Business + Partners

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

A Defense-in-Depth Approach Could Stop the Next Big Hack in its Tracks

Last year’s SolarWinds attack and its aftermath have provided numerous lessons concerning the dangers of IT supply chain attacks. Not all apply to every small and medium-sized business—most are unlikely to be targeted by highly trained state-backed hackers with virtually limitless funding—but some will be.

We learned, for instance, that even IT pros could use a refresher on basic password hygiene through security awareness training. A more substantive lesson is the importance of defense in depth, an approach that prioritizes mutually reinforcing layers of security.

In the case of SolarWinds, the Trojanized Orion update was able to elude endpoint security because it was issued by such a trusted source. As we’ve discussed, however, the damage from the compromise could have been limited significantly by using a defense in depth approach backed by leading threat intelligence.

A firewall with the right threat intelligence embedded could have blocked communications with the command-and-control server thus preventing a Trojanized Orion install from connecting back to the attackers and stopping them from furthering the attack. An endpoint DNS solution could have stopped the Trojanized Orion version by refusing to resolve the domain names of the command-and-control servers, again disrupting the infection to the point that no real damage could be done.

This is what we mean when we stress the importance of a layered defense. Take a hypothetical scenario in which the opposite happens, for example. A zero-day threat with no known connection to malicious IPs, files, or other data objects may not be known to the threat intelligence feed informing a network security solution. Once it has made its way to the endpoint, however, it begins to engage in behaviors known to be malicious. Examples include elevating privileges, moving laterally, or trying to establish outbound communications to name a few.

In this case, it is the endpoint security solution’s turn to save the day. If equipped with a rollback or remediation feature, endpoint solutions can not only stop the activity but also remediate the damage already done. These two layers work in concert to pick up the slack left by the other, helping organizations remain resilient against different types of attacks.

Remote work threatens defense in depth

Most larger organizations and a growing number of smaller ones have caught on to the need for layering endpoint and network protection. Firewalls embed threat intelligence and DNS security solutions are used to both block malware and control internet use. But recent events have worked to undermine this growing understanding.

Remote work exploded in 2020 with the advent of COVID-19, rapidly ushering in a new way of working before all of the security details could really be worked out. This presents a new set of stubborn challenges for IT security admins that’s not likely to fade soon. Outside of the corporate firewall, it is the Wild West. Every employee’s home network has a different set of security protocols and internet use is unregulated.

Webroot’s report on COVID-19 work habits found that three out of four people (76%) worldwide admit they use personal devices for work tasks, use work devices for personal tasks, or both. The 2020 Webroot Threat Report also found that personal devices were about twice as likely to encounter a malware infection as business devices. Together these numbers suggest a significant security threat for companies with remote workers.

DNS security solutions are one way of addressing this risk. Installed as an agent on each corporate endpoint, they route traffic through protected DNS servers that can identify, stop and disrupt communications threats. Of course, personal device use still represents a problem for companies not enforcing strict policies against their use. Nevertheless, DNS security remains a way to protect business-issued devices beyond the company network.   

The “next one” will look different

Focusing solely on how the SolarWinds attack is not the key to preventing future breaches. The next large supply chain attack will likely look very different than the SolarWinds attack. In fact, other than the infamous CC Cleaner hack of 2017, in which more than 2.3 million users of the computer cleanup software were duped into downloading malware onto their own machines, these types of attacks leveraging trusted but Trojanized updates are relatively rare.

But this fact makes defense in depth more critical, not less. Zero days will continue to be encountered. There is no telling which techniques the next one will employ, so it is important to make use of multiple tools to limit potential damage.

Cybercriminals will continue to undermine individual defenses. Smart organizations will hedge their cybersecurity bets so they are not all overcome at one time.

Why MSPs Need to Shift from Cybersecurity to Cyber Resilience

If your critical systems, website or customer data were suddenly inaccessible due to a cyberattack, how soon would you be able to get back up and running? That’s a question that should be on every business leader’s mind. We’ve written before about cyber resilience and why it’s so important, but in today’s increasingly disruptive threat landscape, it’s more important than ever for managed service providers (MSPs) and small to medium-sized businesses (SMBs) to embrace cyber resilience so they can mitigate disruption.

Threats such as hacking, phishing, ransomware and distributed denial-of-service (DDoS) attacks are only the tip of the iceberg and have the potential to interrupt critical business operations and cause reputational damage to organizations of all sizes. With attacks such as the SolarWinds security breach making headlines, as well as increasing threats targeting remote workers and taking advantage of COVID-19, MSPs and SMBs must concern themselves with threats that were once only a concern for much larger organizations. To stay resilient, it’s essential that leaders understand how to protect their businesses using a multi-layered approach.

Learn how your business can stay a step ahead of cybercriminals.
Download our Lockdown Lessons e-book today.

What’s driving the need for cyber resilience?

Cyberattacks are, unfortunately, a matter of “if,” not “when.” Being cyber resilient means that a company has both the ability to prevent attacks and also to mitigate damage and maintain business continuity when systems or data have been compromised. Where cybersecurity focuses more on protecting an organization before an attack has occurred, cyber resilience encompasses an end-to-end approach that keeps the business operating even in the midst and aftermath of an attack.

Without a holistic approach to security and recovery, catastrophic failures can occur. For example, many SMBs rely only on free cybersecurity solutions or eschew security all together. Our data shows only 26% of SMBs deploy enough layers of security to cover their users, networks and devices.

Complicating matters further is the digital disruption that stems from the rapid shift to remote work. The challenge for both MSPs and SMBs is in securing a remote workforce and new, unsecured perimeters, especially across home networks and personal devices, which are already at increased risk for an attack.

SMBs will look to MSPs to achieve cyber resilience

Business leaders have a significant opportunity to bolster confidence in the business through cyber resilience, especially as employees look to management to protect them against increasingly sophisticated threats. According to data from a recent report, only 60% of office workers worldwide believe their company is resilient against cyberattacks. Nearly one in four (23%) admit to not knowing whether their company is resilient, while nearly one in five (18%) flat-out think it isn’t. What’s more, only 14% of office workers worldwide consider cyber resilience to be a responsibility all employees share, meaning that the burden of championing resilience starts with leadership. These statistics indicate a clear gap, and it’s safe to say that many SMBs are grappling with how to keep their businesses safe from cyberattacks.

