We’re pleased to announce the availability of the 2023 AT&T Cybersecurity Insights™ Report: Focus on Healthcare. It looks at the edge ecosystem, surveying healthcare IT leaders from around the world, and provides benchmarks for assessing your edge computing plans. This is the 12th edition of our vendor-neutral and forward-looking report. Last year’s focus on healthcare report documented how we secure the data, applications, and endpoints that rely on edge computing (get the 2022 report).

Get the complimentary 2023 report.

The robust quantitative field survey reached 1,418 professionals in security, IT, application development, and line of business from around the world. The qualitative research tapped subject matter experts across the cybersecurity industry.

At the onset of our research, we established the following hypotheses.

  • The momentum edge computing has in the market.
  • Approaches to connecting and securing the edge ecosystem – including the role of trusted advisors to achieve edge goals.
  • Perceived risk and perceived benefit of the common use cases in each industry surveyed.

The results focus on common edge use cases in seven vertical industries – healthcare, retail, finance, manufacturing, energy and utilities, transportation, and U.S. SLED – and deliver actionable advice for securing and connecting an edge ecosystem, including external trusted advisors. Finally, it examines cybersecurity and the broader edge ecosystem of networking, service providers, and top use cases.

The role of IT is shifting, embracing stakeholders at the ideation phase of development.

Edge computing is a transformative technology that brings together various stakeholders and aligns their interests to drive integrated business outcomes. The emergence of edge computing has been fueled by a generation of visionaries who grew up in the era of smartphones and limitless possibilities. Look at the infographic below for a topline summary of key findings.

In this paradigm, the role of IT has shifted from being the sole leader to a collaborative partner in delivering innovative edge computing solutions. In addition, we found that healthcare leaders are budgeting differently for edge use cases. These two things, along with an expanded approach to securing edge computing, were prioritized by our respondents in the 2023 AT&T Cybersecurity Insights Report: Edge Ecosystem.

One of the most promising aspects of edge computing is its potential to effectively use real-time data for patient care, revolutionizing healthcare outcomes and operational efficiency. While mobile devices and personal computers are still extremely popular in healthcare, their ubiquitous availability and connectivity make them vulnerable to cyberattacks. Successful cyberattacks can disrupt services, highlighting the need for robust cybersecurity measures.

Edge computing brings the data closer to where decisions are made.

With edge computing, the intelligence required to make decisions, the networks used to capture and transmit data, and the use case management are distributed. Distribution means things work faster because nothing is backhauled to a central processing area such as a data center, which is what delivers the near-real-time experience.

With this level of complexity, it’s common to re-evaluate decisions regarding security, data storage, or networking. The report shares the trends emerging as healthcare embraces edge computing. One area that’s examined is expense allocation, and what we found may surprise you. The research reveals how investments are allocated across overall strategy and planning, network, application, and security for the anticipated use cases that organizations plan to implement within the next three years.

How to prepare for securing your healthcare edge ecosystem.

Develop your edge computing profile. It is essential to break down the barriers that typically separate the internal line of business teams, application development teams, network teams, and security teams. Technology decisions should not be made in isolation but rather through collaboration with line of business partners. Understanding the capabilities and limitations of existing business and technology partners makes it easier to identify gaps in evolving project plans.

The edge ecosystem is expanding, and expertise is available to offer solutions that address cost, implementation, mitigating risks, and more. Including expertise from the broader healthcare edge ecosystem increases the chances of outstanding performance and alignment with organizational goals.

Develop an investment strategy. During healthcare edge use case development, organizations should carefully determine where and how much to invest. Think of it as part of monetizing the use case. Building security into the use case from the start allows the organization to consider security as part of the overall cost of goods (COG). It’s important to note that no one-size-fits-all solution can provide complete protection for all aspects of edge computing. Instead, organizations should consider a comprehensive and multi-layered approach to address the unique security challenges of each use case.

Increase your compliance capabilities. Regulations in the healthcare industry can vary significantly across different jurisdictions, including countries, states, and municipalities. This underscores the importance of not relying solely on a checkbox approach or conducting annual reviews to help ensure compliance with the growing number of regulations impacting healthcare organizations. Keeping up with technology-related mandates and helping to ensure compliance requires ongoing effort and expertise. If navigating compliance requirements is not within your organization’s expertise, seeking outside help from professionals who specialize in this area is advisable.

Align resources with emerging priorities. External collaboration allows organizations to utilize expertise and reduce resource costs. It goes beyond relying solely on internal teams within the organization. It involves tapping into the expanding ecosystem of edge computing experts who offer strategic and practical guidance. The healthcare industry is familiar with the concept of engaging external subject matter experts (SMEs) to enhance decision-making. Involving outside SMEs can help prevent expensive mistakes and accelerate the deployment process. These external experts can help optimize use case implementation, ultimately saving time and resources.

Build in resilience. Consider approaching edge computing with a layered mindset. Take the time to ideate on various “what-if” scenarios and anticipate potential challenges. For example, what measures exist if a private 5G network experiences an outage? Can patient data remain secure when utilizing a public 4G network? How can business-as-usual operations continue in the event of a ransomware attack?

Successful healthcare edge computing implementations require a holistic approach encompassing collaboration, compliance, resilience, and adaptability. By considering these factors and proactively engaging with the expertise available, healthcare organizations can unlock the full potential of edge computing to deliver improved patient outcomes, operational efficiency, and cost-effectiveness in the ever-evolving healthcare landscape.

The post Get the AT&T Cybersecurity Insights™ Report: Focus on Healthcare appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

As organizations across every sector come to rely more and more heavily on digital data storage, digital work platforms, and digital communications, cyber attacks are becoming increasingly common. Enterprising cyber attackers see opportunities abound with the widespread digital transformation across industries. Social engineering cyber attacks present a particularly potent threat to organizations. 

In this article, we will take a look at why training your employees to become aware of social engineering cyber attacks is key to protecting your business. We will explore the most common forms of social engineering attacks. Finally, we’ll also share key actionable advice to help educate and defend your employees against social engineering schemes. 

Why cybersecurity awareness is important

Oftentimes the most vulnerable element in any organization’s cybersecurity defense system is an unaware employee. When someone does not know the common features of a social engineering cyber attack, they can easily fall for even the most widespread cyber attack schemes. 

Educating employees on signs to look out for that might indicate a hidden cyberattack attempt and training employees on security policies and appropriate responses is essential to creating a resilient company-wide cybersecurity policy. 

Three common types of social engineering attacks

To understand how to identify, trace, and respond to social engineering cyber attacks, it is important to get to know the most common forms that social engineering attacks can take. 

A social engineering attack occurs when a bad actor contacts an unsuspecting individual and attempts to trick them into providing sensitive information (such as credit card details or medical records) or completing a particular action (such as clicking on a contaminated link or signing up for a service). 

Social engineering attacks can be conducted over the phone, or via email, text message, or direct social media message. Let’s take a look at the three most common types of social engineering cyber attacks:

  • Phishing

Phishing is a type of social engineering attack that has bad actors posing as legitimate, and oftentimes familiar, contacts to extort valuable information from victims, such as bank account details or passwords. 

Phishing attacks can come in the form of emails claiming to be from legitimate sources, such as a government body, a software company you use, or a relative. Bad actors can hack someone’s legitimate account, making the communication seem more convincing, or they can impersonate an official organization, copying their logo and content style. 

  • Pretexting

Pretexting attacks occur when a bad actor invents a story to gain an unsuspecting victim’s trust. The bad actor then uses this trust to trick or convince the victim into sharing sensitive data, completing an action, or otherwise accidentally causing harm to themselves or their affiliated organizations. 

Bad actors may use pretexting to manipulate an individual into downloading malware or compromised software, sending money, or providing private information, including financial details. 

  • Baiting

Baiting is a similar type of social engineering attack to pretexting. While in a pretexting attack the bad actor lulls a victim into a sense of false security with a compelling narrative, a baiting attack uses enticing promises to trick a victim into completing an action or providing information. 

Essentially baiting involves a bad actor setting a trap for victims. This trap could be an email attachment or file sent through social media messaging that at first seems legitimate, but includes malware. Victims may not even be aware that they have fallen for a baiting scheme, as the malware could be downloaded onto their device without them knowing about it. Bad actors can also use baiting to steal bank details or other personal data from victims. 

How to educate employees to recognize social engineering attacks

Each employee should be able to adequately recognize and respond to social engineering attack attempts; when every employee knows how to do this your organization will have a robust level of human security defending the organization against cyber breaches. 

  • Conduct regular security awareness training

Make sure that cybersecurity is a priority for employee education. The more your employees are reminded of the importance of cybersecurity, the more likely they will be to remember the correct course of action to take in the event of an attack attempt. Include cybersecurity information posters on the walls of your office, upon which you can try integrating QR codes to provide a multimedia and more secure way for employees to access this information while on the go. 

Encourage employees to read up on the latest cybersecurity protocols and attack methods. And schedule regular mandatory cybersecurity training sessions to refresh employees on how to stay vigilant against cyber attacks and where to report suspicious activity when it occurs. 

  • Utilize Multi-factor Authentication

Multi-factor Authentication, or MFA, maintains a higher level of security against each attempt to access your company networks and files. Multi-factor authentication can require employees to answer security questions, provide a one-time-only code that is sent to their email or phone number, or pass through secure restricted access digital gateways using another method that verifies their identity and right to access that digital space. 

With multi-factor authentication in place, hackers who successfully access one employee’s phone number, login info, or email address will still not be able to compromise the security of the entire organization. 

  • Track company KPIs

Your organization should create a shared checklist that employees can consult and reference in the event of a suspected (or successful) cybersecurity breach. 

This document should contain all relevant security KPIs, or key performance indicators, that provide measurable metrics. Employees will be able to trace and evaluate the robustness of your organization’s security system based on whether or not these individual metrics are performing at the appropriate level. 

  • Implement strong password requirements

Ensure that every employee is maintaining good password hygiene. Each employee should utilize a unique combination of letters, numbers, and symbols, including both uppercase and lowercase letters. 

Employees should never use the same password for multiple accounts, and they should avoid using any phrases or words that may be easy for hackers to guess. Birthdays, anniversaries, pet names, and song lyrics should never be used as passwords. 

  • Establish company-wide cybersecurity policies

Confusion about your organization’s expectations and standards can lead to further weak spots, vulnerable points, and openings for enterprising cyber attackers to exploit. Make sure every employee has a clear understanding of company policies surrounding cybersecurity. 

Organizations that are hiring freelance employees, for example, will need to be on extra high alert. Freelancers or independent contractors your company works with may not always comply with the basic security guidelines and expectations that full-time employees are held to. 

To avoid this, establish clear cybersecurity expectations from the start of the professional working relationship by laying out cybersecurity policies in the freelancer contract. Look for freelancing contract templates that come with flexible customization options, so you can be sure to include the relevant section about cybersecurity policy agreements for freelancers and contractors. 

  • Use common sense

It may sound obvious, but following up on a hunch to double-check whether or not an offer or request seems legitimate is a great way to defend against social engineering scams. If you receive an email that seems suspicious, for example, try contacting the original sender, whether that was a colleague, a friend, or a company. Use another method to contact them and double-check whether it was indeed them trying to contact you. 

If a request seems suspect, there is a good chance it is a scam. If a bad actor is trying to scam you, then taking the extra time to verify can save you hours of cleanup, not to mention financial damages and reputation loss. Employees can report suspicious phone calls or text messages directly to their phone carriers, who may be able to track the perpetrator and restrict their access. Or employees can file a complaint with the FBI Internet Crime Complaint Center.

Final thoughts

Defending against sophisticated social engineering attacks can be a daunting challenge for any organization. The best method of protecting sensitive data and preventing unwanted access to restricted organization networks is to implement a multilayered approach to cybersecurity. 

Provide each employee with the training and education that will eliminate accidental individual cybersecurity slip-ups and you will have a more robust, well-rounded, and dynamic cybersecurity defense system. 

Make use of common sense, encourage employees to report suspicious activity, conduct frequent employee security training sessions, track KPIs with shared checklists, and establish clear company-wide security policies. Ensure that every employee knows how to create a secure password, and set up multi-factor authentication procedures. 

With a highly aware workforce, your organization will be better equipped to prevent phishing, pretexting, baiting schemes, and other forms of social engineering cyber attacks.

The post The human element of Cybersecurity: Nurturing a cyber-aware culture to defend against social engineering attacks appeared first on Cybersecurity Insiders.


Today’s companies operate in a complex security environment. On the one hand, the threat landscape is growing. Bad actors are becoming more and more refined as they get access to new tools (like AI) and offerings (like hacking-as-a-service). On the other hand, companies are dealing with more sensitive data than ever before. This has prompted consumers and regulators alike to demand for better security practices.

To top it all off, companies are operating in an increasingly decentralized digital model. Gone are the days of firewalls. Employees want to be able to access work from anywhere, and on their own networks and devices. This has heightened the prevalence of insider threats, making it much easier for employees to inadvertently (or intentionally) share corporate data with others.

One way that insider threats have become particularly problematic is through social media. In this article, we’re taking a closer look at how social media can compromise data security for organizations — and what they can do to address this concern.

The challenge with social media

Depending on the platform, social media encourages users to share information about their life and experiences in varying degrees. When it comes to employees, social media can easily be a channel to discuss work-related topics, whether that’s sharing excitement about an upcoming product feature, posting a photo of a company event, or even sharing sensitive information with a colleague via private chat features. This degree of sharing — both of personal and corporate information — can pose a number of challenges for businesses.

For starters, there’s a risk of accidentally sharing information. An employee could post a picture of their desk on Instagram to show off their lunch for the day or the view from their office and forget to blur the sensitive information on their computer screen. Alternatively, a software developer might seek out peers on a Reddit forum to try and solve a particular issue with their code, and inadvertently share proprietary code when asking for help.

Some social media channels also allow for a certain degree of anonymity. A disgruntled employee could take to Twitter or Reddit and make corporate secrets widely available to competitors or regulators.

On the other side of the equation, cybercriminals use social media platforms as resources for their attacks. These bad actors understand that people are prone to sharing information, so they access public profiles to try and glean useful information that can then be used for sophisticated social engineering attacks. In addition, they can use the likes of LinkedIn to map out an organizational structure, get access to corporate email addresses, and even identify when core individuals are on vacation. They can also review an individual’s follower or contact list, create a fake account for someone at the company that’s not on the list, and encourage the employee to share sensitive information.

All of these challenges can put a business at risk of sophisticated threats including phishing and other forms of social engineering, brand impersonation aimed at tricking customers, data theft, and even large-scale data breaches. Despite the potential impact of a social media leak, it’s notoriously difficult for companies to control the egress of data through these platforms. That said, below are some of the things companies can proactively do to mitigate these threats.

Staying ahead of social media threats

Businesses can’t dictate what their employees say on their personal social media accounts — that’s a given. That said, they can educate their users on the dangers of disclosing too much information and the best ways to protect their data, credentials, and corporate details. This can be done through onboarding training, gamified security weeks where employees are given challenges to identify and act out security best practices, as well as lunch and learns dedicated to security.

For companies that provide their employees with mobile devices, there’s also an opportunity to set clear expectations around what can be posted from a corporate device or not. They can also encourage individuals to change their phone passwords often, and to use a password manager for their social accounts.

There are also services and technologies that can help here. For example, companies can hire social media scanning services to identify fraudulent accounts and flag them to employees. In addition, a comprehensive data loss prevention tool can also be instrumental in identifying when sensitive data has been exposed and kickstarting an immediate response.

Evolving with the times

When it comes to maintaining robust security measures, companies have a responsibility to keep up with cultural shifts and the adoption of new platforms. Security practitioners need to be continually aware of any new threat vectors, incorporating new measures and policies as needed and keeping up with best practices. This is why having a robust, comprehensive, and iterative cybersecurity strategy — one that accounts for both insider and external threats — is more important than ever. 

The post How social media compromises information security appeared first on Cybersecurity Insiders.

Introduction

Whether you are new to the world of IT or an experienced developer, you may have heard of the debugging concept of the ‘programmer’s rubber duck’. For the uninitiated, the basic concept is that by speaking to an inanimate object (e.g., a rubber duck) and explaining one’s code or the problem you are facing as if you were teaching it, you can solve whatever roadblock you’ve hit. Talking to the duck may lead to a “eureka!” moment where you suddenly discover the issue that has been holding you back, or simply allow you to clarify your thoughts and potentially gain a new perspective by taking a short break.

This works because as you are “teaching” the duck, you must break down your code step by step, explaining how it works and what each part does. This careful review not only changes how you think about the described scenario but also highlights flaws you may not have otherwise identified. Since the rubber duck is an inanimate object, it will never tire or become disinterested during these conversations. Understandably, this also means that the duck cannot provide you any actual support. It won’t be able to help you summarize your ideas, offer recommendations, or point out flaws in syntax or programming logic.

Enter the tool now taking the world by storm: ChatGPT. Even at its most basic tier, ChatGPT offers incredible value for those who learn how to work with it. It combines in one package all the benefits of the rubber duck. While it provides the patience and reliability of the classic ‘rubber duck’, ChatGPT also has the ability to offer helpful suggestions, review code snippets*, and engage in insightful dialogue.

ChatGPT has the opportunity to significantly speed up development practices and virtually eliminate any form of “coder’s block” without needing any complex setup or advanced knowledge to use effectively. The tool can also remove many barriers to entry that exist in programming, effectively democratizing the entire development pipeline and opening it up to anyone with a computer. The premise of a rubber duck extends beyond the realm of programming. Individuals across various professions who require an intuitive, extensively trained AI tool can benefit from ChatGPT – this modern interpretation of the ‘rubber duck’ – in managing their day-to-day tasks.

*This is highly dependent on your use-case. You should never upload sensitive, private, or proprietary information into ChatGPT, or information that is otherwise controlled or protected.

Benefits

ChatGPT offers numerous benefits for those willing to devote the time to learning how to use it effectively. Some of its key benefits include:

  • Collaborative problem-solving
  • Ability to significantly reduce time spent on manual tasks
  • Flexibility
  • Ease of use

Drawbacks

The tool does come with a few drawbacks, however, which are worth considering before you dive into the depths of what it can offer. To begin with, the tool is heavily reliant on the user to provide a clear and effective prompt. If provided a weak or vague prompt, it is highly likely that the tool will provide similarly weak results. Another drawback that may catch its users by surprise is that it is not a replacement for human creativity or ingenuity. You cannot, thus far, solely rely on the tool to fully execute a program or build something entirely from scratch without the support of a human to guide and correct its output.

Suggestions

Although ChatGPT is a fantastic tool, I recognize that using it can be overwhelming at first, especially if you are not used to it. ChatGPT has so many capabilities that it is often difficult to determine how best to use it. Below are a few suggestions and examples of how this tool can be used to help talk through problems or discuss ideas, regardless of whether you’re using it for programming or not.

Structure your prompt

When making any request that does not have a clearly defined scope or conclusive answer, you must construct your prompt appropriately. To help craft the perfect prompt, it can be helpful to write out what you are looking to accomplish, and what you are looking for ChatGPT to assist with before you begin writing your prompt. Using that information, you can extract the key information to form your request. You can improve the output provided by ChatGPT in a few ways, including:

  • Adding as much information as you have. The more you give it, the better it will be able to assist. This may include:
    • Your industry or role
    • Examples of similar topics, or references you want its output to mimic
    • Additional supporting information such as location, budget, age, or other relevant details
  • Making your request clear, and specific.
  • Refining its output as you go (e.g., asking it to expand on a topic)

Ask directly

If you know what you’re looking for, it can be helpful to directly ask ChatGPT what it needs to help you solve your problem. For example, you may structure your prompt like this:

“I need help doing . I would like you to provide guidance on completing it, as well as any suggestions you deem relevant. What information do you need from me to assist you?”

At this point, ChatGPT will give you a breakdown of what information it needs to assist you. This often comes in a well-structured list, with a sentence or two of description attached to each category to help you understand what it is looking for.

Elaborate, elaborate, elaborate

As you work through the collaborative process, it can be helpful to amend your initial ask by providing additional details or insight. At any point during the back-and-forth, you are encouraged to elaborate on your initial point, or any area you feel it is struggling. This may include giving more details on your project or problem, providing examples of what you have already tried, or asking the tool to change how it is giving you information. Occasionally you may also need to ask it to ignore previous information, or to alter the course it is taking.

Useful prompts

I’ve listed some other useful prompts below along with some use cases to give you some ideas how to use this tool.

  • “I want you to act as and assist me with .”
  • “Please write about improving as a .”
  • “Using please .”
  • “Create of suggestions, considering .”

Sample conversation

Provided prompt: Please write about ways to improve security implementation into a CI/CD pipeline**.

Response: Implementing security into a Continuous Integration/Continuous Deployment (CI/CD) pipeline can ensure that the software you deliver is free from vulnerabilities. Continuous security, often known as DevSecOps, is about infusing security practices into your DevOps process. Here are several ways to improve security implementation into a CI/CD pipeline:

  1. Static Application Security Testing (SAST): Use SAST tools in the CI pipeline to analyze source code for potential security vulnerabilities. These tools can help you identify issues before they become significant problems, and they’re most effective when used early in the development cycle. The process should be configured to break the build if issues of a certain severity level are discovered.
  2. Dynamic Application Security Testing (DAST): Use DAST tools in the CD pipeline to analyze your web applications in their running state for vulnerabilities. DAST can effectively detect issues that appear only in a running application, like injection attacks and cross-site scripting.
  3. Dependency Scanning: Most projects use a lot of dependencies, and it’s crucial to regularly check these for vulnerabilities. Automated dependency checkers can alert you about insecure libraries and suggest safer alternatives or updates.

**This prompt was submitted to ChatGPT 4. Its response was truncated to only list the first three recommendations.
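The first recommendation in the sample response says the SAST step should break the build once findings reach a certain severity. The block below is an added example of that gate, written for this post and not taken from the original article or from ChatGPT's reply. It assumes the scanner emits SARIF 2.1.0 (the interchange format most SAST and dependency scanners can produce); the report, rule IDs, file paths and the accepted-risk register are constructed for the example.

```python
"""Severity gate for SAST / dependency-scan output in a CI pipeline.

Added example, not code from the original post or from ChatGPT's reply.
It assumes the scanner emits SARIF 2.1.0; the report, rule IDs and file
paths below are constructed for this example.
"""
import json
from datetime import date

SEVERITY_ORDER = ["low", "medium", "high", "critical"]
# Fallback when a rule carries no numeric score: map the SARIF result level.
LEVEL_FALLBACK = {"error": "high", "warning": "medium", "note": "low", "none": "low"}


def band_from_score(score: float) -> str:
    """CVSS-style bands for the 'security-severity' rule property."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def finding_severity(result: dict, rules_by_id: dict) -> str:
    """Prefer the rule's numeric security-severity; fall back to the result level."""
    rule = rules_by_id.get(result.get("ruleId"), {})
    score = rule.get("properties", {}).get("security-severity")
    if score is not None:
        return band_from_score(float(score))
    return LEVEL_FALLBACK.get(result.get("level", "warning"), "medium")


def primary_location(result: dict) -> tuple:
    """(uri, line) of the first reported location, or a placeholder."""
    try:
        loc = result["locations"][0]["physicalLocation"]
        return loc["artifactLocation"]["uri"], loc["region"]["startLine"]
    except (KeyError, IndexError):
        return "<unknown>", 0


def evaluate_gate(sarif: dict, fail_at: str, accepted: dict, today: date) -> dict:
    """Split findings at or above `fail_at` into blocking vs. suppressed.

    `accepted` maps (ruleId, uri) -> expiry date: a risk acceptance is scoped
    to one rule in one file and stops applying once its review date passes,
    so old exceptions cannot silently keep the gate open."""
    min_rank = SEVERITY_ORDER.index(fail_at)
    blocking, suppressed = [], []
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            sev = finding_severity(res, rules)
            if SEVERITY_ORDER.index(sev) < min_rank:
                continue
            uri, line = primary_location(res)
            entry = {"rule": res.get("ruleId"), "severity": sev, "where": f"{uri}:{line}"}
            expiry = accepted.get((res.get("ruleId"), uri))
            if expiry is not None and today <= expiry:
                suppressed.append(entry)
            else:
                blocking.append(entry)
    return {"fail": bool(blocking), "blocking": blocking, "suppressed": suppressed}


# Constructed SARIF report standing in for a real scanner's output.
SAMPLE_SARIF = json.loads("""
{"version": "2.1.0", "runs": [{
  "tool": {"driver": {"name": "example-sast", "rules": [
    {"id": "sql-string-concat", "properties": {"security-severity": "9.1"}},
    {"id": "weak-hash", "properties": {"security-severity": "5.3"}},
    {"id": "debug-print"}]}},
  "results": [
    {"ruleId": "sql-string-concat", "level": "error", "message": {"text": "query built by concatenation"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}]},
    {"ruleId": "weak-hash", "level": "warning", "message": {"text": "MD5 used for integrity"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/files.py"}, "region": {"startLine": 10}}}]},
    {"ruleId": "debug-print", "level": "note", "message": {"text": "leftover print()"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"}, "region": {"startLine": 3}}}]},
    {"ruleId": "sql-string-concat", "level": "error", "message": {"text": "query built by concatenation"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "legacy/report.py"}, "region": {"startLine": 7}}}]}
  ]}]}
""")

# Constructed accepted-risk register: the legacy finding is tolerated until its review date.
ACCEPTED = {("sql-string-concat", "legacy/report.py"): date(2099, 1, 1)}


def run_sample(fail_at: str = "high", today_iso: str = "2023-09-01", accepted: dict = ACCEPTED) -> dict:
    return evaluate_gate(SAMPLE_SARIF, fail_at, accepted, date.fromisoformat(today_iso))


if __name__ == "__main__":
    verdict = run_sample()
    print(json.dumps(verdict, indent=2))
    raise SystemExit(1 if verdict["fail"] else 0)  # non-zero exit breaks the build
```

Run as the last step of the SAST job, the non-zero exit is what makes the pipeline fail; the suppressed list is printed so that reviewers can see which accepted risks are keeping the gate open.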

Conclusion

From helping developers solve problems, to empowering small businesses to compete in ways they never imagined, the new age of AI-powered technology is certain to bring numerous changes to the way people and businesses operate. While this technology is certainly still in its infancy, it has astronomical potential to reimagine how we do our work. The current features offer numerous opportunities to act as a force multiplier when paired with subject matter experts, and can handle a lot of work that is currently handled manually.

Even when you can’t share specific details due to security or privacy concerns, ChatGPT and similar tools can be used to brainstorm ideas on a more generalized level. It is essential for all organizations, and individuals, to stay abreast of new technologies as they become available so that appropriate use cases can be developed and implemented. This is not to say that the tools available today are without fault, or should be relied on to the exclusion of all else, however. In the business environment, every new tool should be reviewed and approved for specific use where necessary. Individually, we must each take some responsibility for how we use technology and ensure it is employed in both an ethical and effective manner.  

I encourage you to test drive the tool yourself so you can see what it can do for you, or for your business. ChatGPT can be applied to many industries and numerous topics, and is primarily limited by your own creativity. Even with its current drawbacks, this tool has the potential to become a fulcrum for us to apply the lever of human ingenuity against to reap incredible results.

The post ChatGPT, the new rubber duck appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In the realm of data security, there exists a captivating technique known as whitespace steganography. Unlike traditional methods of encryption, whitespace steganography allows for the hiding of sensitive information within whitespace characters, such as spaces, tabs, and line breaks.

This inconspicuous approach to data concealment has gained significant attention in recent years as a means of secure communication. In this blog, we will delve into the world of whitespace steganography, exploring its techniques, applications, tools, and ethical considerations for educational purposes.

Whitespace steganography is a method of concealing data within whitespace characters that are often overlooked or deemed insignificant. By strategically modifying the frequency or arrangement of whitespace characters, hidden messages can be embedded within a text document. To the naked eye, the document appears normal, but those aware of the encoding technique can retrieve the concealed information.

In whitespace steganography, several techniques are employed to conceal information effectively. These techniques include altering the frequency of whitespace characters, such as adding or removing spaces, tabs, or line breaks. Another approach involves manipulating the arrangement of whitespace characters to represent encoded data. Various algorithms, such as the Least Significant Bit (LSB) technique, can be utilized to embed and extract hidden messages from whitespace.
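To make the "arrangement of whitespace characters" technique concrete, here is an added example written for this page (it is not the Snow tool's code and not from the original post). Each bit of the message is appended to a cover line as a trailing space (0) or tab (1), eight bits per line, with a two-byte length prefix so the extractor knows where the message ends. The optional compression and encryption stages that Snow adds are left out; the cover text and message are constructed for the example, and the `BITS_PER_LINE` layout is my own choice, not Snow's encoding.

```python
"""Trailing-whitespace steganography: embed and extract.

Added example, not the Snow tool's own code. Each message bit becomes a
trailing space (0) or tab (1) on a cover line; the visible text is unchanged.
Cover text and message are constructed for this example.
"""

BITS_PER_LINE = 8  # one message byte hidden per cover line (assumed layout)


def _to_bits(data: bytes):
    """Most-significant bit first, eight bits per byte."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def _from_bits(bits):
    """Inverse of _to_bits; ignores a trailing partial byte."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def embed(cover: str, message: bytes) -> str:
    """Hide `message` in the trailing whitespace of `cover`'s lines."""
    # Strip any existing tails so they cannot corrupt the encoding.
    lines = [ln.rstrip(" \t") for ln in cover.split("\n")]
    payload = len(message).to_bytes(2, "big") + message  # 2-byte length prefix
    bits = _to_bits(payload)
    needed = -(-len(bits) // BITS_PER_LINE)  # ceiling division
    if needed > len(lines):
        raise ValueError(f"cover has {len(lines)} lines, need {needed}")
    out = []
    for i, line in enumerate(lines):
        chunk = bits[i * BITS_PER_LINE:(i + 1) * BITS_PER_LINE]
        out.append(line + "".join("\t" if b else " " for b in chunk))
    return "\n".join(out)


def extract(stego: str) -> bytes:
    """Recover the message from trailing whitespace; returns b'' if none."""
    bits = []
    for line in stego.split("\n"):
        tail = line[len(line.rstrip(" \t")):]
        bits.extend(1 if ch == "\t" else 0 for ch in tail)
    data = _from_bits(bits)
    if len(data) < 2:
        return b""
    length = int.from_bytes(data[:2], "big")
    return data[2:2 + length]


# Constructed cover text: twenty unremarkable lines.
COVER = "\n".join(f"Line {n} of an ordinary-looking memo." for n in range(1, 21))

if __name__ == "__main__":
    stego = embed(COVER, b"Hello There.")
    visible_unchanged = [ln.rstrip(" \t") for ln in stego.split("\n")] == COVER.split("\n")
    print("visible text unchanged:", visible_unchanged)
    print("file grew by", len(stego) - len(COVER), "bytes")
    print("recovered:", extract(stego))
```

Two things the walkthrough later in this post observes fall straight out of the code: the output file is larger than the input (one whitespace character per hidden bit), and the text looks identical in an editor because nothing visible changes. That size growth is also the first thing a reviewer should look at when a text file seems to have changed without any visible edit.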

Whitespace steganography finds applications in a range of scenarios where secure communication and data protection are paramount. Some common use cases include:

  • Covert communication: Whitespace steganography allows individuals to exchange sensitive information discreetly, evading detection and interception.
  • Document protection: Concealing critical information within whitespace characters can help protect sensitive documents from unauthorized access or tampering.
  • Digital watermarking: Hidden within whitespace, digital watermarks can be embedded in images or documents to protect intellectual property or verify authenticity.

Numerous open-source tools are available that facilitate whitespace steganography. These tools provide features and functionalities for encoding and decoding hidden messages within whitespace characters. Notable examples include Snow, Steghide, OpenStego, and Whitespace. There are also closed source or commercial whitespace steganography tools that offer advanced capabilities and additional security features. These tools often provide user-friendly interfaces, encryption algorithms, and integration with other security technologies. Some popular closed-source tools include SilentEye, OutGuess, and Masker.

In this blog, we will use Snow (Steganographic Nature of Whitespace) to see a working example of whitespace steganography. The tool can be downloaded from here.

As per the documentation, the Snow program runs in two modes: message concealment and message extraction. During concealment, the following steps are taken.

Message -> optional compression -> optional encryption -> concealment in text

Extraction reverses the process.

Extract data from text -> optional decryption -> optional uncompression -> message

Now, let’s look at a working example.

We downloaded the 32-bit version of Snow and made sure that the Java Runtime Environment (JRE) is installed on our system. Once everything is in place, extract Snow to the desired directory. To run Snow, open a command prompt as administrator and change to the directory where you extracted Snow.

[Screenshot: running Snow]

Once you are in the directory, you will need an input file (we are using a text file for this demonstration).

[Screenshot: Snow input file]

Now, let us try to conceal the message “Hello There.” using Snow.

[Screenshot: Snow concealing message]

In the above example we concealed a message in the input file and created an output file using Snow (to avoid any path problems, we kept the input file in the same directory as Snow).

In the above example we used -C for compression, -p for the password and -m for the message.

Now let us take a look at the output file.

[Screenshot: Snow output file]

Now let’s see if there are any differences in size of input and output files.

[Screenshot: properties of the input and output files]

We can observe that there is a difference in size – however, when we open the output file it looks the same as the input file.

Now, let’s try to read the hidden message. Let’s run the command prompt as administrator and move to the directory of Snow where the output file is located.

So, I tried with the wrong password once and then with the correct password, as you can see below:

[Screenshot: Snow reading the hidden message]

This was a demonstration of whitespace steganography using Snow and is purely for educational and research purposes to understand how it works in real life scenarios.

Steganalysis: Detecting steganography

Steganalysis refers to the detection and analysis of hidden messages within digital content. While whitespace steganography can be difficult to detect, specialized techniques and tools are available to identify potential instances of concealment. Steganalysis plays a vital role in identifying potential misuse and ensuring responsible use of steganography. We’ll dive deep into steganalysis in coming blogs.
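The post defers steganalysis to a later article, but the simplest check for the whitespace technique shown above is easy to describe and worth having in hand. The following is an added example written for this page, not from the original post or from any named tool: it profiles the whitespace at the end of every line of a text and gives a heuristic verdict. Natural text rarely has more than a stray trailing space; many lines ending in runs that mix tabs and spaces, all of similar length, are the signature the detector looks for. Both sample texts and the thresholds are constructed for the example.

```python
"""Steganalysis for trailing-whitespace steganography.

Added example (not from the post or from any named tool). It scans a text
for the tell-tale signs of the technique: many lines ending in whitespace,
tabs mixed with spaces in those tails, and tails of uniform length.
Both sample texts below are constructed for the example.
"""
from collections import Counter

# Ordinary text: one line has a single stray trailing space, which is normal.
CLEAN_TEXT = "\n".join([
    "Meeting notes, 3 May.",
    "Agenda item one was discussed. ",
    "Agenda item two was deferred.",
    "Next meeting in two weeks.",
])

# Same visible text, but every line carries an 8-character space/tab tail.
SUSPECT_TEXT = "\n".join([
    "Meeting notes, 3 May." + " \t  \t   ",
    "Agenda item one was discussed." + "\t \t  \t\t ",
    "Agenda item two was deferred." + " \t\t\t  \t ",
    "Next meeting in two weeks." + "\t   \t \t ",
])


def trailing_whitespace_profile(text):
    """Per-file statistics about the whitespace found at line ends."""
    lines = text.split("\n")
    tails = [ln[len(ln.rstrip(" \t")):] for ln in lines]
    with_tail = [t for t in tails if t]
    mixed = [t for t in with_tail if " " in t and "\t" in t]
    lengths = Counter(len(t) for t in with_tail)
    return {
        "lines": len(lines),
        "lines_with_tail": len(with_tail),
        "lines_with_tab": sum(1 for t in with_tail if "\t" in t),
        "lines_mixed_space_tab": len(mixed),
        # If every tail character were one bit, this is the most it could hide.
        "hidden_bytes_upper_bound": sum(len(t) for t in with_tail) // 8,
        "most_common_tail_length": lengths.most_common(1)[0] if lengths else None,
    }


def looks_like_whitespace_stego(text, min_tail_fraction=0.5, min_lines=3):
    """Heuristic verdict: True if the file's line endings look like encoded data.

    Rationale: editors strip trailing whitespace or leave at most a stray
    space; runs that mix tabs and spaces on most lines are not natural.
    Thresholds are assumptions for this example, not calibrated values.
    """
    p = trailing_whitespace_profile(text)
    if p["lines"] < min_lines or p["lines_with_tail"] == 0:
        return False
    tail_fraction = p["lines_with_tail"] / p["lines"]
    mixed_fraction = p["lines_mixed_space_tab"] / p["lines_with_tail"]
    return tail_fraction >= min_tail_fraction and mixed_fraction >= 0.5


if __name__ == "__main__":
    for name, text in (("clean", CLEAN_TEXT), ("suspect", SUSPECT_TEXT)):
        print(name, looks_like_whitespace_stego(text), trailing_whitespace_profile(text))
```

A profile like this is cheap enough to run over every text attachment or repository file, and the first-pass equivalent from a shell is simply `grep -nE '[[:space:]]+$' file`, which lists the lines that carry trailing whitespace so a reviewer can see whether the pattern is a stray space or a run on every line. The heuristic will produce false positives on files from tools that pad lines deliberately, which is why it reports the profile alongside the verdict rather than the verdict alone.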

Ethical usage and disclosure are crucial when it comes to steganography. It is important to adhere to legal regulations and privacy laws governing data security and communication. Whitespace steganography should be used responsibly for educational purposes only, emphasizing the importance of obtaining proper consent and ensuring ethical practices.

Whitespace steganography offers a remarkable approach to secure communication and data protection. By harnessing the power of seemingly innocuous whitespace characters, sensitive information can be concealed within plain sight. Understanding the techniques, applications, and tools associated with whitespace steganography enables individuals to navigate the field responsibly. As technology continues to advance, the future of whitespace steganography holds the potential for further innovations in secure communication and data privacy.

The post Unveiling the secrets: Exploring whitespace steganography for secure communication appeared first on Cybersecurity Insiders.


In the current geopolitical climate, the energy sector, which powers our modern society – from homes and businesses to critical infrastructure and national defense systems – finds itself under the growing threat of cyberattacks.

With the energy sector’s growing dependence on digital technologies and interconnectivity, the attack surface for cybercriminals has expanded. This situation is further complicated by incidents such as the SolarWinds and Colonial Pipeline attacks of a few years ago, which compromised numerous value chains, along with recent escalations in cyber threats. These circumstances highlight the urgent need for a robust and proactive cybersecurity strategy in the energy sector.

Why the energy sector is vulnerable

According to McKinsey, the energy sector is particularly vulnerable to cyber threats due to several characteristics that amplify the risk and impact of attacks against utilities:

  1. The threat landscape has expanded, with nation-state actors, sophisticated players, cybercriminals, and hacktivists targeting infrastructure providers. This diverse range of threat actors poses varying levels of sophistication and potential disruptions to electric power and gas operations.
  2. The geographically distributed nature of organizations’ infrastructure further complicates cybersecurity efforts. Maintaining visibility across both information technology (IT) and operational technology (OT) systems becomes challenging, not only within utility-controlled sites but also in consumer-facing devices that may contain cyber vulnerabilities, thereby compromising revenue or the overall security of the grid.
  3. The organizational complexity of the energy sector exposes vulnerabilities to cyberattacks. Utilities often rely on multiple business units responsible for different aspects of energy generation, transmission, and distribution. This diversity introduces separate IT and OT policy regimes, making it difficult to ensure the network’s overall security.

To illustrate the potential impact across the entire value chain, it’s worth noting that electric organizations, in particular, could face cyber threats capable of disrupting various stages, including generation, transmission, distribution, and network segments.

  • Generation stage: Potential disruptions in this stage could stem from service interruptions and ransomware attacks targeting power plants and clean-energy generators. The primary vulnerabilities lie in legacy generation systems and clean-energy infrastructure that were not originally designed with cybersecurity in mind.
  • Transmission stage: The large-scale disruption of power to consumers could occur through remote disconnection of services. This is possible due to physical security weaknesses that allow unauthorized access to grid control systems, leading to potential disruptions.
  • Distribution stage: Disruptions at substations could result in regional service loss and customer disruptions. The root cause of such disruptions can be traced back to distributed power systems and the limited security built into Supervisory Control and Data Acquisition (SCADA) systems.
  • Network stage: Cyber threats at this stage could lead to the theft of customer information, fraudulent activities, and service disruptions. These threats are driven by the extensive attack surface presented by Internet of Things (IoT) devices, including smart meters and electric vehicles.

Recommendations for enhancing cybersecurity in the energy sector

To further strengthen cybersecurity practices in the energy sector, the following key recommendations should be considered:

  1. Develop strategic threat intelligence: Establish dedicated teams to monitor and analyze threats, providing a proactive view of potential risks. Integrate intelligence reporting into strategic planning and exercise incident response plans regularly.
  2. Integrate security across regions and organizations: Create a unified approach to cybersecurity by establishing common security standards across all regions and business units. Foster a culture of security awareness and streamline processes for information sharing and decision-making.
  3. Design clear and safe network architectures: Implement clear network segmentation and micro-segmentation strategies to limit the spread of cyberattacks within the network. Define security zones and establish secure demilitarized zones (DMZs) between IT and OT networks.
  4. Promote industry collaboration: Engage in partnerships and industry-wide collaborations to develop common standards and best practices for cybersecurity. Participate in regional cooperation initiatives to share knowledge and discuss security concerns specific to shared power grids. Advocate for security by design in IT and OT technologies, especially in smart-grid devices that may lie outside the utilities’ direct control. Additionally, organizing future-facing industry-wide exercises can help predict and preemptively address emerging threats to broader grid security.
  5. Strengthen employee training and awareness: Build a culture of cybersecurity awareness within energy companies by conducting regular training sessions for employees. Educate them on identifying and responding to potential threats, emphasizing the importance of following established security protocols and reporting any suspicious activities.
  6. Implement robust email security measures: Recognizing that phishing attacks often serve as entry points for cybercriminals, energy companies should prioritize comprehensive email security measures. These measures can include advanced spam filters, email authentication protocols (such as DMARC, SPF, and DKIM), and user awareness campaigns to identify and avoid phishing attempts.
  7. Ensure secure remote access solutions: With remote work becoming increasingly prevalent, energy companies must ensure the security of remote access solutions. This involves implementing strong authentication methods, such as multi-factor authentication (MFA), virtual private networks (VPNs) with robust encryption, and strict access controls to minimize the risk of unauthorized access.
  8. Regular software updates and patch management: Keeping all software systems and applications up-to-date is crucial in protecting against known vulnerabilities that cybercriminals often exploit. Energy companies should establish robust patch management processes to ensure timely updates and apply security patches promptly.
  9. Backup and recovery planning: Developing comprehensive backup and recovery plans is essential for mitigating the impact of cyberattacks. Regularly backing up critical data and systems and maintaining off-site or offline backups can help organizations quickly recover in the event of a breach or system compromise. Testing the effectiveness of backup and recovery plans through regular drills and simulations is also recommended.
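Recommendation 6 names DMARC, SPF and DKIM, and the first check a practitioner makes is whether those records are set to a policy that actually blocks spoofed mail or only to one that monitors it. The following is an added example written for this page (not from the original post or from the McKinsey material it cites): it parses the raw SPF and DMARC TXT record strings an operator would retrieve from DNS and reports the weak settings, with a weak pair of records beside a hardened pair. All records use placeholder `.invalid` domains and are constructed for the example; no DNS lookups are performed, and DKIM is not assessed because its strength lies in the signing key rather than a policy string.

```python
"""Grade SPF and DMARC TXT records for weak settings.

Added example (not from the post). It parses the raw TXT record strings an
operator would pull from DNS and reports the policy strength, placing a weak
configuration beside a corrected one. All records below are constructed for
the example with placeholder domains; no DNS lookups are performed.
"""
import re

# Constructed records: a weak pair and a hardened pair for the same placeholder domain.
WEAK_SPF = "v=spf1 include:_spf.example-mailer.invalid ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
STRONG_SPF = "v=spf1 include:_spf.example-mailer.invalid -all"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc@example.invalid; adkim=s; aspf=s")


def parse_spf(record):
    """Return the SPF terms and the qualifier of the terminal 'all' (None if absent)."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    terms = record.split()[1:]
    all_qualifier = None
    for term in terms:
        m = re.fullmatch(r"([+\-~?])?all", term)
        if m:
            all_qualifier = m.group(1) or "+"  # SPF's default qualifier is '+'
    return {"terms": terms, "all": all_qualifier}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict (tag names lower-cased)."""
    if not record.lower().startswith("v=dmarc1"):
        raise ValueError("not a DMARC record")
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess(spf_record, dmarc_record):
    """Return a list of findings; an empty list means no weak setting was found."""
    findings = []
    spf = parse_spf(spf_record)
    if spf["all"] is None:
        findings.append("SPF has no terminal 'all'; unlisted senders are not rejected")
    elif spf["all"] in ("+", "?"):
        findings.append(f"SPF ends in '{spf['all']}all', which permits any sender")
    elif spf["all"] == "~":
        findings.append("SPF uses '~all' (softfail); receivers may still deliver spoofed mail")

    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none only monitors; it does not block spoofed mail")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine sends spoofed mail to spam rather than rejecting it")
    if dmarc.get("pct", "100") != "100":
        findings.append(f"DMARC pct={dmarc['pct']} applies the policy to only part of the mail stream")
    if "rua" not in dmarc:
        findings.append("DMARC has no rua= address, so aggregate reports are not collected")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", STRONG_SPF, STRONG_DMARC)):
        print(label, assess(spf, dmarc) or ["no weak settings found"])
```

The weak pair is the state most domains start in: SPF with `~all` and DMARC at `p=none` produce reports but reject nothing. Moving to `-all` and `p=reject` is the change that makes the recommendation effective, and the usual path is to raise `p` in steps while reading the `rua` aggregate reports so that legitimate third-party senders are added to SPF before mail from them starts being rejected.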

Securing energy infrastructure is an ongoing task

Given the increasing integration of IT and OT environments, it’s important to highlight that 94% of IT security incidents have also impacted the OT environment. This underscores the ongoing and comprehensive task of securing energy infrastructure from cyber threats.

In this evolving landscape, effective cybersecurity is not a standalone effort but hinges on several key elements:

  • Cross-regional and cross-departmental integration
  • Secure network architectures and demilitarized zones
  • Recognition of the sector’s unique vulnerabilities
  • Implementation of layered defense strategies to significantly mitigate risks
  • Strategic threat intelligence that enables proactive responses to threats
  • Prioritization of staff training, robust email security, and secure remote access solutions
  • Regular software updates and industry-wide collaboration

By adhering to these recommendations and fostering a proactive cybersecurity mindset, we can safeguard our critical infrastructure and ensure a resilient energy future.

The post Protecting energy infrastructure from cyberattacks appeared first on Cybersecurity Insiders.


When it comes to protecting data in an evolving threat landscape, two common strategies are at the forefront: incident response and threat hunting. While both processes can safeguard an organization’s data, their approaches, objectives, and execution differ significantly.

Understanding the differences between the two strategies is critical for organizations aiming to:

  • develop a comprehensive cybersecurity approach,
  • effectively manage incidents,
  • proactively detect threats, 
  • and build a skilled cybersecurity workforce.

Incident response vs. threat hunting: The basics

Incident response is a reactive process that typically begins when a security breach occurs. It involves a set of processes and procedures used to manage and respond to a cyberattack. The goal is to identify and respond to any unanticipated, disruptive event and limit its impact on the business, minimizing damage and recovery time. Incidents range from external attacks such as denial of service (DoS), malware, or system intrusion to more internal events like accidents, mistakes, or system or process failures.

Robust incident response requires the right team, a well-developed plan, and excellent communication.

According to the National Institute of Standards and Technology, the four crucial elements of a robust Incident Response Plan (IRP) should include:

  • Preparation
  • Detection and analysis
  • Containment and eradication
  • Post-incident recovery approach

Threat hunting, on the other hand, is about being more proactive. It systematically analyzes an organization’s security posture to identify potential threats before they become active. Threat hunting typically involves looking for threats within your environment and resources that are either compromised or have the potential to be compromised. Risks run the gamut from vulnerabilities with outdated software, insecure access control, or misconfiguration.

In most organizations, threat hunting is conducted by traditional IT security teams and even incident response teams. Organizations that have a security operations center (SOC) will often have that team on the front lines.

Organizations without a SOC or dedicated security team may not be capable of performing threat hunting, but in today’s evolving threat landscape, someone needs to be responsible.

The interplay between incident response and threat hunting

First things first: incident response and threat hunting are not mutually exclusive. In fact, they complement each other as crucial elements of a well-rounded cybersecurity strategy.

Threat hunting can significantly enhance incident response. What this means is that by proactively identifying potential threats, organizations can prevent incidents from occurring in the first place. When incidents do occur, the insights gained from threat hunting can help incident response teams understand the nature of the threat faster and respond more effectively.

So it only makes sense then that incident response can boost threat hunting efforts. By analyzing incidents after they occur, organizations can gain valuable insights into the tactics, techniques, and procedures (TTPs) used by adversaries. These insights can then be used to enhance threat hunting strategies, making them more effective at identifying potential threats.

Empowering organizations through understanding

Understanding the difference between incident response and threat hunting empowers organizations to develop a more comprehensive cybersecurity approach. By knowing when to use each strategy and how they can complement each other, security teams can more effectively manage incidents, proactively detect threats, and protect their systems, data, and reputation.

This knowledge can also help organizations build a more skilled cybersecurity workforce. By training (or hiring) employees in both incident response and threat hunting, organizations can ensure they have the expertise needed to respond to a wide range of cybersecurity challenges.

EDR, XDR, and MDR: How they help with threat detection and response

The role of Endpoint Detection and Response (EDR)

Endpoint detection and response (EDR) is a critical component of both incident response and threat hunting. EDR solutions provide visibility into activities surrounding endpoints and allow companies to detect and respond to threats that might not trigger traditional prevention rules. This often leads to faster, more effective incident response.

In the context of threat hunting, EDR solutions can provide valuable insights into endpoint activities, helping organizations identify potential threats before they become active issues. This proactive approach can significantly reduce the time between intrusion and discovery, as time is the most crucial factor in the event of a breach or incident.

The role of Extended Detection and Response (XDR)

Extended Detection and Response (XDR) is an emerging category in cybersecurity that extends the capabilities of Endpoint Detection and Response (EDR). XDR not only focuses on endpoints but also integrates multiple security products into a cohesive security incident detection and response solution. This approach provides broader visibility and context, enabling security teams to detect and respond to threats across various attack vectors, including networks, cloud, endpoints, and applications.

XDR provides several benefits, including improved visibility, simplified security operations, and scalability.

Automated threat hunting is a core component of advanced EDR and XDR solutions. By automating threat hunting activities, organizations can focus their resources on incident investigation and rapid response. This can significantly enhance both incident response and threat hunting, leading to faster detection and response times and improved overall security.

The importance of Managed Detection and Response (MDR)

Managed Detection and Response (MDR) is a service that combines technology with human expertise to detect and respond to threats in real time. MDR providers use advanced analytics, threat intelligence, and human expertise to monitor, detect, investigate, and respond to threats on behalf of their clients.

MDR services provide some key benefits for organizations that need help with threat hunting and incident response:

24/7 Monitoring and response: MDR providers monitor an organization’s environment around the clock, ensuring that threats are detected and responded to promptly, minimizing potential damage.

Access to expertise: MDR services give organizations access to a team of cybersecurity experts. This is particularly beneficial for organizations that lack the resources to build and maintain an in-house security team.

Proactive threat hunting: Unlike traditional managed security services, MDR providers proactively hunt for threats in an organization’s environment, helping to detect and mitigate threats before they can cause damage.

Cost efficiency: MDR services can be more cost-effective than building and maintaining an in-house SOC. They provide access to advanced security capabilities without the need for significant upfront investment in technology and personnel.

The importance of centralized security visibility

Centralized security visibility is a key piece of the unified cybersecurity platform puzzle. Visibility is crucial for both incident response and threat hunting as you can’t detect or respond to things you can’t see. Essentially, visibility allows organizations to detect and respond to threats wherever they unfold, whether in cloud or on-premises environments.

It’s also important to note that centralized security visibility also simplifies compliance efforts. By consolidating security monitoring and compliance management into a single platform, organizations can more easily demonstrate compliance during audits. With more compliance rules and regulations coming into effect, the ability to reduce the time, resources, and costs associated with compliance can be a game-changer.

How AT&T Cybersecurity can help with incident response and threat hunting

In today’s increasingly complex threat landscape, you need a comprehensive, unified solution that can handle both incident response and threat hunting. USM Anywhere from AT&T Cybersecurity offers a unified platform that combines multiple security capabilities, including EDR, SIEM, network intrusion detection, File Integrity Management (FIM), vulnerability assessment, and more.

This approach provides a single pane of glass for security monitoring, reducing cost and complexity.

If you don’t have the resources to handle incident response or threat hunting internally, AT&T Cybersecurity can help. Through our incident response services, AT&T experts can support or supplement your team when suspected unauthorized activity is detected, with a full incident management program that covers detection, triage, response, containment, and prevention planning.

Or, you can have your entire organization protected with 24×7 security monitoring from AT&T Cybersecurity Managed Extended Threat Detection and Response, powered by our award-winning USM Anywhere platform and AT&T Alien Labs™ threat intelligence.

Don’t wait for a security breach to occur before taking action. Proactively protect your organization today.

Take the next step to fortify your organization’s security.

Contact AT&T Cybersecurity today to explore how our incident response and threat hunting solutions can empower your business. Don’t wait for a security breach to occur—act now and protect your organization.


The post What is the difference between incident response & threat hunting? appeared first on Cybersecurity Insiders.


In the modern world, cybersecurity and cyber insurance go hand in hand. As we head into the future and the presence of AI in every part of your life grows, so will the responsibilities that need to be taken to ensure security and peace of mind regarding your data and personally identifiable information. As the relatively new cyber insurance industry gets on its feet, it will become more accessible to everyday life, and that trend is already emerging. Teens already are involved in many insurance policies (car, life, health, etc.), so why not add cyber to that and bring the extra reassurance that you are protected against any new threats that could come up?

Insurance is put in place to mitigate your risk against external factors that could cause harm to you, your business, or other entities. Cyber insurance is a sub-industry of this and helps reduce risks from ransomware, data breaches, lawsuits, and more. As more of the industry gears towards individual cyber insurance, we will likely see policies shifting towards protecting against individual data loss and possible foul play. Cyber insurance is a crucial tool for managing risks in a modern environment. With it, customers can expect to mitigate risks in extortion, identity theft, cybercrimes, and data breaches.

For example, if you were sent a phishing email asking for banking information, you click on it, enter your details, and fall victim to a common scam. You get a wire confirmation not long after. If your policy included wire fraud coverage, you would receive adequate compensation for these problems. This same experience can apply to many other situations and problems. It could range from general cybercrime to identity theft, the commonality being that you would be covered and reimbursed for any associated losses. However, because this insurance genre is so new, every policy is tailored to the individual buyer, so each problem has certain exceptions. To get the best coverage and risk mitigation, you must understand the most important thing for you and your family in an ever-evolving world.

What is Cybersecurity Insurance?

Cyber insurance is a policy that protects you and your personal information online. It’s a way to recover if you’re hacked or experience a data breach. Cyber insurance could cover the cost of repairing your computer, restoring data, and defending yourself if attacked. Cyber insurance is vital because cyber-attacks are becoming increasingly common.

How does it work?

Cyber insurance is like any other type of insurance policy where you pay a monthly or yearly premium to a company, and in return, they cover damages that may occur. In the case of cyber insurance, the policies can vary depending on what you need to be covered. Coverage could include cybercrime, extortion, online identity theft, and data breaches. There are different levels of coverage, such as liability and loss of reputation, when companies suffer data breaches that compromise their customers’ personal information. Overall, cyber insurance is an essential safeguard against cyber threats. A cyber-attack can happen to anyone, and the costs can be staggering. Without cyber insurance, victims have to shoulder that financial burden alone.

AI in the modern era and Cyber Insurance

As technology advances, the threat of AI-driven attacks looms over businesses and consumers alike, making cyber insurance a vital consideration for anyone looking to protect themselves from the consequences of an attack. We, as students, wanted to get an industry expert’s view on this topic as well, so we sat down with Eric Wistrand, CTO of Couch Braunsdorf Insurance Agency, to discuss the increasing relevance of cyber insurance in modern-day markets as AI ramps up and cybercrime becomes more prevalent.

In that same ever-evolving world comes the new threat of AI; with it could come new types of impersonations, the potential for far more convincing scams, and overall, the mass reemergence of cybercrimes in many aspects of life. According to Eric Wistrand, cyber insurance will become increasingly relevant in modern-day markets. As AI ramps up, so will cybercrime; this comes with the potential for litigation no matter what side of the table you’re on. Mr. Wistrand states, “Another aspect of cyber insurance is that it can provide coverage for legal expenses and regulatory fines in the event of a data breach. If a company experiences a breach and customer data is compromised, it may face legal actions from affected individuals or regulatory bodies. Cyber insurance can help cover the costs associated with legal defense and any fines or penalties imposed by regulatory authorities.” As highlighted, this aspect of cyber insurance ensures that companies can navigate potential legal actions and regulatory penalties with financial protection. This cyber insurance legal protection aspect isn’t specific to businesses, and cyber insurance could assist in the realm of cyber-derived individual lawsuits.

It’s worth noting that cyber insurance policies need to be standardized across carriers. Mr. Wistrand explains, “All cyber reliability policies in the market right now are different. So each carrier’s policies are custom, essentially tailor-made for the individual’s needs. Each carrier has its forms and language, making standardization and widespread application more difficult.” As Mr. Wistrand explains, each carrier tailors their policies to meet the specific needs of individuals. This level of customization ensures that cyber insurance coverage is designed to address the unique requirements of each policyholder. This can be seen as a distinct benefit and hardship for anyone purchasing cyber insurance. On the one hand, there is the potential for far more diverse and specifically tailored coverage; on the other, it could be harder to get. However, this risk may be worth it in today’s ever-changing world, even if it takes a bit longer.

As technology advances, the threat of AI-driven attacks looms over businesses and consumers alike. Mr. Wistrand goes on to state, “Because of the emergence of AI models, we’re going to enter an area where one person that has a concept and is relatively sophisticated but not necessarily off the chart can now launch an attack leveraged by AI, the likes of which we’ve never really seen and it’s gonna be quite scary for businesses and consumers moving forward.” The emergence of AI-powered attacks, which relatively “normal” individuals can now launch, presents unprecedented challenges.

As the level of skill required to carry out these attacks falls, they will become much more common, and they will bring someone who, before the AI revolution, would not have been considered a target into an attacker’s crosshairs simply because the resources for mass attacks are now available. This further reinforces the urgency for consumers to revisit the idea of cyber insurance because, much like when a house fire breaks out, you don’t know when an attack will happen or what the consequences will be. Everyone is a target nowadays, and to be one of the few protected from the results of an attack, looking to cyber insurance may not be a bad idea.

How is it relevant to organizations and modern society?

As a high schooler, protecting your online identity and personal information is essential. While it may seem daunting, it’s a necessary part of life in the modern world. By familiarizing yourself with cyber insurance, you can protect yourself against these threats and enjoy peace of mind. As technology becomes ever more advanced, so too do its risks. Hackers have become more advanced and cyber attacks more frequent.

Cyber insurance has become an indispensable asset to companies that rely heavily on tech in their daily operations and provides coverage against malware attacks, network intrusion, and data loss. Its importance cannot be overstated, as the financial repercussions of security breaches can be catastrophic for companies. Cyber insurance covers costs such as forensic investigations, data restoration services, and legal fees associated with an attack; additionally, it helps businesses continue operating smoothly after an attack by covering losses due to any associated downtime.

Overall, cyber insurance is an indispensable risk-management tool in modern business environments. Due to an increasing reliance on technology, businesses face the threat of cyber attacks. Cyber insurance offers companies peace of mind and financial protection should an attack occur; it is a worthwhile investment. Given the ever-evolving nature of the threat, businesses should consider purchasing cyber coverage to safeguard assets while mitigating liabilities.

It is essential to understand the concept of cyber insurance and how it can protect individuals and organizations from cyberattacks or data breaches. Cyber insurance is similar to home and driver’s insurance because it covers unforeseen events. Just as home insurance protects homeowners from damage to their property, cyber insurance protects organizations from damage to their digital property. School districts, for example, are a prime target for cybercriminals, making cyber insurance necessary. Cyber liability insurance protects school districts in the event of cyberattacks or data breaches, covering the costs schools could incur from legal fees, credit monitoring, financial losses, and other services. Cyber insurance for schools is essential to protect educational institutions, students, and staff records.

Like driver’s insurance, cyber insurance premiums can be lowered by preventative measures. Organizations in the education sector can lower their cyber insurance premiums by implementing cybersecurity measures such as regular software updates, employee training, and risk assessments.

It is important to note that cyber insurance is not typically included in general liability insurance policies, just as flood insurance is not typically included in home insurance policies. Therefore, purchasing a separate cyber insurance policy ensures proper coverage in the event of a cyberattack or data breach.

In conclusion, cyber insurance protects organizations from cyberattacks or data breaches. Just as home and driver’s insurance cover unforeseen events, cyber insurance offers coverage for digital property. As a high schooler, it is essential to understand the importance of cyber insurance and how it can protect individuals and organizations from cyber threats.

About the authors:

The co-author, John (Jack) Schlenker, is a Freshman at Ridge High School interested in all things business, finance, and education. He enjoys learning through experiences and always finds it interesting to see activities and topics from a new perspective, especially internationally. “Throughout my time at Ridge, I have learned about many new issues that we face today. One of the biggest and most consistent ones was the issue of cybersecurity and how it is applied in the modern world. I hope to share some of these ideas and help bring a new perspective to anyone who wants to listen!”

Adithya is a Freshman at Ridge High School interested in gaming, gadgets, anime, and working on math proofs. He also enjoys tennis, volunteering to tutor kids in Math and Science, and engaging them with the Big Sibling program at school. “As a Freshman, I am taking a class on financial literacy and computer security where I was introduced to CyberStart, and it got me thinking about how I can apply some of those basic ideas to stay safe in the online (cyber) world-hope you enjoy them!” I constantly seek to expand my knowledge and deepen my experience in dynamic, hands-on STEM initiatives.

The post Navigating the Cyber Insurance landscape as a Gen Z digital citizen appeared first on Cybersecurity Insiders.

This blog was co-written with Kristen Perreault – Professional Cybersecurity and James Rodriguez – Sr. Specialist Cybersecurity.

Executive summary

Since December 22nd, 2022, there has been an increase in malware delivered through phishing emails carrying a OneNote attachment. As with most phishing emails, the end user opens the attachment; but unlike Microsoft Word or Microsoft Excel, OneNote does not support macros, which is how threat actors previously launched scripts to install malware.

Little documentation exists of the tactics, techniques, and procedures (TTPs) observed in these attacks. The TTPs observed included execution of PowerShell.exe and curl.exe once a hidden process was run. Once the hidden executable was clicked, a connection was made to an external site in an attempt to download and execute malware. Once executed, the attacker deploys additional malicious files and gathers internal information from within the organization. In this case, the malicious files were detected and mitigated by SentinelOne.

Investigation

Initial Alarm Review

Indicators of Compromise (IOC)

The initial alarm came in for malware detected by SentinelOne, which was a .one file. The file was sourced from Outlook, indicating this was likely a phishing email. Shortly after the initial alarm, the MES SOC Threat Hunters (SECTOR team) were alerted by a customer experiencing this activity and began their deep dive. Searching the file hash obtained from the SentinelOne event uncovered no discernible information about the file’s purpose. This prompted SECTOR to use Deep Visibility to gain further insight into the process and purpose of the detected file.

Deep Visibility is a feature within SentinelOne that provides comprehensive insight into the activities and behaviors of threats within a network environment. It allows security teams, such as SECTOR, to investigate and respond to threats by providing greater insight into processes, network connections, and file activities. It is an extremely powerful tool in SentinelOne and is commonly used during incident response.

Figure: Deep Visibility in SentinelOne (redacted)

Expanded investigation

Events Search

A Deep Visibility search string was created that included the file name and associated file hashes. An event was found in SentinelOne that included a curl.exe process with the external domain minaato[.]com. Further review determined that this domain was a file-sharing website, and additional malicious indicators were uncovered. Analyzing the DNS request to minaato[.]com showed events with the source process mshta.exe, the target process curl.exe, and the parent process onenote.exe. This chain of processes was the heuristic (behavioral) attribute that prompted SentinelOne to fire an alert. Using these TTPs and previous source processes, a new query was generated to find any other file exhibiting the same activity. This led SECTOR to detect another file, Cancellation[.]one.

Event Deep Dive

SECTOR began their event deep dive with an initial IOC based search query that included the file name and the domain that generated outbound network connections.

Pivoting off the results from the initial IOC-based search query, SECTOR created a secondary search query that included the multiple file names, domains, and hashes that had been found. These IOCs had not previously been discovered in the wild, but once they were found, SECTOR provided them to the AT&T AlienLabs team for additional detection engines, correlation rules, and OTX (AT&T Open Threat Exchange platform) pulse updates.

After gathering all the IOCs, a third heuristic-based search query was created. This new query aimed to find any remaining events related to the malware that SentinelOne might not have alerted on, as it mainly focuses on execution-based activities rather than behavior-based ones. This demonstrates the importance of using threat hunting in conjunction with SentinelOne’s Deep Visibility feature for enhanced security.

Figure: SECTOR working

In the final stage of the event search, SECTOR created a final heuristic search query to detect any outreach to a domain with the same behavioral attributes observed in this environment. Although the results contained false positives, the team was able to sift through them and find an event where a “ping.exe” command successfully communicated with the malicious domain “minaato[.]com”. SentinelOne did not alert on this activity because ping.exe is a commonly executed process.
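To show how the three stages of this hunt widen coverage, here is an added example in Python (not code from the original post and not SentinelOne’s own query language): it runs an exact IOC match, the onenote.exe/mshta.exe chain rule, and the broader behavioral rule over constructed process events, using assumed field names and an assumed internal-domain allowlist.

```python
# Added example, not code from the original post or from SentinelOne: a
# three-stage hunt over constructed process events modelled on the chain
# described above. Field names are assumptions, not the Deep Visibility schema.
from dataclasses import dataclass

DOMAIN_IOCS = {"minaato[.]com"}   # defanged, as the post lists it
OFFICE_PARENTS = {"onenote.exe"}  # assumed set; extend with winword.exe etc.
NETWORK_LOLBINS = {"curl.exe", "powershell.exe", "mshta.exe", "ping.exe"}

@dataclass(frozen=True)
class Event:
    host: str
    parent: str   # grandparent of the process that touched the network
    source: str   # process that spawned the target
    target: str   # process that resolved/contacted the domain
    domain: str   # DNS name, "" if no network activity

def refang(domain: str) -> str:
    """Turn a defanged IOC (minaato[.]com) into a matchable host name."""
    return domain.strip().lower().replace("[.]", ".")

def norm(name: str) -> str:
    """Image names appear with mixed case (Curl.exe vs curl.exe)."""
    return name.strip().lower()

def ioc_matches(events):
    """Stage 1: exact IOC search, like the initial IOC-based query."""
    iocs = {refang(d) for d in DOMAIN_IOCS}
    return [e for e in events if refang(e.domain) in iocs]

def chain_matches(events):
    """Stage 2: the onenote.exe -> mshta.exe -> LOLBIN chain that alerted."""
    return [e for e in events if norm(e.parent) in OFFICE_PARENTS
            and norm(e.source) == "mshta.exe" and norm(e.target) in NETWORK_LOLBINS]

def behavior_matches(events, internal_suffixes=(".corp.invalid",)):
    """Stage 3: any Office-descended network LOLBIN reaching a non-internal
    domain, which catches the ping.exe beacon the EDR did not alert on.
    internal_suffixes is an assumed allowlist used to trim false positives."""
    return [e for e in events if refang(e.domain)
            and not refang(e.domain).endswith(internal_suffixes)
            and norm(e.parent) in OFFICE_PARENTS and norm(e.target) in NETWORK_LOLBINS]

# Constructed sample events; hosts and the .invalid domains are placeholders.
SAMPLE = [
    Event("WS-01", "OneNote.exe", "mshta.exe", "Curl.exe", "minaato[.]com"),
    Event("WS-02", "onenote.exe", "mshta.exe", "ping.exe", "files.example.invalid"),
    Event("WS-03", "explorer.exe", "cmd.exe", "ping.exe", "print.corp.invalid"),
    Event("WS-04", "onenote.exe", "cmd.exe", "ping.exe", "files.example.invalid"),
    Event("WS-05", "onenote.exe", "cmd.exe", "ping.exe", "print.corp.invalid"),
]

def hunt(events):
    """Hosts flagged by each stage, so the widening coverage can be compared."""
    stages = [("ioc", ioc_matches), ("chain", chain_matches), ("behavior", behavior_matches)]
    return {name: sorted({e.host for e in fn(events)}) for name, fn in stages}
```

WS-04 is the analogue of the ping.exe event above: the chain rule misses it because mshta.exe is not the source, while the behavioral rule catches it and the allowlist suppresses the internal lookup on WS-05.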

Figure: heuristic query

Response

Building the Investigation

After gathering all necessary information and event findings, SECTOR was able to pull the malicious OneNote file and detonate it within their sandbox environment. They were then able to see that once the file was opened, the malicious link was hidden under an overlaid stock Microsoft image that asked the user to click to open. Clicking it brought the user to the malicious domain, minaato[.]com.

SECTOR provided all data gathered from this threat hunt to the affected customers and to fellow cybersecurity teams within AT&T for situational awareness.

Customer interaction

The affected customers were given remediation steps based on the specific activity they experienced with this malware. Some of them were successfully compromised, while others were able to avoid any execution or downloads associated with the malware itself. These remediation steps included removing all files from the affected devices, resetting all user passwords as a best practice, scanning assets to ensure no further unauthorized or malicious activity was occurring in the background, globally blocking all IOCs, and implementing block rules on their firewalls.

IOCs


The post Stories from the SOC: OneNote MalSpam – Detection & response appeared first on Cybersecurity Insiders.

As everyone looks about, sirens begin to sound, creating a sense of urgency; they only have a split second to determine what to do next. The announcer repeats himself over the loudspeaker in short bursts… This is not a drill; report to your individual formations and proceed to the allocated zone by following the numbers on your squad leader’s red cap. I take a breather and contemplate whether this is an evacuation. What underlying danger is entering our daily activities? 1…2….3…. Let’s get this party started!

When I come to… I find that the blue and red lights exist only in the security operations center. Intruders are attempting to infiltrate our defenses in real time, so we are on high alert. The time has come to rely on incident response plans, disaster recovery procedures, and business continuity plans. As organizational security leaders, we serve as guardians of security posture and executors of incident response strategy. It is vital to respond to and mitigate cyber incidents, and to reduce security, financial, legal, and organizational risk, in an efficient and effective manner.

Stakeholder community

CISOs, as security leaders, must build incident response teams to combat cybercrime, data theft, and service failures, which jeopardize daily operations and prevent customers from receiving world-class service. To keep operations moving, alert the on-the-ground, first-line-of-defense teams, and support real-time decision-making, Incident Response Plan (IRP) protocols must include diverse, end-to-end communication channels.

Figure: Stakeholder Types

What does an incident response plan (IRP) do?

That’s an excellent question. The incident response plan gives a structure or guideline to follow to reduce, mitigate, and recover from a data breach or attack. Such attacks have the potential to cause chaos by impacting customers, stealing sensitive data or intellectual property, and damaging brand value. The key steps of the incident response process, according to the National Institute of Standards and Technology (NIST), are preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity, which focuses on a continual cycle of learning and improvement.

Figure: Lifecycle of Incident Response

Many company leaders confront a bottleneck when it comes to assigning a severity rating that determines the impact of the incident and establishes the framework for resolution strategies and external messaging. For some firms, being able to inspect the damage and appropriately assign a priority level and impact rating can be stressful and terrifying.

Rating events helps prioritize limited resources. The incident’s business impact is calculated by combining the functional impact on the organization’s systems with the impact on the organization’s information. The recoverability of the situation dictates the possible responses the team may take while dealing with the issue. An incident with high functional impact and low recovery effort is suited to fast team action.

The heartbeat

Companies should follow industry standards that have been tried and tested by fire departments to improve overall incident response effectiveness. These include:

  • Current contact lists, on-call schedules/rotations for SMEs, and backups
  • Conferencing tools (e.g., distribution lists, Slack channels, emails, phone numbers)
  • Technical documentation, network diagrams, and accompanying plans/runbooks
  • Escalation processes for inaccessible SMEs

Since adversaries are shifting their focus away from established pathways to evade defenders, it is vital to enlist third-party threat landscape evaluations. These can halt the bleeding and cauterize the wound, much like a surgeon in a high-stress operation. Threat actors are always improving their abilities using the same emerging cyber technologies that defenders use.

Despite widespread recognition of the human element as the weakest link, threat actors study their prey’s network to seek alternative weak points such as vulnerability exploitation and credential theft. Employ Managed Threat Detection and Response (MTDR), Threat Model Workshop (TMW), and Cyber Risk Posture Assessment (CRPA) services to expertly manage your infrastructure and cloud environments in a one-size-fits-all way.

Takeaways

Take inventory of your assets

  • Increase return on investment
  • Provide comprehensive coverage
  • Accelerate compliance needs
  • Create a cybersecurity monitoring response strategy
  • Emphasize essential resources, attack surface area, and threat vectors
  • Deliver transparent, seamless security

Elevate security ecosystem

Going forward, businesses should implement an incident response strategy, a collection of well-known, verified best practices, and assess their actual versus realized assets and security attack surface portfolio. Is your organization crisis-ready? A strong incident management solution increases organizational resiliency and continuity of operations in the event of a crisis.

The post What is an incident response plan (IRP) and how effective is your incident response posture? appeared first on Cybersecurity Insiders.