InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
1. Rise of Sophisticated Impersonation Attacks Threat actors are increasingly tricking users by impersonating trusted services like ChatGPT, Cisco AnyConnect, Google Meet, and Microsoft Teams. They deploy phishing campaigns using cloned login pages or malicious files that seem legitimate, hoping to deceive users into entering credentials or downloading malware. These mimicry operations are carefully designed, with legitimate branding and context.
2. Exploiting Hybrid Work Tools With remote and hybrid work now the norm, hackers have shifted their tactics to exploit collaboration and VPN platforms. They craft malicious emails or fake notifications that appear to come from these popular services, encouraging users to click harmful links or grant permissions that facilitate unauthorized access and infection .
3. Diverse Payload Delivery Mechanisms The attacks aren’t limited to one method. Some rely on phishing emails containing malicious links or attachments, while others abuse meeting invites in Google Meet or Teams to deliver payloads. There are also standalone fake installers—such as trojanized VPN software—used to deploy remote access tools or malware under the guise of routine updates or patches .
4. Automation and Targeted Social Engineering By automating the creation of phishing sites and using AI-driven reconnaissance, attackers can construct highly specific and credible social engineering scenarios. These may include sending spoofed notifications tailored for IT admins or frequent VPN users, significantly increasing the chances of successful breaches .
5. Prevention & User Awareness Strategies The article stresses defense-in-depth strategies: enabling multi-factor authentication (MFA), verifying URLs before entering credentials, using dedicated device managers for downloads, and providing regular phishing-awareness training. It also underscores that IT teams should monitor logs for unusual login patterns and extend protection to collaboration platforms via endpoint security or email filtering .
Feedback
This piece effectively highlights a growing threat in today’s work environment—attackers hijacking the trust in widely used collaboration and VPN tools. Its strength lies in contextualizing how deepfake-style phishing is evolving with remote work trends. However, the article could benefit from more real-world examples or case studies to illustrate these threats in action. Additionally, it might be worthwhile to include references to security standards like the MITRE ATT&CK framework, which would give readers clearer insight into attack patterns and mitigation tactics. Overall, it’s a clear, timely alert that serves both as a warning and a practical guide for strengthening organizational security.
AI hallucinations—instances where AI systems generate incorrect or misleading outputs—pose significant risks to cybersecurity operations. These errors can lead to the identification of non-existent vulnerabilities or misinterpretation of threat intelligence, resulting in unnecessary alerts and overlooked genuine threats. Such misdirections can divert resources from actual issues, creating new vulnerabilities and straining already limited Security Operations Center (SecOps) resources.
A particularly concerning manifestation is “package hallucinations,” where AI models suggest non-existent software packages. Attackers can exploit this by creating malicious packages with these suggested names, a tactic known as “slopsquatting.” Developers, especially those less experienced, might inadvertently incorporate these harmful packages into their systems, introducing significant security risks.
The over-reliance on AI-generated code without thorough verification exacerbates these risks. While senior developers might detect errors promptly, junior developers may lack the necessary skills to audit code effectively, increasing the likelihood of integrating flawed or malicious code into production environments. This dependency on AI outputs without proper validation can compromise system integrity.
AI can also produce fabricated threat intelligence reports. If these are accepted without cross-verification, they can misguide security teams, causing them to focus on non-existent threats while real vulnerabilities remain unaddressed. This misallocation of attention can have severe consequences for organizational security.
To mitigate these risks, experts recommend implementing structured trust frameworks around AI systems. This includes using middleware to vet AI inputs and outputs through deterministic checks and domain-specific filters, ensuring AI models operate within defined boundaries aligned with enterprise security needs.
Traceability is another critical component. All AI-generated responses should include metadata detailing source context, model version, prompt structure, and timestamps. This information facilitates faster audits and root cause analyses when inaccuracies occur, enhancing accountability and control over AI outputs.
Furthermore, employing Retrieval-Augmented Generation (RAG) can ground AI outputs in verified data sources, reducing the likelihood of hallucinations. Incorporating hallucination detection tools during testing phases and defining acceptable risk thresholds before deployment are also essential strategies. By embedding trust, traceability, and control into AI deployment, organizations can balance innovation with accountability, minimizing the operational impact of AI hallucinations.
Google recently announced a significant advancement in its fight against online scams, leveraging the power of artificial intelligence. This initiative involves deploying AI-driven countermeasures across its major platforms: Chrome, Search, and Android. The aim is to proactively identify and neutralize scam attempts before they reach users.
Enhanced Scam Detection: The AI algorithms analyze various data points, including website content, email headers, and user behavior patterns, to identify potential scams with greater accuracy. This goes beyond simple keyword matching, delving into the nuances of deceptive tactics.
Proactive Warnings: Users are alerted to potentially harmful websites or emails before they interact with them. These warnings are context-aware, providing clear and concise explanations of why a particular site or message is flagged as suspicious.
Improved Phishing Protection: AI helps refine phishing detection by identifying subtle patterns and linguistic cues often used by scammers to trick users into revealing sensitive information.
Cross-Platform Integration: The AI-powered security measures are seamlessly integrated across Google‘s ecosystem, providing a unified defense against scams regardless of the platform being used.
Significance of this Development:
This initiative signifies a crucial step in the ongoing battle against cybercrime. AI-powered scams are becoming increasingly sophisticated, making traditional methods of detection less effective. Google‘s proactive approach using AI is a promising development that could significantly reduce the success rate of these attacks and protect users from financial and personal harm. The cross-platform integration ensures a holistic approach, maximizing the effectiveness of the countermeasures.
Looking Ahead:
While Google‘s initiative is a significant step forward, the fight against AI-powered scams is an ongoing arms race. Cybercriminals constantly adapt their techniques, requiring continuous innovation and improvement in security measures. The future likely involves further refinements of AI algorithms and potentially the integration of other advanced technologies to stay ahead of evolving threats.
This news highlights the evolving landscape of cybersecurity and the crucial role of AI in both perpetrating and preventing cyber threats.
AI’s role in modern hacking is indeed a double-edged sword, offering both powerful defensive tools and sophisticated offensive capabilities. While AI can be used to detect and prevent cyberattacks, it also provides attackers with new ways to launch more targeted and effective attacks. This makes AI a crucial element in modern cybersecurity, requiring a balanced approach to mitigate risks and leverage its benefits.
AI in Modern Hacking: A Double-Edged Sword
AI as a Shield: Enhancing Cybersecurity Defenses
Threat Detection and Prevention: AI can analyze vast amounts of data to identify anomalies and patterns indicative of cyberattacks, even those that are not yet known to traditional security systems.
Automated Incident Response: AI can automate many aspects of the incident response process, enabling faster and more effective remediation of security breaches.
Enhanced Threat Intelligence: AI can process information from multiple sources to gain a deeper understanding of potential threats and predict future attack vectors.
