Tanmoy S
|
February 7, 2024
HHS Recommends Including Deception Technology as a Critical Component of Cybersecurity Practices for Healthcare Organizations
One hundred and forty pages strong, the Health Industry Cybersecurity Practices (HICP) Technical Volume 2: Cybersecurity Practices for Medium and Large Healthcare Organizations is a technical volume that provides an overview of cybersecurity practices the U.S. Department of Health & Human Services (HHS) has identified as highly effective at mitigating risk in the healthcare industry. There are many great insights in the document, and one we were very excited to see was the inclusion of deception technology as a critical component of a comprehensive security posture. Cyber deception is a technique many organizations have used to create decoys, traps, and other mechanisms that mislead attackers and divert their attention away from actual targets. The document suggests that deception technology is useful for detecting and responding effectively to attacks, and for gaining insight into an attacker’s tactics, techniques, and procedures (TTPs).

We applaud their recognition of the compelling reasons to add deception to an organization’s security posture. Some of the highlights include:
Reduction of dwell time, achieved through early detection and by diverting an attacker’s attention so that they reveal their presence, which reduces the time they can spend in the network.
Improvement in threat intelligence, gained through insight into the TTPs of attackers.
Increased situational awareness, achieved by using decoys and other mechanisms that provide early warning of potential attacks.

The report (Section 8.l.F) describes how Healthcare Delivery Organizations (HDOs) can implement cyber deception techniques, such as deploying honeypots, honeytokens, and other decoys, to create a layered defense and make it more difficult for attackers to gain access to sensitive data. Benefits such as disrupting attacks, early warning of intrusions, and reducing the impact of a successful attack were also noted.
The document goes on to suggest that using cyber deception as an additional layer of defense will improve an organization’s ability to detect and respond, gather threat intelligence, and reduce the impact of a cyber incursion. The cyber deception landscape has undergone many changes since its inception, ranging from technology enhancements to integration into other vendors’ technologies through partnership and acquisition. The Acalvio Defense platform is designed for AI-driven autonomous deception and carries the most patents, 25 in total, protecting complex environments across all industries, both on-premises and in the cloud. Acalvio also has Federal Risk and Authorization Management Program (FedRAMP) certification, further validating Acalvio cloud service offerings (CSOs) with respect to security assessment, authorization, and continuous monitoring.

The use cases for deception in healthcare organizations can be quite extensive. However, Acalvio has found Advanced Persistent Threat (APT) attacks, ransomware, insider threats, and identity threats to be among the most popular and consistently deployed. APT attacks are particularly concerning to healthcare organizations because they are sophisticated, stealthy, and can go undetected for long periods of time. APTs are designed to infiltrate a network and remain undetected for extended periods, stealing sensitive data or causing damage. Acalvio deception detects APTs by creating false environments that appear to be legitimate but are actually lures and traps designed to detect and analyze malicious activity. Insider threats occur when someone with employee, contractor, or third-party access to a network or system misuses that access to cause harm or steal data. Acalvio deception efficiently identifies insider threats by embedding deceptions into the data, deploying deceptive identities, and creating false environments designed to accurately detect unauthorized access.
Because deception does not have a production role, any attempt to use the deceptions creates a high-level alert that carries detailed supporting evidence, which can dramatically reduce investigation time. Ransomware attacks have continually targeted healthcare organizations because of their complex environments, fluid workforce, and a range of challenges that work against an ideal security operating environment. Ransomware groups generate new variants through Ransomware-as-a-Service (RaaS) affiliates, evading traditional security. Acalvio deception creates a variety of snares for attackers that detect credential misuse, privilege escalation, deletion of backups, and propagation attempts. Ransomware can move very quickly, and since deception does not rely on baselines or trends, it has proven to be an essential alerting mechanism for early ransomware detection, including evolving variants.

Identity Threat Detection and Response (ITDR) is another key deception use case. The misuse of credentials is not new and, as most know, is a staple in almost every attack. Gartner, Inc. coined the term ITDR in 2022 based on the need to educate organizations on Zero Trust architectures and why network-based security is not sufficient for detecting and deterring attacks that use credentials and privilege escalation. Endpoint Detection and Response (EDR) vendors have taken note, with SentinelOne acquiring Attivo Networks and CrowdStrike partnering with Acalvio. You can read more about the CrowdStrike and Acalvio partnership on our web page. The highlight of this partnership is that it enables deceptions to be deployed at scale without requiring an additional agent. CrowdStrike customers can now deploy Acalvio deception and identity solutions across the organization and manage the detections in CrowdStrike’s incident response dashboard. Acalvio uses AI to refresh the deception environment for authenticity and scale.
Another recent document worth noting is the technical report HHS Cybersecurity Program: Cybersecurity Framework Profile for Healthcare Delivery Organizations. It also discusses the importance of cyber deception as a key strategy for protecting healthcare organizations from a variety of cyber threats. This report includes additional use cases for deception, namely social engineering and attacks against network-connected medical devices. IoT-based medical devices can be challenging to protect because they cannot be upgraded, cannot run EDR agents, and have limited downtime windows. Acalvio deception plays an important role for IoT because it can use decoy elements such as false credentials, simulated data, and decoys to detect malicious network activity without loading software onto the devices. It is a further use case for deception in creating layers of defense in specialized networks.

Many healthcare organizations have successfully deployed cyber deception and have realized its benefits for patient safety and well-being. It is exciting to see deception receive an important recommendation in this new publication. Deception technology efficiently addresses a wide range of cyber threats, including APTs, insider threats, ransomware, identity, IoT, and social engineering attacks. By creating false environments that appear legitimate, cyber deception non-disruptively lures, detects, and diverts attacks, making it faster and easier for security teams to eradicate the threat before it can cause harm.
Team Acalvio
|
October 2, 2017
Spreading Technique used by Retadup Worm.
Acalvio Threat Research Lab

The Retadup worm has been in the news recently. It was first observed infecting Israeli hospitals [1] and was recently observed active in South America mining cryptocurrency [2]. The details of the worm have been published by Trend Labs [1][2]. This blog will share the spreading technique used by the worm (for comparison, see our analysis of the Petya malware propagation techniques).

Retadup’s worm-like behavior consists of copying itself to drives as malicious .LNK files, named like normal-looking shortcuts such as “Games.lnk” and “Downloads.lnk”. As shown in figure 2, it makes use of the AutoIt function “DriveGetDrive”. The function “DriveGetDrive” enumerates all the letter drives of the specified drive type and returns an array of available drives. Retadup iterates over the array and copies its script folder, which consists of the interpreter (usually named WinddowsUpdate.exe) and the malicious script file (e.g. WinddowsUpdate.zip), to the destination along with several malicious link files that execute the AutoIt (au3) interpreter with a command line like:

“cmd.exe /c start ..<ScriptDir>\<InterpreterBinary>.exe..<ScriptDir>\<MaliciousScript>.zip & exit”

Once the files are copied, spreading requires user interaction on the destination host, since the link file has to be manually executed to start execution on another host.

This spreading technique can be detected by a distributed deception architecture. A deception-centric architecture places honey drives at the endpoint, and these are returned by the call to DriveGetDrive. When the malicious files get copied to a honey drive to engage the threat, an alert is raised for a possible compromise. Subsequent malicious activity by the Retadup worm, such as extracting passwords or installing a keylogger, classifies the file as malicious in the engagement platform, and the infected endpoint can be isolated from the network.
The IoCs generated from the engagement are used to quarantine the infected machines. The material discussed above further establishes the potential of distributed deception solutions and their efficacy for advanced threat detection.

References:
[1] Information Stealer Found Hitting Israeli Hospital
[2] New Retadup Variants Hit South America, Turn to Cryptocurrency Mining
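The honey-drive detection described above, as an added example (this is not Acalvio’s code): a minimal parser for the string fields of the Windows shell link (MS-SHLLINK) format, a heuristic for the cmd.exe /c start <interpreter>.exe <script>.zip & exit pattern, and a scan over constructed files written to a decoy drive. It assumes the dropped link carries its cmd.exe target in the RelativePath field; real links often carry the target only in the LinkTargetIDList, which this parser skips.

```python
import struct
# LinkFlags bits from the MS-SHLLINK shell link format (ShellLinkHeader, offset 0x14).
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk (target path, arguments, ...); {} if not a link."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        return {}
    flags, pos = struct.unpack_from("<I", data, 0x14)[0], 0x4C
    if flags & HAS_ID_LIST:                       # skip LinkTargetIDList (u16 size + list)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # skip LinkInfo (u32 size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {}
    for bit, key in STRING_FIELDS:                # each field: u16 char count, then the chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return out

def looks_like_retadup_dropper(info: dict) -> bool:
    """Heuristic for the pattern in the post: cmd.exe /c start <x>.exe <y>.zip & exit."""
    target = info.get("relative_path", "").lower()
    args = info.get("arguments", "").lower()
    return (target.endswith("cmd.exe") and "/c" in args and "start" in args
            and ".exe" in args and ".zip" in args)

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed sample: minimal Unicode .lnk carrying only RelativePath and Arguments."""
    header = bytearray(0x4C)
    struct.pack_into("<I", header, 0, 0x4C)
    struct.pack_into("<I", header, 0x14, 0x08 | 0x20 | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return bytes(header) + body

def scan_honey_drive(files: dict) -> list:
    """Any write to a decoy drive is an alert; .lnk files are additionally classified."""
    alerts = []
    for name, data in files.items():
        dropper = name.lower().endswith(".lnk") and looks_like_retadup_dropper(parse_lnk(data))
        alerts.append((name, "Retadup-style .lnk dropper" if dropper
                       else "unexpected write to decoy drive"))
    return alerts
```

Because nothing legitimate ever writes to the decoy drive, the plain "unexpected write" verdict is already the alert; the link classification only adds context for the analyst.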
Team Acalvio
|
December 12, 2016
Looking Deeper into a Multi Stage Attack
The majority of today’s breaches are comprised of sophisticated multi-stage attacks. The stages of such attacks can best be described by a “Cyber Kill Chain”, which breaks down cyber intrusions into the following steps: Recon → Weaponize → Deliver → Exploit → Install → Command & Control → Action. Most inline or endpoint protection products can detect one of the stages of an attack, but lack the ability to analyze the entire activity chain. This prevents security operations teams from seeing the full context of the attack. If one were to allow the attack to play out completely, one could learn more about these threat actors, making it easier to stop future attacks.

In this blog, I will demonstrate this using a case study of a common attack. This particular attack was stopped by a perimeter-based device. Based on the analysis of the attack, we will discuss internal security weaknesses in organizations. I will then discuss a recommended approach for analyzing a multi-stage attack that is aimed at identifying and remediating the internal weak links in an organization.

Figure 1 shows a file titled “Verify.pdf”, which was stopped by an email filtering solution. Since there is a mismatch between the comment, which shows as Bank of America, and the email address, which shows as kolumbus.fi, the file is declared malicious and quarantined.

Figure 1 – Malicious attachment detected by email filtering solution.

When the attached PDF file is dissected, as shown in figure 2, it can be seen that the file makes an HTTP request:

Figure 2 – HTTP request inside the PDF.

If we do a quick search for the domain, as shown in figure 3, it is malicious and is detected by one vendor, Trustwave.

Figure 3 – VirusTotal detection of the embedded URL link.

However, if we check the endpoint detection of the PDF file, as per VirusTotal in figure 4, it evades 53 endpoint protection products.
Figure 4 – VirusTotal score for the file.

Based on this quick analysis of the stopped threat, it can be observed that even though the threat was stopped, there are many internal weak links in an organization:
Detection of the malicious PDF downloader (as shown in figure 4) at the endpoint is missing. If the malicious PDF downloader had been able to reach the endpoint via some other delivery mechanism, it would have infected the organization.
Detection of the malicious communication (as shown in figure 3) by network inspection devices is almost non-existent, since true targeted attacks will use a fresh, previously unknown C&C server that is not on any known blacklist.
One of the key indicators used to detect the threat is the mismatch between the comment in the email address, “Bank of America”, and the email address itself, “kt1448@kolumbus.fi”. If the descriptor (Bank of America) were missing, the same attack might have been able to reach the endpoint via email. So the detection algorithm that stopped the attack can be bypassed by a variation of the attack.

These weak links can be exploited by other threat actors who leverage slight variants of the same attack. Given that the majority of breaches these days involve multi-stage attacks, the recommended architecture for the analysis of a multi-stage threat is a threat analysis platform that allows execution and analysis of every stage of a threat. In order to determine whether an entity is malicious, besides using analysis algorithms, the threat analysis platform must also leverage time-independent correlations, which give it the ability to correlate events that happened before or after in a virtualized network in order to classify an entity as malicious. In this way, each malicious entity that was part of the threat gets detected. Identifying every malicious entity of the threat allows an organization to capture all the malicious indicators involved in a multi-stage attack, and not just the initial stages.
This can then be used to strengthen internal defenses in a more robust and comprehensive manner.
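The two weak links in the case study, as an added example (not code from the original post): the email filter’s display-name-versus-domain rule is reproduced and shown to have nothing to match on when the descriptor is absent, while a second-stage check on the attachment still surfaces the embedded HTTP request. The brand table, the sample PDF fragment and the assumption that the request is carried as a PDF /URI action are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed brand table (assumption): display names that should only arrive from these domains.
BRAND_DOMAINS = {"bank of america": {"bankofamerica.com"}}

def sender_mismatch(from_header: str) -> str:
    """The email filter's rule from the post: brand in the display name vs. the sender's domain."""
    name, addr = parseaddr(from_header)
    brand, domain = name.strip().lower(), addr.rpartition("@")[2].lower()
    if not brand:
        return "no display name"        # nothing to compare: the variation the post warns about
    allowed = BRAND_DOMAINS.get(brand)
    if allowed is None:
        return "unknown brand"
    return "ok" if domain in allowed else "mismatch"

# One common way a PDF carries an outbound request: a /URI action (assumed mechanism).
URI_ACTION = re.compile(rb"/S\s*/URI\s*/URI\s*\((https?://[^)]+)\)")

def pdf_embedded_urls(pdf: bytes) -> list:
    """Second-stage indicator: URLs the document will request when its action fires."""
    return [m.decode("latin-1") for m in URI_ACTION.findall(pdf)]

def triage(from_header: str, pdf: bytes) -> list:
    """Record an indicator from every stage instead of stopping at the first hit."""
    findings = []
    if sender_mismatch(from_header) == "mismatch":
        findings.append("header: brand display name does not match sender domain")
    for url in pdf_embedded_urls(pdf):
        findings.append("attachment: embedded URI action -> " + url)
    return findings

# Constructed sample attachment (not the real Verify.pdf): one link annotation with a URI action.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
              b"/A << /S /URI /URI (http://c2.example.invalid/Verify.php) >> >> endobj\n")
```

Running triage on the same attachment with and without the “Bank of America” descriptor shows why the header rule alone is a weak link: only the attachment-level indicator survives the variation.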