Unexpected Side Effects: How COVID-19 Affected our Click Habits

Phishing has been around for ages and continues to be one of the most common threats that businesses and home users face today. But it’s not like we haven’t all been hearing about the dangers of phishing for years. So why do people still click? That’s what we wanted...

Key Considerations When Selecting a Web Classification Vendor

Since launching our web classification service in 2006, we’ve seen tremendous interest in our threat and web classification services, along with an evolution of the types and sizes of cybersecurity vendors and service providers looking to integrate this type of...

4 Ways MSPs Can Fine-Tune Their Cybersecurity Go-To-Market Strategy

Today’s work-from-home environment has created an abundance of opportunities for offering new cybersecurity services in addition to your existing business. With cyberattacks increasing in frequency and sophistication, business owners and managers need protection now...

Ransomware: The Bread and Butter of Cybercriminals

Imagine a thief walks into your home and rummages through your personal belongings. But instead of stealing them, he locks all your valuables into a safe and forces you to pay a ransom for the key to unlock the safe. What choice do you have? Substitute your digital...

Is the Value of Bitcoin Tied to Ransomware Rates?

With investors currently bullish on Bitcoin, is its high value is driving cybercriminals to pursue crypto-generating forms of cybercrime like ransomware and illicit miners?

At time of writing, the value of one Bitcoin is north of $58 thousand. Famously volatile, a crash is widely expected to accompany the current bubble, perhaps before the end of 2021. The reason for this volatility is at least partly attributed to an event known as “the halvening,” where the reward generating supply of the cryptocurrency is cut in half, simultaneously increasing demand.

At the same time, the average cost of a ransomware incident is also rising steeply. A study by Palo Alto Networks charted a growth rate of 171 percent in ransoms paid between 2019 and 2020, with the average cost now over $312 thousand. The steepest ransom doubled between 2015 and 2020, from $15 million to $30 million.

An iron law?

So, is it fair to argue that the two trends positively correlated? When the price of Bitcoin rises we should expect ransomware activity to rise with it? Not necessarily, says threat researcher and cryptocurrency expert Tyler Moffitt.

For one, Moffitt cautions it’s important to keep the relative values of U.S. dollars and the various cryptocurrencies in mind when comparing the cost of ransomware. Demanding $50 million in Monero last month for hacking the Taiwanese PC manufacturer Acer and demanding $10 million in Bitcoin for a hack last year will not have netted cybercriminals the same amount. Patient ones, at least.

“Ransomware actors can always grow their demands based on the value of the U.S. dollar,” says Moffitt. “But they have the added benefit of being able grow profits exponentially by riding the Bitcoin market.”

As could be expected with such a volatile asset, these swings sometimes happen quickly. Like when ransomware actors had Baltimore’s public schools between a rock and hard place with WannaCry. The price of Bitcoin had crashed in 2018, but as the ransom demand was on the desk of the city the price surged, sending the total value of the ransom up with it.

In a sense, it’s the volatility of Bitcoin that undermines any direct, positive relationship with ransomware rates. While it’s tempting to see today’s sky-high price and assume cybercriminals would rush to get their slice of that pie, they too know how markets work. It’s possible a ransom of Bitcoin this year could be worth far less next year. For ransomware actors, it’s better to ride out the market, treating their Bitcoin stash like a cybercrime savings plan for aging hackers.

“A lot of ransomware actors aren’t turning their Bitcoin into cash as soon as they get it,” says Moffitt. “Many of them live cheaply on the hope that the $200 million they made in their cybercrime careers will one day net them billions.”

A more direct relationship

Cryptojacking—the process of secretly hijacking a victim’s computing power to generate cryptocurrency—has a much simpler relationship with the value of various currencies. Because miners only collect their currency after doing the work (redirected CPU in this case), it’s only worth doing when values justify it.

“With cryptojacking, we do actually see an increase or decrease in the number of attacks based on its price. So right now, in a bull year when the price keeps rising, you’re going to earn more when you mine,” says Moffitt.

Browser-based cryptojacking uses scripts injected into the webserver, usually by exploiting an unpatched server or capitalizing on an out-of-date WordPress plugin, etc. Then any browser that visits that webpage will mine cryptocurrency using the viewers browser. This attack skyrocketed from its inception in 2017 into 2018.

A watershed moment in browser-based cryptojacking followed the great crypto-crash of 2018 mentioned above. At least according to their official statement, the drop in mining profitability caused the ostensibly-legitimate mining script company Coinhive to shut down in early 2019.

“The ‘crash’ of the crypto currency market, with the value of [Monero] depreciating over 85% in the last year,” was cited by the company as a reason for closing up shop, though some researchers doubt how much truth there is to that claim.

In reality, Coinhive scripts were used by cybercriminals to mine on unsuspecting users’ devices. Researchers at Cornell University discovered that 99 percent of the sites they found running malicious mining scripts were no longer running them following the shutdown of Coinhive.

Its authors concluded, “It became less attractive not only because Coinhive discontinued their service, but also because it became a less lucrative source of income for website owners. For most of the websites, ads are still more profitable than mining.”

Executable-based cryptojacking is when criminals leverage a breach on a machine, whether through phishing, exploits, RDP, and then drop a payload that on execution will use the machines resources to mine crypto. This attack was around before browser-based scripts and is still alive today. In fact, it’s the tactic seeing the most growth during cryptocurrency bull markets.

Monero, a favored cryptocurrency for miners based on its efficiency using consumer-grade devices, witnessed a rebound during this period. Over the course of 2020 and into 2021, the value rose from around $50 to around $250, perhaps explaining why Webroot found 8.9 million cryptojacking scripts in use in 2020.

