Information Security Buzz
Expert(s): November 30, 2020
Chris Morales
Head of Security Analytics
Vectra

Comments Dotted : 5
January 28, 2021

Emotet Takedown – What’s Next

The good news is I see signs of law enforcement learning how to better coordinate global efforts to respond to what are international threats.

Emotet was large and far-reaching. What is impressive/concerning is how it has persisted for so long. That stability and length of time is what has made Emotet so lucrative and widely adopted by other criminal organisations. There will be an immediate impact. Crime organisations operate based on a cost and efficiency model much like any legitimate organisation.

 

Taking down Emotet is the equivalent of taking down an AWS or Azure major datacenter. The immediate impact would be felt, but eventually, organisations leveraging that infrastructure would look to move services elsewhere, including potentially internally managed. This could take some time depending on the capabilities and funding of the organisations leveraging that infrastructure. 

 

The good news is I see signs of law enforcement learning how to better coordinate global efforts to respond to what are international threats. This is a good start of what I hope to be a long and ongoing collaboration in targeting these types of organisations that can operate beyond any specific country’s borders.

January 20, 2021

Expert Comment On New Malware Strain Found In SolarWinds Hack

While the malware strains might slightly vary, and I’m sure more will be exposed.

So we are now getting into the semantics of minutia of how different malware worked so they can be named and detected with a signature. This is all great after the fact once we already know the attack occurred, but it did not help when it mattered most.

 

While the malware strains might slightly vary, and I’m sure more will be exposed, the fact is the behaviours related to the malware have been consistent – network reconnaissance for user accounts and passwords (primarily AD) followed by lateral movement to targeted systems with privilege escalation.

 

Attackers can modify code and find different ways to execute the attack lifecycle, but no matter what they do the behaviours stay the same and are surprisingly consistent. During an attack, it does not matter who is responsible or how they are executing commands. It only matters that it is happening right now and what they are doing so that the organisation can mitigate it. This is where behaviours are strong with no prior knowledge of malware.

April 01, 2020

Industry Leaders And Cybersecurity Experts Insight On Marriott International Data Breach

Vectra research shows that privileged access from unknown hosts occurs inside every industry.
Vectra research shows that privileged access from unknown hosts occurs inside every industry, leading to unintended exposure of critical systems. Yet these privileged accounts rarely receive direct oversight or technical control of how they are used, even when privileged access management tools are in place. It is this lack of oversight or understanding of how privileged accounts are being used that creates the operational and financial risk for organizations. If used improperly, privileged accounts have the power to cause much damage, including data theft, espionage, sabotage, or ransom.
January 15, 2020

Expert Advises On Microsoft To End Update And Patch Distribution For Windows 7

A user should never use an unsupported operating system for public facing internet use.
Windows 7 will keep working come January 15. Nothing will change overnight. It is true that Windows 7 will be more vulnerable to attack. That is the expectation. But I don’t think the actual impact will be catastrophic.

For home users that want to cling on for whatever reasons, many of the potential problems could be mitigated using other tools and methods, like VPN, encryption, security software, and a good secure home router. For many enterprises, they will simply sign up for Windows 7 Extended Security Updates for the next three years of coverage. This covers anything deemed critical or important. Which means not much will change in the attack landscape for enterprises with the Windows 7 Extended Security Updates. Most major apps like Google Chrome browser will also continue to be supported with updates for all users.

For everyone else, an update to Windows 10 or a move to another supported OS should have already happened. A user should never use an unsupported operating system for public facing internet use, like browsing the web or for email. It is bad practice.

For most people, an upgrade should be as simple as a license key. The hardware requirements are fairly low compared to modern hardware. Almost any PC from the last 10 years should be able to support Windows 10. That in itself I would consider incredibly old. Most users are running Windows 7 on more modern hardware simply because they like using Windows 7 and opted to. Windows 10 has been the default OS on a new PC for some time.

If a user’s current hardware does not support Windows 10 or a newer OS, it is likely old hardware that doesn’t support any of the latest versions of apps either. This means not only the OS is out of date, but everything is most likely out of date, which is a much bigger problem. I’d recommend for those users to buy new hardware.
September 18, 2019

Experts Comments: Personal Records Of Most Of Ecuador’s Population Leaked

Especially when it is private data a government has shared with a third-party private company. That in itself is a bit scary.
This is yet another example of how poorly configured AWS S3 buckets could lead to an extensive number of individuals’ personal data being exposed, which leaves them at a significant risk of identity fraud and social engineering. We know that poorly configured servers in AWS is something many administrators struggle with understanding, including how to properly limit access to the data they store there. This is not even about company size or maturity.

Whilst cloud computing’s instant provisioning and scale are valuable benefits, cloud administrators must know what they’re doing and ensure appropriate access controls are in place to protect their data. As no system or person is ever perfect, the ability to detect and respond to unauthorised or malicious access to Platform or Infrastructure cloud services can make the difference between a contained security incident and a full-blown breach of the magnitude that these Ecuadorian citizens are now facing.

The bigger question I have is why is that level of personal data from a government given to a marketing analytics company? What purpose does it serve? The number one rule of data protection is to not have the data. Especially when it is private data a government has shared with a third-party private company. That in itself is a bit scary.

Furthermore, the exposure of this data isn’t much different than what was leaked by Equifax, showing that we haven’t learnt from previous breaches as this information was all in a searchable online database that anyone can use. Elasticsearch databases in AWS are known to be publicly accessible, and as this is a common setup, it’s important that organisations work with their partners to ensure their data is secure.

Copyright © 2020 ISBuzz Pty Ltd is a company registered in Australia with company number 605 203 772 whose registered office is 14 Alanvale Street, Harrison, ACT 2914.

