Expert(s):
EMEA Directorfeature_status*/ ?>
Vectra

Comments Dotted : 11
December 14, 2020

Expert Reacted On US Treasury And Commerce Departments Targeted In Cyber-attack
A threat actor can then, with a few clicks, reconfigure email rules, compromise SharePoint and OneDrive file stores.
This is significant example of a well-executed supply chain attack compromising a popular IT administration tool as a penetration mechanism. The subsequent exploitation of authentication controls enabled the threat actor to pivot to the cloud and operate undetected for an extended time in Microsoft 365, which allowed them to gather intelligence. The US Government’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive calling on “all US federal civilian.....Read More
This is significant example of a well-executed supply chain attack compromising a popular IT administration tool as a penetration mechanism. The subsequent exploitation of authentication controls enabled the threat actor to pivot to the cloud and operate undetected for an extended time in Microsoft 365, which allowed them to gather intelligence. The US Government’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive calling on “all US federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately. As organisations increasingly become hybrid cloud environments, we’ve seen attackers focus on privileged access and the use of legitimate tools for malicious actions. For example, in a recent study of 4 million Microsoft 365 accounts, we identified that 96% of organisations exhibited lateral movement behaviours including multifactor authentication (MFA), and embedded security controls that are being bypassed. A threat actor can then, with a few clicks, reconfigure email rules, compromise SharePoint and OneDrive file stores, and set up persistent reconnaissance and exfiltration capabilities using built-in M365 tools such as eDiscovery and Power Automate. Opportunities for these kind of attacks like this are vast and growing. It highlights the need for security teams to be able to tie together all host and account interactions as they move between cloud and on-premise environments in a consolidated view. Security teams also need to drastically reduce the overall risk of a breach by gaining instant visibility and understanding of who and what is accessing data or changing configurations, regardless of how they are doing it, and from where.  Read Less
December 04, 2020

Experts On Clop Ransomware Attacking Retail Giant E-Land
This can be done at a speed and scale that humans and traditional signature-based tools simply cannot achieve.
This is a timely reminder that Ransomware operators have changed their tactics and become far more targeted. Not only are they performing data theft and public bullying, but they remain active inside an organisation for extended periods prior to detection. In this case, valuable credit card details were stolen from retail Point of Sale systems- such systems are often unable to be covered by end point security software. In situations such as these, the performance and analytical power of AI is .....Read More
This is a timely reminder that Ransomware operators have changed their tactics and become far more targeted. Not only are they performing data theft and public bullying, but they remain active inside an organisation for extended periods prior to detection. In this case, valuable credit card details were stolen from retail Point of Sale systems- such systems are often unable to be covered by end point security software. In situations such as these, the performance and analytical power of AI is needed to detect the subtle indicators of ransomware behaviours and the misuse of privileged credentials from networks and the cloud. This can be done at a speed and scale that humans and traditional signature-based tools simply cannot achieve. Ransomware will continue to be a potent tool in cybercriminals’ arsenals as they attempt to exploit, coerce, and capitalise on organisations’ valuable digital assets. For those looking to transfer the financial risk of ransomware to insurers should also take note that S&P recently predicted a 20-30% hike in cyber insurance premiums, and even some policies containing ransomware specific restrictions. This means the ability to quickly and accurately detect and respond to the early stages of a ransomware operation compromising your systems, will become even more critical.  Read Less
October 19, 2020

Experts Reacted On News: British Airways Fined £20m For Data Breach
All defenses are ultimately imperfect.
Attackers invariably need to seek and gain privileged access. The details of the BA attack contained in the ICO’s report should serve as a salutary yet cautionary tale for security leaders and architects. Single-factor authentication VDI remote desktop services, storage of password in plain text and hardcoding credentials in scripts aiding lateral movement and privilege escalation, and a lack of network monitoring and detection capabilities to detect privilege abuse and attacker movement,.....Read More
Attackers invariably need to seek and gain privileged access. The details of the BA attack contained in the ICO’s report should serve as a salutary yet cautionary tale for security leaders and architects. Single-factor authentication VDI remote desktop services, storage of password in plain text and hardcoding credentials in scripts aiding lateral movement and privilege escalation, and a lack of network monitoring and detection capabilities to detect privilege abuse and attacker movement, all stand out in today’s £20M GDPR penalty notice filing. All defenses are ultimately imperfect, which is why early detection and response to an active attacker inside your organisation can make the difference between a contained security incident or a damaging and costly breach.  Read Less
September 01, 2020