In summary, both of these crypto-generating schemes require patience from their perpatraitors. When ransomware actors land a big payment from an extorted business, they may be forced to wait out market forces to maximize their earnings. For cryptojackers, profits trickle in over time. First they must determine whether they’re worth the effort and if they too want to play the long game with their take.

This World Backup Day, Our Customers Do the Talking

“I solemnly swear to back up my important documents and precious memories on March 31st.”

Are you taking the pledge this World Backup Day? Now in its tenth year, World Backup Day remains one of our favorite reminders of the risks of not backing up the data we hold dear.

According to the World Backup Day site, “This independent initiative to raise awareness about backups and data preservation started out — like most good things on the internet – on reddit by a couple of concerned users.”

The day goes beyond reminding businesses and private citizens of what they stand to lose due to device theft, hardware failure and other common forms of data loss. It’s a reminder that more and more of our culture is digital, and some of our greatest achievements reside online. Without them, we risk losing a piece of the very greatness of our civilization. (It’s a lot easier to come to work every day in support of the Carbonite mission when you put it like that.)

Here are some of the threats we’ve recently faced online:

  • 121 million ransomware attacks in the first half of 2020 alone, up 20 percent over 20191
  • Eighty-nine percent of businesses claim to have been targeted by COVID-19-related malware in 20202
  • Phishing attacks claiming to be companies like Netflix, HBO and YouTube skyrocketed early in the pandemic3

Numbers are great, and necessary for showing the scope of the problem, but I wanted to see how data loss—and backups—affect real people. So I reached out to our community for stories about times when backup saved their backsides. Here’s what they had to say.

“In the past six weeks we have had two clients hit with ransomware. We have been able to use our backups to bring up server live environments within 45 minutes and it has saved a lot of time and data.” —David H.

“We managed IT for a remote office of a national law firm. The senior partner worked out of our office, and we had a contract to back up all client data firm-wide, as we felt there were numerous vulnerabilities in their system. One morning at 7 a.m., the server RAID array died, and not only were none of the drives recoverable but their tape backup also had not been working properly for at least six months. After the first few hours of them discovering all the things that did not work, I reminded the partner that we had been backing up their data and had a full, clean back up from six hours before the crash. Our extra backup saved the day!” —David Y.

“Backups saved us from a ransomware attack. We were able to isolate the server with the infected machine and restore our files from a local backup. Total downtime was less than 30 hours.” —PJ

“I have been saved from losing both personal and business data more than once!”—Vasilis

“I was able to use a backup to restore all my client’s data after a ransomware attack. Needless to say, they were very happy!”—Nathan

“We are extremely lucky in the fact that we haven’t had any cyberattacks. We did have an issue when our sever failed, and backup basically saved us.”—Simon

“Having good off-site backups enabled recovery from a large fire which rendered on-site backups useless.”—Warren

“We came in one day to find the office doors busted down and the computers raided. They left the cashbox alone, just stole RAM and hard drives. We were encrypting the hard drives, so we didn’t lose any data to the wild as the encryption couldn’t be cracked. But we were back up and running within two hours from backups alone.” —Sharif

Hardware failure, natural disasters, ransomware, device theft, file corruption—it’s not surprising that all of the most common forms of data loss surfaced when we reached out to our users. Don’t fall victim to them!

Back up your data this March 31 to keep from feeling like a fool come April.

Sources:
1 SonicWall Capture Labs
2 VMware/Carbon Black Global Threat Report June 2020
3 Webroot RTAP

A Defense-in-Depth Approach Could Stop the Next Big Hack in its Tracks

Last year’s SolarWinds attack and its aftermath have provided numerous lessons concerning the dangers of IT supply chain attacks. Not all apply to every small and medium-sized business—most are unlikely to be targeted by highly trained state-backed hackers with virtually limitless funding—but some will be.

We learned, for instance, that even IT pros could use a refresher on basic password hygiene through security awareness training. A more substantive lesson is the importance of defense in depth, an approach that prioritizes mutually reinforcing layers of security.

In the case of SolarWinds, the Trojanized Orion update was able to elude endpoint security because it was issued by such a trusted source. As we’ve discussed, however, the damage from the compromise could have been limited significantly by using a defense in depth approach backed by leading threat intelligence.

A firewall with the right threat intelligence embedded could have blocked communications with the command-and-control server thus preventing a Trojanized Orion install from connecting back to the attackers and stopping them from furthering the attack. An endpoint DNS solution could have stopped the Trojanized Orion version by refusing to resolve the domain names of the command-and-control servers, again disrupting the infection to the point that no real damage could be done.

This is what we mean when we stress the importance of a layered defense. Take a hypothetical scenario in which the opposite happens, for example. A zero-day threat with no known connection to malicious IPs, files, or other data objects may not be known to the threat intelligence feed informing a network security solution. Once it has made its way to the endpoint, however, it begins to engage in behaviors known to be malicious. Examples include elevating privileges, moving laterally, or trying to establish outbound communications to name a few.

In this case, it is the endpoint security solution’s turn to save the day. If equipped with a rollback or remediation feature, endpoint solutions can not only stop the activity but also remediate the damage already done. These two layers work in concert to pick up the slack left by the other, helping organizations remain resilient against different types of attacks.

Remote work threatens defense in depth

Most larger organizations and a growing number of smaller ones have caught on to the need for layering endpoint and network protection. Firewalls embed threat intelligence and DNS security solutions are used to both block malware and control internet use. But recent events have worked to undermine this growing understanding.

Remote work exploded in 2020 with the advent of COVID-19, rapidly ushering in a new way of working before all of the security details could really be worked out. This presents a new set of stubborn challenges for IT security admins that’s not likely to fade soon. Outside of the corporate firewall, it is the Wild West. Every employee’s home network has a different set of security protocols and internet use is unregulated.

