Team


#cybersecurity | #hackerspace | A Well-Equipped Security Team Could Save You Millions of Dollars a Year

Source: National Cyber Security – Produced By Gregory Evans

Data breaches are expensive. By now, most organizations are well aware of this fact. When it comes to resource planning, however, SecOps teams need concrete data to ensure adequate funding is available to handle a breach. 

Taking a look at recent breaches and industry analysis can help. 

The Financial Cost of a Data Breach Is Rising

IBM conducts an annual “Cost of a Data Breach” study as the basis for a global analysis of the cost impact of data breaches. According to the study, the average cost of a data breach in the U.S. is growing:

·  2017: $7.35 million

·  2018: $7.91 million

·  2019: $8.19 million

Between 2017 and 2019, the average financial impact of a data breach at a U.S.-based company rose 10 percent. Companies that experience “mega breaches” involving millions of records can expect to pay anywhere from $40 million to $350 million to clean up the mess.

IBM expects these figures to continue climbing in the coming year. 

What factors impact the cost of a data breach?

A data breach is not limited to a single incident to be mitigated in just a few days. IBM estimates that it takes companies an average of 280 days to fully recover from a breach. Responding to these breaches extends beyond addressing the root cause of the hack. 

Companies must satisfy notification requirements, preserve affected documents and logs, and address potential PR concerns. If the breach involved PHI (protected health information) or identifying information like Social Security Numbers, the response becomes even more complicated. Most companies will need to hire outside legal consultants to ensure a proper response has taken place.

Beyond these immediate issues, companies that experience a data breach will face “long-tail” costs, those occurring more than a year after a breach. These costs include class action lawsuits, regulatory fines, and the potential loss of customers who have lost trust in the company. IBM estimates that lost business accounts for 36 percent of the average total data breach cost.

Proactive Companies Fare Better

Not only will the cost of a data breach increase, so will the odds that a given company will experience a breach. 

Companies are more than 30 percent more likely to experience a breach in the coming years, according to IBM. The Herjavec Group estimates that a ransomware attack will affect a new business every 11 seconds by 2021. 

The risk of a data breach is not a vague threat intended to scare companies into investing more in backend security response. The risk is simply the reality companies must overcome to protect their clients’ data and their own future success. Bad actors are here to stay, unfortunately, and they are becoming savvier all the time. 

Still, companies can make proactive decisions to reduce the risk of a data breach. Key actions that can help include:

·  Establishing in-house incident response capabilities

·  Integrating advanced machine-learning AI into security platforms

·  Increased cybersecurity education for all employees

·  Creating DevSecOps teams who address data security from the start of the development process

IBM estimates that the presence of an in-house incident response team has a significant impact on reducing data breach costs. Using incident response teams can reduce the cost of a data breach by an average of 10.5 percent, a figure that can save companies hundreds of thousands of dollars. 

Next Steps

Don’t wait until you’re in response mode to come up with a data security strategy. MixMode’s third-wave, machine-learning AI detects vulnerabilities before they attract bad actors, giving our clients the upper hand when it comes to cybersecurity. 

Why is machine learning better?

Machine learning is a subset of AI that adds automation and intelligence to computer programs. A music platform that can predict which songs and artists a listener will likely enjoy is one example of machine learning at work.

MixMode takes the concept of machine-learning a few steps further. Not only could our context-aware AI make accurate song predictions, but it could also actually create original music compositions in the same vein. 

While today’s hackers and cybercriminals are often well-versed in typical machine-learning AI, MixMode’s unique context-aware AI is a world apart. 

Our platform takes a deep dive into your network to develop a baseline level of knowledge it will use to evaluate network anomalies. The result is at least a 12 percent reduction in the cost of detecting and responding to data breaches. That’s what happens when SecOps teams don’t have to wade through a mountain of false positives to address real issues. 

Learn how MixMode can ensure your organization won’t become the next company to make the news thanks to a data breach. Reach out to MixMode today to set up a demo. 


