Although they didn’t always call themselves a managed service provider, that’s exactly what T-Consulting has been since its inception. According to Vera Tucci, founder and CEO of the Italy-based MSP, it was her mission to give her clients more than a basic hardware/software bundle with a few hours of IT consultation. She knew her clients needed a greater level of service, especially those whose businesses had grown from small family operations into larger companies, and that’s what she built her own business to provide.
When one of her oldest clients began having issues with the previous security program T-Consulting offered — issues that prevented the client from being able to access business critical systems and required hours upon hours of her team’s time to diagnose and resolve — Tucci immediately started working to identify a better solution. As far as she was concerned, the tools her team used should solve problems, not cause them. That’s when she came across the Webroot® portfolio of cyber resilience products for endpoint protection, DNS protection, and end user training.
“I actually remember the change in mood within my company. Within days of making the decision [to switch to Webroot], my employees were happy again. They weren’t waking up worried about what would go wrong. […] We saw immediate results in terms of the time our team suddenly had on its hands. We were not wasting time trying to solve problems we shouldn’t have had in the first place.” – Vera Tucci, Founder and CEO, T-Consulting
Hear how T-Consulting integrated Webroot® Business Endpoint Protection, DNS Protection, and Security Awareness into its RMM, enabling its team members to take back their time and refocus their efforts on business priorities and revenue-generating tasks in CEO Vera Tucci’s video testimonial.
Aging infrastructure in the United States is not confined to crumbling roads and bridges. Recent events have shown that connected devices in our pipelines, water treatment facilities and power grids are also vulnerable to exploitation.
As of now, we still don’t know much about the ransomware attack against the operators of the Colonial Pipeline. Details about how and when cybercriminals were able to compromise Colonial’s network have yet to emerge. The FBI has confirmed that Darkside, a ransomware as a service (RaaS) group, was behind the attack but background on that group is about the only place where information is plentiful.
We still don’t know if a ransom has been paid. Or if Colonial was able to completely isolate its operational network from its corporate systems – the intended target of the attack according to the company – or if Darkside could have bridged that gap.
Based on the Darkside’s own statements and analyses of its past behavior, experts believe the attack wasn’t intended to seriously disrupt the nation’s gasoline supply or cause major harm to its critical infrastructure. But that’s beside the point.
It was enough for states of emergency to be declared up and down the Eastern seaboard and for the federal government to issue warnings to other utility providers to be on the lookout for similar attacks.
And this cyberattack against critical infrastructure is far from the first of its kind and unlikely to be the last. A 2019 attack on a power grid control center responsible for supplying several sites in the Western U.S. was considered a near miss in which the country got off easy.
Early this year, remote access software at a water treatment facility in Oldsmar, Florida was compromised and hackers used the access to attempt to increase the concentration of a tissue-damaging chemical normally used to prevent the corrosion of pipelines. Only an attentive employee and the delay needed to get the added chemical into the water supply prevented serious harm.
The sorry state of cybersecurity in U.S. critical infrastructure is well-known within the industry. The rise of the Internet of Things (IoT) isn’t limited to the consumer sector. These devices help with automation and make industrial control systems (ICSs) smarter than they’ve ever been before, but cybersecurity is often an afterthought in their design if it’s one at all. One source claimed it was communication between an ICS and Colonial’s corporate networks, responsible for simplifying the billing process, that caused concern about the attack spreading to operational systems.
Making more cyber resilient infrastructure
After several shots across the bow have luckily not resulted in direct hits, what can we do to bring about a hardening of U.S. infrastructure cybersecurity? How can we prevent a replay of the 2017 attacks against Ukraine’s power grid from happening here?
Here are a few suggestions:
- Don’t disincentivize cybersecurity investment. – Ransomware insurance isn’t a bad idea, but providers won’t subsidize poor security practices forever. We’re already seeing some pushback against companies who happily shell out for ransoms knowing a reimbursement will soon follow. Well-insured but under-protected organizations may have gotten away with it for a while, but surging ransomware incidents are ushering those days out the door.
- Actively promote that investment. – Policy analysts who have studied this issue urge government, at whatever level, ensure that critical infrastructure providers have the financial wiggle room to invest in better cybersecurity. Designing these investment incentives is beyond the scope of this post, but our near misses should make it clear that this is a national security imperative. Even private companies like Colonial, until now under less pressure than a public utility to account for compromises, should be invited in.
- Don’t forget to secure corporate networks, too. – Just because the computer in the lobby of corporate HQ can’t crank up the sodium hydroxide in the drinking water doesn’t mean it’s not worthy of an antivirus. If access between corporate and operational networks exists, it can be exploited by determined cybercriminals. Endpoint protection for all devices and network-level security are the bare minimum. And with phishing attacks enabling the majority of breaches year after year, it’s important to train workforces on how to spot them.
