CyberheistNews Vol 11 #06
[Heads Up] Email Phishing Is Now the Top Ransomware Attack Vector

New data shows that pushback from the ransomware victim “market” may be influencing just how much cybercriminals are asking for as ransom and are being paid.

2020 seemed to point to ransomware continuing to grow in devastation and cost; Ryuk reached a $34 million ransom payout, organizations were operationally brought to their knees by many of the prominent ransomware families, and the “as-a-Service” market for various parts of ransomware attacks – including the publishing of exfiltrated data – grew in interest.

But new data from security vendor Coveware in its Q4 2020 Quarterly Ransomware Report shows that phishing is now the predominant ransomware attack vector, as potential victims have increasingly shut down the exposed RDP that attackers used to compromise.

There are also some shifts in payment amounts – fortunately in the favor of the victim organizations. According to the report:
  • The average ransom payment decreased 34% in Q4 of 2020 to $154,108 from $233,817 in Q3
  • The median payment also decreased by 55% in the same timeframe from $110,532 to $49,450
  • Threats to disclose exfiltrated data stepped up in Q4, with a whopping 70% of ransomware attacks using this tactic (up from 50% in Q3)
Coveware speculates that this decline in payment amounts is due to organizations' improved ability to recover their locked environments. And because Coveware sees that exfiltrated data does not appear to be credibly destroyed by the cybercriminals (instead it turns up in the hands of multiple parties, implying it has been sold on the dark web), there is less incentive to pay the ransom in exchange for a promise to stop publishing the stolen data.

Phishing Took Over From RDP as the Top Overall Initial Attack Vector

Phishing took over from RDP as the top overall initial attack vector, with the top attack vector varying between ransomware families. RDP picked up steam during the pandemic as many organizations sought to quickly provide remote access to their now remote workforce. Phishing has moved up as the quickest route to get malicious code into an organization and in front of an unwitting victim user.

If you haven’t heard it yet: stop using Internet-facing RDP. Changing the port isn’t enough; it’s time to pick a more secure remote-access technology. As for phishing, many ransomware attacks continue to make it through your email filters, so you need to be able to stop attacks that have already landed in your users' inboxes. Turn your users into a strong human firewall with new-school security awareness training and enable them to make smart security decisions every day.

Post with links and the all-important graph you can use to show management you need budget:
https://blog.knowbe4.com/heads-up-email-phishing-is-now-the-top-ransomware-attack-vector
A Master Class on IT Security: Roger Grimes Teaches Ransomware Mitigation

Cybercriminals have become thoughtful about ransomware attacks, taking time to maximize the damage to your organization and their payoff. Protecting your network from this growing threat is more important than ever. And nobody knows this better than Roger Grimes, Data-Driven Defense Evangelist at KnowBe4.

With 30+ years' experience as a computer security consultant, instructor, and award-winning author, Roger has dedicated his life to making sure you’re prepared to defend against quickly-evolving IT security threats like ransomware.

Join Roger for this thought-provoking webinar to learn what you can do to prevent, detect, and mitigate ransomware.

In this session you’ll learn:
  • How to detect ransomware programs, even those that are highly stealthy
  • Official recommendations from the Cybersecurity & Infrastructure Security Agency (CISA)
  • The policies, technical controls, and education you need to stop ransomware in its tracks
  • Why good backups (even offline backups) no longer save you from ransomware
You can learn how to identify and stop these attacks before they wreak havoc on your network. Register now and earn CPE credit for attending!

Date/Time: TOMORROW, February 10 @ 2:00 PM ET

Save My Spot!
https://event.on24.com/wcc/r/2995116/FB08DEBEB60D5878F31B05D9D6B85AED?partnerref=CHN2
Using Legitimate Services to Bypass Phishing Protections

Researchers at Abnormal Security have identified two techniques that attackers are using to bypass email security filters. The first tactic takes advantage of the fact that Microsoft Office 365 sends automated read receipts for emails that are deleted without being read.

“The scammer prepares a BEC attack (in this case, an extortion email), and manipulates the email headers (‘Disposition-Notification-To’) so the target would receive a read receipt notification from M365, instead of the attacker,” the researchers explain. “The extortion email is sent, gets by traditional security solutions and lands in the employee inbox, where it is auto-remediated by Abnormal.

However, even though the original extortion email was auto-remediated, the manipulated email header triggered a read receipt notification back to the target that includes the text of the extortion.”

In the example shared by Abnormal, the subject of the unread message was “I have full control of your device,” which could catch the attention of the user even if the email didn’t end up in their inbox.

The second technique involves redirecting an automated out-of-office reply to another employee within the organization.

“Similar to the read receipts scam, the scammer prepares a BEC attack (another extortion email), and manipulates the email headers (‘Reply-To’),” the researchers write. “The difference here is, if the target has an Out of Office Reply turned ON, the notification can be directed to a second target within the organization, not the attacker.

As with the Read Receipts attack, the extortion email gets by traditional security solutions and lands in the employee inbox, where it is auto-remediated by Abnormal. Even though the original extortion email was auto-remediated, the manipulated email header triggered an Out of Office reply to a second target that includes the text of the extortion.”
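As an added defensive check (not code from Abnormal Security or from this newsletter), the script below parses inbound messages and flags the two header manipulations described above: a ‘Disposition-Notification-To’ or ‘Reply-To’ header that would route the read receipt or out-of-office reply to an address inside the organization instead of back to the external sender. The sample messages and the example.com internal domain are constructed assumptions.

```python
"""Flag inbound mail whose read-receipt or reply headers point somewhere other than the sender."""
from email import message_from_string
from email.policy import default
from email.utils import getaddresses

# Headers that make the recipient's mail system send an automated message back.
AUTO_RESPONSE_HEADERS = ("Disposition-Notification-To", "Return-Receipt-To", "Reply-To")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _addresses(msg, header: str) -> list[str]:
    # getaddresses handles 'Display Name <user@host>' lists and returns (name, addr) pairs.
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def check_auto_response_headers(raw: str, internal_domain: str) -> list[str]:
    """Return findings for one raw RFC 5322 message; an empty list means nothing suspicious.

    internal_domain is the organization's own domain (assumed to be example.com below).
    A finding is raised when an auto-response header does not point back at the sender,
    and especially when it points into the organization: the receipt or out-of-office
    reply would then carry the message text to a second internal target even after the
    original message has been quarantined.
    """
    msg = message_from_string(raw, policy=default)
    internal_domain = internal_domain.lower()
    senders = _addresses(msg, "From")
    sender_domain = _domain(senders[0]) if senders else ""
    findings = []
    for header in AUTO_RESPONSE_HEADERS:
        for target in _addresses(msg, header):
            if target in senders:
                continue  # the automated reply goes back to the sender: normal behaviour
            if _domain(target) == internal_domain and sender_domain != internal_domain:
                findings.append(f"{header} routes the auto-reply to internal address {target}")
            elif _domain(target) != sender_domain:
                findings.append(f"{header} points to {target}, outside the sender's domain")
    return findings


# Constructed sample messages (not taken from the Abnormal Security report).
READ_RECEIPT_SAMPLE = """\
From: "Account Notice" <sender@external-relay.invalid>
To: alice@example.com
Subject: I have full control of your device
Disposition-Notification-To: alice@example.com

(message text; the M365 read receipt would quote it back to alice)
"""

OUT_OF_OFFICE_SAMPLE = """\
From: sender@external-relay.invalid
To: alice@example.com
Reply-To: bob@example.com
Subject: Final notice

(if alice has an out-of-office reply on, bob receives it instead of the sender)
"""

BENIGN_SAMPLE = """\
From: newsletter@vendor.invalid
To: alice@example.com
Reply-To: support@vendor.invalid
Subject: Monthly update

Nothing unusual here.
"""
```

Running `check_auto_response_headers(sample, "example.com")` on each sample flags the first two and returns an empty list for the benign newsletter.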

Cybercriminals are always finding new ways to get around technical security measures. Continue training your users.

Abnormal Security has the story:
https://abnormalsecurity.com/blog/scammers-target-microsoft-365-read-receipt-and-out-of-office-reply-loophole-for-bec-attacks/
[NEW PhishER Feature] Remove, Inoculate, and Protect Against Email Threats Faster With PhishRIP

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase in this email traffic can present a new problem!

PhishRIP as part of the PhishER platform is a new email quarantine feature that integrates with Microsoft 365 and G Suite to help you remove, inoculate, and protect your organization against email threats so you can shut down active phishing attacks fast.

Since user-reported messages require some level of analysis to prioritize, you need a simple and effective way to not only respond to and mitigate these reported messages, but also find and remove those suspicious messages still sitting in your users’ mailboxes.

Now you can with PhishER, the key ingredient of an essential security workstream. PhishER allows your Incident Response team to identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us Wednesday, February 17 @ 2:00 PM (ET) for a live 30-minute demonstration of the PhishER platform. With PhishER you can:
  • NEW! Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and G Suite
  • NEW! Use Security Roles to Create a Multi-Tiered Incident Response System in PhishER
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam, or Threat
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, February 17 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/2975714/528BB95E3F00E61D0FF56838BAC4F592?partnerref=CHN
TrickBot Is Targeting Your Lawyers

Researchers at Menlo Security warn of an ongoing TrickBot campaign targeting the legal and insurance industries. TrickBot is a notorious remote access Trojan that was in the crosshairs of separate operations by US Cyber Command and Microsoft late last year.

While these operations crippled the malware’s botnet ahead of the US elections, they weren’t expected to deal the malware permanent damage. Menlo Security says this new campaign is a sign that TrickBot’s operators are back on their feet.

“This ongoing campaign that we identified exclusively targeted legal and insurance verticals in North America,” the researchers write. “The initial vector appears to be an email, which includes a link to a URL. While in the past Trickbot has used weaponized documents, the infection mechanism detailed in this campaign seems to be a new modus operandi used by this group.”

The attackers are using emails with a link to a phishing page that informs the user that they’ve committed a traffic violation (“negligent driving” in the example shared by the researchers). The page has a button for the user to “Download PHOTO PROOF,” and instructs the user to download their documentation.

Clicking this button will download a zip archive that will result in the installation of Trickbot. Menlo Security notes that, “At the time of writing this blog, some of the URLs identified in this campaign have very little to no detection on [VirusTotal].”

“Where there’s a will, there’s a way,” the researchers conclude. “That proverb certainly holds true for the bad actors behind trickbot’s operations. While Microsoft and its partners' actions were commendable and trickbot activity has come down to a trickle, the threat actors seem to be motivated enough to restore operations and cash in on the current threat environment.”

You may think that the crook’s screamer “PHOTO PROOF” would tip anyone off; sadly, it can work, especially on the unfamiliar. Step those users through *monthly* simulated phishing attacks!

Menlo Security has the story:
https://www.menlosecurity.com/blog/trickbot-new-year-old-lure
[World Premiere] KnowBe4’s New Season 3 of Netflix-Style Security Awareness Video Series - ‘The Inside Man’

We’re excited to announce Season 3 of the award-winning KnowBe4 Original Series ‘The Inside Man’. This network-quality video training series delivers an entertaining learning experience that ties security awareness principles from each episode to key cybersecurity best practices. From social engineering, insider threats and physical security, to vishing and deepfakes: ‘The Inside Man’ teaches your users real-world application that makes learning how to make smarter security decisions fun and engaging.

The Story So Far… Six months after his transformation from undercover hacker to company defender, Mark Shepherd, our flawed hero from Season 1, struggles to keep his past a secret as he forges new relationships to thwart an elusive threat to the company's latest acquisition, all while navigating a budding romance in Season 2, which delivered a cliff-hanger ending.

Season 3 reunites Mark and his newly-fledged team at 'Good Shepherd Security' to take flight into the world of security consulting and penetration testing. They've been commissioned by an international bank to do something that pushes both the limits of legality and their skill-set. They need to recruit new blood to help - but who can they trust?

The answer will set Mark, the ‘Inside Man’ himself, on the emotional journey of a lifetime.

Watch the trailer now and get access to the full series of ‘The Inside Man’ to see how entertaining security awareness training can be!
https://info.knowbe4.com/inside-man-chn

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Check THIS! One-Fourth of a SOC’s Life Is Researching Sketchy Emails:
https://blog.knowbe4.com/one-fourth-of-a-socs-life-is-researching-sketchy-emails



Quotes of the Week

"All that was great in the past was ridiculed, condemned, combated, suppressed — only to emerge all the more powerfully, all the more triumphantly from the struggle."
- Nikola Tesla, Inventor (1856 - 1943)

"Your success and happiness lies in you. Resolve to keep happy, and your joy and you shall form an invincible host against difficulties."
- Helen Keller, Author (1880 - 1968)

Thanks for reading CyberheistNews

Security News
Hackers Are Winning the Cyberwar, Largely Because They Target People

Researchers at HackNotice have found that the number of data breaches is increasing, while the number of breach notifications is declining, SecurityWeek reports. HackNotice analyzed 67,529 publicly reported breaches between 2018 and 2020.

“The interesting point here is the relatively small number of breaches, around 13.5% of the total, that are reported through official channels,” SecurityWeek says. “This has fallen from 25% at the beginning of the period analyzed.”

HackNotice’s CEO and co-founder Steve Thomas told SecurityWeek that this is probably due to the patchwork of different US state laws that allow up to a month before an affected company has to disclose a breach.

“There is no federal breach notification law in the US, so you have to go by the states,” Thomas said. “However, each state writes its law different[ly] and the laws allow the breached company 30 days or even more before they have to disclose.

News outlets, ransomware, and defacement gangs end up disclosing before the official notice, so we are seeing market share being taken away from official disclosures.”

Thomas also said he believes breaches are on the rise because organizations are neglecting the human element of security. “Hackers are winning the cyberwar, largely because they don’t target the infrastructure, but they target people,” Thomas said. “Phishing, credential stuffing, account takeover of personal accounts to get into business accounts…

All the major attack vectors rely on the fact that average employees are not informed as to how exposed they are, and they value security much less than the security team does.”

Likewise, Alec Alvarado, threat intelligence team lead at Digital Shadows, told the publication that organizations need to pay attention to this crucial area of security. “The bad guys are winning the war simply because they are sticking to ways that work and have proven effective,” Alvarado said. “The most robust security team with the most extensive cybersecurity practices and a multi-million dollar cybersecurity budget will fail with the single click of a well-crafted phishing email or a weak password.”

New-school security awareness training can create a culture of security within your organization by enabling your employees to recognize social engineering tactics and follow security best practices.

SecurityWeek has the story:
https://www.securityweek.com/deep-analysis-more-60000-breach-reports-over-three-years
UKRI Hit With Ransomware

UK Research and Innovation (UKRI) has been hit by a ransomware attack that impacted two of its services, BleepingComputer reports. The UK government department said it’s still unsure if data were exfiltrated during the attack.

“The two services impacted are a portal for our UK Research Office (UKRO) based in Brussels and an extranet (often known as the BBSRC extranet) used by our Councils,” UKRI stated. “The UKRO portal provides an information service to subscribers. The extranet is used to support the peer review process for various parts of UKRI.

To support the investigation and protect users, we have suspended these services. No other UKRI systems are impacted and the important work of UKRI is continuing. UKRI councils and a number of cross-cutting schemes use the impacted extranet for some of their peer review activity; as a result the data that has been compromised includes grant applications and review information.”

UKRI added that it’s working to discover if financial information was taken, and it will notify potential victims if this is confirmed.

“In some instances, for a limited number of UKRI review panel members, the extranet service is used to support the processing of expense claims,” the department said. “We do not yet know whether any financial details have been taken, but we will endeavour to contact panel members to advise on personal protection against possible fraud in this situation.

If we do identify individuals whose data has been taken we will contact them further as soon as possible. The UKRO subscription service has 13,000 users but does not contain sensitive personal data. We are working to recover this service as soon as possible.”

BleepingComputer notes that UKRI has a budget of more than £6 billion, and as a result “the agency is an attractive target for big-game ransomware gangs that target organizations with large pockets to pay for data decryption.” Ransomware gangs are opportunistic and indiscriminate in their targeting, and they adjust their ransom demands based on the nature of their victim.

Organizations of all sizes can benefit from new-school security awareness training to help their employees identify phishing emails and other forms of social engineering attacks.

BleepingComputer has the story:
https://www.bleepingcomputer.com/news/security/uk-research-and-innovation-ukri-suffers-ransomware-attack/
SOC Teams Spend Nearly a Quarter of Their Day Handling Suspicious Emails

Jeremy Fuchs at Avanan just blogged about a new report they released. It revealed some surprising results about the time SOC teams have to spend investigating suspicious emails reported by employees.

Avanan shared their research with SC Mag who said: "Researchers at email security firm Avanan claim to have authored the “first comprehensive research study” that quantifies the amount of time security operations center (SOC) employees spend preventing, responding to, and investigating emails that successfully bypassed default security and are flagged by end users or other reporting mechanisms.

According to the study, email threats take two to three hours of a SOC team’s time per day, or 22.9% of a SOC team’s daily routine. The data is based upon the responses of more than 500 IT managers and leaders surveyed by Avanan. Of the time spent managing email threats, nearly half – 46.9% – was allocated toward investigation, while response and prevention each took 26.6 percent of a SOC team’s time.

90% of the events they deal with are actually phishing

“In our conversations with [Security Orchestration Automation & Response] vendors… they said to us that 90% of the events they deal with are actually phishing,” said Avanan co-founder and CEO Gil Friedrich. In that regard, SOC workers condensing 90% of their work into 23% of their time sounds like good efficiency.

But even if that’s the case, the report warns that managing email threats “is time-consuming and costly for enterprises of all sizes. Between preventing malicious email from causing damage to reviewing end-user suspicious email reports and false positive reports, SOC employees are overwhelmed and overworked by the sheer state of email, both good and bad.”

SOC fatigue resulting from these reports and requests can result in “real phishing attacks being released back to employees” inadvertently, said Friedrich. “The other problem we see is that too often the SOC professional will not handle the threat; they will [only] handle the email. So they will not look for the phishing campaign. They would not look for similar emails [or ask] ‘Did I get anything else from that sender? Should I create a blocklist?’”

Spending too much time to go through reported emails?

The research covered organizations that *have* a SOC. How about the many IT pros who have this as just one of their many InfoSec tasks? We recommend taking a look at PhishER. It ingests the reported emails, PhishML gives you a fast score, and it’s a huge time saver to then remove them with PhishRIP.

Here are tech resources you can watch right now, no registration required:
Want a one-on-one demo with a rep to see how much time you can save?
https://blog.knowbe4.com/soc-teams-spend-nearly-a-quarter-of-their-day-handling-suspicious-emails
What KnowBe4 Customers Say

"Stu, you reached out to me back in 2017 to see if I was a happy camper with KnowBe4 and your services. I just wanted to relay that I am still a happy camper! I really enjoy working with my CSM AylaH. She makes setting up phishing campaigns and trainings super easy, and has such a great attitude. KnowBe4 rocks!"
- P.S., SSA
The 10 Interesting News Items This Week
    1. SOC Teams Spend Nearly a Quarter of Their Day Handling Suspicious Emails:
      https://blog.knowbe4.com/soc-teams-spend-nearly-a-quarter-of-their-day-handling-suspicious-emails

    2. A Second SolarWinds Hack Deepens Third-Party Software Fears:
      https://www.wired.com/story/solarwinds-hack-china-usda/

    3. U.K. Arrest in ‘SMS Bandits’ Phishing Service:
      https://krebsonsecurity.com/2021/02/u-k-arrest-in-sms-bandits-phishing-service/

    4. Scammers posing as FBI agents threaten targets with jail time:
      https://www.bleepingcomputer.com/news/security/scammers-posing-as-fbi-agents-threaten-targets-with-jail-time/

    5. Study - More than 80% of APAC organizations suffered a cyber attack in 2020:
      https://securitybrief.com.au/story/more-than-80-of-apac-organisations-suffered-a-cyber-attack-in-2020-study

    6. Ransomware Gangs now have industrial targets in their sights. That raises the stakes for everyone:
      https://www.zdnet.com/article/ransomware-gangs-now-have-industrial-targets-in-their-sights-that-raises-the-stakes-for-everyone/

    7. A company paid millions to get their data back, but forgot to do one thing. So the hackers came back again:
      https://www.zdnet.com/article/ransomware-this-is-the-first-thing-you-should-think-about-if-you-fall-victim-to-an-attack/

    8. Microsoft 365 Becomes Haven for BEC Innovation:
      https://threatpost.com/microsoft-365-bec-innovation/163508/

    9. Huge labor department printing mistake results in data breach:
      https://vtdigger.org/2021/02/01/huge-labor-department-printing-mistake-results-in-data-breach/

    10. Why Insider ‘Zoom Bombs’ Are So Hard to Stop:
      https://www.wired.com/story/zoombomb-inside-jobs/
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.