Vulnerability Management: AI can automate vulnerability assessments and patch management, helping organizations to proactively identify and address weaknesses in their systems.Â
AI as a Weapon: Amplifying Attack Capabilities
Sophisticated Phishing Attacks: AI can be used to generate highly personalized and convincing phishing emails and messages, making it more difficult for users to distinguish them from legitimate communication.Â
Automated Vulnerability Exploitation: AI can automate the process of identifying and exploiting vulnerabilities in software and systems, making it easier for attackers to gain access to sensitive data.Â
Deepfakes and Social Engineering: AI can be used to create realistic deepfakes and engage in other forms of social engineering, such as pretexting and scareware, to deceive victims and gain their trust.Â
Password Cracking and Data Poisoning: AI can be used to crack passwords more efficiently and manipulate data used to train AI models, potentially leading to inaccurate results and compromising security.Â
The Need for a Balanced Approach
Multi-Layered Security:Organizations need to adopt a multi-layered security approach that combines AI-powered tools with traditional security measures, including human expertise.
Skills Gap:The increasing reliance on AI in cybersecurity requires a skilled workforce, and organizations need to invest in training and development to address the skills gap.
Continuous Monitoring and Adaptation:The threat landscape is constantly evolving, so organizations need to continuously monitor their security posture and adapt their strategies to stay ahead of attackers.
Ethical Hacking and Red Teaming:Organizations can leverage AI for ethical hacking and red teaming exercises to test the effectiveness of their security defenses.Â
Countering AI-powered hacking requires a multi-layered defense strategy that blends traditional cybersecurity with AI-specific safeguards. Here are key countermeasures:
Deploy Defensive AI: Use AI/ML for threat detection, behavior analytics, and anomaly spotting to identify attacks faster than traditional tools.
Adversarial Robustness Testing: Regularly test AI systems for vulnerabilities to adversarial inputs (e.g., manipulated data that tricks models).
Zero Trust Architecture: Assume no device or user is trusted by default; verify everything continuously using identity, behavior, and device trust levels.
Model Explainability Tools: Employ tools like LIME or SHAP to understand AI decision-making and detect abnormal behavior influenced by attacks.
Secure the Supply Chain: Monitor and secure datasets, pre-trained models, and third-party AI services from tampering or poisoning.
Continuous Model Monitoring: Monitor for data drift and performance anomalies that could indicate model exploitation or evasion techniques.
AI Governance and Compliance: Enforce strict access controls, versioning, auditing, and policy adherence for all AI assets.
Human-in-the-Loop: Combine AI detection with human oversight for critical decision points, especially in security operations centers (SOCs).
In conclusion, AI has revolutionized cybersecurity, but it also presents new challenges. By understanding both the benefits and risks of AI, organizations can develop a more robust and resilient security posture.Â
AI-Powered Cyberattacks: Hackers now use AI for smarter, faster attacks. Defense: Deploy AI-driven security tools and invest in AI threat detection.
Deepfake Manipulations: Synthetic media is used for fraud and disinformation. Defense: Train staff on deepfake identification and enhance verification procedures.
Quantum Computing Threats: Future quantum computers could break traditional encryption. Defense: Start planning for quantum-resistant cryptographic solutions.
IoT Exploits: Connected devices are major entry points for attacks. Defense: Implement strict IoT security policies and update firmware regularly.
Supply Chain Attacks: Attackers target vendors and partners to breach organizations. Defense: Conduct thorough supplier risk assessments and enforce supply chain security standards.
​The U.S. National Institute of Standards and Technology (NIST) has raised concerns about the security vulnerabilities inherent in artificial intelligence (AI) systems. In a recent report, NIST emphasizes that there is currently no foolproof method to defend AI technologies from adversarial attacks. The institute warns against accepting vendor claims of absolute AI security, noting that developers and users should be cautious of such assurances. ​
NIST’s research highlights several types of attacks that can compromise AI systems:​
Evasion Attacks: These occur when adversaries manipulate inputs to deceive AI models, leading to incorrect outputs.​
Poisoning Attacks: In these cases, attackers corrupt training data, causing the AI system to learn incorrect behaviors.​
Privacy Attacks: These involve extracting sensitive information from AI models, potentially leading to data breaches.​
Abuse Attacks: Here, legitimate sources of information are compromised to mislead the AI system’s operations. ​
NIST underscores that existing defenses against such attacks are insufficient and lack robust assurances. The agency calls on the broader tech community to develop more effective security measures to protect AI systems. ​
In response to these challenges, NIST has launched the Cybersecurity, Privacy, and AI Program. This initiative aims to support organizations in adapting their risk management strategies to address the evolving landscape of AI-related cybersecurity and privacy risks. ​
Overall, NIST’s findings serve as a cautionary reminder of the current limitations in AI security and the pressing need for continued research and development of robust defense mechanisms.
In recent investigations, Mandiant, a leader in cybersecurity, identified a China-nexus espionage group known as UNC3886 targeting Juniper Networks’ routers. This group exploited vulnerabilities in Juniper’s Junos OS to deploy custom backdoors, aiming to establish persistent access within targeted networks.
UNC3886 is recognized for its sophisticated tactics, often focusing on network appliances that traditionally lack advanced detection mechanisms. By compromising these devices, the group can maintain long-term, covert access, making their malicious activities challenging to detect.
The attack methodology involved deploying malware that could survive device reboots and software upgrades, ensuring continuous access. This persistence is particularly concerning as it allows the threat actors to monitor and potentially manipulate network traffic over extended periods.
Mandiant’s analysis indicates that UNC3886’s operations are part of a broader strategy by China-nexus espionage actors to exploit network infrastructure devices. These devices often operate without the rigorous security monitoring applied to standard endpoints, providing an attractive target for sustained espionage activities.
The use of compromised routers and other network devices is not an isolated tactic. Other China-nexus groups have been observed employing similar strategies, utilizing compromised devices to create obfuscated relay networks, complicating attribution and detection efforts.
Organizations are advised to implement stringent security measures for all network appliances, including regular firmware updates, robust access controls, and continuous monitoring for unusual activities. Such proactive steps are essential to defend against these sophisticated threats targeting critical network infrastructure.
This incident underscores the evolving landscape of cyber espionage, highlighting the necessity for comprehensive security strategies that encompass all facets of network operations to mitigate risks associated with advanced persistent threats.
For a detailed breakdown of each control set, check out the full post
The state threats outlined in the 2025 National Risk Register focus on risks posed by hostile states and their potential impact on critical national infrastructure (CNI), financial systems, and communications networks. Key findings include:
Cyber Attacks on Financial Systems: State and non-state actors could target financial market infrastructures (FMIs) and retail banks, leading to system failures, data breaches, and prolonged outages. Such incidents risk eroding public confidence in financial systems, disrupting transactions, and causing economic instability. Recovery from these attacks could take weeks to months, depending on the severity.
Disruption of Critical Infrastructure: Malicious attacks on telecommunications, such as transatlantic cables or space-based systems, could severely impact data communication, government operations, and emergency services. These risks, while low in likelihood, have significant consequences, including economic losses and interruptions to essential services like energy and transport.
Economic and Strategic Risks: The report emphasizes the potential consequences of geopolitical conflicts and economic vulnerabilities. Examples include the UK’s integration with European energy markets, where supply disruptions or price volatility could result from global or regional tensions, including threats to global oil trade routes.
In response, robust incident management frameworks and recovery plans, such as the UK’s Authorities’ Response Framework (ARF), are critical to mitigate the effects of these threats. The focus remains on resilience-building and safeguarding national security.