- Make smarter ICSs more secure. – IoT devices are not going anywhere. Their applications are many and varied and they make us more effective. But they’re seldom designed with cybersecurity in mind. In high-stakes applications like water treatment, oil and gas delivery and power distribution, this cannot be taken for granted. Manufacturers should consider OEM applications for threat intelligence feeds that make their smart devices more secure. This problem has been well studied but should be addressed with greater urgency.
For the time being, major damage and fears of prolonged fuel shortages may be unfounded with the Colonial Pipeline attack. But we need to act deliberately now in order to avoid relying on the same luck in the future.
Coauthored by Dominick Bitting, Sr. Threat Research Analyst, and Colin Maguire, Web Content Specialist.
Manchester City win the Carabao Cup Final, many illegal streamers lose
The COVID pandemic has led to a surge in content consumption as people stayed home and turned to Netflix, Youtube and other streaming services for entertainment. Not everyone agrees with paying for the latest episode or album, however, and this rise has ran parallel with a rise in digital piracy.
Piracy is widespread and – ethical issues aside – makes for an interesting case study from a threat research perspective. In terms of sports, European football is the most commonly pirated, making up more than a quarter of all illegal sports streams according to one recent study.
There is a sizable online community that shares bootlegged movies, TV and live sports streams without copyright protection over HTTP/HTTPS. Sites streaming pirated sports, specifically the English football “free-to-view” sites, were the subject of an April 2021 Webroot study on the week of the Carabao Cup final game between Manchester City and Tottenham Hotspur.
This was not meant to be an exhaustive study, but rather focused on getting a snapshot of the dangers involved in spending 90 minutes illegally streaming a match online.
The sites we analysed
We analysed a total of 20 sites in the study, of which 12 “game sites” were analysed in greater detail for the duration of the Cup Final. 92% per cent of illegal streaming sites analysed by Webroot were found to contain some form of malicious content.
Sites ranged from having a “trusted” Webroot Brightcloud® reputation score of 92 to an “untrusted” rating of 44. All sites at time of testing had a safe, zero detection rating in Virus Total except for one, “daddylive”, with a rating of 1/85.
However, when examined more closely, most hosting IPs were found to have hosted malicious content (such as some serious malware) in the past, and had connections to other high-risk IPs. Some of the sites caught our attention for leading to a massive amount of URLs. For instance, rojadirecta[.]me pulled 565 different URLs. We focused most of our attention on these suspicious sites.
Most of the sites analysed were insecure and running HTTP. The lack of security on these sites means any personal data shared across the site’s connection is out in the open. While the more secure HTTPS isn’t always a guarantee a site is completely safe, the lack of certification and security protocol were red flags, making sharing details or sensitive information risky.
Most of these sites (more specifically the advertising on these sites) use dishonesty and social engineering to fool users into opening links, enabling an action on their browser or downloading a file they never intended to. This is done using an array of tricks like fake “X” boxes on video overlays, false “notification enable” messages and outrageous promises and warnings.
Redirects are not bad in and of themselves, but when links jump between a number of unrelated sites (e.g. sports to dating to bitcoin to online shopping) this is a definite red flag. And we observed it a lot on illegal streaming sites. This signals that the site or site network admins must constantly change what their links direct to as they introduce new URLs. The presence of zero-day (or brand new) sites is a related bad indicator when looking at any site and it’s connected IPs.
Types of threats we saw on pirated streaming sites
“With cryptocurrency values soaring again, executable based cryptojacking has been on the rise.”
Webroot’s 2021 Threat Report
We observed targeted and localised bitcoin scams promising riches and asking users for banking details. The price of Bitcoin and other cryptocurrencies have been booming over the last year, and the rise and fall of these prices affects cryptocrime levels. We observed convincing ads and websites that link directly to fake news sites or feature local(ised) celebrities and politicians selling scams.
This “Mirror” fake news page is clearly designed to copy the popular UK newspaper. It is a front for a “get rich quick” scam designed to gather users’ cash and personal details. Different versions of this scam have been observed localised for different countries. This was pushed on the vipleague[.]lc streaming site.
“Appearing on the ‘BBC Breakfast’ show, Bill Gates revealed that he invested substantial amounts of money. The idea was simple: allow the average person the opportunity to cash in…”
Text from one scam we witnessed
Hijacked search results
Hijacking browsers allows cybercriminals to switch a user’s default browser and take over its notifications. This means different search results are served up or users can be spammed with junk notifications and explicit content. Even if users shut down their laptops, the changes will remain.
Users looking to watch a stream are also tricked into allowing notifications, which bombard them with explicit and extreme content, as well as scams and links to other malicious sites.
Links on jackstream. push users into installing a browser hijacker known as mysearchflow.com, which is blocked as Spyware/Adware by Webroot. Clicking on the stream causes a popup which asks to allow notifications. These particular notifications were pop-up ads appearing in the screen’s right corner that were very intrusive and not easy to disable.
All these sites supported mobile browsing and the advertising, social engineering and malicious content targeting mobile users, too. For instance, links pointed to fake mobile apps with privacy issues and useless in-app purchases ranging from £2.09 – £114.99. It’s important for users to note that many of these mobile apps can also be installed on PCs and are often difficult to remove. Here’s a mobile advertisement from hulkstreams.com that earns clicks by claiming a device is infected with viruses.
