You searched for insider threat - My TechDecisions
https://mytechdecisions.com/
The end user’s first and last stop for making technology decisions
Feed generated Wed, 27 Mar 2024 20:35:24 +0000

The Cyberattacks and Insider Threats During The Development of China’s C919 Passenger Jet
https://mytechdecisions.com/network-security/the-cyberattacks-and-insider-threats-during-the-development-of-chinas-c919-passenger-jet/
Mon, 05 Jun 2023 19:59:22 +0000

The post The Cyberattacks and Insider Threats During The Development of China’s C919 Passenger Jet appeared first on My TechDecisions.

Over the weekend, China claimed a major win by launching the first commercial flight of the C919, the country’s first domestically manufactured large passenger jet built by the Commercial Aviation Corporation of China (COMAC). However, some non-China-based aviation manufacturers and cybersecurity firms may opt to use the term “domestically manufactured” loosely.

According to CNN, the C919’s first flight left Shanghai at 10:32 a.m. Sunday and landed at Beijing Capital International Airport at 12:31 p.m. The flight is being hailed as an important moment in China’s strategy to boost domestic manufacturing by 2025 and reduce reliance on foreign companies in the aviation sector.

While manufactured in China, many of the airplane’s components come from Western companies. Adding to the scrutiny of the aircraft’s development are allegations that a Chinese state-aligned adversary conducted cyber intrusions against several of the companies that make the C919’s components. These allegations are detailed in a lengthy 2019 report from cybersecurity firm CrowdStrike as well as a series of indictments against both cyber actors and insiders.

CrowdStrike could not be reached for comment, so this article is sourced entirely from the firm’s report and U.S. Department of Justice indictments.

In its report, CrowdStrike says its research corroborates a series of DOJ indictments released over two years during the C919’s development. Taken together, those indictments strongly suggest that cyber actors from China, company insiders and state directives targeted foreign companies to fill key technology and intelligence gaps and better compete with the Western aerospace industry.

“What follows is a remarkable tale of traditional espionage, cyber intrusions, and cover-ups, all of which overlap with activity CrowdStrike Intelligence has previously attributed to the China-based adversary TURBINE PANDA,” CrowdStrike said in the 2019 report, alleging that the operations can be traced back to China’s Ministry of State Security’s (MSS) Jiangsu Bureau, the alleged perpetrators of the infamous 2015 U.S. Office of Personnel Management (OPM) breach.

Cyberattacks beginning in 2010

According to CrowdStrike, Turbine Panda conducted cyber intrusions between 2010 and 2015 against foreign manufacturers of aviation components, including many that were chosen for the C919.

The state-owned enterprise (SOE) Commercial Aircraft Corporation of China announced in December 2009 that it had chosen CFM International’s (a joint venture between U.S.-based GE Aviation and French aerospace firm Safran, formerly Snecma) LEAP-X engine to provide a custom variant engine, the LEAP-1C, for the then-newly announced C919.

Despite the deal, both COMAC and fellow SOE the Aviation Industry Corporation of China were believed to be tasked by China’s State-owned Assets Supervision and Administration Commission of the State Council (SASAC) with building an “indigenously created” turbofan engine that was comparable to the LEAP-X, CrowdStrike says in its report. In 2016, the Aero Engine Corporation of China produced the CKJ-1000AX engine, which bears multiple similarities to the LEAP-1C engine.

While CrowdStrike admitted that it is difficult to assess if the Chinese engine is a direct copy, the cybersecurity firm said it is highly likely that its makers benefitted significantly from the cyber campaign of the Jiangsu Bureau of the MSS (JSSD).

CrowdStrike, citing its own intelligence reporting and U.S. government sources, says the Chinese government uses a “multi-faceted system” of forced technology transfer, joint ventures, physical theft from insiders and cyber espionage to acquire information to fill key knowledge gaps.

One DOJ indictment, CrowdStrike says, describes “initial preparatory action that included compromising Los Angeles-based Capstone Turbine servers and later using a doppelganger site as a strategic web compromise (SWC) in combination with DNS … to compromise other aerospace firms.”

From 2010 to 2015, the linked JSSD operators are believed to have targeted a variety of aerospace-related targets … using two China-based APT favorites, PlugX and Winnti, and malware assessed to be unique to the group dubbed Sakula.

Many individuals associated with the campaign are “assessed to have storied histories in legacy underground hacking circles within China dating back to at least 2004,” CrowdStrike says, citing the DOJ.

Indictments

As detailed in CrowdStrike’s report, the U.S. Department of Justice released several indictments from 2017 through October 2018, charging several individuals with activities related to theft of trade secrets and hacking related to the development of the C919.

The indictments were against Sakula developer YU Pingan, JSSD Intelligence Officer XU Yanjun, GE employee and insider ZHENG Xiaoqing, U.S. Army Reservist and assessor JI Chaoqun, and 10 JSSD-affiliated cyber operators.

“What makes these DoJ cases so fascinating is that, when looked at as a whole, they illustrate the broad, but coordinated efforts the JSSD took to collect information from its aerospace targets,” CrowdStrike says in its report. “In particular, the operations connected to activity CrowdStrike Intelligence tracked as TURBINE PANDA showed both traditional human-intelligence (HUMINT) operators and its cyber operators working in parallel to pilfer the secrets of several international aerospace firms.”

Insiders

CrowdStrike and the DOJ also detail how insiders and IT employees helped steal information and cover up the cyber activities, offering new insight into how adversaries combine a wide variety of tools and techniques to accomplish their goals.

According to CrowdStrike and the DOJ, a GE insider was charged with using “an elaborate and sophisticated means” to steal GE trade secrets after being recruited by a Chinese aerospace official closely aligned with the country’s Ministry of Industry and Information Technology.

In addition, IT employees at the Canada-based International Civil Aviation Organization (ICAO), the United Nations body that sets global aviation standards, allegedly covered up a cyber intrusion by another alleged China state-sponsored actor that had been observed targeting the aviation industry.

CrowdStrike, citing public reporting, says the intrusion at ICAO was “likely designed to facilitate a strategic web compromise (SWC) attack … that would easily provide a springboard to target a plethora of other aerospace-related as well as foreign government victims.”

“Upon being alerted to the breach by the Aviation Information Sharing and Analysis Center (AISAC), the ICAO internal IT investigation staff was reportedly grossly negligent, and the cyber intruders may have had direct access to one of their superuser accounts,” CrowdStrike says in its report. “In addition, a file containing a list of all the potential organizations who were compromised by the incident mysteriously disappeared during further investigations.”

Both the ICAO IT supervisor in charge of the mishandled internal investigation and the ICAO secretary general who shelved recommendations to investigate the IT supervisor and his four team members were found by CrowdStrike to have ties to China’s aviation industry, the firm says.

Takeaways from four years later

This article is just a snippet of CrowdStrike’s reporting and what Turbine Panda and other associated groups are alleged to have done to help boost the Chinese aviation sector. But more than that, it tells the tale of how advanced persistent threat (APT) groups and other sophisticated threat actors will go to extraordinary means to accomplish their end goals.

That includes advanced hacking techniques, leveraging insiders, physical theft and collaborating with the massive underground cybercrime community to launch multi-faceted attacks against a particular organization or industry.

New Email Rules, MFA Bypass Are Top Hacking Tactics So Far in 2023
https://mytechdecisions.com/network-security/2023-hacking-tactics/
Thu, 01 Jun 2023 16:46:49 +0000

The post New Email Rules, MFA Bypass Are Top Hacking Tactics So Far in 2023 appeared first on My TechDecisions.

Account compromise, new inbox rules designed to hide malicious activity, and multifactor authentication bypass are the most popular hacking tactics being utilized by threat actors so far in 2023, according to a new report from cybersecurity firm Expel.

According to the managed detection and response provider, identity-based attacks such as account compromise, account takeover and access key theft accounted for 57% of all cybersecurity incidents identified by Expel’s security operations center (SOC).

When narrowed down to Microsoft 365 attacks, account compromise and takeover accounted for 50% of all incidents, according to Expel’s first quarter threat report.

New inbox rules

As detailed in the report, hackers who have successfully compromised email accounts are creating inbox rules to automatically delete or hide certain emails from the compromised account. Of all Microsoft 365 account takeovers in the first quarter of 2023, this happened in 50% of cases, according to Expel.

Creating those inbox rules essentially reduces the chance of the victim or IT administrator spotting unusual activity.

Of those new inbox rules in M365 accounts, 54% were named “.”, 18% were named “..” and 16% were named with just a single letter. The most common inbox rules either automatically delete specific emails or mark certain emails as “Read” and then move them to the “Archive” and “RSS Subscription” folders.

To maintain persistence, attackers are registering new multifactor authentication (MFA) devices in Azure, which Expel detected in about 25% of account takeover cases.

Inbox rules designed to forward emails to an attacker-controlled account have been a common tactic, but Expel detected such rules in just 5% of M365 account takeovers.

Jonathan Hencinski, vice president of security operations at Expel, cautions organizations to implement alerts for new Outlook inbox rules created with suspicious names.

“We recommend security teams implement alerts for new Outlook inbox rules created with suspicious names—two to three characters in length, or repeating characters could be a clue. Employees should also be vigilant and check their Outlook inbox for any abnormal or suspicious rules they didn’t set up by clicking ‘File’ and then ‘Rules & Alerts’ to review the rules they’ve implemented.”
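As an added example (not code from the article or from Expel), the following Python triage routine applies the advice above to inbox-rule audit events. It reads constructed sample records shaped like Microsoft 365 Unified Audit Log entries for the Exchange New-InboxRule operation (the Operation, UserId and Parameters field names are an assumption modelled on that audit schema; the users, rule names and folders are invented) and flags rules whose names are one to three characters or made of a single repeated character, as well as the delete, mark-as-read-and-move and forwarding behaviours the report describes.

```python
import json

# Constructed sample audit events, shaped like Microsoft 365 Unified Audit Log
# records for the Exchange "New-InboxRule" operation. The field layout
# (Operation, UserId, Parameters as Name/Value pairs) is an assumption modelled
# on the public audit schema; users, rule names and folders are invented.
SAMPLE_AUDIT_LINES = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.com",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectContainsWords", "Value": "invoice;password"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "bob@example.com",
                "Parameters": [{"Name": "Name", "Value": "Vendor newsletters"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "carol@example.com",
                "Parameters": [{"Name": "Name", "Value": "aaa"},
                               {"Name": "MarkAsRead", "Value": "True"},
                               {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "dave@example.com",
                "Parameters": [{"Name": "Name", "Value": "Backup copies"},
                               {"Name": "ForwardTo", "Value": "dave.personal@example.net"}]}),
    json.dumps({"Operation": "Set-Mailbox", "UserId": "erin@example.com",
                "Parameters": [{"Name": "AuditEnabled", "Value": "True"}]}),
]

# Folders the report names as parking spots for hidden mail (Archive, RSS
# Subscriptions) plus Deleted Items, where the AiTM write-up says the phishing
# email itself is moved. Compared case-insensitively.
HIDING_FOLDERS = {"archive", "rss subscriptions", "rss feeds", "deleted items"}

# Rule creation and modification both deserve a look.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}


def parameters_to_dict(parameters):
    """Flatten the audit record's list of {"Name": ..., "Value": ...} pairs."""
    return {p["Name"]: p["Value"] for p in parameters}


def is_suspicious_rule_name(name):
    """Flag blank names, names of 1-3 characters, and single repeated characters ('.', '..', 'aaaa')."""
    stripped = name.strip()
    if len(stripped) <= 3:
        return True
    return len(set(stripped)) == 1


def rule_reasons(params):
    """Return the list of reasons an inbox rule looks like post-compromise cleanup."""
    reasons = []
    if is_suspicious_rule_name(params.get("Name", "")):
        reasons.append("short_or_repeating_name")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes_messages")
    folder = params.get("MoveToFolder", "").strip().lower()
    if folder in HIDING_FOLDERS:
        reasons.append("moves_to_hiding_folder")
        if params.get("MarkAsRead", "").lower() == "true":
            reasons.append("marks_read_before_moving")
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        if params.get(key):
            reasons.append("forwards_mail")
            break
    return reasons


def triage_inbox_rules(audit_lines):
    """Parse JSON audit lines and return one alert per inbox rule with at least one reason."""
    alerts = []
    for line in audit_lines:
        record = json.loads(line)
        if record.get("Operation") not in RULE_OPERATIONS:
            continue
        params = parameters_to_dict(record.get("Parameters", []))
        reasons = rule_reasons(params)
        if reasons:
            alerts.append({"user": record["UserId"],
                           "rule_name": params.get("Name", ""),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage_inbox_rules(SAMPLE_AUDIT_LINES):
        print(f"{alert['user']}: rule {alert['rule_name']!r} -> {', '.join(alert['reasons'])}")
```

On the constructed input this raises alerts for alice (dot-named rule that deletes mail), carol (repeated-character name, mark as read, move to RSS Subscriptions) and dave (forwarding to an external address), and ignores bob's ordinary newsletter rule and erin's unrelated mailbox change. In production the same function would be fed from the audit log export rather than the inline samples, and the name heuristic is deliberately loose: a three-character rule name is a reason to look, not proof of compromise.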

MFA bypass

Expel’s threat report for the first quarter of 2023 also details what is becoming a common hacking tactic: MFA bypass.

The company says attackers are targeting SaaS applications like Okta and M365 by stealing session cookies, launching MFA fatigue attacks, registering malicious OAuth applications and authenticating using legacy protocols.

According to Expel’s report, 5% of all identity-related incidents in the quarter involved frameworks such as Evilginx2 to steal login credentials and session cookies for initial access and subsequent bypassing of MFA.

This represents an important shift in threat actor tactics, Hencinski says.

“This is an important shift: threat actors are moving away from authenticating using legacy protocols to bypass MFA in M365, and are instead adopting frameworks to launch Attacker-in-the-Middle (AiTM) phishing campaigns—a new tactic effective at end-running MFA defenses,” Hencinski says.

In most of these situations, once attackers access the email account, they typically query the email inbox for the phishing email that contains a link to their proxy site. Then they move the email to the deleted items folder to hide evidence of the attack.

Finally, they register a new MFA device to establish persistence before the session cookie expires, Hencinski adds.

Organizations should adopt FIDO2 and certificate-based authentication to protect against these attacks. However, most organizations don’t use FIDO factors for MFA.

“In this case, deploy phish-resistant MFA,” Hencinski instructs. “If that’s unrealistic, disable email, SMS, voice, and TOTPs, and instead opt for push notifications.”

Vulnerabilities

According to Expel, the company saw the exploitation of software vulnerabilities to gain initial access in a small percentage of first-quarter incidents, but the security bugs that were leveraged by threat actors tend to be at least a year old.

According to Expel, the most common vulnerabilities leveraged by hackers in the first quarter of 2023 were:

  • CVE-2022-47966 – Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability
  • CVE-2022-21587 – Oracle E-Business Suite Unspecified Vulnerability
  • CVE-2021-4034 – Red Hat Polkit Out-of-Bounds Read and Write Vulnerability
  • CVE-2020-14882 – Oracle WebLogic Server Remote Code Execution Vulnerability

This is a common theme in threat reports, as organizations are still struggling to prioritize and patch vulnerabilities.

“This indicates that organizations may not understand which vulnerabilities pose the biggest threats to their environment,” Hencinski says. “But by evaluating and understanding the vulnerabilities that could most impact their orgs, security teams can prioritize patching them and eliminate critical risks in the cybersecurity kill chain.”

Insider threats

Another hacking tactic briefly detailed in Expel’s report is the rise of insider threats so far in 2023. The company said it detected a bump in cases of misuse of cloud storage and file synchronization services like Google Drive, although these still only accounted for a small percentage of incidents.

In these cases, employees with legitimate access to Google Drive uploaded gigabytes of information, including sensitive intellectual property.

“While these officially qualify as insider threats, we can’t speculate on the motivations in these incidents,” Hencinski says. “Regardless, orgs should be aware of the potential risks associated with cloud storage and file synchronization services.”

My TechDecisions Podcast Episode 195: Zero Trust Adoption Challenges and Drivers
https://mytechdecisions.com/podcast/my-techdecisions-podcast-episode-195-zero-trust-adoption-challenges-and-drivers/
Thu, 25 May 2023 17:29:19 +0000

The post My TechDecisions Podcast Episode 195: Zero Trust Adoption Challenges and Drivers appeared first on My TechDecisions.

On this episode of the My TechDecisions Podcast, we discuss zero trust adoption challenges and drivers with Chalan Aras, the managing director of cyber and strategic risk at Deloitte.

According to a recent Deloitte poll, legacy systems and environments are the greatest challenge to adopting zero trust, with 44.6% of executives agreeing to that sentiment.

However, these organizations plan to forge ahead with their zero trust plans due to increases in cyber threats (30.1%) and the need to better manage third party risks (25.1%), according to Deloitte’s research.

Further down the list of drivers of zero trust adoption are managing workforce-related risks, such as remote work and insider threats (17.2%), managing risks due to cloud adoption (15.1%) and managing elevated cyber risks due to geopolitical conflict (4.8%).


However, organizations far and away cited complexity and compatibility issues with legacy systems and environments as the top challenge to successful implementation of zero trust, with nearly 45% of executives agreeing.

Within zero trust adoption programs, organizations are most likely to prioritize enhancements focused on data security and identity and access management, which came in at 26.1% and 21.5%, respectively. This isn’t surprising given the importance of responsibly handling data and protecting user identities.

Also cited as important in zero trust adoption efforts include SASE implementation (13.9%), network segmentation (13.3%) and endpoint controls improvements (9.3%).

Listen to the podcast with the media player below, or on your favorite podcasting platform!

CISOs Are Less Confident in Their Organization’s Security in 2023
https://mytechdecisions.com/network-security/proofpoint-ciso-2023/
Tue, 16 May 2023 17:15:02 +0000

The post CISOs Are Less Confident in Their Organization’s Security in 2023 appeared first on My TechDecisions.

The pandemic introduced an entirely new way of working that delighted many end users, but IT departments and cybersecurity professionals had their work cut out for them as they were required to deploy, manage and secure technologies designed to support distributed work. That shift to distributed work resulted in new cyberattack vectors that had even the most seasoned security professionals gasping for air, but those feelings subsided in 2022 as organizations adapted and adjusted to the new reality.

However, new data from cybersecurity firm Proofpoint suggests that cybersecurity leaders are again at their wits’ end as 68% of chief information security officers (CISOs) now feel at risk for a material cyberattack, compared to just 48% in 2022.

The Sunnyvale, Calif.-based firm says in its 2023 Voice of the CISO report that this is a shift back to 2021, when 64% of CISOs believed a material cyberattack was imminent.

Similarly, CISOs now feel that their organizations are less prepared for a cyberattack than last year, with Proofpoint’s research showing that 61% feel unprepared for an attack versus 50% that felt the same last year. In 2021, 66% of CISOs said their organizations were unprepared.

The report, the results of a survey from more than 1,600 cybersecurity leaders across 16 countries, essentially concludes that CISOs no longer feel the sense of calm they briefly experienced after the initial onslaught of attacks and distributed infrastructure during the pandemic.

Why are CISOs less confident than they were in 2022?

Proofpoint’s 2023 Voice of the CISO report finds that several factors are contributing to a less-than-ideal confidence among security leaders, including a possible economic downturn, employee turnover, increasing threats and unreasonable job expectations.

According to the study, email fraud, insider threats, cloud account compromise and DDoS attacks were the four most concerning threat categories cited by CISOs this year, and it is largely unchanged from last year.

However, the research also suggests that cyber awareness among employees is still lacking: 60% of CISOs say human error is their organization’s biggest cyber vulnerability, compared to 56% and 58% who said the same in 2022 and 2021, respectively.

In addition, just 61% of CISOs believe employees understand their role in helping prevent cyberattacks.

CISOs also feel that the loss of sensitive data is exacerbated by employee turnover, with 63% of security leaders reporting having to deal with a material loss of sensitive data in the past 12 months. Of those, 82% agreed that employee turnover contributed to the loss.

Security leaders are clearly feeling more pressured, with 61% reporting they face unreasonable job expectations, a significant increase from 49% who said the same last year. That is leading to 62% saying they are concerned about personal liability and 60% reporting burnout in the past 12 months.

“Back to ‘business as usual’, they are less assured in their organization’s abilities to defend against cyber risk,” says Lucia Milică Stacy, global resident CISO at Proofpoint. “Our 2023 Voice of the CISO report reveals that amidst the rising difficulties of protecting their people and defending data, CISOs are being tested at a personal level with higher expectations, burnout, and uncertainty about personal liability.”

Proofpoint Unveils New Innovations to Combat Increasingly Common Threats
https://mytechdecisions.com/network-security/proofpoint-unveils-new-innovations-to-combat-increasingly-common-threats/
Mon, 24 Apr 2023 17:51:43 +0000

The post Proofpoint Unveils New Innovations to Combat Increasingly Common Threats appeared first on My TechDecisions.

Ahead of the 2023 RSA Conference, Proofpoint, Inc., the Sunnyvale, Calif.-based cybersecurity and compliance company, unveiled a host of innovations across its Aegis Threat Protection, Identity Threat Defense and Sigma Information Protection platforms. The company’s latest solutions empower organizations to stop malicious email attacks, detect and prevent identity-based threats and defend sensitive data from theft, loss and insider threats.

According to the company, the new innovations further enhance its threat and information protection platforms, in addition to its newly formed Identity Threat Defense business (formerly known as Illusive), to help organizations augment and safeguard their productivity investments, such as Microsoft 365, with maximum deployment flexibility.

“Proofpoint continues to deliver on innovations that empower organizations to break the attack chain,” said Ryan Kalember, executive vice president, cyber security strategy, Proofpoint in a statement. “By providing our customers a unified path to solve for risk across email, cloud, identity and data, CISOs gain unparalleled visibility into and protection against the tactics that attackers rely on most.”

Proofpoint’s Aegis Threat Protection Platform

Proofpoint Aegis Threat Protection Platform is an AI/ML-powered threat protection platform that disarms attacks such as business email compromise (BEC), phishing, ransomware and supply chain threats. With flexible deployment options using both APIs and inline architecture, Aegis delivers AI-powered, cloud-based protection that complements native Microsoft 365 defenses, says Proofpoint.

By combining the company’s proprietary behavioral analytics and threat intelligence, Proofpoint is delivering new capabilities that provide visibility into account takeover-based attacks from both within an organization’s environment and outside suppliers.

Supplier Threat Protection

Supplier relationships are a growing attack vector: 69% of organizations experienced a supply chain attack within the past year, and CISOs rate it as one of their top concerns, according to Proofpoint research. With Proofpoint’s Supplier Threat Protection, organizations can detect compromised supplier accounts so that security teams can swiftly investigate and remediate.

This new product proactively monitors for and prioritizes known compromised third-party accounts, simplifies investigation with details on why the account is suspected compromised and which employees recently communicated with the account in question, enabling security teams to seamlessly defend against prevalent third-party attacks such as BEC and phishing.

Targeted Attack Prevention Account Takeover (TAP ATO)

Threat actors successfully override MFA in 30% of all targeted cloud and email account takeover attacks according to Proofpoint threat research. Once inside, malicious actors can hide undetected in an organization’s environment, waging sophisticated attacks at will.

Proofpoint TAP ATO, available at the end of Q2 2023, provides visibility across the entire email account takeover attack chain. It accelerates response investigation and remediates accounts, malicious mailbox rule changes, and manipulations of third-party apps and data exfiltration across email and cloud environments.

Identity Threat Defense (formerly known as Illusive)

From ransomware to APTs, 90% of attacks rely on compromised identities, says Proofpoint. The complexity of managing Active Directory (AD) has resulted in the presence of exploitable privileged identity risks in all organizations at a rate of one in six endpoints.

These identity risks include unmanaged local admins with stale passwords, misconfigured users with unnecessary privileges, cached credentials left exposed on endpoints and much more. When an attacker compromises an endpoint with these privileged identity risks, deploying malicious software and stealing data is easy. Privileged identities represent the keys to the kingdom, which attackers exploit to steal the crown jewels. Unfortunately, most organizations are unaware of this risk – until they are attacked.

Leveraging new advanced identity risk analytics and automated detection, Proofpoint has further bolstered its Identity Threat Defense platform – undefeated in more than 150 red team exercises – to provide organizations with comprehensive identity risk protection and remediation:

Spotlight Risk Analytics

The new advanced risk analytics in the Spotlight dashboard allows users to gain an executive view of an organization’s risk trends as well as exposure across various risk categories and risk exposure levels. It also provides recommendations for possible user admin action.

Spotlight Risk Analytics simplifies decision makers’ workload while ensuring organizational leaders can make informed decisions to remediate modern and sophisticated identity risks. With availability expected late Q2 2023, decision makers will also be able to follow risk trends to track their organization’s risk posture improvements over time.

Proofpoint Spotlight Cross Domain & Trust Visibility

For organizations with complex infrastructure, including multinational, multi-business and merging organizations, identity infrastructure is often stitched together without broader visibility.

Spotlight Cross Domain & Trust Visibility provides insight to understand where AD domains across companies have too much bi-directional trust, which can result in identity risk and lateral movement by attackers. Business leaders can gain a centralized view into the broadest organizational structure’s domains and trusts to better prevent identity risk exposure in a holistic fashion.

Sigma Information Protection Platform

Since its introduction in early 2020, Proofpoint’s information protection business has grown a remarkable 107%, making the company the second largest data loss prevention (DLP) vendor globally and by revenue according to Gartner. Driven by the accelerated adoption of work-from-anywhere practices, the Proofpoint Sigma Information Protection platform is now deployed to over 5,000 customers and 46 million users worldwide, analyzing 45 billion events each month, and trusted by nearly half of the Fortune 100.

Proofpoint’s Information Protection platform merges content inspection, threat telemetry and user behavior across channels in a unified, cloud-native interface.

Privacy by Design Data Loss Prevention

As international organizations work to meet new and changing local privacy and data sovereignty requirements, Proofpoint now hosts its Sigma Information Protection platform in regions such as the European Union, Japan, and Australia in addition to the U.S.

Proofpoint is also further investing in privacy-related capabilities so that organizations can mask sensitive data in the console to limit its exposure and create custom data access policies to address privacy and compliance needs.

Additional features are available in beta, with general availability expected in Q3 2023, enabling organizations to anonymize identifying user information so analysts can investigate without bias and with better privacy for the user.

Administrators will also be able to set up metadata for anonymization and approval workflows for de-anonymizing the metadata during investigation.

What is Holding Up Your Zero Trust Implementation? https://mytechdecisions.com/network-security/what-is-holding-up-your-zero-trust-implementation/ Fri, 21 Apr 2023 17:53:12 +0000

The post What is Holding Up Your Zero Trust Implementation? appeared first on My TechDecisions.

Despite a growing consensus that zero trust security policies can help keep organizations secure, companies are struggling with legacy technology and the associated complexities and compatibility issues as they also look to modernize their infrastructure.

According to new research from business management consulting firm Deloitte, legacy systems and environments are the greatest challenge to adopting zero trust, with 44.6% of executives agreeing to that sentiment.

However, these organizations plan to forge ahead with their zero trust plans due to increases in cyber threats (30.1%) and the need to better manage third party risks (25.1%), according to Deloitte’s research.

Further down the list of zero trust adoption drivers are managing workforce-related risks such as remote work and insider threats (17.2%), managing risks due to cloud adoption (15.1%) and managing elevated cyber risks due to geopolitical conflict (4.8%).

However, organizations far and away cited complexity and compatibility issues with legacy systems and environments as the top challenge to successful implementation of zero trust, with nearly 45% of executives agreeing.

Within zero trust adoption programs, organizations are most likely to prioritize enhancements focused on data security and identity and access management, which came in at 26.1% and 21.5%, respectively. This isn’t surprising given the importance of responsibly handling data and protecting user identities.

Also cited as important in zero trust adoption efforts include SASE implementation (13.9%), network segmentation (13.3%) and endpoint controls improvements (9.3%).

While legacy IT infrastructure can be challenging when implementing zero trust, it is also a primary driver of adoption, says Andrew Rafla, Zero Trust offering leader at Deloitte Risk & Financial Advisory.

“You cannot replace a mainframe overnight, but you can rapidly change how that environment is accessed to significantly reduce risk,” Rafla says. “It is also possible to reduce friction for end users by limiting disruption to their native experiences and enhancing IT operational efforts associated with the adoption of modernized controls.”

The Alleged U.S. Military Document Leaker Worked in IT https://mytechdecisions.com/network-security/alleged-u-s-military-document-leaker-insider-risk/ Fri, 14 Apr 2023 18:11:35 +0000

The post The Alleged U.S. Military Document Leaker Worked in IT appeared first on My TechDecisions.

The FBI has arrested an alleged leaker of sensitive and highly classified U.S. military documents on the Ukraine-Russia conflict, arresting a 21-year-old Massachusetts Air National Guardsman and accusing him of posting the documents on a Discord server.

That individual, Jack Teixeira, was an IT worker for the Air National Guard, working as a Cyber Defense Operations Journeyman, according to an affidavit that was unsealed Friday. That role, essentially a junior security system administrator tasked with supporting IT systems, included access to sensitive compartmented access and other highly classified programs.

The information disclosed in the leaked documents included details on the U.S.’s ability to deeply spy on both adversaries and allies, as well as detailed information about ground movements of troops in Ukraine.

With the help of a Discord user, the FBI was able to identify the Discord account and discover Teixeira’s identity, including his address. They easily discovered that Teixeira was employed by the U.S. military.

U.S. agencies were able to access logs of the documents Teixeira had accessed and compare them with what was being posted on Discord and when. In addition, U.S. agencies that monitor searches conducted on classified networks discovered that Teixeira used his government computer to search classified intelligence reporting for the word “leak” as the story began to make headlines.

Insider Risk Management

This is a perfect example of why organizations need to take insider threats and securing highly privileged accounts very seriously.

According to a recent Microsoft report, the average organization has about 12 insider risk events each year, with about one-third of organizations reporting an increase in their insider risk event occurrence in the past year.

Microsoft’s report, “Building a Holistic Insider Risk Management Program,” also identified IT professionals as the group most often seen as at risk of abusing or leaking data. IT was far and away the most frequently named, with 60% of respondents seeing IT as highly at risk. Second was finance and accounting at just 48%.

“This makes it all the more important to ensure that the security and IT teams investigating insider risks have strong auditing and approval controls in place, to make sure that their actions are in the best interest of the organization,” the company said in the report.

Another recent report from insider risk management provider Code42 finds that companies with an insider risk management program in place saw a 32% increase in data loss incidents, and 71% expect data loss from insider events to increase over the next 12 months.

The report, the culmination of a survey of chief information security officers (CISOs), found that 82% of CISOs say data loss from insiders is a problem for their organization.

Insider events have devastating effects on organizations, with 79% of cybersecurity executives saying they could lose their job from an unaddressed insider breach. In addition, security leaders said insider risk was the most difficult type of threat to detect, according to the report.

In this case, it’s more than just jobs and a company’s reputation at stake–it could be someone’s life.

Armorblox: BEC Attacks Increased by 72% YOY https://mytechdecisions.com/network-security/armorblox-bec-attacks-increased-by-72-yoy/ Thu, 13 Apr 2023 22:01:33 +0000

The post Armorblox: BEC Attacks Increased by 72% YOY appeared first on My TechDecisions.

Threat researchers at email security firm Armorblox have found that business email compromise (BEC) attacks have increased dramatically, by 72% year-over-year. In its second annual Email Security Threat Report, the 2023 edition, the company says it continues to see high volumes of language-based and socially engineered attacks targeting organizations of all sizes and across industries. Vendor compromise and fraud is also rising as a new attack vector, and graymail is wasting 27 hours of security teams’ time each week.

The Sunnyside, Calif.-based security company’s report is based on data gathered across more than 58,000 customers, analyzing over 4 billion emails and stopping 800,000 threats every month.

Armorblox 2023 Email Security Report Key Findings

  • Small and medium-sized businesses (SMBs) are particularly vulnerable to vendor fraud and supply chain email attacks. More than half of vendor compromise attacks targeted technology organizations (53%).
  • Bad actors are still infiltrating legitimate business workflows to steal sensitive business information. Business workflows involving email notifications were the most compromised, a significant uptick over 2021. Half of all attacks involve sensitive user data, such as user login credentials (52%).
  • BEC attacks continue to evolve. Language remains the main attack vector in 4 out of 5 (77%) BEC attacks that bypassed legacy solutions in 2022.
  • With the widespread use of email for business communications, half of account compromise attacks targeted SMBs (58%), proving to be a persistent and prevalent threat.
  • 20% of BEC attacks involved graymail or unwanted solicitation and security teams can find themselves spending upwards of 27 person hours a week manually sorting and deleting graymail across inboxes.
  • Of all attacks in 2022, half bypassed legacy security filters (56%).
  • In 2022, there was a 70% increase in phishing attacks, compared to 63% in the previous year.

Financial Fraud, Insider Threats on the Rise

In addition, financial fraud attacks such as payroll, payment and invoice fraud increased by 72% over 2022 and are expected to continue to rise in 2023. With tools such as ChatGPT, in 2023 Armorblox expects to see a significant increase in the total number of BEC emails that flood user mailboxes inside of organizations. With an increasing hybrid approach to work, more campaigns will rise that use work-from-home-related reasons to target employees.

“Based on threats analyzed by Armorblox across our customer base of over 58,000 organizations, we see over half of email attacks targeting critical business workflows aim to exfiltrate sensitive user data. These attacks often involve bad actors infiltrating legitimate business communications to alter sensitive business information, such as assigning new routing numbers for payment requests,” said DJ Sampath, co-founder and CEO of Armorblox, in a statement. “These attacks use language as the primary attack vector to impersonate trusted SaaS applications, vendors, and VIPs. This only increases the critical need for organizations to augment native and legacy security layers with modern API-based solutions that use a broad set of deep learning algorithms, machine learning models, data science approaches, and natural language-based techniques to understand the content and context of communications, and protect against these targeted attacks.”

The Armorblox 2023 Email Security Threat Report presents the associated trends for targeted email attacks across the following threat types – vendor compromise, BEC, financial fraud, phishing attacks, impersonation attacks, account compromise and graymail. The report uncovers the vulnerabilities in legacy email security filters, the sensitive user data at risk across compromised business workflows, and the gratuitous work security teams juggle in response to high volumes of graymail emails.

View Armorblox’s complete 2023 Email Security Report here.

Code42 and SentinelOne Partner to Uncover Risk to Data & Accelerate Response to Insider Threats https://mytechdecisions.com/network-security/code42-and-sentinelone-partner-risk-data-insider-threats/ Tue, 07 Mar 2023 15:25:15 +0000

The post Code42 and SentinelOne Partner to Uncover Risk to Data & Accelerate Response to Insider Threats appeared first on My TechDecisions.

Code42 Software, Inc., the Minneapolis-based provider of Insider Risk Management (IRM), and SentinelOne, Inc., an autonomous cybersecurity platform company, announced a new partnership that integrates the Code42 Incydr solution with the SentinelOne Singularity Platform. This integration grants users additional visibility over their most sensitive data and expands response capabilities in the event of an insider threat incident.

Unlike traditional data protection solutions that force security teams into binary monitoring-or-blocking trade-offs, the Incydr solution offers a range of response controls to address the data risk events it detects. By doing so, Incydr allows organizations to drive both effective and efficient reduction of employee-driven data risk. This new integration expands Incydr’s response capabilities by allowing security analysts to more quickly detect and prioritize risk to data and speed insider threat response via SentinelOne. SentinelOne’s network isolation capability allows security team members to stop an employee’s device from communicating with the internet in order to prevent exfiltration of data while an investigation takes place.


“Time is an invaluable commodity for security teams, which is why so much of a response strategy requires automation. Insider threat incidents require hands-on investigation from security analysts so it’s critical they have real-time actions they can utilize to contain threats,” says Aimee Simpson, director of product marketing at Code42. “Through this partnership with SentinelOne, we are now offering security teams rapid control over their company’s data and the ability to easily and quickly quarantine a device during an active insider threat investigation. Organizations not only need this level of visibility into data risks to secure their most critical data and assets but also the proper tools in place to efficiently address threats when they arise.”

Leveraging either SOAR playbooks or Code42’s no-code automation service, Incydr Flows, this new SentinelOne and Code42 integration is simple to deploy and manage, says the company.

Specific customer benefits from Code42 and SentinelOne integration include:

  • Detect insider threat: Effectively surface the insider threat events that require investigation.
  • Contain data risk: Prevent the user from taking further risky action while you investigate.
  • Save security time: Speed-up response time and eliminate manual effort by automating the device isolation in response to critical severity events.

“We are committed to helping customers gain additional detection, investigation and response synergies with their security tooling,” says Akhil Kapoor, vice president of technology partnerships, SentinelOne. “We are pleased that SentinelOne’s integration with Code42 will significantly reduce the risks associated with insider threats for our customers.”

Palo Alto Networks Launches New AI-Driven Identity Threat Detection and Response Model for SOC Solution https://mytechdecisions.com/network-security/palo-alto-networks-launches-new-ai-driven-identity-threat-detection-and-response-model-for-soc-solution/ Mon, 06 Mar 2023 16:50:31 +0000

The post Palo Alto Networks Launches New AI-Driven Identity Threat Detection and Response Model for SOC Solution appeared first on My TechDecisions.

Cybersecurity giant Palo Alto Networks is launching its new Identity Threat Detection and Response module for its autonomous security operations center (SOC) solution Cortex XSIAM.

The Santa Clara, Calif.-based firm says the new solution enables customers to ingest user identity and behavior data and deploy AI technology to help detect identity-driven attacks within seconds, strengthening XSIAM’s ability to consolidate multiple security operations tools into a unified, AI-driven SOC platform.

The Identity Threat Detection and Response (ITDR) module comes in the wake of several high-profile identity-driven attacks that target user credentials to access systems. In a news release, Palo Alto highlights the actions of Lapsus$, a hacking group that targets privileged user credentials to gain access to victim systems.

The group’s victims have included Okta, Nvidia, Samsung, Microsoft, Uber and others.

According to Palo Alto Networks, the ITDR module ingests and integrates user behavior data such as when employees work, and which data and applications they access. The module processes data from a variety of sources, including authentication services, endpoint logs, cloud identity data, email and HR data, network, OS and custom sources.

The built-in AI Models can be trained to flag suspicious activity based on irregular user behavior to help IT and security teams get ahead of insider risks like configuration manipulation, file manipulation and modification of permissions, the company says.

In addition, the ITDR module reduces complexity by integrating identity analytics into a unified SOC platform, the company says.

Cortex XSIAM already natively integrates security information and event management (SIEM), endpoint detection and response (EDR), network detection and response (NDR), security orchestration, automation and response (SOAR), threat intelligence management (TIM) and attack surface management (ASM) capabilities, replacing the need for multiple point solutions, according to Palo Alto Networks.

In a statement, Gonen Fink, senior vice president of Cortex products at Palo Alto Networks, says customers who want to detect identity-related attacks must deploy multiple tools, with each providing a partial view into user activities.

“Such disjointed approaches result in poor security outcomes, alert overload, and time wasted on triage,” Fink says. “With the addition of ITDR, the XSIAM platform now integrates all identity data sources into a single security data foundation spanning endpoints, networks and cloud. This allows our customers to run comprehensive AI-driven threat detection to protect against stealthy identity-driven attacks.”
