Navigating the Resurgence of Raccoon Stealer: Detection, Remediation, and Prevention Strategies

/by

The developers behind the notorious Raccoon Stealer malware have reemerged after a six-month absence from hacker forums, promoting an updated 2.3.0 version of their malware to cybercriminals. Since its introduction in 2019, Raccoon has become one of the most prominent and prolific information-stealing malware families, sold through a subscription model at $200 per month to threat actors.

Raccoon Stealer is capable of extracting data from over 60 applications, including user login credentials, credit card details, browsing history, cookies, and cryptocurrency wallet accounts. In October 2022, the project faced a significant setback when Mark Sokolovsky, the primary developer of the malware, was arrested in the Netherlands, and the FBI dismantled the malware’s service infrastructure.

The Return of Raccoon
In a recent post, first identified by VX-Underground, the current authors of the malware notified the cybercriminal community of their return, revealing that they have been “working tirelessly” to develop new features intended to enhance the user experience of their malicious clientele. These updates were informed by user feedback, specific requests, and prevailing cybercrime trends—with the goal of maintaining Raccoon’s standing in the top echelon of information stealers.

According to a numerous reports, Raccoon 2.3.0 has incorporated several significant user-friendly and operational security enhancements. These improvements are designed to simplify the malware’s use for less technically savvy threat actors and to make tracing by researchers and law enforcement more challenging.


Announcement of Raccoon v2.3.0 on hacker forums
Source: Cyberint

The Ongoing Threat
Information-stealing malware like Raccoon poses a significant and extensive threat to both individual users and businesses. Its pervasive use by cybercriminals ensures that malicious payloads are delivered through numerous channels, targeting a vast and diverse audience. Moreover, since this malware can also steal session cookies, it may enable threat actors to bypass multi-factor authentication safeguards, thereby breaching corporate networks. Once inside, attackers can deploy various offensive strategies, including data theft, ransomware attacks, BEC scams, and cyber-espionage tactics.

The Ongoing Threat and New Features

Quick Search for Cookies and Passes:
The updated Raccoon admin panel introduces an innovative way to search for URLs. This improvement enables threat actors to swiftly find specific links in large datasets, even when dealing with millions of documents and thousands of disparate links—a notable enhancement in efficiency and convenience for users of this malware.


Raccoon Stealer Quick Search Module
Source: Cyberint

Automatic Bot Blocking and Panel Display:
Raccoon now includes a system designed to detect anomalous activity patterns, such as repeated accesses from the same IP address or range. Upon detecting such activity, this system automatically deletes the associated records and updates the client pads, thereby thwarting security tools relying on automation and bots for malware detection.

Raccoon Stealer Dashboard with Bot Blocking and Panel Display
Source: Cyberint

Legend: Green Smiley = Activity of the IP is normal. Red Smiley = High probability that bots or other automated systems created or actively used the log.

Reporting System:
This new feature blocks IP addresses typically used by security practitioners’ crawlers and bots to monitor Raccoon’s network traffic.

Racoon Stealer Reporting System per IP Address
Source: Cyberint

Log Statistics:
This feature enables threat actors to review detailed statistics about their activities, including a geographic breakdown of compromised systems, reminiscent of functionalities in earlier versions of the malware.

Raccoon Stealer Behavior and Capabilities
Raccoon targets a comprehensive range of applications, employing specialized techniques to extract and harvest data. Raccoon’s modus operandi for data extraction from targeted applications generally involves the following steps:

  • Extract the file from the targeted application that contains sensitive data.
  • Copy this file to a designated folder (usually %Temp%).
  • Generate a text file within the targeted application’s directory, which contains the stolen data.
  • To decrypt credentials from applications, Raccoon retrieves and downloads the necessary DLLs associated with these applications.

Based on Proficio’s research, as of 08/15/2023, there are 9,515,216 Raccoon stealer findings listed throughout the dark, deep and surface internet.

