Posts

Understanding the Types of Cyber Threats on the Rise in 2019

Keeping your IT environment safe means ensuring your finger is on the pulse of the latest threats in cyber-security. However, while there are always the latest zero-day threats and new attack vectors, each year we see some fundamental repeats. Often attackers find it easy to penetrate networks that have poor hygiene such as old exploits left unpatched, authentication issues such as a lack of two factor authentication and weak passwords. These types of network threats threaten the security of your enterprise, endanger your public image, and put customer data and privacy at risk.

While some types of cyber threats have been around for many years, as we enter 2019, many are growing in complexity or changing in design. This risk is growing, especially as businesses continue to move their workloads and processes to multi and hybrid-cloud environments. Virtualization and hypervisors, container orchestration, and auto-scaling workloads are all realities of a modern enterprise. If we really think about what was new in 2018 and will surely continue in 2019, it is attackers attacking critical applications, data centers and clouds directly. In order to stay secure, as well as manage compliance and keep control despite potential gaps in vendor security, your own solution needs to step up. Businesses will increasingly need to choose a security solution that can effortlessly manage a hybrid and multi-cloud infrastructure.

Attackers are regularly learning new methods to gain entry or cause damage. Here are the top threats to look out for in 2019.

Direct Attacks on Data Centers and Clouds

What we’ve seen through our work with our customers and through our Guardicore Global Sensor Network is an increase in attacks on data centers and clouds directly. These types of cyber-security threats do not use targeted spear phishing campaigns to gain entry through a user within an enterprise. Instead, we see attackers finding known and zero day vulnerabilities in applications they can reach directly and exploiting these to get inside. In many cases their work is assisted by fundamental weaknesses like insecure passwords and a lack of dual factor authentication. One of Guardicore Labs’ most important finds this year was the Butter campaign. The attacker(s) started their attack by merely brute forcing poorly passworded SSH servers to gain access. Once they gained access – we found attackers moving incredibly easily across these applications and data centers due to poor segmentation.

While these attacks on the data centers are easy to accomplish, they remain difficult to spot. In fact, for some companies, security teams are not even the ones to ring the alarm bell. Dwell time is not reduced or mitigation started with an enterprise finding the attackers and blocking the threat, but with a third-party letting the enterprise know there is something wrong. In some cases this could be White Hat researchers or the customers themselves, and in the case of attackers seeking monetization – it could be credit card or law enforcement companies that notify the compromised enterprise.

Crypto-jacking

Many experts failed to predict the increase of cryptocurrency attacks for 2018, but no one is making that mistake this year. Attackers are often financially-driven, and mining for cryptocurrency is one way to attempt a quick payout, with more guaranteed results than ransomware. Besides merely offering DDoS as RAT as a service to their customers, the attackers are seeking an additional revenue stream. In fact, while crypto-jacking has risen 44.5% since 2017, ransomware has dropped by almost 30%. Mining malware often looks to exploit vulnerabilities such as unpatched software or known bugs such as this year’s Microsoft Windows Server 2003 vulnerability, or the Oracle Web Logic flaw.
The impact of these attacks is huge, and attackers can steal vast amounts of CPU usage from victims, slowing down performance overall and having a negative effect on both business and customers. Like a worm, virus, or other types of cyber-security threats, crypto-jacking attacks can be tough to find, leaving stakeholders using time-wasting trial and error to find the source of the slowdown. Visibility into the traffic on your network is essential, so that you can track CPU usage and compare real-time activity to historical baselines.

APT

An APT is an Advanced Persistent Threat, where an attacker can breach a network and stay undetected for a long period of time. The goal of these attacks is not to cause instant damage or immediately ask for ransom, drawing attention to your breach, but rather to insidiously steal information or security data in an unobtrusive way. An APT could breach your network using malware, exploit kits or by piggybacking on legitimate traffic. This could make it difficult to spot. Once your network is infected, an APT could find login credentials, and then use these to make lateral moves around your data center or wider system.