We installed and ran this particular product. It turned out to be an example of fleeceware, a type of malware that tries to sneak excessive fees past subscribers. It had over 10 thousand downloads on the Google Play store already. The product offered in-app purchases ranging from £2.09 – £114.99 per item and has since been marked as malicious by our threat intelligence.
|The sites we analysed. Starred sites indicate “game sites.”|
Since pirate streams operate outside the law, they often sell advertising space to entities that are also operating outside the law. Although we found some advertising from reputable vendors, we would not recommend visiting these sites for the good of your overall online safety.
We do recommend that, when browsing any site on the web, users update their software and operating systems, employ AV and anti-phishing detection, and double-check any links before clicking, especially when they profess to offer something that seems too good to be true.
What’s better for getting your business’ name out there and boosting sales than having a killer business marketing plan with well-placed ads, zippy copy, and a slick design?
The answer is: having a group of dedicated real-world customers who use their own platforms to advocate for your business and its offerings.
Thanks to social media, reviewing platforms, and the steady rise of online presence, your customers have numerous avenues in today’s internet to help make (or break) your brand. Discerning prospective customers don’t trust faceless brands with no reviews. In increasingly saturated markets, one of the best ways to build your brand is not to advertise to your customers, but to turn them into advocates for your brand and services.
What’s the difference between advocacy and community?
Although they may go hand in hand, an advocacy program isn’t the same as a user community. User communities are more about connecting all of your end customers with one another, your teams, and the resources they need to be successful with your products; and about giving them an active forum to find support, both from their peers and your teams. But an advocacy program should be more selective about its members. Sure, at first, you may be happy just to get people involved so you can get your program off the ground; but the ideal customer for your advocacy program isn’t just an average user with little investment in the product. Instead, it’s someone whom you can recognize as a power user; someone who is invested in the success of your product as being integral to their own success, and will, therefore, be more likely to help evangelize your wins and also bring enhancement requests, unanticipated requirements, bugs, and other worthwhile concerns to your attention.
But how do you find these people? How do you keep them engaged once you do find them? And what does it look like to build an advocacy program that actually works for you and that your customers genuinely want to be a part of? We checked in with Emma Furtado, customer advocacy manager at Carbonite + Webroot, OpenText companies, for her take on the best tips to turn your savviest customers into your loyal advocacy partners who can’t wait to spread the word about your amazing products and efforts.
Top 4 Tips for Building a Successful Customer Advocacy Program
Tip #1: Take your time.
According to Emma, step one is recognizing that doing anything right takes time. “You can’t build a successful advocacy program overnight,” she clarifies, “you’ll need to have at least one employee, maybe even a team, depending on the size of your business and program goals, dedicated to research and relationship-building. You should also think about coordinating across teams. Very few customers want to be cold-called to take part in an advocacy program. Take advantage of the relationships your sales reps and engineers have already built; start working with them to identify power users and have them make an introduction so that you don’t have to start building the relationship entirely from scratch.”
Tip #2: Figure out your goals.
Sometimes in business, we end up with the desire to do something without fully understanding why it’s necessary or what it can do for us. “The point of an advocacy program isn’t to just being able to say you have one,” Emma explains. “It needs to be doing something for you and for your advocates. So, start with the basics around your own needs. Are you trying to build brand awareness, get stronger product feedback, or something else? Ask yourself how this program could boost efforts that your team is already working towards. After you fully outline why you’re doing it, you can start determining realistic goals, deliverables, and KPIs to measure the progress of your program. And once you have those pieces in place, you can start working to determine how best to engage with your customers to develop the kind of program that can achieve those goals.”
Tip #3: Hand-pick your members
As mentioned previously, when your program is in its infancy, you might choose to have a sort of volunteer enrollment phase just to get people in the proverbial door. But Emma warns that, to actually meet your objectives, you need to make sure you’re bringing in customers who will work with you and make good brand advocates. “Not every customer meets that criteria, and that’s okay. Each customer will want to engage with us differently. Your job here is to identify the people who would make good advocates and be willing to be active for your brand in one way or another. A good place to start is by looking for folks who are already engaged in customer-facing programs, such as product betas; who have already provided a Net Promoter Score (NPS); who recently responded to a survey; and/or people who are already active in your industry through blogs or social media.”
Tip #4: Give customers incentives, not bribes.
It sounds rational to entice advocates to your program with exclusive swag or even free software. That’s not the worst thing you could do; but quality brand advocates are the ones who do it to get the word out, help their fellow IT pro, and improve the products we all use, regardless of whether they have a sweet, company-branded vacuum-insulated stainless steel tumbler for their morning coffee. “A good advocacy program isn’t about getting any old kind of engagement with your wider audience,” Emma says, “it’s about creating a mutually beneficial situation between your business and a select group of highly-invested power users. Those users aren’t doing it for the swag. They’re doing it because they believe in your mission; or because they love your products and want to help guild your roadmap; or because they feel they represent unique concerns and feel an obligation to share that voice; or because they want chances to increase their own expertise or presence in the space. There are so many reasons that have nothing to do with free stuff.”