As prominent attacks and the flow of threats continue, SMBs will look to MSPs to protect their businesses and help them achieve cyber resilience. This creates a unique opportunity for MSPs to guide customers through the maze of cybersecurity and data protection solutions and ensure they are receiving relevant education on protecting the business. MSPs can ensure that customers have defense in depth by offering ongoing security awareness training as well as endpoint protection. Those looking to transition to managed security can lean on Webroot’s training modules and phishing simulations to provide world-class training and monitoring.

It can take a village to prevent cyber threats

While getting support from MSPs is a great stride towards keeping businesses safe, a big piece of the cyber resilience puzzle is teamwork. There’s no single solution or approach that can protect a business, and it really does take a village to protect against today’s cyberattacks. Just as SMBs look to MSPs to become cyber resilient, MSPs can rely on security expertise to fill in the remaining gaps.

Cyber resilience solutions can be custom built for MSPs and their SMB customers, and further tailored to each individual business. By partnering with Webroot and Carbonite, you can offer a customizable set of solutions including endpoint protection, ongoing end user training, threat intelligence, and backup and recovery.

To learn more about cyber resilience and stay up to date on security tips and industry topics, follow our Hacker Files and Lockdown Lessons podcast series.

It’s Too Late for Threat Intelligence Vendors to Ignore IPv6

IPv6 has been a long time coming. Drafted by the Internet Engineering Task Force (ITEF) in 1998, it became an Internet Standard in 2017. Though the rollout of IPv6 addresses has proceeded at a glacial pace since then, adoption numbers continue to inch higher.

Worldwide IPv6 adoption, according to Google’s handy tracker, is around 33 percent. It’s higher in the United States, at just shy of 45 percent. The graph has been trending relentlessly up and to the right since the mid-2000s.

This increased adoption means more cyberattacks are originating from IPv6 addresses. That means security vendors and device manufacturers who rely on embedded threat intelligence should insist on visibility surrounding the successor to IPv4.

Why we needed IPv6

Since the late 1980s, the internet’s architects realized they were cruising toward a problem. IP addresses, those numbers assigned to every internet-connected device, or node, were designed to contain 32 bits. That made for just under 4.3 billion possible number combinations under the IPv4 system. It was apparent even thirty years ago that these possibilities would be exhausted.

That day came in February 2011, met with a dramatic announcement by the Internet Corporation for Assigned Names and Numbers. Its opening line reads, “A critical point in the history of the Internet was reached today with the allocation of the last remaining IPv4 (Internet Protocol version 4) addresses.”

It seemed like the end of an era. But it wasn’t really one at all. IP addresses are frequently recycled, reallocated and many millions were never used at all. There’s even a famous story about Stanford University giving back a block of millions of unused IPv4 addresses. That helps explain why we’ve gotten so far from the adoption of IPv6 as an Internet Standard to majority adoption.

On the other hand, IPv6 is based on 128-bit encryption. This allows for a whopping 3.4 x 1038 permutations, or roughly 340 trillion trillion trillion. So, while the day may come when we need to revisit the IP system, that day is unlikely to be soon and it almost certainly won’t be because we’ve run out of assignable options.

By the way…whatever happened IPv5? Didn’t we skip a number? Well, it did exist, but was never officially adopted because it used the same 32-bit architecture as its predecessor. Begun as an experimental method for transferring streaming voice and video data, IPv5 lives on through its successor, voice over IP (VoIP).

What continued IPv6 adoption means for internet security

Hackers tend to set their sites on new targets only when they become worthy of their attention. The same goes for IPv6. As the rest of the internet pursues its perfectly logical reasons for making the migration, increasing numbers of cybercriminals are looking to exploit it. As IPv6 adoption becomes more prevalent, threat actors are increasingly using its addresses as an attack vector.

If threat intelligence feeds haven’t prepared to analyze IPv6 addresses, they’re faced with big black holes in their data sets. As we’ve seen in recent attacks, the ability to monitor anomalous web traffic is key to detecting a breach. So, in addition to having visibility into the threat status of an IP, it’s also critical to have location data and be able to cross-reference its activities with known malicious ones.

Device manufacturers, too, should look to account for accelerated IPv6 adoption when it comes to securing their products. This is especially true for IoT devices. Not typically armed with the highest security measures to start with, they now face the additional threat of an intelligence blind spot if the manufacturer makes no effort to analyze IPv6 addresses.

As internet-connected nodes in the form of IoT devices continue to proliferate, millions of new IPs will be needed. IPv6 will thankfully be more than up to the task of accommodating them, but manufacturers should make sure their devices are designed with the capabilities to analyze them.

IPv6 may have been a long time coming, but it’s too late in the game to ignore. When it’s time to choose a threat intelligence partner, choose one that’s prepared.

To learn more about the Webroot BrightCloud IP Reputation Service, click here.

Does a SIEM make sense for my MSP?

Every device on an MSP’s managed network provides insight into what’s happening on that network. This includes network routers, switches, printers, wireless devices to servers, endpoints, IoT devices and everything else connected to the network. Each creates a log in its own format, or syntax, that a technician can review for troubleshooting, configuration confirmation, the creation of specific alerts based on a device’s activity or a host of other reasons. These records of each devices’ activities are known as syslogs.

Syslogs present information in a variety of ways, including custom formatting, industry-standard formatting, even raw data lacking a consistent format. The good news is that any activity requiring a security review is buried somewhere in these syslogs. The bad news is that data can buried in these syslogs.

Whole mountain ranges of information are regularly processed by these systems. Millions upon millions of data points may be present, making the set overwhelmingly confusing. At best, sorting meaningful information from noise is a daunting task, even for well-staffed IT departments.

Fortunately for security professionals—and more specifically for MSPs and MSSPs focused on providing insight into their managed networks—there is a mature product category that can be incorporated into their technology stack to help. Security information event management (SIEM) solutions have existed for years, but they’ve recently been gaining traction among MSPs and MSSPs. For good reason: knowledge of a network’s activity is essential to protecting it.

Is setting up a SIEM worth the cost and effort for an MSP?

The short answer is: YES. If you want to synthesize information from various sources to determine if a security event has or is taking place on a customer network, then yes, a SIEM is the natural evolution of the MSP security stack.

The longer answer is, well, longer. Let’s break out a couple of options for those interested in establishing a more sophisticated security information and event management solution.

SIM, SEM or SIEM? That’s the question to begin with. While security information management (SIM) and security event management (SEM) solutions have been in place for some time, they’re now commonly combined into the offering referred to as a SIEM.