Origins of APTs are usually found to be state actors – either direct or sponsored government attackers. Probably the best example this year was the Marriott/SPG attack. With a dwell time that began in 2014 the state actor enjoyed great benefit from their access to Marriott’s SPG network. The data stolen included names, phone numbers, email addresses, passport numbers, dates of birth and arrival and departure information.

This personally identifiable data from an attack of this kind could offer an intelligence agency all sorts of very tangible benefits. One example could be the ability to create more legitimate looking false passports with the use of real identification documents.

This kind of breach would also provide actionable tracking information, allowing an agency or a bad actor to track people’s movements. They could see if someone was checking into particular locations or even catch a meeting between multiple people of interest. The data would also allow them to learn travel patterns and even potentially set up intelligence agencies to “intercept” people of interest.
Because APTs and similar types of cyber-security threats are designed to go unnoticed, they can be difficult to spot. Signs to look out for could be unusual network activity such as spikes in data access. Key defense tactics could be isolating critical data using micro-segmentation and using white lists to limit access to only the applications that should be allowed to communicate with one another.

File-less Malware

One dangerous type of attack that is typically found as part of an APT is file-less malware. As the name suggests, a file is never created, so standard antivirus file-based detection does not work against these breaches. While traditionally, file-less techniques were the first step in malware infection, in recent months fully file-less attacks are gaining traction.

These types of network threats often pivot from memory exploits to highly trusted system tools and then move to access of the rest of a network, undetected. The most common kinds of file-less malware attacks are remote logins, WMI-based attacks, and PowerShell or Microsoft Office based. In short – no malware doesn’t mean no breach. Micro-segmentation, especially if done with effective rules and in even more thorough projects down to the process level, can keep your most critical applications safe from lateral moves even within the same application cluster, even against the threats you can’t see coming.

Attacks on Critical IoT Devices

The final and perhaps the most frightening increase we have seen through 2018 is attackers commandeering critical IoT devices. Often unpatched, and residing in what are generally flat networks (ones without any segmentation), medical devices have been a big target in 2018 and are likely to be further exploited in 2019.

Furthermore, “point of sale” systems are another attack environment we’ve seen increase in popularity, as they also often suffer from a lack of patching and security, and are an easy target for both physical and remote attacks.

Recognizing how to Ward off These Types of Cyber-Security Threats

The combination of increasingly complex IT environments and the growing sophistication of cyber threats is a dangerous one. Micro-segmentation technology can reduce the attack surface in case of a breach, isolating attackers and keeping them away from critical assets and sensitive customer data. Building a smart segmentation strategy starts with a map of your entire IT environment, with application dependency mapping to visualize all the communications and flows in your ecosystem. This true visibility and real-time control over your entire infrastructure, from on premises data centers to multi and hybrid cloud IaaS is essential, in 2019 and beyond.

Want to learn more about breach detection to help prevent damage from cyber threats to your environment?

Read More

Considering Cyber Insurance in the Aftermath of the NotPetya Attack

It’s been 18 months since June 2017 when the Petya/NotPetya cyber attacks fell on businesses around the globe, resulting in a dramatic loss of income and intense business disruption. Has cyber insurance limited the fallout for the victims of the ransomware attacks, and should proactive businesses follow suit and ensure they are financially covered in case of a breach?

Monetizing the Impact of Cybercrime

The effect on the IT and insurance industries of last years wave of cybercrime continues to grow as businesses disclose silent cyber impacts, as well as affirmative losses from WannaCry/Petya. The latest reports from Property Claim Services put the loss at over $3.3 billion, and growing.

Despite this, for some businesses, reliance on insurance schemes has proven inadequate. US Pharmaceutical company Merck disclosed that the Petya cyberattacks have cost them as much as $580 million since June 2017, and predicted an additional $200 million in costs by the end of 2018. In contrast, experts estimated their insurance pay-out would be around $275 million, a huge number, but under half of the amount they have incurred so far, let alone as their silent costs continue to rise.

Other companies have been left even worse off, such as snack food company Mondolez International Inc, who are in a continuing battle with their property insurer, Zurich American Insurance Company. Mondolez claimed for the Petya attacks under a policy that included “all risks of physical loss or damage” specifying “physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction.”