“The National Risk Register is the external [published] version of the [internal, classified] National Security Risk Assessment which is the government’s assessment of the most serious risks facing the UK.”
In 180 pages, the NRR describes of significant risks, threats and hazards categorized as: terrorism; cyber; state; geographic and diplomatic; accidents and systems failures; natural and environmental [plus] human, animal and plant health; societal; or conflict and instability. Each risk is described as a ‘reasonable worst case scenario’, most with plots of estimated probabilities over 2 years (if malicious) or 5 years (benign) against domestic impacts, along with the necessary response and recovery activities.
The introduction by Pat McFadden, chairman of the UK Cabinet resilience committee, refers to recent and current incidents, not just in the UK (e.g. Crowdstrike and US wildfires), emphasising resilience at a national level. [NIS 2, in contrast, concerns resilience both nationally and internationally across Europe, acknowledging the regional and in fact global nature of shared infrastructure, supply chains and threats.]
Pat concludes the intro with a call to action: “I encourage all risk and resilience professionals to consider the risks in this publication, and join our collective endeavor to make the UK more prosperous and resilient.” Hopefully we are doing more than ‘consider’, for example comparing and contrasting our corporate risk registers, priorities and actions against the NRR, and adopting a similarly dynamic risk management approach with frequent updates rather than the usual once-a-year.
A hacktivist entity known as USDoD has asserted that it has leaked CrowdStrike’s “entire threat actor list” and claims to possess the company’s “entire IOC [indicators of compromise] list,” which purportedly contains over 250 million data points.
Details of the Alleged Leak
On July 24, 2024, the USDoD group announced an English-language cybercrime forum, stating that they had obtained and leaked CrowdStrike’s comprehensive threat actor database.
The group provided a link to download the alleged list and shared sample data fields to substantiate their claims.
The leaked information reportedly includes:
Adversary aliases
Adversary status
The last active dates for each adversary
Region/Country of Adversary Origin
Number of targeted industries and countries
Actor type and motivation
Claim of the breach
The sample data contained “LastActive” dates up to June 2024, while the Falcon portal’s last active dates for some actors extend to July 2024, suggesting the potential timeframe of the data acquisition.
Cyber Press researchers stated that they were able to view some of the documents leaked.
Background on USDoD
USDoD has a history of exaggerating claims, likely to enhance its reputation within hacktivist and eCrime communities.
For example, they previously claimed to have conducted a hack-and-leak operation targeting a professional networking platform, which was later debunked by industry sources as mere web scraping.
Since 2020, USDoD has engaged in both hacktivism and financially motivated breaches, primarily using social engineering tactics.
In recent years, they have focused on high-profile targeted intrusion campaigns and have sought to expand their activities into administering eCrime forums.
USDoD also claimed to possess “two big databases from an oil company and a pharmacy industry (not from the USA).” However, the connection between these claims and the alleged CrowdStrike data acquisition remains unclear.
The potential leak of CrowdStrike’s threat actor database could have significant implications for cybersecurity:
Compromise of ongoing investigations
Exposure of tracking methods for malicious actors
Potential advantage for cybercriminals in evading detection
This story unfolds following a CrowdStrike update that caused Windows machines to experience the Blue Screen of Death (BSOD) error.
CrowdStrike’s Response
CrowdStrike, a leading cybersecurity firm known for its threat intelligence and incident response services, has responded to the claims. The company stated:
“The threat intel data noted in this report is available to tens of thousands of customers, partners, and prospects – and hundreds of thousands of users. Adversaries exploit current events for attention and gain. We remain committed to sharing data with the community.”
While USDoD has been involved in legitimate breaches, its credibility in this specific case is questionable.
Their history of exaggeration, the inconsistencies in the leaked data, and CrowdStrike’s response all cast doubt on the authenticity and severity of the claimed leak.
Secure email gateways (SEG) do a lot to protect organizations from malware, spam, and phishing email. For some threat actors though, they also offer an attractive option for sneaking malicious mail past other SEGs.
Security researchers from Cofense this week reported observing a recent surge in attacks, where threat actors have used SEGs to encode or to rewrite malicious URLs embedded in their emails to potential victims. In many cases, when the emails arrived at their destination, SEGs allowed the malicious URLs to go through without properly vetting the link.
The SEG Versus SEG Threat
The reason, says Max Gannon, threat intelligence manager at Cofense, is that some secure email gateway products appear not to be handling SEG-encoded URLs properly and assume them to be always safe, when in reality they are not.
“We do not have access to the internals of SEGs, so I can’t say for certain,” Gannon says. “But they likely either implicitly trust the URLs or they attempt to scan them, but the domain of the SEG that encodes the URL is trusted, so the [receiving] SEG assumes the URL itself is legitimate.”
In SEG encoding, a secure email gateway product essentially rewrites every URL in an outgoing email into a link that points to its own infrastructure. When a recipient clicks on the encoded link, the user is first directed to the sender’s SEG system, which checks if the URL is safe before redirecting the user to the intended destination. The checks usually involve assessing the URL using reputation, blacklists, signatures, and other mechanisms, which means sometimes it might take an SEG days and even weeks before it designates a URL as malicious.
In these situations, problems can arise if the recipient’s secure email gateway technology does not recognize an already encoded URL as needing scanning, or if the recipient’s SEG scans the URL, but only sees the sending email gateway’s domain and not the final destination.
“Oftentimes when SEGs detect URLs in emails that are already SEG-encoded they do not scan the URLs, or the scanning shows only the security tool’s scanning page and not the actual destination,” Cofense wrote in its report this week. “As a result, when an email already has SEG-encoded URLs, the recipient’s SEG often allows the email through without properly checking the embedded URLs.”
A Substantial Increase
Attackers have abused SEG encoding previously to sneak malicious emails into target environments. But there has been a substantial increase in use of the tactic in the second quarter of this year, May in particular. Cofense said.
According to the security vendor, the four email security gateways that threat actors have abused the most to encode URLs and sneak them past email defense mechanisms are VIPRE Email Security, Bitdefender LinkScan, Hornet Security Advanced Threat Protection URL Rewriting, and Barracuda Email Gateway Defense Link Protection.
Cofense said its researchers had observed attackers using these SEGs to encode malicious URLs in variously themed campaigns targeted at users protected by SEGs from a variety of vendors.
Gannon says some SEG encodings would require the threat actor to run their URL through the SEG. “Other encodings like Barracuda Link Protect would let you simply prepend their URL to the malicious URL you are trying to bypass with,” he says. “For example, to use Barracuda Link Protect to bypass SEGs with the URL hxxp[:]//badplace[.]com/, I would simply add the Barracuda Link Protect URL and make it: hxxps://linkprotect[.]cudasvc[.]com/url?a=hxxp[:]//badplace[.]com/.”
Gannon says one reason why threat actors likely aren’t using the tactic on a much broader scale is because it involves additional work. “The biggest thing it comes down to is effort,” he says. If a threat actor can take an hour to encode all the URLs in a campaign and reach 500 more inboxes, they could take the same hour and just find an additional 1,000 email addresses to send the campaign to.”
Protecting against the tactic can be relatively difficult, as most SEGs don’t have tuning methods for ignoring other SEG encodings, Gannon says. Therefore, the best way to combat the tactic remains user awareness and training. “A vigilant and informed employee is not going to click a link in a suspect email, even if the URL is encoded by a SEG.”