While customer advocacy can’t entirely replace your normal marketing spend line items, creating an advocate program can make all the traditional line items significantly more effective. It is an exciting and important opportunity to level up your marketing efforts by identifying and leaning on your brand evangelists, who effectively share the marketing burden with you.
“Figure out where your advocates are and go there. Talk to them about their businesses and goals. Show them you’re invested in their success, with or without your products. You’ll have an advocate for life.”– Emma Furtado, customer advocacy manager, Carbonite + Webroot, OpenText companies
Keep in mind: an advocate program cannot succeed as a siloed effort. Customer advocacy works best when it supports your marketing efforts and product development. You can use the real-world customer input to inform your understanding of how customers want to be interacted with, improving the success of marketing programs and return on spend. Additionally, you can use the same feedback forum to guide how you use marketing and product development resources and pivot quickly on a leaner budget. By tailoring the overall customer journey to best serve their unique preferences and needs at each stage, you demonstrate to your base how highly you value their input. Ultimately, these actions serve to build a better experience for the customer overall, i.e., better reputation, brand recognition, and market posture for you.
Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually corresponding shifts in crypto-based crime, such as ransomware, though it’s not necessarily the kind of change you might predict.
According to Tyler Moffitt, senior threat researcher and resident crypto expert, “whatever Bitcoin does, the altcoins are going to follow. When [Bitcoin] crashes, the rest crash.” But that doesn’t necessarily mean you’ll see big spikes in ransomware or cryptojacking. In fact, Moffitt states, because Bitcoin is known for being fairly volatile, it can undermine any direct effect on, say, the amount demanded in a ransomware scheme. It’s very possible for a Bitcoin ransom to lose value over time due to market flux, making it less profitable than it might otherwise appear.
So, what’s the real story? As we see cryptocurrency values rise and fall, how should we interpret shifts in the threats we can expect to see? Is it safe for ordinary folks to try to get into the crypto market, or does that just give malicious actors another method to scam and steal from you?
Get answers to these questions and more in this informative Hacker Files podcast with Joe Panettieri, in which he and Tyler Moffitt discuss the ins and outs of crypto, what the market looks like, how it actually affects cybercrime, and what everyone from crypto novices and to bigtime enthusiasts need to know.
Although cybercriminal activity throughout 2020 was as innovative as ever, some of the most noteworthy threat activity we saw came from the old familiar players, namely ransomware, business email compromise (BEC) and phishing. According to the 2021 Webroot BrightCloud® Threat Report, each of these threat types saw significant fluctuations as people all over the world shifted to working, studying, and doing everything else online. Here are some of the findings from the report.
One of the newer trends we saw in ransomware was that of data extortion. Believed to have been started by the Maze ransomware group, the data extortion trend involves not just encrypting business’ data and holding it for ransom, but in fact threatening to expose the compromised data if the victims refuses to pay. This new ransomware business model specifically targets sensitive data to increase the likelihood of payment.
Unfortunately, there’s little a targeted business can do in these situations. If they don’t pay up, their data might be disclosed publicly or otherwise misused. And, depending on what kind of data has been compromised, the consequences of exposure could include costly fines for violating privacy regulations like GDPR and California’s Consumer Privacy Act (CCPA). These fines can really add up, starting at $100 per customer per record lost and going up to flat percentages of revenue.
As if the ransom cost and regulatory fines aren’t enough, there’s also the cost of other ransomware fallout, such as downtime and time to recover. Universal Healthcare Services reportedly suffered three weeks of downtime after its September 2020 ransomware incident, resulting in a $67 million loss of revenue. Finally, there’s the question of the brand’s reputation and customer trust, which could be so irreparably damaged that the business might not survive.
As the data extortion trend took off, we also saw massive payouts to ransomware actors.
- The attackers who hit Foxconn demanded ~1804 Bitcoin ($34 million at the time) to prevent the data they’d stolen from being publicly exposed.
- Malicious actors infected Garmin’s systems with ransomware and required (and reportedly received) $10 million to destroy the stolen data.
- By September 2020, the average ransom payment peaked at $233,817.
“In most cases, ransomware isn’t the beginning of a compromise. It’s actually the end state, where the criminals cash in after an extended period. By the time you realize you’ve got ransomware on your network, the criminals may have been in there, watching, listening, and tampering with things for weeks or months without your knowledge. They might’ve even checked out your financials, so they know what kind of ransom to demand.”
– Kelvin Murray, Sr. Threat Research Analyst
Business email compromise (BEC)
BEC typically targets commercial, government, and nonprofit organizations by impersonating a senior colleague, IT team member, vendor, or trusted customer. In most scenarios, the malicious actor contacts the victim via email under the pretense of requesting money (especially via wire transfer or pre-paid gift card), provide credentials, or release sensitive data.
