When Companies Get Stuck In A Cybersecurity Loop

Repeating the same actions over and over again and expecting a different result is, to some, the definition of “insanity.” The saying holds a certain logic, but by the same token repeated actions can also serve as an opportunity to practice or improve in some way. When it comes to responding to cyber incidents, it’s always interesting to see which way a company chooses to go. Will they follow the path of insanity, or will they learn, adapt, and improve their cybersecurity?

Last year we discussed lessons from the T-Mobile breach. Yet it seems history is repeating. Here we are again, contending with news of the eighth data breach T-Mobile has endured in the last 5 years. There are so many elements surrounding the cyber-plight of this company that we’re forced to visit the topic again. This time around with a bit more focus – and some very serious questions.

First, the reports on this incident from late January 2023 said the data of some 37 million customers was lost. Apparently, hackers exploited an application programming interface (API) on one of the company’s platforms. Further, the hackers first accessed the data in late November 2022 yet could not be stopped (and were probably not detected) until over two months later, sometime in late January.

T-Mobile: A Significant Target

It’s not much of a secret that T-Mobile is a data-rich target. Its existing and legacy customer base includes millions of accounts, with personal billing information, dates of birth, addresses, and other personally identifiable information (PII). On top of that, T-Mobile has exhibited vulnerability through the sheer number of successful attacks inflicted on it, making the company even more of a target.

Will the eighth time be the charm? We can only hope this incident will serve as a turning point for T-Mobile, a time at which they have asked every question and learned all they can learn, to ultimately build the kind of cybersecurity practice that prevents and reduces incidents, and works proactively to minimize the damage incidents cause. Doing so successfully takes a number of steps that anybody on the outside can predict, and raises the following questions:

  • Has the company’s board held its C-level executives accountable?
  • How much qualified help has the company requested?
  • How can the company’s digital operations be running this far in the dark?
  • Is the company really ready to make effective decisions about its issues?
  • Are the T-Mobile IT organization and IT security organization being truly transparent with their leadership?

And the overarching question: Is the internal T-Mobile IT organization equipped to deal with cyber-threats, or are they better off partnering with experts? We’re not looking to pick on a company when it is down, but for T-Mobile there’s been a lot of time down on the mat.

Making Cybersecurity Decisions (Breaking the Loop)

Cybersecurity is not a one-time project, but a continuous process that requires regular assessments and updates. Unfortunately, many companies view cybersecurity as an afterthought or an expense rather than a critical aspect of their operations. This often leads to a loop of inadequate resources being allocated to cybersecurity, resulting in insufficient protection against threats.

Additionally, many companies do not conduct regular security assessments, or fail to address vulnerabilities identified during the assessments that occur. Among the most common mistakes companies make are not prioritizing cybersecurity and not seeking partnerships to assist in this mission.

Seeking the right outside assistance is a sign of strength, not weakness. It takes leadership to make this decision, but if they are affected by indecision it will eventually bring them back around to the same place – hacked, embarrassed, and an even bigger target than last time. Collaborating with an outside partner to deliver a comprehensive security service is a proactive step towards ensuring the continued success of a business in today’s ever-evolving cybersecurity landscape.

Cyber Impact and Remedies

This time around, T-Mobile’s cybersecurity lessons must be thorough and systemic. They must include the ability to monitor, alert, and react upon their entire digital estate. It’s clear they need an outside perspective and help; what they’ve been doing for the last five years is simply not working. Weeks of unfettered, unauthorized access by an outsider just simply cannot happen again.

Cybersecurity is critical for every company, regardless of size or industry. Companies that make cybersecurity mistakes can put themselves at risk of a cyberattack, which can result in significant financial and reputational damage. It’s essential for companies to prioritize cybersecurity and invest in adequate protection to mitigate the risk of cyberattacks. By doing so, companies can protect their sensitive data and reputations, and ensure the continued success of their business.

This article was originally published in Forbes. Please follow me on LinkedIn.

Cybersecurity: Why The C-Suite Should Care

In this age of digital marvels, the cybersecurity challenge weighs heavily on businesses of all sizes. Across the spectrum, companies are regularly fighting through incidents such as breaches, data leaks, advanced persistent threats, and ransomware attacks. Great costs fall on those unfortunate enough to find themselves attacked, and attacks can be devastating. Not only that, cyberattacks are ruthlessly agnostic. Cybercriminals don’t care about an organization’s size; they target everyone from large and mid-size businesses down to the smallest of shops, using the same techniques aimed at major corporations. Cybercriminals don’t discriminate based on the type of product or service sold, either.

Mid-Level Hit, Massive Impact

In early February, the largest Canadian online book and music retailer, Indigo, was under attack for several days. The attacks affected customer orders in both retail locations and online. The company was unable to process electronic payments, gift card transactions, or returns during this time. Recently, Indigo representatives provided an update about the ransomware attack and revealed that sensitive past and existing employee data was accessed during the incident.

Attacks against a mid-tier retail operation like Indigo raise important questions. They make you wonder about Indigo – or any business’ – ability to survive. Big companies can metaphorically shrug attacks like this off. They have high cost redundancy, cutting-edge recovery tools, and costly emergency assistance from cyber disaster specialists at their disposal. They also have the deep pockets to pay their way out. Companies such as Amazon, Apple, Sony, Target, or Disney, for example, have strong brands that allow them to recover from compromises in ways that smaller, less recognizable companies simply cannot. Data shows that 60% of small to mid-size companies that suffer a successful cyberattack will not be around in 6 months.

Existential Challenges

For mid-market companies there is no safety net. Cyber-insurance is costly and difficult to obtain, and when the rubber hits the road policies only pay a part of qualified expenses. In a cyber crisis, you still need emergency cash to cover expenses to get back to operational stasis. Thus, there is a massive resiliency distinction between big companies and every company in the mid-market or smaller range.

One of the main reasons cybersecurity incidents can be more dangerous for small and mid-size companies is that they often lack the resources to respond to incidents effectively. These companies may not have an IT team dedicated to cybersecurity, or may not have committed financial resources to hiring outside experts to help prevent and address incidents. This can result in a slower response time and increased risk of further damage to the company’s systems and data.

Too Much to Tackle Alone

When it comes to cyber threats, there are multitudes of challenges afoot for IT operations to take on.

  • Ransomware: Ransomware is on the rise. This plague is getting easier and easier for nefarious actors to use.
  • Protecting Valuable Assets: One of the most significant reasons why CEOs, boards, and investors should care about cybersecurity is that it helps protect valuable assets. Digital assets are just as valuable as, if not more so than, physical assets. A successful cyberattack can result in the loss of valuable data, leading to financial losses, reputational damage, and legal liabilities.
  • Compliance and Regulatory Requirements: Governments and regulatory bodies have implemented strict cybersecurity regulations to protect consumers and businesses. Failure to comply with these regulations can result in significant fines and penalties, plus damage to a company’s reputation.
  • Reputational Damage: A successful cyberattack can also result in near-instantaneous reputational damage, which can have a significant impact on a company’s bottom line. A data breach or attack can erode customer trust, leading to lost business and revenue.
  • Investor Confidence: Mid-size companies often have investors, who possess a vested interest in a company’s cybersecurity posture. A cyber-driven drop in a company’s stock price can lead to a loss in shareholder value. Additionally, investors are increasingly looking at cybersecurity as a key factor when making investment decisions. When risk is high, investment money will go elsewhere.
  • Protecting Employees and Clients: Cyberattacks can result in the loss of sensitive data such as dates of birth, social security numbers, and financial information.

Finding Better IT Strategies

IT departments have a big job to do. Executives of mid-market companies must realize that cybersecurity protections should not be single-sourced to the in-house IT department. Those same IT departments may resist, unwilling to drive outside security sourcing because of a sense of losing ownership. Despite this, security outsourcing has proven to be leverage that helps companies operate with greater efficiency, reliability, and improved security. Changing cybersecurity operations to include outside organizations requires executive will and direction from the top.

Cybersecurity is Survival

Cybersecurity should be a critical concern for businesses of all sizes, but given its potentially devastating impact on mid-size companies, cybersecurity is a matter of survival. It can turn a promising asset into a massive liability for the C-Suite, boards, PE firms, investors, and lenders.

CEOs, boards, and investors alike should care about cybersecurity. It is of immense importance, as it protects valuable assets, helps companies comply with regulatory requirements, prevents reputational damage, instills investor confidence, and protects sensitive data. As cyber threats continue to evolve and become more sophisticated, it’s crucial for businesses to make cybersecurity a regular board-level topic, and for the C-suite to drive investment in robust cybersecurity services.

This article was originally published in Forbes. Please follow me on LinkedIn.

Almost Human: The Threat Of AI-Powered Phishing Attacks

Artificial Intelligence (AI) is undoubtedly a hot topic, and has been hailed as a game-changer in many fields including cybersecurity. There is much buzz about it, from the good, to the bad, and everything in between. Even Elon Musk and other tech leaders are advocating for AI development to be curbed, or at least slowed. While there are untold scintillating and amazing implications for AI technology in society, there are also plenty of bad and strange things that could happen. This is something we discussed in detail when the Metaverse was all the craze, but all of the technological scenarios pale in comparison to what happens when the plainest, simplest of threats wind up in the wrong hands.

Think Like a Hacker

As with any technological advancement, with AI there is always the potential for malicious misuse. To understand the impact of AI on cybersecurity, we need to first think like a hacker. Hackers like to use tools and techniques that are simple, easy, effective, and cheap. AI is all those things, especially when applied in fundamental ways. Thus, we can use our knowledge of the hacker mindset to get ahead of potential threats.

Aside from nation-state sponsored groups and the most sophisticated cyber hacker syndicates, the commotion over cyber hackers using AI in advanced technological ways is missing the bigger, more threatening point. AI is being used to mimic humans in order to fool humans. AI is targeting YOU, and can do so when you:

  • Click on a believable email
  • Pick up your phone or respond to SMS
  • Respond in chat
  • Visit a believable website
  • Answer a suspicious phone call

Just as AI is making everyday things easier, it’s making attacks easier for cybercriminals. They’re using the technology to write believable phishing emails with proper spelling and grammar, and to incorporate data collected about the target company, its executives, and public information. AI is also powering rapid, intelligent responses to messages. AI can rapidly create payloaded websites or documents that look real to an end user. AI is also used to respond in real time with a deepfaked voice, built from recordings of real voices captured through suspicious unsolicited spam calls.

Just the Beginning

Many of the hacks on the rise today are driven by AI, but in a low-tech way. AI tools are openly available to everyday people now, but have been in use in dark corners of the internet for a while, and often in surprisingly simple and frightening ways. The surging success rate of phishing campaigns, man-in-the-middle (MITM) attacks, and ransomware will prove to be related to the arrival of AI and the surge in its adoption.

The use of AI in phishing attacks also has implications for the broader cybersecurity landscape. As cybercriminals continue to develop and refine their AI-powered phishing techniques, it could lead to an “arms race” between cybercriminals and cybersecurity professionals. This could result in increased demand for AI-powered cybersecurity solutions that might be both costly and complex to implement.

Cybersecurity Response

To protect against AI-powered phishing attacks, individuals and businesses can take several steps including:

  • Educating about the risks of phishing attacks and how to identify them
  • Implementing strong authentication protocols, such as multi-factor authentication
  • Using anti-phishing tools to detect and prevent phishing attacks
  • Implementing AI-powered cybersecurity solutions to detect and prevent AI-powered phishing attacks
  • Partnering with a reputable Managed Security Services Provider (MSSP) who has the breadth, reach, and technology to counter these attacks

AI is becoming ubiquitous in homes, cars, TVs, and even space. The unfolding future of AI and sentient technologies is an exciting topic that has long captured the imagination. However, the dark side of AI looms when it’s turned against people. This is the beginning of an arms escalation, although there is no AI that can be plugged into people (yet). Users beware.

This article was originally published in Forbes. Please follow me on LinkedIn.

CONTI Hacker Group: The Young “For-Profit” Super-Cybercriminal Threat

As I wrap up my “know thy cyber-enemy” series, I have saved the “best” for last. Having emerged in late 2020, the CONTI hacker group is a relatively new player in the shadowy world of cybercrime. Despite its short history, the group has made a name for itself as a sophisticated and aggressive threat to businesses and organizations around the world.

Beyond providing education on adversarial hacker groups such as CONTI, this series has examined their behavior, targeting, tactics, and motivations. The resulting insights provide valuable, preemptive perspective on what kind of operational cybersecurity initiatives to pursue, what kind of technologies to invest in, and where vulnerability gaps in an organization’s operations may lie. To best mitigate risks, you must first understand the enemies you face.

Double Extortion in a Wide Net

CONTI’s calling card is its extended use of ransomware. The group uses malware to encrypt victims’ data, then demands payment in exchange for the decryption key. Unlike other ransomware groups, however, CONTI has developed a reputation for using particularly aggressive tactics and demanding higher-than-average ransom payments. One of the most notable aspects of CONTI’s operations is its use of double extortion tactics. This involves not only encrypting the victim’s data, but also stealing sensitive information such as financial data, intellectual property, or personally identifiable information (PII). CONTI then threatens to release this information publicly if the victim does not pay the ransom.

The group’s operations are highly sophisticated and often involve multiple stages, including spear-phishing emails, network infiltration, and deployment of custom-built malware. CONTI’s malware is known for its ability to evade detection by antivirus software and to spread rapidly through an organization’s network. The group also adapts and evolves its tactics in response to changes in the cybersecurity landscape. For example, the group has been known to use the Ryuk ransomware strain in some attacks, which has been linked to other cybercriminal groups such as Wizard Spider and TrickBot.

While CONTI is relatively new on the scene, it has already made a significant impact. According to some estimates the hacker group has already earned millions of dollars in ransom payments from its victims, making it one of the most lucrative cybercriminal groups currently in operation. While other groups such as REvil, APT10, or APT33 are affiliated with Russian, Chinese, and Iranian intelligence services respectively, CONTI is a bit different. CONTI operates largely from Russia and Eastern Europe and is thought to be operating for its members’ profit while also supporting the Russian invasion of Ukraine.

To date, CONTI has targeted a wide range of businesses and organizations including healthcare providers, government agencies, and educational institutions. While some groups focus on specific industries, CONTI has shown a willingness to target any organization it believes can be successfully compromised. One of the most high-profile attacks attributed to CONTI occurred in February 2021 when the group targeted the Accellion file transfer service, compromising the data of dozens of organizations around the world. CONTI has also been linked to the May 2021 attack on Ireland’s health service that caused significant disruption to the country’s healthcare system.

A Significant Threat to Businesses

The CONTI hacker group has quickly established itself as a significant threat to businesses and organizations worldwide. The group’s use of double extortion tactics and aggressive ransomware attacks has resulted in millions of dollars in ransom payments and the compromise of sensitive data. The challenge that stems from this ruthlessly efficient and threatening hacker group is ugly and significant. With its aggressive tactics and willingness to target organizations in a wide range of industries, CONTI is likely to continue to pose a significant risk for years to come.

Understanding the behavior, targeting, tactics, and motivation of adversarial hacking groups like CONTI can guide organizations in designing strong cybersecurity strategies. To mitigate the threat posed by CONTI and other hacking groups, businesses and organizations need to have a multi-layered security program that includes endpoint protection, continuous user awareness and training, vulnerability assessments, incident response planning, and collaboration with other organizations and industry groups.

Preparation and Response

The CONTI threat profile highlights the importance of endpoint protection and detection through EDR, application protection, Cloud Access Security, and other systems that protect endpoints, applications, and workloads in a variety of operational environments. It also emphasizes the need for continuous user awareness and training as well as continual incident monitoring.

The group also highlights the importance for businesses and organizations to be vigilant in their monitoring and response to potential security incidents. This includes conducting regular vulnerability assessments, training employees on the risks of social engineering tactics such as spear-phishing emails, and implementing a well-defined incident response plan. These components of a multi-layered security program are critical to mitigating the CONTI threat.

By remaining vigilant and proactive and implementing robust cybersecurity measures, as well as through partnership with reputable Managed Security Service Providers (MSSPs), organizations can minimize the risk of falling victim to CONTI and other cybercriminal groups. They can also safeguard their data and systems for the future.

This article was originally published in Forbes. Please follow me on LinkedIn.

CFO Focus on Cybersecurity: NIST and Ntirety

C-Levels, and specifically CFOs and other financial executives, have increasingly used NIST standards to respond to cybersecurity requirements and the significant data risks they address. This transition of framework practices is possible in large part due to the existence of similar controls and measures in traditional finance operations. 

The NIST framework helps organizations define full-cycle solutions for assisting in planning and management, measurement and analysis, and response systems. The systems can provide answers and refinement to issues such as: 

  • Defining asset protection in strategy and planning 
  • Plans to meet the requirements of critical infrastructure operations 
  • Evaluation of incident response capabilities  
  • Evaluation of incident communication plans
  • Identification of critical assets, along with risks and vulnerabilities 
  • Plans to meet the standards of regulatory requirements 

The list expands from there and, as described in the previous article, an organization can use the NIST framework to quickly build a roadmap to better security. Perhaps the biggest takeaway is that effective cybersecurity programs are proactive and continuous, aligning with operational strategies throughout. Additionally, frameworks can serve as a specific backbone towards maintenance and improvement.  

NIST Highlights 

Let’s dig into the tenets of the NIST Cybersecurity Framework, which is composed of the following five elements:

  • Identify: Identify the cybersecurity risk (vulnerabilities) to systems, people, assets, data, and capabilities 
  • Protect: Safeguard to ensure delivery of critical services 
  • Detect: Identify the occurrence of a cybersecurity event 
  • Respond: Take action regarding a detected cybersecurity incident 
  • Recover: Support timely recovery to normal operations to reduce the impact from a cybersecurity incident 

The framework helps companies create measures for practical cyber-incident prevention, response, and overall security design.  

Ntirety: Beyond NIST 

At some point, cybersecurity framework outcomes need to align with efforts. Cybersecurity is unique because of the systems and requirements involved; when cybersecurity is applied in a company environment, it is always layered through activities that build towards a complete solution. Complete is what we should all strive for, where nothing is left unmonitored, unverified, or unanswered. 

Ntirety answers the total solution by leveraging its approach to NIST outcomes. Ntirety groups the five elements outlined above into two broad categories: Protection and Recovery. It wraps the elements within an Assurance service designed to ensure the enterprise meets any outside requirements and the standards it has set for itself.

Figure 1: Ntirety Cybersecurity Framework Grouping – Comprehensive Compliant Security

Finance leaders will recognize the following categories, which are contextually analogous to NIST frameworks. First, we can regroup the NIST framework elements by dividing them into the two primary categories that define Internal Control frameworks, which are: 

Preventive

  • Identify: Finding the vulnerabilities 
  • Protect: Implementing the systems and applications to close the identified vulnerabilities

Detective or Mitigating

  • Detect: Identify the occurrence of cybersecurity events 
  • Respond: Take action against the cybersecurity event
  • Recover: Timely return to normal operations, minimizing the impact of the cybersecurity incident

Most Competitors are Single Track 

By comparison, every competitor falls into an approach that offers these general services: 

Protection Focus

  • Assessment Firms: Primarily do project-based work to identify cybersecurity vulnerabilities 
  • Protection Technology Firms: Often hardware or application vendors (e.g., firewall vendors, endpoint protection technology companies)

Detection/Mitigation Focus

  • Managed Detection & Response (MDR) Service/Technology Providers  
  • Firms that specialize in mitigating cybersecurity incidents by identifying and addressing the cybersecurity event. These firms are a mix of technology providers that facilitate MDR and service providers

DRaaS & Backup Service Providers

  • A mix of application and service providers, supplying the technologies or the DR or backup service. These are often not focused on security, but only on providing recovery from a platform or application failure

COMPREHENSIVE Compliant Security is Different 

Unlike the competition, Ntirety’s comprehensive security solutions encompass both Protection and Mitigation in the context of financial controls. Further, unlike MDR firms Ntirety provides Secure Disaster Recovery as a Service (DRaaS) and Backup services. The competition generally addresses only a portion of the five elements of the NIST Cybersecurity Framework, leaving the enterprise to manage the interoperation of various services, technologies, and applications – and often to execute the response actions provided by their MDR service providers.

Ntirety: NIST Foundation and Financial Sanctity 

Corporate governance, auditing, and frameworks allow executives, employees, and shareholders to keep financials in line with expectations. In cybersecurity, similar measures help guide a countless number of companies on their journey to improved operations and capability to respond and recover from cybersecurity incidents. Ntirety has built an industry-unique Comprehensive Compliance Security system that covers the complete NIST framework, adding Assurance to its features. With comprehensive Ntirety services, clients excel on their cybersecurity initiatives and benefit from more than 25 years of experience in designing, building, operating, and securing client environments.

Inside The Shadowy World Of Iranian Cyber Espionage Group APT33

Several of the most threatening cybercrime groups today carry the inside industry name of “APT,” which stands for Advanced Persistent Threat. An advanced persistent threat is a clandestine type of cyberattack (or the group conducting it) in which the attacker gains and maintains unauthorized access to a targeted network and remains undetected for a significant period of time. During the time between infection and remediation, the hacker will often monitor, intercept, and relay information and sensitive data. APTs often use social engineering tactics or exploit software vulnerabilities in organizations with high-value information.

Despite having similar names, each “APT” group is distinct with separate history, tactics, and targeting. In our hacker series, we already covered APT28 (Fancy Bear) and APT10 (Stone Panda). Today, we focus on APT33.

Who Is APT33?

APT33, also known as Elfin, is a cyber espionage group operating since at least 2013. APT33 is believed to operate out of the geographic boundaries of the Islamic Republic of Iran and has been linked to attacks on targets in the Middle East, Europe, and the United States. The group’s focus is on gathering intelligence on organizations in the aerospace, energy, and petrochemical sectors, as well as on government agencies and academic institutions.

Sophisticated International Threat

APT33 is significant because its tactics are highly sophisticated and involve the use of custom-built malware and advanced social engineering. The group typically gains access to targets through spear-phishing emails, exploiting vulnerabilities in software, or using stolen login credentials. Once inside a network, APT33 will often spend months or even years mapping out an organization’s systems and stealing sensitive data before exfiltrating it back to its command-and-control servers.

One of the most concerning aspects of APT33’s operations is its use of “watering hole” attacks, which involve compromising a website known to be frequented by a particular group of users. This allows APT33 to infect the computers of its intended targets without the need for spear-phishing emails or other direct methods of attack.

APT33 Targets Matter

While APT33 could conceivably target companies in any industry, a key characteristic of this group’s operations is its focus on specific industries and sectors, particularly those related to aerospace, energy, and petrochemicals. This supports the assessment that the group is working on behalf of the Iranian government or the Iranian Republican Guard, working to acquire sensitive technology and intelligence to further its geopolitical goals. Organizations operating in these industries should remain vigilant, and take steps to review sign-in and behavior logs, research threats and anomalies, and sweat the “small stuff” that might be tied to this specific threat group.

The Critical Importance of Understanding This Enemy

It cannot be overstated that cybersecurity enemies are continually evolving and becoming more sophisticated in their tactics and approaches. This makes the challenge of keeping pace more difficult for organizations. However, by understanding the tactics and motivations of cybercriminals it is possible for companies to stay ahead of potential threats and develop effective defense strategies. For example:

  • Understanding cybersecurity enemies can help companies identify potential vulnerabilities, capability gaps, and weaknesses in their security infrastructure.
  • Analyzing past cyberattacks and understanding the motivations behind them allows companies to anticipate potential attacks and take proactive, preventative measures. These can include implementing additional security such as firewalls or intrusion detection systems, or training employees to recognize and avoid common phishing attacks.
  • Understanding cybersecurity enemies can help companies respond more effectively to attacks when they do occur and empower them to develop effective incident response plans to minimize the damage caused by an attack and quickly restore systems and data.

There’s Always More To Do

Organizations face an increasing risk from cybercriminals like APT33, who use advanced tactics to exploit vulnerabilities and compromise digital assets. To safeguard their digital estate and data from such threats, businesses must adopt a multi-layered cybersecurity approach and seek the guidance of security experts. One such expert partner is a Managed Security Services Provider (MSSP) who can offer expertise, technology, and infrastructure to address their security needs, while simultaneously reducing the complexity and cost of managing security in-house.

As cybercriminals continue to evolve and become more sophisticated, it is critical to understand their approaches and motivations. By analyzing past cyberattacks, MSSPs can anticipate future attacks and take proactive measures against them. This can include anything from firewalls or intrusion detection systems to tools such as Machine Learning and Artificial Intelligence that recognize common phishing attacks or support threat hunting. MSSPs have a unique perspective on the threat landscape, as they manage thousands of customers and see threat vectors and attacks ahead of what a single enterprise can see.

Ultimately, the best defense against APT33 and other advanced, persistent threats is a proactive and collaborative approach to cybersecurity informed by a deep understanding of the threat landscape. With the right combination of advanced technology, regular employee training, heightened awareness of potential risks, and partnership with an MSSP, organizations can mitigate the threat of these rogue and dangerous APT groups.

This article was originally published in Forbes. Please follow me on LinkedIn.

The REvil Gang Story: The “Good Guys” Can Still Prevail

Out of all the cybercrime gangs out there, mention the name “REvil” and you will get a palpable response based on the threat this notorious Russian-based group posed. REvil, also known as Sodinokibi, was a ransomware gang that was active from at least April 2019 until it was (officially) dismantled in January 2022. Leading up to its demise, REvil became one of the most successful and damaging cybercrime syndicates in the world. The group was responsible for some of the most high-profile ransomware attacks in recent history.

Ruthless REvil

In May 2021, REvil was found to be behind the attacks on JBS and Colonial Pipeline, which disrupted operations at poultry and pork processing plants across the world and resulted in fuel shortages in the southeastern United States. In July 2021 they targeted Kaseya, a software company that provides IT services to thousands of businesses around the world. The attack impacted an estimated 1,500 companies in total.

Needless to say, REvil’s methods were sophisticated and highly effective. The group typically gained access to targets through spear-phishing emails, exploiting vulnerabilities in software, or using stolen login credentials. Once inside a network, REvil actors would spend weeks, or even months, mapping out the organization’s systems and stealing sensitive data before launching a ransomware attack.

The consequences of REvil attacks were devastating for the industries and enterprises they affected. The group’s ransom demands were often in the millions, and paying the ransom provided no guarantee data would be restored. Even worse, REvil was among the hacker groups that went beyond “normal” ransomware attacks and exfiltrated data before encrypting it. This means that even if the victim pays the ransom, the attackers may still leak the stolen data or use it for future attacks.

The End of REvil

Thankfully, beginning in mid-2021 the wheels started to come off for REvil until eventually they were stopped. Initially, REvil seemed to remove their sites and infrastructure from the internet. Then, bit by bit, community-based efforts helped undo the damage they had inflicted through open decryption tools. This subverted their trusted position in underground communities, and ultimately, a joint, multinational effort disrupted the group’s networks, servers, and backups. In a matter of weeks, indictments and arrests were announced.

A Tale of Victory

The REvil episode is a tale of victory that showed it’s possible to conquer a sophisticated and dangerous hacker group, and also illustrated how. REvil’s story showcased some important steps law enforcement agencies can take to help combat cybercrime:

  • Collaborate: One of the most important steps law enforcement agencies can take is to collaborate with other agencies, both international and domestic. By working together, law enforcement agencies can pool resources and share information to track down and apprehend groups.
  • Develop Intelligence: This involves gathering information on a group’s activities, methods of attack, and members. Law enforcement agencies can use a variety of methods to gather intelligence, including monitoring online forums and social media, conducting interviews with suspects, and using forensic analysis to gather digital evidence.
  • Legal Tooling: Law enforcement agencies can use a range of legal tools to stop hacker groups. For example, they can obtain warrants to search suspects’ computers and devices, and use wiretaps to monitor communications. Additionally, forfeiture laws can be used to seize assets that were obtained through illegal means.
  • Increase Awareness: Another important step is to increase awareness of cybercrime and its consequences. Law enforcement agencies can work with businesses and organizations to ensure they understand the risks.
  • Invest in Security Services: A recent Gartner survey shows the majority of organizations are pursuing security vendor consolidation in 2022. This trend indicates that organizations are looking to simplify their security infrastructure and streamline security operations. Consolidation can help organizations reduce costs, improve security effectiveness, and increase operational efficiency. By reducing the number of security vendors and products, organizations can focus their resources on a smaller set of solutions and better integrate their security tools. This approach can also help organizations improve visibility into their security posture, as well as better manage and respond to security incidents.

Fighting back against criminal cyberhacker groups is a formidable, challenging mission, but not an impossible one. Ultimately, the fight against cybercrime requires a multi-faceted approach that involves both law enforcement agencies and other stakeholders working together.

A Stark Reminder

The REvil gang serves as a stark reminder of the ongoing threat posed by cybercrime – and the importance of being proactive in our fight against it. It is crucial that law enforcement agencies, businesses, and individuals work together to combat cybercrime and protect ourselves from its devastating consequences.

As IT professionals and executives, we have a responsibility to do our part in this fight. We must prioritize cybersecurity measures and educate our employees about the risks of cybercrime. We should be willing to collaborate and share information with others in our industry, as well as law enforcement agencies, to stay ahead of emerging threats.

While the fight against cybercrime may seem daunting, the demise of the REvil gang is a testament to the power of collaborative efforts and a multi-faceted approach. By working together and leveraging technology, we can prevail against even the most sophisticated and dangerous cybercriminals. In the end, it is up to us to stay vigilant and take action to protect ourselves, our businesses, and our communities.

This article was originally published in Forbes. Please follow me on LinkedIn.

CFO Focus on Cybersecurity: Why NIST Cybersecurity Frameworks Matter

From the moment any data system comes online, it is at risk of breach. Modern workloads and data reside, change, and grow in an environment of expanding capabilities and simultaneous risk. In the wild, more than a million cyberattacks occur on the web on average each day. The odds of avoiding becoming a target are simply not very good. The need for continual cybersecurity measures is clear, and there is a call for programs that feature heightened vigilance and performance in the face of modern threats.

Threats to Financial Teams

Financial teams are in an especially exposed position. Their data is a high-value target sitting within a sprawling computing environment, and any leak could pose an existential threat to their careers, not to mention the company itself. The implications of just one successful attack could cost millions, and thus CFOs have grown to be shared custodians of cybersecurity initiatives. CFO executives have started to focus on cybersecurity solutions with more emphasis than ever before, and to explore the depths of current cybersecurity threat conditions. What this exploration has revealed is that the familiar benefits of frameworks can be applied towards solutions.

The Familiarity of Frameworks

Framework systems build on basic concepts and controls, and work as scaffolding systems that guide efforts through reporting, analysis, and workflows. Financial professionals are familiar with frameworks, as the framework is the core of financial operations. Without it, a business would lose control over finances and ultimately fail to succeed.  

Over the years, as threat and risk conditions have escalated, the setting for advanced cybersecurity measures has moved out of the server room (and the hands of information technology teams) and to the executive table. Championed by the CFO and other executives, this change demands direct access to the board and the budget planning process. Cybersecurity investments are critical and significant, and the familiar discipline of frameworks has proven to provide valuable measurement of risks, controls, and performance.

The NIST Standard 

One of the most accepted cybersecurity frameworks is the NIST standard known as the “NIST Cybersecurity Framework.” The NIST Cybersecurity Framework covers five key functions:

  • Identify
  • Protect
  • Detect
  • Respond 
  • Recover

Organizations are leveraging this framework as an anchor to build an approach that is repeatable, flexible, prioritized, cost-effective, and based on performance. In other words, the NIST framework checks all the boxes as it offers guidance and assistance toward the management of cybersecurity risks. Prevention, ruling measures, and the ability to recover in the event of an attack are all rolled into the framework.  

The NIST framework has gained merit with C-suites, boards, and CFOs, and it’s important to recognize its value in the cybersecurity conversation – and in providing a high-level overview of the business and its protections. Digging deeper, specific NIST publications (SP 800-171 and SP 800-53, as examples) offer more than 100 controls and measures and provide a roadmap to a better-secured, lower-risk future. These serve as the vehicle of justification for cybersecurity initiatives, creating greater success in the mission and for the business.

Cybersecurity as Business Imperative 

Once relegated to information technology teams, cybersecurity has taken on an appropriate scope of enterprise-wide focus. Financial executives have stepped up to the risks and challenges of an age where traditional security mindsets cannot meet the standards of acceptance. Due to its existential nature and massive financial implications, cybersecurity has become the most significant risk to the business. Security frameworks have created a consumable channel at the executive table, providing valuable guidance towards better security practices and technologies.  

With any framework in place, the business begins to gain insight into and confidence in its measures. This applies in both financial matters and cybersecurity. With cybersecurity frameworks, organizations can leverage the virtual blueprints that emerge to create effective actions that feed directly into their cybersecurity infrastructure. These frameworks can take their place in technology decisions, as planning plus action equals results and improvements. Cybersecurity frameworks such as NIST help organizations assess and build actionable plans and determine exposure to risks.  

Cybersecurity guidance that is derived from a framework approach offers the most value when tactical points are matched up to actions. Organizations can pragmatically build out a custom cyber-resilience strategy that aligns with their own highly individual context and the risks they choose to assume.

How Ntirety Can Help 

Ntirety Compliance Services provide a comprehensive and reliable solution for ensuring your business remains compliant with industry regulations and NIST standards. Our team of experienced compliance experts will work closely with you to assess your current compliance posture, identify any potential gaps, and develop a customized plan to help your organization achieve and maintain compliance. With Ntirety services, you can feel confident your business is meeting all the necessary requirements and avoid costly penalties or other negative consequences. By choosing Ntirety Compliance Services, you can focus on running your business while we take care of the complicated compliance issues.

Teenagers Leveraging Insider Threats: Lapsus$ Hacker Group

Of all the threatening hacker groups out there, one of the most notorious is the Lapsus$ gang. While we covered APT10, APT28, and Turla in prior articles, Lapsus$ presents some of the most significant threats on the cyber landscape. In this post, the fifth in our Hacker Series, we’ll look at Lapsus$, important highlights about the group, and all we can do about their presence on the threat scene.

Who is Lapsus$?

Lapsus$ is a hacker group that has been active since at least 2019, and whose mastermind is rumored to be a 16-year-old teenager from Oxford, England. The group is believed to be highly organized and well-funded, with members from various countries around the world.

Lapsus$ is known for their high-profile cyberattacks on government and corporate targets, as well as their use of sophisticated malware and encryption techniques.

By leveraging insiders through social engineering or bribery, the Lapsus$ group has a proven track record of successful attacks on high-profile targets which have resulted in significant financial losses and raised concerns about national security. In March 2022, Lapsus$ became well known for a series of daring cyberattacks against tech company darlings including Microsoft, Nvidia, and Samsung.

The group’s motivations and goals are not entirely clear, but they have been known to demand large sums of money in exchange for not releasing stolen information. They are also thought to have political motivations, as some of their attacks have targeted government agencies.

Notorious Attacks and Methods

One of Lapsus$’ most notable socially engineered attacks was on the U.S. Department of Defense in 2020. During this attack they were able to gain access to sensitive information, and caused significant disruption to the agency’s operations. The group has also targeted several major banks, stealing millions of dollars in the process.

Another notable attack attributed to Lapsus$ occurred in 2020 and was targeted at a major healthcare provider. During this attack, the group was able to access and steal the sensitive personal information of millions of patients. This attack not only resulted in financial losses for the healthcare provider, but also raised serious concerns about the protection of personal data and privacy.

Lapsus$ has also been known to target the energy sector, and oil and gas companies in particular, causing significant disruption to their operations. In one instance the group was able to gain control over the control systems of a major oil refinery, causing a shutdown in their operations and a significant loss of revenue.

They are known to use social engineering attacks using the communication app Telegram, and advanced malware, such as ransomware and trojans, to gain access to and control over their victims’ networks. In addition to their socially engineered cyberattacks, Lapsus$ is also known for their use of encryption and other techniques to hide their tracks and evade detection. While the U.K. arrested a band of seven teenagers affiliated with Lapsus$, the majority of their operatives have been able to successfully evade law enforcement’s efforts to track them down.

The Hunt for Lapsus$

Despite their high-profile attacks and the efforts of law enforcement and cybersecurity experts, Lapsus$ continues to be active and poses a significant threat to governments and corporations worldwide. The group’s use of advanced malware and encryption techniques has made them difficult to track and apprehend, and law enforcement agencies have had limited success in identifying and arresting members of the group. There have been a few reported arrests of individuals believed to be associated with Lapsus$, but it is unclear if these arrests have had any impact on the group’s operations as they re-emerged shortly after.

What You Can Do About Lapsus$

Given the group’s ability to leverage insiders, it’s important for organizations and individuals to be aware of the potential threat they pose. Organizations need to stay connected to the cybersecurity community, and take necessary steps to protect themselves from this threat that even industry juggernauts like Microsoft and Nvidia fell for. This includes measures such as regularly updating software and systems, backing up important data, and staying vigilant for suspicious activity on their networks. An approach that’s built on all-around monitoring and anomaly detection can help minimize the Lapsus$ group’s advanced threats, insider actions, and malicious attacks.

Overall, the Lapsus$ group continues to be a serious threat to governments, corporations, and individuals. Their ability to evade law enforcement and carry out high-profile attacks highlights the need for continued efforts to improve cybersecurity and bring these cybercriminals to justice.

This article was originally published in Forbes. Please follow me on LinkedIn.

Turla Hacking Group: A Persistent International Threat

As we continue our series of articles on state-sponsored cyberattack groups, we turn our focus to the Russia-affiliated Turla hacking group. In previous articles, we examined some of the biggest threats on the cyberattack scene, including APT10 and APT28 (also known as Fancy Bear). These notorious groups are a lurking presence, and Turla is no exception. Active for over a decade, the Turla hacking group is believed to be operating out of Russia and closely affiliated with the FSB, the Russian intelligence agency and successor to the KGB. It is also known by the names “Waterbug” and “Venomous Bear,” and has been linked to numerous high-profile cyberattacks on government agencies, embassies, and organizations around the world.

Destructive Path

Turla has been linked to 45 high-profile attacks, including the German Bundestag in 2014, the Ukrainian Parliament in 2014, and the French TV5 Monde in 2015. The group also targets organizations in the Middle East, particularly in the energy sector. Turla’s use of sophisticated methods and its focus on government and diplomatic targets has led experts to believe the group is working on behalf of the Russian government, although this has yet to be definitively proven.

Methods of Mayhem

Turla is known for using a variety of tactics to compromise networks, including “living off the land” tactics, watering hole attacks, spear-phishing emails, and compromised satellite connections. The group also uses publicly available tools like Metasploit and PowerShell, and abuses legitimate cloud services like Google Drive and Dropbox as Command and Control (C2) infrastructure. One of Turla’s primary tactics is the use of “second-stage” malware, which is activated after a victim’s initial infection and used to establish a backdoor into the network. From there, the group can steal sensitive information and move laterally within the network to gain access to other systems.

Turla is especially dangerous due to its use of advanced, next-level tactics. In recent years, the group has been observed using a unique malware called “Turla” or “KRYPTON” that can steal data from air-gapped computers not connected to the internet. The malware uses “audio exfiltration” to transmit data using the computer’s speakers and microphones. The group is extremely sophisticated and can evade detection for long periods of time. In 2014, for example, Turla maintained a foothold in a European government agency’s network for over two years before being discovered.

Wrestling A Bear

Turla is a highly sophisticated and persistent hacking group that has been known to target a wide range of organizations around the world. Without the right tools and partnership, defending against Turla is like wrestling a bear. The group’s use of highly sophisticated second-stage malware and its ability to evade detection make it a formidable threat, and one that organizations should be aware of and take immediate steps to protect against. This includes implementing robust, comprehensive security measures such as multi-factor authentication, intrusion detection and prevention systems, and regular security training for employees. Equally important, organizations should be vigilant in monitoring their networks for signs of compromise and should take prompt action if suspicious activity is detected. Partnering with managed security providers can bring valuable expertise, resources, and technology to those looking to defend against the threat posed by Turla and similar groups. These providers can offer expert round-the-clock monitoring, incident response, and threat intelligence to help organizations stay ahead of the constantly evolving threat landscape.
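One concrete form the “monitoring for signs of compromise” advice above can take is a proxy-log check for the C2 pattern described earlier: scripted, non-browser clients such as PowerShell talking to cloud-storage services like Google Drive or Dropbox at regular intervals. The following is an added example written for this article, not code from the original post or from any vendor. The log format, the cloud-storage host list, the user-agent markers, the beacon thresholds, and the sample log lines are all constructed assumptions; adapt them to your own proxy and environment.

```python
"""Flag non-browser clients beaconing to cloud-storage domains in web proxy logs.

Hypothetical detection logic for the Turla C2-over-cloud-storage tactic
discussed above. The log format, host list and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Cloud-storage hosts that can serve as C2 rendezvous points (assumption:
# extend this set to match the services your organisation actually sees).
CLOUD_STORAGE_HOSTS = {
    "drive.google.com", "docs.google.com", "www.googleapis.com",
    "www.dropbox.com", "api.dropboxapi.com", "content.dropboxapi.com",
}

# User-agent substrings that indicate scripted, non-browser clients.
NON_BROWSER_UA_MARKERS = ("PowerShell", "python-requests", "curl/", "Wget/")


@dataclass
class ProxyEvent:
    ts: datetime
    client: str
    method: str
    host: str
    user_agent: str


def parse_proxy_log(text: str):
    """Parse 'timestamp client method host user-agent' lines (UA may contain spaces)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, ua = line.split(maxsplit=4)
        events.append(ProxyEvent(datetime.fromisoformat(ts), client, method, host, ua))
    return events


def is_non_browser(user_agent: str) -> bool:
    """True when the user agent looks like a script or tool rather than a browser."""
    return any(marker in user_agent for marker in NON_BROWSER_UA_MARKERS)


def detect_cloud_c2(log_text: str, min_hits: int = 3, max_jitter: float = 0.2):
    """Return findings for scripted clients talking to cloud-storage hosts.

    A (client, host) pair with at least `min_hits` requests at near-constant
    intervals (coefficient of variation <= max_jitter) is rated 'high', since
    periodic polling is the classic beacon shape; any other scripted-client hit
    on a cloud-storage host is rated 'medium' for analyst triage.
    """
    sessions = defaultdict(list)
    for ev in parse_proxy_log(log_text):
        if ev.host in CLOUD_STORAGE_HOSTS and is_non_browser(ev.user_agent):
            sessions[(ev.client, ev.host)].append(ev)

    findings = []
    for (client, host), events in sessions.items():
        times = sorted(ev.ts for ev in events)
        interval = None
        periodic = False
        if len(times) >= min_hits:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            interval = mean(gaps)
            periodic = interval > 0 and pstdev(gaps) / interval <= max_jitter
        findings.append({
            "client": client,
            "host": host,
            "user_agent": events[0].user_agent,
            "hits": len(events),
            "mean_interval_s": interval,
            "severity": "high" if periodic else "medium",
        })
    # Highest severity first, then the busiest pairs.
    return sorted(findings, key=lambda f: (f["severity"] != "high", -f["hits"]))


# Constructed sample proxy log (not from any real incident): a browser session,
# a PowerShell client polling Dropbox every five minutes, a Windows Update
# agent, and a single python-requests call to a Google API.
SAMPLE_LOG = """\
2023-03-01T09:00:00 10.1.4.22 GET drive.google.com Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/110.0
2023-03-01T09:00:05 10.1.4.22 GET www.dropbox.com Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/110.0
2023-03-01T09:01:00 10.1.4.57 POST content.dropboxapi.com Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
2023-03-01T09:06:00 10.1.4.57 POST content.dropboxapi.com Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
2023-03-01T09:11:00 10.1.4.57 POST content.dropboxapi.com Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
2023-03-01T09:16:00 10.1.4.57 POST content.dropboxapi.com Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
2023-03-01T09:30:00 10.1.4.90 GET update.microsoft.com Microsoft-Delivery-Optimization/10.0
2023-03-01T10:00:00 10.1.4.31 GET www.googleapis.com python-requests/2.28.1
"""

if __name__ == "__main__":
    for finding in detect_cloud_c2(SAMPLE_LOG):
        print(finding)
```

On the constructed log, the PowerShell host polling content.dropboxapi.com every 300 seconds is rated high and the one-off python-requests call is rated medium, while the browser traffic to the same services and the Windows Update agent are ignored. Legitimate automation does use these services, so the medium findings are a triage queue rather than alerts; the periodicity test is what separates a beacon from an administrator’s script.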

This article was originally published in Forbes. Please follow me on LinkedIn.