Ransomware attacks against manufacturers, utilities and other industrial companies were up 50% last year.
The pace and sophistication of cyberattacks against industrial companies are escalating rapidly, as administration officials warn that nation-states are heavily targeting U.S. critical infrastructure sectors.
Ransomware attacks against industrial companies increased by around 50% last year, according to an annual report from cybersecurity company Dragos published Tuesday, which tracked 905 strikes.
The Hanover, Md.-based company, which specializes in protecting systems used by heavy industries such as electric grids and wastewater plants, said it tracked 28% more groups specifically targeting “operational technology” last year than the year before. The term refers to the heavy machinery and industrial control systems used by manufacturing plants, water utilities and similar organizations, as opposed to information technology, which generally comprises software such as accounting and human resources systems. Among industrial companies, manufacturers were targeted most, said Rob Lee, chief executive of Dragos.
“It’s not so much that they’re OT experts, it’s just they know that they’re impacting the revenue-generating portions of those companies,” Lee said, “so the companies are willing to pay, and pay faster.”
Even when ransomware attacks target manufacturers’ corporate technology systems and not their operational technology machinery, there can be collateral damage for production, said Mark Orsi, president of the Manufacturing Information Sharing and Analysis Center, a nonprofit that coordinates the sharing of threat data among manufacturers.
“The vast majority of ransomware variants only target the IT infrastructure of an organization, but all too often the manufacturing plant floor operations are disrupted as a result of compromise to IT systems,” he said.
But ransomware is just the tip of the iceberg, say industry observers. The tools used by hackers to specifically target operations have become more sophisticated in recent years.
The emergence of Pipedream, for instance, a tool believed to have been authored by a nation-state team, has many concerned. Pipedream is able to target industrial systems across industries, and doesn’t rely on common attack methods, such as exploiting vulnerabilities in software.
“When Pipedream or Pipedream-like capabilities leak out into the community, they will be the Cobalt Strikes of OT. That’s the stuff that worries me,” Lee said during a call with reporters on Jan. 30, referring to a suite of cybersecurity tools, Cobalt Strike, developed for network defenders, which gave rise to a slew of malicious hacking tools when it was leaked.
U.S. officials have also ratcheted up warnings of attempts to infiltrate U.S. critical infrastructure. Christopher Wray, director of the Federal Bureau of Investigation, on Sunday said Chinese efforts to secure footholds in critical infrastructure networks are occurring at an unprecedented scale.
While Beijing routinely denies involvement in hacking, Wray’s comments follow a series of similar remarks made by Rob Joyce, cybersecurity director of the National Security Agency. Last month, Joyce told an FBI-sponsored conference that Chinese hackers are positioning themselves within those networks so as to be able to strike at U.S. infrastructure in the event of a conflict. The U.S. government in January said it disrupted one such operation, without specifying the types of infrastructure targeted.
“It’s not just an electric company issue, it’s not just a water issue or a manufacturing issue. I think it’s an issue that affects all of us,” said Jason Nations, director of enterprise security at Oklahoma City-based
Critical infrastructure operators also face supply-chain security threats common to companies in many industries. German company
PSI Software, which said last week it had been the victim of a cyberattack, specified on Monday that it had been hit by ransomware, and took its systems offline to prevent further intrusions. PSI Software supplies software specialized for energy providers and other industrial processes. PSI didn’t respond to a request for comment.
One difficulty critical-infrastructure companies struggle with is finding cybersecurity experts to defend their networks. While there is a shortage of around 4 million corporate cyber professionals globally, according to trade association ISC2, some companies say it is especially difficult to hire people with both cyber skills and expertise in heavy machinery and industrial technology.
A wastewater treatment plant in Fountain Valley, Calif. U.S. officials have said Chinese hackers have been trying to position themselves inside critical infrastructure to be able to impede operations in the event of a conflict. PHOTO: MARIO TAMA/GETTY IMAGES
Cybercriminal tactics continue to grow in number and advance in ability; in response, many organisations have seen the need to reach a security posture where their teams can proactively combat threats.
Threat hunting plays a pivotal role in modern organizations’ cybersecurity strategies. It involves actively searching for signs of advanced threats and vulnerabilities beyond passive defense mechanisms. The MITRE ATT&CK Framework is an industry-standard threat hunters can use to proactively ensure they have protection against new and evolving attacks. Automating these processes for threat hunting can advance any security team’s capabilities.
However, it can be challenging to integrate or collect security data for effective threat hunting. The number of security technologies often results in fragmented data and hinders a comprehensive threat-hunting approach. Automated threat hunting has become a solution that can advance the capabilities of any security team.
Understanding Disparate Security Technologies
Modern organisations employ a variety of security technologies to safeguard their digital assets. These include firewalls, intrusion detection systems, antivirus software, and endpoint protection. While effective, the sheer number of disparate security technologies poses challenges in centralising security data. Each solution generates logs and alerts, creating data silos.
The Problem of Non-integrated Security Data
Scattered security data creates several difficulties. Security teams grapple with a deluge of data from diverse sources, making identifying relevant threat indicators and patterns challenging. The absence of comprehensive visibility into potential threats leaves organisations vulnerable to increasingly advanced adversaries, who will exploit these data gaps. Inefficiencies plague threat-hunting processes because analysts must manually correlate data from various sources, slowing response times and increasing the likelihood of missing critical threats.
The Concept of Automated Threat Hunting
Automated threat hunting remediates the challenges inherent in integrating disparate security data. Security systems use advanced algorithms to streamline and enhance the threat hunting process. Automated threat hunting empowers security teams to pull security data from different technologies on demand, ensuring they have the right data.
Automating the MITRE ATT&CK Framework for Threat Hunting
Organizations should enhance the use of MITRE ATT&CK Frameworks in their threat hunting processes and techniques with automation to free up time and improve detection.
Automation #1: Pre-Built Response Playbooks
MITRE ATT&CK provides updated data sets of indicators of compromise (IOC) and techniques, tactics, and procedures (TTPs) that adversaries use. Threat hunters use this data to create procedures and processes around known threats to properly respond. Automation can save this set of procedures as a pre-defined playbook, which can be applied in the future for the same threat. It will also search across all data sources in your security environment for a comprehensive visibility into threats.
Automation #2: Collecting the Right Hunt Data
When collecting security data during a hunt, it’s common to collect too much or too little information. Pinpointing the right data saves time and increases hunt accuracy. MITRE ATT&CK frameworks ensure you have the correct data sources by telling you which to collect from logs, security systems, and threat intelligence. Automation allows you to save parameters for data collection of the right sources to apply for future hunts.
Automation #3: Penetration Testing/Red Teaming
Cyberattacks and tactics change all the time, and red/blue teaming are great exercises that help you understand where your proactive abilities are and your defence against them. Automation can provide a great lift here by automating simulations of known TTPS from MITRE Frameworks to fine-tune detection and response management.
