NETWORK THREAT DETECTION

Lacework Quarterly Cloud Threat Report Shows the Automated Techniques Cybercriminals are Using to Attack Businesses in the Cloud

Lacework | August 31, 2021

Lacework, the data-driven security platform for the cloud, today released its quarterly cloud threat report, unveiling the new techniques and avenues cybercriminals are infiltrating to profit from businesses.

The rapid shift of applications and infrastructure to the cloud creates gaps in the security posture of organizations everywhere. This has increased the opportunities for cybercriminals to steal data, take advantage of an organization's assets, and to gain illicit network access.

"It's in enterprises' best interest to start thinking of cybercriminals as business competitors," said James Condon, Director of Research at Lacework. "Last year alone, cybercrime and ransomware attacks cost companies $4 billion in damages. As more companies shift to cloud environments, we're seeing an increase in demand for stolen access to cloud accounts and evolving techniques from cybercriminals, making enterprises even more vulnerable to cloud threats."

New research from Lacework Labs, the dedicated research team at Lacework that focuses on new threats and attack surface risks within the public cloud, sheds light on the crimeware and growing ransomware landscape in the face of new threat models and emerging cybersecurity challenges. Based on anonymized data across the Lacework platform from May 2021 - July 2021, key findings of the report include:

Initial Access Brokers (IABs) Expand to Cloud Accounts
As corporate infrastructure continues to expand to the cloud, so do opportunistic adversaries as they look to capitalize on the opportunity. Illicit access into cloud infrastructure of companies with valuable data/resources or wide-reaching access into other organizations offers attackers an incredible return on investment. In particular, Lacework Labs found Amazon AWS, Google Cloud, and Azure administrative accounts are gaining popularity in underground marketplaces.
Threat Actor Campaigns Continue to Evolve: Lacework Labs has observed a variety of malicious activity originating from known adversary groups and malware families. This section showcases those who continue evolving their operators as a valuable return on investment:
8220 Gang Botnet and Custom Miner: Lacework Labs recently found a new cluster of activity linked to an 8220 Gang adversary group campaign of infecting hosts, primarily through common cloud services, with a custom miner and IRC bot for further attacks and remote control. This cluster shows operations are evolving on many levels, including efforts of hiding botnet scale and mining profits.This is indicative of attacks growing in size.
TeamTNT Docker Image Compromise: The Lacework Labs team discovered threat actor TeamTNT backdooring legitimate Docker Images in a supply chain-like attack. Networks running the trusted image were unknowingly infected.
Developer teams need to be certain they know what's in the image they pull. They need to validate the source or they could open a door to their environment.
Popular cloud relevant crimeware and actors:
Cpuminer, the open-source multi-algorithm miner, has been legitimately used for years. However, Lacework Labs observed an increase in its illicit use for cryptomining altcoins.
Monero and XMRig are the most common accounts for cryptomining against cloud resources, hence activity involving lesser-seen coins and tools may be more likely to go undetected.
Cloud services probing:                                                            
Lacework Labs captures a range of telemetry in both product deployments and custom honeypots, which allows the company to see trends relevant to cloud defense purposes. For these sources, many cloud-relevant applications are continually targeted, but Lacework found that AWS S3, SSH, Docker, SQL and Redis were by far the most targeted.
Based on the findings of this report, Lacework Labs recommends that defenders:

Ensure Docker sockets are not publicly exposed and appropriate firewall rules/ security groups and other network controls are in place. This will help to prevent unauthorized access to network services running in an organization.
Ensure the access policies you set via the console on S3 buckets are not being overridden by an automation tool. Frequent auditing of S3 policies and automation around S3 bucket creation can ensure data stays private.

About Lacework
Lacework is the data-driven security platform for the cloud. The Lacework Cloud Security Platform, powered by Polygraph, automates cloud security at scale so our customers can innovate with speed and safety. Polygraph is the only security solution that can collect, analyze, and accurately correlate data across an organization's AWS, Azure, GCP, and Kubernetes environments, and narrow it down to the handful of security events that matter. Customers all over the globe depend on Lacework to drive revenue, bring products to market faster and safer and consolidate point security solutions into a single platform. Founded in 2015 and headquartered in San Jose, Calif., with offices all over the world, Lacework is backed by leading investors like Sutter Hill Ventures, Altimeter Capital, Liberty Global Ventures, and Snowflake Ventures, among others.