Webroot’s report on COVID-19 work habits found that three out of four people (76%) worldwide admit they use personal devices for work tasks, use work devices for personal tasks, or both. The 2020 Webroot Threat Report also found that personal devices were about twice as likely to encounter a malware infection as business devices. Together these numbers suggest a significant security threat for companies with remote workers.

DNS security solutions are one way of addressing this risk. Installed as an agent on each corporate endpoint, they route traffic through protected DNS servers that can identify, stop and disrupt communications threats. Of course, personal device use still represents a problem for companies not enforcing strict policies against their use. Nevertheless, DNS security remains a way to protect business-issued devices beyond the company network.   

The “next one” will look different

Focusing solely on how the SolarWinds attack is not the key to preventing future breaches. The next large supply chain attack will likely look very different than the SolarWinds attack. In fact, other than the infamous CC Cleaner hack of 2017, in which more than 2.3 million users of the computer cleanup software were duped into downloading malware onto their own machines, these types of attacks leveraging trusted but Trojanized updates are relatively rare.

But this fact makes defense in depth more critical, not less. Zero days will continue to be encountered. There is no telling which techniques the next one will employ, so it is important to make use of multiple tools to limit potential damage.

Cybercriminals will continue to undermine individual defenses. Smart organizations will hedge their cybersecurity bets so they are not all overcome at one time.

Why MSPs Need to Shift from Cybersecurity to Cyber Resilience

If your critical systems, website or customer data were suddenly inaccessible due to a cyberattack, how soon would you be able to get back up and running? That’s a question that should be on every business leader’s mind. We’ve written before about cyber resilience and why it’s so important, but in today’s increasingly disruptive threat landscape, it’s more important than ever for managed service providers (MSPs) and small to medium-sized businesses (SMBs) to embrace cyber resilience so they can mitigate disruption.

Threats such as hacking, phishing, ransomware and distributed denial-of-service (DDoS) attacks are only the tip of the iceberg and have the potential to interrupt critical business operations and cause reputational damage to organizations of all sizes. With attacks such as the SolarWinds security breach making headlines, as well as increasing threats targeting remote workers and taking advantage of COVID-19, MSPs and SMBs must concern themselves with threats that were once only a concern for much larger organizations. To stay resilient, it’s essential that leaders understand how to protect their businesses using a multi-layered approach.

Learn how your business can stay a step ahead of cybercriminals.
Download our Lockdown Lessons e-book today.

What’s driving the need for cyber resilience?

Cyberattacks are, unfortunately, a matter of “if,” not “when.” Being cyber resilient means that a company has both the ability to prevent attacks and also to mitigate damage and maintain business continuity when systems or data have been compromised. Where cybersecurity focuses more on protecting an organization before an attack has occurred, cyber resilience encompasses an end-to-end approach that keeps the business operating even in the midst and aftermath of an attack.

Without a holistic approach to security and recovery, catastrophic failures can occur. For example, many SMBs rely only on free cybersecurity solutions or eschew security all together. Our data shows only 26% of SMBs deploy enough layers of security to cover their users, networks and devices.

Complicating matters further is the digital disruption that stems from the rapid shift to remote work. The challenge for both MSPs and SMBs is in securing a remote workforce and new, unsecured perimeters, especially across home networks and personal devices, which are already at increased risk for an attack.

SMBs will look to MSPs to achieve cyber resilience

Business leaders have a significant opportunity to bolster confidence in the business through cyber resilience, especially as employees look to management to protect them against increasingly sophisticated threats. According to data from a recent report, only 60% of office workers worldwide believe their company is resilient against cyberattacks. Nearly one in four (23%) admit to not knowing whether their company is resilient, while nearly one in five (18%) flat-out think it isn’t. What’s more, only 14% of office workers worldwide consider cyber resilience to be a responsibility all employees share, meaning that the burden of championing resilience starts with leadership. These statistics indicate a clear gap, and it’s safe to say that many SMBs are grappling with how to keep their businesses safe from cyberattacks.

As prominent attacks and the flow of threats continue, SMBs will look to MSPs to protect their businesses and help them achieve cyber resilience. This creates a unique opportunity for MSPs to guide customers through the maze of cybersecurity and data protection solutions and ensure they are receiving relevant education on protecting the business. MSPs can ensure that customers have defense in depth by offering ongoing security awareness training as well as endpoint protection. Those looking to transition to managed security can lean on Webroot’s training modules and phishing simulations to provide world-class training and monitoring.

It can take a village to prevent cyber threats

While getting support from MSPs is a great stride towards keeping businesses safe, a big piece of the cyber resilience puzzle is teamwork. There’s no single solution or approach that can protect a business, and it really does take a village to protect against today’s cyberattacks. Just as SMBs look to MSPs to become cyber resilient, MSPs can rely on security expertise to fill in the remaining gaps.

Cyber resilience solutions can be custom built for MSPs and their SMB customers, and further tailored to each individual business. By partnering with Webroot and Carbonite, you can offer a customizable set of solutions including endpoint protection, ongoing end user training, threat intelligence, and backup and recovery.

To learn more about cyber resilience and stay up to date on security tips and industry topics, follow our Hacker Files and Lockdown Lessons podcast series.

It’s Too Late for Threat Intelligence Vendors to Ignore IPv6

IPv6 has been a long time coming. Drafted by the Internet Engineering Task Force (ITEF) in 1998, it became an Internet Standard in 2017. Though the rollout of IPv6 addresses has proceeded at a glacial pace since then, adoption numbers continue to inch higher.

Worldwide IPv6 adoption, according to Google’s handy tracker, is around 33 percent. It’s higher in the United States, at just shy of 45 percent. The graph has been trending relentlessly up and to the right since the mid-2000s.

This increased adoption means more cyberattacks are originating from IPv6 addresses. That means security vendors and device manufacturers who rely on embedded threat intelligence should insist on visibility surrounding the successor to IPv4.