Advantages of Automating Threat Hunting
Automating threat hunting allows security teams to effortlessly access security data from diverse technologies when needed, streamlining hunting and procedures, while reducing manual effort. Security analysts can swiftly identify suspicious activities and patterns, resulting in quicker threat detection. The accelerated detection and response to security incidents are crucial in today’s threat landscape. Automated threat hunting expedites the identification of threats, enabling organisations to respond promptly and mitigate potential damage.
The Role of the Security Operations Platform
A security operations platform offers a wide range of capabilities. It centralises security data from disparate technologies and provides security teams with a unified, real-time view of their environment, thus facilitating improved threat detection and response. An essential aspect of this platform is its ability to query security data from all technologies. This functionality ensures that all artifacts, regardless of their source, are examined, making it an invaluable tool in the hunt for threats.
Conclusion
Automating threat hunting via a security operations platform enhances efficiency, augments visibility, and expedites incident response. As we look to the future of cybersecurity, the seamless integration of security data will remain central to effective threat hunting, ensuring that organizations stay ahead of evolving cyber threats.
Identity isn’t a security problem — it’s the security problem.
This was the takeaway from my recent meeting with a local government CISO in the Washington, D.C. area. Tasked with protecting infrastructure, including the fire and police departments, the CISO turned to CrowdStrike a year ago for endpoint and identity protection.
The CISO outlined the main challenge his team faced: the managed detection and response (MDR) solution in use at the time was unable to keep up with modern security demands. The tool didn’t deliver the speed or fidelity he needed. Nor did it provide remediation, leading to long delays between when the tool sent data to the management console and when his thinly stretched security team could investigate and triage alerts.
CrowdStrike Falcon® Complete solved these problems by providing a bundle of Falcon modules on AWS GovCloud, complete with a virtual team of experts to administer the technology and quickly eliminate threats.
“There’s a complete difference between our previous MDR and CrowdStrike Falcon Complete. One gives me work to do. The other tells me the work is done.” –CISO, A county in the Washington, D.C. area
Identity Is the New Perimeter
Of everything the CISO shared, it was the identity piece that really stood out to me. According to the CrowdStrike 2022 Global Threat Report, nearly 80% of cyberattacks leveraged compromised credentials — a trend the county sees regularly, he said.
With Falcon Complete, the CISO gets CrowdStrike Falcon® Identity Threat Protection to stop identity-based attacks, both through services performed by CrowdStrike and via work done by his security operations center (SOC) team.
Check out this live attack and defend demo by the Falcon Complete team to see Falcon Identity Threat Protection in action.
Below are nine use cases for the identity protection capability, in his own words.
1. We receive executive-level key metrics on identity risks. Falcon Identity Threat Protection provides us immediate value with real-time metrics on total compromised passwords, stale accounts and privileged accounts. As these numbers decrease, our risk and expenditures drop as well, allowing us to prove the value of our cybersecurity investments to stakeholders.
2. We get powerful policies and analytics. Falcon Identity Threat Protection helped us move away from reactive, once-a-year privileged account analysis to proactive real-time analysis of all of our identities, including protocol usage such as Remote Desktop Protocol (RDP) to DCs/critical servers. Many attacks leverage compromised stale accounts, and with Falcon Identity Threat Protection we can monitor and be alerted to stale accounts that become active.
3. We can stop malicious authentications. With Falcon Identity Threat Protection, we can enforce frictionless, risk-based multifactor authentication (MFA) when a privileged user remotely connects to a server — stopping adversaries trying to move laterally. Additionally, we can define policies to reset passwords or block/challenge an authentication from stale or high-risk accounts.
“I’ve bought a lot of cyber tools. My analysts unanimously thanked me the day we bought CrowdStrike.”
4. We can alert system admins to critical issues. Adversaries often target critical accounts. Instead of simply alerting the security team, Falcon Identity Threat Protection allows us to flag critical accounts with specific policies and alerts that can be sent directly to the account owner. For example, the owner of a critical admin account for our organization’s financial systems can be alerted to anomalous behavior around that account, eliminating the need for the security team to reach out to her for every alert.
5.We can investigate behavior and hygiene issues. When reviewing RDP sessions from the last 24 hours, we noticed a former employee, Steve Smith (names changed), remotely accessing a server in our environment from Jane Doe’s computer. Upon investigation, we found Jane Doe was legitimately using Steve Smith’s credentials to perform business functions that Steve was no longer around to perform. We immediately tied Jane’s account to Steve’s to trigger MFA for any authentication. We also reviewed Steve’s permissions and noticed he had extensive local administrator privileges to over 600 computers, which we were able to remove instantly.
6. We can eliminate attack paths to critical accounts. It takes only one user’s credentials to compromise your organization. In previous phishing campaigns that asked users to reset their passwords, 7% of our employees entered their username and password into a fake Microsoft login screen. Falcon Identity Threat Protection shows us how one username and password dump from a single machine can lead to the compromise of a highly privileged account, allowing for full, unfettered access to an enterprise network. We now have the ability to visualize how a low-level account compromise can lead to a full-scale breach.
“Within two hours of deploying Falcon Identity Threat Protection, we identified 10 privileged accounts with compromised passwords and began resetting them immediately.”
7. We gain awareness of AD incidents. With Falcon Identity Threat Protection, we can now see credential scanning and password attacks on all of our external-facing systems that link to our Microsoft AD and Azure AD logins.
8.We can verify if lockouts are actually malicious. Every day, we face a handful of account lockouts, mostly due to users forgetting their passwords or a system that continues to authenticate after the user has reset their password. With Falcon Identity Threat Protection, we can see all account lockouts and failed authentications, allowing us to immediately understand why a lockout occurred and if malicious activity was involved.
9. We can correlate endpoint and identity activity. Once an alert fires off regarding a potentially misused identity, such as a stale account becoming active after 90+ days of inactivity, we can correlate this information with endpoint-related detections. We simply grab the hostname where the stale account became active, pivot to CrowdStrike Falcon® Insight XDR, and look for malicious activity and detections on a specific machine. Likewise, if a machine becomes infected, we can use Falcon Identity Threat Protection to investigate who has access to that machine and whether their behavior is normal. This integration is not only unique but essential with identity-based attacks.
“CrowdStrike not only revolutionized the way our SOC operates, it changed the way I sleep at night.”
Cybersecurity researchers exposed new evasion techniques adopted by an advanced malware downloader called GuLoader.
CrowdStrike researchers d a detailed multiple evasion techniques implemented by an advanced malware downloader called GuLoader (aka CloudEyE).
GuLoader uses a polymorphic shellcode loader to avoid traditional security solutions, the experts mapped all embedded DJB2 hash values for every API used by the malicious code.
The malware uses an anti-analysis technique to avoid execution in virtualized environments.
“In dissecting GuLoader’s shellcode, CrowdStrike revealed a new anti-analysis technique meant to detect if the malware is running in a hostile environment by scanning the entire process memory for any Virtual Machine (VM)-related strings.” reads the analysis published by CrowdStrike.
“New redundant code injection mechanism means to ensure code execution by using inline assembly to bypass user mode hooks from security solutions.”
GuLoader first appeared on the threat landscape in 2019, it was used by threat actors to download multiple remote access trojans (RATs) such as AgentTesla, FormBook, Nanocore, NETWIRE and the Parallax RAT.
Early versions of GuLoader were distributed via spam messages using attachments containing the malicious executable. Recent variants were delivered via a Visual Basic Script (VBS) file.