However, Zurich disputed the claim, due to a clause that excludes insurance coverage for any “hostile or war-like act by any government or sovereign power.” As US Intelligence officials have determined that the NotPetya malware originated as an attack by the Russian military against the Ukraine, Zurich are fighting the claim by Mondelez that they are wrongfully denying coverage.

How Does This Lawsuit Affect the Cyber-Insurance Market Overall?

As cyber crime continues to rise, cyber insurance is understandably becoming big business. For companies deciding on whether to take out coverage, CISO’s need to find space in the budget for monthly costs and potentially large premiums. For this risk to be worthwhile, businesses want to be confident that they will recover their costs if a breach happens.

The insurance pay-outs around the Petya cyberattacks, and in particular the Mondolez case, throw this into question. This is especially true considering the rise in cyberattacks that are nation-backed or could plausibly be claimed to be nation-backed by insurance companies in order to dispute a claim. As regulations change and the US military are given more freedom to launch preventative cyberattacks against foreign government hackers, any evidence that suggests governmental or military attribution could be legitimately used against claimants looking to settle their losses.

The Effect on Public Research

The ripple effect of this could go beyond the claims sector, and have a connected impact on security research, as well as free press and journalism in the long run, something we feel strongly about at Guardicore Labs. Traditionally, researchers have had the freedom to comment and even speculate on the attribution of cyber attacks, through information on the attackers’ behavior behind the scenes and the attack signatures they use. If insurance companies and claims handlers begin using public research as a reason to deny coverage to the victims, this could put research teams in an ethical bind, reducing the amount of public research and the transparency of the industry overall.

How Much of a ‘Guarantee’ Can Security Companies Provide?

The issue of what claims to honor extends to financial guarantees from security companies, not only to insurance handlers. It is becoming increasingly popular to offer guarantees to customers who purchase cybersecurity products, in order to ‘put your money where your mouth is’ on the infallibility of a particular solution.

However, many experts believe that these policies have so many loopholes that they negate the benefit of the warranty overall. One example is the often cited ‘nation state or act of god’ exception, which includes cyberterrorism. Others include exclusions of coverage for portable devices, insider threats, or intentional acts. Even if you are widely covered for an event, does that extend to all employees? According to the latest Cyber Insurance Buying Guide, “most policies do not adequately provide for both first-party and third-party loss.”

Your ‘Guarantee’ is not a Guarantee

The bottom line for CISOs looking to protect their business is that cyber insurance is not a catch-all solution by any means. Whether it’s insurance companies paying out a limited figure or skirting a pay-out altogether, or cybersecurity companies making big promises that are ultimately undermined by the small print, cyber insurance has a way to go.

Focus on your cybersecurity solution, including strong technology like micro-segmentation to limit the attack surface in the case of a breach. With this in place, you can ensure that your critical assets and data are ring-fenced and isolated, no matter what your infrastructure looks like and what direction the attack comes from. Integration with powerful breach detection and incident response capabilities strengthens your position even further, reducing dwell time, and giving you a security posture you can rely on.

Do You Have an Effective Security Incident Response Plan? – Assess your Readiness

The Ponemon Institute has found that the survival rate for businesses without a security incident response plan is just 10%. Enterprises will often focus on creating a strong security posture to detect and thwart attackers, but fail to detail what to do if and when a breach actually occurs. That’s not unusual; it can feel defeatist to prepare for the worst. However, with new attacks being discovered all the time, and increasingly connected networks putting us all at risk, an incident response plan is essential.

1. Understanding the Consequences of Ignoring a Security Incident Response Plan

The first stage in your security incident response strategy needs to be recognizing the ramifications of an attack. From the obvious problems, such as asset and data breach, to reputational damage, compliance failures and public image breakdown, it’s in your company’s best interests to be fully prepared. Detailing these threats in writing can help your staff focus on maintaining a strong security posture to prevent attacks, and encourage everyone to work together with a mutual understanding of what’s at risk if the worst happens.