So, where does an MSP get started? There are three common choices for getting a SIEM stood up and configured:

  • On-premise – Stand up a server, add some software (a bunch, actually), point all the syslogs to the device and get started. Easy, right? In reality, on-premise solutions have a higher cost and can be daunting to get started. Software costs range based upon the solution provider’s model. But if control and compliance are important, on-premise solutions may be a great option.
  • Cloud-based – Any one of a number of existing solutions that cater to MSPs are simpler to get started. The challenge with cloud-based solutions entails pulling data from many sources and pushing it through firewalls and networks to a public cloud solution.
  • Hybrid – As its name implies, some options blend cloud-based solutions with a local collection server to gather information and push a single source, securely, to the cloud for analysis and processing.

Feeding your SIEM a healthy diet of data

Before deciding on a SIEM component, a log collection or data collection solution must be set up to feed it. Syslog collection refers to a number of different activities, but in a SIEM or security-specific sense it usually comes down to what makes the most sense for the application: purpose-built or generic.

  • A syslog aggregator or log collector – These are devices that take in all syslog information from all devices. They range from sophisticated solutions with alerting and performance reviews to feeds that simply “normalize” the data, distilling the most relevant input and then reworking the details into a consistent standard and reporting on the highlights.
  • Syslog bridges – These are more generic solutions that act mostly as log collectors. Simply point devices to this collector and it maps the data.
  • Syslog collector – These are generic log collectors much like a bridges, but they usually provide a little more intelligence, cost more, and often serve multiple purposes like performance, device status and security event reporting.

Log gathering is the most misunderstood aspect of a SIEM and is often overlooked. The key is finding the most appropriate strategy for your needs.

For most MSPs, a basic bridge with a specific security purpose for feeding a SIEM may be the most efficient and cost-effective option. For additional needs like performance or status determinations, a more sophisticated syslog may be good. But most performance and status information is already provided by RMM solutions, so why reinvent the wheel?

What to expect from your SIEM

After deciding on a syslog collector and SIEM setup, it’s time to put the SIEM to work parsing data and making sense of the output. This is the intel that allow technicians to make sound decisions regarding security events.

Which SIEM to incorporate into a given MSPs operations depends on the level of services offered. MSPs building out a SOC or offering managed detection and response (MDR) services may require more sophisticated output from their SIEM. MSPs simply looking to distill information for their respective technical teams to analyze and make security decisions can usually rely on tailored, cloud-based solutions.

Regardless of the provider, a SIEMs should at least do the following:

  • Perform log gathering – If log gathering is not directly accounted for by a SIEM, another solution will be necessary for feeding data to it.
  • Correlate security events – To spot security threats that may be spread across a network, not only native to a single device’s syslog, a SIEM must be able to track data across multiple devices.
  • Connect to threat intelligence feeds – To keep up with a rapidly shifting threat landscape (and therefore useful to preventing attacks) it must be informed by strong threat intelligence feeds, preferably those using machine learning to recognize even zero-day threats.
  • Issue security alerts – A key SIEM benefit is the ability to provide timely alerts regarding security events based on large amounts of data to assist with decision making, making it possible to stop attacks before they develop
  • Present reports – Many SIEMs can produce reports in a cadence that makes sense for an MSP or MSSP depending on their needs and the needs of their clients.
  • Enhance compliance – Because SIEMs aggregate information on a network, it can produce compliance reports for clients based on industry-specific needs.

A good SIEM solution can minimize technician workload and minimize manual data interpretation. It also benefits clients by beefing up your own security capabilities. A SIEM is a natural step for any growing MSP’s looking to provide the best security solution for customers with workable margins.

With a little focus, it shouldn’t take months or an act of congress to setup and use a SIEM. The above guidance should enable any MSP, regardless of size, to devise a viable plan for putting one in place.

3 Ransomware Myths Businesses Need to Stop Believing ASAP

Despite the rising ransomware numbers and the numerous related headlines, many small and medium-sized businesses (SMBs) still don’t consider themselves at risk from cyberattacks. Nothing could be further from the truth. Smaller organizations are a prime target, and ransomware authors have only upped the ante in their methods to ensure they get paid. For example, many ransomware groups now threaten to expose or sell company data stolen in a breach if victims refuse to pay, meaning the business in question could have to shell out for heavy fines due to GDPR and similar regulations. In many cases, paying the ransom may be the most cost effective (and least publicly embarrassing) option. But what if your business can’t afford it? Or if the downtime from the attack is too much to recover from? And what’s the long-term psychological and emotional toll?

Here are 3 myths about ransomware that businesses need to stop believing to stay resilient against these evolving and insidious attacks.

Myth #1: My company is small, so attackers won’t bother.

Today, any business is a target for ransomware, no matter its size. Since 2018, up to 86% of SMBs have reported being victims of ransomware each year. And, according to Verizon, “[Ransomware] is a big problem that is getting bigger, and the data indicates a lack of protection from this type of malware in organizations.”

We’ve put this myth at the top of our list because it’s particularly dangerous. For many small organizations, a single cyberattack could put them out of business. Bigger enterprises with more robust data recovery and bigger security budgets are much more likely to weather an attack, while a smaller business may have no way of making up for the loss of time, revenue, and damage to customer trust that an attack could have.

Ransomware is not going away, and it’s getting more costly for SMBs. Businesses can’t afford to underestimate the risk.

Myth #2: There’s no way to prepare for a ransomware attack.

The sad truth in today’s cyber climate is that an attack is practically inevitable. The trick is reducing the likelihood of an attack, and making sure critical data is protected in case an attack succeeds. To prepare your business to weather the storm, there are a few key steps you can take.

  1. Proactively defend against ransomware attacks.
    Ransomware typically gets into an organization by tricking a user into downloading a file and/or enabling macros. Combining reliable endpoint protection that can stop macros and malicious scripts with security awareness training for end users is an excellent step toward a proactive and in-depth defense.
  2. Protect your data.
    The ransomware business model works because losing access to your data can cause serious damage. A strong backup solution is vital. Full-server backups or asking end users to manage their own backups aren’t the most feasible options. But with the right solution set, there are significantly more efficient ways to ensure data on endpoint devices, servers, and within the Microsoft 365 suite is secured.

Myth #3: I already have a backup, so I’m safe.