“GuLoader also started employing advanced anti-analysis techniques to evade detection, such as anti-debug, anti-sandbox, anti-VM and anti-detection to make analysis difficult.” reads the analysis.
A recent GuLoader variant analyzed by the experts exhibits a multistage deployment:
The first stage uses a VBS dropper file to drop a second-stage packed payload into a registry key. It then uses a PowerShell script to execute and unpack the second stage payload from the registry key within memory.
Thesecond stage payload performs all anti-analysis routines (described below), creates a Windows process (e.g., an ieinstal.exe) and injects the same shellcode into the new process.
The third stage reimplements all the anti-analysis techniques, downloads the final payload from a remote server and executes it on the victim’s machine.
The malware implements anti-debugging and anti-disassembling checks to detect the presence of breakpoints used for the analysis of code.
The researchers also noticed the use of a redundant code injection mechanism to avoid NTDLL.dll hooks used by antivirus and EDR solutions to detect malicious activities.
“It then maps that section via NtMapViewofSection on the suspended process.” continues the analysis. “If this injection technique fails, it uses the following redundancy method:
a. NtAllocateVirtualMemory by invoking the inline assembly instructions (without calling ntdll.dll, to bypass AV/EDR User Mode hooks) of that function, using the following assembly stub:
mov eax,18
mov edx,ntdll.77178850
call edx
ret 18
It uses NtWriteProcessMemory to copy the same shellcode onto that virtually allocated address. It uses NtWriteProcessMemory to copy the same shellcode onto that virtually allocated address.”
Experts pointed out that GuLoader remains a dangerous threat that constantly evolves, they also shared Indicators of Compromise for the latest variant of the downloader.
is this website safe ? In this digital world, Check website safety is most important concern since there are countless malicious websites available everywhere over the Internet, it is very difficult to find a trustworthy website. We need tobrowse smart and need to make sure the site is not dangerous by using Multiple approaches.
In general, it is good to type the website URL instead of copy-paste or clicking an URL. Also, check to see the website working with HTTP OR HTTPS.
Investigating: is this website safe
In order to find, is this website safe , we need to figure it out if the URL received from an unknown source and we would recommend cross-checking the URL before clicking on it. Copy the URL to analyzers that available over the Internet and ensure it’s Integrity.
If it is a shortened URL you can unshorten itwith the siteand then analyze the actual URL.
Methods to analyze Websites
To check website safety, the first and the most recommended method is to check online page scanners, which uses the latest fingerprinting technology to show web applications are up to date or infected by malware.
Website reputation check needs to be done to find the trustworthiness of website with WOT .
Ensure SSL is there before making a purchase
In order to check website safety, Ensure the website availability with https before entering the payment card details. We can audit the HTTPS availability with the SSL analyzer URL’s available over the internet.
Also, there is a range of certificates available over the Internet from low assured (domain validation) to the Most trusted Extended validation certificates, you can refer the URL for more details.
Moreover, we can verify their prompt installation with various popular checkers available
According to Google, in order to check, is this website Safe, Browsing is a service that Google’s security team built to identify unsafe websites across the web and notify users and webmasters of potential harm.
In this Transparency Report, Google discloses details about the threats we detect and the warnings we show to users.
We share this information to increase awareness about unsafe websites, and we hope to encourage progress toward a safer and more secure web.
Safe Browsing also notifies webmasters when their websites are compromised by malicious actors and helps them diagnose and resolve the problem so that their visitors stay safer.
Safe Browsing protections work across Google products and power safer browsing experiences across the Internet.
Check the Browsing Website have Any unsafe Content or not – Google Safe Browsing
To Report Malicious websites
Please report the dangerous URL to the services mentioned below. They are arranged in categories which should make it relatively easy to decide which services you should report the site to.
analyzes a website through multiple blacklist engines and online reputation tools to facilitate the detection of fraudulent and malicious websites. This service helps you identify websites involved in malware incidents, fraudulent activities, and phishing websites.
Important tools for Check the Website Reputation and confirm is this website Safe
Cyber criminals are using various sophisticated techniques to fool online users to drop malware and other cyber threats to cause unbearable damages. so beware of the malicious website, don’t blindly open the website and check the website safety before open it.
Here are eight top security threats that IT is likely to see in 2023.
Top 8 security threats for next year
1. Malware
Malware is malicious software that is injected into networks and systems with the intention of causing disruption to computers, servers, workstations and networks. Malware can extract confidential information, deny service and gain access to systems.
IT departments use security software and firewalls to monitor and intercept malware before it gains entry to networks and systems, but malware bad actors continue to evolve ways to elude these defenses. That makes maintaining current updates to security software and firewalls essential.
2. Ransomware
Ransomware is a type of malware. It blocks access to a system or threatens to publish proprietary information. Ransomware perpetrators demand that their victim companies pay them cash ransoms to unlock systems or return information.
So far in 2022, ransomware attacks on companies are 33% higher than they were in 2021. Many companies agree to pay ransoms to get their systems back, only to be hit again by the same ransomware perpetrators.
Ransomware attacks are costly. They can damage company reputations. Many times ransomware can enter a corporate network through a channel that is open with a vendor or a supplier that has weaker security on its network.
One step companies can take is to audit the security measures that their suppliers and vendors use to ensure that the end-to-end supply chain is secure.
3. Phishing
Almost everyone has received a suspicious email, or worse yet, an email that appears to be legitimate and from a trusted party but isn’t. This email trickery is known as phishing.
Phishing is a major threat to companies because it is easy for unsuspecting employees to open bogus emails and unleash viruses. Employee training on how to recognize phony emails, report them and never open them can really help. IT should team with HR to ensure that sound email habits are taught.
4. IoT
In 2020, 61% of companies were using IoT, and this percentage only continues to increase. With the expansion of IoT, security risks also grow. IoT vendors are notorious for implementing little to no security on their devices. IT can combat this threat by vetting IoT vendors upfront in the RFP process for security and by resetting IoT security defaults on devices so they conform to corporate standards.
If your organization is looking for more guidance on IoT security, the experts at TechRepublic Premium have put together an ebook for IT leaders that is filled with what to look out for and strategies to deal with threats.
5. Internal employees
Disgruntled employees can sabotage networks or make off with intellectual property and proprietary information, and employees who practice poor security habits can inadvertently share passwords and leave equipment unprotected. This is why there has been an uptick in the number of companies that use social engineering audits to check how well employee security policies and procedures are working. In 2023, social engineering audits will continue to be used so IT can check the robustness of its workforce security policies and practices.
6. Data poisoning
An IBM 2022 study found that 35% of companies were using AI in their business and 42% were exploring it. Artificial intelligence is going to open up new possibilities for companies in every industry. Unfortunately, the bad actors know this, too.
Cases of data poisoning in AI systems have started to appear. In a data poisoning, a malicious actor finds a way to inject corrupted data into an AI system that will skew the results of an AI inquiry, potentially returning an AI result to company decision makers that is false.
Data poisoning is a new attack vector into corporate systems. One way to protect against it is to continuously monitor your AI results. If you suddenly see a system trending significantly away from what it has revealed in the past, it’s time to look at the integrity of the data.