Source link

The post #cybersecurity | #hackerspace | A Well-Equipped Security Team Could Save You Millions of Dollars a Year appeared first on National Cyber Security.

View full post on National Cyber Security

#cybersecurity | #hackerspace | DEF CON 27, Blue Team Village, @Lak5hmi5udheer’s, @dhivus & @NarayanGowraj’s ‘Who Dis Who Dis: The Right Way To Authenticate’

Source: National Cyber Security – Produced By Gregory Evans

Thanks to Def Con 27 Volunteers, Videographers and Presenters for publishing their superlative conference videos via their YouTube Channel for all to see, enjoy and learn.


The post DEF CON 27, Blue Team Village, @Lak5hmi5udheer’s, @dhivus & @NarayanGowraj’s ‘Who Dis Who Dis: The Right Way To Authenticate’ appeared first on Security Boulevard.


5 Tips for Keeping Your Security Team on Target

Source: National Cyber Security – Produced By Gregory Evans

In nearly every security environment, competing priorities are a constant battleground. Here’s how to keep the focus on what’s important. When I sit down to write an article, I encounter any number of distractions. Each distraction seems to want nothing more than to keep me from […]

Sodinokibi Ransomware Builds An All-Star Team of Affiliates

Source: National Cyber Security – Produced By Gregory Evans


The Sodinokibi Ransomware (REvil) has been making news lately as they target the enterprise, MSPs, and government entities through their hand-picked team of all-star affiliates. These affiliates appear to have had a prior history with the GandCrab RaaS and use similar distribution methods.

It should be noted that we will refer to this ransomware infection as Sodinokibi as that is what it is most commonly known as to the general public and victims. This ransomware also goes under the name REvil, which is the actual name given by the malware developers.

Since being discovered in late April exploiting vulnerable WebLogic servers, Sodinokibi has been distributed worldwide with wide success through exploit kits, phishing campaigns, remote desktop attacks, and large-scale attacks through hacked MSPs.

Victim Heatmap (Source: McAfee)

In two new reports from McAfee, the Sodinokibi Ransomware has been analyzed to bring us information about code similarities between this ransomware and GandCrab. The affiliates of both RaaS operations have also been analyzed to show the similarities between the two and how many affiliates switched to Sodinokibi as GandCrab began shutting down.

The GandCrab RaaS

Before we get into the Sodinokibi RaaS, it is important to discuss how the GandCrab RaaS operated.

One thing that was well known about the GandCrab Ransomware-as-a-Service is that they put together a team of some of the best affiliates out there.

These affiliates showed a wide range of experience in the distribution of malware and advanced technical knowledge regarding MSP software that allowed them to achieve high volumes of victims by attacking a single organization.

For those not familiar with the term RaaS, it is when a ransomware developer allows “affiliates” to distribute their ransomware in exchange for a portion of the ransom payment. Typically, the affiliates would earn the lion’s share of the payment and the developer would take a lower portion, 30-40%, as their payment for managing the ransomware and the payment system.

Those affiliates who performed the best would earn higher levels of commission.

RaaS Explainer (Source: McAfee)

In new research by McAfee’s John Fokker, Head of Cyber Investigations, and Christiaan Beek, lead scientist and senior principal engineer, we take a deep dive into how the GandCrab RaaS operated and some of its higher-profile affiliates.

With the GandCrab RaaS, each affiliate was assigned an ID that was embedded in the ransomware executables that they distributed. It was also possible for affiliates to generate SubIDs that they could tag an executable with.

It is not known what these SubIDs were used for, but they could have allowed a major affiliate to assign distribution work to one of their partners, or simply to track the success of different distribution campaigns.

By analyzing hundreds of samples of GandCrab, the researchers told BleepingComputer that there were approximately 292 affiliates registered with the RaaS, with not all of them necessarily being active.

