Profero

A few days ago, a talk I gave at t2 infosec conference last year surfaced online. Many thanks to the organizers for letting me share my day-to-day experience as a professional incident responder and explain why I think that, by and large, IR is utterly broken. It's an hour-long talk (link in the first response), so I'll try to give you just the bulleted version: * Resources gap - Large organizations have the budget, and they can go to large IR companies and get help when they need it. Demand and supply. But small companies - SMBs and SMEs - have tight budgets, therefore almost no one to turn to (And sure enough, they are in need more and more often). * Expertise gap - Most of the time IR is done by consultants. They are usually not very technical, and they sell IR alongside PT services, compliance services, and more. But almost no one specializes in IR. * Time frame problem - In IR there are bottlenecks everywhere. It usually takes between 12 to 36 hours to engage a company if they don't have a pre-existing arrangement with an IR provider. Then, it usually takes between 1 to 3 days to actually get access to the systems (!). All in all, a successful incident takes weeks to months just to start the remediation phase (Graph attached). Slow response to incidents is a real problem. * Incentives gap - One of the most important aspects that shapes this market is that consultants (like lawyers) bill by the hour, so they are incentivized to stretch out engagements for as long as possible while bleeding the customer. It is a predatory practice. The title of my talk was "Closing the Gap." Profero was established 5 years ago (birthday approaching) with all of those gaps in mind. We are solving those gaps with a recurring SaaS business model, a preemptive readiness approach, and ongoing assessments. It is like having all the fire extinguishing equipment in place, knowing the firefighters by name, and running joint drills. This has proved itself numerous times as a healthy approach to prevent cyber incidents in the first place or dramatically reduce the mean time to recover. Most importantly, it gives our customers peace of mind.

Infostealer - A Threat on the Rise: Last year, an employee of the Israeli National Cyber Directorate?learned a harsh lesson. His private workstation was mysteriously infected, and his details leaked to the internet, including screenshots of his desktop and other details. The researcher was hit by "Stealer malware" (aka Infostealer) called Redline. This is THE most trending kind of malware currently – even more prevalent than ransomware – so allow me to elaborate: Stealer malware is designed to steal information from a PC. The attack vectors are numerous – including phishing, software bundles, browser plugins, and more. Once the victim downloads the rogue software, the virus steals all sorts of data: browser cookies, passwords, crypto wallets, files, and more. As the software doesn't need to encrypt files, the attack fingerprint is minimal, and the malware is hard to detect. According to Specops, hundreds of millions of passwords have already leaked online, and it is estimated that millions of devices are infected worldwide. The journey of the stolen files is fascinating. First-hand – the OGs – they skim the cream after evaluating the data and gain access to large wallets, lucrative bank accounts, etc. They then sell the dump with all the data on the dark web or Telegram. The buyers are usually cybercriminals who use this bulk of stolen usernames and passwords to gain access to organizations' networks (this practice is called Credential Stuffing). This is how Uber was breached. We're not done yet because eventually, the data typically leaks onto the web, where strategic players lurk for diamonds. This is presumably how the details of the Israeli gov employee got out. The data changes hands and is exploited multiple times; you've got to admire the scavenging. Two weeks ago, law enforcement agencies from 6 countries managed to take down the infrastructure of Redline – the most notorious stealer malware gang. This is great news, but you know, there is no checkmate in cyber defense. The game is on. So, what can individuals and organizations do to avoid stealer malware? ? It is wise to protect employees' personal assets as well – as they are the weakest link in the network. However, privacy issues must be considered. ? Strict access management is critical, under Zero-Trust assumptions. No BOYD should be allowed in. ? Two-factor authentication across all sensitive assets is always wise, also as protection for this kind of attack. ·?????Make sure SSO is implemented in every SaaS and on-prem. ·?????Avoid dual users accounts in any cost, leave no generic users such as “support” or similar used by multiple people and teams. ·?????Make sure to implemented credential breach monitoring. If you have any thoughts or battle-earned experience with this kind of threat – you're invited to comment and share your knowledge for the benefit of all parties. Be Breach Ready!

??? ??????: ?????? ????? ???? ?????? ?????? ??????? ????? ? ??????? ?????? ????? ?????? ????? ?????, ??????? ????????? ?????? ???? ?????? ???????? ?????? ?? ?????? ???? ????????? ?? ?????? ????. ??? ??????? ???? ???? ???? ?? ????? ?????? ??????? ????? ???? ??????? ???????? ????????? ?? ????? ??????? ???. ???? ?????, ??? ????, ??????? ???????? ?????: ?? ?????? ?????? ??? ????? – ????? ????? ??????? ????? ???? ????? ????, ??? ??? ?? ?????? ?????. ?? ??????? ???????? – ????? ????? ??????? – ????? ??????????? ???? ?????? ????. ?? ??????? ??????? ????? ?????? ??????? ????? – ???? ????? ?????? ????? ????????? ?? ?????? ?????????? ?????? ?? ??????? ????????. ??????? ?????? ???? ??? – ?????, ??????? ????, ??????? ????? ????? ???????? ????? ?? ???? ??????? ????? ?? ????? ??????. ? ?????? ?????? ?????? >> https://lnkd.in/dTTggP6S Ran Sprinzak | Naama Ehrlich | Arik Brenneisen | Lior Etgar | Hadas Bekel | ???? ???? Guy Barnhart-Magen | Peter Teishev | Hadar Zofiof (gridish) | ACC Israel | IDU Israel Directors Union