Sample Raccoon Malware Logs:

Source: Proficio Cyber Exposure Monitoring Platform

Targeted Applications Include

Browsers:
Google Chrome, Comodo Dragon, Amigo, Orbitum, Bromium, Nichrome, RockMelt, 360Browser, Vivaldi, Opera, Sputnik, Kometa, Uran, QIP Surf, Epic Privacy, CocCoc, CentBrowser, 7Star, Elements, TorBro, Suhba, Safer Browser, Mustang, Superbird, Chedot, Torch, Internet Explorer, Microsoft Edge, Firefox, WaterFox, SeaMonkey, PaleMoon

Email Clients:
ThunderBird, Outlook, Foxmail

Cryptocurrency Wallets:
Electrum, Ethereum, Exodus, Jaxx, Monero, Bither

Detection Steps:

  • Monitor System Behavior: Regularly check for unusual system behavior, such as unexpected data flows or high CPU usage when no major tasks are running, which may indicate malware activity.
  • Antivirus Scans: Conduct frequent and thorough scans using updated antivirus software that can detect known variants of Raccoon and similar malware.
  • Check for Unusual Network Traffic: Continuously monitor network traffic for uncommon data exfiltration attempts or communication with known malicious IP addresses.
  • Inspect System Logs: Review system and security logs for irregularities or signs of intrusion.

Remediation Steps:

  • Isolate Infected Systems: Immediately quarantine affected systems from the network to prevent the malware from spreading.
  • Remove Malware: Use reputable antivirus or antimalware tools to clean the infected systems.
  • Change All Passwords: After removing the malware, change all passwords, starting with the most sensitive accounts.
  • Update Software: Ensure that all systems are running the latest versions of operating systems and applications, which include security patches.
  • Enable Multi-Factor Authentication (MFA): To add an extra layer of security, enable MFA on all possible accounts.
  • Review Permissions and Access: Conduct a comprehensive audit of user permissions and restrict privileges to the minimum necessary for each role.

Defensive Measures:

  • Use Password Managers: Employ password managers as opposed to saving credentials within browsers.
  • Enable Multi-Factor Authentication: Activate MFA across all accounts as a robust preventative measure.
  • Exercise Caution with Downloads: Avoid downloading executable files from questionable websites, even when directed to these sites from seemingly trustworthy platforms like Google Ads, YouTube videos, or Facebook posts.
  • Regular Updates and Patch Management: Keep operating systems and all software up to date with the latest security patches.
  • Educate Employees and Users: Regularly educate and train staff or users about the risks of phishing scams and how to recognize potential malware lures.

Note:
These measures are not exhaustive but represent essential steps in detecting, remediating, and defending against threats like the Raccoon Stealer malware.

Article References:
https://twitter.com/vxunderground/status/1691175828607111171
https://cyberint.com/blog/financial-services/raccoon-stealer/
https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-returns-with-new-stealthier-version/
https://www.bleepingcomputer.com/news/security/ukrainian-charged-for-operating-raccoon-stealer-malware-service/

How to Improve Endpoint Security to Protect Organizations Against Advanced Cyberattacks

/by

Immature security practices make endpoints an easy target in advanced cyberattacks. Security and risk management leaders should follow this guidance to evaluate their current endpoint protection and develop a prioritized roadmap to improve the resilience of their endpoints.

Cyberattacks have become more sophisticated, with threat actors using fileless attacks and identity theft to gain a foothold in the environment. However, not all organizations face the same level of business risk or start from the same baseline of endpoint protection. According to the 2021 Gartner Global Security and Risk Management Governance Survey, roughly half (48%) of the surveyed organizations struggle to find and hire cybersecurity professionals.

Obsolete practices, like relying primarily on preventive controls, such as signature-based antivirus tools, have left many organizations vulnerable to attacks. Prevention alone is not enough. A step up to continual vulnerability assessment (VA), endpoint security tuning, and detection and response are needed to strengthen the endpoint security posture. These capabilities will require increased focus on the expertise, procedures and availability of internal staff to operate these tools.

Every successful attack causes one or several issues to the business, such as disruption and damage to the organization’s reputation, financial loss, critical data loss and subsequent attacks. Regulatory issues may also occur if the data stolen contains information from customers, vendors or third parties.