2. Assigning Roles Before an Emergency

Especially in large organizations, it can be hard to keep everyone in the loop when there is a crisis. Identifying the core stakeholders for a security incident before a breach occurs is therefore essential. Here are some key personnel who need to be detailed in your security incident response plan. In some cases they may be obvious, while in others you might need to choose staff to take on responsibilities for some of these roles in your cyber-security incident response team.

  • Incident response managers . It’s worth having at least two members of staff on hand who can oversee and prioritize the incident response plan, communicating information and tasks throughout the business.
  • Security analysts. Maintain the investigation, support the managers in following the plan, and filter out false positives. They may also alert others to potential attacks. It’s essential to ensure that they are given the right tools to be able to manage their role effectively.
  • Threat researchers. These personnel will be the port of call for contextual information around a threat. Using the web, as well as other threat intelligence, they can build and maintain a database of intelligence internally.
  • Key internal stakeholders. Who needs to be kept in the loop when a threat occurs? From board level personnel who may need to sign off on your actions or give the go-ahead for your response plan, to your CISO or human resources representative if human error is involved.
  • Third-party organizations, such as legal counsel, law enforcement, forensics experts or breach remediation companies.

3. Create a High-Level Document Outlining the Security Incident Response Procedure

Many organizations have multiple playbooks with granular detail on the technical side of an attack, in order to help IT manage and contain a breach. However, if you’ve ever experienced a security incident, you know that IT are far from the only department affected by an attack. Your incident response plan needs to be easily communicated and understood by C-suite employees, Human Resources, Vendor Management and all other lines of business stakeholders including global offices or teams in the field. As regulation increasingly dictates that customers are kept informed when their data is at risk, you may even need customer experience managers to be able to relay your position.

Some of the best security incident response plans are one or two pages, and give a high-level overview of how to manage the consequences of an incident. While playbooks might hold specific information for targeting a type of attack, such as Ransomware, your incident response plan should be written so that it can be read by anyone and understood easily in a moment of crisis.

4. Outline Response Priorities

Not every key stakeholder is going to have the same priorities when an attack hits, and not all priorities can be taken into consideration. For example, your board might want to get your operations up and running as quickly as possible, while legal counsel may suggest staying offline until vendors have been notified or customers contacted. Without a clear outline of whose priorities take precedence, existing relationships can dictate what procedure is followed after a breach, following tribal knowledge rather than smart decision making.

Assessing the scale of an attack and making quick decisions about revenue over security for example should not be done in the moment, or by whomever has the ear of the CISO that day. While you’re building your incident response plan, think about who should have autonomy over decisions that manage risk, and engage them in creating priorities based on levels of threat.

Detailed performance objectives can help here. In the event of a customer data breach, your security team might be tasked with finding out what has been exposed and how many customers are affected within a given amount of time. Making smart decisions about the action needed before a problem becomes a reality means all relevant teams can hit the ground running.

5. Simulate Breaches to Troubleshoot in a Safe Environment

Having an incident response plan is not enough in and of itself. Without testing and simulation, there is no way to recognize gaps in protocol or resources, or to uncover changes in third-party procedure. Regular simulations can ensure that your security incident response strategy remains up to date and nothing falls through the cracks. This can include finding replacements for staff who took on security roles and have now left the company, or for external vendors with lapsed service agreements. It can also help you keep up with changes in regulation, and keep new staff informed of the process in case of a breach.

A simulation can be as in-depth as you would like and can range from table top exercises to injecting your system with a known and containable malware, but a few basics to cover include:

  • Going over the lines of communication from detection to resolution
  • Understanding who is authorized to make decisions on security and risk
  • Confirming you have the third-party services in place you need to control a breach
  • Who needs to be contacted in case of a breach for continued regulatory compliance/operations?

The more you make simulation and testing part of your usual security posture, the more likely it will be second nature for the relevant stakeholders when the incident is no longer theoretical.

6. Identify the Scope of a Breach

Many companies act too quickly when they see a threat. Failing to recognize the size of a breach can cause more problems in the long run. Finding one point of entry does not mean that you’ve identified all the endpoints that have been compromised for example. Acting like you have found patient zero when it’s actually patient 10 or 15 can slow down recovery time overall. Modern day attacks are stealthy and subtle, and could have caused more damage than you might have first assumed.