Experts Reacted On Musk Confirms Russian Hack Targeted Tesla Factory
Ransomware operators have evolved into using “name and shame” tactics whereby the victim’s data is exfiltrated prior to encryption.
Ransomware attackers seek internal access to privileged entities associated with accounts, hosts, and services given the unrestricted access they can provide and the ease of replication and propagation.  In this case, the recruitment or coercion of a Tesla insider to aid the attempted deployment of malware tools to stage their attack shows the lengths ransomware groups will go to. Ransomware operators have evolved into using “name and shame” tactics whereby the victim’s data is.....Read More
Ransomware attackers seek internal access to privileged entities associated with accounts, hosts, and services given the unrestricted access they can provide and the ease of replication and propagation.  In this case, the recruitment or coercion of a Tesla insider to aid the attempted deployment of malware tools to stage their attack shows the lengths ransomware groups will go to. Ransomware operators have evolved into using “name and shame” tactics whereby the victim’s data is exfiltrated prior to encryption and used to leverage ransomware payments. These bullying tactics are making attacks even more expensive, and they are not going to stop any time soon, particularly within the current climate. These attackers will attempt to exploit, coerce, and capitalise on organizations’ valuable digital assets. Attackers will maneuver themselves through a network and make that step from a regular user account, to a privileged account, which can allow them to deploy their tools and identify the data they need in order to finalise their ransomware attack and bribe their victims. Kudos to Tesla and the FBI in identifying and thwarting the reported attack but in most cases, organisations can’t rely on external prior notification or assistance. Therefore, security teams need to be agile as time is their most precious resource in dealing with ransomware attacks and malicious insider behaviors. Early detection and response are key to gaining back control and stopping the attackers in their tracks before they can propagate across the organisation, stealing and denying access to data and services.  Read Less
August 06, 2020

Expert Commentary: Canon ransomware attack
Attackers will maneuver themselves through a network and make that step from a regular user account, to a privileged account.
Maze Group ransomware operators use “name and shame” tactics whereby victim’s data is exfiltrated prior to encryption and used to leverage ransomware payments. The bullying tactics used by such ransomware groups are making attacks even more expensive, and they are not going to stop any time soon, particularly within the current climate. These attackers will attempt to exploit, coerce, and capitalise on organisations’ valuable digital assets. Ransomware attackers tend to seek privileged .....Read More
Maze Group ransomware operators use “name and shame” tactics whereby victim’s data is exfiltrated prior to encryption and used to leverage ransomware payments. The bullying tactics used by such ransomware groups are making attacks even more expensive, and they are not going to stop any time soon, particularly within the current climate. These attackers will attempt to exploit, coerce, and capitalise on organisations’ valuable digital assets. Ransomware attackers tend to seek privileged entities associated with accounts, hosts, and services due to the unrestricted access they can provide and to ease replication and propagation. Attackers will maneuver themselves through a network and make that step from a regular user account, to a privileged account which can allow them to deploy their tools and access all the data they need in order to finalise their ransomware attack and coerce their victims. Therefore, security teams need to be agile as time is their most precious resource in dealing with ransomware attacks. Early detection and response is key to gaining back control and stopping the attackers in their tracks before they can propagate across the organisation, stealing and denying access to data.  Read Less
May 20, 2020

UK airline easyJet data breach impacts 9M customers – expert commentary
As 9 million customers’ data has been accessed, it is a significant breach.
Transportation as part of critical national infrastructure is a tempting target for nation state threat actors and cybercriminals alike. Whilst EasyJet characterise this attack as coming “from a highly sophisticated source” we’ve yet to see details that corroborate the sophistication or attacker attribution. It may well be the case that, like the British Airways attack, they’ve had a web application compromised which has been used to gain unauthorised access. As 9 million customers’.....Read More
Transportation as part of critical national infrastructure is a tempting target for nation state threat actors and cybercriminals alike. Whilst EasyJet characterise this attack as coming “from a highly sophisticated source” we’ve yet to see details that corroborate the sophistication or attacker attribution. It may well be the case that, like the British Airways attack, they’ve had a web application compromised which has been used to gain unauthorised access. As 9 million customers’ data has been accessed, it is a significant breach. Even if EasyJet were found to be significantly accountable by the ICO I doubt there would be much appetite for a big GDPR fine when the sector is already on its knees and close to collapse for some airlines.  Read Less
March 16, 2020

Security Expert On IMDA Plans To Introduce Rules For Safer Experience Of IoT Devices
The CLS’ proposed “security rating” scheme aims to indicate and differentiate products “with better cybersecurity provisions”.
The intention to educate and enable consumers around better security practices for their IoT devices is clearly positive and fills an unmet need. That said, voluntary schemes such as Singapore’s recently announced Cybersecurity Labelling Scheme for IoT devices will likely only get picked up by the sub-set of vendors that are proactive about their customers’ and product’s security. The CLS’ proposed “security rating” scheme aims to indicate and differentiate products “with better.....Read More
The intention to educate and enable consumers around better security practices for their IoT devices is clearly positive and fills an unmet need. That said, voluntary schemes such as Singapore’s recently announced Cybersecurity Labelling Scheme for IoT devices will likely only get picked up by the sub-set of vendors that are proactive about their customers’ and product’s security. The CLS’ proposed “security rating” scheme aims to indicate and differentiate products “with better cybersecurity provisions” appears to be a simple idea focusing on basic good practices but could be complex to ensure ratings are kept up to date as software gets revised and vulnerabilities get identified. I think Singapore’s CLS announcement is more of a positive statement of intent that needs more development in order to be robust and pervasively used. Here in the UK, the government initially pursued a similar voluntary scheme around IoT security but soon realised it would have no teeth, and so turned to legislation instead.  Read Less
February 21, 2020