Why we needed IPv6

Since the late 1980s, the internet’s architects realized they were cruising toward a problem. IP addresses, those numbers assigned to every internet-connected device, or node, were designed to contain 32 bits. That made for just under 4.3 billion possible number combinations under the IPv4 system. It was apparent even thirty years ago that these possibilities would be exhausted.

That day came in February 2011, met with a dramatic announcement by the Internet Corporation for Assigned Names and Numbers. Its opening line reads, “A critical point in the history of the Internet was reached today with the allocation of the last remaining IPv4 (Internet Protocol version 4) addresses.”

It seemed like the end of an era. But it wasn’t really one at all. IP addresses are frequently recycled, reallocated and many millions were never used at all. There’s even a famous story about Stanford University giving back a block of millions of unused IPv4 addresses. That helps explain why we’ve gotten so far from the adoption of IPv6 as an Internet Standard to majority adoption.

On the other hand, IPv6 is based on 128-bit encryption. This allows for a whopping 3.4 x 1038 permutations, or roughly 340 trillion trillion trillion. So, while the day may come when we need to revisit the IP system, that day is unlikely to be soon and it almost certainly won’t be because we’ve run out of assignable options.

By the way…whatever happened IPv5? Didn’t we skip a number? Well, it did exist, but was never officially adopted because it used the same 32-bit architecture as its predecessor. Begun as an experimental method for transferring streaming voice and video data, IPv5 lives on through its successor, voice over IP (VoIP).

What continued IPv6 adoption means for internet security

Hackers tend to set their sites on new targets only when they become worthy of their attention. The same goes for IPv6. As the rest of the internet pursues its perfectly logical reasons for making the migration, increasing numbers of cybercriminals are looking to exploit it. As IPv6 adoption becomes more prevalent, threat actors are increasingly using its addresses as an attack vector.

If threat intelligence feeds haven’t prepared to analyze IPv6 addresses, they’re faced with big black holes in their data sets. As we’ve seen in recent attacks, the ability to monitor anomalous web traffic is key to detecting a breach. So, in addition to having visibility into the threat status of an IP, it’s also critical to have location data and be able to cross-reference its activities with known malicious ones.

Device manufacturers, too, should look to account for accelerated IPv6 adoption when it comes to securing their products. This is especially true for IoT devices. Not typically armed with the highest security measures to start with, they now face the additional threat of an intelligence blind spot if the manufacturer makes no effort to analyze IPv6 addresses.

As internet-connected nodes in the form of IoT devices continue to proliferate, millions of new IPs will be needed. IPv6 will thankfully be more than up to the task of accommodating them, but manufacturers should make sure their devices are designed with the capabilities to analyze them.

IPv6 may have been a long time coming, but it’s too late in the game to ignore. When it’s time to choose a threat intelligence partner, choose one that’s prepared.

To learn more about the Webroot BrightCloud IP Reputation Service, click here.

Cyber News Rundown: Phishing Targets NHS Regulatory Commission

Spanish labor agency suffers ransomware attack

Multiple systems were taken offline following a ransomware attack on the Spanish government labor agency SEPE, which has affected all 700 of their offices across the country. While some critical systems were impacted by the attack, officials have confirmed that the systems containing customer and other sensitive payroll data were not compromised. The Ryuk ransomware group are believed to be behind the attack. The group were involved in nearly a third of all ransomware attacks in 2020.

Latest phishing campaign targets NHS regulatory commission

Officials for the Care Quality Commission (CQC) have been received roughly 60,000 malicious phishing emails over the past three months that seems to be linked to the release of the COVID- 19 vaccine. The campaign has followed a pattern of spreading false information and requesting sensitive information for user’s NHS accounts. The use of the pandemic to scare recipients of fraudulent emails continues as many look forward to their turn to receive the vaccine.

Hackers gain admin access to surveillance company cameras

Hackers from a known collective were able to gain access to over 150,000 Verkada surveillance cameras in various sensitive locations across the globe after finding an access point available on the web. Viewable feeds included jails, banks and internal entry cameras for top companies like Cloudflare, which has since confirmed that they have taken these cameras offline. It remains unclear how long the hackers had access to the systems. They have stated they were able to steal roughly 5GB of data from the Verkada systems, which will likely be leaked in the coming months.

Ransomware distributor arrested in South Korea

An individual was arrested by South Korean police late last month after a lengthy investigation tracked ransomware payments to withdrawals made by the individual. The man in custody is believed to be responsible for distributing more than 6,000 phishing emails spoofing local law enforcement. These used malicious attachments to trigger GandCrab ransomware payloads to encrypt systems. This is the second reported GandCrab affiliate caught by law enforcement in the past year as global law enforcement agencies work together to transnational ransomware organizations.

REvil ransomware group puts 170GB of data up for sale

Officials for the Pan-American Life Insurance Group have issued a statement regarding recent outages in their systems, which were the result of a ransomware attack. Though there was a post on a known REvil ransomware group forum claiming to have taken 170GB of data from this breach, that post has since been removed, which could indicate that Pan-American could be in negotiations with the group to restore their systems.

Does a SIEM make sense for my MSP?

Every device on an MSP’s managed network provides insight into what’s happening on that network. This includes network routers, switches, printers, wireless devices to servers, endpoints, IoT devices and everything else connected to the network. Each creates a log in its own format, or syntax, that a technician can review for troubleshooting, configuration confirmation, the creation of specific alerts based on a device’s activity or a host of other reasons. These records of each devices’ activities are known as syslogs.

Syslogs present information in a variety of ways, including custom formatting, industry-standard formatting, even raw data lacking a consistent format. The good news is that any activity requiring a security review is buried somewhere in these syslogs. The bad news is that data can buried in these syslogs.