Partial list of GandCrab affiliates (Source: McAfee)

Of these, McAfee stated that the affiliate with ID 99 was by far the most active, with affiliate IDs 15, 41, and 170 being the next most active.

Affiliate ID 99

Unfortunately, it is not currently known which IDs are associated with particular types of attacks, but Fokker told BleepingComputer that they are looking into this.

Sodinokibi builds an all-star affiliate team

A month before Sodinokibi became active, McAfee noted that the high profile affiliates suddenly went missing from GandCrab’s final 5.2 build.

Soon after, a relatively new unnamed RaaS was being marketed on online hacker forums such as Exploit.in where a member named UNKN was recruiting affiliates. This was a selective recruitment process and only a small amount of highly vetted applicants would be selected.

Forum post about new RaaS

One of the people who replied to the topic and vouched for the RaaS was a member named Lalartu, who stated they were previously a GandCrab affiliate.

Soon after, Sodinokibi exploded with ransomware distribution that was very similar to the high profile attacks BleepingComputer saw with GandCrab.

BleepingComputer believes that GandCrab informed their top affiliates that they would soon be shutting down and either transferred them to Sodinokibi or the affiliates just decided to move to the new RaaS.

When analyzing Sodinokibi samples, the McAfee researchers also noted that Sodinokibi used affiliate IDs and SubIDs in the same way as GandCrab.

Sodinokibi Config (Source: McAfee)

This allowed them to extract the IDs from samples to find the most active affiliates and see if they could compare them to the GandCrab affiliates. Based on their analysis, Fokker told BleepingComputer that there are currently 41 known affiliate IDs, with the most active being affiliate 19, followed by 33 and 20.

When comparing the activity of Sodinokibi affiliate 19 with GandCrab affiliate 99, the chart showed a very similar pattern of SubIDs and distributed samples. In the image below, the GandCrab affiliate 99 is shown on the left and the Sodinokibi affiliate 19 is shown on the right.

Comparison of GandCrab and Sodinokibi Affiliates

While the above does not indicate that they are definitely the same affiliate, their usage patterns do appear very similar.

With a business model, and this is definitely a business, that focuses on affiliates performing the distribution of the ransomware, McAfee notes that it is important for law enforcement to not only take down the ransomware, but also the affiliates.

By disrupting the distribution, the RaaS model simply falls apart.

“Given that the income of the RaaS network is largely dependent on the performance of its top affiliates, and it is run like a normal business, we (the security industry) should not only research the products the criminals develop, but also identify possible ways to successfully disrupt the criminal business.”

Similarities in code

In addition to the many similarities between the affiliates of Sodinokibi and GandCrab, there are also similarities within the code itself.

Last week we reported that researchers at SecureWorks identified shared code between the two ransomware and McAfee has come to the same conclusion.

According to McAfee Advanced Threat Research, when comparing an unpacked Sodinokibi sample with GandCrab v5.0.3, the researchers determined that there was a 40% code overlap between the two infections. Most of this similar code appears to be within the functions shown below.

Code similarity between Sodinokibi and GandCrab 5.0.3 (Source: McAfee)

This is further illustrated by the very similar graph view of the two infections as seen below. Without even looking at the functions, you can see that the flow and logic of both programs are very similar, if not almost identical.

Graph view of both Sodinokibi and GandCrab 5.0.3 (Source: McAfee)

When Sodinokibi/REvil connects back to the ransomware’s command and control server, it does so through a randomized URL that is generated at runtime. As Tesorion found in its earlier analysis, McAfee also found that the URLs generated by the two families are almost identical.

Random URL Generation Comparison (Source: McAfee)

As you can see from the above image, the URL generation is almost identical other than a few varied strings used to generate the URL.

Is Sodinokibi the new GandCrab?

Whether or not Sodinokibi/REvil is the next version of GandCrab is really hard to say.

On one hand we have code similarities that are very hard to ignore and affiliates who were historically part of the GandCrab RaaS and using the same distribution tactics.