How can we improve endpoint protection to mitigate these attacks? This research describes the roadmap to enhance endpoint security using five security levels, each containing the respective projects designed to secure an organization against advanced cyberattacks. Accordingly, SRM leaders responsible for endpoint security must:

  • Evaluate the risks to their organization.
  • Assess the attacker’s landscape.
  • Develop a prioritized roadmap to achieve better protection and reduce the endpoint attack surface.

To learn more about securing endpoints from cyberattacks, please click here to continue reading.

7 World Password Day Tips

/by

We live in a world where constant connectivity and online communication are critical to most people’s daily activity. The number of passwords a person has can vary widely depending on factors such as age, job, and personal habits, but some studies have shown that the average person has nearly 200 passwords.

As people increasingly use digital devices and online services, they need to create and remember passwords for each account or service they use. Strong passwords are essential for protecting our personal and professional information from cyberattacks but managing this many different passwords can be a challenge. This is why people tend to reuse the same passwords for multiple accounts or use weak passwords that are easy to remember but also easy to guess. A weak password can easily be hacked, which can lead to a range of consequences from stolen identity to financial loss – and if stolen passwords are also used for a business purpose, this can also be devastating for your organization.

In honor of World Password Day, here are our top tips for creating secure passwords that can help you stay safe online:

  1. Mix It Up: A strong password should include a mix of uppercase and lowercase letters, numbers, and symbols. Many sites are now starting to require this, but even if that’s not the case, using a variety of characters makes it harder for hackers to guess your password.
  2. Don’t Be Common: Common words and phrases such as “password,” “123456,” and “qwerty” are some of the most common passwords used by people. Avoid using these types of passwords or using public facts such as birthdates or phone numbers, as they are easy to guess and can be easily cracked.
  3. Write It Out: A passphrase is a combination of multiple words that are easy for you to remember but hard for others to guess. For example, “HikingWithMyDogInTheMountains” is a strong passphrase that can be difficult to guess or crack.
  4. Make It Long: The longer your password is, the harder it is to guess or crack. Aim for a minimum of 12 characters in your password, and the longer the better.
  5. Create Variations: It can be tempting to reuse the same password across multiple accounts, but this is a significant security risk. If one account is compromised, all the other accounts with the same password are also at risk. Even slight variations give you a leg up on hackers.
  6. Change Passwords Regularly: Changing your passwords every few months is a good practice to ensure that your accounts remain secure. If your site doesn’t require it, you should make it a habit to do it yourself. This way, if a hacker gains access to your password, changing it can limit their access to your account.
  7. Use A Password Manager: Password managers are applications that store all your passwords in a secure vault, and you only need to remember one master password. This makes it easier to use unique and complex passwords for each account without the risk of forgetting them.

Creating strong passwords is essential for protecting your personal and professional information. By following the tips for creating strong passwords, you make it much more difficult for attackers to gain unauthorized access to your accounts or devices and significantly reduce the risk of your accounts being compromised. Remember that protecting your online security is an ongoing process, and taking the necessary precautions can help prevent potential cyberattacks and keep your information safe.

Staying Secure: Proactively Monitoring the Dark Side of the Web

/by

Welcome back to part two of our blog series on the dark web. In part one, we explored what is the dark web and the risks it poses. Now, in part two, we will examine some of the challenges associated with monitoring and policing the dark web, and what you can do to stay protected. By understanding these complex issues, we hope to equip you with the knowledge and tools necessary to stay safe and secure in an increasingly connected world. So, let’s dive in!

Protecting Data on the Dark Web

Protecting data from cyber threats on the dark web is crucial because the data that is traded and sold on this platform is often sensitive and valuable. This can include personal information such as social security numbers, credit card details, and login credentials, as well as business-sensitive information such as trade secrets, customer data, and intellectual property.