Spotlight

As cyber threats grow in diversity and sophistication, AV-based protection offers less and less effective protection for organizations, creating a pressing need to replace existing signature-based endpoint protection software with a more advanced solution.


Other News
PLATFORM SECURITY

Swimlane Extends Cloud-Based Security Automation into APJ Amid Momentous Growth in Region

Swimlane | April 19, 2022

Swimlane, the leader in low-code security automation, today announced the general availability of Swimlane Cloud in the Asia-Pacific Japan (APJ) region. This deployment is further evidence of Swimlane’s continued commitment to empowering APJ customers to enable new use cases previously not possible with traditional security orchestration, automation and response (SOAR). This includes unlocking the use of automation beyond the SOC, where Swimlane serves as the system-of-record for the entire security organization. Meeting the APJ Staffing Shortage Head-On with Swimlane Cloud The APJ region faces a significant cybersecurity talent shortage with an estimated 2.045 million open cybersecurity roles, accounting for 66% of the total global shortage, signaling the struggle to find qualified, skilled professionals to handle increasing security alerts. Without automation, these overburdened security administrators must manually perform repetitive and time-consuming tasks needed to track, mitigate and resolve security events across multiple security platforms. Despite significant time investments, security teams cannot realistically analyze and adequately prioritize security alerts and events at the rate necessary to protect networks. “In order to mature our security operations, we knew it was necessary to advance how we monitor and respond to threat intelligence by taking a more proactive approach to security operations,” said Tanajak Watanakij, CISO, R V Connex. “With our existing talent pool, we turned to Swimlane’s low-code security automation offering to create a centralized system of record for our Security Operations Center (SOC) and remove dependencies on a host of manual processes. Swimlane’s interactive dashboards and automated, easily customizable workflows reduced our mean time to respond and ultimately helped us ensure continuous compliance and prevent breaches across the entire R V Connex Corporation and our MSSP customers.” “Security teams across APJ need solutions that reduce the manual operations needed to respond to security threats and speed up incident response. We are a customer-focused company with a powerful platform for helping companies ease the burden security teams face daily. Swimlane is fully dedicated to supporting the region’s ongoing cybersecurity challenges through the adoption of low-code security automation.” Johan Wikenstedt, Vice President of Asia Pacific and Japan (APJ) for Swimlane Demand for Low-Code Automation Continues to Climb Swimlane’s current product initiatives in APJ continue to drive regional market traction highlighted by: 173% revenue growth of regional presence in the past four months, with more than 7x revenue growth in the past 6 months. 142% growth of regional employee headcount in the past six months. New sales offices established in Australia, Malaysia and South Korea. Net-new customer adoption in Australia, Bangladesh, India, Japan, Malaysia, Philippines, Singapore, Thailand, and New Zealand. Vertical expansion of customer adoption across banking, technology, financial services, government, MSSP, and manufacturing industries. 8 new go-to-market partners established in the region. Lumen Technologies turned to Swimlane after experiencing a rapid period of growth that challenged the company’s security team to capacity. Swimlane’s low-code security automation platform allowed the organization to maintain the integrity of its security operations and quickly adapt to business growth across its SecOps infrastructure. Within the first quarter of implementing the solution, Lumen achieved a 30% automation level. Today, 70% of security events hitting the Security Operations Center (SOC) can be fully automated without human intervention. “Swimlane was a partner from the start, helping us ensure the solution was easy to manage and operate and providing technical support whenever we needed,” said Wai Kit Cheah, Director of the Security Practice at Lumen Technologies. “With Swimlane’s robust automation engine, events can be processed from any source, enabling our security team to integrate security automation with user and entity behavior analytics (UEBA) and third-party threat intelligence feeds. This allowed us to achieve a holistic look at our ecosystem and has quickly made Swimlane’s platform an essential component of our SOC.” Swimlane Medley Partner Program Expands to Malaysia Swimlane has invested significantly in Malaysia due to the region’s robust national cybersecurity strategy and world-class talent. As part of its growth in the region, Swimlane recently announced a partnership with CyberSecurity Malaysia, the national cyber security specialist agency under the purview of the Ministry of Communications and Multimedia Malaysia (KKMM), to assist the organization on its mission to build a more resilient cyber ecosystem throughout Malaysia. “Our strategic partnership with Swimlane comes at an exciting time for CyberSecurity Malaysia as we seek to elevate a strategic cybersecurity vision for the region,” said Dato’ Ts. Dr. Haji Amirudin Abdul Wahab, CEO of CyberSecurity Malaysia. “Together, Swimlane and Cybersecurity Malaysia will leverage our combined experience, capabilities, and products to deliver innovative cybersecurity solutions across Malaysia and ensure companies in the region have access to the world’s most-capable low-code automation technology to safeguard their networks and data.” Join Swimlane at the SecOps Automation Summit 2022 Swimlane will hold the SecOps Automation Summit 2022 in South Korea, Malaysia and Australia in late April and early May. Presenters include Co-Founder and Chief Strategy Officer Cody Cornell and other members of the Swimlane team, along with various current partners and customers, to explore new and future innovations in the dynamic field of security automation. To learn more about the summit and Swimlane’s expansion in the APJ region, visit https://swimlane.com/swimlane-helps-address-asia-pacifics-security-skills-shortage. About Swimlane Swimlane is the leader in cloud-scale, low-code security automation. Supporting use cases beyond SOAR, Swimlane improves the ease with which security teams can overcome process and data fatigue, as well as chronic staffing shortages. Swimlane unlocks the potential of automation beyond the SOC by delivering a low-code platform that serves as the system-of-record for the entire security organization and enables anyone within the organization to contribute their knowledge and expertise to the protection of the organization.