BEC relies pretty heavily on the inherent trust of employees in their management teams, fellow colleagues, and customers. But with so many invoices and payment requests that occur as part of the daily operations in any businesses, it can be quite easy for attackers to sneak a fake one in.
From the example above, you might not think much of the consequences of this type of attack. It’s important to keep in mind that it’s not always a matter of a few $50 or $100 gift cards; it could just as easily be a legitimate-looking vendor invoice for tens of thousands of dollars. BEC remains a very lucrative business; the Internet Crime Complaint Center (IC3) got 19,369 BEC complaints in 2020, resulting in adjusted losses of $1.8 billion!
“Like phishing prevention, successfully preventing BEC involves a combination of robust training for end users and appropriately designed and publicized business policies around how to handle financial or technical requests.” – Grayson Milbourne, Security Intelligence Director
Phishing is still one of the most popular ways (if not the most popular) to get ransomware and other types of malware into a business’ network. Getting a victim to fall for a phishing attack is often the first step, which gives attackers a jumping off point to perform reconnaissance on the network, acquire any necessary credentials, interfere with protection measures and backup schedules, deploy malware payloads, and more — and then they get to decide what to do with any data they steal at their leisure.
COVID-19 definitely affected phishing in very visible ways. For example, the majority of phishing lures we spotted throughout the year pretended to offer information on the pandemic, COVID-19 tracking, protection measures and PPE, and more, often purporting to be from reputable sources like the CDC or WHO. There were also numerous malicious spam (malspam) emails claiming to provide details on stimulus checks and vaccines.
The rates of phishing attacks throughout 2020 largely coincided with the early months of the pandemic. Attacks increased 510% from January to February, with eBay and Apple the brands most often targeted (we believe these numbers were due to buyers increasingly looking online as product shortages and technology needs arose). Attack volume continued to grow into March, then dropped off as we moved into the summer months. A more modest spike occurred in the months leading up to the U.S. election, up 34% from September to October, and another 36% from October to November.
Here are a few of the other phishing stats that stand out.
- From March to July, during the initial lockdown phase in the U.S., phishing URLs targeting Netflix jumped 646%. Other popular streaming services saw similar spikes at corresponding times.
- By the end of 2020, 54% of phishing sites used HTTPS, indicating that checking for the lock icon in your browser’s address bar is no longer an adequate way to gauge if a website is legitimate or not.
Cybercriminals certainly didn’t sit 2020 out, but it’s not all gloom and doom. In fact, there were numerous cybersecurity achievements throughout the year that work to the benefit of businesses and individuals everywhere. Security researchers and analysts have been working hard to identify and neutralize new threats the moment they’re encountered. More businesses are adopting robust backup and disaster recovery plans to remain resilient in the face of downtime, planned or unplanned. Operating systems and web browsers are improving their built-in security to stop threats sooner in the attack cycle. Phishing simulations and security awareness training for employees continue to improve business security postures by major percentages (up to 72%, per the report). Nations and companies are working together to break down cybercriminal infrastructure. Even malware (for the moment) is trending gently downward. It’s clear from our findings that, with the right backup, training, and security layers working together to form a united defense against cyber threats, businesses and individuals can achieve true resilience, no matter what threatens.
At Webroot, we could go on and on about user experience (UX) design. The study of the way we interact with the tools we use has spawned entire industries, university programs and professions. A Google Scholar search of the term returns over 300 thousand results. Feng Shui, Leonardo Davinci and Walt Disney are all described as important precedents for modern UX.
Just to say: it’s something software companies spend a fair amount of time thinking about, even cybersecurity companies.
April 27 marks the release of the re-designed Webroot business console, and our team of UX designers had plenty to think about in terms of inspiration for our first major business management console re-design in more than 10 years. Ultimately, it was decided that console’s facelift would be guided by the principal of “human-centered design,” or HCD.
The International Standards Organization describes HCD as “an approach to interactive systems development that aims to make systems usable and useful by focusing on the users, their needs and requirements, and by applying human factors/ergonomics, and usability knowledge and techniques.”
Ultimately, human-centered design entails giving people the tools they need to accomplish what they set out to. It can refer to designing products to help individuals overcome their disabilities or making sure a driver feels like he’s behind the wheel of an Indy Car every time the engine turns over. As CIO puts it, “human-centered design focuses on the human first.”
HCD and the new Webroot management console
The humans we put first are our users. More specifically, in terms of our business products, managed service providers (MSPs) and small to medium-sized businesses (SMBs). These groups have varying pain points they need addressed by our software. MSPs tend to need multi-site, multi-tenant capabilities for managing many clients, whereas SMBs typically require a simplified console that’s easy to use. So, in accordance with HCD, we’ll be releasing a separate console for each.
That’s not the only way we considered the user in refreshing our console though. Our UX and product management teams directly discussed desired improvements with more than 50 top users and incorporated feedback from hundreds of users through the Community, wire frames, usability tests and conversations. Enhancements were made based on this customer research.