7. New technology
Organizations are adopting new technology like biometrics. These technologies yield enormous benefits, but they also introduce new security risks since IT has limited experience with them. One step IT can take is to carefully vet each new technology and its vendors before signing a purchase agreement.
8. Multi-layer security
How much security is enough? If you’ve firewalled your network, installed security monitoring and interception software, secured your servers, issued multi-factor identification sign-ons to employees and implemented data encryption, but you forgot to lock physical facilities containing servers or to install the latest security updates on smartphones, are you covered?
There are many layers of security that IT must batten down and monitor. IT can tighten up security by creating a checklist for every security breach point in a workflow.
While knowing full well that human lives may be at stake, criminal gangs have been increasingly targeting the healthcare sector with high-impact attacks like ransomware.
1. Tighten up email security
Healthcare providers should set up numerous layers of defense for a variety of email-borne threats. A good email security solution should be the first layer but will only be effective if it is able to detect multiple malicious signals (malicious IPs, suspicious URLs, hidden malware files, etc.).
Training staff to recognize malicious emails can be useful, but personnel should not bear the brunt of responsibility when it comes to catching signs of attack. Instead, training should focus on the importance of proper policies, such as confirming payments and transfers with a second channel outside of email.
2. Follow best practice for passwords and credentials
Obtaining login credentials is a primary goal in most cyberattacks, and many threat actors now specialize in selling information on to others. Investigations by the Trustwave SpiderLabs team found a large quantity of stolen login credentials and browser sessions enabling access to healthcare facilities advertised on dark web markets.
In addition to following best practices around phishing emails, all employees should be using complex passwords that can’t be easily guessed. When storing passwords, organizations must make sure to use modern and robust password hashing algorithms. Two-factor authentication should also be implemented across the organization as a priority (Note: SMS 2FA should not be considered secure).
3. Improve cyber security awareness
While the responsibility of spotting and stopping cyberattacks should not rest on ordinary healthcare personnel, a well-trained workforce can make a real difference in averting disaster. Attackers will be counting on healthcare staff being too busy and focused on supporting their patients to concentrate on security.
Security training is often limited to a few one-off PowerPoint-driven seminars, but this will do little to increase awareness. Healthcare providers should instead consider more in-depth exercises that replicate serious incidents such as ransomware attacks. This will help decision makers to gain experience in making snap decisions under pressure, better equipping them for when a real crisis looms.
4. Prepare for ransomware attacks
Ransomware is a threat to all sectors, but healthcare is particularly vulnerable to its disruptive effects. A paralyzed IT network will mean more than lost data or productivity – human lives may be on the line if data and equipment are locked down. Callous criminals are counting on healthcare providers caving and paying up to restore systems quickly. Further, attackers increasingly exfiltrate data to pile on more pressure and secure additional profits from dark web buyers.
A strong email security system will stop most malicious emails, but not all – and organizations should be prepared for that. Effective managed detection and response (MDR) capabilities, backed by a skilled team of threat hunters, will help identify and stop ransomware quickly to reduce its impact. A managed security service provider (MSSP) is one of the most affordable ways of acquiring these capabilities on a limited budget.
5. Secure extended IoT networks
Internet of Things (IoT)-enabled equipment has been hugely beneficial in enabling healthcare providers to automate and facilitate remote working. But if not properly monitored and patched, these connected devices can also provide threat actors with an easy attack path.
Hospitals are likely to have hundreds of devices deployed across their facilities, so keeping them all updated and patched can be an extremely resource-heavy task. Many health providers also struggle to accommodate the required downtime to update vital equipment.
Automating device discovery and update processes will make it easier to keep devices secured. Providers should also vet future purchases to ensure they have key security functionality and are accessible for maintenance and updates.
6. Understand supply chain risks
Healthcare providers sit in the center of extremely large and complex supply networks. Suppliers for medical materials, consultants, hardware, and facilities maintenance are just a few examples, alongside a growing number of digital services.
These suppliers often have a large degree of network connectivity or access to data, making them a prime target for threat actors seeking a way into the healthcare provider’s network. Organizations can also become the victim of a second-hand breach if a firm trusted to host or manage their data is attacked.
Supply chain risk can be reduced by vetting the security level of all third-party connections. This can be achieved without invasive network scans through publicly available information such as DNS server configurations and the presence of insecure ports open to the internet (e.g., MS-TERM-SERV, SMB, etc.).
7. Test out your preparations
Security is never a one-and-done affair. Even if the right solutions are in place, the workforce has been well-trained and processes are watertight, it is important to continually test defenses and look for ways to improve them.
Regular vulnerability scans are essential for keeping up with the shifting IT and cyber threat landscape. Application and network penetration tests will take things a step further by leveraging the ingenuity of experienced security personnel to look for a crack that can be found and exploited.
Larger healthcare providers such as hospitals may also consider physical penetration tests to determine if their facility’s IT infrastructure is vulnerable to an intruder on their grounds.
Defending against healthcare threats: Preparation is everything
Hospitals and other frontline healthcare providers are used to dealing with medical emergencies. Personnel have the equipment and processes they need in place, and they have the training to adopt the cool head needed to handle a crisis.
As attackers continue to target the sector, the same level of preparation is increasingly essential for cyber threats.
Criminal gangs are counting on budget cuts and staffing shortages to leave healthcare organizations vulnerable to their attacks. By focusing on these seven steps, providers will be able to present a hardened target that sends these callous opportunists in search of easier prey.
Research from Netacea reveals that as of September 2022, there are over 1,600 professional refund service adverts on hacker forums.
Cybercrime’s continued shift to a service-driven economy has enabled several new professionalized hacking services with Refund Fraud-as-a-Service being one of the latest to rise in popularity over the last few years. This is according to Netacea’s latest threat report, which researched rising trends across a multitude of hacking forums.
Refund fraud is the abuse of refund policies for financial gain and costs e-commerce businesses more than $25 billion every year. Those interested in committing refund fraud can outsource the process to professional social engineers offering Refund-as-a-Service. This poses a significant challenge to retailers, as previously legitimate customers can enlist highly experienced fraudsters to perpetrate this fraud on their behalf, making it difficult to identify fraudulent activity. As online shopping continues its upward trend, professional fraudsters will look to cash in on the opportunity.
Over 540 new refund fraud service adverts were identified in the first three quarters of 2022
Refund fraud services increased by almost 150% from 2019 – 2021
Netacea’s report explores the current structure of the underground Refund-as-a-Service market, the changing tactics and methods used by adversarial groups to perform refund fraud, and how threat intelligence and fraud teams can work collaboratively to effectively combat it.
“As shown in the rise of ransomware-as-a-service attacks, cybercriminals have shifted to a service-based economy — and refund fraud is no exception” said Cyril Noel-Tagoe, Principal Security Researcher, Netacea. “As we approach Black Friday and the holiday season, e-commerce stores should take the necessary steps to reduce their risk of refund fraud, including educating employees on the methods and tactics fraudsters take.”
Additional steps include:
Delivery carriers should replace or complement signatures with one-time passwords to prevent refund fraudsters from claiming that packages did not arrive.
E-commerce stores and delivery carriers should work together to look for patterns in their data sets that may indicate fraudulent activity.