Personal Details Of 10.6M MGM Hotel Guests Posted On A Hacking Forum – Cybersecurity Experts React
As organizations increasingly use the cloud to underpin digital transformation.
MGM has acknowledged a cloud “server exposure”. This could have easily been caused by poor cloud configuration and security hygiene, or from offensive attacker behaviors. As practitioners, we need to stop treating cloud separately from a security perspective. As organizations increasingly use the cloud to underpin digital transformation, it is critical that security operations teams have the ability to pervasively detect and respond to attacks and unauthorized access wherever they.....Read More
MGM has acknowledged a cloud “server exposure”. This could have easily been caused by poor cloud configuration and security hygiene, or from offensive attacker behaviors. As practitioners, we need to stop treating cloud separately from a security perspective. As organizations increasingly use the cloud to underpin digital transformation, it is critical that security operations teams have the ability to pervasively detect and respond to attacks and unauthorized access wherever they happen. Attackers don’t operate in silos of local mobile, network, data centers, or cloud - neither should our security capabilities.  Read Less
February 12, 2020

Kwampirs Malware – FBI Issues Warning To US Private Sector
The FBI’s report that threat actors are using digital supply chain infections as a distribution.
Remote Access Trojans (RATs) are an insidious set of attacker tools that invade our systems, data and privacy. With so much legitimate remote access happening across our networks and hosts, there’s plenty of opportunities for RATs to operate undiscovered as they hide in plain sight. The FBI’s report that threat actors are using digital supply chain infections as a distribution means for Kwampirs opens the door for the possibility of widespread deployments. Consider the scope and impact of.....Read More
Remote Access Trojans (RATs) are an insidious set of attacker tools that invade our systems, data and privacy. With so much legitimate remote access happening across our networks and hosts, there’s plenty of opportunities for RATs to operate undiscovered as they hide in plain sight. The FBI’s report that threat actors are using digital supply chain infections as a distribution means for Kwampirs opens the door for the possibility of widespread deployments. Consider the scope and impact of NotPetya which was embedded into an update service of the popular Ukrainian accounting application M.E. Doc, or the malware that was stealthily placed inside the updates for Avast’s CCleaner. Whilst it’s good to see government agencies warn about, and provide identification signature profiles for RATs such as Kwampirs, the pathways and services that RATs exploit remain open and hard to monitor for many organizations. Signatures exist for the most common RATs, but skilled attackers can easily customize or build their own RATs using common remote desktop tools such as RDP to exert remote access. This is held up by some recent analysis we made on live enterprise networks that found that 90% of surveyed organizations exhibit a form of malicious RDP behaviors. This type of behavioral detection approach (instead of trying to perfectly fingerprint each RATs’ signature) can be achieved with machine learning models designed to identify the unique behaviors of RATs. By analyzing large numbers of RATs, a supervised machine learning model can learn how traffic from these tools differs from normal legitimate remote access traffic and so spot “RATish” behavior without prior knowledge of the attack, or individual RAT’s code.  Read Less
February 03, 2020

Bouygues Construction Paralysed By A Major Cyber Attack – Experts Insight
With these type of high velocity attacks time is the defending security team’s most precious resource.
We’ve recently seen multiple Maze ransomware attacks and data leaks, particularly in the US which prompted the FBI to put out warnings late last year. The attacks on Bouygues are thought to have spread from their US operations and widely disrupted their global IT operations. Ransomware is an insidious threat spreading virulently at machine speed across the victim’s internal networks, and there are no perfect defences. With these type of high velocity attacks time is the defending.....Read More
We’ve recently seen multiple Maze ransomware attacks and data leaks, particularly in the US which prompted the FBI to put out warnings late last year. The attacks on Bouygues are thought to have spread from their US operations and widely disrupted their global IT operations. Ransomware is an insidious threat spreading virulently at machine speed across the victim’s internal networks, and there are no perfect defences. With these type of high velocity attacks time is the defending security team’s most precious resource. Early detection and response can make the difference between a contained, minimised incident or the situation of facing massive business disruption, a reported 10M euro ransom and all the reputational damage risks that Bouygues now face. We’re increasingly seeing cybercriminals gangs adapt their attics to become more targeted and focused on economic efficiency for their efforts, even to the point that attackers seek to publicise their attacks to increase pressure on the victims. So, seeing media attention, such large ransom demands, and threats of data leaks isn’t surprising.  Read Less