Whole mountain ranges of information are regularly processed by these systems. Millions upon millions of data points may be present, making the set overwhelmingly confusing. At best, sorting meaningful information from noise is a daunting task, even for well-staffed IT departments.

Fortunately for security professionals—and more specifically for MSPs and MSSPs focused on providing insight into their managed networks—there is a mature product category that can be incorporated into their technology stack to help. Security information event management (SIEM) solutions have existed for years, but they’ve recently been gaining traction among MSPs and MSSPs. For good reason: knowledge of a network’s activity is essential to protecting it.

Is setting up a SIEM worth the cost and effort for an MSP?

The short answer is: YES. If you want to synthesize information from various sources to determine if a security event has or is taking place on a customer network, then yes, a SIEM is the natural evolution of the MSP security stack.

The longer answer is, well, longer. Let’s break out a couple of options for those interested in establishing a more sophisticated security information and event management solution.

SIM, SEM or SIEM? That’s the question to begin with. While security information management (SIM) and security event management (SEM) solutions have been in place for some time, they’re now commonly combined into the offering referred to as a SIEM.

So, where does an MSP get started? There are three common choices for getting a SIEM stood up and configured:

  • On-premise – Stand up a server, add some software (a bunch, actually), point all the syslogs to the device and get started. Easy, right? In reality, on-premise solutions have a higher cost and can be daunting to get started. Software costs range based upon the solution provider’s model. But if control and compliance are important, on-premise solutions may be a great option.
  • Cloud-based – Any one of a number of existing solutions that cater to MSPs are simpler to get started. The challenge with cloud-based solutions entails pulling data from many sources and pushing it through firewalls and networks to a public cloud solution.
  • Hybrid – As its name implies, some options blend cloud-based solutions with a local collection server to gather information and push a single source, securely, to the cloud for analysis and processing.

Feeding your SIEM a healthy diet of data

Before deciding on a SIEM component, a log collection or data collection solution must be set up to feed it. Syslog collection refers to a number of different activities, but in a SIEM or security-specific sense it usually comes down to what makes the most sense for the application: purpose-built or generic.

  • A syslog aggregator or log collector – These are devices that take in all syslog information from all devices. They range from sophisticated solutions with alerting and performance reviews to feeds that simply “normalize” the data, distilling the most relevant input and then reworking the details into a consistent standard and reporting on the highlights.
  • Syslog bridges – These are more generic solutions that act mostly as log collectors. Simply point devices to this collector and it maps the data.
  • Syslog collector – These are generic log collectors much like a bridges, but they usually provide a little more intelligence, cost more, and often serve multiple purposes like performance, device status and security event reporting.

Log gathering is the most misunderstood aspect of a SIEM and is often overlooked. The key is finding the most appropriate strategy for your needs.

For most MSPs, a basic bridge with a specific security purpose for feeding a SIEM may be the most efficient and cost-effective option. For additional needs like performance or status determinations, a more sophisticated syslog may be good. But most performance and status information is already provided by RMM solutions, so why reinvent the wheel?

What to expect from your SIEM

After deciding on a syslog collector and SIEM setup, it’s time to put the SIEM to work parsing data and making sense of the output. This is the intel that allow technicians to make sound decisions regarding security events.

Which SIEM to incorporate into a given MSPs operations depends on the level of services offered. MSPs building out a SOC or offering managed detection and response (MDR) services may require more sophisticated output from their SIEM. MSPs simply looking to distill information for their respective technical teams to analyze and make security decisions can usually rely on tailored, cloud-based solutions.

Regardless of the provider, a SIEMs should at least do the following:

  • Perform log gathering – If log gathering is not directly accounted for by a SIEM, another solution will be necessary for feeding data to it.
  • Correlate security events – To spot security threats that may be spread across a network, not only native to a single device’s syslog, a SIEM must be able to track data across multiple devices.
  • Connect to threat intelligence feeds – To keep up with a rapidly shifting threat landscape (and therefore useful to preventing attacks) it must be informed by strong threat intelligence feeds, preferably those using machine learning to recognize even zero-day threats.
  • Issue security alerts – A key SIEM benefit is the ability to provide timely alerts regarding security events based on large amounts of data to assist with decision making, making it possible to stop attacks before they develop
  • Present reports – Many SIEMs can produce reports in a cadence that makes sense for an MSP or MSSP depending on their needs and the needs of their clients.
  • Enhance compliance – Because SIEMs aggregate information on a network, it can produce compliance reports for clients based on industry-specific needs.

A good SIEM solution can minimize technician workload and minimize manual data interpretation. It also benefits clients by beefing up your own security capabilities. A SIEM is a natural step for any growing MSP’s looking to provide the best security solution for customers with workable margins.

With a little focus, it shouldn’t take months or an act of congress to setup and use a SIEM. The above guidance should enable any MSP, regardless of size, to devise a viable plan for putting one in place.

3 Ransomware Myths Businesses Need to Stop Believing ASAP

Despite the rising ransomware numbers and the numerous related headlines, many small and medium-sized businesses (SMBs) still don’t consider themselves at risk from cyberattacks. Nothing could be further from the truth. Smaller organizations are a prime target, and ransomware authors have only upped the ante in their methods to ensure they get paid. For example, many ransomware groups now threaten to expose or sell company data stolen in a breach if victims refuse to pay, meaning the business in question could have to shell out for heavy fines due to GDPR and similar regulations. In many cases, paying the ransom may be the most cost effective (and least publicly embarrassing) option. But what if your business can’t afford it? Or if the downtime from the attack is too much to recover from? And what’s the long-term psychological and emotional toll?

Here are 3 myths about ransomware that businesses need to stop believing to stay resilient against these evolving and insidious attacks.

Myth #1: My company is small, so attackers won’t bother.

