanding why ChatGPT is garnering so much attention takes a bit of background. Up until recently, AI models have been quite “dumb”: they could only respond to specific tasks when trained on a large dataset providing context on what to find. But, over the last five years, research breakthroughs have taken AI to a whole new level, enabling computers to better understand the meaning behind words and phrases.

Leveraging these mechanics and 5 large language models (LLMs), ChatGPT can translate the human language into dynamic and useful machine results. In essence, it allows users to “speak” to their data. It’s not yet perfect, but it’s a major advancement in AI, and we can expect other technology companies to soon release competing models.
As with any new technology, ChatGPT can be used for both good and bad – and this has major implications for the world of cybersecurity. Here’s what we can expect over the coming months.
ChatGPT is a gold mine of insight that removes much of the work involved in research and problem-solving by enabling users to access the entire corpus of the public internet with just one set of instructions. This means, with this new resource at their fingertips, cybersecurity professionals can quickly and easily access information, search for answers, brainstorm ideas and take steps to detect and protect against threats more quickly. ChatGPT has been shown to help write code, identify gaps in knowledge and prepare communications – tasks that enable professionals to perform their daily job responsibilities much more efficiently.
In theory, ChatGPT and similar AI models should help close the cybersecurity talent shortage by making individual security professionals significantly more effective – so much so, in fact, that with AI, one person will be able to accomplish the same output as multiple individuals before. It should also help reduce the cybersecurity skills gap by enabling even junior personnel with limited cybersecurity experience to get the answers and knowledge they need almost instantaneously.
From a business standpoint, ChatGPT will inform a generation of similar AI tools that can help companies access and use their own data to make better decisions. Where a team and a series of database queries responds today, a chatbot with an AI engine may respond tomorrow. Additionally, because the technology can take on menial, data-driven tasks, organizations may soon reallocate personnel to focus on different initiatives or partner with an AI to add business value.
Unfortunately, cybersecurity professionals and businesses aren’t the only parties that can benefit from ChatGPT and similar AI models – cybercriminals can, too. And we’re already seeing bad actors turn to ChatGPT to make cybercrime easier – using it for coding assistance when writing malware and to craft believable phishing emails, for example.
The scary thing about ChatGPT is that it is excellent in imitating human writing. This gives it the potential to be a powerful phishing and social engineering tool. Using the technology, non-native speakers will be able to craft a phishing email with perfect spelling and grammar. And it will also make it much easier for all bad actors to emulate the tone, word selection and style of writing of their intended target – which will make it harder than ever for recipients to distinguish between a legitimate and fraudulent email.
Last but certainly not least, ChatGPT lowers the barrier to entry for threat actors, enabling even those with limited cybersecurity background and technical skills to carry out a successful attack.
Whether we like it or not, ChatGPT and next-generation AI models are here to stay, which presents us with a choice: we can be afraid of the change and what’s to come, or we can adapt to it and ensure we embrace it holistically by implementing both an offensive and defensive strategy.
From an offensive perspective, we can use it to empower workers to be more productive and empower the business to make better decisions. From a defensive standpoint we need to put a strategy in place that protects our organizations and employees from the evolving security risks stemming from this new technology – and this includes updating policies, procedures and protocols to protect against AI-enabled bad actors.
ChatGPT and AI are changing the game for both security professionals and cybercriminals, and we need to be ready. Being aware of the opportunities and challenges associated with this new technology and then putting a holistic strategy in place will help you leverage this new era of AI to drive your business. Ignoring these developments puts it at risk. -
New Cybersecurity Resources for Institutes of Higher Education … – FSA Partner Connect
Federal Student Aid (FSA) has developed two new factsheets on how to establish an Incident Response Plan (IRP) and the importance of data sanitization. Additional information is below.
In the event of a cyberattack, an IRP mitigates risk and limits damage by establishing plans, procedures, roles, and responsibilities. To learn more, create, or strengthen your institution’s IRP, visit FSA’s Cybersecurity Incident Planning for Institutes of Higher Education factsheet.