If your business gets hit with an attack, you can and should expect some downtime. And if we accept the maxim “time is money,” then any amount of downtime is costly and potentially damaging. Having backups in place is crucial, but you also need to be able to recover the data you need quickly from safe backups that haven’t also been infected with the ransomware.

Bigger organizations have more resources to invest in redundant servers in secondary locations, but these protections can come at too high a cost for many SMBs. If that sounds like you, you’re not alone. We recommend you look into disaster recovery as a service (DRaaS), so you can leverage the cloud to ensure that critical business systems are online and accessible, no matter what happens on your network.

Next Steps

The one-two combination of proactive prevention and recovery is key for staying cyber resilient. If you start working to address the tips in this blog, you’ll drastically improve your chances of avoiding a ransomware attack entirely; and getting through it successfully if you do get breached.

For more details on these and other misconceptions to watch out for, get your free copy of our guide, Rip the Target Off Your Back: Debunking the Top 5 Myths about Ransomware and SMBs.

Who’s Hacking You?

One of the reasons why there’s so much cybercrime is because there are so many ways for cybercriminals to exploit vulnerabilities and circumvent even the best defenses. You may be surprised to find that one of the biggest vulnerabilities is users. Many successful attacks could actually be prevented if users just knew what to look for. In that spirit, we put together this blog post to explain the different hacker types and methods they use against us.

For even more tips from Webroot IT security experts Tyler Moffitt, Kelvin Murray, Grayson Milbourne, George Anderson and Jonathan Barnett, download the complete e-book on hacker personas.

Take a deep dive into the three main hacker types and get tips on how to defend against them by downloading the e-book, Hacker Personas: a deeper Look Into Cybercrime.

The Impersonator

Today’s cybercriminals are masters at exploiting basic human trust. Pretending to be someone else, these hackers manipulate their victims into opening doors to systems or unwittingly sharing passwords or banking details. This type of cybercriminal is skilled at masking their true intentions behind seemingly harmless requests or legitimate-looking websites. Impersonators are increasingly sophisticated, often hosting malicious content on legitimate sites.

The Opportunist

Opportunists exploit common human traits such as trust and familiarity. They rely on targeted or focused attacks, and carry out their crimes against specific businesses or individuals. These hackers thoroughly research their targets, often running tests before launching the actual attack. Opportunists look for existing weaknesses or vulnerabilities they can exploit at scale to pull as many victims as possible into their nets.

The Infiltrator

Infiltrators rely on virtual back doors and unprotected points-of-entry to slip through hidden

cracks. Hiding in the shadows, this type of cybercriminal watches and waits for the opportunity to invade systems. DNS (Domain Name System) is especially vulnerable. Once the criminal redirects internet traffic to malicious websites or takes control of servers, the damage is inevitable.

One of the most common methods of infiltration includes internet-based attacks, such as Denial of Service (DoS), Distributed Denial of Service (DDoS) and DNS poisoning. By default, DNS traffic is unencrypted, allowing internet service providers and other third parties to monitor website requests, surveil browsing habits, and even duplicate web servers to redirect traffic. However, cybercriminals can also use legal DNS traffic surveillance to their advantage.

Cybersecurity Tips for Individuals and Businesses

Aside from arming yourself with the knowledge you need to identify attacks, it’s important to install threat detection and remediation software on your devices. Be sure to update and patch software and firewalls as well as network security programs. You should also be skeptical of any requests for financial information or passwords, and scrutinize all COVID-related emails, links or apps. To learn more tips on how to identify and prevent attacks, download the complete e-book below.

Reducing the Time to Discovery: How to Determine if You Have Been Hacked

For most small businesses, the chances of falling prey to a long-term covert surveillance operation by well-resourced, likely state-backed actors are slim. To recap, that is what the evidence suggests happened in the SolarWinds compromise discovered last December. Many believe the company’s Orion update was used to conduct cyber espionage for months prior to being discovered.

However, data shows the time to detect a data breach for businesses averages 280 days, according to research conducted by IBM and the Ponemon Institute; a significant gap between the time a network is compromised and its discovery. This shows that stealthily surveilling a network is not a tactic exclusive to highly sophisticated threat actors targeting enterprise businesses.

What would reducing the time to discovery mean for small businesses? Likely it would mean less of their data on the dark web, fewer important pieces of intellectual property leaked, ransomware attacks thwarted or less reputational damage to companies.

Here are some ideas IT admins can use to detect a network compromise sooner, potentially limiting the damage of an adverse cyber event.

Consider booby trapping your network

As swashbuckling as it sounds, adopting an “offensive defensive” posture against cyberattacks can help your organization level the playing field against attackers. Because so much of cybersecurity relies on passive forms of protection (think firewalls, antivirus solutions, password protection, etc.), hackers have an asymmetrical advantage when probing defenses. Passive protection is good and necessary, to be sure, but network “booby traps,” sometimes called canary tokens, can help reduce the advantage held by hackers.

These measures may include setting up a domain administrator account that is bound to look like a juicy target to a network intruder. It may be configured according to default settings or with a particularly weak password – some way that makes it easy for a determined hacker to access. Once inside, though, the intruder’s presence triggers alarms alerting IT staff that an attack is underway and even locking out the suspicious user.

Researchers have laid out several ways booby trapping could work, but all rely on the principal of an action being taken by an attacker that would typically not occur otherwise. While they may not reveal who is behind the attack or their motivations, booby traps trigger a response alerting admins and allowing time to react.

Configure and pay close attention to failed login attempts

Allowing attackers unlimited tries at cracking passwords is never wise, but sometimes the configurations for preventing this are overlooked. This is especially dangerous when remote desktop protocol (RDP) is enabled. RDP-enabled machines can often be located using search engines like Shodan.io, making them sitting ducks for attackers armed with brute-force tools.

When configured properly, however, RDP and other password protected tools should lock users out after a given number of incorrect attempts and alert an admin. This would force a user, legitimate or otherwise, to wait some predetermined time before attempting to login again. Reaching out to the locked-out user could then help determine if the credentials have been stolen or if it is a genuine case of “fat fingers.”

If credentials have been compromised, it is a good idea to force password resets and keep an eye out for further failed login attempts. If there is no limit to the number of times a password can be tried without being timed out, an organization may never know it is in an attacker’s crosshairs.

