Cyberattacks On Utilities: Is Your Water Supply Next?

Here are the top two things water utilities need to do right now to secure our drinking water supply from cyberattacks.

Nothing seems to be safe from cyberattacks anymore. In 2021 so far, the Colonial Pipeline gas line was hacked, resulting in gas shortages across the southeast. Brenntag, a chemical distribution company, was compromised, with hackers demanding $7.5 million.

Major beef and pork producer JBS USA suffered a cyberattack recently, prompting reported shutdowns at company plants in North America and Australia, but luckily did not result in any food shortages.

The U.S. Department of Energy is working to implement a national cybersecurity strategy and has so far focused its efforts on the nation’s transmission and generation assets, but utility distribution systems are “increasingly at risk” from intrusion and disruption, according to a report from the Government Accountability Office.

Cyberattacks On Utilities: What about our Water Supply?

On April 1, 2021, federal prosecutors announced that they had indicted Wyatt A. Travnichek for hacking into the computer systems of the Post Rock Rural Water District, where he was once employed, and shutting down the cleaning and disinfection processes. And in February of the same year, a yet-to-be-identified intruder hacked into the water treatment plant at Oldsmar, Florida, and briefly increased the amount of lye, a chemical used to regulate acidity in drinking water, from the normal 100 parts per million to a toxic 11,100 ppm.

These and other types of cyberattacks on utilities are likely to become more and more common in the future. So, what are the top two things water utility companies can do to secure their operations?

Make It Clear That Cybersecurity Is Everyone’s Responsibility

In many water utility firms, there is a tendency to assume that cybersecurity is the sole responsibility of the IT department. However, modern computer hacks are not always technical; malicious actors sometimes use a range of social and psychological techniques to trick employees into making security mistakes. For this reason, cybersecurity should be an integral part of the overall workplace culture at all levels. Utilities should make it clear that cybersecurity is everyone’s responsibility, from the cleaner to the chief executive. They should take a ‘verify then trust’ approach: every email, file, and approach by a third party should be viewed as a potential threat until proven otherwise.

Reconfigure Remote Access

It is instructive to note that the attacks described in the previous section were possible, in large part, because the water utilities in question had enabled remote access to their information technology (IT) and operational technology (OT) systems. To prevent such attacks, utilities need to seriously re-examine their remote access policies.

Remote access should be disabled as a matter of routine, advises Jake Brodsky, an industrial control systems (ICS) security engineer with over 30 years of experience in the water industry. Where such access is necessary, as is occasionally the case, the feature should be configured in such a way that it has to be manually enabled by someone who is physically present at the facility. For added security, utilities should set access to time out after a brief duration, utilize multi-factor authentication for remote users, and avoid using one account for multiple employees.

Conclusion

These are the two top things most water utility companies need to do to keep their operations – and our water supply – safe from hackers. What else can these companies do to improve security? Tackle the basics, such as performing asset inventories and assessing risk, as well as the more advanced stuff, such as planning in advance for contingencies. Finally, utilities need to share information with each other and industry stakeholders; there is strength in numbers.

CybriantXDR

We have found that many organizations don’t consider themselves a target for hackers. What we have learned is that it’s not IF but WHEN you will be attacked. CybriantXDR was created with you in mind. This service covers all the basics for a complete cybersecurity strategy including the right people, processes, and technology.

Schedule a demo to learn more. 

3 Advantages of Outsourced Network Monitoring

There are multiple advantages of outsourced network monitoring. No matter your organization’s size, it’s vitally important to protect the data that can be accessed inside and outside of the perimeter.

Ideally, the focus of business management should be its bottom line. The more time businesses spend monitoring their own network infrastructures, the less time they have for managing employees, revamping policies, and researching profit gain strategies.

Aside from time, there is a stress factor that must be considered: business owners or managers who take on the task of monitoring their own network will generally be more stressed, although it’s an avoidable problem. When a business’s income flow depends on the integrity of its computer network, it can count on dividing its time and energy between profit gain and maintenance of the computers.

Outsourced proactive monitoring is a trend utilized by several businesses to mitigate this problem. Besides saving time and stress, there are other important facets of computer networks that benefit from the outsourcing of proactive monitoring.

Quality Of Service

This refers to the status of network data flow: whether data is transmitting efficiently or not. Optimizing the flow of network data can add up to an abundance of saved time.

Assuming there is already an efficient setup of the physical network, the software built into the network routers, switches, and computers must be configured to allow for the optimization of apps and programs most relevant to a company’s activities.

Fluctuations of data flow within a company’s internal network can be detected and confidently compensated for remotely by trained technicians.

Monitoring Malicious Activity

Businesses using computer networks cannot get around the necessity of efficient security. With the monetization of stolen data on the Deep Web and the glamour pushed by the film industry and hacker culture of successfully hacking computer systems, it’s more important than ever to mitigate risk.

Mitigating security risks inherent in computers and networks is not only about installing antivirus software and setting up push alerts, however; it also includes the proper configuration of routers and switches and can involve a revamp of the actual physical network setup.

Whatever the case, once the fundamental security measures are configured, remote monitoring of certain metrics can begin and businesses can rest assured knowing they are under professional care. Monitoring in a proactive sense can also include memos pushed by the professionals so that employees are familiar with trending or up-and-coming security threats.

Controlled Software Updates

Updating software installed on computer systems goes hand-in-hand with security and quality of service. It is also a task that can be done remotely and should be done proactively. Software is revamped continually by its manufacturers after glitches are found in the original releases.

Security loopholes are also discovered which the manufacturer will create patches for. These software updates are made available on manufacturer websites or can be configured for automated installation within the programs they are made for.

However, timing the installation of these updates is critical. Updates generally consume much of the bandwidth (available data speed) of the company’s internet and internal network. Installation should be prioritized in accordance with the interests of the company while weighing the risks of installing versus not installing. In general, it is a good idea to install updates, but updates have been known to bring entire networks down and out of service due to unforeseen glitches in them.

Perhaps manufacturers did not thoroughly test the updates, or another technical anomaly occurred. Whatever the case, service technicians trained in proactive monitoring will take on the task of weighing the risks and installing in a manner where there is minimal if any negative consequence.

Conclusion

The benefits of outsourced management of computers and networks are bountiful. Not only does it close the knowledge gap so that businesses know they are receiving proper care, but it lowers business management stress to a tolerable level. Furthermore, when data residing on business computers is mission-critical, managed IT service providers even have methods and resources for preservation thereof. There is much to be gained.

CybriantXDR

The number one way to mitigate the damage from any attack on your environment is to prevent it from happening in the first place.

It’s vital to protect your organization from all points of entry and ensure your organization has visibility of all the points of entry that are being accessed by authorized personnel.

CybriantXDR combines the latest technology utilizing machine learning and artificial intelligence with experienced oversight to identify and terminate malicious software before it can execute.

Learn More at cybriant.com/cybriant-xdr


What is a Right-to-Left Override Attack?

The right-to-left override attack may look unassuming, but it is incredibly malicious. Most people have heard about phishing attacks, but they think that opening a file with the “.txt” extension is harmless.

What is a Right-to-Left Override Attack?

A right-to-left override (RTLO) attack takes advantage of user trust in text files by manipulating how a file name is displayed, so that an “.exe” executable appears to carry a “.txt” extension. An RTLO attack is a sophisticated phishing method that tricks users into thinking they are opening a harmless text file when they are actually opening a malicious executable. It’s one of many ways ransomware authors get their malware installed on corporate computers.

The Right-to-Left Unicode Character

English speakers read left to right, but languages such as Arabic and Hebrew are read from right to left. Operating systems such as Windows must support global languages, including Arabic and Hebrew. By default, the operating system displays characters from left to right, but a special Unicode character tells the operating system to display characters from right to left when necessary.

The Unicode character to flip text right to left is represented as [U+202e] in writing, but it can be copied and pasted from the Windows character map. Type “character map” in the Windows 10 search textbox to open it. Check “Advanced View” and type “202e” in the “Go to Unicode” textbox. You can then click “Copy” to copy the character to the clipboard where you can paste it to a document. It’s a non-displayable character, so you won’t see anything when you paste it to a file.

The easiest way to demonstrate the right-to-left Unicode character is to create a file name similar to the following:

mytextfile.txt

Now, change the name of the file and add the Unicode right-to-left character in the file name, like the following:

mytext[U+202e]file.txt

Note that you can copy the character from the Windows character map to ensure that it’s entered properly. Next, open the file properties by right-clicking the file and selecting “Properties” from the context menu. In this window, the file name will now display as:

mytexttxt.elif

Notice that every character displayed after the Unicode character appears in reverse order. It’s this operating system feature that can be used in phishing attacks to trick email systems into allowing executables to pass to a targeted user’s inbox and to trick users into executing malware on their systems.

How Right-to-Left Override Attacks Work with Phishing

Email is one of the most popular attack vectors for threat actors. Many of the biggest data breaches start with a phishing email. Phishing emails can be used to trick users into divulging sensitive data such as authentication credentials, or they can be used to trick users into executing malicious software. An RTLO attack works with the latter of these two types.

The problem for attackers is getting past email cybersecurity. Most email clients and recipient servers block executable files. Some will even block zip files, but business email requires passing zip files to send multiple files in one attachment between employees and customers. Cybersecurity scanners have a hard time scanning zip files, and they can’t scan zip files protected behind a password. Attackers using RTLO leverage zip archives and occasionally password protect them. The password is sent in the email message to get it to the targeted victim so that the file can be opened.

Several executable files are used in malware attacks. A few file types include:

  • .exe
  • .bat
  • .cmd
  • .vbs
  • .ps1 (PowerShell)
  • .com

Most users know that a .txt file is harmless, so attackers use the text file extension to make users think that malicious files are harmless. Since the right-to-left Unicode character has no visible glyph, users do not realize that the file is really an executable and not a harmless text file.

Look at the file name below:

mytextexe.txt

It looks like a harmless text file, but now add the Unicode right-to-left character:

mytext[U+202e]exe.txt

The user does not see the Unicode character, because it is invisible, but the operating system will honor it. When the user double-clicks the file to open it, the file name translates to:

mytexttxt.exe

The executable file runs, and any malware located in its code will run on the computer. If the file is a script, the script will run and execute commands, which could be anything from opening web pages to downloading malicious files from the internet. In some attack scenarios, malware such as ransomware is downloaded from the internet using scripts to avoid detection from email anti-malware systems.

Attackers take the malware executable file and zip it in an archive, which will then bypass email filters. Users open the zip archive, and then see a harmless text file, double-click it, and the payload is then delivered to the user’s desktop. In many attacks, Microsoft Office documents with malicious macros are used to download ransomware and install it on the user’s device.

Stopping RTLO Attacks

Many email clients will block RTLO attacks, but zip files with malicious executables slip through. Anti-malware software will also catch RTLO attacks, but users should be trained to look at file extensions and avoid opening files from strangers. However, Windows hides file extensions by default. Windows can be configured to show file extensions, which helps fight RTLO attacks.

Attackers can assign any icon they please to a file, so icons should not be used to determine file contents. To display file extensions in Windows Explorer, type “folder options” in the Windows 10 search textbox to open the configuration window. In the Advanced Settings section, uncheck the option “Hide extensions for known file types” and click “OK.” This setting takes effect immediately, and the file extension will show for all files in Explorer. You can test it by opening any folder and viewing the files.

To help safeguard systems from malware, always keep antivirus and anti-malware software updated with the latest patches and signatures. Should a user get tricked into opening the file, anti-malware software will catch many of the common malicious executables that pose a threat to business cybersecurity and data protection.

RTLO attacks are not common and not well known, so it’s important that system administrators take the necessary precautions to protect user devices. Configure Windows to show file extensions, and use email security controls to block files with executable extensions and malicious content.
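The post describes the override by hand; as an added example (not code from the original post), the script below automates the defender’s side of that check for a list of attachment names. It determines the real extension from the stored name, approximates what the user will see once the U+202E override is rendered, and flags any name carrying a bidi control or one of the executable extensions listed above. The attachment names are constructed for this example, and the rendering function assumes plain ASCII text with a single override (the full Unicode bidi algorithm handles more cases than that).

```python
import unicodedata

# Executable extensions named in the post.
EXECUTABLE_EXTENSIONS = {"exe", "bat", "cmd", "vbs", "ps1", "com"}

# Unicode bidirectional formatting controls. U+202E (RIGHT-TO-LEFT OVERRIDE)
# is the one described in the post; its relatives are flagged as well,
# since none of them belong in an attachment name.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
RLO = "\u202e"

# Constructed sample attachment names (not real samples).
SAMPLE_ATTACHMENTS = [
    "quarterly_report.txt",     # benign text file
    "setup.exe",                # plain executable, no trickery
    "mytext\u202etxt.exe",      # shows as mytextexe.txt, really .exe
    "mytext\u202eexe.txt",      # the post's example: shows as mytexttxt.exe
    "readme\u202etxt.cmd",      # shows as readmedmc.txt, really .cmd
]


def bidi_controls_in(name):
    """Unicode names of every bidi control present, in order of appearance."""
    return [unicodedata.name(ch) for ch in name if ch in BIDI_CONTROLS]


def strip_controls(text):
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def stored_extension(name):
    """Extension the OS actually uses: text after the last dot of the stored
    name (bidi controls dropped, lower-cased)."""
    _, dot, ext = strip_controls(name).rpartition(".")
    return ext.lower() if dot else ""


def displayed_name(name):
    """Approximate what a user sees: everything after the first U+202E is
    drawn reversed. Assumes ASCII text and a single override."""
    head, rlo, tail = name.partition(RLO)
    if not rlo:
        return strip_controls(name)
    return head + strip_controls(tail)[::-1]


def inspect_filename(name):
    """Compare the stored name with its rendered form and decide a verdict."""
    controls = bidi_controls_in(name)
    ext = stored_extension(name)
    shown = displayed_name(name)
    reasons = []
    if controls:
        reasons.append("bidi control in file name: " + ", ".join(controls))
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension ." + ext)
    return {
        "stored_name": name,
        "displayed_name": shown,
        "stored_extension": ext,
        "displayed_extension": stored_extension(shown),
        "bidi_controls": controls,
        "verdict": "block" if reasons else "allow",
        "reasons": reasons,
    }


def scan_attachments(names):
    """Return the findings for every attachment that should be blocked."""
    return [r for r in (inspect_filename(n) for n in names) if r["verdict"] == "block"]


if __name__ == "__main__":
    for finding in scan_attachments(SAMPLE_ATTACHMENTS):
        print(
            f"{finding['verdict'].upper()}: displayed as {finding['displayed_name']!r}, "
            f"real extension .{finding['stored_extension']} ({'; '.join(finding['reasons'])})"
        )
```

The verdict deliberately keys off the stored name rather than the displayed one: a mail gateway or endpoint tool sees the bytes on disk, so checking the extension there is what defeats the disguise, while the rendered name is reported only so an analyst can see what the recipient would have been shown.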

Easy Comprehensive Security

CybriantXDR gives you full visibility across your entire organization. The number one way to mitigate the damage from any attack on your environment is to prevent it from happening in the first place. With CybriantXDR, our 24/7 team of security analysts will help you prevent, detect, and remediate, so issues like right-to-left override attacks never fully execute in the first place.

Learn more at cybriant.com/cybriant-xdr. 

Ransomware Groups Boast About Their Malware

Ransomware groups are becoming more boastful and even advertising for affiliates, according to a recent article. Read more to see which groups are more active and how to defend your organization.

As evidence of the worsening ransomware epidemic, cybercriminals are now brazenly boasting about how well their malware performs as it encrypts their victims’ data. They’re doing so in an attempt to recruit hacker affiliates to grow their illicit operations.

According to BleepingComputer.com, two Russian forums previously used by ransomware groups to promote themselves recently banned them from doing so. This forced these bad actors to turn to alternate methods of advertising. So far, two of these groups have been found to be openly using their own websites for self-promotion and recruitment purposes.

LockBit’s hacker recruitment program

In June of 2021, after their attempts failed to convince the Russian forums to reconsider banning them, the LockBit ransomware group began bragging on their website about the newest version of their encryption malware. They claimed to have significantly increased the speed at which this tool encrypts the files of their victims and, as evidence that they can be trusted, posted results of tests to prove it. LockBit also boasted that its malicious encryption solutions have performed well since 2019.

Openly behaving as if they are a legitimate operation, LockBit, in connection with the release of their new malware version, announced a program to recruit hackers as affiliates. Per BleepingComputer, the group touted the easy-to-use functionality of their encryption tool, letting their potential business associates know that they need only to hack into core servers and let LockBit 2.0 do the rest of the work for them.

To reinforce their position among ransomware gangs and impress the cybercriminals they were attempting to partner with, LockBit also bragged that their encryption algorithm and their StealBit tool, used to abscond with their victims’ files, were the fastest of their kind in the world.

Himalaya: Criminals with a conscience?

Himalaya is another ransomware gang now using its own website to promote its unlawful activities.

It’s an up-and-comer in the ransomware industry, having started operations in 2021 according to the BleepingComputer article.

This group has apparently established some sort of code of ethics, possibly to allow themselves to feel better about their unlawful activities or to position their organization as having a collective conscience in order to enhance their public image. They claim they don’t target non-profits, healthcare providers, or certain public service organizations and that they also prohibit their hacker affiliates from doing so.

In an attempt to recruit new hacker partners, Himalaya offers a generous 70% commission to those willing to join their affiliate network. Himalaya claims that their malware is “fully undetectable” and comes pre-configured for easy deployment.

Could this be a trend?

Many of the larger ransomware gangs obviously have an online presence but tend to limit things like affiliate recruitment to their own private networks. The actions of Himalaya and LockBit may, however, be indicative of things to come as the ransomware threat continues its trend of explosive growth and criminals are able to successfully evade arrest and prosecution.

Ransomware attackers love to require their victims to pay them using wire transfers and cryptocurrency because the money can be transferred anywhere and the transactions are harder for law enforcement agencies to track. There are often jurisdictional issues as well. If your attackers are in another country, officials in your home country may not be able to bring them to justice.

As more of these gangs form and get away with their attacks, more will likely begin to behave as if they are untouchable and publicly flaunt their criminal activities as Himalaya and LockBit have.

Conclusion: You must defend yourself

The behavior of some perpetrators of ransomware attacks seems to indicate that they aren’t concerned about getting caught. Their recruitment activities are evidence that they are ramping up their unlawful activities. No technical control is 100% effective, and cybercriminals are continually coming up with new ways to defeat them. Ransomware attacks often begin with phishing emails that make it through filters and reach their intended recipients. This being the case, the burden of reducing the number of successful attacks falls primarily upon the shoulders of the potential victims. Organizations must ensure that their employees are trained to recognize the signs of an attack and report potential threats.

CybriantXDR

As a comprehensive threat detection and remediation service, CybriantXDR is an all-in-one cybersecurity service that will fit the needs of many organizations. Not only does this service increase the visibility of potential threats across your organization, but CybriantXDR also has a team of security analysts watching your systems 24/7 and prepared to assist with remediation when a credible threat is detected.

Learn more about CybriantXDR at cybriant.com/cybriant-xdr. 

Recommendation for Best SIEM for Managed SOC

What is the best SIEM for a managed SOC? Security information and event management (SIEM) software gives security professionals in enterprises insight into, and a record of, the activities taking place in their IT environment.

SIEM technology has been around for more than a decade. It started off as a log management discipline but has quickly evolved, and it now combines security information management with security event management.

In this article, we will take a look at managed SOC as well as three SIEMs that are ideal for managed SOC.

What is a Managed SOC?

A SOC as a Service, or managed SOC, is a subscription-based offering that enables organizations to subcontract threat detection as well as incident response. It is built on the notion of moving what would otherwise be an internal security operations center (SOC) to an external cloud-based service.

With a managed SOC, organizations get external cybersecurity experts mandated with monitoring their logs, cloud environments, devices, as well as a network for identified and evolving advanced threats.

As a managed service offering, a managed SOC gives organizations an array of cybersecurity experts who are tasked with monitoring, detecting, and investigating threats throughout the organization’s whole enterprise.

In some cases, remediation of identified threats can be done by the outsourced security team. In other cases, the SOC team works with the internal IT teams to remedy detected threats.

A managed SOC is able to offer 24/7 monitoring without needing organizations to invest significantly in security software, hardware, or any other infrastructure. Instead, organizations are able to get a SOC quickly and start scanning for cyber threats, cost-effectively boosting the organization’s security position.

Why should you use a managed SOC?

Organizations that take their cybersecurity seriously soon realize how much cost and time is required to recruit security experts, negotiate for and buy security software and equipment, install and configure the SOC, and then start working to detect threats.

As such, the obstacles organizations run into when setting up their own SOC are usually the following:

  • They have little internal security and/or SOC expertise: With managed SOC providers, they get experts who are good at directing the security operations of companies from around the world in pretty much every industry.
  • There are not enough funds for capital expenditures: With managed services, the capital expenditure that you’d normally need to set up a SOC is swapped for a monthly operating expense.
  • It takes a long time to set up your own SOC: The time needed to build a SOC team, get infrastructure, and license and deploy the software is eliminated by the managed SOC’s existing operational team.
  • An internal team may not necessarily boost a company’s security posture: Getting a managed SOC affords you cutting-edge threat intelligence, experienced cybersecurity analysts, and advanced security monitoring and response solutions. A company’s security position, whether on-premises or in the cloud, is greatly enhanced once the service is in place.
  • An internal SOC may not be affordable: A subscription to a managed SOC can be more cost-effective than what it costs a company to set up its own SOC. In most cases, the monthly subscription cost is less than the expense of the internal security analysts alone that would need to be hired (without factoring in the cost of setting up the SOC itself).

A managed SOC enables organizations to rest assured that their entire network is constantly under watch for new cyberthreats, for much less than it would cost to do it on their own.

Benefits of a Managed SOC to an organization

Companies that leverage managed SOCs register perks to their threat detection, response, staffing, and cost. These benefits include:

Reduces SOC complexity

The amount of work needed to design, implement, configure, test, direct, maintain, upgrade, and operate an in-house SOC is not something most companies have the expertise or time to do effectively, if at all. By choosing a managed SOC, they simplify the equation, because they pay for an already existing service.

Boosts the speed of deployment

Because you don’t have to build a SOC, the time needed to deploy is reduced significantly. Instead of taking years to get on its feet, a managed SOC will be up and running in your company’s environment in no time.

Immediate expertise

Not every company has the benefit of in-house cybersecurity experts. In fact, not many can afford to hire them. However, with a managed SOC, organizations gain access to a team of cybersecurity experts and analysts who are skilled and experienced at detecting and remediating current cybersecurity threats.

Boosts threat detection and response

Providers of managed SOCs are usually better equipped to provide threat detection and response than their client companies. Leveraging the latest threat intelligence, a team of dedicated security experts, the best security solutions, and automated response, managed SOCs detect and respond to threats faster and more effectively than internal security teams.

Affordable security

The shift from companies paying for every aspect of an in-house SOC to making single payments every month makes the managed SOC an affordable choice. Furthermore, there is the safe assumption that costs will be reduced significantly while maintaining improved levels of security.

Best SIEM for Managed SOC

Here are the recommendations based on Cybriant’s expertise:

AlienVault USM Anywhere (AT&T Cybersecurity)

USM Anywhere is a SIEM solution that focuses mainly on threat response and detection. It uses several supported sensors that have in-built network intrusion detection to gather events and log information. In case support for a needed sensor is not available, subscribers can ask for help from AlienApp collectors.

This SIEM solution brings together threat detection, compliance management, and incident response across environments to make threat management easier for security professionals.

The platform boasts of many crucial automated features, simplifying deployment, and reducing the burden on security teams. It also does away with the need for additional security tools. For example, USM Anywhere is linked directly to the MITRE Database and Open Threat Exchange. This means there’s no need to buy additional threat feed tools.

Pros

  • Is user friendly
  • Offers out-of-the-box content that is easy to implement and use
  • Has a Guided Tour that provides a walk-through
  • Integrates with many different platforms
  • Collects lots of data from every integrated platform as long as the right level of logging is enabled

Cons

  • SIEM implementation may be a little challenging
  • Reports are clunky and a tad tedious to parse through


SECEON

Seceon’s Open Threat Management Platform is directed towards simplifying SIEM deployment, as well as other security programs for all organizations.

Seceon can run fully on-premises, in the cloud, or in a hybrid environment. Once set up, it collects information from various sources. It can also collect its own data and has its own threat feed, which it correlates with events seen on the protected network.

It goes through all the system and log files generated by firewalls, routers, and other communications equipment. It provides collector programs in the form of agents for every Linux or Windows box. The collectors pull system and log files and forward them into a central store of data to be analyzed.

In case an organization wishes to retain the full text of the logs, they can be copied and saved.

Pros

  • It is easy to manage yet has comprehensive solutions
  • Has good customizations with many integrations
  • Is multi-tenant and onboards fast
  • Fully stable
  • Support is good

Cons

  • Needs more compatibility for co-managed solutions


Microsoft Azure Sentinel

Azure Sentinel is Microsoft’s SIEM and security orchestration, automation, and response (SOAR) solution rolled into one.

It draws together state-of-the-art security innovation as well as advanced AI to give you near real-time intelligent security analytics. This in turn gives you a bird’s-eye view of your enterprise’s IT estate.

Sentinel allows you to ingest security-related data from nearly any source. This removes the need to deploy and operate several pieces of sophisticated and costly infrastructure, while providing a cloud platform that scales easily to your needs.

Sentinel leverages AI models and machine learning to surface important insights from data obtained through a diverse catalog of data connectors. This includes default connections to all Microsoft sources, coupled with a number of native third-party connectors such as AWS, Barracuda, Cisco, and Symantec, among others.

Microsoft Sentinel integrates with a diverse range of systems, giving you the option of automating your incident response. This allows you to manage your activities efficiently and effectively.

Pros

  • Easy to set up
  • Works well with other Microsoft tools
  • Fast deployment
  • Doesn’t require you to deploy any infrastructure on-premises in order to manage it

Cons

  • Little online training available
  • Poor integration with third-party tools

Conclusion

No matter which SIEM solution you choose, be sure the managed services provider you work with has in-depth knowledge of that SIEM to be able to help you prevent, detect, and remediate any threats. If you would like specific experience with any of these SIEMs, let us know how we can help. 


New Phishing Records Being Set in 2021

A new report has released the latest phishing records and the industries that are being targeted the most. Read on to learn more.

The Anti-Phishing Working Group (APWG) is an international coalition with a membership that includes over 2,200 private sector cybersecurity firms, government agencies, law enforcement, and other organizations. According to its site at APWG.org, the group is committed to “unifying the global response to cybercrime.” Members include Microsoft, PayPal, AT&T, Comcast, Cisco, Symantec, Agari, and many other industry leaders.

APWG continually conducts research and evaluates the threat landscape, issuing periodic reports detailing the findings. In June of 2021, the group reported that the number of phishing sites its members were able to identify reached a record high of 245,771 in January 2021. The average amount lost in Business Email Compromise wire transfers also hit an all-time high.

Stats from the APWG

According to the APWG, the number of active phishing sites fluctuates from month to month. The number dropped from January’s record high of 245,771 to less than 200,000 the following month but rose above the 200,000 mark again in March. The March number was the fourth-highest total since the APWG began its research efforts. As these numbers indicate, the malicious site count remains high despite these fluctuations.

The group’s research revealed that, in the first quarter of 2021, financial institutions remained the most targeted of industries, accounting for nearly 25% of all phishing attacks. The second most targeted industry group was social media. Cybercriminals attempt to hijack social media user accounts, then sell access to the hacked accounts to online buyers.

The APWG’s research in 2020 and the first quarter of 2021 also revealed some statistics regarding the use of Transport Layer Security (TLS) certificates by phishing sites. In 2020, only about 17% of these sites offered HTTPS connections, indicating that a TLS certificate had been issued. The APWG found that, during the first quarter of 2021, 94.5% of TLS certificates associated with phishing attacks were of the “Domain Validated” (DV) variety. DV certificates only attest that whoever requested the certificate controls the domain name; they say nothing about who that party is. This is the weakest class of TLS certificate, meaning that, even where a phishing site URL begins with HTTPS, the DV certificate it is likely using does not guarantee that the site is trustworthy. It only means that traffic between the visitor and the site is encrypted in transit and would be difficult for a third party to intercept.

Cybercriminals get around email filters by cheaply acquiring new domains from which to send their phishing emails each time the filters begin recognizing and blocking messages from their previously used domains. APWG research revealed that Namecheap continues to be the most popular domain name vendor used by perpetrators of phishing attacks. Of the Business Email Compromise (BEC) phishing attacks identified by APWG during the last quarter of 2020, 32% used domain names issued by Namecheap. By the end of the first quarter of 2021, that percentage had increased to 46.3%.

The APWG also found that, in the first three months of 2021, the average amount of money lost in BEC wire transfers being misdirected to scammers’ accounts reached a record high of $85,000 per transaction. That represents a 44% increase since the third quarter of 2020.

A Trained User Community Is The Last Line of Defense

Because cybercriminals can easily obtain new, valid domain names with TLS certificates, at least temporarily defeating email filters and giving visitors the illusion of a secure connection, training is the best defense against these attacks. Even with the most effective technical controls, some phishing messages will reach their intended recipients, and attacks will succeed unless your users know what to look for.

If you do not currently have a comprehensive training program in place that continually incorporates information about new and changing attack vectors, you may wish to consider contracting with a training provider. There are vendors offering training programs that include simulated phishing campaigns. Many training applications can track user progress and generate reports you can use to measure the program’s effectiveness over time. Some offer Active Directory (AD) integration, automating the enrollment of new users and the removal of departing ones from the program.

Your Cyber Strategy Should be the First Line of Defense

Your first line of defense should be your cybersecurity strategy that involves people, products, and technology. We recommend starting with a security risk assessment that includes a gap analysis.

We have recently launched a service called CybriantXDR, which is a comprehensive threat detection and remediation service. This service includes all the tools necessary for organizations to provide cybersecurity protection around the clock. Contact us today to learn more.


Conclusion

The number of active phishing sites is hovering around record levels. The average amount of money lost per BEC transaction increased by 44% over a nine-month period. Technical controls are never 100% effective, so your user community is your last line of defense. Effectively training your users to recognize and avoid these scams lowers your organization’s overall level of vulnerability and will likely cost significantly less than it would cost to recover from a successful attack.