With the increasing frequency and complexity of cyber threats, it is more important than ever to stay vigilant and proactive in protecting sensitive information from compromise. If this data falls into the wrong hands, it can lead to a range of negative consequences. For individuals, it can result in identity theft, financial loss, and a tarnished reputation. For businesses, a data breach can result in lost revenue, damage to their brand reputation, and even legal consequences if they are found to have failed to properly protect customer data. Cyber threats on the dark web can also spread to other parts of the internet and affect other systems and networks, such as a malicious actor using stolen data to launch phishing attacks, spread malware, or even engage in cyber espionage. This is why it’s imperative that individuals and organizations take proactive steps to protect their data from cyber threats on the dark web.

Staying Ahead of Cyber Threats

Protecting your critical data and assets from the hands of cybercriminals take a multifaceted approach. This can include implementing robust cybersecurity measures such as firewalls, antivirus software, and encryption, as well as regularly monitoring their systems and networks for any signs of suspicious activity via dark web or cyber exposure monitoring.

Dark web monitoring involves continuously scanning the dark web for sensitive information, such as login credentials, credit card numbers, and other confidential data, that may have been obtained through a data breach or other means. The goal of dark web monitoring is to detect the presence of sensitive information on the dark web and alert the organization before it can be used by cybercriminals.

Cyber exposure monitoring, on the other hand, involves monitoring the entire internet, including public and private networks, for vulnerabilities and potential attack vectors. The goal of cyber exposure monitoring is to identify and assess the risks posed by these vulnerabilities and take appropriate action to mitigate them. Both services bring benefits to organizations but are two cybersecurity services offering two different measures to protect themselves against cyber threats.

The Importance of Cyber Exposure Monitoring

Cyber Exposure Monitoring has become one of the most important aspects of cybersecurity. The service helps to provide visibility into potential risks and threats, as well as enables organizations and individuals to take proactive steps to address them before they become a problem. There are three critical parts of cyber exposure monitoring:

  • The first step is to identify potential vulnerabilities in systems and applications. This can be done through vulnerability scanning, or the process of scanning networks and systems to identify potential weaknesses or vulnerabilities. Once vulnerabilities are identified, organizations and individuals can take proactive steps to address them, such as applying security patches, updating software, or implementing additional security controls.
  • Another important aspect is threat intelligence. This involves monitoring various sources, such as threat feeds, 3rd party intel sites, blogs and forums or adversary markets, for potential threats and attacks; information is gathered about the tactics, techniques, and procedures used by cybercriminals on these measures. This information can be used to develop proactive security measures and to identify potential threats before they become a problem.
  • Log analysis is the third key component of cyber exposure monitoring. Logs are generated by various systems and applications and can provide valuable insight into potential threats and attacks. By analyzing logs, organizations and individuals can identify potential indicators of compromise and take proactive steps to address them before they result in a data breach or other security incident.

One of the biggest benefits of cyber exposure monitoring is early detection of threats. By monitoring for potential threats and vulnerabilities, you can detect and respond to potential attacks before they become a problem. This can help to prevent data breaches, minimize the impact of security incidents, and reduce the risk of financial loss or reputational damage.

In addition to early detection of threats, cyber exposure monitoring can also improve an organization’s or individual’s overall security posture. By identifying weaknesses in security systems and applications, organizations and individuals can take proactive steps to address them, such as implementing additional security controls or training employees on best practices for cybersecurity.

Cyber exposure monitoring can also help organizations and individuals to meet compliance requirements for data security and privacy. Many industries have specific compliance requirements for data security and privacy, and cyber exposure monitoring can help ensure that these requirements are met and avoid potential fines or legal liabilities.

Conclusion

Staying vigilant and taking proactive steps to address potential threats and vulnerabilities, organizations and individuals can reduce the risk of falling victim to cybercrime and protect sensitive information from compromise. With the increasing frequency and complexity of cyber threats, cyber exposure monitoring is great way for organizations to significantly reduce the risk of a successful cyberattack and protect their sensitive information and systems. If your organization needs help staying ahead of cybercriminals, contact Proficio to learn more about our Cyber Exposure Monitoring service.