The best security solutions will intercept suspicious activity on threat detection and reroute it to where it cannot do any harm using dynamic deception. The full extent of the breach can then be searched for and contained in real-time, giving your security team an accurate dynamic map of your entire data center and network. Your automatically generated report shows you the deception incidents, including integral information you need to investigate the breach. What passwords were used, and where did the attacker gain entry? Were there malicious binaries used, or suspicious C&C servers? With this level of detail, your security teams are able to start building up a clear picture of root cause.

Containment of this kind can also give you more time to understand what you’re dealing with in a safe environment. By rerouting an attacker using dynamic deception, you can isolate them safely, and monitor and learn from their activities rather than frighten them away by alerting them that you know they’ve gained entry. In this way, you can take back the upper hand, responding to the attackers behavior without going into crisis mode, calmly following your incident response plan priorities – risk free.

7. Limit Dwell Time

Having this level of granular visibility manages the next part of your incident response plan, limiting the amount of time that attackers are on your network. The SANS Institute found that a shocking 50% of organizations didn’t notice a breach for more than 48 hours, while 7% had no idea how long an attacker had breached their network for, even after the fact. The longer an attack continues for without being stopped, the more damage can be done, so having a plan for limiting this is essential.

Your security solution should be able to limit dwell time by provide application layer visibility. This uncovers and tracks process-level activity (not just at the transport layer) across applications in real-time. This can then be automatically correlated with network events and context, allowing you to access reports on suspected incidents and any anomalies detected across all workloads. With this, even new attack vectors are isolated in real-time. With nowhere for attackers to hide, dwell time is automatically minimized at a policy level.

8. Including Recovery Plans

The clearest part of your security incident response plan should outline what happens when a breach has been confirmed. Detail the processes that are automated so that all key stakeholders understand what has already been put into place.

Does your security solution allow IOCs (Indicators of Compromise) to be automatically exported to your SIEM or security gateways to speed up incident response? Can you update your micro-segmentation policies quickly and seamlessly in response to traffic violations? There might be different automated procedures needed for various environments. For example, stopping the spread of damage from VMs or Containers could involve an IOC halting or disconnecting service entirely. The best solutions will provide an integrated platform that shows the full picture from both a security and an infrastructure point of view.

Recovery plans might need their own smaller security incident response plans or playbooks. A DDoS attack is different from an injection of malware. An external bad actor is a different adversary from an insider with high level access who has compromised the network. Your company might have one set of response plans for a breach to customer data, another for artificial intelligence, and yet another for asset recovery. Make sure the right documentation is ready for any event, and the right personnel are equipped with a plan of action.

9. What Lessons Can You Add to Your Security Incident Response Plan?

By utilizing a smart incident response plan, you can use a breach to help prepare for the future. Once the attack is contained and eradicated, make sure to complete any incident documentation for regulation or internal records. You can also perform your own analysis internally to learn from the attack and your responses to it as a company. With the lessons you’ve learned, you can update your security incident response plan. What can you improve for next time, and what gaps did you uncover if any?

A strong security incident response plan is a must-have in today’s increasingly interconnected IT environment. If and when a breach occurs, your business will be asked how you prepared for an incident. This could be used to establish regulatory compliance as well as assessment of the attack and even blame. Creating a detailed analysis of how your company prepares for a threat, as well as responds in the moment and learns from the experience puts you one step ahead, and ready for anything.

Protecting your Business Against Attack Vectors and the Evolving Threat Landscape

Understanding Attack Vectors

An attack vector is the way that an adversary can gain unauthorized access to your network or devices. Over the years, there have been dozens of different attack vectors, many of which have adapted and evolved over time to cause harm or hold companies hostage. Today, networks and organizations are interconnected using both private and public clouds leaving the door ajar for attack vectors that are more sophisticated than ever. What should smart businesses look out for, and how can they protect themselves?