Read More

DATA SECURITY

Futurex Named a Leader in Hardware Security Modules by ABI Research

Futurex | February 25, 2022

Futurex receives top scores for cloud HSM service and strong cloud integration, extensive payment HSM platform, richest features, customer flexibility BULVERDE, Texas, February 24, 2022 — ABI Research, global technology intelligence firm, today named Futurex a leader in hardware security modules (HSMs). In its latest Hardware Security Module: OEM competitive assessment report, ABI Research gave Futurex, a leader in enterprise-class data security solutions, high scores for its cryptography-as-a-service options, extensive payment HSM offerings, rich features, hybrid deployment options, and customer flexibility. “The HSM market is changing rapidly. This is propelling highly flexible HSM offerings that can scale easily and adapt quickly to emerging demands,” the report by ABI Research reads. “Futurex showcases an extensive payment HSM platform with strong cloud integration and service availability, enabling it to carve itself a particularly successful niche in the HSM market which it is actively expanding.” “We are honored to be recognized by ABI Research as a leader in the HSM space,” said Ryan Smith, vice president, global business development, at Futurex. “Our four decades of HSM R&D, in-depth knowledge of enterprise security needs, and being the first in industry to offer cryptography-as-a-service, have made us the trusted HSM partner for the world’s largest enterprises.” Putting Innovation and Customers First ABI Research’s report highlights Futurex’s commitment to innovation by recognizing the operational flexibility and application versatility its HSMs have to offer. The report also noted that Futurex is the only company offering the same suite of features with its cloud HSM as with its on-premises hardware. With multiple payment HSM vendors currently going through end-of-life processes with their HSMs, organizations are looking for options including migrating their infrastructures to the cloud without changing any application code. As organizations look for robust security while optimizing costs with OPEX models, many turn to Futurex’s VirtuCrypt Cloud Payment HSM for their cryptographic needs. About Futurex For more than 40 years, Futurex has been a trusted provider of hardened, enterprise-class data security solutions. More than 15,000 organizations worldwide, including financial services providers and corporate enterprises, have used Futurex’s innovative hardware security modules, key management servers, and enterprise-class cloud solutions to address their mission-critical systems, data security, and cryptographic needs. This includes the secure encryption, storage, transmission, and certification of sensitive data. For more information, please visit futurex.com.

