News

Attivo Networks Brings Identity Security to the Next Level

Attivo Networks has announced a new way of protecting credentials from theft and misuse. As part of its Endpoint Detection Net (EDN) Suite, the ThreatStrike functionality allows organizations to hide real credentials from attacker tools and bind them to their applications. Additionally, the solution can show decoy credentials that facilitate threat intelligence gathering when left as bait. With this new functionality, Attivo becomes the only solution of its kind to cloak real credentials from attackers.

A credential-based attack occurs when an attacker steals credentials, extends privileges, and compromises critical data. Credential theft is the first stage of a lateral movement attack, and stopping the attack early in the process can have a material impact on the attacker's success and on the damage incurred. According to Verizon’s 2021 Data Breach Investigation Report, credentials remain among the most sought-after data types by attackers (60%). Stolen credentials have been behind some of the largest and most costly data breaches.

The Attivo ThreatStrike cloaking hides and denies unauthorized access to applications. For example, only Chrome will have access to its credential store, and all other applications won’t. The product launches with support for 75 of the most popular Windows applications that attackers target, with a plan to add more applications in the future.

“The benefit of credential protection is that only allowed system software can access them,” said Srikant Vissamsetti, senior vice president of engineering at Attivo Networks. “Customers will benefit from the prevention of unauthorized access, which can lead to credential theft attacks, such as Pass-the-Hash, Pass-The-Ticket, and Password Theft that can be extremely difficult to detect and stop.”

This new capability directly addresses sophisticated attack techniques as outlined in the MITRE ATT&CK Credential Access Tactic, such as OS Credential Dumping (T1003), Credentials from Password Store (T1555), Unsecured Credentials (T1552), Steal or Forge Kerberos Tickets (T1558) and Steal Web Session Cookie (T1539). With endpoint credentials now hidden from attacker view, the ThreatStrike solution plants bait on the endpoint, designed to appear as popular production Windows, Mac, and Linux credentials. As threat actors conduct reconnaissance, these lures will appear as attractive bait for in-network attackers to steal.

“The growing risk of credential theft attacks and misuse is the root cause of many modern cyber incidents,” said Ed Amoroso, founder and CEO of TAG Cyber. “The recent Verizon Data Breach Report, for example, underscores stolen credentials as a top target for attackers. This challenge in the market is fueling the need to reduce credential risk by managing entitlements in the context of an authorization model. With the introduction of credential cloaking and policy-based application access, Attivo Networks is well-positioned to emerge as a significant player in the identity detection and response market.”

The addition of credential cloaking also adds to the company’s stack of cloaking technology. The company can currently cloak Active Directory objects, as well as files, folders, network and cloud mapped shares, and removable drives. This technology is distinctly different from traditional deception technology, which weaves fake objects amongst real ones. Cloaking technology hides real assets and puts fake data in their place. This combined innovation has received recognition and awards for its efficacy in identifying and deterring both ransomware and advanced attack tactics.

The Attivo Networks Endpoint Detection Net (EDN) Suite is a component of the company’s identity detection and response (IDR) offering. IDR solutions grew popular in 2021 as the technology became available to detect identity theft, privilege escalation, and lateral movement threat activities. The company’s EDN solution includes:

  • ThreatStrike: for credential protection
  • ADSecure: for Active Directory protection
  • ThreatPath: for credential attack path visibility and attack surface reduction
  • Deflect: prevents fingerprinting of endpoints to identify targets and vulnerabilities to exploit
  • Central Management: manages EDN and comes with the ability, through licensing, to add visibility to Active Directory and cloud entitlement exposures and vulnerabilities

News

Check Point Expands its Cloud Native Application Protection Platform (CNAPP) with Risk Management Engine

Check Point Software Technologies has introduced a new risk management engine along with enhanced capabilities to the Check Point CloudGuard Cloud Native Application Protection Platform (CNAPP). The new capabilities add intelligent risk prioritization, agentless scanning, entitlement management, and pipeline security. With a focus on context, speed, and automation, the new capabilities operationalize cloud security, removing complexities and overhead noise associated with traditional standalone cloud security alerts, allowing security teams to focus on comprehensive threat prevention from code to cloud across the entire application lifecycle while supporting DevOps’ agility.

Cloud adoption and digital transformation continue to accelerate. The 2022 Cloud Security Report revealed that 35% of respondents are running more than 50% of their workloads in the cloud. However, 72% are extremely concerned about cloud security, and 76% are hindered by the complexity of managing multiple cloud vendors, which often results in misconfigurations, lack of visibility, and exposure to cyberattacks. Moreover, the study revealed that misconfiguration is seen as the number one cause of security-related incidents, which can be attributed to the need for around-the-clock security operations and alert fatigue.

“It is challenging for organizations to manage security risk while supporting faster cloud-native development cycles,” says Melinda Marks, Senior Analyst, Enterprise Strategy Group (ESG), “As development teams grow, organizations are looking for a unified platform to help them prioritize and efficiently take the actions that are the most impactful in reducing security risk so they can effectively manage security instead of falling behind.”

With the launch of Effective Risk Management (ERM), in addition to Cloud Identity & Entitlement Management (CIEM), Agentless Workload Posture (AWP), and pipeline security tools, Check Point CloudGuard now provides smart risk prioritization that allows teams to quickly eliminate critical vulnerabilities, such as misconfigurations and over-privileged access, based on severity throughout the software development lifecycle. The collaborative output that enterprises receive is simple, easy to understand, and focused on the threats that matter to them, thereby reducing the complexity that was once a challenge. By minimizing this complexity, the threat landscape is also reduced.

“Cloud adoption continues to accelerate and the ability to streamline cloud security has become vital,” explains TJ Gonen, VP Cloud Security at Check Point Software. “By adding Effective Risk Management and amplifying Check Point CloudGuard’s CNAPP offering, we are making it possible for organizations to shift CNAPP left and take a prevention-first approach to their cloud security that’s easy to manage. With our contextual AI and risk scoring engine, security teams no longer have to manually figure out which alerts to remediate first—the machine will do it for them. By removing this burden, customers can focus on migrating their critical workloads to the cloud with confidence.”

Check Point CloudGuard combines the latest tools into a new generation of CNAPP capabilities to aid security professionals while removing barriers to DevSecOps with ShiftLeft tools. Check Point CloudGuard utilizes the power and potential of unification along with operational value to end users including:

  • Effective Risk Management: CloudGuard’s ERM engine prioritizes risks and provides actionable remediation guidance based on full context including workload posture, identity permissions, attack path analysis, and the application business value. Security teams can now focus on critical threats and administer a “minimal effective dose” of security for maximum impact.
  • Cloud Identity & Entitlement Management: The CIEM capabilities understand effective permissions of users and cloud services, identify exposure and risks, and automatically generate explicit least privilege role recommendations to reduce access and revoke unused permissions. With CIEM built into ERM, users can understand their permissions and enforce the least privilege across their cloud environments.
  • Agentless Workload Posture: AWP extends CloudGuard’s agentless infrastructure visibility into workloads. AWP scans and identifies risks including misconfigurations, malware, vulnerabilities, and secrets across all cloud workloads, including virtual machines, containers, and serverless functions. With this agentless deployment model, security teams gain deep workload security visibility at scale without impacting performance.
  • Pipeline Security: The pipeline security capabilities fully integrate the Spectral offering to detect and resolve misconfigurations, secrets, and vulnerabilities within CloudGuard. The developer-first security extends workload protection to the CI/CD pipeline to remediate issues before they reach production. Security teams can shift CNAPP left and secure cloud applications from the start.

LEAP

Cisco Study Identifies Key Success Factors to Boost Security Resilience in Saudi Arabia

At LEAP, Cisco released the KSA findings of its latest Security Outcomes Report, focusing on “Achieving Security Resilience”. Now in its third year, the report is Cisco’s annual security study and consists of responses from more than 4,700 participants across 26 countries, including Saudi Arabia. It identifies the top success factors that boost enterprise security resilience and measures responses against these factors to identify the biggest strengths and weaknesses in current enterprise security deployments.

Why Security Resilience Is Important in Saudi Arabia
The findings in Saudi Arabia revealed that 54 percent of organizations surveyed had experienced a security event that impacted business. The most common incidents were distributed denial of service attacks (60 percent), network or system outages (54 percent), and malicious insider abuse events (40 percent).

These incidents resulted in severe effects for the companies experiencing them, along with the ecosystem of organizations they do business with. With incidents this impactful (64 percent of organizations globally affirmed that cybersecurity incidents impact their resilience) it is no surprise that the main objectives of security resilience are to prevent incidents and mitigate losses when they occur.

Salman Faqeeh, Managing Director, Cisco Saudi Arabia commented: “In the last few years, the Kingdom has taken confident steps towards digitization, bringing new opportunities to the country. This progress must be accompanied hand-in-hand by a sharp focus on cybersecurity.” 

He added: “Cisco is uniquely positioned to support the government and businesses of all sizes and across industries in the kingdom, addressing the cyber security challenges they are facing, and helping them increase their security resilience. Our presence at LEAP this year provides us with the perfect platform to engage with our partners and customers while demonstrating our latest range of security innovations and solutions for safer, more secure, and more efficient operations.”

Seven Success Factors of Security Resilience
The report develops a global methodology to generate a security resilience score for the organizations surveyed, identifying seven data-backed success factors most impactful to an organization’s security resilience. These include establishing executive support; cultivating a culture of security; simplifying hybrid cloud environments; maximizing zero trust adoption; extending detection and response capabilities; and taking security to the edge. If achieved, these factors would boost our measure of an organization’s overall security resilience from the bottom 10th percentile to the top 10th percentile.

Globally, security is a human endeavor, as leadership, company culture, and resourcing have a significant impact on resilience:

  • Organizations that report poor security support from the C-suite scored 39 percent lower than those with strong executive support.
  • Businesses that cultivate an excellent security culture scored 46 percent higher on average than those without.
  • Companies that maintain extra internal staffing and resources to respond to incidents saw a 15 percent boost in resilient outcomes.

Businesses need to take care to reduce complexity when transitioning from on-premise to fully cloud-based environments:

  • Companies whose technology infrastructures are either mostly on-premise or mostly cloud-based had the highest, and nearly identical, security resilience scores. However, businesses that are in the initial stages of transitioning from an on-premise to a hybrid cloud environment saw scores drop between 8.5 and 14 percent depending on how difficult the hybrid environments were to manage.

Adopting and maturing advanced security solutions saw significant impacts on resilient outcomes:

  • Companies that reported implementing a mature zero trust model saw a 30 percent increase in resilience score compared to those that had none.
  • Advanced extended detection and response capabilities correlated to an incredible 45 percent increase over organizations that report having no detection and response solutions.
  • Converging networking and security into a mature, cloud-delivered secure access services edge (SASE) boosted security resilience scores by 27 percent.

Cyber Security

OneNote Documents Increasingly Used to Deliver Malware

Proofpoint researchers recently identified an increase in threat actor use of OneNote documents to deliver malware via email to unsuspecting end users in December 2022 and January 2023. OneNote is a digital notebook created by Microsoft and available via the Microsoft 365 product suite. Proofpoint has observed threat actors deliver malware via OneNote documents, which use the .one file extension, as email attachments and via URLs.

While there is an increase in the number of campaigns utilizing OneNote to deliver malware, its use is unusual. Based on Proofpoint’s observed characteristics of past threat campaigns, it is believed that threat actors have increasingly adopted OneNote as a result of their experimentation with different attachment types to bypass threat detection. Since Microsoft began blocking macros by default in 2022, threat actors have experimented with many new tactics, techniques, and procedures (TTPs), including the use of previously infrequently observed file types such as virtual hard disk (VHD), compiled HTML (CHM), and now OneNote (.one).

Observed email campaigns that use OneNote for malware delivery share similar characteristics. While the message subjects and senders vary, nearly all campaigns use unique messages to deliver malware, and do not typically utilize thread hijacking. Messages typically contain OneNote file attachments with themes such as invoice, remittance, shipping, and seasonal themes such as Christmas bonus, among other subjects. In mid-January 2023, Proofpoint researchers observed actors using URLs to deliver OneNote attachments that use the same TTPs for malware execution.

The OneNote documents contain embedded files, often hidden behind a graphic that looks like a button. When the user double-clicks the embedded file, they will be prompted with a warning. If the user clicks continue, the file will execute. The technique may be effective for now. At the time of analysis, multiple OneNote malware samples observed by Proofpoint were not detected by numerous anti-virus vendors on VirusTotal.

It is important to note that an attack is only successful if the recipient engages with the attachment, specifically by clicking on the embedded file and ignoring the warning message displayed by OneNote. Organizations should educate end users about this technique and encourage them to report suspicious emails and attachments.
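The delivery pattern described above (an embedded file inside a .one attachment, hidden behind a graphic) can be triaged before the message ever reaches a user. The following is an added example for mail-gateway or sandbox triage, not Proofpoint's code and not from the article: it checks an attachment for the OneNote file-type GUID, carves every embedded FileDataStoreObject out of it, and labels each payload by its leading bytes. It assumes the three GUID constants are those published in Microsoft's MS-ONESTORE specification (quoted from memory of that spec, so verify against it); the sample .one blob and the `build_sample_onenote`, `carve_embedded_files`, `classify` and `triage` helpers are constructed here for illustration and are not a captured malware sample.

```python
import struct
import uuid
from typing import Dict, List

# GUID markers for the OneNote binary format. Assumption: these values are
# quoted from the public MS-ONESTORE specification (guidFileType for .one files
# and the FileDataStoreObject header/footer), not from the article above.
ONE_FILE_HEADER = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
# guidHeader (16) + cbLength (8) + unused (4) + reserved (8) precede FileData.
FDSO_PREAMBLE_LEN = 16 + 8 + 4 + 8

# Content signatures checked against the first bytes of each embedded object:
# magic prefixes for binaries, lower-case substrings for script-like payloads.
PREFIX_SIGNATURES = {b"MZ": "pe-executable", b"\x89PNG": "png-image"}
SCRIPT_SIGNATURES = {
    b"@echo off": "batch-script",
    b"<script": "html-script",
    b"wscript": "wsh-script",
    b"powershell": "powershell",
}
RISKY_KINDS = {"pe-executable", "batch-script", "html-script", "wsh-script", "powershell"}


def is_onenote(blob: bytes) -> bool:
    """True when the attachment starts with the .one file-type GUID."""
    return blob[:16] == ONE_FILE_HEADER


def carve_embedded_files(blob: bytes) -> List[bytes]:
    """Return the FileData payload of every FileDataStoreObject found in blob.

    The scan is marker-based rather than a full parse of the object tree, so it
    also recovers embedded objects from a file whose structure is damaged.
    """
    payloads = []
    pos = blob.find(FDSO_HEADER)
    while pos != -1:
        (cb_length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + FDSO_PREAMBLE_LEN
        end = start + cb_length
        if end > len(blob):
            break  # truncated or corrupt length field: stop instead of over-reading
        payloads.append(blob[start:end])
        pos = blob.find(FDSO_HEADER, end)
    return payloads


def classify(payload: bytes) -> str:
    """Coarse label for an embedded object from its leading bytes."""
    for prefix, label in PREFIX_SIGNATURES.items():
        if payload.startswith(prefix):
            return label
    head = payload[:512].lower()
    for needle, label in SCRIPT_SIGNATURES.items():
        if needle in head:
            return label
    return "unknown"


def triage(blob: bytes) -> Dict[str, object]:
    """Summarise an attachment: is it OneNote, what is embedded, is it risky."""
    report = {"is_onenote": is_onenote(blob), "embedded": [], "suspicious": False}
    if not report["is_onenote"]:
        return report
    for payload in carve_embedded_files(blob):
        report["embedded"].append({"size": len(payload), "kind": classify(payload)})
    report["suspicious"] = any(e["kind"] in RISKY_KINDS for e in report["embedded"])
    return report


def build_fdso(file_data: bytes) -> bytes:
    """Wrap file_data in a FileDataStoreObject (used only to build the sample)."""
    return (FDSO_HEADER + struct.pack("<Q", len(file_data)) + b"\x00" * 12
            + file_data + FDSO_FOOTER)


def build_sample_onenote() -> bytes:
    """Constructed sample .one blob: a 'button' graphic plus a batch script.

    This is not a real captured sample; it only reproduces the structural
    pattern the article describes (an embedded file sitting behind an image).
    """
    graphic = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    script = b"@echo off\r\necho constructed sample payload\r\n"
    return (ONE_FILE_HEADER + b"\x00" * 64 + build_fdso(graphic)
            + b"\x00" * 16 + build_fdso(script))


if __name__ == "__main__":
    print(triage(build_sample_onenote()))
```

The carver searches for the object marker rather than walking the notebook's object tree, so it keeps working on files that were deliberately malformed to confuse a strict parser; the trade-off is that the length field is trusted, which is why the loop stops on any object whose declared size runs past the end of the attachment. The classification is a heuristic and will miss obfuscated scripts, so a gateway policy would normally quarantine any .one attachment with an embedded object of unknown type for analyst review rather than relying on these labels alone.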

Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.