Activity Summary - Week Ending on 21 September 2023:

  • Red Sky Alliance identified 561 connections from ‘new’ IPs checking in with our Sinkholes
  • Vimpelcom hit
  • 53 ‘new’ Botnet hits
  • Digital Transformation
  • Exposure Management
  • ASM
  • US Casinos being Attacked
  • Top Forms of Cyber Attacks

Red Sky Alliance Compromised (C2) IPs

95.25.208.16 was found once in Red Sky collection.  ISP: PJSC Vimpelcom;  Usage Type: Unknown;  Hostname(s): 95-25-208-16.broadband.corbina.ru;  Domain Name: vimpelcom.com;  Country:

Red Sky Alliance Compromised (C2) IPs

IP               Contacts
95.25.208.16     1
85.174.204.65    1
85.174.202.145   1
5.138.133.96     1
45.151.233.145   1

On 20 September 2023, Red Sky Alliance identified 561 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

Malware Variant   Times Seen
sality            494
corkow            59
wekby             2
koobface          2
wcry_ransom       1

Top 5 malware variants and number of contacts.  Sality and Corkow have consistently remained the top variants; Wekby follows.

For a full blacklist, contact analysts: info@redskyalliance.com

Red Sky Alliance Botnet Tracker

Red Sky Alliance Malware Activity   

On 20 September 2023, analysts identified 53 new IP addresses participating in various botnets (call for full .csv blacklists; below is only a small sampling of botnet trackers).  We are currently upgrading this collection.

First Seen            Botnet Attribution     Infected Host’s IPv4 Address
2023-09-17T16:30:21   HTTP proxy|port: 80    8.219.64.44
2023-09-17T16:30:19   HTTP proxy|port: 80    8.219.73.188
2023-09-17T16:30:14   HTTP proxy|port: 80    8.219.107.199
2023-09-15T20:00:14   HTTP proxy|port: 80    8.219.110.88
2023-09-17T18:10:49   HTTP proxy|port: 80    8.219.115.239

Keylogger IOCs available upon request. 
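As an added example (not part of the Red Sky Alliance post or its tooling), the Python below parses tracker records in the column layout shown above, where the attribution field embeds the service and port, and checks constructed firewall log lines against both the C2 list and the tracked proxy hosts. The CSV column order and the key=value log format are assumptions; the indicator values are the ones printed in the tables above.

```python
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address

# Indicator values are copied from the tables on this page. The CSV layout
# (first_seen,attribution,ip) is an assumption: the page shows the column
# names, not the feed's actual file format.
BOTNET_TRACKER_CSV = """\
first_seen,attribution,ip
2023-09-17T16:30:21,HTTP proxy|port: 80,8.219.64.44
2023-09-17T16:30:19,HTTP proxy|port: 80,8.219.73.188
2023-09-17T16:30:14,HTTP proxy|port: 80,8.219.107.199
2023-09-15T20:00:14,HTTP proxy|port: 80,8.219.110.88
2023-09-17T18:10:49,HTTP proxy|port: 80,8.219.115.239
"""

# Addresses from the "Compromised (C2) IPs" table on this page.
C2_IPS = {"95.25.208.16", "85.174.204.65", "85.174.202.145",
          "5.138.133.96", "45.151.233.145"}

# The attribution column embeds the service and port as "<service>|port: <n>".
ATTRIBUTION_RE = re.compile(r"^(?P<service>[^|]+)\|port:\s*(?P<port>\d{1,5})$")


@dataclass(frozen=True)
class TrackerEntry:
    first_seen: str
    service: str
    port: int
    ip: str


def parse_tracker(text: str) -> list[TrackerEntry]:
    """Parse tracker rows. The attribution value itself contains a '|', so it
    is taken apart with a regex instead of a second delimiter split."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        m = ATTRIBUTION_RE.match(row["attribution"].strip())
        if not m:
            raise ValueError(f"unrecognised attribution: {row['attribution']!r}")
        ip_address(row["ip"])  # rejects malformed addresses early
        entries.append(TrackerEntry(row["first_seen"], m["service"].strip(),
                                    int(m["port"]), row["ip"]))
    return entries


# Constructed key=value firewall log lines (not from the page); the benign
# destination uses a documentation range.
FIREWALL_LOG = """\
2023-09-20T08:14:03 fw01 action=allow src=10.0.0.12 dst=95.25.208.16 dport=443 proto=tcp
2023-09-20T08:14:09 fw01 action=allow src=10.0.0.12 dst=198.51.100.7 dport=443 proto=tcp
2023-09-20T08:15:41 fw01 action=allow src=10.0.0.31 dst=8.219.73.188 dport=80 proto=tcp
2023-09-20T08:15:42 fw01 action=allow src=10.0.0.31 dst=8.219.73.188 dport=8080 proto=tcp
2023-09-20T08:16:00 fw01 action=deny src=10.0.0.44 dst=5.138.133.96 dport=8080 proto=tcp
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) "
                    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def match_logs(log_text: str, c2_ips: set[str], tracker: list[TrackerEntry]):
    """Return (findings, contacts). findings holds one tuple
    (timestamp, src, dst, reason, action) per flagged line; contacts counts
    attempts per indicator, like the 'Contacts' column in the page's table."""
    by_ip = {e.ip: e for e in tracker}
    findings, contacts = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if dst in c2_ips:
            # A denied attempt still means the source host tried to beacon,
            # so blocked traffic is reported as well.
            findings.append((m["ts"], m["src"], dst, "c2_contact", m["action"]))
            contacts[dst] += 1
        elif dst in by_ip and by_ip[dst].port == dport:
            # Only the tracked service port is flagged; other ports on the
            # same host are a weaker signal and are left for analyst review.
            reason = f"{by_ip[dst].service} port {dport}"
            findings.append((m["ts"], m["src"], dst, reason, m["action"]))
            contacts[dst] += 1
    return findings, contacts


if __name__ == "__main__":
    hits, counts = match_logs(FIREWALL_LOG, C2_IPS, parse_tracker(BOTNET_TRACKER_CSV))
    for hit in hits:
        print(*hit)
    print(dict(counts))
```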

MALICIOUS CYBER TRENDS:

Digital Transformation - Attack surface management is evolving to support continuous threat exposure management solutions as many capabilities are being acquired and consolidated. This research highlights the evolutionary phases, technologies and services that product leaders must understand to gain a competitive advantage.[1]

Overview & Key Findings:

  • Attack surface management (ASM) evolution is following three main paths:
      • Enhancing threat intelligence (TI) capabilities by correlating discovered exposures with TI
      • Combining vulnerability assessment (VA) and external attack surface management (EASM) to have more targeted and prioritized vulnerability management capabilities
      • Converging EASM and security validation tools that support red team and blue team (and/or purple team) activities
  • New requirements associated with expanding attack surfaces are driving demand for emerging technologies that identify and help prioritize threat exposures across internal and external environments.
  • Current buyer attitudes and vendor strategies are pushing for product consolidation across different market segments.
  • Market dynamics are putting more pressure on stand-alone vendors to acquire new capabilities or seek technological partnerships that can enhance and expand the scope of their solution offerings.

Recommendations / ASM product leaders should:

  • Embrace opportunities to include features from adjacent markets to align with buyers’ desire to build exposure management (EM) programs and support solution consolidation trends.
  • Cover emerging attack surfaces and support more use cases for an overall broader ASM strategy by expanding your product and service solution offering capabilities.
  • Implement a broader-scope ASM strategy, one that supports client requirements for actionable remediation capabilities, by partnering with managed security service providers (MSSPs) and consulting service providers.

Analysis / Overview:  Demand for a more comprehensive and integrated approach to identifying threats and exposures will drive the convergence of existing security offerings into a more closely integrated set of solutions.  This will be influenced by the need to have a view of risks where EASM is acquired to support activities related to TI, VA, and breach and attack simulation (BAS).  ASM is expected to evolve to more closely support EM programs. EM is a set of processes and capabilities that allow enterprises to continually and consistently evaluate the accessibility, exposure and exploitability of an enterprise’s digital and physical assets.

This is driving market consolidation.  Vendors from disparate areas (e.g., TI, digital risk protection services [DRPS], EASM, VA, cyber asset attack surface management [CAASM], BAS and automated penetration testing) are expanding their portfolio by adding capabilities through acquisitions, building out natively or establishing new partnerships.  This consolidation is particularly noticeable because of the involvement of large players, which will drive further the establishment of platform solutions.  A sample list of large players adding ASM capabilities includes CrowdStrike, Fortinet, IBM, Palo Alto Networks, Qualys, Rapid7, Recorded Future and Tenable.

A variety of factors are behind this expected market evolution:  Demand for TI services (with an expected growth of 17.5% in 2023) that deliver actionable value has been a catalyst for evolution.  These services can act as a single source of technical input, as well as more closely support security operations and better counter emerging business risks.  Here, identification of exposures and the correlation of discovered vulnerabilities to the likelihood of them being exploited by threat actors is becoming a key capability.

Digital transformation initiatives have been instrumental in the expansion of enterprises’ attack surface, which is increasingly exposing them to threat actors’ activities. Security weaknesses, cloud computing, mobile and remote workers, and increasingly integrated third-party infrastructures are among key factors driving the need for better visibility and continuous monitoring of externally exposed vulnerabilities.  Increased complexity in security is challenging security practitioners to decide where to focus their efforts.  The volume of threats and the disruption they cause will drive interest toward security solutions that help identify and prioritize the most-critical risks and exposures.  This can be done through the utilization of processes and tools that mirror threat actors’ surveillance activities, and then assessing and prioritizing based on the criticality of such exposures and test resiliency and preparedness.

Today, threat and exposure management is conducted as part of separate activities and tools:

  • ASM, which involves processes and tools (such as EASM) aimed at discovering enterprise assets and the exposures they may present.
  • VA, which is typically carried out to discover and enumerate the risks posed by known enterprise assets.
  • TI-related processes and tools aimed at discovering and making available knowledge, information and data about cybersecurity threats, campaigns and threat actors, as well as information and alerts on risks to digital assets such as domains and credentials.
  • Security control validation, which assesses enterprise infrastructure readiness to counter cyberattacks with activities such as checking availability and proper configuration of controls and performing security control validation.  Tools that support some of these activities include BAS (primarily supporting overall validation and readiness) and CAASM and cloud security posture management (supporting control validation for internal systems and cloud environments, respectively).
  • Posture management tools aimed at testing security teams’ operational efficiency through the concept of cybersecurity validation, which combines EASM, VA, TI and offensive tools.

The market will evolve into a more centralized ASM approach (which eventually will support EM processes).  But it’s currently made up of distinct solutions that will evolve, in the next five to eight years, across three distinct phases as illustrated in Figure 1.  As a result, the focus and priorities among product leaders must adapt to meet changing customer demands from phase to phase.  Looking across the ASM evolution spectrum, product leaders will face many pivotal decisions that are unique to each market phase.

Examples include:

  • Redefining product offerings and additional premium services in response to shifting market boundaries driven by overlapping/shared features and functionality
  • The increasing importance of digital security marketplaces, such as Amazon Web Services (AWS) Marketplace, Microsoft Azure Marketplace and Google Cloud Marketplace
  • Reviewing role and persona sales strategies as use cases and requirements evolve along with phases

This research will provide product leaders detailed analysis of the key phases associated with emerging technologies and trends for ASM, along with a discussion of the opportunities presented across this emerging market through 2028.

Evolution Spectrum:  Looking toward 2028, the ASM technology markets will evolve through three distinct phases: siloed, advanced and mature ASM (see Figure 1).  Each of these phases will be defined by distinctive influences across technology, market and product/service characteristics.

At a high level, these phases are:

  • Siloed: In this phase, the use of ASM is focused mostly on providing added visibility of assets through native discovery and some level of prioritization of the vulnerabilities/issues associated with these assets. The application of ASM is siloed and more technical in nature.
  • Advanced: In this phase, ASM is incorporated into continuous threat and exposure management programs. There are enterprisewide applications, benefiting multiple functions (e.g., security operations centers [SOCs], infrastructure and operations, and governance, risk and compliance [GRC]).
  • Mature: In this phase, ASM is more closely integrated to inform cybersecurity validation. There is also more support for remediation through increased integrations. However, the applications are still more technical in nature.

Figure 1: Evolution Spectrum for ASM

Phase 1 (Siloed): Stand-Alone ASM.  This phase of ASM focuses on supporting enterprises in identifying exposures arising from an expanding attack surface.  As pointed out in other Gartner research (see Emerging Technologies: Top Trends in Security for 2022), this expanding exposure originates from more varied and exposed corporate environments across increasingly interconnected on-premises, cloud, cyber-physical and personally owned assets.  This exposure is also extending to connecting third-party infrastructures coming from supply chain ecosystems and also from merger and acquisition (M&A) activities.

An increasing number of enterprises are exposing new digital assets and therefore experiencing new types of threats, much of which is a direct result of business transformation initiatives enabled by cloud service adoption.  These threats target key digital assets (such as exposed networks, hosts, applications, APIs, intellectual property and critical systems) by leveraging discovered exposures that many organizations have little experience or no expertise in.  There are also the more common issues that, for lack of visibility, have not been detected.  Examples include policy/regulatory noncompliance, misconfigured cloud services, compromised applications, exposed credentials, spoofed domains, unprotected industrial systems and supply chain risks.

ASM is currently made up of a set of converging technologies and services aimed at increasing visibility into digital enterprise assets and the potential risks they may present.  Different roles and security personas, such as CISOs, CROs, members of legal teams and SOC analysts, are currently benefiting from EASM, DRPS and CAASM technologies.  Digital footprinting, vulnerability management, brand protection, security compliance, supply chain risk management and risk reporting are some key use cases supported by ASM.

Technology Characteristics:  The different technologies supporting emerging ASM are in the majority of cases still implemented in isolation, with buyers looking to fulfill very tactical (and sometimes short-term) needs.  But the ASM and adjacent markets have been gradually converging, with DRPS vendors acquiring EASM capabilities or developing them natively and with CAASM players seeking the opportunity to expand into the EASM space.  Currently, while these distinct technologies have common capabilities around asset discovery and risk prioritization, they maintain a distinct focus around the attack surface they primarily cover:

DRPS. This technology focuses on discovering digital risks relating to compromised enterprise assets such as domains, credentials, intellectual property and credit card details.  DRPS solutions monitor the open web, social media, and deep and dark websites for such exposures, providing alerting and remediation capabilities, as with take-down services.

EASM. Providers from this market adopt an attacker’s perspective in discovering digital assets connected to the internet, enumerating them for security vulnerabilities and weaknesses and prioritizing their findings based on TI and other factors such as exploitability and discoverability. These services typically aim to digitally footprint all internet-discoverable assets whether on-premises or cloud-hosted, with the aim of assessing risk in third-party infrastructures, public cloud services and publicly accessible enterprise services.

CAASM. Similar to EASM, CAASM helps increase visibility into any enterprise asset and its interdependencies by aggregating and correlating asset data with vulnerabilities from various source systems to support adherence to security compliance and security operations activities, such as patching prioritization.  This technology also can augment configuration management database (CMDB) technologies and processes through the dynamic population of assets and attribute assignments. While originally primarily focusing on internal infrastructures, CAASM is expected to extend its asset inventory and identify security control gaps in the externally exposed assets.  CAASM can complement an organization’s vulnerability management strategy by enabling organizations to see all assets (internal and external), primarily through API integrations, to identify the scope of vulnerabilities (as well as gaps in security controls).

Market Characteristics:  In this phase of ASM, a range of roles and personas drive demand for different capabilities.  CISOs and other security managers are particularly interested in functionalities that support activities related to vulnerability management, threat hunting, risk assessment and general security operations (see 3 Ways to Apply a Risk-Based Approach to Threat Detection, Investigation and Response).  But there are also non-security-related roles behind interest in different aspects of ASM. Within DRPS, it is not uncommon to encounter legal and marketing executives involved in the buying process.  Within EASM, besides security-related roles, there may be IT operations personas involved with patch management and supporting CMDB infrastructure.

The ASM space is composed of many independent private commercial entities, often with a sharp market focus.  However, market consolidation has been reshaping this space, with a number of large providers acquiring different ASM capabilities.  We estimate that, by 2024, about 50% of the overall ASM market will be owned by large players with more than $1 billion in revenue.

Recent acquisitions include the following:

  • IBM acquired Randori (EASM)
  • Google acquired Mandiant (which acquired Intrigue)
  • Microsoft acquired RiskIQ
  • ReliaQuest acquired Digital Shadows (DRPS)
  • Palo Alto Networks acquired Expanse (EASM)
  • Recorded Future acquired SecurityTrails (EASM)
  • CrowdStrike acquired Reposify (EASM)
  • ZeroFox acquired IDX (DRPS)
  • Tenable acquired Bit Discovery

Products and Services:  ASM providers at this stage of maturity offer a mix of tools and services.  Specialized analyst resources are offered alongside platforms and portals to carry out dedicated activities, such as take-down services, with DRPS providers and analysts supporting clients deploying EASM tools with advisory support on how to remediate.

Phase 2 (Advanced): ASM Integrated Into a Continuous Threat Exposure Management Program

While it is important to note that continuous threat exposure management (CTEM) is not a technology but rather a program that involves processes, people skills and tools, ASM technologies offer a key support in aiding and automating some CTEM activities.  CTEM supports a continuous, integrated, actionable security exposure remediation and posture optimization strategy, with a focus on assessing the most critical exposures and their mitigation. A CTEM program is a set of processes and capabilities that allow enterprises to continually and consistently evaluate the accessibility, exposure and exploitability of an enterprise’s digital and physical assets (see Implement a Continuous Threat Exposure Management (CTEM) Program).

CTEM is part of a broader security process and architecture (see Figure 2). It interplays with cyber-risk management, threat detection response and security posture optimization.

Figure 2: CTEM Integrations

Technology Characteristics:  ASM technologies within this stage support continuous monitoring of exposure and enable vulnerability prioritization, establishing a close integration to tools that support remediation and incident response (IR) processes.  This is particularly relevant within a scenario where enterprise IT infrastructure keeps expanding and interplays with an increased set of external environments.  Here, security teams will need support to achieve a better coordinated approach to enable asset inventory and vulnerability prioritization across environments that traditionally have been outside the scope of traditional IT security.  Within this stage, we see ASM capabilities extend further to cover cyber-physical systems (CPS) that include operational technology (OT), Internet of Things (IoT) and other connected edge devices/systems.  Here, ASM supports visibility into a more comprehensive set of assets (some owned by the enterprise and some not) and the exposures they present.  Closer integration of ASM capabilities with IR, VA and TI, as well as automated pen testing and BAS, will support a more concerted approach toward assessment, validation/posture management and mitigation efforts.

Market Characteristics:  Digital transformation will continue to drive the expansion of enterprises’ attack surfaces over the next five years.  ASM is expected to become an integral part of a CTEM strategy that needs to be implemented to enable organizations to better counteract the evolution of risks alongside the externalization of vulnerabilities.  Comprehensive identification of vulnerabilities and risks will not be enough.  It is also fundamental to be able to identify and focus on priorities and implement continuous monitoring of risks and exposures as they evolve over time.  These risks and exposures relate to an increasingly diverse set of environments, such as public clouds, industrial systems, connected devices and third-party infrastructures.  Within this stage, we expect to see ASM capabilities expanding to more closely support the response stage of a CTEM process. This will be particularly enabled by the deployment of ASM as part of existing related markets:

Cyber insurance. Along with its increasing involvement in the deployment and supply of security controls, the insurance sector is expected to focus particularly on ASM capabilities. As enterprises adopt more cyber insurance coverage, there will be a growing demand for tools that help assess the level of risk exposure that organizations might have in relation to the insurance premium.  Cyber insurance providers will utilize ASM to assess clients but are also expected to offer ASM capabilities as part of the insurance package or as an additional premium service.

CPS. Enterprises will need to update their vulnerability and risk management strategies because of the new risks and expanding attack surfaces introduced by digital transformation initiatives.  Likewise, ASM tools will need to expand their capabilities to cover all environments where such exposures might occur. The perception among an increasing number of industries is that a significant level of exposure originates from IT/OT/IoT convergence.  This will drive demand for ASM tools to cover CPS environments.

MSSPs and managed detection and response.  ASM capabilities are particularly suitable for security service providers because they support different stages of CTEM processes.  Most organizations don’t have the maturity or resources to leverage ASM capabilities, and professional services providers offer a way to fulfill their security operations needs.  Within this trend, we expect to see rising demand for professional services providers that support CTEM processes that include converging IT/OT/IoT security requirements.  This is particularly the case as most enterprises, within an increasing set of industries, are not able to handle the complexity and specialization arising from the new CPS security requirements.  These requirements are characterized by the need to implement detection and remediation functions with the involvement of IT and OT personnel to be effective.

Products and Services:  Product leaders with an interest in delivering ASM will face a market that has consolidated into an integrated set of capabilities.  In this market, EASM and DRPS will be delivered as a solution, and CAASM will have expanded features into EASM and other areas, such as vulnerability prioritization.  The involvement of big players such as IBM, Microsoft and Palo Alto Networks will facilitate the delivery of EM capabilities as part of broader platforms.  The integration of VA players with EASM capabilities will drive the evolution of vulnerability management into exposure management. Here, also, EASM and DRPS features will be increasingly available as part of VA vendors’ platforms.

Phase 3 (Mature): ASM Integrated Into Cybersecurity Validation:  In this next phase, ASM will evolve to support cybersecurity validation practices.  Cybersecurity validation is a practice of validating how potential attackers would actually exploit an identified threat exposure, and how protection systems and processes would react.

The scope of cybersecurity validation includes:

  • Security effectiveness: Red team activities to assess how much existing security controls can block and detect, leveraging attack simulation or semiautomated penetration testing
  • Security consistency: Automated and scheduled audits, such as analysis of security tool configurations, or repeated attack scenario runs
  • IR efficacy: Evaluating the timeliness and effectiveness of response mechanisms by measuring the time to investigate the tested attack scenarios
  • User readiness: Generally achieved through training, such as user awareness or tabletop and simulated exercises

ASM will be included as a key feature of cybersecurity validation tools and services, providing an outside-in view and enabling the simulation of the initial phases of an attack.

Technology Characteristics:  For ASM to support cybersecurity validation practices, it will need to focus not only on expanded and continuous visibility of the organization’s digital presence on the public-facing internet but also on better context around those digital assets.  Visibility by itself does not provide an attacker’s view of the exposed assets and related vulnerabilities. Instead, context around the discoverability of the asset, its attractiveness to an attacker, and the ease of exploiting it provides the necessary refinement of findings during reconnaissance.  This means testing the asset beyond just identifying the common vulnerabilities and exposures.  EASM does not attempt anything beyond the discovery and prioritization of exploitable points of entry, so its integration with cybersecurity validation tools is what will provide visibility of the end-to-end attack routes once attackers penetrate the perimeter, and of how effectively security controls will detect and respond.  EASM will most likely integrate with cybersecurity validation tools such as BAS, automated penetration testing and penetration testing as a service (PTaaS) to provide insights relevant to the reconnaissance phase of the attack kill chain.

BAS platforms are the preferred tools to carry out repeatable and consistent measurable assessments and refocus the scope of existing penetration testing engagements.  Penetration testing is the testing of a computer system or network to find exploitable vulnerabilities.  The process involves gathering information about the target before the test, identifying possible entry points, attempting to break in and reporting back the findings.  PTaaS simplifies the administrative tasks and automates penetration testing tools, augmenting existing penetration testing and red team capabilities.  PTaaS is still primarily delivered as a managed service rather than a solution one can purchase.  It is a more scalable way to deliver pentesting and is more collaborative between direct consumers, other business units within the organization and the testers.  Cybersecurity validation tools and ASM can collectively provide organizations with a realistic view of the full attack surface within their environment. This enables organizations to test what they can or cannot prevent and detect, as well as determine how they would respond in the event of an attack.

Market Characteristics:  The market will observe the convergence of cybersecurity validation tools such as BAS and automated penetration testing toward an integrated platform.  The integrated platform approach outputs not only feasibility scores for various attack scenarios and/or attack paths but also weighted scoring based on detection by security controls and potential impacts. In addition, this can be performed more consistently.  While this consolidation is happening, ASM providers (including EASM, CAASM and DRPS providers) will actively partner or be acquired to offer these cybersecurity validation platforms.  Cybersecurity validation solution providers may also pursue a strategy of adding ASM capabilities natively. AttackIQ, Bishop Fox, Cymulate, FireCompass, Google, IBM, Intruder, NetSPI and Pentera are examples of vendors that have started to incorporate ASM with cybersecurity validation solutions.  This is expected to drive an acceleration of ASM capabilities with the provision of integrated functionalities.

Products and Services:  Cybersecurity validation platforms will embed or integrate with ASM to gather additional insights and identify vulnerable attack paths.  Some of these solutions will primarily be technology delivery, and others will be technology-enabled service delivery.  And while both delivery models will attract interest, it is likely that, in terms of growth opportunities, the service model will offer the more significant one.  This is because only more sophisticated security practices will have the personnel and skills to carry out validation, with the bulk of the market needing service providers to carry out such functions.

Security service providers delivering penetration testing and red team services will increasingly leverage cybersecurity validation platforms to deliver services to their customers.  Most penetration testing performed today is human-driven and conducted annually (making it a point-in-time view).  The introduction of cybersecurity validation platforms, including ASM, will enable greater scalability for service providers by automating highly repeatable and predictable aspects of assessment. It will also allow them to allocate more expertise in delivering services that cannot be replaced by technologies, such as red team activities.

Additionally, the continuous nature of cybersecurity validation tools will present new opportunities.  An example is a managed service delivery model (as opposed to one-off or annual consulting engagements) that provides consistent and regular benchmarks of attack techniques, security controls and processes.  Other opportunities include expanded applications into risk assessment and cyber insurance through integrations with cyber-risk quantification solutions.  Much of the context provided by cybersecurity validation tools can inform the impact and likelihood of a breach.  For more information on cyber-risk quantification, see Emerging Technologies: Overcome the Hurdles of Cyber-Risk Quantification Solution Delivery.

Market Opportunities:  ASM will offer revenue growth opportunities across a range of use cases and stages. The main trend is that market opportunities will evolve from a tactical and stand-alone specialist purchase to ASM being deployed closely integrated with broader solution sets.  Opportunities will also be made available from the expanding roles and personas within an organization that will show interest in ASM features.

Figure 3 rates each ASM segment in terms of market opportunities, ranging from −4 to +4.  The rating is based on the penetration rate within each market as well as how each segment is expected to perform as it gets integrated into broader solution sets across the different phases.

Figure 3: Market Opportunity Heat Map for Various Phases of ASM

Phase 1: Siloed ASM:  This stage will present an opportunity to broader platform providers to build a solution set that integrates EASM, DRPS and CAASM.  Stand-alone vendors also have the opportunity to expand their market by covering additional use cases within an organization.  Specifically, the acquisition of EASM capabilities offers a significant opportunity for VA providers.  It enables them to support a more comprehensive EM strategy with the ability to cover internally and externally exposed vulnerabilities.

Technology and service providers of ASM within this stage have the opportunity to take advantage of new buying trends in security, where enterprises are increasingly oriented to purchase multifunction solution sets.  Opportunities within this stage are driven by the realization that traditional vulnerability and risk management approaches are not enough.  That’s because an increasing level of exposure is emerging from digital transformation initiatives such as public cloud adoption, convergence with third-party infrastructures as part of M&A or supply chain integration, and edge shadow IT.  Organizations planning for the emerging ASM stage are prioritizing discovery functions aimed at improving visibility of enterprise assets and the vulnerabilities they might present. The validation of controls available within such assets, as well as identification of other exposures beyond software vulnerabilities, is also a key area of interest.

Among key value propositions, vendors supporting this stage offer the ability to obtain comprehensive visibility into internal- and external-facing enterprise assets. They also offer support in the prioritization of risks and mitigating approaches to be employed toward risk management.

Phase 2: Advanced ASM:  In this phase, vendors can monetize by supporting more business-centric requirements and by expanding sales to new roles.  These include CROs, security practitioners tasked with stretching security coverage to OT/IoT environments, and professionals involved with GRC management.  Opportunities for providers supporting this phase will originate from the requirements to support the different processes and activities involved in fulfilling an EM life cycle.  These include the initial discovery phase, prioritization of the vulnerabilities and exposures identified, assessment of the likelihood of an attacker exploiting the attack surface, and the readiness of an organization’s security setup to cope with a potential attack.

Opportunities will also reside in the ability to connect EM to related activities, such as aligning and prioritizing with key enterprise compliance and business requirements, through integration with cyber-risk management tools.  This will improve threat management and response capabilities based on a better understanding of the type of exposure and the related risks faced, and ultimately the ability to review assessments and validate processes to improve overall security posture and policies.  However, while the different ASM vendors and tools are expected to converge over time, the different processes involved in the different CTEM cycles are unlikely to be supported by a single platform over the coming years.

Vendors supporting the advanced ASM stage can expand digital footprinting and EM capabilities to cover the increasing risks coming from digital transformation investments such as those related to IT/OT convergence and industrial IoT (IIoT)/IoT initiatives.  This is particularly valuable for a growing set of industries that are adjusting their cybersecurity strategy to cover a new set of CPS exposures.  Within this stage, we expect to see EASM and CAASM providers expanding capabilities to support discovery, vulnerability/risk prioritization and posture management across the IT-CPS divide.

The need for remediation capabilities is a significant driver for professional services providers to integrate ASM tools and support clients with risk mitigation, risk management and response services.  This will become a significant opportunity, as most organizations don't have the skills and resources to implement a comprehensive threat and exposure management program.

Phase 3: Mature ASM:  This phase provides opportunities for security control validation providers to expand their assessment basis, creating efficiencies in their technical delivery.  It also provides an avenue of consolidation for security leaders leveraging vulnerability prioritization as their go-to-market justification.

Expanding ASM features into the security validation space will enable the validating product/service to scope its assessments to the most critical or probable attacker entry points, providing a better outcome for end users.  In essence, it would create the starting point for, or dynamically seed, attack simulations based on actual organizational risk.  This in turn could reduce the effort required to identify which assets to test and where to start, ultimately saving time and inherently elevating the priority of the output on the basis of risk.

Opportunities also exist in consolidating investments for the end user.  Buyers leveraging vulnerability prioritization as their go-to-market justification can look to validation providers that also offer ASM features or capabilities as an opportunity to decrease time to value under a single contract vehicle.  This will simplify the procurement process and have the added operational benefit of preestablished integrations/enrichments.  This stage presents opportunities to providers of cybersecurity validation, such as BAS, PTaaS and automated penetration testing, to integrate or feature EASM capabilities.

Recommendations for Product Leaders:

  • Phase 1: Siloed ASM

Plan for a relatively fast market consolidation by developing or acquiring capabilities across the convergence of EASM, DRPS and/or CAASM.

  • Phase 2: Advanced ASM

Support different processes involved in an EM strategy by reviewing your product portfolio strategy with a view aligned to specific stages of CTEM and, in particular, improve remediation capabilities.

Better support organizations that aim to mature their overall approach toward comprehensive EM strategies by improving your technology integrations and partnership ecosystem strategy.

  • Phase 3: Mature ASM

Improve your chances of success by identifying the different personas and teams that can benefit from Phase 3 ASM capabilities.  This will range from penetration testers to members of red/blue teams and SOC personnel.

GLOBAL TRENDS:

US – Casinos are being hit by hackers.  Does anyone care?  The chief security officer of the identity management company Okta said five of the company's clients, including MGM and Caesars, had fallen victim to the hacking groups known as ALPHV and Scattered Spider since August 2023.  In an interview with Reuters, Okta didn't name the other companies, but said it was cooperating with official investigations into the breaches.  The hacks have cast a fresh spotlight on ransomware attacks - cyber intrusions that affect hundreds of companies every year, from healthcare providers to telecom firms.  MGM and Caesars lost market value last week as their stock prices fell, and MGM has yet to recover from the disruption to various operations at the hotels and gaming venues it owns from Las Vegas to Macau.[2]

San Francisco-based Okta, which says it has more than 17,000 customers around the world, provides identity services such as multi-factor authentication used to help users securely access online applications and websites.  Multiple breaches it identified at its customers last month prompted the company to issue an alert at the time, Okta said.  "We saw this happen in such a small period of time and we thought we should be coming forward to the industry at large and explaining what's happening here," the Okta security chief said.

At the time, Okta said its US customers were reporting a consistent pattern of attacks in which hackers impersonated a victim firm's employees and convinced its information technology helpdesk to provide them duplicate access.  "We've seen consistently over the past six to 12 months, a ramp up in these types of attacks," Okta said.  MGM has not commented on the statement or the hack, beyond saying last week that it was dealing with a "cybersecurity issue."  Caesars earlier said it was investigating the breach.

The financially motivated hacking group ALPHV claimed the MGM hack in a post on its website on 20 September and warned MGM of further attacks if it didn't strike a deal.  It's unclear how much ransom ALPHV has demanded.  Okta said the group had breached MGM and obtained access to its Okta client, which allowed it further access to more credentials in the identity management firm's system.

Scattered Spider appears to have worked with ALPHV on the latest hacks, Okta said, citing research by security analysts who have tracked both groups.  "Think of them more as business associates or affiliates," Okta said.

Google's Mandiant Intelligence last week described Scattered Spider, also known as UNC3944, as one of the most disruptive hacking outfits in the US.  Okta said Mandiant's description of the group's tactics aligned with what it had observed in the recent hacks.

International - Owing in part to the pandemic-induced shift from offline to online, cyber-attacks have become a lucrative avenue for criminals in recent years.  Statista experts estimate global losses of $7.1 trillion in 2022 compared to 2019's $1.2 trillion, with crypto exchange and protocol hacks by prolific groups like the state-affiliated North Korean hacking team Lazarus increasing dramatically in 2021 and 2022, according to Chainalysis.  While the number of hacks and the damage caused have been on a constant uptick, the types of cyber-attacks have shifted dramatically in the past five years.

In 2017, roughly 42% of recorded cybercrimes were connected to non-payment or non-delivery.  This category includes purchases made via fraudulent online stores that never materialize and promised payments that never arrive.  Personal data breaches and phishing scams constituted an additional 28%, while identity theft, credit card fraud and other cyber-attacks had a relatively low share of all reported cybercrimes.

Five years later, phishing has become the most prevalent cyber-attack. This past year more than half of criminal online activity was connected to this long-running type of cybercrime.  While phishing via e-mail has been around since the advent of the internet, hackers have since come up with specialized versions of phishing tailored to the corresponding channels.  Spear phishing, for example, is aimed at a specific group or role at a company, often utilizing more sophisticated wording and jargon to fool would-be victims, while whaling targets the C-suite. Other types of phishing unrelated to e-mail are smishing (text messages) or vishing (voice calls).

This chart shows the share of worldwide cyber-attacks by type.

Chart: Share of worldwide cyber attacks by type (provided by Statista)

[1] https://www.gartner.com/doc/reprints/

[2] https://www.msn.com/en-ca/money/topstories/hackers-who-breached-casino-giants-mgm-caesars-also-hit-3-other-firms-okta-says/ar-AA1gXMFH