Monitor anomalous web traffic

Skilled threat actors like those involved in the SolarWinds attack take steps to conceal their true locations when attempting to compromise a network. This can prevent alarm bells from ringing when, suddenly, an IP address from Eastern Europe is trying to connect to a network housed in Silicon Valley. Other times, malicious hackers do not have the skills or resources to cover their tracks. Their attack may also be so broadly aimed they simply do not care to.

That is why the difference between looking for malware and looking for “weird stuff” matters. It takes time to gather the data to truly know what constitutes “anomalous activity,” but once it is there it can automatically alert admins when it occurs. This could include communication with previously unknown IP addresses or uncommon application traffic patterns. In other words, a platform that has never talked to a domain in China but now does so often should be cause for alarm.

Monitoring access lists, including who is logged into what and whether anything is out of the ordinary, is another good option for spotting potential breaches early on. These so-called “spot-checks” can be too resource intensive for small businesses without dedicated IT positions, and too expensive to farm out to MSPs, but they are good to consider for businesses with dedicated IT resources.

Staying on guard against attacks

The best strategies for ensuring cyberattacks are not successful – and do not go unnoticed if they do – involve a mix of active and passive defenses. But poor configurations can undermine both. While small businesses are unlikely to become targets of highly skilled state-sponsored attackers, there are steps they can still take to make sure defenses are not undermined by the same common tactics.  

Here are a few quick tips:

  • Do not rely on the default configuration for RDP. Enforce 2FA and passwords time outs.
  • Disable powerful tools like PowerShell, Office macros and WMI where not needed.
  • Limit access rights on your internal network so that only those who need access have it.
  • Strictly control access to the dev and QA processes if these take place within your organization.

Fools Rush in: 5 Things MSPs Should Know Before Adopting EDR

Buzzwords and acronyms abound in the MSP industry, an unfortunate byproduct of marketing years in the making. Cybersecurity is a hot watercooler topic at any business. Well, now probably more likely a virtual happy hour than a watercooler, but nevertheless cybersecurity remains top-of-mind.

To sleep at night, MSPs feel they must enhance or expand their security offerings beyond the standard layers, like; firewalls, firewall filtering, active directory protocols, DNS Filtering and antivirus/malware detection. One of the ways many MSPs feel they can satiate their cybersecurity concerns involves buzzword-y new acronyms floating around involving “EDR” or endpoint detection and response. But what is EDR really and what can it do for MSPs and their clients?

But first, besides EDR, there’s also ADR, MDR, xDR and the industry can surely expect newer blank-DR acronyms coming in the next few years. What are all these acronyms and how do they help MSP protect their clients? Here are a few definitions:

  • EDR (Endpoint Detection and Response) – Technically, every security agent sitting on an endpoint is an EDR solution. The information the agents feed back to administrators determines what action to take and when.
  • ADR (Automatic Detection and Response) – Newer technology allows the agent to automatically make a decision without human intervention. Ideally, ADR automatically remediates a situation and reports to the administrators on action taken.
  • xDR – This newer acronym refers to agents across a network communicating to make a remediation decision or report decision across multiple endpoints.
  • MDR (Managed Detection and Response) – A best-of-breed solution using EDR, ADR and possibly xDR tools in various combinations, MDR allows a human team to make decisions and respond to situations. While more complex and administrative heavy, MDR closes the gap that arises when suspicious applications are being monitored and observed, but not reacted to by an ADR or xDR solution. Human-driven MDR ferrets out the suspicious and reacts.

Here are five things MSPs should consider when evaluating EDR solutions:

1. All security tools with an endpoint agent are basically EDR.

Their job is to detect malicious code, applications, scripts or other malicious files and make a status determination on the fly. Most security agents use various methods like physically scanning file hashes, scanning file content, watching behaviors, looking at scripts, detecting known attack surfaces and other techniques to try to ascertain if a newly encountered file is good or bad.

How the security agent reports its activity depends on the EDR tool. So, while many security tools claim they offer an “EDR” solution, the key is to determine the level of threat, suspicions and action taken in reporting or alerting that adds value for MSPs.

2. The “R,” or response, is key to a successful EDR solution.

While many security tools report and alert, the level of response is the most important aspect of any security practice. If the security agent provides minimal information for decision making, it’s of limited use to the technical personnel responsible for intervening.

On the other hand, technicians can take advantage of security tools with consoles that display alerts, reports and visibility into whether an agent responded, how and the agent’s current status. Too often tools don’t provide necessary insight for reviewing or comparing threat data or approaches – like the MITRE attack framework or other sites with relevant threat information.

Solutions with a more comprehensive API  are advantageous for custom review, integration into more dedicated threat review tools or for alerting through a log gathering and reporting tool. APIs are valuable for providing added information from which human technicians can make decisions.

3. What can be done with the EDR information? Is it actionable?

Once a tool has been selected, what should be done with the information it provides? Answering this is key to successfully setting EDR expectations for customers. If a client requires an MSP has an EDR solution in place, installing an agent is only half of the equation.

Gathering the information into a comprehensive tool or suite can be daunting. If the security solution provider has tools like alerts, reports or an API, start there. However, these tools are often limited and need to be supplemented by a solution with higher performance or a faster response time.

Log gathering tools are a higher performance option that allow many tools to feed into a single system. Once such a solution is in place, the next challenge is to build rules for sifting through the millions of ingested points of information. These rules provide human reviewers  more details for making decisions. It may take several cycles to hone in on the rules that lead to successfully spotting suspicious or malicious activity and protecting customers.

4. Understand what’s behind the EDR hype.

What’s the buzz around EDR and why has it become such a topic for discussion? Fair question considering level of effort to stand up, manage, monitor and address a situation when it arise can be costly and time consuming. Simply having a security vendor “supports EDR” isn’t enough. Selecting a check box to satisfy a requirement is, again, only half of the equation.

So, why go through the time and expense of implementing EDR? Here are three top reasons:

  • Cybersecurity insurance – With the rise of breaches across business and public sector landscapes, cybersecurity insurance on the rise. Many providers have requirements from governance to tools that meet a specific scope. EDR is one such requirement.
  • Good practice – Having layers of protection for customers is important. Extending security offerings by adding an EDR solution with a process will increase that security footprint.
  • Managed Security Service Provider (MSSP) – More and more MSPs are adding value to their customers by adding cybersecurity-specific services. With cybersecurity challenges on the rise, many service providers can increase revenue and provide greater security posture for their customers. Implementing an EDR solution will contribute to that effort.

