In today’s digital era, businesses actively strive to heighten network agility, boost security, and slash operational costs. Network Function Virtualization (NFV) and Secure Access Service Edge (SASE) stand at the forefront of this revolution, reshaping enterprise networking and security.

NFV breathes new life into traditional, hardware-based network functions, turning them into versatile, software-based solutions deployable on virtualized infrastructure. As a result, businesses cut hardware costs, speed up service deployment, and streamline network management and automation. When you incorporate NFV into your organization’s network architecture, you unlock these benefits:

  • Cut hardware costs and physical footprint: Virtual Network Functions (VNFs) operate on general-purpose servers, delivering a more cost-effective solution.
  • Scale the edge swiftly: NFV gives networks that change frequently or unpredictably greater flexibility and agility; you can deploy, modify, or scale VNFs to adapt to shifting demand.
  • Speed up service deployment: Forget procuring, installing, and configuring specialized hardware. Instead, launch VNFs fast and hassle-free to deploy new network services.
  • Enhance network management and automation: NFV management and orchestration (MANO) systems allow central management and orchestration of VNFs, reducing network administration’s complexity and manual effort.
  • Decrease energy consumption: NFV consolidates multiple network functions onto shared infrastructure, lowering energy consumption and cooling requirements, contributing to greener and more sustainable operations.

On the flip side, SASE represents a departure from the traditional network architecture that depends on separate devices for each function. It pulls network and security services closer to the edge, providing consistent security policies, better performance, and simplified management. With its flexible, programmable, and secure networking capabilities, NFV is a critical enabler of SASE. NFV and SASE architectures also deliver these benefits:

  • Scalability: As a cloud-based service, SASE and NFV work in harmony to scale up or down effortlessly based on demand, helping organizations adapt quickly to evolving network conditions and requirements.
  • Performance and user experience: SASE and NFV draw network and security services closer to the edge, reducing latency and enhancing performance for users, especially those remote from the organization’s data centers or main offices.
  • Consistent security policies: SASE and NFV ensure the consistent application of security policies across the entire network, regardless of where users or devices are located. This is particularly advantageous for organizations with remote workers or multiple branches.
  • Cost efficiency: By merging multiple network and security functions into a single service, and on single physical servers, SASE and NFV help organizations slash costs linked to hardware procurement, installation, and maintenance.

The powerhouse duo of Network Function Virtualization (NFV) and Secure Access Service Edge (SASE) empowers modern businesses to amplify their network agility, bolster security, and curb operational costs. Their synergy keeps organizations in step with the fast-paced rhythm of today’s digital business landscape, offering a network architecture that is flexible, scalable, secure, and efficient.

Adopting NFV can fuel cost savings, expedite service deployment, enhance network management, and promote sustainability. Simultaneously, embracing SASE can deliver consistent security policies, improve performance, and simplify management, especially beneficial for businesses with a dispersed workforce or multiple branch locations. Together, NFV and SASE form a robust framework for securing and managing modern networks.

The time to integrate NFV and SASE into your network architecture is now. Considering the multitude of benefits they offer, it’s not a mere option; it’s a strategic imperative to future-proof your network infrastructure. Don’t let your current network setup hinder your business growth. Contact AT&T Cybersecurity to discover how NFV and SASE can revolutionize your network infrastructure and propel your business forward.

The post Benefits of Using NFV with SASE appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

The terms computer security, information security and cybersecurity were practically non-existent in the 1980s, but believe it or not, firewalls have existed in some form since that time. Over the years, the traditional firewall has transformed to meet the demands of the modern workplace and adapt to an evolving threat landscape. 

Next-Generation Firewalls (NGFWs), free from legacy technology constraints, take advantage of significant advancements in computational power, memory, and storage. NGFWs boast critical security features such as intrusion prevention, VPN, anti-virus, and encrypted web traffic inspection. This not only helps protect against malicious content but also aligns seamlessly with contemporary networking topologies like Software-Defined Wide Area Networks (SD-WAN) and zero-trust architectures.

But what sets NGFWs apart from traditional firewalls? How do you know what features to look for and why should you invest in an NGFW? And finally, what do you do if you don’t have the security resources to devote to managing firewalls?  

In today’s crowded security marketplace, numerous firewall solutions are marketed as NGFWs. Without clear industry consensus on the definition of a next-gen firewall, it’s incumbent upon organizations to assess features and gauge if the solution aligns with their business needs. 

What makes next-generation firewalls a compelling choice for network modernization? 

NGFWs offer several advantages over traditional firewalls. Key among these are comprehensive application visibility and control, the ability to distinguish between dangerous and safe applications, and capabilities for preventing malware from penetrating a network. 

Here are several crucial ways an NGFW bolsters an organization’s cybersecurity posture. 

  • Protecting the Network from Viruses and Trojans: NGFW application awareness analyzes header information and the payload against established application signatures to validate the application’s integrity and permission for use. With so many apps and services required for employees to do their jobs, this is crucial for allowing users to download applications from the internet.
  • Adaptability to the hybrid workplace: Even before the pandemic, businesses had been rapidly embracing hybrid work models, with teams working from everywhere, using a myriad of devices. This shift towards decentralized operations requires a significant effort towards adaptability and flexibility. NGFW security functionality can be invaluable in a hybrid work environment where the network perimeter is blurred and traditional security measures may fall short. NGFWs are also designed to integrate with modern network architectures such as software-defined wide area networks (SD-WAN) and cloud services, allowing businesses to maintain robust security protocols as they transition between on-premises, cloud, and hybrid work setups.
  • Preventing Known Productivity Distractors: With robust application control, organizations can manage which applications are run, which features are accessed, and which applications are prioritized for bandwidth. For example, social media or SaaS applications can be selectively enabled or disabled based on job function.  
  • Application Awareness: One of the fundamental enhancements NGFWs offer over traditional firewalls is application awareness. This feature allows NGFWs to identify and control applications — regardless of network port and protocol. This helps prevent unauthorized access and provides greater visibility and context into network activity. By recognizing application-specific characteristics and behaviors, NGFWs can effectively control access, provide prioritization, and offer bandwidth allocation for specific applications, enhancing both network performance and security. 
  • User-based Policies: User-based policies are another crucial NGFW functionality. Unlike traditional firewalls that enforce policies based on IP addresses, NGFWs align policies with specific users or groups. This ability to connect users with their applications and related network activities enables more precise control and more contextual reporting, which can be invaluable for both security and compliance. 
  • Intrusion Prevention System (IPS): Integrated into NGFWs is an Intrusion Prevention System (IPS) that actively identifies and blocks potential threats. The IPS scans traffic for cyber attack patterns or signatures in real-time and takes action to prevent these threats from infiltrating the network. This is a significant upgrade from traditional firewalls, which required a separate IPS solution. 
  • Deep Packet Inspection (DPI): DPI is a form of computer network packet filtering that inspects the data portion (and possibly also the header) of a packet as it passes an inspection point. This is critical in the identification, categorization, or blocking of packets with malicious data. NGFWs employ DPI to scrutinize both inbound and outbound traffic, providing protection against a broad range of cyber threats — from malware to data exfiltration. 
  • Leveraging External Security Sources: NGFWs facilitate the use of external security data, including directory-based policies, white lists, and black lists, saving time and resources.

By incorporating these advanced features, NGFWs offer far more granular control and visibility into network traffic than traditional firewalls. They empower organizations to better understand and manage the intricacies of modern network security, allowing for a stronger security posture and efficient use of resources. 

Why should you invest in a next-generation firewall? 

Firewalls primarily serve to protect against undesirable or malicious network traffic. But as threats evolve and detection becomes increasingly challenging, enterprise network security must advance to address the threat difficulty level. 

Traditional firewalls filter network traffic based on port number, IP address, or domain in an “all or none” approach. In a bygone era where most attacks targeted network services and components, this level of security sufficed. But nowadays, most exploits are directed towards specific application vulnerabilities. 

The emergence of NGFWs addresses these vulnerabilities, offering superior control over network security.


Next-Generation Firewalls vs. UTM and Virtual or Cloud-Based Firewalls 

Security discussions often blur the distinctions between NGFWs and Unified Threat Management (UTM) solutions or between appliance, virtual, and cloud-based firewalls (commonly referred to as Firewall-as-a-Service or FWaaS). 

NGFWs include IPS and some form of application intelligence. UTMs, however, include these features plus additional technologies such as wireless security, URL filtering, email security, VPNs, and web application firewalls. Given their multi-functional nature, UTMs simplify deployment and management, reduce costs, and enable quick incident response times. 

When comparing appliance, virtual, and cloud-based firewalls, we need to examine the form factor or the firewall’s location, not their features. Irrespective of hosting, a firewall with any of the above-discussed technical capabilities can be considered next-generation. Cloud firewalls are typically managed, configured, and updated by a third-party vendor, thereby reducing the managerial burden for the deploying company. 

How AT&T can help you leverage NGFWs for network modernization 

In a business environment where digital transformation is rapidly reshaping operations, it’s critical that your business deploys robust, adaptive security measures. NGFWs offer multiple layers of defense — securing your hybrid workforce and bolstering your security posture. They provide centralized visibility, reduce risk, and relieve the administrative burden on your tech teams.

Whether you’re building a foundation or upgrading your existing setup, managed firewall services from AT&T Cybersecurity make the transition smooth and efficient. Don’t wait until it’s too late; boost and modernize your network security today and protect your business against tomorrow’s threats.


The post Next-Generation Firewalls: A comprehensive guide for network security modernization appeared first on Cybersecurity Insiders.


In recent months, a cybercrime group known as Blacktail has begun to make headlines as they continue to target organizations around the globe. The group was first spotted by the Unit 42 Team at Palo Alto Networks earlier this year. Since February, the group has launched multiple attacks based on their latest ransomware campaign labeled Buhti.

An interesting detail about the organization is that they do not make their own strains of malware. Rather, they opt to repurpose pre-existing strains to achieve their end goal of monetary gain. Two of the most popular tools that have been used by the cybercrime group are LockBit 3.0 for targets using Windows OS and Babuk for targets using Linux OS. Both LockBit 3.0 and Babuk are strains of ransomware that encrypt files on a victim’s machine and demand payment in exchange for decrypting the files. These tools allow Blacktail to operate using a RaaS (ransomware as a service) model which falls in line with their goal of monetary gain.

LockBit 3.0 is the latest version of the LockBit ransomware, which was developed by the LockBit group in early 2020. Since its launch it has been linked to over 1,400 attacks worldwide, earning the group over $75 million in payouts. This ransomware is most commonly distributed through phishing attacks in which the victim clicks a link that starts the download process.

Babuk is a ransomware that was first discovered in early 2021. Since then, it has been responsible for many cyber-attacks that have been launched against devices using Linux OS. This strain of ransomware serves a similar purpose to Lockbit 3.0 and its main purpose is to compromise files on a victim’s machine and make them inaccessible until the ransom is paid.


Recently, this group has been seen leveraging two different exploits. The first is CVE-2023-27350, which allows attackers to bypass the authentication required to use PaperCut NG 22.05 on affected endpoints. They leverage this vulnerability to install programs such as Cobalt Strike, Meterpreter, Sliver, and ConnectWise, which are then used to steal credentials and move laterally within the target network. The second vulnerability, CVE-2022-47986, which affects the IBM Aspera Faspex file exchange system, allows attackers to perform remote code execution on the target devices.

Blacktail represents a significant threat in the world of cybercrime, employing a wide range of sophisticated methods to attack its victims. From phishing and social engineering to ransomware campaigns and APT attacks, their tactics demonstrate a high level of expertise and organization. To counter such threats, individuals, businesses, and governments must prioritize cybersecurity measures, including robust firewalls, regular software updates, employee training, and incident response plans. The fight against cybercrime requires constant vigilance in order to stay one step ahead of the attackers.


The post Blacktail: Unveiling the tactics of a notorious cybercrime group appeared first on Cybersecurity Insiders.


While cryptocurrencies have been celebrated for their potential to revolutionize finance, their anonymous nature has also been exploited for illicit activities. From drug dealing and arms trafficking to funding terrorism, black market activities have thrived under the cloak of cryptocurrency’s pseudonymity. According to a report by Chainalysis in 2023, around $21 billion in crypto transactions were linked to illegal activities.

Money laundering, too, has found a home in the crypto space. Overall, between 2017 and 2021, crooks laundered over $33 billion worth of cryptocurrency.

Moreover, tax evasion has surged with crypto’s rise. Crypto traders evading their tax obligations could be costing the Internal Revenue Service upwards of $50 billion annually.

Law enforcement’s response to technological challenges

While the majority of cryptocurrency transactions remain legitimate, these dark sides of cryptocurrency cannot be ignored. Regulatory and law enforcement agencies worldwide have an urgent task ahead: to develop robust mechanisms to combat these illicit uses while supporting the technology’s legitimate growth. We should craft and use Blockchains that are safe and advantageous to everyone except lawbreakers.

There is a long-standing tradition of law enforcement agencies modifying their approaches to chase criminals who exploit the newest technologies for illicit purposes. This adaptability was evident when technologies like fax machines and pagers were invented. Throughout history, the legal system has consistently demonstrated its ability to adapt and grow in order to confront emerging technological challenges.

Even though Blockchain represents a revolutionary development in the finance and tech spheres, it is merely the latest example of how law enforcement must continually innovate and adapt to new technologies. Given this perspective, it is hard to argue that Bitcoin and other coins pose an insurmountable problem for law enforcement.

As Blockchain technology is still young, we have a unique opportunity to enhance law enforcement’s understanding of it and improve its security. Individuals interested in Blockchain should assist law enforcement in understanding and harnessing the potential of this technology.

A practical approach to achieving this is implementing a public-private information-sharing process like the one employed to exchange cybersecurity threat details. These dialogues can establish a mechanism through which the Bitcoin community can contribute their knowledge to help law enforcement overcome challenges encountered during cybercrime investigations.

Challenges for law enforcement in investigating cryptocurrency crimes

Still, certain features of Bitcoin and other popular cryptocurrencies present substantial challenges for law enforcement. Collaborating with distant international counterparts, each with its own distinct policies, often complicates investigative efforts. Identifying an individual from a Bitcoin address is also not easy. Cryptocurrency exchanges operating in different jurisdictions, the use of mixers and tumblers to obfuscate transactions, and the rapid evolution of the technology pose significant hurdles for investigators.

The greatest obstacle in any cybercrime investigation is attributing a specific person to a virtual offense. Prosecutors often attempt to link a particular MAC or IP address, or an email address, to a specific individual. This becomes significantly more challenging when someone utilizes Tor, proxies, or employs privacy coins like Monero.

Another complication arises from the fact that many email providers, as well as cell phone companies, either cannot or do not find it necessary to validate the information their users provide them.

One potential solution to overcome these challenges is to employ data analysis from multiple sources, aiming to isolate and identify the single offender in the crowd.

Advantages of Blockchain for law enforcement

Despite the various challenges it presents, the Blockchain actually offers several advantages to law enforcement. One of the notable benefits is the ability to trace all transactions associated with a particular Bitcoin address, including records dating back to its initial transaction.

Cases like Silk Road, Mt. Gox, and others have showcased the proficiency of law enforcement agencies in tracing transactions on the Blockchain. Carl Force, a DEA agent, faced accusations of pilfering Bitcoins during the Silk Road investigation. During the trial, a chart was presented as evidence, demonstrating how law enforcement successfully tracked the funds across the Blockchain, despite Carl Force’s attempts to divide the transactions among multiple addresses.

Contrary to popular belief, Bitcoin is not as anonymous as many people think. Each Bitcoin address may serve as an account number for an individual. If a person can be linked to a specific address, it becomes possible to access information about all the transactions associated with that person.

If an individual utilizes a crypto wallet to interact with the Blockchain, the wallet organization will associate the address with the individual, similar to how a bank keeps records of its customers and their accounts.

New software tools can identify patterns in Blockchain transactions, such as repeated transactions between specific addresses or sudden large transactions, indicating potential illegal activity and leading to particular people.

The Blockchain operates as a peer-to-peer system, where no single entity has exclusive authority to remove records. It functions as a publicly accessible ledger of data blocks, and it cannot be revised or tampered with. This ability allows law enforcement to track the flow of funds in a manner that was previously impossible.

Law enforcement agencies often face a significant challenge when dealing with phone and Internet companies due to varying regulations regarding the retention of customer data. The process of locating the specific provider that possesses the information needed to trace a high-level cyber-criminal can be time-consuming, spanning multiple providers and even different countries.

Furthermore, there is always a risk that the trail may have gone cold by the time the relevant provider is identified. In contrast, the Blockchain serves as a permanent repository for all data. It retains information indefinitely, ensuring that it is always accessible. This eliminates the need for extensive investigations across multiple providers and offers a streamlined way to obtain the required data.

The Third Party Doctrine states that individuals should not expect confidentiality for data shared with third parties such as ISPs and banks. It enables law enforcement to obtain records from ISPs, banks, and cellphone carriers through a subpoena rather than a search warrant, although this process itself creates complications for law enforcement. Blockchain operates differently in this regard: transactions can be traced without needing a subpoena, because the Blockchain is intentionally designed to be open and accessible to all, eliminating the need for legal procedures to access its data.

When evidence emerges in a foreign country, U.S. law enforcement is required to adhere to the Mutual Legal Assistance Treaty (MLAT) procedure in order to seek assistance from foreign agencies. One significant example highlights the Department of Justice engaging in a legal battle against Microsoft. This case revolved around the question of whether the DOJ possesses the authority to access data stored in a Microsoft data center located in Ireland. Microsoft argued that the DOJ could not employ a search warrant to obtain overseas data and must follow the MLAT procedure instead. However, with Blockchain, such issues do not arise as it allows access from anywhere in the world without the need for MLAT.

Final thoughts

It is an undeniable reality that illegal money transfers will persist. It is impossible to completely eliminate criminals from utilizing Blockchain or the internet as a whole. However, what we can strive for is to develop solutions that make it increasingly challenging for illicit parties to thrive. Law enforcement should concentrate their efforts on the specific areas of the Blockchain where criminal activities frequently emerge. Individuals must collaborate and devise innovative strategies that law enforcement can adopt to combat these challenges effectively.

The post Law enforcement’s battle against Cryptocurrency crime appeared first on Cybersecurity Insiders.

Executive Summary

Killnet is a hacktivist group based in Russia that has been active since at least 2015. The group is known for launching DDoS attacks on a diverse range of industries, including state and local governments, telecommunications, and defense.

Killnet has been linked to several high profile attacks, including distributed denial-of-service (DDoS) attacks against U.S. airports and Elon Musk’s Starlink satellite broadband service.

The motivations behind these attacks vary, but recently, they have primarily targeted those who are the most vocal supporters of Ukraine and its political agenda.

The aim of this threat hunt is to create a virtual attack environment that simulates Killnet’s tactics, techniques, and procedures (TTPs). Subsequently, detections and threat hunt queries will be written to proactively identify the emulated TTPs while compensating for the limitations of traditional IOC historical searches.

The results of the threat hunt will include high-level dashboards, code, and network artifacts generated from the attack range, which will be used to explain how a hypothesis was formed. The outcomes will also contain the pseudo and translated query logic in a format that can be utilized by tools such as Suricata, Snort, Splunk, and Zeek. The query output will then be employed to confirm the initial hypothesis generated.

Network Artifacts

To emulate the attack, cc.py was used to generate continuous HEAD requests against an Apache server; refer to Appendix A for further details. Once the attack was launched, the captured traffic was examined, as shown in Figure 1 and Figure 2. Reviewing the HTTP HEAD traffic showed that a string of 11 to 12 digits consistently appeared after “HEAD /?”. This pattern will serve as the basis for our first hypothesis, as outlined in the next section.

Figure 3 also contains the Apache logs generated on the server as the attack script kept trying to access different files in the ‘/var/www/html/’ directory. The script iterates in a brute-force style until CPU resources are exhausted by sheer traffic volume.

Figure 1 – Wireshark – Dynamically Generated 11-12 Digits

Figure 2 – Wireshark – Forged Referrer & Anonymized IPs

Figure 3 – Splunk – Apache Server Error Logs – Failed File Access Attempts

Detection Guidance

Perl Compatible Regular Expressions (PCRE) can be used to leverage the context derived from the packet capture during threat analysis, as shown in Figure 1. This allows us to write Suricata/Snort rules that match the patterns observed in the headers. Detections tend to scale better than hunt queries and can be applied strategically on a per-sensor basis. Specifically, the following rule will match, on a forward-looking basis, any HTTP HEAD request containing 11-12 digits captured by a network sensor. This serves as our first hypothesis to identify the usage of DDoS HEAD floods:

alert tcp any any -> any any (msg:"Killnet cc.py DDoS HTTP HEAD Flood"; content:"HEAD"; depth:4; content:" /?"; distance:0; content:" HTTP/1.1|0d0a|Host: "; distance:0; fast_pattern; content:"."; distance:1; within:3; content:"."; distance:1; within:3; content:"."; distance:1; within:3; content:"|0d0a|Referer: https://"; distance:0; content:"|0d0a|Accept-Language: "; distance:0; content:"|0d0a|Accept-Charset: "; distance:0; content:"|0d0a|Connection: Keep-Alive|0d0a0d0a|"; distance:0; pcre:"/^HEAD\x20\/\?[0-9]{11,12}\x20HTTP\//"; sid:10000001; rev:1;)

Hypothesis #1

Hunting Process

The following is a Splunk hunt query that utilizes the Zeek/Bro dataset to identify “High connections from common source over a short amount of time”. The query breaks the time column (shown in Figure 2) into 1-second chunks. Once an appropriate threshold has been established, the “where count > 10” statement can be adjusted accordingly to search retroactively within the last 7 days from when the activity was first observed. This query serves as our second hypothesis to identify the usage of DDoS HEAD floods:

index=zeek sourcetype=zeek_conn | bucket span=1s _time | eval datetime=strftime(_time,"%Y-%m-%d %H:%M:%S") | stats count by datetime, id.orig_h | where count > 10 | rename datetime as "Date & Time" id.orig_h as "Attacker IP"
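As an added example (not code from the original post or from the cc.py project), the following Python applies both hypotheses offline to constructed sample data: the “HEAD /?<11-12 digits>” request-line check that the Suricata pcre above expresses, and the per-second connection count per source with the “count > 10” threshold that the Splunk query above expresses. The request lines, the two-column conn.log fragment and the TEST-NET addresses in it are all constructed, not captured traffic.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Hypothesis 1: a HEAD request whose query string is 11-12 digits, i.e. the
# same pattern as the pcre in the Suricata rule ("HEAD /?<digits> HTTP/").
HEAD_FLOOD_RE = re.compile(r"^HEAD /\?[0-9]{11,12} HTTP/")


def is_head_flood_request(request_line: str) -> bool:
    """Return True when an HTTP request line matches the cc.py HEAD pattern."""
    return HEAD_FLOOD_RE.match(request_line) is not None


def flagged_requests(request_lines):
    """Return only the request lines that match hypothesis 1."""
    return [line for line in request_lines if is_head_flood_request(line)]


def parse_zeek_conn(lines):
    """Parse a minimal tab-separated conn.log: only ts and id.orig_h are read.

    A real conn.log has many more columns; these two are the ones the Splunk
    hunt query keys on. Header/comment lines start with '#'.
    """
    records = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig_h = line.rstrip("\n").split("\t")[:2]
        records.append((float(ts), orig_h))
    return records


def high_rate_sources(records, threshold=10, span=1):
    """Hypothesis 2: sources exceeding `threshold` connections per `span` seconds.

    Equivalent to: bucket span=1s | stats count by bucket, id.orig_h | where count > threshold.
    Returns {(bucket_start_epoch, orig_h): count} for the offending buckets only.
    """
    counts = Counter()
    for ts, orig_h in records:
        bucket = int(ts // span) * span
        counts[(bucket, orig_h)] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def format_bucket(epoch):
    """Render a bucket start the way strftime() in the Splunk query does (UTC)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


# --- Constructed sample data (not captured traffic) -------------------------
SAMPLE_REQUEST_LINES = [
    "HEAD /?30493056118 HTTP/1.1",     # 11 digits: matches
    "HEAD /?391047720355 HTTP/1.1",    # 12 digits: matches
    "HEAD /?1234567890 HTTP/1.1",      # 10 digits: too short
    "HEAD /?abc12345678901 HTTP/1.1",  # letters in the query: no match
    "GET /index.html HTTP/1.1",        # ordinary request
]

# One second of constructed conn.log: 12 connections from one proxy address,
# 2 from a normal client, plus 1 more from the proxy in the next second.
SAMPLE_CONN_LOG = ["#fields\tts\tid.orig_h"]
SAMPLE_CONN_LOG += [f"1680000000.{i:02d}\t203.0.113.7" for i in range(12)]
SAMPLE_CONN_LOG += ["1680000000.50\t198.51.100.20", "1680000000.80\t198.51.100.20",
                    "1680000001.10\t203.0.113.7"]


def run_hunt(request_lines=SAMPLE_REQUEST_LINES, conn_log=SAMPLE_CONN_LOG, threshold=10):
    """Apply both hypotheses and return a report dict keyed like the Splunk output."""
    hits = high_rate_sources(parse_zeek_conn(conn_log), threshold=threshold)
    return {
        "head_flood_requests": flagged_requests(request_lines),
        "high_rate_sources": {(format_bucket(b), ip): n for (b, ip), n in hits.items()},
    }


if __name__ == "__main__":
    report = run_hunt()
    for line in report["head_flood_requests"]:
        print("HEAD flood pattern:", line)
    for (when, ip), n in report["high_rate_sources"].items():
        print(f"{when}  {ip}  {n} connections in 1s")
```

Only the single proxy address crosses the threshold; the normal client with two connections in the same second is not reported, which is the tuning point the “where count > 10” clause gives you.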

Hypothesis #2

Appendix A – Adversary Emulation

cc.py is a Python tool publicly available on the internet that can be used for Layer 7 DDoS attacks. The tool, created by a student in 2020, uses various dynamic characteristics to launch DDoS attacks against web assets. The script automates the process of using open proxy servers to relay attacks while maintaining anonymity, which can render traditional IP-based blocking techniques ineffective.

Figure 4 depicts a Python function called “head” that performs an HTTP HEAD request to a target server. The function takes two arguments: “event” and “proxy type”. These arguments control the flow of the request and specify the type of open proxy to leverage. Additionally, the code concatenates the variables where the forged/randomized headers will be used.

Figure 4 – cc.py script

To generate a dynamic list of compromised open proxies that will be used to relay attacks on behalf of the attacker, the following command is utilized:

python3 cc.py -down -f proxy.txt -v 5

Once the list is generated, the following command is used to launch an attack against a server running Apache web server within the attack range. The command specifies the use of the “head” module and sets the duration of the attack to 30 seconds. The “head” module floods the target server with continuous HTTP HEAD requests until it is knocked offline.

python3 cc.py -url http:// -f proxy.txt -m head -v 4 -s 30

Appendix B – IOCs

An OTX pulse was created listing the 12K+ indicators from this research:

https://otx.alienvault.com/pulse/642dd6df987a88229012d214

References

https://github.com/Leeon123/CC-attack

https://securityresearch.samadkhawaja.com/

The post Threat Hunt: KillNet’s DDoS HEAD Flood Attacks – cc.py appeared first on Cybersecurity Insiders.


When most people think about social media and cybersecurity, they typically think about hackers taking over Instagram accounts or Facebook Messenger scammers taking private information. It’s for good reason that this is top-of-mind. The Identity Theft Resource Center’s 2022 Consumer Impact Report revealed that social media account takeovers have grown by 1,000% in one year. 

Putting yourself out there on social media platforms opens up your personal information to cyber threats. However, social media can be used for good, rather than evil, when it comes to cybersecurity. Learn how to educate your social media following on everyday cybersecurity risks.

Create Cybersecurity content relevant to your audience

Not every company or content creator posting on social media is in the cybersecurity niche, not to mention any offshoots or umbrella niches like technology. Of course, if you do fall into a tech niche and have an audience that’s interested specifically in cybersecurity, you can certainly post on social media about the topic.

However, virtually any industry could benefit from creating cybersecurity content. When planning quality content for your social pages, identify your content niche and determine what aspects of cybersecurity would be most beneficial and interesting to your audience. You can also capitalize on current trends on social media or in the news when designing an informational content campaign around cybersecurity.

Let’s look at how cybersecurity topics can be approached from a variety of industry angles.

B2B

If you are a shared workspace company, for example, your followers are likely interested in ways to establish network security in a hybrid workplace. Followers of a hiring software company likely want to see how to hire more securely online. If your business caters to other businesses, you can create educational cybersecurity content to help them stay safe while using your services or otherwise doing things related to your product or services.

Healthcare

While creating content aimed at public services is different than B2B audiences, cybersecurity information is especially relevant. In a time when interest in virtual healthcare services is booming, patients and providers alike need to be aware of HIPAA laws. For instance, a social media post about the security risks and ethical concerns of doctors emailing and texting patients is an important and highly relevant topic.

Education

Like many healthcare practices have incorporated virtual visits, many schools have started providing virtual classes. If your business is in the education sphere at all, your followers would likely benefit from engaging content about keeping student information private in online classrooms.

Lifestyle

If your brand is in a lifestyle category, you may not think this has much to do with cybersecurity. However, think about the ways in which your followers engage with your brand. If you sell products on a website, make a social post about how to create a secure login for your site when purchasing to reduce the risk of data theft. Further, you can inform your consumers how you’re taking steps to securely process payments and handle customer information. This will instill trust in your brand.

If you don’t sell tangible products or services in this way, you can still find something to do with cybersecurity that will benefit your audience. People use online services all the time, and not everyone is up to date with the latest ways to catch phishing scams or create safe passwords. If your followers are interested in a certain fashion brand and you are aware of an email scam under that brand’s name, you can post about it on social media to help spread awareness.

Pick the right platform and format

Regardless of your industry, it’s clear that all audiences can benefit from some level of cybersecurity education. Similar to how your content will differ, each creator will also benefit from posting on varying social platforms. Some of the most popular social media sites for sharing informative posts include:

  • Twitter: platform for text posts, accompanying images, and links;
  • Reddit: site for more nuanced, forum-style discussions;
  • Quora: site with question-and-answer-style discussions;
  • Instagram: primarily image-based app with short-form video and live streaming options;
  • Facebook: platform affiliated with and similar to Instagram but with longer text posts and groups;
  • LinkedIn: professional networking platform with longer text posts and videos;
  • YouTube: leader in the long-form video space with the option for Shorts and live streaming;
  • Twitch: live streaming platform primarily for gamers;
  • Pinterest: image-based sharing platform;
  • TikTok: short-form video content platform with live streaming options.

TikTok, in particular, is interested in promoting cybersecurity education, so you may have enhanced luck on the platform. Short-form TikTok videos are brief enough to keep viewers’ attention, but you also have enough options to successfully pack in cybersecurity knowledge. For example, you could make a video using a trending sound about how to spot insider threats, pointing to each tip. The platform shows users the content they will be most interested in, so you are more likely to reach the right audience and spread cybersecurity awareness.

If you already have a social media presence, you likely know which platforms garner you the most engagement currently. Start by testing the performance of cybersecurity education posts on your chosen platforms. Then, analyze the data and adjust accordingly.

Using social media for Cybersecurity awareness

Whatever industry you’re in, your social media following will be able to benefit from cybersecurity education. Data privacy is top-of-mind for most social media users, so cater to their unique needs with your content.

The post Using social media as a tool to share knowledge on day-to-day Cybersecurity risks appeared first on Cybersecurity Insiders.


Small businesses are more vulnerable to cyber-attacks since hackers view them as easy victims to target. While this may seem unlikely, statistics reveal that more than half of these businesses experienced some form of cyber-attack in 2022. It’s also reported that state-sponsored threat actors are diversifying their tactics and shifting their focus toward smaller enterprises.

Cyber-attacks against small-sized businesses do not always make headlines, but they have potentially catastrophic impacts. These attacks can result in significant financial and data loss, sometimes shutting down the business. Therefore, it’s crucial that small businesses make cybersecurity a top priority.

What drives more cybersecurity attacks on small businesses?

Small businesses are on the target list of hackers mainly because they focus less on security. On average, SMBs and small businesses allocate 5%-20% of their total budget to security. Additionally, human mistakes are the root cause of 82% of cyber breaches in organizations. Cybercriminals take advantage of this weak security infrastructure and exploit careless employee behavior to carry out insider and other cyber-attacks successfully.

A report reveals various cyber-attacks that often target small businesses, such as malware, phishing, data breaches, and ransomware attacks. Also, small businesses are vulnerable to malware, brute-force attacks, ransomware, and social attacks and may not survive one incident.

The influx of remote working culture has added new challenges and cybersecurity risks for small businesses. This culture has given rise to a large number of personal devices like mobile phones, laptops, and tablets that can easily access sensitive information. Many employees don’t undergo regular scans of their phones and laptops for potential vulnerabilities.

In addition, few companies can provide access to password management software or VPNs to protect their internet connection and credentials and maintain security on rogue Wi-Fi networks. Statistics also reveal that only 17% of small businesses encrypt their data, which is alarming.

Moreover, small businesses are at a higher risk of being attacked because they have limited resources to respond to cyber-attacks. Unlike large organizations, they don’t have a dedicated IT team with exceptional skills and experience to deal with complex cyber-attacks. They also have a limited budget to spend on effective cyber security measures. Hence they don’t invest in advanced cybersecurity solutions or hire professionals to manage their cybersecurity.

Impacts of a Cybersecurity attack on small businesses

Cyber-attacks on small businesses can result in severe consequences – like financial loss, reputational damage, legal ramifications, and disruptions in operations. Below is a better insight into the effects of a potential cyber-attack on small businesses:

Loss of money

A cyber-attack may cause small businesses to lose billions of dollars. A report predicted that the attacks on small businesses will cost the global economy $10.5 trillion by 2025. Also, the average data breach cost to small businesses increased to $2.98 million in 2021, and these figures will likely increase with time. Sometimes small businesses will need to pay to compensate customers, investigate the attack, or implement additional security measures – all of which add up to more financial costs.

Reputational damage

A possible cyber-attack can also damage the business’s reputation and erode customers’ trust. Suppose a customer’s, partner’s, or supplier’s sensitive data gets exposed to attackers. In that case, it negatively affects the company’s reputation. This might cause them to lose valuable clients, which can also lead to the unexpected closure of the business. According to the National Cybersecurity Alliance, 60% of small and mid-size companies get shut down within six months of falling victim to a cyber-attack. It might take a lot of time and effort to restore client trust and the organization’s reputation.

Disruptions in operations

Small businesses often face operational disruption after a cyber-attack. They may experience downtime or lose access to critical business data – which leads to lost opportunities and delays in operations. This negatively impacts your business as you fail to meet customer demands.

Legal ramifications

Small organizations are also subject to various industry-specific legal and regulatory requirements like GDPR, HIPAA, and CCPA to maintain data privacy. A cyber-attack resulting in valuable data loss ultimately triggers regulatory penalties. As a result, small businesses may face lawsuits and hefty fines for non-compliance, further adding financial strain. A Small Business Association Office of Advocacy report finds that the cost of lawsuits for small firms ranges from $3,000 to $150,000. Therefore, protecting clients’ data is better than facing compliance issues.

Actionable Cybersecurity tips for small businesses

With 51% of small businesses having limited cybersecurity measures, adopting preventive measures to protect networks and employees from malicious threat actors is crucial. Some of the best practices that you, as the owner of a small business, can exercise to reduce your attack surface include:

  • Educate employees by providing regular training sessions and conducting awareness programs about cyber-attacks like phishing, malware, or social engineering techniques. Ensure that the employees at all levels understand the risks and learn how to detect and respond to these attacks.
  • Create a comprehensive cybersecurity policy outlining the employees’ guidelines, best practices, and responsibilities regarding data protection, password management, incident reporting, and acceptable use of technology.
  • With the rise of remote and hybrid working culture, it’s crucial to ensure that all remote workers use online security tools like a virtual private network (VPN). It maintains data safety and privacy and enables the workers to access the company’s resources safely.
  • Deploy a regular data backup strategy to prevent data loss due to phishing or ransomware attacks. Store the backups offline or within secure cloud storage to ensure they are not easily accessible by attackers.
  • Regularly monitor and assess systems using inexpensive security tools to detect and respond to threats in real-time. Conduct regular security assessments, vulnerability scans, or penetration testing to identify potential vulnerabilities within the system and address them promptly.
  • Creating an incident response plan (IRP) helps small businesses handle cyber-attacks by providing a structured approach to detect, respond to, and mitigate security incidents. It outlines roles, procedures, and protocols – enabling effective action to minimize damage, protect data, and restore operations, ultimately strengthening the business’s cybersecurity defenses.

These are some of the effective steps that small businesses and start-ups can take to reduce the likelihood of a data breach or decrease the negative impact when an attack occurs.

Final thoughts

Small businesses face many cybersecurity threats and challenges that can affect their reputation and make it difficult to run their business successfully. The best way to ensure a healthy cybersecurity culture is to deploy a successful security awareness and training program. This assures employees are well aware of the threats and how to respond at the right time. To sum up, by prioritizing cybersecurity and adopting proactive measures, small businesses can safeguard their digital assets and mitigate potential threats in today’s increasingly interconnected world.

The post How can small businesses ensure Cybersecurity? appeared first on Cybersecurity Insiders.

A way to manage too much data

To protect the business, security teams need to be able to detect and respond to threats fast. The problem is the average organization generates massive amounts of data every day. Information floods into the Security Operations Center (SOC) from network tools, security tools, cloud services, threat intelligence feeds, and other sources. Reviewing and analyzing all this data in a reasonable amount of time has become a task that is well beyond the scope of human efforts.

AI-powered tools are changing the way security teams operate. Machine learning (which is a subset of artificial intelligence, or “AI”)—and in particular, machine learning-powered predictive analytics—are enhancing threat detection and response in the SOC by providing an automated way to quickly analyze and prioritize alerts.

Machine learning in threat detection

So, what is machine learning (ML)? In simple terms, it is a machine’s ability to automate a learning process so it can perform tasks or solve problems without specifically being told to do so. Or, as AI pioneer Arthur Samuel put it, “. . . to learn without explicitly being programmed.”

ML algorithms are fed large amounts of data that they parse and learn from so they can make informed predictions on outcomes in new data. Their predictions improve with “training”–the more data an ML algorithm is fed, the more it learns, and thus the more accurate its baseline models become.

While ML is used for various real-world purposes, one of its primary use cases in threat detection is to automate identification of anomalous behavior. The ML model categories most commonly used for these detections are:

Supervised models learn by example, applying knowledge gained from existing labeled datasets and desired outcomes to new data. For example, a supervised ML model can learn to recognize malware. It does this by analyzing data associated with known malware traffic to learn how it deviates from what is considered normal. It can then apply this knowledge to recognize the same patterns in new data.

Unsupervised models do not rely on labels but instead identify structure, relationships, and patterns in unlabeled datasets. They then use this knowledge to detect abnormalities or changes in behavior. For example: an unsupervised ML model can observe traffic on a network over a period of time, continuously learning (based on patterns in the data) what is “normal” behavior, and then investigating deviations, i.e., anomalous behavior.

Large language models (LLMs), such as ChatGPT, are a type of generative AI that use unsupervised learning. They train by ingesting massive amounts of unlabeled text data. Not only can LLMs analyze syntax to find connections and patterns between words, but they can also analyze semantics. This means they can understand context and interpret meaning in existing data in order to create new content.

Finally, reinforcement models, which more closely mimic human learning, are not given labeled inputs or outputs but instead learn and perfect strategies through trial and error. With ML, as with any data analysis tools, the accuracy of the output depends critically on the quality and breadth of the data set that is used as an input.


A valuable tool for the SOC

The SOC needs to be resilient in the face of an ever-changing threat landscape. Analysts have to be able to quickly understand which alerts to prioritize and which to ignore. Machine learning helps optimize security operations by making threat detection and response faster and more accurate.

ML-powered tools automate and improve the analysis of large amounts of event and incident data from multiple different sources in near real time. They identify patterns and anomalies in the data and then prioritize alerts for suspected threats or critical vulnerabilities that need patching. Analysts use this real-time intelligence to enhance their own insights and understand where they can scale their responses, or where there are time-sensitive detections they need to investigate.
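As an added example (not code from the original post or from USM Anywhere), the following Python block implements the unsupervised approach described earlier, learning what is “normal” for each host from unlabeled data and investigating deviations, together with the alert prioritization described above. Per-host baselines use the median and median absolute deviation so that a single odd hour in the learning window does not distort them; the hosts, counts and alert threshold are constructed assumptions.

```python
"""Unsupervised baseline-and-deviation scoring of per-host activity for alert triage.

Added example: not code from the original post or from USM Anywhere. All data
and the alert threshold are constructed assumptions.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

Baseline = Tuple[float, float]        # (median, scaled MAD) of a host's hourly count
Observation = Tuple[str, int, int]    # (host, hour index, outbound connections)

# Constructed learning window: hourly outbound connection counts per host, assumed
# to reflect normal behaviour. A real pipeline would derive these from flow logs.
TRAINING: List[Tuple[str, int]] = (
    [("ws-01", n) for n in (40, 42, 38, 45, 41, 39, 44, 40, 43, 37)]
    + [("ws-02", n) for n in (120, 118, 125, 122, 119, 121, 117, 124, 120, 123)]
    + [("db-01", n) for n in (5, 6, 5, 4, 5, 6, 5, 5, 4, 6)]
)

# Constructed detection-window observations to be scored against the baselines.
NEW_EVENTS: List[Observation] = [
    ("ws-01", 13, 41),         # in line with its history
    ("ws-02", 13, 126),        # slightly high but within normal spread
    ("db-01", 13, 5),          # in line with its history
    ("db-01", 14, 410),        # database server suddenly very chatty
    ("ws-01", 14, 95),         # clearly elevated, but less extreme
    ("unknown-host", 14, 7),   # never seen in learning window: cannot be scored
]


def learn_baselines(events: List[Tuple[str, int]]) -> Dict[str, Baseline]:
    """Learn what is 'normal' per host from unlabeled counts using median and MAD."""
    per_host: Dict[str, List[int]] = defaultdict(list)
    for host, count in events:
        per_host[host].append(count)
    baselines: Dict[str, Baseline] = {}
    for host, counts in per_host.items():
        med = median(counts)
        mad = median(abs(c - med) for c in counts)
        # 1.4826 makes MAD comparable to a standard deviation for normal data;
        # a zero MAD (perfectly constant history) falls back to a unit scale.
        scale = 1.4826 * mad if mad > 0 else 1.0
        baselines[host] = (med, scale)
    return baselines


def robust_zscore(value: int, baseline: Baseline) -> float:
    """How many robust standard deviations a value sits above its host's baseline."""
    med, scale = baseline
    return (value - med) / scale


def score_events(baselines: Dict[str, Baseline], events: List[Observation],
                 threshold: float = 3.5):
    """Score observations; return (alerts sorted most severe first, unscorable events).

    Hosts with no baseline are reported separately rather than silently dropped:
    a never-before-seen host is itself something an analyst may want to know about.
    """
    alerts: List[Dict] = []
    unscored: List[Observation] = []
    for host, hour, count in events:
        if host not in baselines:
            unscored.append((host, hour, count))
            continue
        z = robust_zscore(count, baselines[host])
        if z >= threshold:
            alerts.append({"host": host, "hour": hour, "count": count,
                           "score": round(z, 2)})
    alerts.sort(key=lambda a: a["score"], reverse=True)
    return alerts, unscored


if __name__ == "__main__":
    baselines = learn_baselines(TRAINING)
    alerts, unscored = score_events(baselines, NEW_EVENTS)
    for alert in alerts:
        print(alert)
    print("no baseline:", unscored)
```

The database server's jump to 410 connections ranks first, the workstation's rise to 95 second, and the unknown host is surfaced separately; ws-02 at 126 is within its normal spread and raises nothing.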

Traditional threat detection methods, such as signature-based tools that alert on known bad traffic can be augmented with ML. By combining predictive analytics that alert based on behavioral anomalies with existing knowledge about bad traffic, ML helps to reduce false positives.

ML also helps make security operations more efficient by automating workflows for more routine security operations response. This frees the analyst from repetitive, manual, and time-consuming tasks and gives them time to focus on strategic initiatives.

New capabilities enhance threat intelligence in USM Anywhere

The USM Anywhere platform has long utilized both supervised and unsupervised machine learning models from AT&T Alien Labs and the AT&T Alien Labs Open Threat Exchange (OTX) for most of its curated threat intelligence. The Open Threat Exchange is among the largest threat intelligence sharing platforms in the world. Its more than 200,000 members contribute new intelligence to the platform on a daily basis.

Alien Labs uses ML models in several ways, including to automate the extraction of indicators of compromise (IOCs) from user threat intelligence submissions in the OTX and then enrich these IOCs with context, such as associated threat actors, threat campaigns, regions and industries being targeted, adversary infrastructure, and related malware.

The behind-the-scenes capabilities in USM Anywhere have been reinforced by new, high-value machine learning models to help security teams find today’s most prevalent threats.

These new models help the platform generate higher-confidence alerts with fewer false positives and provide advanced behavioral detections to facilitate more predictive identification of both insider and external threats. Its supervised models can identify and classify malware into clusters and families to predict behaviors. They can also detect obfuscated PowerShell commands, domain generation algorithms, and new command-and-control infrastructure.

Since the platform has an extensible architecture, new models can be introduced as the threat landscape dictates, and existing models can be continuously refined.

For more on how machine learning is transforming today’s SOC and to learn how the USM Anywhere platform’s own analytics capabilities have evolved, tune in to our webinar on June 28.


The post Toward a more resilient SOC: the power of machine learning appeared first on Cybersecurity Insiders.


OpenAI’s flagship product, ChatGPT, has dominated the news cycle since its unveiling in November 2022. In only a few months, ChatGPT became the fastest-growing consumer app in internet history, reaching 100 million users as 2023 began.

The generative AI application has revolutionized not only the world of artificial intelligence but is impacting almost every industry. In the world of cybersecurity, new tools and technologies are typically adopted quickly; unfortunately, in many cases, bad actors are the earliest to adopt and adapt.

This can be bad news for your business, as it escalates the degree of difficulty in managing threats. 

Using ChatGPT’s large language model, anyone can easily generate malicious code or craft convincing phishing emails, all without any technical expertise or coding knowledge. While cybersecurity teams can leverage ChatGPT defensively, the lower barrier to entry for launching a cyberattack has both complicated and escalated the threat landscape.

Understanding the role of ChatGPT in modern ransomware attacks

We’ve written about ransomware many times, but it’s crucial to reiterate that the cost to individuals, businesses, and institutions can be massive, both financially and in terms of data loss or reputational damage.

With AI, cybercriminals have a potent tool at their disposal, enabling more precise, adaptable, and stealthy attacks. They’re using machine learning algorithms to simulate trusted entities, create convincing phishing emails, and even evade detection.

The problem isn’t just the sophistication of the attacks, but their sheer volume. With AI, hackers can launch attacks on an unprecedented scale, exponentially expanding the breadth of potential victims. Today, hackers use AI to power their ransomware attacks, making them more precise, adaptable, and destructive.

Cybercriminals can leverage AI for ransomware in many ways, but perhaps the easiest is more in line with how many ChatGPT users are using it: writing and creating content. For hackers, especially foreign ransomware gangs, AI can be used to craft sophisticated phishing emails that are much more difficult to detect than the poorly-worded message that was once so common with bad actors (and their equally bad grammar). Even more concerning, ChatGPT-fueled ransomware can mimic the style and tone of a trusted individual or company, tricking the recipient into clicking a malicious link or downloading an infected attachment.

This is where the danger lies. Imagine your organization has the best cybersecurity awareness program, and all your employees have gained expertise in deciphering which emails are legitimate and which can be dangerous. Today, if the email can mimic tone and appear 100% genuine, how are the employees going to know? It’s almost down to a coin flip in terms of odds.

Furthermore, AI-driven ransomware can study the behavior of the security software on a system, identify patterns, and then either modify itself or choose the right moment to strike to avoid detection.

Trends and patterns in ChatGPT-themed cybercrimes

While the vast majority of people use ChatGPT for benign or beneficial purposes, the notable uptick in ChatGPT-themed suspicious activities is cause for concern. These threats include the creation of malicious code, phishing schemes, and of course ransomware — often exploiting the advanced capabilities of ChatGPT to enhance their effectiveness.

The majority of patterns and trends in these activities are not ransomware-related; however, they provide invaluable insights for security experts to proactively respond to these challenges.

Creation of malware using ChatGPT

A self-proclaimed novice reportedly created a powerful data-mining malware using just ChatGPT prompts within a few hours.

ChatGPT imposters

Malware operators and spammers read the news, too, and are following trends and high-engagement topics, leading to an increase in malicious ChatGPT imposters.

Malware campaigns using ChatGPT

ChatGPT is everywhere. Meta took steps to take down more than 1,000 malicious URLs that were found to leverage ChatGPT.

Cybercriminals using ChatGPT

ChatGPT cybercrime is popular with hackers. A thread named “ChatGPT – Benefits of Malware” appeared on a popular underground hacking forum, indicating that cybercriminals are starting to use ChatGPT.

ChatGPT-themed lures

Watch out: hackers are using ChatGPT-themed malware to take over online accounts.

ChatGPT phishing attacks

Finally, these phishing attacks are the most concerning for organizations defending against ransomware. The “ChatGPT Banker” phishing attack involves fake webpages and a trojan virus.

Copycat Chatbots and their threat to Cybersecurity

The success and visibility of OpenAI’s ChatGPT inevitably leads to another cybersecurity concern — the rise of copycat chatbots. These are AI models developed by other groups or individuals seeking to mimic the functionalities and capabilities of ChatGPT, often with less stringent ethical guidelines and fewer protective measures.

There are two key issues that arise from these imitation chatbots. First, they often lack the advanced protective guardrails that have been incorporated into ChatGPT, leaving them more open to misuse. These bots could easily become tools for generating malicious code, crafting phishing emails, or designing ransomware attacks.

Next, these copycat chatbots are frequently hosted on less secure platforms, which may be susceptible to cyber-attacks. Hackers could potentially compromise these platforms to gain control of the chatbots and manipulate their capabilities for nefarious purposes.

Copycat chatbots present the risk of amplifying misinformation and fostering cybercrime. As they lack the same level of scrutiny and oversight as ChatGPT, they could be used to disseminate deceptive content on a large scale.

Proactive measures you can take to combat AI-enhanced ransomware threats

Despite the escalating threat, the outlook is not hopeless.

As always, good security hygiene can go a long way in bolstering your defenses. The advice hasn’t changed, but it bears repeating.

Regular updates and patches: Ensure that all your software, including your operating system and applications, are up to date.

Avoid suspicious emails/links: Be wary of emails from unknown sources and don’t click on suspicious links. Remember, AI can be used to mimic trusted contacts.

Back up your data: Regularly backing up data is a simple yet effective way of mitigating the potential damage of a ransomware attack. The more data you have backed up, the easier it is to recover from a potential disaster.

Promote a culture of security awareness: Learn about the latest threats and techniques used by hackers. The better your company and all employees understand these tactics, the easier it will be to recognize and avoid potential threats.

If you do fall victim to a ransomware attack, don’t panic. Disconnect from the internet, report the incident to local authorities, and consider seeking professional help to mitigate the damage. In most cases, paying the ransom is not recommended.

While AI can pose a threat when in the hands of hackers, it can also be a potent ally in your defense. AI-driven cybersecurity solutions are becoming more prevalent and can help you combat these advanced threats. These solutions use machine learning to recognize patterns, anticipate threats, and respond in real-time. By adopting AI-based security tools, you’re not just reacting to cyber threats, but proactively defending against them.

How AT&T Cybersecurity can help defend against ransomware

If your company lacks cybersecurity expertise, you may consider hiring trusted and experienced consultants to help you out. Take control by proactively making your company a place that cybercriminals do not want to visit.

With AT&T Cybersecurity incident response service, you’ll be well-positioned to:

  • Prevent data breaches
  • Quickly respond to attacks and mitigate impact
  • Minimize impacts of a potential breach
  • Quickly analyze and recover from the breach
  • Mitigate security risk
  • Improve incident response
  • Leverage an “all hands on deck” approach, which includes in-depth digital forensic analysis, breach support, and compromise detection

The post Rise of AI in Cybercrime: How ChatGPT is revolutionizing ransomware attacks and what your business can do appeared first on Cybersecurity Insiders.

In today’s fast-paced digital landscape, businesses proactively seek innovative ways to optimize their networks, enhance operational efficiency, and reduce costs. Network Functions Virtualization (NFV) emerges as a transformative technology that leads the charge.

NFV revolutionizes traditional, hardware-based network functions by converting them into flexible, software-based solutions. Virtual Network Functions (VNFs) can be deployed on commodity servers, cloud infrastructure, or even in data centers, freeing businesses from the constraints of specialized, proprietary hardware.

NFV simplifies network operations and significantly reduces hardware costs by allowing network functions, such as firewalls, load balancers, and routers, to run on general-purpose servers. This leads to substantial savings in both capital expenditure (CAPEX) and operational expenditure (OPEX).

Furthermore, NFV equips businesses with the agility and flexibility necessary to adapt quickly to changing network demands. Unlike traditional hardware-based network functions, which are static and require manual configuration, VNFs can be rapidly deployed, scaled, or modified to accommodate fluctuating network requirements. This provides a level of scalability and agility that was previously unattainable.

NFV also streamlines network management and automation. With NFV Management and Orchestration (MANO) systems, businesses can centrally manage and orchestrate VNFs, reducing the complexity and manual effort associated with network administration. This simplifies the deployment and management of network services, improves efficiency, and minimizes the risk of errors.

Moreover, NFV contributes to more sustainable and environmentally friendly operations by reducing energy consumption. By consolidating multiple network functions onto shared infrastructure, NFV lowers energy usage and cooling requirements.

The NFV architecture, standardized by the European Telecommunications Standards Institute (ETSI), provides a blueprint for implementing and deploying NFV solutions. It comprises three main components:

  • Virtual Network Functions (VNFs): Software implementations of network functions deployable on Network Function Virtualization Infrastructure (NFVI). Each VNF runs on generic server hardware and interconnects with other VNFs to create extensive networking communication services.
  • NFV Infrastructure (NFVI): The environment hosting the VNFs. It includes the hardware resources and the software layers that abstract, pool, and manage the physical resources.
  • NFV Management and Orchestration (MANO): The framework orchestrating and managing physical and/or virtual resources that support the VNFs. The MANO layer consists of the NFV Orchestrator, VNF Manager, and Virtualized Infrastructure Manager (VIM).

This architecture decouples network functions from proprietary hardware appliances, which is how NFV enhances network flexibility, scalability, and service deployment speed while cutting costs and energy consumption.

NFV not only brings cost savings and efficiency but also fosters innovation. The ability to quickly and easily deploy new network functions enables businesses to experiment with new services and features, accelerating innovation and enhancing competitiveness.

NFV represents a paradigm shift in networking. By transforming rigid, hardware-based network functions into flexible, software-based solutions, NFV equips businesses with the agility, cost-efficiency, and innovation potential necessary to thrive in the digital age. Embracing NFV is a strategic move for businesses looking to future-proof their networks and maintain a competitive edge in the digital era. Don’t let your current network setup hold you back; explore the possibilities NFV offers with AT&T Cybersecurity and transform your network infrastructure today.

The post What is NFV appeared first on Cybersecurity Insiders.