Physical documents, mobile devices, external hard drives, USB drives, memory devices, and computers can harbor abundant sensitive student data. If not properly disposed of, confidential data may be wrongly disclosed. FSA’s Media Sanitization and Disposal Best Practices factsheet details how to permanently destroy media to protect confidential personal data and proprietary information.
A recent Cybersecurity and Infrastructure Security Agency (CISA) report, “Partnering to Safeguard K-12 Organizations from Cybersecurity Threats,” provides recommendations and resources showing how a small number of steps will significantly reduce cybersecurity risk.
Institutes of Higher Education may find the key findings and recommendations useful, including:
develop a cyber incident response plan that leverages the NIST Cybersecurity Framework;
minimize the burden of security by migrating IT services to more secure cloud versions;
build a relationship with CISA and FBI regional cybersecurity personnel;
implement multifactor authentication (MFA);
prioritize patch management;
perform and test backups; and
create a training and awareness campaign.
The full CISA report, along with links to resources, training, and a digital toolkit, is available at: https://www.cisa.gov/protecting-our-future-partnering-safeguard-k-12-organizations-cybersecurity-threats.
If you have any questions about the information included in this announcement, please contact FSASchoolCyberSafety@ed.gov.
To sign up for FSA’s IHE cybersecurity newsletter, email FSASchoolCyberSafety@ed.gov with the subject line: “Send me the FSA Cybersecurity Newsletter for IHEs.” Created for IT and compliance professionals at institutions of higher education (IHEs), FSA’s cybersecurity newsletter features news, updates, tips, and resources about cybersecurity best practices—all to help protect student data and keep your institution secure. -
T-Mobile Says Hacker Got Data From 37 Million Customer Accounts – The New York Times
The breach exposed information like names, addresses and phone numbers and lasted more than a month, the company reported in a securities filing.
T-Mobile said on Thursday that a hacker had collected data, including names, birth dates and phone numbers, from 37 million customer accounts, the company’s second major breach in less than two years.
In a securities filing, T-Mobile said it first discovered that a “bad actor” was obtaining the data on Jan. 5. With help from outside cybersecurity experts, the mobile service provider stopped the leak the next day, it said.
The company said there was no evidence that its systems or network had been compromised, adding that the mechanism the hacker exploited did not provide access to more sensitive information such as Social Security numbers, government identification numbers, or passwords or payment card information.
“We understand that an incident like this has an impact on our customers and regret that this occurred,” T-Mobile said in a statement.
The exposed information included names, billing and email addresses, phone numbers, birth dates, T-Mobile account numbers, and information such as the lines on an account and plan features. Many of the accounts did not include all of that data. The company said it has started to notify some of the affected customers in accordance with state and federal requirements.
T-Mobile said it was continuing to investigate the exposure and had notified the federal authorities. The company said it believed that the hacker first started retrieving data on Nov. 25 through an application programming interface, a common bit of code that allows software to communicate with other software.
A cyberattack in 2021 exposed data from nearly 77 million T-Mobile customer accounts, including names, Social Security numbers and driver’s license information. As a result, the company agreed both to pay $350 million to settle customer claims and to spend $150 million to enhance its cybersecurity practices and technologies.
In Thursday’s filing, T-Mobile said it had “made substantial progress to date” on those upgrades. It also acknowledged that it could face “significant expenses” from the latest breach.
-
7 Popular Cybersecurity Certifications To Turbocharge Your Career – IT News Africa
The demand for Cyber Security experts is huge, and pursuing a career in this field means joining a booming industry where openings outnumber qualified candidates.
In recent times a number of cyber incidents have hit the headlines in South Africa, such as the widely reported ransomware attacks on the City of Johannesburg, Transnet, and the Department of Justice.
Interpol’s African Cyberthreat Assessment Report for 2021 found that Cyber-attacks cost South Africa R2.2 billion per annum, and an Accenture report on digital safety found that South Africa experiences roughly 577 malware attacks per hour.
In light of the massive increase in cyber-attacks in recent years, large and small organisations are focusing on cyber security and are willing to spend large sums of money to ensure that their critical data is kept secure.