5. Plan out next steps for adopting EDR at your MSP

  • Evaluate the need. Investing in potentially costly new solutions because of a buzzword is not advisable.
  • Determine the level of effort required to adopt an EDR solution and devise a plan for doing it.
  • Review existing tools and determine if existing solutions are being leveraged most effectively today.
  • Build the team. Part of the plan for adopting EDR should include designating a security team to both manage the solution and respond to its findings.

Simply selecting ticking an EDR box won’t necessarily contribute to client security. MSPs should evaluate the needs EDR will satisfy, the level of effort it takes to implement and how EDR fits into their overall service offering. Vendors won’t hesitate to offer “EDR solutions,” but it’s up to the MSP to properly implement and establish process to support expectations. Simply having the solutions does no good. EDR done right requires the additional team focus, rules, review and responses. Implement an EDR offering with caution and planning.

The NSA Wants Businesses to Use DoH. Here’s What You Need to Know.

Most people would categorically agree that increased privacy online is a good thing. But in practice, questions of privacy online are a bit more complex. In recent months, you’ve likely heard about DNS over HTTPS, also known as DNS 2.0 and DoH, which is a method that uses the HTTPS protocol to encrypt DNS requests, shielding their contents from malicious actors and others who might misuse such information. It can even address several DNS-enabled cyberattack methods, such as DNS spoofing or hijacking. On the other hand, obfuscating the content of DNS requests can also reduce admins’ visibility and control, as well as negatively affect business network security.

Ultimately, this DNS privacy upgrade has been a long time coming. While its creators’ original 1983 design has undoubtedly proven itself by scaling to meet the demands of today’s internet, privacy just wasn’t a consideration 38 years ago; thus, the need for DoH.

“Privacy just wasn’t a consideration 38 years ago; thus, the need for DoH.”

When weighing the obvious privacy and security benefits against the visibility and potential security drawbacks, some businesses are having difficulty managing these new protocols. That’s likely why the NSA recently released a guide that not only explains the need for DoH, it strongly recommends that businesses protect their networks from rogue DNS sources to improve their network security. But what their guide doesn’t really focus on is how.

Correctly managing encrypted DNS can be very challenging. Here’s what businesses need to know about the NSA’s guide and how to successfully embrace DoH.

What does the NSA guide recommend?

The NSA supports the privacy and security improvements DoH provides. However, they also recommend that DNS be controlled, which may leave some admins scratching their heads.

“The enterprise resolver should support encrypted DNS requests, such as DoH, for local privacy and integrity protections, but all other encrypted DNS resolvers should be disabled and blocked.”

What does the NSA caution against?

The NSA specifically warns about applications that can make DNS requests for themselves. Previously, if an application needed DNS, it would ask the local system for the resolution, ideally following whatever configuration the admin had set. These requests would then be sent to the network DNS resolver. This process provides a wealth of information to the network, helping with visibility in the case of a malware attack, or even in the event of a user accidentally clicking a phishing link.

With DNS encryption like DoH, this visibility not only disappears, but now DNS itself becomes incredibly difficult to control. The real challenge comes in as DoH hides the DNS requests using SSL, just as your web browser does when connecting to your online banking website. With this method, DNS requests appear as regular website traffic to most firewalls and networks, and can’t be identified by them as legitimate or malicious.

What other challenges should I consider?

DoH is fairly early in its adoption and only a few applications currently use it, though adoption will continue to grow. In North America, Mozilla Firefox uses DoH for DNS resolution by default. Other browsers, such as Google Chrome and Microsoft Edge have also begun to support DoH, though their default behavior will not enable DoH on most business networks.

Worth noting is that Microsoft itself has yet to support DoH on their DNS servers, so enforcing the NSA’s recommendations may be somewhat difficult. Additionally, as DoH traffic runs on port 443, just like a secure connection to a website, it is not easily regulated or blocked. You can’t just block port 443 at your firewall either, as this action would also block all secure websites. You could block some of the known DoH providers, but as with any new technology solution, more DoH resolvers appear daily.

How does Webroot address security with DoH?

The Webroot® DNS Protection agent already secures DNS requests by using DoH for all of its communications and leverages the power of Webroot BrightCloud® Threat Intelligence to identify and block alternate DoH connections. Our DNS Protection solution also includes an option to echo all DNS requests to your local resolver, so it maintains visibility into the DNS requests being made, leaving intact the powerful information provided by DNS.

Essentially, with a solution that works like Webroot DNS Protection, you still get the power of DNS filtering while also benefitting from DoH encryption. This protection secures remote and on-site users, devices, and networks, effectively fulfilling the NSA’s recommendations.

Hacker Personas Explained: Know Your Enemy and Protect Your Business

In today’s rapidly evolving cybersecurity landscape, the battle for privacy and security is relentless. Cybercriminals are masters at using technology and psychology to exploit basic human trust and compromise businesses of all sizes. What’s more, they often hide in plain sight, using both covert and overt tactics to cause disruption, steal money and data, and wreak havoc with MSPs and SMBs.

While cybersecurity advice is often focused on technology like endpoint protection, firewalls and anti-virus, it’s important to remember that behind every breach is a human. Knowing who they are and why they target your business is essential to remaining cyber resilient.

As we mentioned in a previous blog, hackers come in many forms, but their methods can generally be classified into three distinct types of cybercriminals:

  • The Impersonator – Hackers that pretend to be others, often using social engineering and human psychology to trick users.
  • The Opportunist – Hackers that exploit public events and socio-political crises for disruption or personal gain.
  • The Infiltrator – Hackers that target specific organizations and work to breach systems using a variety of tools and tactics.

Each one has their own methods and protecting against them requires a multi-layered approach. Let’s look at a few primary examples.

Who is the Impersonator?

An impersonation attack recently made headlines with the 2020 Twitter/Bitcoin scam, in which 130 high-profile Twitter accounts were compromised by outside parties to steal bitcoin. The perpetrators gained access to Twitter’s administrative tools in order to pose as legitimate CEOs and celebrities to trick users into sending bitcoin with the promise of doubling their investment. Unfortunately, attacks like this work, and the hackers received $121,000 that was never paid back. This is a scam that’s been around for years and since no one can reverse a cryptocurrency transaction, it’s very likely here to stay.