Reputation is power in the underground market. In the instance that an e-commerce store identifies the claim to be fraudulent after a refund payment has been made, the store should rebill the customer’s account. An influx of rebill complaints from customers may cause the refund fraud service to drop the retailer from their store list, to avoid negative reviews.
An IRONSCALES survey published in October 2021 shows over 80% of respondents experienced an increase in email phishing attacks since the start of the pandemic.
Phishing involves the utilization of legitimate-looking emails to steal the login credentials or other sensitive information of a target organization. While it’s just as much a risk for small and medium-sized businesses, in the public sector, phishing attacks could potentially be nation-state sponsored, making it a possible double whammy.
While taking advantage of the latest and greatest software to protect yourself from top cybersecurity threats is par for the course, what makes phishing so pernicious is that it relies on human error. With phishing emails looking more authentic than ever, they are harder to catch.
Distributed Denial of Service (DDoS) Attacks
A recent report says ransom DDoS attacks increased 29% year over year and 175% quarter over quarter in quarter four of 2021. Some of the biggest targets were the public sector, schools, travel organizations, and credit unions.
DDoS attacks are known to bring down some of the largest websites and are quite difficult to prevent. They are considered by some to be the most “powerful weapon” on the internet, easily making DDoS attacks one of the top cyber security threats to the government.
DDoS attacks can happen at any time, affect any part of a website, and disrupt and interrupt services, usually leading to massive financial damage.
Nation-State Sponsored Cyber Attacks
With mainstream media daily broadcasting events as they are occurring to every channel imaginable (cable TV, smartphones, social media, etc.) cyber warfare has become an increasingly common way to launch disinformation campaigns, perform cyber espionage or terrorism, and even cyber-sabotage targets.
Nation-state-sponsored cyber attacks aim to
Hinder communication
Gather intelligence
Steal intellectual property
Damage to digital and physical infrastructure
They are even used for financial gain.
Though cyber attacks are sometimes used in tandem with real life attacks, what makes cyber warfare especially challenging is that it happens virtually and often covertly. There usually isn’t any declaration of war. That makes it difficult to prove who is responsible for the attack.
Ransomware
Ransomware attacks may not be an emerging trend by any means. They may not even be anything new. But they do have a history of wreaking havoc on the public sector and therefore need to be taken seriously.
Rewind to 2019 when the U.S. was hit by an unrelenting barrage of ransomware attacks that ultimately affected at least 966 government agencies, educational establishments, and healthcare providers to $7.5 billion (Emsisoft).
These attacks resulted in 911 services being interrupted, surveillance systems going offline, badge scanners and building access systems not working, websites going down, extended tax payment deadlines, and much more.
The threat of ransomware attacks still looms today and is no less a concern in 2022 than they were in 2019. As far as cyber security threats to the government are concerned, ransomware attacks should be kept on the cybersecurity radar.
What The Public Sector Can Do to Stay Ahead?
Beyond taking full advantage of the latest tech, for the public sector to stay ahead of cyber security in the public sector, you have to create a culture of cybersecurity within your organizations, offering ongoing training to their teams.
You need to secure all infrastructure, including cloud, mobile, and Internet of Things (IoT). You also want to improve compromise detection and be fully prepared for any attack. Plans should be documented and practiced regularly, so detection and response are immediate.
Conclusion
The top cybersecurity threats are generally a consequence of new technologies the public sector is either looking to implement or is already implementing. It is harder to know all the variables and potential vulnerabilities with anything new.
This isn’t to suggest that old technologies are more reliable, however. Like antivirus software, the virus definitions must be continually updated for the software to remain effective. The public sector needs to stay on the cutting edge of best practices.
The public sector must also remain agile in adapting to new threats, whether offering ongoing cybersecurity training, hiring skilled consultants to keep their new technological infrastructures in check, partnering with experienced cybersecurity service providers like Indusface, or otherwise.
In the private sector, hackers and cybercriminals are prone to leaving organizations with good security infrastructures alone. Because they often go after low-hanging fruit, hacking into a well-protected network is perceived as more trouble than it’s worth.
But the public sector is a different matter entirely. The government and government agencies have access to assets and data that criminals would love to get their hands on, even with the added trouble. So, even though the public sector is well protected, it will not stop cybercriminals from attempting to break in.
An IRONSCALES survey published in October 2021 shows over 80% of respondents experienced an increase in email phishing attacks since the start of the pandemic.
Phishing involves the utilization of legitimate-looking emails to steal the login credentials or other sensitive information of a target organization. While it’s just as much a risk for small and medium-sized businesses, in the public sector, phishing attacks could potentially be nation-state sponsored, making it a possible double whammy.
While taking advantage of the latest and greatest software to protect yourself from top cybersecurity threats is par for the course, what makes phishing so pernicious is that it relies on human error. With phishing emails looking more authentic than ever, they are harder to catch.
Distributed Denial of Service (DDoS) Attacks
A recent report says ransom DDoS attacks increased 29% year over year and 175% quarter over quarter in quarter four of 2021. Some of the biggest targets were the public sector, schools, travel organizations, and credit unions.
DDoS attacks are known to bring down some of the largest websites and are quite difficult to prevent. They are considered by some to be the most “powerful weapon” on the internet, easily making DDoS attacks one of the top cyber security threats to the government.
DDoS attacks can happen at any time, affect any part of a website, and disrupt and interrupt services, usually leading to massive financial damage.
Nation-State Sponsored Cyber Attacks
With mainstream media daily broadcasting events as they are occurring to every channel imaginable (cable TV, smartphones, social media, etc.) cyber warfare has become an increasingly common way to launch disinformation campaigns, perform cyber espionage or terrorism, and even cyber-sabotage targets.
Nation-state-sponsored cyber attacks aim to
Hinder communication
Gather intelligence
Steal intellectual property
Damage to digital and physical infrastructure
They are even used for financial gain.
Though cyber attacks are sometimes used in tandem with real life attacks, what makes cyber warfare especially challenging is that it happens virtually and often covertly. There usually isn’t any declaration of war. That makes it difficult to prove who is responsible for the attack.
Ransomware
Ransomware attacks may not be an emerging trend by any means. They may not even be anything new. But they do have a history of wreaking havoc on the public sector and therefore need to be taken seriously.
Rewind to 2019 when the U.S. was hit by an unrelenting barrage of ransomware attacks that ultimately affected at least 966 government agencies, educational establishments, and healthcare providers to $7.5 billion (Emsisoft).
These attacks resulted in 911 services being interrupted, surveillance systems going offline, badge scanners and building access systems not working, websites going down, extended tax payment deadlines, and much more.
The threat of ransomware attacks still looms today and is no less a concern in 2022 than they were in 2019. As far as cyber security threats to the government are concerned, ransomware attacks should be kept on the cybersecurity radar.
What The Public Sector Can Do to Stay Ahead?
Beyond taking full advantage of the latest tech, for the public sector to stay ahead of cyber security in the public sector, you have to create a culture of cybersecurity within your organizations, offering ongoing training to their teams.
You need to secure all infrastructure, including cloud, mobile, and Internet of Things (IoT). You also want to improve compromise detection and be fully prepared for any attack. Plans should be documented and practiced regularly, so detection and response are immediate.