There are many certified training courses available, from vendor-specific to general, but before you spend your money and time on certification, it is crucial that you find one that will give you a competitive edge in your career.
Here are 7 cybersecurity certifications that will take your career to the next level:
ISO/IEC 27032 Lead Cybersecurity Manager training enables you to acquire the expertise and competence needed to support an organization in implementing and managing a Cybersecurity program based on ISO/IEC 27032 and NIST Cybersecurity framework.
During this training course, you will gain a comprehensive knowledge of Cybersecurity, the relationship between Cybersecurity and other types of IT security, and stakeholders’ role in Cybersecurity.
Who should attend?
Cost: $1,490
The Lead Cloud Security Manager training course enables participants to develop the competence needed to implement and manage a cloud security program by following widely recognized best practices.
The growing number of organizations that support remote work has increased the use of cloud computing services, which has, in turn, increased the demand for a secure cloud infrastructure proportionally.
This training course is designed to help participants acquire the knowledge and skills needed to support an organization in effectively planning, implementing, managing, monitoring, and maintaining a cloud security program based on ISO/IEC 27017 and ISO/IEC 27018. It provides a comprehensive elaboration of cloud computing concepts and principles, cloud computing security risk management, cloud-specific controls, cloud security incident management, and cloud security testing.
The training course is followed by the certification exam.
Who should attend?
Cost: $1,550
Moving up the certification ladder at CompTIA, the CASP is an advanced cybersecurity certification with hands-on experience in security engineering and architecture. Other topics covered include cryptography and governance. Despite the advanced level, this isn’t one of the best cybersecurity certifications for managers; instead, it’s a better fit for professionals who wish to work in technology as architects and engineers.
Prerequisites: No formal requirements, but the exam provider recommends this certification exam only to IT professionals with at least 10 years of experience
Cost: $480
ISO/IEC 27001 Lead Auditor training enables you to develop the necessary expertise to perform an Information Security Management System (ISMS) audit by applying widely recognized audit principles, procedures and techniques.
During this training course, you will acquire the knowledge and skills to plan and carry out internal and external audits in compliance with ISO 19011 and ISO/IEC 17021-1 certification process.
Based on practical exercises, you will be able to master audit techniques and become competent to manage an audit program, audit team, communication with customers, and conflict resolution.
After acquiring the necessary expertise to perform this audit, you can sit for the exam.
Who should attend?
Cost: $1,370
This certification gives you the tools to excel in the management part of cybersecurity. Some topics of interest include:
Prerequisites: 5 years of experience in a managerial role related to information security
Best for: Programmers interested in solidifying their managerial experience
Cost: $575 for members; $760 for non-members
The CISSP is one of the best cybersecurity certifications for programmers and professionals seeking to advance their careers in the industry. It’s certainly not for beginners, requiring 5+ years of experience. It’s not uncommon to see security engineers and chief information officers with this designation; however, they likely have many others as well. The CISSP certification is the most common requirement or preferred qualification for cybersecurity job postings.
Cost: $749
Prerequisites: 5 years of experience in at least two cybersecurity topic areas, such as Security and Risk Management, Security Engineering, Software Development Security, Communication and Network Security, and more.
ISO/IEC 27001 Lead Implementer training course enables participants to acquire the knowledge necessary to support an organization in effectively planning, implementing, managing, monitoring, and maintaining an information security management system (ISMS).
Information security threats and attacks increase and improve constantly. The best form of defense against them is the proper implementation and management of information security controls and best practices. Information security is also a key expectation and requirement of customers, legislators, and other interested parties.
This training course is designed to prepare participants in implementing an information security management system (ISMS) based on ISO/IEC 27001. It aims to provide a comprehensive understanding of the best practices of an ISMS and a framework for its continual management and improvement.
After attending the training course, you can take the exam.
Who Can Attend?
Cost: $1,370
These are just a few of the top cyber security certifications out there. Depending on your interests and aspirations, there may be another program that’s more aligned with your career goals. Browse Primus Institute’s website to see all of the online education programs they offer in cyber security.
By Primus Institute