Today, any business is a target for ransomware, no matter its size. Since 2018, up to 86% of SMBs have reported being victims of ransomware each year. And, according to Verizon, “[Ransomware] is a big problem that is getting bigger, and the data indicates a lack of protection from this type of malware in organizations.”

We’ve put this myth at the top of our list because it’s particularly dangerous. For many small organizations, a single cyberattack could put them out of business. Bigger enterprises with more robust data recovery and bigger security budgets are much more likely to weather an attack, while a smaller business may have no way of making up for the loss of time, revenue, and damage to customer trust that an attack could have.

Ransomware is not going away, and it’s getting more costly for SMBs. Businesses can’t afford to underestimate the risk.

Myth #2: There’s no way to prepare for a ransomware attack.

The sad truth in today’s cyber climate is that an attack is practically inevitable. The trick is reducing the likelihood of an attack, and making sure critical data is protected in case an attack succeeds. To prepare your business to weather the storm, there are a few key steps you can take.

  1. Proactively defend against ransomware attacks.
    Ransomware typically gets into an organization by tricking a user into downloading a file and/or enabling macros. Combining reliable endpoint protection that can stop macros and malicious scripts with security awareness training for end users is an excellent step toward a proactive and in-depth defense.
  2. Protect your data.
    The ransomware business model works because losing access to your data can cause serious damage. A strong backup solution is vital. Full-server backups or asking end users to manage their own backups aren’t the most feasible options. But with the right solution set, there are significantly more efficient ways to ensure data on endpoint devices, servers, and within the Microsoft 365 suite is secured.

Myth #3: I already have a backup, so I’m safe.

If your business gets hit with an attack, you can and should expect some downtime. And if we accept the maxim “time is money,” then any amount of downtime is costly and potentially damaging. Having backups in place is crucial, but you also need to be able to recover the data you need quickly from safe backups that haven’t also been infected with the ransomware.

Bigger organizations have more resources to invest in redundant servers in secondary locations, but these protections can come at too high a cost for many SMBs. If that sounds like you, you’re not alone. We recommend you look into disaster recovery as a service (DRaaS), so you can leverage the cloud to ensure that critical business systems are online and accessible, no matter what happens on your network.

Next Steps

The one-two combination of proactive prevention and recovery is key for staying cyber resilient. If you start working to address the tips in this blog, you’ll drastically improve your chances of avoiding a ransomware attack entirely; and getting through it successfully if you do get breached.

For more details on these and other misconceptions to watch out for, get your free copy of our guide, Rip the Target Off Your Back: Debunking the Top 5 Myths about Ransomware and SMBs.

Who’s Hacking You?

One of the reasons why there’s so much cybercrime is because there are so many ways for cybercriminals to exploit vulnerabilities and circumvent even the best defenses. You may be surprised to find that one of the biggest vulnerabilities is users. Many successful attacks could actually be prevented if users just knew what to look for. In that spirit, we put together this blog post to explain the different hacker types and methods they use against us.

For even more tips from Webroot IT security experts Tyler Moffitt, Kelvin Murray, Grayson Milbourne, George Anderson and Jonathan Barnett, download the complete e-book on hacker personas.

Take a deep dive into the three main hacker types and get tips on how to defend against them by downloading the e-book, Hacker Personas: a deeper Look Into Cybercrime.

The Impersonator

Today’s cybercriminals are masters at exploiting basic human trust. Pretending to be someone else, these hackers manipulate their victims into opening doors to systems or unwittingly sharing passwords or banking details. This type of cybercriminal is skilled at masking their true intentions behind seemingly harmless requests or legitimate-looking websites. Impersonators are increasingly sophisticated, often hosting malicious content on legitimate sites.

The Opportunist

Opportunists exploit common human traits such as trust and familiarity. They rely on targeted or focused attacks, and carry out their crimes against specific businesses or individuals. These hackers thoroughly research their targets, often running tests before launching the actual attack. Opportunists look for existing weaknesses or vulnerabilities they can exploit at scale to pull as many victims as possible into their nets.

The Infiltrator

Infiltrators rely on virtual back doors and unprotected points-of-entry to slip through hidden

cracks. Hiding in the shadows, this type of cybercriminal watches and waits for the opportunity to invade systems. DNS (Domain Name System) is especially vulnerable. Once the criminal redirects internet traffic to malicious websites or takes control of servers, the damage is inevitable.

One of the most common methods of infiltration includes internet-based attacks, such as Denial of Service (DoS), Distributed Denial of Service (DDoS) and DNS poisoning. By default, DNS traffic is unencrypted, allowing internet service providers and other third parties to monitor website requests, surveil browsing habits, and even duplicate web servers to redirect traffic. However, cybercriminals can also use legal DNS traffic surveillance to their advantage.

Cybersecurity Tips for Individuals and Businesses

Aside from arming yourself with the knowledge you need to identify attacks, it’s important to install threat detection and remediation software on your devices. Be sure to update and patch software and firewalls as well as network security programs. You should also be skeptical of any requests for financial information or passwords, and scrutinize all COVID-related emails, links or apps. To learn more tips on how to identify and prevent attacks, download the complete e-book below.

Cyber News Rundown: Italian Banks Hit with Ursnif

Italy targeted by Ursnif banking Trojan

Over 100 banks in Italy have fallen victim to the Ursnif banking trojan, which has stolen thousands of login credentials since it was first discovered in 2007. The attack may have compromised up to 1,700 additional pairs of banking credentials through a payment processor, some of which were already confirmed to be legitimate by multiple Italian banks. The attack likely began as a malicious email using social engineering to trick users into clicking links.