This type of cybercriminal manipulates victims into opening doors to systems or unwittingly sharing sensitive information by pretending to be someone you would inherently trust. The most notable attack is the “Nigerian prince” email scam, also known as “foreign money exchange” scams. These typically start with an email from someone overseas claiming to be royalty, offering to share a financial opportunity in exchange for your bank account number. Nowadays, you’re more likely to receive an email from your boss’ boss asking for gift cards or money, but these scams are still active in many forms, as the Twitter attack shows.

Impersonators are known to use phishing, Business Email Compromise (BEC) and domain spoofing to lure victims, and they’re always looking for new ways to innovate. In fact, our 2020 Threat Report found that impersonators are now imitating legitimate business websites to release malicious payloads or steal data, and a shocking 27% of phishing sites use HTTPS to trick the user into clicking phishing links, which makes these attacks even more dangerous. It’s easy to assume an official-looking website with an HTTPS address is safe, but hackers can also use HTTPS sites to launch phishing emails and distribute BEC scams as obtaining SSL certificates is trivial now. This is why a multi-layered approach that can block phishing sites (including HTTPS) in real time, is key for staying safe.

What Does the Opportunist Want?

While attacks of opportunity are nothing new, the tactics of the opportunist have gone to a new level with the recent coronavirus pandemic. According to our COVID-19 Clicks report, at least one in three people have fallen for a phishing email in the past year. This year has been all about the pandemic and the fear surrounding it. These phishing attempts often appear in the form of articles about the best ways to avoid coronavirus or links to documents that have lists of people with COVID-19 “in your area.” These documents will ask users to enable an embedded macro that then delivers malware, usually in the form of ransomware. Over 90% of malware campaigns used the pandemic in their initial phishing email this past year.

Opportunists wait for the right opportunity to strike, and just as impersonators take advantage of trust, opportunists also rely on trust and familiarity to deceive users into downloading malicious payloads. Unlike other hackers, however, they don’t have specific victims in mind. The opportunist capitalizes on urgency, fear and unpreparedness to catch as many victims in their net as possible.

As we point out in a popular Hacker Personas podcast, other opportunist attacks like those exploiting U.S. government stimulus payments are also on the rise. Business leaders in particular should watch out for these tactics, as phishing emails can compromise company devices. With the increase of remote workers using unsecured systems and personal devices to access corporate networks, all businesses are at risk from opportunists who bait remote employees.

How Do Infiltrators Breach Systems?

One of the best examples of an infiltration attack is the 2020 SolarWinds breach, in which a foreign state hacked the SolarWinds supply chain to infiltrate at least 18,000 government and private networks including over 425 of the fortune 500. Nation-state hackers took advantage of   SUNSPOT malware to insert the SUNBURST backdoor into software builds of the Orion platform, and unbeknownst to SolarWinds developers, they released it as a normal update to their customers. Several significant US agencies, including parts of the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the Treasury were attacked. What’s more, the fallout of this attack is still ongoing and we may never know the full damage.

The Infiltrator is the opposite of an opportunist in that they target specific victims and have a clear-cut approach to getting what they want. Rather than casting a wide net and hoping for the best, they usually know the system they want to infiltrate, and they use stealthy measures to breach systems, often coming away with a large payout in the form of a costly ransom to criminal enterprises or valuable intel to nation states.

What Steps Should MSPs and SMBs Take to Stay Cyber Resilient?

If knowing your enemy is the first step to protecting your business, the next step is to develop a strong cyber resilience posture that protects against their attacks. Part of that is understanding that cyberattacks are often a matter of “when, not if.” Even if you’re not the target of an infiltrator, for example, your business or employees may be the unknowing victims of an opportunist or impersonator.

Protecting your business includes:

  • Implementing a multi-layered cybersecurity approach that includes complete endpoint protection, firewalls, real time anti-phishing as well as Security Awareness Training
  • Continuously educating and training employees, staff and customers to follow cybersecurity best practices and to stay up to date on cyberattack news
  • Using a backup and recovery solution that can restore critical files after an attack and keep the business up and running during a crisis.

To learn more about hacker personas and strategies to protect against their various attacks, check out our eBook, Hacker Personas: A Deeper Look Into Cybercrime. You can also follow our Hacker Files and Lockdown Lessons series that include a variety of guides, podcasts and webinars covering these topics and more.

How IT Will Prevail in the 2021 Cyber-Demic

While we can all rejoice that 2020 is over, cybersecurity experts agree we haven’t seen the last of the pandemic-related rise in cyberattacks. Throughout the last year, we’ve seen huge spikes in phishing, malicious domains, malware and more, and we don’t expect that to slow down. As employees around the world continue to work from home, 2021 is shaping up to be another year of record highs in terms of malicious online activity.

What is the cyber-demic?

Cybercriminals have always been opportunistic, taking advantage of all possible avenues that disrupt businesses, steal data, trick end users, and more to turn a profit. As the threat reports Webroot produces each year have shown — not to mention the increasing number of major hacks in the headlines — threats keep evolving, and their growth is often exponential. That means even before the pandemic, cyberattacks and resulting data loss were already becoming a case of “when,” not “if.”

Still, the COVID-19 pandemic brought unprecedented surges in threat activity as cybercriminals capitalized on chaos and security gaps caused by the switch to WFH. Particularly by targeting vaccine production and distribution, COVID-19 trackers, videoconference applications, and other pandemic-related topics in their scams, criminals have upped the ante on what would have already been a record year; hence “cyber-demic.”

What types of malicious activities should we expect?

“It’s all about data,” says Matt Seeley, senior solutions consultant at Carbonite + Webroot, OpenText companies.

“Whether you’re a business or an individual at home, your data is important to you. Not having access to corporate data can put companies out of business. Not having access to your personal files can also have devastating consequences. The scammers know how important data is. That’s why stealing it, misusing it, holding it for ransom, or threatening it in some other way is such an effective way to get what they want – i.e., the money.”

– Matt Seeley, sr. solutions consultant, Carbonite + Webroot, OpenText companies

Recent trends in ransomware back up these insights. Thought to be pioneered by the Maze ransomware group, a new tactic emerged in 2020 in which ransomware authors changed their business model. Instead of infiltrating systems to encrypt data and demand a ransomware to unlock it, they instead encrypted the data and further incentivized ransom payment by threatening to expose that data if the victim chose not to pay. Using leak/auction websites, criminals can display or auction off victim’s data to the highest bidder; the cake-topper here is that organizations that are subject to privacy regulations, such as GDPR, PCI, etc., would also have to pay the fines associated with improperly securing sensitive data.