The Evolution of Cyber Attack Vectors

Traditionally, having hardened perimeter security was enough to protect data centers. Layers of security to detect and prevent a breach coming in or out of data centers meant that you could ward off attack vectors to your infrastructure and hardware, which was almost exclusively on-premise.

The Cloud and mobile solutions have changed all of this. The reality for data centers today is keeping data private and secure while running an environment that spans public, private and hybrid clouds. Companies now use a mix of compute resources: Containers, Serverless Functions and VMs. However hackers are not just targeting your compute resources, they are sneaking in via routers and switches, or storage controllers, and sensors. From this vantage point, attackers can then scale their attack, compromising an entire network with lateral movements and connected devices. The MITRE ATT&CK Framework is a great resource to dive deeper on the different initial access attempts¹.

As the way we access the internet changes, cyber attack vectors adapt their own designs right alongside. Assuming that we are plugging all the holes on the IT side is not enough. The human factor has always been a key vulnerability in the security scheme. It has become more prevalent with the advance in end-user technology in recent years. Smartphones are a good example of this. Mobile attack vectors are not something that any organization had to be aware of a decade ago, and now they are an ever-present reality providing an easy gateway into many organizations.

While most people know not to click on dangerous links that arrive via SMS from unknown numbers, and no longer fall prey to email phishing campaigns like unexpected warnings of your bank password being changed, new attack vectors come from unexpected places. The recent Man in the Disk attacks on Android devices are something no one could have anticipated. This malware relies on vulnerabilities in third-party application storage protocols that are not regulated by sandbox restrictions through Android². This careless use of external storage can lead to potential malicious code injection, or the silent installation of unrequested apps to the user’s device. From there, the journey of an attacker to leverage this access to a deeper data center one is very short.

As technology evolves, there are more ways than ever for bad actors to launch attacks. Smart devices and Cloud-solutions only serve to increase the number of platforms which can be used for malicious intent.

Which Attack Vectors Are the Biggest Threats Today?

Email and phishing schemes have been the attack vectors of choice for a large amount of malicious attacks over the past few years. However, as simple attacks are becoming more recognizable, more complex threats are increasingly in vogue. Worryingly, the trend in malware is a movement away from reliance on human error, to clever attack vectors that can strike without any conscious act by the user whatsoever³. Man-in-the-Disk was just one example of this.

Take Drive-by-Downloads. A user only has to visit a compromised website, and malicious code can be injected through their web browser. Once done, this can swiftly move laterally across a network. Mouse Hovering hacking is also growing, a technique that launches javascript when a user hovers over a link to see where it goes. This has been seen in familiar applications such as PowerPoint, showing that even what users consider to be ‘safe’ environments can be dangerous. Increasingly sophisticated attack vectors that can spread without a user’s knowledge or their initial action are only going to become more common over time. If these tactics are leveraged against a user with administrator access to your data centers, the results could be catastrophic.

Administrator access could be the weak link when it comes to keeping your data centers safe overall. By accessing admin privileges, adversaries have access to the most valuable information you store, and can therefore cause the most harm. It’s important to think about the way your business works in a crisis when you’re planning preventive security measures. Used in an emergency, local authentication options are often not logged in the same way as your admins usual activity, and the credentials may even be shared across workloads and hosts for the sake of ease of use.

As well as smarter attack vectors, the growth in threats such as file-less attacks show that attackers are getting better at learning how to cover their tracks. 77% of cyber-crime in the US last year used a form of file-less attack⁴. Research shows that this type of malware is ten times as likely to succeed as traditional file based attacks, and helps attackers stay well beneath the radar.

AI is also an area that is likely to be compromised in the near future, with many companies creating chatbots and machine learning tools as the customer-facing representative of their websites and apps. As virtual assistants are built by humans, they are subject to the same gaps that human knowledge has. Studies are beginning to show that AI has problems with hallucinations and recognition⁵. Let loose on customer data and processes, it’s easy to see how advanced malware may slip through the cracks.

More than ever, in preparation for the next stage of intelligent malware, companies need to secure their data centers effectively against the latest attack vectors.

How Can Businesses Protect Themselves from Cyber Attack Vectors?