Telemarketer leaves thousands of records exposed

A California-based telemarketing firm was recently alerted to an exposed Amazon AWS bucket containing over 100,000 records and requiring no authentication to access. Among the records were hours of customer phone calls and text-based communications. These contained sensitive information that could be used to launch further social engineering attacks, endangering the identities of thousands of clients. The AWS bucket has remained unsecured for more than two months since the company was notified.

Third party exposes decade of Malaysia Airlines customer data

Officials for Malaysia Airlines have announced that a third-party IT service provider had suffered a data breach that may have exposed information belonging to the airline’s Enrich frequent flyer program members for nearly a decade. While it remains unclear how many members had their information leaked, the airline has reached out to all members regarding updating their login credentials. None of their internal systems have been reported compromised.

Microsoft releases patches for multiple zero-day vulnerabilities

Microsoft has pushed out fixes for at least seven known vulnerabilities related to Exchange Servers in an off-cycle release. Four of the zero-day exploits are being actively targeted by malicious actors. These vulnerabilities were believed to have been compromised for nearly two months and are being used to steal sensitive information from within the affected systems. Users looking to deploy the patches should note that it will not cleanse already compromised systems, but would only prevent future exploitation.

Cyberattack takes PrismHR offline

Officials for PrismHR are working to restore functionality to their payroll platform after a suspected ransomware attack. IT workers were able to shut down the remainder of their unaffected systems before the attack could spread further, though the attack occurred over a weekend. The company has also confirmed that no customer information was stolen during the attack and that it is working to restore functionality from backups.

Reducing the Time to Discovery: How to Determine if You Have Been Hacked

For most small businesses, the chances of falling prey to a long-term covert surveillance operation by well-resourced, likely state-backed actors are slim. To recap, that is what the evidence suggests happened in the SolarWinds compromise discovered last December. Many believe the company’s Orion update was used to conduct cyber espionage for months prior to being discovered.

However, data shows the time to detect a data breach for businesses averages 280 days, according to research conducted by IBM and the Ponemon Institute; a significant gap between the time a network is compromised and its discovery. This shows that stealthily surveilling a network is not a tactic exclusive to highly sophisticated threat actors targeting enterprise businesses.

What would reducing the time to discovery mean for small businesses? Likely it would mean less of their data on the dark web, fewer important pieces of intellectual property leaked, ransomware attacks thwarted or less reputational damage to companies.

Here are some ideas IT admins can use to detect a network compromise sooner, potentially limiting the damage of an adverse cyber event.

Consider booby trapping your network

As swashbuckling as it sounds, adopting an “offensive defensive” posture against cyberattacks can help your organization level the playing field against attackers. Because so much of cybersecurity relies on passive forms of protection (think firewalls, antivirus solutions, password protection, etc.), hackers have an asymmetrical advantage when probing defenses. Passive protection is good and necessary, to be sure, but network “booby traps,” sometimes called canary tokens, can help reduce the advantage held by hackers.

These measures may include setting up a domain administrator account that is bound to look like a juicy target to a network intruder. It may be configured according to default settings or with a particularly weak password – some way that makes it easy for a determined hacker to access. Once inside, though, the intruder’s presence triggers alarms alerting IT staff that an attack is underway and even locking out the suspicious user.

Researchers have laid out several ways booby trapping could work, but all rely on the principal of an action being taken by an attacker that would typically not occur otherwise. While they may not reveal who is behind the attack or their motivations, booby traps trigger a response alerting admins and allowing time to react.

Configure and pay close attention to failed login attempts

Allowing attackers unlimited tries at cracking passwords is never wise, but sometimes the configurations for preventing this are overlooked. This is especially dangerous when remote desktop protocol (RDP) is enabled. RDP-enabled machines can often be located using search engines like Shodan.io, making them sitting ducks for attackers armed with brute-force tools.

When configured properly, however, RDP and other password protected tools should lock users out after a given number of incorrect attempts and alert an admin. This would force a user, legitimate or otherwise, to wait some predetermined time before attempting to login again. Reaching out to the locked-out user could then help determine if the credentials have been stolen or if it is a genuine case of “fat fingers.”

If credentials have been compromised, it is a good idea to force password resets and keep an eye out for further failed login attempts. If there is no limit to the number of times a password can be tried without being timed out, an organization may never know it is in an attacker’s crosshairs.

Monitor anomalous web traffic

Skilled threat actors like those involved in the SolarWinds attack take steps to conceal their true locations when attempting to compromise a network. This can prevent alarm bells from ringing when, suddenly, an IP address from Eastern Europe is trying to connect to a network housed in Silicon Valley. Other times, malicious hackers do not have the skills or resources to cover their tracks. Their attack may also be so broadly aimed they simply do not care to.

That is why the difference between looking for malware and looking for “weird stuff” matters. It takes time to gather the data to truly know what constitutes “anomalous activity,” but once it is there it can automatically alert admins when it occurs. This could include communication with previously unknown IP addresses or uncommon application traffic patterns. In other words, a platform that has never talked to a domain in China but now does so often should be cause for alarm.

Monitoring access lists, including who is logged into what and whether anything is out of the ordinary, is another good option for spotting potential breaches early on. These so-called “spot-checks” can be too resource intensive for small businesses without dedicated IT positions, and too expensive to farm out to MSPs, but they are good to consider for businesses with dedicated IT resources.

Staying on guard against attacks

The best strategies for ensuring cyberattacks are not successful – and do not go unnoticed if they do – involve a mix of active and passive defenses. But poor configurations can undermine both. While small businesses are unlikely to become targets of highly skilled state-sponsored attackers, there are steps they can still take to make sure defenses are not undermined by the same common tactics.  

Here are a few quick tips:

  • Do not rely on the default configuration for RDP. Enforce 2FA and passwords time outs.
  • Disable powerful tools like PowerShell, Office macros and WMI where not needed.
  • Limit access rights on your internal network so that only those who need access have it.
  • Strictly control access to the dev and QA processes if these take place within your organization.