On the other hand, the operator’s personality is completely different between the two ransomware families.

With GandCrab, the operators were very open and public with their communications, joked with the research community, and generally had a good time running their operation.

The Sodinokibi operators, on the other hand, are quiet, secretive, and almost reclusive in how the RaaS functions.

While personalities can change, the stark contrast between the two makes BleepingComputer believe that Sodinokibi is being operated by the programmers of GandCrab, while the original operators have since retired or moved on to new things.

This would explain the code similarities, yet the different and more secretive nature of the Sodinokibi/REvil RaaS.


New #Book Reveals How #Obama Team #Plotted #Cyberattacks Against #Russia in #2016

Source: National Cyber Security News

On March 13, a book titled “Russian Roulette: The Inside Story of Putin’s War on America and the Election of Donald Trump” will hit the shelves. Written by Michael Isikoff and David Corn, the book specifically focuses on Russia’s alleged interference in the 2016 US presidential elections.

In the summer of 2016, the Obama team prepared a plan for a large-scale cyber-operation against the Russian media, the country’s most influential businessmen and President Vladimir Putin personally, according to former White House cybersecurity coordinator Michael Daniel.

His remarks are included in “Russian Roulette: The Inside Story of Putin’s War on America and the Election of Donald Trump,” a book by Michael Isikoff and David Corn which is due to go on sale on March 13. Excerpts were released by Yahoo News earlier this week.

Daniel explained that the cyber-offensive against Moscow was co-authored by Celeste Wallander, the US National Security Council’s former chief Russia expert.

The plan stipulated that the National Security Agency (NSA) would conduct a number of cyberattacks to neutralize Russian websites and the Guccifer 2.0 hacker, who compromised the emails of the campaign headquarters of former Secretary of State Hillary Clinton and the Democratic Party’s National Committee.


CodeFork hacking team spreading ‘fileless’ malware to mine Monero cryptocurrency

Source: National Cyber Security – Produced By Gregory Evans

A group of hackers dubbed ‘CodeFork’ by security researchers has recently launched a new campaign, reportedly spreading fileless malware and a strain of cryptocurrency miner that is able to exploit victims’ computers and produce Monero, a form of digital money. According to experts from Radware, a cybersecurity firm, the group…

The post CodeFork hacking team spreading ‘fileless’ malware to mine Monero cryptocurrency appeared first on National Cyber Security Ventures.


Mexican Governor Spied on President With Hacking Team Spyware, Lawsuit Alleges

Source: National Cyber Security – Produced By Gregory Evans

In the last few months, human rights and internet monitoring organizations have uncovered evidence that the Mexican government uses sophisticated spyware made by an Israeli company to monitor journalists, dissidents, and even political opponents, as reported in a series of articles in The New York Times. Now, a former Mexican…


Team Lead – Security SOC and Incident Response

Source: National Cyber Security – Produced By Gregory Evans

Description: Community Health Systems, Inc. is one of the nation’s leading operators of general acute care hospitals. The organization’s affiliates own, operate or lease 158 hospitals in 22 states with approximately 26,000 licensed beds. Affiliated hospitals are dedicated to providing quality healthcare for local residents and contribute to the…


Trump Drops His Call for a Joint Cyber Security Team With Russia after Much Criticism

Source: National Cyber Security – Produced By Gregory Evans

U.S. President Donald Trump on Sunday backtracked on his push for a cyber security unit with Russia, tweeting that he did not think it could happen, hours after his proposal was harshly criticized by Republicans who said Moscow could not be trusted. Trump said on Twitter […]

Man and machine: How to team up to meet cybersecurity challenges

Source: National Cyber Security – Produced By Gregory Evans


In today’s cybersecurity landscape, the pressure is on. CISOs and other executives are suffering “security insomnia”: attack surfaces are growing exponentially, their security teams are receiving overwhelming numbers of alerts, real threats are masked by false positives, and the numbers of serious breaches are reaching new records – the list…
