APT28 Aka Fancy Bear: A Familiar Foe By Many Names

We are looking at the biggest threats on the cybersecurity scene – and the most nefarious hacker groups behind them – and this week the spotlight turns to APT28, or Fancy Bear. Don’t let the name fool you. There is nothing cute about Fancy Bear, also known as APT28, Pawn Storm, Sednit, STRONTIUM, and Sofacy. Just like John Wick is known in the Russian underworld as ‘Baba Yaga,’ this group has Russian roots and probably has additional names on that scene.

A Big Name Among Big Names

APT28 is a notorious cyber espionage group that has been active since at least 2007. APT28 has been known to target governments, military organizations, and other high-value targets in various countries using their signature techniques. The group has been linked to several high-profile cyberattacks, including the alleged 2016 US presidential election hack and the 2017 NotPetya malware attack.

One of the most notable campaigns associated with APT28 is the 2016 hack of the Democratic National Committee (DNC) in the United States. This attack resulted in the theft of sensitive emails and other information that were later leaked to the public and was seen as an attempt to interfere with the US presidential election. It was widely condemned. More recently, CISA said it discovered the Russian hacking group had infiltrated a satellite communications provider with critical infrastructure customers.

A Profile in Malice

APT28 is considered to be a highly sophisticated and well-funded state-sponsored group backed by the Russian government. The group has been the subject of several high-profile reports and warnings from cybersecurity companies and government agencies, including the US Department of Homeland Security. It targets governments, military organizations, media, research, and private sector companies for the purpose of gathering intelligence, stealing sensitive information, and criminal financial gain.

Tactics

APT28 is known for its use of advanced malware and hacking techniques to gain access to its targets’ networks. In addition to using advanced malware and spear-phishing tactics, the group is also known for using “watering hole” attacks, where it infects websites that are known to be frequented by targets. It also uses “living-off-the-land” tactics, whereby the group utilizes legitimate tools and infrastructure already present on a victim’s network in order to move laterally and evade detection.

APT28 is known for using a variety of command and control (C2) infrastructure to communicate with its malware and to exfiltrate stolen data. This infrastructure often uses a combination of different protocols, such as HTTP and DNS, making it difficult to detect and block. One of the group’s most well-known tools is Sednit, which has been used in several APT28 campaigns. Sednit is a sophisticated piece of malware that can steal sensitive information and maintain a persistent presence on a victim’s network.

The group also uses spear-phishing campaigns to target specific individuals and gain access to their networks. These campaigns often use social engineering tactics, such as sending emails that appear to be from a trusted source, to trick victims into clicking on malicious links or attachments.

Defending Against APT28

Organizations can protect themselves against APT28 and other advanced threat actors by implementing strong cybersecurity measures. These include:

  • Partnerships with reputable Managed Security Service Providers (MSSPs)
  • Regular software updates and patching
  • Employee education and training on security best practices
  • Incident response plans
  • Managed and comprehensive security monitoring and mitigation
  • Immediate action in the case of suspected breaches

APT28 is one of the most serious threats in existence today, and it’s important for organizations and individuals to be aware of its tactics in order to better protect themselves from attacks.

This article was originally published in Forbes; please follow me on LinkedIn.

Spotlight on APT10

To kick off our series highlighting the most notorious and dangerous hacker groups in the industry today, we will focus on a group called APT10. APT10, also known as Stone Panda or Red Apollo, is a state-sponsored Chinese hacking group that has been active since at least 2009. The group targets a wide range of organizations including government agencies, military organizations, and businesses in various industries. 

Who is APT10?

APT10 is not a standalone group, but part of a larger Chinese cyber espionage campaign known as Operation Cloud Hopper, which targets managed service providers (MSPs) to gain access to their clients’ networks. In 2018, two Chinese nationals associated with the Chinese Ministry of State Security (MSS) were indicted by the US Department of Justice for their role in APT10’s cyber espionage activities. This was a significant development in the ongoing effort to combat state-sponsored cyber attacks. 

APT10 Aims High 

APT10 knows no boundaries when it comes to attacks. For example, one of the group’s most notable campaigns was in 2014 when it targeted the US Office of Personnel Management (OPM) and stole the personal information of over 21 million government employees. This was considered one of the largest breaches of federal government data in US history. 

APT10 is also known for its focus on intellectual property theft, particularly of sensitive business and technological information. APT10 is believed to have targeted multiple organizations in the aerospace, defense, and energy sectors, as well as technology and engineering fields. Because of this targeting and the data it exfiltrates, the group poses a significant national security threat on behalf of the Chinese state.

Methods of APT10 Attacks 

APT10’s use of advanced techniques such as custom malware and spear-phishing campaigns makes the group technically distinctive. It uses a variety of tools and techniques to infiltrate and maintain access to target networks, including remote access trojans (RATs) and web shells.

In addition, APT10 uses the technique of “living off the land” to evade detection and maintain access to target networks. This involves using legitimate tools and processes already present on a system, rather than introducing new malware or other malicious software. 

APT10 also uses “watering hole” attacks, where the group compromises a website likely to be visited by its intended targets in order to infect their systems with malware or steal sensitive information. This technique allows the group to focus on the most valuable targets. 

In recent years, APT10 has been observed using various malware families such as PlugX, Quasar, and RedLeaves. These malware families are used to establish a foothold on a target network and gain persistence. The group has also been known to use infrastructure leased from legitimate, but unaware, hosting providers, making it difficult to trace the origin of the attack. 

Preparing for APT10 

It is difficult to prepare for APT10’s attacks because cloud and datacenter perimeters are effectively limitless. The best approach is to be aware and to implement multiple layers of security.

With the growing number of cyber-attacks and concern about state-sponsored hacking groups like APT10, organizations need to take a proactive approach to protection. This includes implementing strong and comprehensive full-stack security measures such as managed firewalls, intrusion detection and prevention systems, and regular updates to software and systems. Most importantly, professional 24×7 active technical monitoring is a necessity for a well-protected computing system environment. 

Organizations can take several steps to protect themselves against APT10 and other state-sponsored hacking groups: 

  • Implement strong security measures: This includes using fully managed firewalls from a trusted third party, fully managed intrusion detection, endpoint protection and prevention systems, and regularly updating software and systems.
  • Technical monitoring: Active technical monitoring is critical to a well-protected environment. Organizations should partner with a trusted managed security operations center provider to gain access to tools and techniques that detect unusual network activity and potential threats. 
  • Incident response plans: Organizations should have incident response plans in place, including procedures to minimize damage and a team or partner ready to respond quickly to an attack. 
  • Awareness and education: Employees should be trained on the importance of cybersecurity and how to detect and report suspicious activities. 
  • Partner with security experts: Organizations can partner with security experts familiar with numerous threats across industries, and leverage their knowledge and experience to stay ahead of threat actors. 
  • Use multiple layers of security: With the increasing number of cyber attacks, organizations need to use multiple layers of security including network security, endpoint security, and application security. 
  • Regularly assess and update security measures: Organizations should regularly assess and update their security and compliance measures to stay ahead of the latest threats. 

A Significant Threat 

That is just a quick look at APT10, the well-known and dangerous Chinese state-sponsored hacking group that’s been active for over a decade. This sophisticated and well-funded group has been responsible for a number of high-profile cyber attacks and, as APT10 continues to evolve its tactics and techniques, it poses an ongoing threat to organizations around the world. It should be a critical mission for organizations to be aware of the group and to take steps to protect themselves from APT10.

This article was originally published in Forbes; please follow me on LinkedIn.

The Art of Cyberwar: Understanding Your Enemy

The ancient book on war, “The Art of War” by Sun Tzu, holds many lessons that are surprisingly applicable to today’s cybersecurity operations. One of the most important lessons is captured in the following line:

“If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

Cyber adversaries are often referred to as “hackers,” but in reality they come in many forms and have varying motivations and techniques. Some groups are well-organized, while others are loosely structured. Some are government-affiliated, while others are purely criminal or terrorist organizations. 

As Sun Tzu advised, it is crucial to have a deep understanding of one’s enemies. In this series of articles, we will examine the major global hacking groups and discuss the best ways to protect against them.

Beset by Dangers: The Most Notorious Groups

Cyber threats are becoming increasingly common and sophisticated in today’s digital age, and hacker groups comprise a significant part of this threat landscape. They are well-funded entities that use their skills to infiltrate, steal, or ransom sensitive information from governments, businesses, and individuals.  

A complete list of these groups would be voluminous, but below I highlight some of the most dangerous hacker groups currently operating: 

  • APT10, also known as Stone Panda or Red Apollo, is a Chinese state-sponsored group that targets intellectual property and business information. The group has been active since at least 2009, and has been linked to several high-profile breaches such as those of the U.S. Navy and the Australian government. APT10 employs a variety of techniques, including phishing, malware, and supply chain attacks, and is believed to focus on technology and manufacturing companies as well as government agencies. 
  • Lazarus Group is a hacker group believed to be operating out of North Korea. The group has been linked to several high-profile cyber attacks, including the Sony Pictures hack in 2014 and the WannaCry ransomware attack in 2017. Lazarus Group uses sophisticated tactics, such as zero-day vulnerabilities and custom malware, to infiltrate its targets. The group has also been linked to several high-profile financial crimes, such as the theft of $81 million from the Bangladesh central bank in 2016. 
  • Turla is a Russian state-sponsored group known for stealing sensitive information from governments and businesses. The group has been active since at least 2007, and focuses on government and diplomatic organizations. Turla uses tactics like watering hole attacks, spear-phishing, and custom malware to infiltrate its targets. 
  • APT33, also referred to as Elfin or Holmium, is an Iranian-linked group that has been active since 2013. The group targets aerospace and energy companies, as well as government organizations, and employs tactics like spear-phishing and custom malware. APT33 is also known for using “living-off-the-land” tactics that leverage legitimate tools and software to evade detection. 
  • FIN7, also known as the Carbanak Group, is a financially motivated hacktivist group that has been active since 2013. FIN7 targets the retail and hospitality industries with point-of-sale malware and uses advanced social engineering tactics to infiltrate targets. The group is believed to have stolen millions of dollars from its victims. 
  • REvil, also known as Sodinokibi, is an infamous ransomware group that has been active since 2018. The group uses ransomware to encrypt victims’ data and demands large sums of money for the decryption key. REvil made headlines in 2020 and 2021 with large-scale attacks on companies and government organizations. 
  • Lapsus$ is a criminal organization that is involved in various illegal activities such as cybercrime, fraud, and hacking. The group is known for its advanced tactics, its technique of bribing key insider employees, and its use of the communication platform Telegram, which have allowed it to carry out successful attacks on high-profile targets.

Be Aware and Prepare 

The threats posed by hacker groups are growing more severe and sophisticated. These groups are known to be highly skilled and well-funded, and to use advanced tactics. They can cause serious damage and pose a significant threat to organizations and individuals. It is important for organizations to be aware of the myriad risks and take appropriate measures to protect themselves. By staying informed and taking proactive and comprehensive steps to secure IT infrastructures, networks, data, applications, and endpoints, organizations can better defend against cyber threats. Additionally, organizations should be prepared to recover in a timely manner should an attack be successful. Organizations should also have a comprehensive program in place to remain vigilant in monitoring for suspicious internal and external activities, and be prepared to respond quickly in the event of a breach. 

Sun Tzu’s Timeless Advice  

By focusing on specific hacker groups in subsequent posts, we can begin to understand the motivations behind these operations, the methodologies each group uses, the specter of business impact to communities at large, and ways to defend against attacks through a comprehensive security approach. The key to success in defending against cyber threats is to be proactive and have an encompassing security program in place. By staying informed, taking appropriate measures to secure networks and data, and preparing for and responding to incidents, organizations can minimize their risk of becoming the victim of a cyber attack. By following Sun Tzu’s timeless advice to “know your enemy,” organizations can better understand hacker groups – and thus better defend against them.

This article was originally published in Forbes; please follow me on LinkedIn.

Dark Web Of Cybersecurity Concerns Rising With Gig Economy

The dark web has made a black market gig economy where cybercriminals thrive, and the targets are unsuspecting people, corporations and governments alike. Ntirety CEO Emil Sayegh makes the case for how a comprehensive security posture can mitigate risks and keep organizations from being caught off guard.

Economic conditions combined with opportunity and technological advancements have set the foundation for the gig economy. Freelance, temporary, and flexible jobs are a noticeable component of our modern economy, and so employer names like Upwork, Uber, Lyft, Fiverr, and many others are now as common as traditional jobs. In technology specifically, we have always had freelance developers as well.

Those same economic factors, however, have created a little-known gig economy for technological skills, including hacking and cybercrime.

Across our modern technological landscape, cybersecurity skills are in demand, and we are suffering from a real cybersecurity talent drought, with a forecast of 3.5 million cybersecurity jobs unfilled by 2025. The technology employment market faces a continual need for personnel and skills to fill its operational needs. Cybersecurity professionals could find themselves fully or fractionally employed in many situations at many organizations. Some of that employment includes what is called “white hat” or ethical hacking – hackers who exploit, test, and report on the vulnerabilities of an organization. With the right mix of cybersecurity and continued vigilance, organizations can leverage these kinds of services to continually improve their cybersecurity posture.

The Underground: Cybercriminal Buyers and Sellers

On the dark web, however, any semblance of ethical boundaries goes completely out the window. The dark web is a thriving, active underground network of information exchange that is in no way static, isn’t indexed by search engines, and isn’t visible to casual users. Cybercriminal activities are often traced back to these dark web origins, and much of the activity takes place in an underground marketplace built around cybercriminal mischief. Much like the gig economy itself, factors such as inflation, world events, social unrest, and opportunity are pushing skilled and opportunistic actors into this market.

The Wild West of Buyers and Sellers

This global cyber underground marketplace features unique wares and services and is driven by buyers and sellers of all types. You won’t find physical buildings, walls, or phone numbers to call. On any given day, you will find open conversations about targets, tactics, and cyber hacking expertise. Both buyers and sellers need to beware. Buyers need to beware that they are dealing with criminals, and sellers need to beware because the dark web is also frequented by undercover law enforcement and foreign intelligence agencies. Payments are made with trades of information, hacking tools, and difficult-to-track cryptocurrency. It is about as open and as untraceable as it can be, which makes it very attractive for upstarts, would-be buyers, and those looking to make some cash.

A Dark, Dark Market

Dark market operations have grown to become a central component of many upstart international cyber threat operations. Hack wares are becoming more proactive in nature than ever, bolstering a market that is destined to boom in terms of products and services bought and sold.

Black hat services available on the dark web include:

  • Hack a website – Looking to buy a hack of a site or web services? This might set you back a couple of hundred US dollars. Need those admin credentials or data? Double that amount.
  • Target a phone or computer – Looking to get to a specific computer or smartphone? A little phishing, payloaded files, or even ransomware will get the job done. Available for any platform.
  • Target a person – This attack incurs perhaps the most effort, and prices vary accordingly. However, you can buy a whole lot of trouble for the target of your choice. Services rendered can result in legal problems, reputation problems, or financial compromise for said victim. A recent example of this type of targeting is the latest rumored high-profile compromise, alleged to be a hack by underground 4chan users into the iCloud account of Hunter Biden.
  • Records manipulation – Need something changed? Social engineering and technological compromise could be your ticket. Official school transcripts, address verification, and any number of records can be changed as requested.
  • Email hacks – There are many ways to get into your average email account, meaning you can buy this service along with a choice of quietly spying on an account, simple access, or copying a mailbox’s entire contents. The infamous 2016 hack of then presidential candidate Hillary Clinton’s emails may have cost her the presidency.
  • DDoS attacks – A Distributed Denial-of-Service (DDoS) attack is a type of cyber-attack in which hackers render a network of computers unavailable to the users by flooding the targeted system with requests. You can typically choose to pay for targeted DDoS attacks in one-hour time increments, for as long as you want. Countless options abound as you can just name your target, begin and end dates, and level of attack bandwidth.
  • Social attacks – You can buy a hijack of a targeted social account for the right price. Hackers have been doing this one for years, with high-profile hacks against major corporations on properties like Twitter, Facebook, and more.

Cyberweapons for Sale

You can also buy, trade, and sell data – including military-made cyberweapons that are available on the dark web. In fact, the market was already going in this direction when the United Arab Emirates was exposed targeting human rights activist Ahmed Mansoor in 2016. The virtually impossible-to-detect iPhone spyware tool used was called Pegasus, made by an Israeli company known as the NSO Group. The Pegasus spyware is classified as a weapon by Israel, and any export of the technology must be approved by the government. It is only approved for sale to governments, not private enterprises, but it invariably falls into the wrong hands. Reports potentially implicated this spyware in a number of attacks across the world targeting human rights activists and journalists, such as the murdered Saudi dissident Jamal Khashoggi. Pegasus is the iOS variant for Apple devices, while the Android variant is called “Chrysaor.” It is similar in nature to the original Trojan viruses that were used to spy on computers, except that this one spreads via text messages and targets mobile devices. Back in 2014, a group known as Hacking Team, based out of Italy, was also found selling specific spyware to other countries’ intelligence agencies. Each of these incidents involved hackers for hire, custom tools, and nation-state entities.

The Unprepared Will Fall

With illicit activities on the rise, an inevitable logical outcome is that many more unprepared organizations will face cyber disasters. In the face of yet another growing threat condition, the case for comprehensive security systems only becomes stronger by the day. Continuous monitoring, detection, and recovery are the components of a comprehensive security solution where so many organizations will fall short.

We cannot stop this scary underground surge, but with a comprehensive security posture, we can wield the tools to detect, mitigate, slow down, and even stop these attacks in their tracks.

This article was originally published in Forbes; please follow me on LinkedIn.

Answering The Problems Of CIO Turnover

The CIO role has become increasingly paramount as modern organizations’ technology has become increasingly complex and unique. But, within the responsibilities of this role, companies are struggling with turnover rates. In this article, Ntirety CEO Emil Sayegh delves into the turnover of this critical position.


Across industries, we commonly talk about the lifecycle of products, computers, and software, yet we rarely hear about the life cycles of the Chief Information Officer (CIO). When it comes to technology, modern organizations are as complex as they are unique, and it comes down to the CIO to navigate through a wide sea of technology that reaches into every aspect of the organization. With an increasingly heightened importance on the execution of transformative information technology projects, the turnover rates for the CIO position are becoming a challenge for organizations across the spectrum.

Amidst the technological climate of business today, the expectations for organizational success have never been closer to the actions of technology executives and the leadership they provide. Thanks to the rapid evolution of technologies, the role of the CIO has progressively shifted from the person responsible for running IT, to the purchaser of selected services or technologies, to that of a tactical technology strategist. The CIO can affect the very DNA of an organization, making it better, faster, and more able—or sometimes quite the opposite, unfortunately.

The Come and Go of CIOs

Across the Fortune 500, the issue of high turnover rates, even at the executive level, is hardly an industry secret. CIOs average three to five years of tenure according to various industry reports, making consistency in IT delivery a challenge widely felt throughout the organization. This heightened criticality—combined with the rapid pace of the technology business and global technology skills shortages—leads to this relatively high degree of CIO turnover. Incumbent CIOs face continual performance reviews from their CEOs and sometimes their company boards. They also have career aspirations; they get poached often and may simply burn out. The overall direction of a company can shift, as we saw with the COVID-19 pandemic, and fresh initiatives create demands for CIOs and their teams to fulfill. Turnover is rampant when change is about, and change comes with the territory of business and technology.

The Whys of CIO Turnover

The CIO faces challenges across the board, and there are various factors that lead to turnover in this position:

  • Security breaches – A significant security incident has the power to alter and end careers
  • Project failures – Including misses on deadlines, budget, and objective fulfillment
  • Burnout – Accelerated timelines, bureaucratic resistance, and resource challenges
  • Uninteresting work – When the grass is greener somewhere else and the technology goals do not match what the CIO wants to do

Technology executives also report that when they leave on their own terms, they have achieved a state where technology is on the right trajectory, even without their presence. They also share that they have achieved all that they wanted in their scenarios.

Who is Right and Who is Wrong?

Analyzing these overall factors, it is difficult to choose a side. Organizations need capable and experienced executives, which means the search for talent can never stop. In some cases, the union between exec and organization can decay. What is more useful is to characterize successful CIOs.

Regardless of tenure, the successful CIO has made themselves essential to the organization. Around the office, this is easy to spot. Peers, leaders, and co-workers will naturally gravitate to an effective CIO. They lead through clear missions, and they recognize how to leverage technologies to drive improvements across the organization, create and capitalize on opportunities, and help manage costs. In various scenarios, CIOs are also able to deliver competitive intelligence that is actionable and useful to the organization’s goals. The successful CIO continuously learns on the job and balances risk factors, budgets, utility, and more in new technology scenarios.

Building and Creating Great CIO Stories

Striving for reduced CIO turnover is an exercise in improving outcomes and creating consistency. Whether from the position of the CEO, the board, or the CIO, the responsibilities of this critical position are essential to the health of the organization, and specific goals can help reduce short-tenure transitions and improve satisfaction.

  • Think BIG – The CIO should envision the big picture and act with essential intent. Establish that critical connection between bytes, results, and opportunities. Remote work, IoT and AI systems, rapid application development, and global capabilities are just a few of the difference-making journeys that CIOs must embark on.
  • Tap the Untapped – The untapped capabilities for the average organization are essentially limitless. With innovation and proven cloud technologies powering enterprise sails, a lone CIO can be the catalyst that raises the bar across business units and delivers transformative value to the organization.
  • The Customer Experience – Modern technological needs feature an intense focus on user and employee experiences, profitability, and 24x7x365 availability that depend on rapid, flexible technologies in addition to well-run operations. The CIO needs to lead this charge with innovation as the technological heart that drives everything forward.
  • “Goldilocks” Partners to Mitigate Challenges – When the challenge is technical, or a security failure, specialized partnerships always produce better results than internal efforts. Find partners that match your needs and can take full ownership, rather than piecemeal. Treat partners well and you can invoke their full knowledge and networks. Bigger is not always better, and too small is often too risky.
  • Recognize Your Top Solution is People – Technology isn’t everything. In fact, it’s not even the first thing—people are. Develop. Coach. Work together. Include end users, developers, IT, and leadership as you work down this route.
  • Focus on Acceleration – At every turn, opportunities through technology and services can change the game and help you achieve goals. Going it alone can be thrifty, but rarely fully delivers.
  • Resolve Conflicts – The waters will rise, the milk might spoil, things might seem destined to go wrong. Navigate these challenges with elegance by finding the best possible solutions.

From CIO 1.0 to CIO 2.0

The Chief Information Officer will continue to move from day-to-day operations toward innovation, becoming the de facto Chief Innovation Officer, formally or informally. With each passing year, the role of the CIO becomes increasingly important to the core operations of a company. With everything that has happened these last two years, technology is more critical today than ever, and as we roll into the future, there is no stopping this critical shift. Enterprise goals and achievements are contingent on the success of modern technologies.

Upon reviewing the scenarios between the organization and its CIO, it is clear that objectives are critical and opportunities to evolve the organization drive this relationship. Just as the universe of technologies is boundless and without limits, the CIO can unleash growth through continually questioning, solving, and delivering toward their individual goals and those of the organization.

Check out this piece, originally published in Forbes, and follow me on LinkedIn.

Rising global tensions put us a few lines of code away from a significant cyber event

Cyberthreats are dominating the news headlines. Ntirety CEO Emil Sayegh highlights the current ever-changing cyber landscape and how we can better protect our cyber infrastructures. 

Reflecting on the threats and targets that we are most concerned with given the Russia-Ukraine war, cybersecurity is now the front line of our country’s wellbeing. Cyber threats endanger businesses and individuals — they can affect supply chains, cause power grid failures, and much more. 

This growing environment of risks and increasingly aggressive adversaries demands our readiness, yet our national response continues to be largely reactive to threat conditions. History shows how a small event built on daisy-chained circumstances can kick off a catastrophe, or even a shooting war.

As the war in Ukraine endures and as countries around the world align, a rising threat emerges from Russian sources, adversarial states, unscrupulous opportunists, and a shadow world of fifth-column provocateurs. An 800% increase in activities was observed in the first 48 hours of the invasion alone, and scanning and probes on domestic network infrastructures are reaching historic highs.

Cyber vs kinetic warfare 

This is a heightened condition of hostilities that will continue and extend beyond physical engagements. We must confront the fact that globally sourced cyberattacks are the essence of modern warfare. It is simpler, cheaper, and more impactful to run a cyberattack campaign than a traditional kinetic act of war. 

Cyberattack campaigns make strategic military sense since they are designed to disrupt communications, disrupt energy supplies, cripple a population or its military readiness, or make any number of dire situations worse. This is why we see intelligence agencies either directly or indirectly involved in cyberwarfare.

As Russia becomes more isolated from the rest of the world, it is believed that even in the aftermath of current conflicts its leaders, intelligence agencies, and even rogue groups of unemployed hackers will be more apt to deploy cyberattacks, either in retaliation or simply for monetary gain. 

China has targeted the United States for decades and has done so on every possible front. From the military, to business, to finance, to the global race for resources, China has leveraged every possible point using tools such as political influence, market manipulation, cyber intrusions, partnerships, and military threat.

Throughout the industry, we can track countless advanced attacks and backdoors to their efforts. In the crosshairs of this force are state departments, contractors, and any organization it can hook itself into. In many cases their aim is far longer-term, as it is industrial espionage and the theft of intellectual property in addition to ransoms.

Rebuilding Security 

We are in a position where even a minor escalation of cyberattack characteristics could cripple this nation and cause massive impacts on life and property. Our response positioning must equal and exceed the specter of the overall threats, and our readiness must be comprehensive. 

In addition to the ongoing Congressional efforts to improve our national cybersecurity, we must add the following tasks to the national cybersecurity mission: 

  • Fix the damage. We must put a priority on funding new security initiatives, with an emphasis on new technologies, the growth of intelligent protection, and services that can augment the baseline of overall security posture.
  • Training a nation. Quality training systems must be made readily available that address modern kill-chain awareness, attack simulations, and advanced countermeasure techniques.
  • Greater collaboration. We must expand the efforts of the Cybersecurity and Infrastructure Security Agency (CISA) to work with the community beyond early warning systems, and to help model comprehensive cybersecurity protection systems by leveraging technologies and services.
  • Pursue criminal activities. We must continue to bring cases of cyber theft, cyberespionage, and cyberattack to the point of grand jury indictment. We need these cases as assets in defending our digital sovereignty, even when they will not result in fines or jail time.

Building a secure digital future is an essential task that demands success, and it should be one of our core missions as a nation. We must take measures to improve cybersecurity through increased knowledge, better technologies, and tactics that are built for the modern range of cyberthreat conditions. 

From mobile endpoints to applications, to identity, and onward to the cloud and infrastructure combined, safeguarding critical assets is a comprehensive task that requires the highest possible prioritization. The recent history of cyber-driven disruptions to critical services has so far been only a warning of what could happen.

We must face the threat that we are only a few lines of code away from a very significant event. Our readiness must improve immediately. 


Check out this piece, originally published in The Last Watchdog, here and follow me on LinkedIn. 

Cybersecurity Maturity Models Can Be Immature

Cybersecurity maturity models are a great starting point for businesses to understand their most important cyber needs. This piece from Ntirety CEO Emil Sayegh notes the importance of going above and beyond the minimum recommendations to avoid the costly consequences. 

Cybersecurity Maturity Models Can Be Immature 

Like many things in life, cybersecurity posture is a spectrum of states of maturity. Cybersecurity Maturity Model Certification (CMMC) is all the rage now in IT departments. You can be at one end of the spectrum of cybersecurity maturity, at the other end, or somewhere in the middle. The National Institute of Standards and Technology (NIST) and CMMC have defined those security maturity models in five distinct stages. You often even hear IT departments proudly declare that they are at level three, four, or five in terms of their security maturity. We can analytically categorize the levels that compose these security states, and that is a good thing. However, some of these states assume reasonably well-known threat patterns. The challenge is that even with the best possible security posture, novel threats can bring the entire security structure crashing down. This is one of the driving conditions that make a comprehensive cybersecurity approach an operational and technological necessity.

Whether it is NIST or CMMC, the five levels of cybersecurity maturity shape up like this: 

  • In the first level, the organization is vulnerable. A lack of preparedness is the most palpable description, along with a general lack of structure, documentation, or processes.
  • At the second level, an organization becomes more aware, but they are still reactive. They can repeat basic efforts, and they have basic documentation of processes available but only in a reactionary manner. This organization can respond in the timeframe of a few days, but they are vulnerable to data loss, operational gaps, and financial impact.
  • Level three marks the beginning of effective security measures. It is typically constructed from security, compliance, and regulatory efforts, along with tighter, better-established security processes. Security policies and technologies are deployed and documented for the most critical environments. General assurance of the environment is established, typically including the existence of backups and repeatable issue mitigation. In this scenario, rapid event awareness is the enabler, reducing response time to hours and sometimes minutes while significantly reducing potential financial loss.
  • The next level escalates to a continually compliant state based on external requirements and internal operational standards. The entire environment is managed, logged, and reviewed on a routine basis, and continuous monitoring helps eliminate regulatory penalties and maintains awareness of operations across each discipline.
  • The highest level of security maturity is the optimized, proactive posture, where information security processes are a model of continual improvement. These processes are tightly integrated with information from throughout the environment, offering feedback, external information, and research, and they can introduce needs-based process updates to better serve the organization. Organizations at this level are able to respond in real time, and they can significantly reduce data and application breaches.

Prepared but Still Exposed 

While these five levels sound good, there are still massive risks from novel threats that can render much of the level two and level three preparedness obsolete, and perhaps severely compromise even a level four organization. A Zero-Day attack is an unforeseen event that bypasses previously established standard security measures. This makes it difficult for security systems and software providers alike, as they don’t know what threat signature might or might not trigger alarms, leaving their products vulnerable in the process.

During a Zero-Day attack, all that preparedness can be undermined as even a limited opportunity slips through the cracks, unknown and unopposed. Preparing for Zero-Day attacks is critical, with a foundation of: 

  • Being proactive
  • Maintaining good data backups
  • Monitoring traffic, security incidents, and accounts
  • Keeping systems up to date
  • Implementing Zero Trust

Zero-Day Blinders and Zero-Day Finders 

A key disadvantage of operating as a single organization with a single infrastructure is reduced visibility. In terms of Zero-Day vulnerabilities, a lone organization may only be subject to a single attack at a given time. This makes it easy to lose sight of looming dangers that are continuously present and just as dangerous. 

Among the benefits of leveraging a massive infrastructure, and of adopting the mission to go beyond the final level of security maturity into Zero-Day conditions, is the ability to see incoming threats across different channels, organizations, industries, and geographies. Facing Zero-Day threats across a scaled base requires never-ending active identification and hunting of threats throughout the infrastructure.

When we speak of comprehensive security, it incorporates everything from process to technology to detection monitoring to recovery. It encompasses designing, building, and operating the entirety of the IT environment. Absent this complete approach, even proactive organizations cannot rely on their maturity model designation as a crutch against threats. When the significant risk of Zero-Day threats is unacceptable, no stone can be left unturned.


Check out this piece, originally published in Security Magazine, here and follow me on LinkedIn.  

Citing cyberthreats: Why we should be worried

Complacency is not an option when it comes to cybersecurity. Ntirety CEO Emil Sayegh highlights prominent cyberthreats we are facing today in the following piece. 


Citing cyberthreats: Why we should be worried 

In the wake of global conflicts, significant concerns about the security of critical domestic cyber operations have dominated the news. Yet, despite all the urgent alerts and notices, after several weeks of escalated scenarios of aggression, it seems the “big one” hasn’t quite hit. On one hand, our power is still on, our water still flows, and our kids can still walk over to the campus ATM and check their balances. Have our adversaries been holding back? Or is something else happening? Threat activity levels are higher than ever, and it is more likely that cyber chaos is lying in wait. Remember the peace of the Western Front — this is the time to worry the most. 

There is little debate that the primary channel for conflicts in the world today is rooted in offensive cyber capabilities. In recent years, attacks from nation-states and state-sponsored groups have surged and include corporate espionage, ransomware schemes, supply chain software breaches, fundraising for terrorist activities, and more. At times it seems that cybersecurity is an epic cat-and-mouse battle.

The U.S. Is the Target

Let’s be clear; it is not just Russia. Even the slightest indication of undermining security is an opportunity for adversaries and foes. China, Iran, North Korea, and even other actors that claim to be technically our allies will not let an opportunity for technological chaos go to waste. This is our modern Roman arena, and we are not viewed as the lions — we are viewed as the bait, and almost everybody is coming at us. 

One simple fact of these threats is that a history of successful attacks begets continued attacks. Attack vectors, techniques, and tools are shared in private corners of the web. Successful campaigns also create digital wealth through cryptocurrency schemes that can wage war, sponsor terrorist groups, and spawn new attacks and new attackers.

Russian Capability

Russian offensive cyber operations are highly advanced, and we have seen how many experts have tracked the SolarWinds attack of 2020 to suspected Russian sources. This incident was a sophisticated infiltration of a major software supplier, and it affected thousands of clients. Operations at that scale take time — incorporating full-cycle targeting, social engineering, payload, and surveillance over the course of many months.

From the beginning of the war in Ukraine, cyberattacks came first. As a prelude to the land attack, these operations destructively took out government agencies, banking facilities, and other critical offices. These were official military actions, but Russia also wields a hidden force of citizens who will see hacking as a form of patriotism and survival as the world continues to impose economic sanctions upon the country. Attacks could persist for years beyond the cessation of violence.


Attack Signals Not Stopping 

The first quarter of this year is behind us, and we are already seeing a high number of novel methods emerge, as well as a heightened and accelerated scale of cyber threat activities across the board. The company I lead has recorded an 800% increase in threat activities since the war first started, and it is not abating in any sense of the word. We continue to work with high-level government agencies on a frequent basis to help protect the ecosystem of companies within our client base and beyond.

We have the Okta situation, new Android malware, reports of suspected Russian and Chinese capabilities to defeat two-factor authentication, and specific failure incidents, such as the report of a major storage provider suffering the permanent loss of customer data. If it isn’t clear already, it one day will be — flaws and human interaction can weaken technology, but technology combined with a commitment to thorough security practices can close significant gaps.

There is definitive proof that global criminal and perhaps intelligence syndicates are driving this increased activity, and the day of the lone hacker is history. Such is a global cyberwar. Companies cannot withstand this escalating onslaught alone. We must take up arms to protect what is ours. This is an invasion of an entirely different kind, and we must protect the homeland in the cloud, on our keyboards, our televisions, and our mobile devices.

Preparation and Targets

We have so much to protect. First, our military and economic foundations are highly dependent on digital terrestrial and satellite technologies. The protection of this backbone is critical, and these are primary targets. However, the frontlines in this battle are everywhere we go and everywhere we live, so right away and urgently, our national base of cyber readiness must get up to speed on security matters.

Only a comprehensive security strategy will solve this once and for all, but until then, we can steel ourselves against this persistent wave of threats with basic actions:

  • Lock down networks and systems
  • Implement tested and validated backups
  • Implement Multi-Factor Authentication
  • Patch systems and software
  • Turn on monitoring and alerting (everywhere)

On a personal level, pay attention to your passwords. Change them often and make them complex. Implement multi-factor authentication everywhere possible. Stay aware of phishing attempts, malicious links, and every form of cybersecurity responsibility you bear for yourself and the companies you work for.

It is the natural order of things that big-name companies are going to hold a higher target value. Russia, like many other nations that wield cyber threat operations, is in a position where it can completely rely on symbolic victories in its cyber attack campaigns. You can count Coca-Cola, Exxon/Mobil, and even Tesla as organizations that are probably on heightened alert due to their very public business decisions launched in response to Russia’s attack.

The Silver Lining

Industry awareness of these threats has improved, and the fact that we have survived this long ties back to the hardening throughout the industry following two years of pandemic-driven challenges. The fires of that digital chaos and the improved response are positive historical touchstones. We will find that only a complete lifecycle of comprehensive security can protect what is truly essential. 

Eventually, the Russian crisis on the ground will pass, but another crisis is looming. Silent digital attacks are a prelude to greater actions, and the stillness is a false sign of security. Russia, China, and other global adversaries are stacked up for a global confrontation, hoping that the weakest target may precipitate our fall.


Check out this piece, originally published in Security Magazine, here and follow me on LinkedIn.

Anatomy of a Comprehensive Security Response

The frontlines of current cyber threat conditions are an interesting combination of rogue threat actors, state-sponsored groups, and Advanced Persistent Threats (APTs). Their intrusions are characterized by stealth, patience, and slow-burn endeavors that are well funded toward their missions. These threats focus on evading detection, on reconnaissance, and on weaponization, in a deliberate sequence of escalating steps. Even with multiple layers of technical protection, activities still occur on the most privileged networks. This is an account of how a recent incident in a protected environment was uncovered through diligence and forensic review.

If you could visualize a successful cyberattack in review, you would see that the journey is a lot like skipping across stones in a river. Here, we are going to dissect such an attack. The object of cybersecurity protections is to review every stone and successfully stop attacks at every possible point. Uncovering threats can rely on automated detection, artificial intelligence, and alerting to varying degrees. However, the information uncovered in these scenarios requires analysis and a threat disposition by trained, qualified human beings.

Anatomy of the Incident 

Let us dissect an actual security incident, so we can gain an appreciation of what it takes to mitigate these millions of incidents that happen every day.  

  • In the pre-dawn hours of a recent morning, the Ntirety Security Operations Center (SOC) received the first of a series of behavioral threat alerts for an endpoint system within a client’s environment.
  • The alert triggered a disposition of a potential network ransom event. 
  • An immediate investigation into this system was launched where it was discovered that a portion of the files on the system were encrypted. 
  • The investigation further showed that the operating system was functional, with no observable impact. 
  • Tier 2 SOC personnel initiated an immediate network containment action to isolate the threat and prevent any possible further lateral movement. 
  • Tier 2 SOC personnel continued to scan logs and immediate network connections for signs of further propagation. As the investigation continued, these findings were negative.  
  • The SOC initiated a Root Cause Analysis and determined that the initial point of entry for this ransomware attack was an unpatched, externally facing server that DID NOT have standard security products installed.
  • This server was scheduled for decommissioning. Further, an administrator account for this system had been exploited; it used a weak, 8-character password that had no history of updates.
  • The affected server was completely compromised, with evidence of complete system encryption.  
  • A ransomware note and additional tracking evidence showed the attack was most likely Crylock ransomware, a new variant of Cryakl ransomware.  
  • Further investigation uncovered that the attacker(s) were able to log in and install software to maintain remote persistence on the server.  
  • System and Security event logs were unable to be recovered, indicating the logs were scrubbed. 

With the successful compromise in place, the attack attempted to escalate, moving laterally to the endpoint system where our detection tools were able to catch it before any further damage could be done.  
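Two of the signals in this incident, the behavioral alert that first fired on the endpoint and the scrubbed event logs found during root-cause analysis, can both be pulled out of routine endpoint telemetry. The following Python script is an added example for this page, not Ntirety's SOC tooling or the page's own code. It runs two detections over constructed telemetry: a sliding-window "encryption burst" check (one process renaming many files to a new extension within a short window) and a check for Windows event-log clearing, using the real Windows Event IDs 1102 (Security audit log cleared) and 104 (an event log file was cleared, recorded in the System channel). Hostnames, process names, file paths, timestamps and the `.locked` extension are all constructed; the thresholds are assumptions to be tuned per environment.

```python
"""Two detections drawn from the incident narrative, over constructed telemetry.

1. Encryption burst: one (host, process) renames at least BURST_MIN_FILES
   distinct files to a different extension within BURST_WINDOW.
2. Log tampering: Windows Event ID 1102 (Security log cleared) or 104
   (another log file cleared, logged in the System channel).

All records below are constructed for this example and are not from the
incident described on the page.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import os


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    host: str
    process: str
    action: str  # "rename", "write", ...
    src: str     # path before the action
    dst: str     # path after the action (same as src for a write)


@dataclass(frozen=True)
class WinEvent:
    ts: datetime
    host: str
    channel: str  # "Security", "System", ...
    event_id: int


# Thresholds: assumptions for this example, tune per environment.
BURST_WINDOW = timedelta(seconds=60)
BURST_MIN_FILES = 20

# Real Windows Event IDs that indicate a log was cleared.
LOG_CLEAR_EVENTS = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "Event log file cleared",
}


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def detect_encryption_bursts(events, window=BURST_WINDOW, min_files=BURST_MIN_FILES):
    """Alert once per (host, process) whose extension-changing renames cover
    at least `min_files` distinct source files inside a sliding `window`."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.action == "rename" and _ext(e.src) != _ext(e.dst):
            by_key[(e.host, e.process)].append(e)

    alerts = []
    for (host, proc), evs in by_key.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:  # slide the window
                start += 1
            span = evs[start:end + 1]
            if len({e.src for e in span}) >= min_files:
                ext, _ = Counter(_ext(e.dst) for e in span).most_common(1)[0]
                alerts.append({"host": host, "process": proc, "files": len(span),
                               "new_extension": ext, "first": span[0].ts,
                               "last": span[-1].ts})
                break  # one alert per host/process is enough to page the SOC
    return alerts


def detect_log_clearing(events):
    """Return every log-clear event; an attacker scrubbing logs produces exactly
    the gap the root-cause analysis above ran into."""
    return [{"host": e.host, "ts": e.ts, "channel": e.channel, "event_id": e.event_id,
             "meaning": LOG_CLEAR_EVENTS[(e.channel, e.event_id)]}
            for e in events if (e.channel, e.event_id) in LOG_CLEAR_EVENTS]


# --- constructed telemetry -------------------------------------------------
T0 = datetime(2024, 1, 1, 4, 12, 0)  # constructed pre-dawn timestamp


def _constructed_file_events():
    evs = []
    for i in range(5):  # benign: a user renames a few files over several minutes
        evs.append(FileEvent(T0 + timedelta(minutes=i), "ws-17", "explorer.exe", "rename",
                             f"C:\\Users\\a\\draft{i}.txt", f"C:\\Users\\a\\final{i}.docx"))
    for i in range(25):  # suspicious: 25 documents renamed to .locked in 48 seconds
        src = f"C:\\Users\\a\\Documents\\report{i}.xlsx"
        evs.append(FileEvent(T0 + timedelta(minutes=7, seconds=2 * i), "ws-17",
                             "unknown.exe", "rename", src, src + ".locked"))
    return evs


def _constructed_win_events():
    return [
        WinEvent(T0 - timedelta(hours=3), "srv-legacy-01", "Security", 4624),      # ordinary logon
        WinEvent(T0 - timedelta(minutes=30), "srv-legacy-01", "Security", 1102),   # audit log cleared
        WinEvent(T0, "ws-17", "System", 7036),                                     # service state change
    ]


SAMPLE_FILE_EVENTS = _constructed_file_events()
SAMPLE_WIN_EVENTS = _constructed_win_events()

if __name__ == "__main__":
    for a in detect_encryption_bursts(SAMPLE_FILE_EVENTS):
        print("ENCRYPTION BURST:", a)
    for t in detect_log_clearing(SAMPLE_WIN_EVENTS):
        print("LOG CLEARED:", t)
```

Both detectors operate on data a SOC already collects (file-system telemetry from an endpoint agent and forwarded Windows event logs), which is the point of the narrative above: the alert on the workstation was caught because telemetry and detection existed there, while the legacy server had neither, so the only trace of the log clearing would have to come from a forwarded copy of the logs rather than the server itself.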

As an epilogue, the customer received guidance and recommendations towards decommissioning the server as soon as possible, wiping and imaging the affected workstation, network isolation, strong password enforcement practices, and installation of our advanced security tools throughout all systems in their environment.  

The Comprehensive Response 

Client environments have all kinds of interesting facets to them that can affect overall security. Sometimes there is a bit of baggage, such as a legacy operating system or application that has no available updates or is tied down to legacy by means of licensing, contract, or a functional gap. That legacy OS was the first problem. Missing security tools were the next issue.  

From there, we have an unpatched public-facing system, weak and unmanaged privileged passwords, and an open network hop that allowed the attempt to laterally propagate. You can call that an unfortunate mix of vulnerabilities that could have led to a major problem.  

However, comprehensive practices came through in the detection of anomalous events at the first point possible. Our SOC sprang into action according to plan, and we were able to fully ascertain the situation and prevent any further incidents. You can see the potential for significant impact that one unprotected system has, but by layering detection and response throughout the environment, we can mitigate the unknown.

The goals of the Ntirety SOC and application of comprehensive security principles have common targets. We are focused on minimizing the impact of incidents and breaches on our client organizations. To minimize impact, we are focused on responding to incidents quickly and reducing the time it takes to detect and enact our responses. By effectively remediating security conditions and maintaining security baselines throughout our client environments, we work towards preventing major incidents from occurring.  

Detection, analysis, investigation, and remediation are some of the milestone capabilities of our comprehensive defensive systems. In the current and future climate of threat conditions, this is the best available path to uncovering the unknown, to reveal hidden threats and adversarial activities, and to identify attacks before they scale.  

6 Reasons Why Entrepreneurs Should Take Security Seriously

Being an entrepreneur involves some serious hustle in order to make a dream a reality. While it can be tempting to handle everything on your own, cybersecurity requires teamwork.  Read this piece from Ntirety CEO Emil Sayegh, originally published in Forbes, to learn more about why cybersecurity should always be a part of an entrepreneur’s strategy. 

6 Reasons Why Entrepreneurs Should Take Security Seriously

Of all the rules and advice available about running your own business, the best pertains to what mistakes to avoid. At the top of the list of mistakes to avoid as an entrepreneur: do not do everything yourself.

By default, when an individual chooses to do something, they are choosing not to do something else. Yet despite that simplicity, the inclination to do it all in entrepreneur mode is tempting. We want to know every brick of our business, and we are willing to subscribe to the icon of hard work and high rewards. The reality is, there is too much on the line, and you could be doing other things that you are much better at. It’s a powerful choice that separates leaders from the rest of the pack. In his book Good To Great, Jim Collins calls it Level 5 leadership, a level we all aspire to be at.

Choosing what your organization does and does not do is one of the most critical leadership tasks imaginable. This choice applies to our most precious digital assets as well. Information needs to get where it needs to go in a way that is safe.

You are not an expert at everything in technology, even if you are a technologist at heart. If you try, you end up doing less than you could have done on a much more valuable task. Once you can afford it, hiring experts has tremendous advantages, especially when you regain time and opportunities in doing so.

When it comes to IT security, however, you just can’t face these challenges alone. Cybersecurity is not a finish-line initiative where you can roll out a tool of some sort and call it a day. The threats are ever-changing and escalating, meaning that protecting your business means keeping a continual watch on your assets, and you must never let your guard down toward the ever-evolving vulnerabilities. The risks are just too great to “roll your own.”

These are the top reasons why, as an entrepreneur, your IT security should be taken seriously.


  1. Impossible Task: Across the globe, more than 30,000 websites are hacked daily. A new attack happens somewhere every 39 seconds. More than 300,000 new pieces of malware are created each day. DDoS attacks, malicious apps, phishing, zero-day attacks, and other security concerns threaten every business, even the small ones. Your adversaries are not individuals but nation states, criminal organizations, and hive-minded hackers. No entrepreneur can do this alone and just because an incident has not happened to you, it does not make you immune. 
  2. Reputation: Nobody is immune to the reputational damage that comes in the wake of a cyber incident. Consider the value and reputation loss for companies like SolarWinds, FireEye, and others, and the association with their founders, executives, and company boards.
  3. Financial Losses: An incident can wreck your finances for good. Between recovery efforts, penalties, and loss of income, a cyber incident can affect a small company’s bottom line significantly. A 2017 Ponemon Institute study put the average cost for small businesses at $500,000 per incident. This calculation only scratches the surface of legal costs, compliance penalties under HIPAA and GDPR, lost revenue due to downtime, and so on.
  4. Losing the Board and Investors: The Board of Directors and investors have a stake in the sanctity of the business. There is nothing like a cybersecurity incident and a chain of business ownership crisis to put one at odds with these critical business advocates. The perceived savings of executing your own security is simply not worth it. 
  5. Endanger Employees: Taking on security alone can endanger your employees, who are your most important asset, through the theft of employee data, including sensitive HR files, dates of birth, financial information, and more. 
  6. Financial Theft: Cyber thieves, in many manifestations, are out there. Whether it’s a lone hacker, a team of criminals, or a nation-state organization, there are high values placed on the extraction of financial data and the methods being used are crafty, escalating, and unpredictable. 

At the risk of repetition, understand that entrepreneurs know their businesses, but they are not experts at everything. When security giants like FireEye fall to modern, sophisticated cyberattacks, as we’ve seen in recent news, you should get a sense of how critical it is not to take on the challenge of cybersecurity alone. Focus on the things you do best, and stop doing the things you shouldn’t be.

Check out this piece, originally published in Forbes, here and follow me on LinkedIn.