The Dark Side of The Web: Understanding the Dark Web and the Risks It Poses to Organizations

/by

The internet has come a long way since its inception, with an ever-growing number of people relying on it for personal and professional activities. However, with this increased usage comes an increased risk of cybercrime and data theft. And as cybercriminals become more sophisticated, constantly finding new ways to access and exploit sensitive information, organizations must become more vigilant in how they protect their data.

For many organizations, the dark web – a hidden network of websites that are not accessible through standard web browsers – is a growing concern. It is a place where cybercriminals can buy and sell stolen data, hacking tools, and other illegal products and services. This information can be sold to the highest bidder, putting individuals and organizations at risk of financial loss, reputational damage, and identity theft.

In this two-part series, we will take a deeper look at the dark web, the risks it poses and how you can protect your data from getting into the wrong hands.

What is the Dark Web:

The dark web is a part of the internet that is not indexed by traditional search engines and is characterized by its high level of anonymity, allowing users to communicate and transact without leaving a trace. Anonymity on the dark web is often used by cybercriminals for illegal activities such as trading stolen data, buying and selling illegal goods and services, and facilitating various forms of cybercrime, such as hacking and fraud. The high level of anonymity provided by the dark web makes it difficult for law enforcement to trace the origin of criminal activities and identify the individuals behind them.

Accessing the dark web can only be done using specialized tools like The Onion Router (TOR), a free, open-source software and network that was designed to provide users with anonymity and privacy online. TOR networks work by routing internet traffic through a series of servers, or “nodes,” before it reaches its destination. Each node only knows the previous and next node in the chain, making it difficult to trace the source of the traffic. TOR is widely used for a variety of purposes, including accessing the dark web, bypassing censorship and geo-restrictions, and protecting sensitive communications from government surveillance or cyberattacks.

Another important aspect of the dark web is the use of cryptocurrencies, like Bitcoin, as the primary mode of payment. Cryptocurrencies have gained popularity in recent years due to their ability to offer fast, low-cost, and borderless transactions, as well as their use of blockchain technology, which provides a secure and transparent ledger of transactions. However, because cryptocurrencies provide a high level of anonymity and make it difficult for authorities to track transactions, it has become very popular to use by cybercriminals.

Finally, the dark web also uses various other encryption technologies to secure its websites and hide the location of its servers. This includes technologies like SSL/TLS certificates and public-key encryption.

Cybercriminals on the dark web use a combination of tools and technologies to achieve anonymity. For example, they may use the TOR network to route their traffic through multiple servers, making it difficult to trace their location. They also use encryption to secure their communications and protect sensitive information.

In addition, many dark web marketplaces require users to use cryptocurrencies, such as Bitcoin, for transactions. These currencies provide a high level of anonymity and make it difficult for authorities to track financial transactions.

It’s important to note that while the dark web provides a high level of anonymity, it’s not completely secure and can still be monitored by law enforcement agencies. Additionally, many of the activities that take place on the dark web are illegal, so it’s best to avoid visiting it unless you have a legitimate reason to do so.

The Risks Posed by the Dark Web:

The dark web is a haven for cybercriminals, who use it to trade stolen data and carry out malicious activities, such as phishing attacks and ransomware attacks. The anonymity of the dark web makes it a popular platform for these activities, and its encrypted networks provide a high level of security, making it difficult for law enforcement agencies to track and prosecute cybercriminals.

In June 2021, T-Mobile confirmed that it had suffered a data breach that affected the personal information of over 50 million customers. According to reports, the data that was stolen included names, addresses, birthdates, social security numbers, and driver’s license information. Shortly after the breach was disclosed, cybercriminals began advertising the stolen data on underground forums on the dark web, offering it for sale to the highest bidder; over six months later, the data from the T-Mobile breach could still be found online.

This incident is just one of many that highlights the importance of implementing robust cybersecurity measures to prevent data breaches and the need to be prepared for the worst-case scenario. It also demonstrates the devastating consequences that can result when sensitive information is traded on the dark web.