Additionally, the modular nature of modern malware means many malware groups are teaming up to increase their chances of a successful payday. For example, a phishing email might drop a botnet/Trojan that listens for domain credentials. Once the criminals have domain credentials, they can disable security and/or tamper with backups. That way, when they eventually drop ransomware, businesses may have no choice but to pay, since their backups are also compromised.

How IT will Prevail in 2021

“The answer, once again, is data,” says Seeley, “though, in this case, it’s part of overall cyber fitness. If your data isn’t secured, properly segmented, backed up and tested, then 2021 is likely to be a bad year.”

Stressing the need to combine comprehensive cybersecurity layers with proven backup and disaster recovery solutions, Seeley explains, “To bring your cyber fitness up and become more resilient, I recommend businesses start off by assuming they will definitely get breached this year, even if they’ve been lucky and have never been breached before. Once you accept that as your foundation, you can prepare for it. It’s that preparation that’s going to be key.”

Here are his top 3 tips for businesses to stay safe.

  1. Know your data.
    “This is the #1 most important advice I can offer. You can’t secure data if you don’t know where it lives or how important it is. The folks who don’t know their data, who don’t know all the places it resides, how up-to-date it is, or what kind of security it needs, are the ones who are going to suffer the worst if they get attacked or experience some kind of physical damage, like hardware failure or a natural disaster. They’re the ones who, even if they have backups in place, will go to restore their data and realize they don’t have the right information after all. You don’t want to have to learn that the hard way.”
  2. Classify your data.
    “This is part of knowing your data. If you accept that the data breach is going to happen sooner or later, then you need to know which data is mission-critical to get through your day, vs. other historical data that is nice to have, but won’t make or break your business if you lose access for a little while. Once you know the timing of which systems and data need to be available this second and which ones can wait a few days or weeks, you can properly plan your disaster recovery strategy and choose the right backup solutions and schedules.”
  3. Test your data recovery plan.
    “The biggest obstacle to your cyber fitness is overconfidence. Just because you have antivirus and backups doesn’t guarantee your protections will be there and functional when you need them. Bad actors are going to keep getting craftier. They’re going to keep finding new ways to target data. You need to regularly monitor and test your backup and disaster recovery strategy to ensure that your data is exactly as safe and available as you need it to be.”

    For more details on stress testing your disaster recovery plan, read his blog on the subject.

While these tips apply more to businesses than home users, Seeley says the same fundamental principles apply to anyone. “Think about all the data you could lose if your personal computer crashed right now and the hard drive died. Do you have it backed up? Are those backups secure? Do you know all the places your data lives? Do you have protection for it? Whether you’re a business, an MSP, a regular person at home, a student… These are the types of questions we should all be asking ourselves, so we can all be more resilient in this cyber-demic.”

Essential Threat Intelligence: Importance of Fundamentals in Identifying IOCs

The supply chain attack that Trojanized a SolarWinds update to infect and spy on the IT management platform’s customer base continues to be analyzed. Early reports have called the methods highly sophisticated and the actors highly trained. We do know that IP addresses, a command and control server and a malicious product update file were used. While details continue to come to light with further investigation, one thing has been made clear by the incident: the fundamental elements of tactical threat intelligence still have a critical place in a layered cybersecurity strategy.

Tactical threat intelligence typically focuses on the latest methods threat actors are using to execute attacks. It’s examines indicators of compromise (IOCs) like IP addresses, URLs, system logs and files to help detect malicious attacks. This type of threat intelligence is most often deployed in network and security devices like firewalls, SIEMs, TIPs and other tools, and is usually set to apply policy-based settings within these devices based on intelligence criteria.

Recent attacks continue to prove that these fundamental tactical threat intelligence pieces are still critical. While web filtering and URL classification, IP reputation, and file detection and reputation may be less flashy than threat actor profiles and takedown services, they continue to be the building blocks of core threat intelligence elements that are key to stopping attacks.

These IOCs – files, IPs, URLs – are proven methods of attack for threat actors and play a consistent role in their malicious campaigns. Having tactical intelligence concerning these internet items is one key step security and technology providers can take to ensure their users are better protected. For tactical threat intelligence to be effective it must be both contextual and updated in real-time.

Why context matters


Context is what allows threat intelligence providers to take a mass amount of data and turn it into something meaningful and actionable. With context, we can explore relationships between internet objects and better access their risk.

As the recent SolarWinds attack shows, IOCs are often interconnected and rarely only one is used. Seeing the connections surrounding various internet objects, like a benign website that may be one step away from a malicious IP address, allows us to map and analyze these objects not only as they are classified but in their contextual relationships. These relationships allow us to better predict whether a benign object has the potential to (or is even likely to) turn malicious.

Real-time intelligence

Over the course of a year, millions of internet objects change from benign to malicious and back many times as cybercriminals attempt to avoid detection. Showing a single IOC at a single point in time, as happens with static IP blocklists, doesn’t paint the full picture of an object’s activity. Both real-time and historical data, however, canhelp in the development of a reputation score based on behavior over time and common reputational influencers such as age, popularity and past infections. It also helps to protect users from never before seen threats and even predict where future attacks may come from.

Once the fundamental intelligence is present, it’s also critical to make sure policies are enabled and configured correctly to best take advantage of the threat intelligence. In the instance of the SolarWinds attack, when we evaluated the initial data we found that seven of the IP addresses used in the campaign were previously identified by BrightCloud® Threat Intelligence months prior to discovery of the attack. These IP addresses were marked as high-risk and had fairly low reputation scores. In addition, the IPs consistently remained in the high-risk category throughout the year, meaning there was a high predictive risk these IPs would attack infrastructure or endpoints. Depending on the threshold set in the policy, many end users could have already been prevented from experiencing malicious behavior initiating from one of these identified IP addresses.

Necessary, not sufficient

Many security companies treated the Orion software update released by SolarWinds as one coming from a trusted partner. That factor contributed to the widespread success of the suspected espionage operation. It also allowed the threat actors’ reconnaissance operations to go undetected for months.

But Webroot BrightCloud® Threat Intelligence associated the IP address with a botnet in the summer of last year. A properly configured security tool using Webroot BrightCloud Threat Intelligence data would have blocked communication with the command and control server.

When used as part of a wider defense in depth strategy, essential threat intelligence components and proper policy configurations that apply that intelligence can help to make vendors and their partners more resilient against complex attacks.