Keeping your IT environment safe from the latest attack vectors means being able to detect threats faster, and with better intelligence.

This starts with visibility. Being able to identify application flows across your entire infrastructure means that you have granular visibility across your whole IT stack. Dynamic deception tactics automatically trap attackers, even when the end-user isn’t aware of what is going on under the surface. Reputation analysis instantly uncovers anything suspicious or out of the ordinary, from unexpected IP addresses and domain names to file hashes within application flows. Even new attack vectors are isolated in real-time, with mitigation recommendations so that incident response is streamlined.

Ring-fencing, the separation of one specific application from the rest of the IT landscape is one way that companies are limiting the reach of the latest attack vectors from their most sensitive data or valuable assets. This and other kinds of micro-segmentation allow your business to truly limit the attack surface of any potential breach.

There are a number of benefits to this. Regardless of operating system limitations, communication policy can be enforced at the layer 4 transport level as well as the Layer 7 process level. By segmenting your flows by the principle of least privilege, even if a breach occurs, you ensure that it is quickly isolated, and attackers are unable to make lateral moves or scale their intrusion any further. When micro-segmentation is enforced alongside breach detection and threat resolution, even new attack vectors can quickly become a known quantity, and are unable to pose real danger.

Staying Safe Against Future Cyber-Attack Vectors

The way that data is stored and transferred is dynamic in and of itself. Our methods and processes are always changing as the capabilities of the cloud and the hybrid nature of our IT environments continue to grow. In direct response, attack vectors will never stay the same for long, and hackers will always have new tricks up their sleeve to compromise the latest solutions and catch us unaware. As well as current attack vectors that take advantage of IoT devices and no-fault infiltration, predictions for the future include AI-driven malware and an increase in file-less malware attacks, allowing hackers to hide their activities from detection.

The only solution is true visibility of all your applications and workflows. Using this mapping alongside segmentation policy that controls communication flows can restrict attackers in their tracks at the smallest sign of an anomaly. Even against new or unknown attack-vectors, these tools enable true threat resolution that can protect your entire infrastructure in real-time.


1. https://attack.mitre.org/wiki/Main_Page
2. https://research.checkpoint.com/androids-man-in-the-disk/
3. https://churchm.ag/was-it-human-error/
4. https://www.securityweek.com/fileless-attacks-ten-times-more-likely-succeed-report
5. https://www.wired.com/story/ai-has-a-hallucination-problem-thats-proving-tough-to-fix

The Bondnet Army: Questions & Answers

Last week we announced the discovery of Bondnet, a new botnet that was uncovered by GuardiCore Labs. The originator of Bondnet had installed a cryptocurrency miner and backdoor in thousands of servers of varying power and conscripted them into a botnet – a group of computing devices that can be centrally controlled for malicious purposes.

The Bondnet Army

GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions.

As Yahoo Breach Sinks In, Here’s How to Secure Your Data Centre in 2017

It’s certainly not what Yahoo or its customers would have wanted. But news of the biggest data breach ever recorded serves as a timely reminder of the threats facing the modern data centre as we head into the new year. The internet pioneer may be an extreme example, having now allowed cyber thieves to steal data from 1.5 billion accounts. But organisations of all sizes should see it as a cautionary tale. They need to wake up to the threats facing their data centres or risk following in Yahoo’s footsteps.

Read more

Corporate Boards Aren’t Prepared for Cyberattacks

Despite the scale and potential harm from such attacks, there’s wide recognition that corporate leaders, especially boards of directors, aren’t taking the necessary actions to defend their companies against such attacks. It’s not just a problem of finding the right cyber-defense tools and services, but also one of management awareness and security acumen at the highest level, namely corporate boards.

Ocean’s Eleven and the Changing Landscape of Cyber Crime

On February 16th, 2015, Kaspersky lab published a report titled “Carbanak APT – The Great Bank Robbery”, telling the story of a cyber attack campaign on numerous banks and financial institutions, spanning from late 2013, and resulting in an estimated cumulative losses of $1B. The attack has been dubbed by Media outlets such as CNN “the Ocean’s eleven of cyber strikes”. Read more