Protection from the Dark Web:

The dark web poses a significant risk to the security of personal and sensitive information. Cybercriminals can use the anonymity and untraceability of the dark web to sell stolen data, engage in illegal activities, and conduct cyberattacks. These risks are further compounded by the increasing sophistication of cybercriminals and their ability to access and exploit vulnerabilities in security systems.

Businesses and organizations have a responsibility to protect the personal information of their customers and employees. It is essential to take proactive measures to protect this data and minimize the risk of it being exposed on the dark web. Protecting against the risks posed by the dark web requires vigilance, education, and a commitment to implementing best practices for cybersecurity. Click here for part two of our blog series to learn more about protecting yourself from the dark web.

Decoding the Differences: MDR, XDR, and MEDR

/by

As technology continues to advance and the threat landscape continues to evolve, many organizations are looking for a cybersecurity partner to help them stay protected. However, with so many different solutions on the market, it is crucial for organizations to stay informed and understand the different options available.

MDR, XDR, and MEDR are three commonly used acronyms in the cybersecurity industry – yet each describes different approaches to detecting and responding to cyberthreats. Despite the similar-sounding acronyms, there are important differences between these solutions. Before you select which is right for you, it is essential to understand what each one offers, so you can make an informed decisions about which approach is best for your organization.

What is Managed Detection and Response

Managed Detection and Response (MDR) MDR is a service providing an outcome. This comprehensive security solution utilizing a combination of vendor tools integrated with customer security tools and monitored by the providers Security Operations Center (SOC) security analysts and security engineers. MDR service providers give organizations with real-time visibility and control over their security posture, allowing them to quickly detect, respond to, and prevent cyber-attacks.

Benefits of MDR include:

  • Advanced threat detection: MDR leverages cutting-edge technologies such as artificial intelligence, machine learning, and behavioral analytics to identify potential security threats in real-time.
  • Rapid incident response: In the event of a security incident, MDR provides organizations with a dedicated team of security experts who can quickly assess the situation, contain the threat, and minimize the damage.
  • Managed security services: MDR services are delivered and managed by security experts, taking the burden of security management off the organization and freeing up valuable resources.
  • Real-time visibility and control: MDR provides organizations with real-time visibility into their security posture, enabling them to quickly identify and address potential threats.
  • Customized security solutions: MDR services can be tailored to meet the specific security needs of an organization, ensuring that their security posture is aligned with their overall business goals.

MDR is ideal for organizations of all sizes and industries and can be used to address a variety of security needs, including meeting compliance requirements, reducing the risk of a data breach, improving your overall security posture and streamlining security management to free up valuable resources internally.

What is Extended Detection and Response

Extended Detection and Response (XDR) is a security tool or platform that collects a set of logs and security events from multiple sources to provide a comprehensive view of an organization’s security posture. Paired with a set of basic use cases for threat detection, it can perform automated or centralized manual response action through integration with a set of endpoint protection / detection platforms, perimeter firewalls, or other security controls

An XDR platform is often considered a “SIEM (Security Information and Event Management) lite” with response automation capabilities. Often it is focused on a single vendor set of security tools for log collection, threat discovery, and automation to perform response actions. If the platform supports a broad number of vendors, it is often referred to as an Open XDR. MDR providers can leverage most major XDR tools. XDR capabilities have more recently been incorporated into SOAR (Security Orchestration and Automated Response) platforms.

Benefits of XDR include:

  • Rapid detection of threats: XDR enables organizations to detect and respond to security incidents in real-time.
  • Better visibility: By integrating data from multiple sources, XDR provides a more complete picture of an organization’s security posture
  • Advanced capabilities: XDR also provides advanced analytics and threat intelligence, allowing organizations to quickly identify and respond to emerging threats
  • Cost effectiveness: XDR tools may provide a more cost-effective solution for organizations, as it integrates multiple security solutions into one platform

However, it’s important to note that XDR solutions can be complex and require a significant investment in time and resources to implement and manage. Organizations must also have a strong security posture and expertise in place to effectively use XDR to detect and respond to security incidents. However, by integrating data from multiple sources and providing real-time detection and response capabilities, XDR can provide organizations with a comprehensive view of their security posture and enables them to respond to security incidents more effectively.