All this led to a cleaner, more intuitively designed management console that we hope puts the needs of the user first. It’s our hope that HCD will make the lives of our business customers easier, removing some of the barriers they encounter with the software they use to make their clients and businesses more secure.
For more release details, specific improvements made and screenshots of the new console, download the full product bulletin here.
Pen testing is the art of attempting to breach an organization’s network, computers and systems to identify possible means of bypassing their defenses. It’s an “art” because there is no one-size-fits-all method or process. Testers need a variety of skills, knowledge and tools to make the attempt.
Most testers are hackers trying to use their skills legitimately, technical administrators, network administrators or just computer enthusiasts who enjoy trying to undermine IT security stacks. Many testers are jacks-of-all trades (and masters of them all). Their primary goal is to succeed in getting past defenses and report on their findings. An MSPs intention is to NOT allow this to happen by putting up the right security posture through layered defenses.
So it’s easy to see how the relationship can quickly become adversarial. But there are ways pen testing organizations can help MSPs. Before we get to that, more details on types of pen tests.
Types of testing
An issue with pen testing is a lack of standard operating procedures. No one company performs the tests the same way. Testers are fallible actors with certain skills they apply to circumvent defenses. While testers and testing organizations are usually highly skilled, they are not all knowing. Trust, but verify.
So, what types of testing methods are there? While standardization is scarce and pen testing is pretty much a Wild West environment, there are some common methods and approaches. These can be broken down into two categories: Blue Teams and Red Teams.
(Tools are varied and not important until the tester discovers or knows what type, brand or systems are present. In other words, tools are specific to the environment.)
With Blue Teams, “tester” has some information about the network, computers and organization that they’re pitted against. They know how things are set up and are there as more of an audit/report type tester rather than a malicious hacker.
Blue Teams can be anyone inside or outside the organization. However, in the MSP community, the Blue Teams are usually the technicians responsible for establishing the layered security defenses and then verifying their effectiveness. They’re the internal folks that are standing up various tools to block bad actors from encroaching or breaching their network, computers and systems.
Here’s where it can get murky and why you should always insist on more information about ay client’s pen test. Pen testing can be an outside organization performing a Blue Team activity and their report can be communicated as a Pen Test Failure. Trust, but verify.
Red Team testers have no idea about the organization they’re testing against and must figure out the technology, network, computers and systems before doing anything. These are true hackers starting from nothing. They may use social engineering to conduct reconnaissance, they may google employees, use LinkedIn or any other publicly available information to gain a foothold with the organization before they write one line of code.
This is real penetration testing, as they make the attempt to access networks, computes and systems of the identified organization they’re testing against. When a Red Team reports its findings on why and how they were able to breach a client, it’s time to pay attention.
Should you put a Penetration Testing company on retainer?
So, now that we’ve established some high-level perimeters, how should MSPs engage with pen testers?
First, it’s important to learn everything you can about your tools. The mantra of a strong security posture is ‘know your tools inside and out.’
But don’t stop there. Rather than stand up the layers of the latest cool tools and cross your fingers no pen tester hits a client with a failing report, be proactive. Learn about the penetration testing market, find a good pen testing company with strong credentials and engage with them. With security concerns exploding over the past few years, pen testing should be considered an essential tool for validating your effort and spend on the security stack. So get to know the good ones.
Again, many MSP view third-party pen testing organizations as the enemy. Instead, engage with pen testing organizations to test your own defenses before issues affect your customers.
Here are a few tips for improving your business’s relationships with pen testers:
- Pen test your own network, computers and systems. If you want to know how good your “Blue Team” is, put their feet to the fire and have a solid, reputable third-party pen testing organization attempt to breach your own defenses. Learn all you can about their methods and findings, then review and adjust.
- Work with the pen test organization as a potential revenue opportunity. Work out an agreement that lets you as the MSP provide work and opportunity through your own customer network. You act as the lead generator and offer their services as an adjunct to your own.
- When customers come along with a report that you were not involved, ask questions about how the test was conducted and then offer your own services to proactively verify their report.
Now that you know the basics of pen testing and how they can be used constructively, here’s a question: what happens when a customer fails a pen test? We’ll answer that question in an upcoming post.
In the United States, there are approximately 350,000 companies contracting for the Department of Defense. Each of these companies have to meet varying degrees of compliance and are now subject to the Cybersecurity Maturity Model Certification (CMMC). Effectively, CMMC means that before a DoD contractor can execute on their contract, they have to receive an independent, third-party verification certifying whether they meet the correct security and compliance criteria. The process is expensive and it’s pass/fail.
F1 Solutions, an MSP based in Huntsville, Alabama, has been working to align their security stack to the CMMC guidelines to help ensure that all of their customers, whether DoD contractors or otherwise, benefit from the comprehensive level of security the regulation requires. DNS protection, in particular, is a must-have under these rules. With over 5,000 endpoints under management, F1 has set itself quite a task. But with cyber resilience solutions from Webroot in their security stack, they’re up to the challenge.