Read More

DATA SECURITY

HUB Security Announces Ultimate Docker Lifecycle Management Platform

HUB Security | December 17, 2021

HUB Security, a secure computing solutions provider, announced today its Docker Digital Twin product to better protect, authenticate, and verify traffic created by Docker, a highly used platform for package containment. The HUB Security Docker Digital Twin enforces access control and provides governance processes, such as approvals for sensitive actions, on incoming Docker traffic. It blocks attack vectors involving the loss or theft of credentials, vulnerabilities, and unauthorized access. Docker creates virtual containers (called packages) that allow applications and their dependencies to run seamlessly on any operating system. It is used by some 55% of professional developers daily and is the leading solution for cloud-based SaaS platforms. It is also ubiquitous in large enterprises, financial institutions, and public clouds, as well as defense equipment, servers, and data centers. Docker packages, because of their extensive use, are often the target of cyber security threats from hackers. "We want to create a seamless experience for our customers when it comes to security,Our new system enables multi-layered security processes for the entire compute stack with Docker being part of it. The solution is also future proof, meaning clients can rest assured for years that their systems are safe and secured." Andrey Iaremenko, HUB Security's CTO The Docker Digital Twin solution will be incorporated into existing HUB Security technology without changing existing operational controls and services. The product's complete remote update capabilities will provide full support for any and all Docker versions and security capabilities. About HUB Security HUB Security was established in 2017 by veterans of the 8200 and 81 elite intelligence units of the Israeli Defense Forces. The company specializes in unique Cyber Security solutions protecting sensitive commercial and government information. The company debuted an advanced encrypted computing solution aimed at preventing hostile intrusions at the hardware level while introducing a novel set of data theft prevention solutions. HUB operates in over 30 countries and provides innovative cybersecurity computing appliances as well as a wide range of cybersecurity professional services worldwide.

Read More

PLATFORM SECURITY

Trend Micro Unites Industry With Most Powerful and Complete Security Platform

Trend Micro | April 26, 2022

Trend Micro Incorporated , a global cybersecurity leader, announced the launch of Trend Micro One, a unified cybersecurity platform with a growing list of ecosystem technology partners that enables customers to better understand, communicate, and lower their cyber risk. Organizations are battling on all fronts to face mounting cyber risks from their complex and growing attack surface with stretched teams and siloed security products. The unified security platform approach delivers a continuous lifecycle of risk and threat assessment with attack surface discovery, cyber risk analysis, and threat mitigation and response. Inaugural partners of the Trend Micro One technology ecosystem include: Bit Discovery, Google Cloud, Microsoft, Okta, Palo Alto Networks, ServiceNow, Slack, Qualys, Rapid7, Splunk, and Tenable. "We are so proud that ecosystem partners value integrating into our platform. Collectively we help enterprises fight the bad guys known as cybercriminals. Alone we are strong, but together our industry is unstoppable in helping customers eliminate security gaps anywhere, identify internal and external enterprise assets, and take critical steps to mitigate them. Kevin Simzer, COO of Trend Micro According to Gartner®, "vendors are increasingly acquiring or developing these adjacent technologies and integrating them into a single platform. The benefits are best realized when this integration minimizes consoles and configuration planes and reuses components (e.g., endpoint agents) and information.1" "We all know that digital transformation is table stakes for the post-pandemic enterprise. But this comes with additional risks: a bigger target for threat actors to aim at and more visibility and security coverage gaps for them to hide in," said Jeremiah Grossman, CEO of Bit Discovery. "Trend Micro's approach stands out from the crowd — notably with its blend of multiple sources of asset and risk visibility, including external attack surface visibility powered by Bit Discovery. Trend Micro's platform helps customers quickly get a prioritized and comprehensive understanding of their attack surface." As a unified platform, Trend Micro One delivers powerful risk assessment capabilities, but the ecosystem partners extend that to make it the most complete in the industry. Joint customers benefit from truly connected visibility, better detection and response capabilities, and comprehensive protection across security layers and systems. Trend Micro One supports this approach by enabling customers to: Discover the attack surface: Identify, monitor, and profile cyber assets in customers' environments. Understand and continuously assess risk: Analyze risk exposure, the status of vulnerabilities, the configuration of security controls, and types of threat activity. Effectively mitigate risk: Ensure the right preventative controls and take swift action to mitigate risk and remediate attacks across the enterprise by leveraging Trend Micro's threat and risk intelligence. About Trend Micro Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, the platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response.

Read More

Spotlight

As cyber threats grow in diversity and sophistication, AV-based protection offers less and less effective protection for organizations, creating a pressing need to replace existing signature-based endpoint protection software with a more advanced solution.

Resources