Fools Rush in: 5 Things MSPs Should Know Before Adopting EDR

Buzzwords and acronyms abound in the MSP industry, an unfortunate byproduct of marketing years in the making. Cybersecurity is a hot watercooler topic at any business. Well, now probably more likely a virtual happy hour than a watercooler, but nevertheless cybersecurity remains top-of-mind.

To sleep at night, MSPs feel they must enhance or expand their security offerings beyond the standard layers, like; firewalls, firewall filtering, active directory protocols, DNS Filtering and antivirus/malware detection. One of the ways many MSPs feel they can satiate their cybersecurity concerns involves buzzword-y new acronyms floating around involving “EDR” or endpoint detection and response. But what is EDR really and what can it do for MSPs and their clients?

But first, besides EDR, there’s also ADR, MDR, xDR and the industry can surely expect newer blank-DR acronyms coming in the next few years. What are all these acronyms and how do they help MSP protect their clients? Here are a few definitions:

  • EDR (Endpoint Detection and Response) – Technically, every security agent sitting on an endpoint is an EDR solution. The information the agents feed back to administrators determines what action to take and when.
  • ADR (Automatic Detection and Response) – Newer technology allows the agent to automatically make a decision without human intervention. Ideally, ADR automatically remediates a situation and reports to the administrators on action taken.
  • xDR – This newer acronym refers to agents across a network communicating to make a remediation decision or report decision across multiple endpoints.
  • MDR (Managed Detection and Response) – A best-of-breed solution using EDR, ADR and possibly xDR tools in various combinations, MDR allows a human team to make decisions and respond to situations. While more complex and administrative heavy, MDR closes the gap that arises when suspicious applications are being monitored and observed, but not reacted to by an ADR or xDR solution. Human-driven MDR ferrets out the suspicious and reacts.

Here are five things MSPs should consider when evaluating EDR solutions:

1. All security tools with an endpoint agent are basically EDR.

Their job is to detect malicious code, applications, scripts or other malicious files and make a status determination on the fly. Most security agents use various methods like physically scanning file hashes, scanning file content, watching behaviors, looking at scripts, detecting known attack surfaces and other techniques to try to ascertain if a newly encountered file is good or bad.

How the security agent reports its activity depends on the EDR tool. So, while many security tools claim they offer an “EDR” solution, the key is to determine the level of threat, suspicions and action taken in reporting or alerting that adds value for MSPs.

2. The “R,” or response, is key to a successful EDR solution.

While many security tools report and alert, the level of response is the most important aspect of any security practice. If the security agent provides minimal information for decision making, it’s of limited use to the technical personnel responsible for intervening.

On the other hand, technicians can take advantage of security tools with consoles that display alerts, reports and visibility into whether an agent responded, how and the agent’s current status. Too often tools don’t provide necessary insight for reviewing or comparing threat data or approaches – like the MITRE attack framework or other sites with relevant threat information.

Solutions with a more comprehensive API  are advantageous for custom review, integration into more dedicated threat review tools or for alerting through a log gathering and reporting tool. APIs are valuable for providing added information from which human technicians can make decisions.

3. What can be done with the EDR information? Is it actionable?

Once a tool has been selected, what should be done with the information it provides? Answering this is key to successfully setting EDR expectations for customers. If a client requires an MSP has an EDR solution in place, installing an agent is only half of the equation.

Gathering the information into a comprehensive tool or suite can be daunting. If the security solution provider has tools like alerts, reports or an API, start there. However, these tools are often limited and need to be supplemented by a solution with higher performance or a faster response time.

Log gathering tools are a higher performance option that allow many tools to feed into a single system. Once such a solution is in place, the next challenge is to build rules for sifting through the millions of ingested points of information. These rules provide human reviewers  more details for making decisions. It may take several cycles to hone in on the rules that lead to successfully spotting suspicious or malicious activity and protecting customers.

4. Understand what’s behind the EDR hype.

What’s the buzz around EDR and why has it become such a topic for discussion? Fair question considering level of effort to stand up, manage, monitor and address a situation when it arise can be costly and time consuming. Simply having a security vendor “supports EDR” isn’t enough. Selecting a check box to satisfy a requirement is, again, only half of the equation.

So, why go through the time and expense of implementing EDR? Here are three top reasons:

  • Cybersecurity insurance – With the rise of breaches across business and public sector landscapes, cybersecurity insurance on the rise. Many providers have requirements from governance to tools that meet a specific scope. EDR is one such requirement.
  • Good practice – Having layers of protection for customers is important. Extending security offerings by adding an EDR solution with a process will increase that security footprint.
  • Managed Security Service Provider (MSSP) – More and more MSPs are adding value to their customers by adding cybersecurity-specific services. With cybersecurity challenges on the rise, many service providers can increase revenue and provide greater security posture for their customers. Implementing an EDR solution will contribute to that effort.

5. Plan out next steps for adopting EDR at your MSP

  • Evaluate the need. Investing in potentially costly new solutions because of a buzzword is not advisable.
  • Determine the level of effort required to adopt an EDR solution and devise a plan for doing it.
  • Review existing tools and determine if existing solutions are being leveraged most effectively today.
  • Build the team. Part of the plan for adopting EDR should include designating a security team to both manage the solution and respond to its findings.

Simply selecting ticking an EDR box won’t necessarily contribute to client security. MSPs should evaluate the needs EDR will satisfy, the level of effort it takes to implement and how EDR fits into their overall service offering. Vendors won’t hesitate to offer “EDR solutions,” but it’s up to the MSP to properly implement and establish process to support expectations. Simply having the solutions does no good. EDR done right requires the additional team focus, rules, review and responses. Implement an EDR offering with caution and planning.