“Of all our clients on our full stack (about 140), we’ve never had a client fall victim to cryptojacking or any significant virus, for that matter, unless the system was not using part or all of our stack or being managed by us. That’s pushing 5,000 endpoints, including all servers, terminal servers, Macs and PCs.” – James VanderWier, CEO, F1 Solutions
Hear how F1’s overall security and compliance offering changed for the better since they made the switch to Webroot endpoint security solutions in F1 CEO James VanderWier’s video testimonial.
Watch the video: https://vimeo.com/487018201
“It is a nightmare. Do all you can to prevent ransomware.”
– A survey respondent
Many businesses are hesitant to talk about their experiences with ransomware. It can be uncomfortable to cop being hit. Whether it’s shame at not doing more to prevent it, the risk of additional bad publicity from discussing it or some other reason, companies tend to be tight-lipped about these types of breaches.
By offering anonymity in exchange for invaluable quantitative and qualitative data, Webroot and professional researchers surveyed hundreds of business leaders and IT professionals about their experiences with ransomware attacks.
Perhaps the most surprising finding from our survey, and certainly one that presents broader implications for those involved, is that the ransom demanded by attackers is only a small part of the loss that accompanies these crimes. There are also lost hours of productivity, reputational suffering, neutralized customer loyalty, data that remains unrecoverable with or without paying a ransom and the general sense of unfairness that comes with being the victim of a crime.
Our ransomware report seeks to quantify these knock-on effects of ransomware to the extent possible. We looked at the value of a brand and how likely customers are to remain loyal to one after their data is compromised in a breach. We studied the relationship between the time to detection of the incident and its cost. We added up the labor cost spent during remediation.
But we were also interested in real people’s stories concerning their run-ins with ransomware. What advice would they give to those who may find themselves in their same position? Respondents talked about the inevitability of attack, the relief when frequent backups mitigate the worst effects of ransomware, the importance of a plan, and advised against the payment of ransoms.
Finally, we provide advice for defending against or at least reducing the disruptive impact of ransomware attacks. As a security company, it won’t be surprising that we recommend things like endpoint and network security. But it goes deeper than that. We stress the importance of empowering users with the knowledge of what they’re up against and implementing multiple layers of defense.
Most importantly – no matter how comprehensive or scattershot a business’s protection is – is that that it’s are in place before it’s needed. During the fight is not the time to be building battlements. If your organization has avoided the scourge of ransomware so far, that’s excellent. But IT administrators and other decision-makers shouldn’t count on their luck holding out forever.
Here are a few of the report’s most enticing findings, but be sure the download the full eBook to access all of the insights it delivers.
- 50% of ransomware demands were more than $50k
- 40% of ransomware attacks consumed 8 or more man-hours of work
- 46% of businesses said their clients were also impacted by the attack
- 38% of businesses said the attack harmed their brand or reputation
- 45% were ransomware victims in both their business and personal lives
- 50% of victims were deceived by a malicious website email link or attachment
- 45% of victims were unaware of the infection for more than 24 hours
- 17% of victims were unable to recover their data, even after paying the ransom
Ransomware attacks generate big headlines when the targets are government entities, universities and healthcare organizations. But there’s one increasingly frequent target of ransomware attacks that tends to slip under the radar. Small and midsize businesses (SMBs) have become bigger financial targets for hackers. As Webroot Senior Threat Researcher Kelvin Murray points out in a recent Hacker Files podcast, the SMB sector has become a cash cow for cybercriminals. According to Murray, there are more SMB targets than criminals have time to target, mostly due to inadequate security among SMBs.
Listen to the full episode of the Hacker Files podcast hosted by Joe Panettieri here.
It’s also become far easier for anyone with malign intentions but lacking coding skills to launch attacks. Murray cites the availability of ransomware kits on the dark web that anyone can download and figure out how to launch. Going by the name Ransomware as a Service, these kits reduce the sophistication required for perpetrators to target SMBs and collect hefty ransom payments.
Business email compromise (BEC) is also on the rise. In BEC attacks the perpetrator, pretending to be a colleague or vendor, contacts you under the pretense of requesting payment or disbursement for a seemingly legitimate business purpose. Businesses easily fall for these scams because, with so many invoices and payments occurring on a daily basis, it’s easy to slip a fake one in.
All of this malicious activity points to the need for a layered approach to cybersecurity. This includes essential security measures like firewalls, endpoint protection and DNS protection. And, since even firewalls can be circumvented, it means keeping backups of all business data so you never have to pay a ransom to get your data back.
Attacks like BEC are less about malware and more about manipulating people. This is why security awareness training with phishing simulations are increasingly important. Murray emphasizes that security awareness training is necessary due to the increasing popularity of remote working. While the corporate office is usually equipped with firewalls, DNS protection, corporate logins and security guards at the front door, now that everybody’s working from home, all of those things are absent. In their place you have faulty routers, dodgy setups, people sharing houses with other people and maybe even sharing PCs.
