The Gately Report: WatchGuard On Decentralized Security, Opportunities for MSPs
Communications giant RR Donnelly got hit with a Conti ransomware attack.
Channel Futures: What are the challenges associated with decentralized security?
WatchGuard’s Stephen Helm: Maintaining a consistent security policy across the broader organization can be difficult without centralizing security, especially for time-strapped IT teams. Signs of an active attack can be lost in the cracks or missed because they weren’t contextualized with events occurring at other security layers.
All this places a significant burden on the IT team, which is expected to manage the security of the business at a time when cybersecurity skills are in short supply globally. Setting these teams up for success requires giving them a platform that empowers IT staff to do more, in less time, with less complexity.
Specialized solutions from multiple vendors limit insights, and oversight is often fragmented. The ability to integrate security layers, a critical requirement for extended detection and response (XDR) and zero-trust networks, is minimal. As a result, threat data can be lost in siloed logs and dashboards, and cross-platform automation is nearly impossible.
CF: Does decentralized security create more vulnerabilities and, therefore, opportunities for cybercriminals? Can you give some examples?
SH: Every year, Verizon releases its Data Security Report that presents an average time to detect at 200-plus days. A third party often discovers the attack before the victim organization. Smaller companies take as much as four times that average to detect these threats. This speaks to the complexity of environments these businesses are expected to protect and the prevalence of security gaps within that environment.
As COVID-19 made work from home (WFH) the norm overnight, VPN and RDP connections became a prime target for hackers trying to exploit poorly protected users connecting from outside the protected network. Without the endpoint informing the network of an active infection, and having that network act to prevent a further connection from that endpoint, these remote channels could essentially let an attacker through the front door.
CF: How can unified security benefit MSPs?
SH: MSPs, like all businesses, struggle to source cybersecurity expertise. Universities and cybersecurity trade organizations simply are not graduating qualified candidates fast enough to fill the demand for entry-level talent and specialists. Recruiting senior cybersecurity staff is worse, with 37% of businesses struggling to fill the role. Simply put, MSPs must find ways of improving the efficiency and efficacy of their security team to ensure growth.
A unified security platform not only helps MSPs reduce their vendor stack, but also empowers their security staff with a single, easy-to-learn interface that provides end-to-end visibility of their environment. Unifying security to a single platform also unlocks the opportunity for a significant amount of cross-platform automation and knowledge sharing.
CF: Is unified security a lucrative opportunity for MSPs?
SH: MSPs with solid security practices are in high demand, with the market for security services expected to grow to $46.4 billion by 2025. Nearly 40% of MSPs believe security will be one of the biggest growth drivers for their business, as their clients consistently identify security as their top challenge.
Competing against fellow MSPs to claim cybersecurity market share requires having the right offering for your clients, a team with the right skills to manage security effectively, and the resources your team needs to support them now and into the future.
In other cybersecurity news, integrated communications giant RR Donnelly has confirmed that threat actors stole data in a December cyberattack.
BleepingComputer confirmed it to be a Conti ransomware attack. RR Donnelly disclosed the attack in a filing with the Securities and Exchange Commission (SEC).
“On Dec. 27, 2021, [the company] announced it had recently identified a systems intrusion in its technical environment,” it said. “The company promptly implemented a series of containment measures to address this situation, including activating its incident response protocols, shutting down its servers and systems, and commencing a forensic investigation. The company has engaged a cybersecurity expert to examine the incident and to oversee the implementation of appropriate remedial actions. The company has notified and is working with appropriate law enforcement authorities. As a precautionary measure, the company has isolated a portion of its technical environment in an effort to contain the intrusion.”
RR Donnelly said it was actively engaged in restoring the affected systems and returning to normal levels of operations.
“At this time, the company is not aware of any compromise of client data,” it said. “The company is in the early stages of its investigation and assessment of the security event, and cannot determine at this time the extent of the material adverse impact, if any, from such event on its business, results of operations or financial condition.”
Tim Erlin is Tripwire's vice president of strategy.
“Ransomware isn’t just about encrypting your data any longer,” he said. “It’s now about exfiltrating your data and holding it hostage. The strategy of taking a copy of data to ransom means that simply having backups from which you can restore isn’t really a sufficient ransomware strategy.”
In most incidents, the initial discovery and report rarely provide a complete picture, Erlin said. The fact is, it takes time for organizations to discover what really happened. Additional information is likely to come out after the initial report.
“As usual, the reporting and the regulatory filing focus on the ransomware and the data, but don’t really explain how the attacker was able to succeed,” he said. “Information about how the attack occurred, the initial vector and subsequent steps, can really help other organizations organize their defensive measures. Successful ransomware attacks aren’t inevitable. Implementing strong security controls can prevent these types of attacks, but more information makes for better defensive decisions.”
Erich Kron is security awareness advocate at KnowBe4.
“Ransomware continues to not only be disruptive to businesses, but is also very threatening to personal information of employees, customers and intellectual property,” he said. “The Conti group is well known for leveraging data theft in order to facilitate the payment of significant ransoms by victim organizations.”
Since ransomware primarily spreads through phishing emails or remote access portals, organizations can lower their risk of infection by ensuring employees are trained to spot and report phishing emails to internal security teams, Kron said. They also should ensure strong security controls are applied to remote access portals. In addition, ensuring accounts used for remote access have multifactor authentication (MFA) can also help lower the risk of intrusion.
SafeBreach researchers used Google’s own VirusTotal to find and retrieve more than 1 million credentials stolen by malware.
VirusTotal is a free service offered by Google that checks suspicious files using dozens of antivirus engines.
Tomar Bar is SafeBreach's director of security research. In a blog post, he explains how the researchers obtained the credentials using VirusTotal together with other malware services and hacker forums.
“After obtaining a VirusTotal license, we began by classifying the exfiltrated file names used by common malicious info stealers,” he said. “Next, we used different VirusTotal APIs, including search, VT Graph and Retrohunt, to search for those file names. The results were huge.”
In just a few days, SafeBreach researchers collected more than 1 million credentials, Bar said. They also discovered a market that publishes a small amount of victims’ data for free as a teaser, with an additional site and Telegram channel that offers larger amounts of victims’ exfiltrated data for sale.
Nasser Fattah is Shared Assessments' North America steering committee chair.
"I know that VirusTotal does screening before granting access to files and data hosted by the service," he said. "But due to the plethora of available sensitive data, inadvertently or advertently, VirusTotal needs to look at ways to either permanently delete, deidentify or minimally protect credentials and other sensitive information it retains. I know this is a challenge because VirusTotal is designed to be a low-touch service and the need to keep files intact for forensics purposes."
Identity theft and account takeover could result from the theft of those credentials, Fattah said. Both are on the rise and are designed to defraud businesses and consumers.
“Any site that has a trove of sensitive data and a one-stop shop is an attractive target,” he said.
Fashion retailer Moncler has confirmed a data breach after a recent ransomware attack.
This week, Moncler confirmed to Bleeping Computer that some data related to its employees, former employees, suppliers, consultants, business partners and customers was leaked by the AlphaV (BlackCat) ransomware operation. The ransomware gang also demanded $3 million not to publish the data.
The company issued the following statement:
"Moncler recently detected an extremely sophisticated malware attack on its IT systems. The breach is not related to tools and payment methods, given that those are not stored in our systems. However, some personal and business data might have been accessed. We are working closely with authorities and have taken further security measures to mitigate the impact."
Trevor Morgan is product manager with data security provider comforte AG.
“The trend toward an increasing number of ransomware attacks against high-profile targets in 2022 seems to be moving in the direction that many of us suspected,” he said. “With news that the Italian luxury fashion giant Moncler sustained an attack late last year resulting in stolen files hitting the dark web this week, we can see the organizational characteristics which appeal to threat actors. If your business collects lots of sensitive data about employees, partners or customers, then you are sitting on a gold mine, or oil well, just choose your analogy, that they want to infiltrate. Sure, they want that sensitive information, with which they can do any number of things. But if they can also disrupt business operations with ransomware or other extortion tricks, they multiply their chances of a successful attack.”
If a business is data dependent, it needs to assume it, too, is a target and it’s just a matter of time before somebody internal or external gets their hands on it, Morgan said.
“Squirreling sensitive data away behind protected perimeters won’t cut it anymore as a defensive measure,” he said. “Only robust data-centric security, such as tokenization or format-preserving encryption applied directly to sensitive data elements, can help mitigate the situation if the wrong hands get ahold of your data. These methods obfuscate sensitive information while still preserving the original data format, which means business applications have a better chance of working with that data in a protected state.”
The latest omicron variant has led to another spike in COVID-19 cases as well as phishing attacks. That’s according to Barracuda’s latest threat spotlight.
As demand for COVID-19 tests increased in recent weeks, the number of scams exploiting the scarcity of tests also went up. Barracuda researchers have seen an increase in COVID-19 test-related phishing attacks over the past couple of months. Between October and January, the number of COVID-19 test-related scams increased by 521%. The daily average peaked in early January, declining recently before starting to trend upward again.
Cybercriminals are taking advantage of the heightened focus on COVID-19 testing and the ongoing scarcity of tests to launch phishing attacks. Scammers are using different tactics to get the attention of their victims.
Some of the most common scams included:
Offers to sell COVID-19 tests and other medical supplies such as masks or gloves. Some of these scams are selling counterfeit or otherwise unauthorized products.
Fake unpaid notifications for COVID-19 test orders. Scammers provide a PayPal account to send payments to complete purchases of rapid tests, counting on the desperation of their victims.
Impersonation of either labs, testing providers or individual employees sharing fake COVID-19 test results.
Olesia Klevchuk is principal product marketing manager at Barracuda. She said to keep COVID-19 phishing scams from succeeding, MSPs can take advantage of artificial intelligence (AI), deploy account-takeover protection, train staffers to recognize and report attacks, and set up strong internal policies to prevent fraud.
“Hackers will continue to use this theme in the future as long as the pandemic dominates headlines,” she said. “They use the latest and most top-of-mind topics. Spring 2020 it was COVID-19 and remote working. Winter 2021 there was an uptick in vaccine-related attacks. Now it’s COVID-19 tests as demand is so high. With the U.S. government launching [its] free-tests program, I won’t be surprised to see some impersonation attacks urging victims to register for free tests on the fake phishing sites. It’s worth noting that [the] absolute volume of these attacks remains low. But that’s what contributes to their success. They are targeted, play on fear and sense of urgency, while relying on information that is top of mind for many. All of these are perfect characteristics of a social engineering attack.”
A new report by Hornetsecurity shows a surprising percentage of all incoming emails now pose a potential threat.
As the primary means of communication for business, email is one of the main gateways for cybercrime and remains a prime attack vector. Threat researchers at Hornetsecurity found that 40% of all inbound emails during the research period posed a potential threat. This includes spam, phishing emails, and advanced threats such as CEO fraud and any type of malware.
Phishing, malicious links and ransomware are among the most popular attack tactics used by hackers. Furthermore, brand impersonation is especially popular. Cybercriminals copy a company's corporate design and mimic the sender address in such a way that it can hardly be distinguished from the original, genuine email address. The main aim is to obtain the user's access data or to spread malware via hidden links.
At 16.5%, Deutsche Post and DHL are among the top five most frequently imitated brands.
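To show the kind of check a mail filter runs for the brand-impersonation pattern Hornetsecurity describes, here is an added example (not Hornetsecurity's code): it flags senders whose display name claims a protected brand while mailing from an unrelated domain, and sender domains that are digit-for-letter lookalikes of a brand's domain. The brand list, legitimate domains and sample From headers are constructed for the example.

```python
import email.utils

# Constructed brand-to-domain allowlist; a real filter would maintain its own.
PROTECTED_BRANDS = {
    "dhl": {"dhl.com", "dhl.de"},
    "deutsche post": {"deutschepost.de"},
}

# Common substitutions used to make a domain look like the genuine one.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain):
    """Fold digit-for-letter swaps and 'rn' (which renders like 'm')."""
    return domain.lower().translate(_HOMOGLYPHS).replace("rn", "m")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, legit):
    """True when domain visually resembles legit without being legit."""
    if domain == legit:
        return False
    d, l = normalize_domain(domain), normalize_domain(legit)
    return d == l or edit_distance(d, l) <= 1


def registrable(domain):
    # Crude: keep the last two labels (sufficient for the sample domains).
    return ".".join(domain.lower().split(".")[-2:])


def check_sender(from_header):
    """Return a list of findings for one From: header (empty means clean)."""
    name, addr = email.utils.parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    base = registrable(domain)
    findings = []
    for brand, legit_domains in PROTECTED_BRANDS.items():
        if base in legit_domains:
            continue  # genuine brand mail, nothing to flag for this brand
        if brand in name.lower():
            findings.append(f"display name claims '{brand}' but sender domain is {domain}")
        for legit in legit_domains:
            if is_lookalike(base, legit):
                findings.append(f"sender domain {domain} resembles {legit}")
    return findings


# Constructed sample headers exercising each case.
SAMPLE_FROM_HEADERS = [
    '"DHL Express" <noreply@dhl.com>',                    # legitimate
    '"DHL Paket Service" <tracking@dhl-paket-info.com>',  # brand name, foreign domain
    '"Kundenservice" <info@dh1.com>',                     # homoglyph lookalike
    '"Alice" <alice@example.org>',                        # unrelated sender
]
```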
Ransom leaks are now widely known. These attacks are an extension of ransomware campaigns. In ransom leak attacks, sensitive data is first copied and then encrypted. If the targeted victim refuses to pay ransom for decryption, the cybercriminals threaten to publish the copied data on their so-called leak websites.
About 140 files have been published on REvil’s ransomware leak website so far, with new ones being added almost daily, according to Hornetsecurity. Despite this large volume, REvil is only in fifth place among the leak websites with the most published data from ransomware victims.
Daniel Hofmann is Hornetsecurity’s CEO.
“The role of MSSPs and cybersecurity professionals includes that of educator as well as solution provider, helping customers preempt and protect against security breaches and risks,” he said. “All too often, such advice falls on deaf ears, with the experts only being called in to fix things after an attack. Having an up-to-date, accessible cyber threat report to share with their customers could help mitigate this, serving as a valuable conversation starter with current or prospective clients.”
The report shows companies are increasingly recognizing the potential scale of the consequences a cyberattack could have, and of the growing risk of falling victim to one, Hofmann said.
“As a result, they are taking steps to combat this threat, as reflected in the increasing investment in IT security,” he said. “In 2020, global cybersecurity spending totalled approximately $133.8 billion. For 2021, expenditures are estimated at around $150 billion.”
Businesses are inundated with a variety of cyberattacks that target a range of infrastructure and services, and decentralized security is increasing risk.
That’s according to WatchGuard Technologies. Decentralized security solutions are hampering both the efficiency and productivity of business operations. This is creating new opportunities for MSPs to deliver unified security to help alleviate these challenges.
Stephen Helm is WatchGuard's senior product marketing manager. We spoke with him about the challenges of decentralized security and what it means for MSPs to deliver unified security.
In a Q&A, Helm outlines the challenges and opportunities associated with decentralized security.
Channel Futures: What creates decentralized security?
Stephen Helm: Security decentralization is a common challenge for businesses. That’s being driven by the fact that IT teams have to contend with departments that have license to acquire tools and technologies they feel are needed to accelerate the business. This business-first mentality is not a surprise, but it has created a reactionary approach to building cybersecurity defenses and policy for far too long.
For businesses with the means, security information and event management (SIEM) tools have offered an effective, albeit expensive solution to centralizing security monitoring. But policy dissemination and control often fall out of the scope of those solutions. And for smaller IT teams and organizations, they’re way too complex.