You can listen to the full Hacker Files podcast hosted by Joe Panettieri here.
With investors currently bullish on Bitcoin, is its high value driving cybercriminals to pursue crypto-generating forms of cybercrime like ransomware and illicit miners?
At time of writing, the value of one Bitcoin is north of $58 thousand. Famously volatile, a crash is widely expected to accompany the current bubble, perhaps before the end of 2021. The reason for this volatility is at least partly attributed to an event known as “the halvening,” where the reward generating supply of the cryptocurrency is cut in half, simultaneously increasing demand.
At the same time, the average cost of a ransomware incident is also rising steeply. A study by Palo Alto Networks charted a growth rate of 171 percent in ransoms paid between 2019 and 2020, with the average cost now over $312 thousand. The steepest ransom doubled between 2015 and 2020, from $15 million to $30 million.
An iron law?
So, is it fair to argue that the two trends positively correlated? When the price of Bitcoin rises we should expect ransomware activity to rise with it? Not necessarily, says threat researcher and cryptocurrency expert Tyler Moffitt.
For one, Moffitt cautions it’s important to keep the relative values of U.S. dollars and the various cryptocurrencies in mind when comparing the cost of ransomware. Demanding $50 million in Monero last month for hacking the Taiwanese PC manufacturer Acer and demanding $10 million in Bitcoin for a hack last year will not have netted cybercriminals the same amount. Patient ones, at least.
“Ransomware actors can always grow their demands based on the value of the U.S. dollar,” says Moffitt. “But they have the added benefit of being able grow profits exponentially by riding the Bitcoin market.”
As could be expected with such a volatile asset, these swings sometimes happen quickly. Like when ransomware actors had Baltimore’s public schools between a rock and hard place with WannaCry. The price of Bitcoin had crashed in 2018, but as the ransom demand was on the desk of the city the price surged, sending the total value of the ransom up with it.
In a sense, it’s the volatility of Bitcoin that undermines any direct, positive relationship with ransomware rates. While it’s tempting to see today’s sky-high price and assume cybercriminals would rush to get their slice of that pie, they too know how markets work. It’s possible a ransom of Bitcoin this year could be worth far less next year. For ransomware actors, it’s better to ride out the market, treating their Bitcoin stash like a cybercrime savings plan for aging hackers.
“A lot of ransomware actors aren’t turning their Bitcoin into cash as soon as they get it,” says Moffitt. “Many of them live cheaply on the hope that the $200 million they made in their cybercrime careers will one day net them billions.”
A more direct relationship
Cryptojacking—the process of secretly hijacking a victim’s computing power to generate cryptocurrency—has a much simpler relationship with the value of various currencies. Because miners only collect their currency after doing the work (redirected CPU in this case), it’s only worth doing when values justify it.
“With cryptojacking, we do actually see an increase or decrease in the number of attacks based on its price. So right now, in a bull year when the price keeps rising, you’re going to earn more when you mine,” says Moffitt.
Browser-based cryptojacking uses scripts injected into the webserver, usually by exploiting an unpatched server or capitalizing on an out-of-date WordPress plugin, etc. Then any browser that visits that webpage will mine cryptocurrency using the viewers browser. This attack skyrocketed from its inception in 2017 into 2018.
A watershed moment in browser-based cryptojacking followed the great crypto-crash of 2018 mentioned above. At least according to their official statement, the drop in mining profitability caused the ostensibly-legitimate mining script company Coinhive to shut down in early 2019.
“The ‘crash’ of the crypto currency market, with the value of [Monero] depreciating over 85% in the last year,” was cited by the company as a reason for closing up shop, though some researchers doubt how much truth there is to that claim.
In reality, Coinhive scripts were used by cybercriminals to mine on unsuspecting users’ devices. Researchers at Cornell University discovered that 99 percent of the sites they found running malicious mining scripts were no longer running them following the shutdown of Coinhive.
Its authors concluded, “It became less attractive not only because Coinhive discontinued their service, but also because it became a less lucrative source of income for website owners. For most of the websites, ads are still more profitable than mining.”
Executable-based cryptojacking is when criminals leverage a breach on a machine, whether through phishing, exploits, RDP, and then drop a payload that on execution will use the machines resources to mine crypto. This attack was around before browser-based scripts and is still alive today. In fact, it’s the tactic seeing the most growth during cryptocurrency bull markets.
Monero, a favored cryptocurrency for miners based on its efficiency using consumer-grade devices, witnessed a rebound during this period. Over the course of 2020 and into 2021, the value rose from around $50 to around $250, perhaps explaining why Webroot found 8.9 million cryptojacking scripts in use in 2020.
In summary, both of these crypto-generating schemes require patience from their perpatraitors. When ransomware actors land a big payment from an extorted business, they may be forced to wait out market forces to maximize their earnings. For cryptojackers, profits trickle in over time. First they must determine whether they’re worth the effort and if they too want to play the long game with their take.