What is Managed Endpoint Detection and Response

Managed Endpoint Detection and Response (MEDR) is an endpoint protection platform that can respond to compromises by performing actions like isolating an endpoint from the network, blocking a process, or removing artifacts by using a central EDR console. This solution is designed to monitor and detect threats on endpoint devices in real-time. There are also MEDR as a Service, which is often provided by an MDR provider that will manage the EDR platform rules, monitor and investigate advanced threats, and perform response actions to contain and remediate threats or compromises.

Benefits of MEDR include:

  • Real-time threat detection: MEDR monitors endpoint devices in real-time and can quickly detect and respond to threats before they become a problem.
  • Automated response: MEDR solutions can be programmed to automatically respond to security incidents, reducing the need for manual intervention and speeding up the response time.
  • Centralized management: MEDR solutions provide centralized management, making it easier to track and manage security incidents across multiple devices.
  • Cost savings: MEDR solutions can reduce costs by automating many manual processes and reducing the need for a large security team.

With the high number of endpoints in most organizations, having an Endpoint Detection and Response (EDR) platform in place is critical to defend against a wide range of cyber threats, such as malware, ransomware, and advanced persistent threats (APTs). MEDR is particularly useful for large enterprises that have a large number of endpoint devices and require a centralized solution to manage security incidents. Having an MEDR solution, or MEDR as a Service, allows large organizations to better protect themselves with automated remediations against high fidelity threats.

What’s the Difference?

In conclusion, MDR, XDR, and MEDR are all valuable security solutions that can help organizations detect and respond to security threats. The best solution will depend on the specific security needs of an organization. It’s important to understand the pros and cons of each solution and choose the solution that best meets the organization’s specific security needs.

As cyber threats continue to evolve, it’s increasingly important for organizations to understand the various security solutions that are available to help protect against these threats. MDR, XDR, and MEDR are all valuable solutions that can help organizations detect and respond to security incidents, but they each have different strengths and weaknesses. By understanding these solutions and choosing the best one for their specific needs, organizations can reduce the risk of data breaches and other security incidents.

Proficio offers a wide range of cybersecurity services to help your organization stay better protected. To learn how Proficio can help you, contact us.

Cyber Insurance in 2023: What Every Organization Should Know

/by

In the last few years, cybercrime has increased considerably, often leading to significant costs, reputational damage, and operational disruptions to the companies affected. And while there is no full-proof way to avoid an attack, many organizations are taking steps to further reduce their risks. On top of this, these organizations often take additional steps to reduce the high costs of dealing with a security breach if one were to occur.

Enter cyber insurance—also known as cybersecurity insurance or cyber liability insurance.

Having cyber insurance coverage has become imperative for many organizations due to the rise of cyber incidents and the growing sophistication of these attacks, paired with the potential financial impacts of a successful breach.

In fact, the global cyber insurance market is projected to grow from $12.83 billion in 2022 to $63.62 billion by 2029. This growth is largely driven by the continued rise in the number of data breaches, as well as a greater awareness of cyber risks.

While there is no question having cyber insurance is smart, organizations are often challenged when sorting through the options. Not only do organizations need to understand exactly what each policy covers, but they also must determine the types of digital assets they need to protect to satisfy the basic insurance requirements and they have to worry about getting approved (or if currently covered, how they can avoid the steep increase in premiums). Let’s take a deeper look:

What Do Cyber Insurance Policies Cover?

While cyber insurance can’t prevent a breach or a security incident from happening, this type of policy helps organizations more successfully weather the storm when a data breach or network security failure takes place. Typically, cyber insurance policies cover the following:

  • Breach costs: Costs associated with responding to a breach, including identifying the breach, alerting affected individuals, credit protection services, and crisis management/public relations costs.
  • Cyber extortion: Response costs and financial payments associated with network-based ransom demands.
  • Cybercrime: Financial losses associated with social engineering and funds transfer fraud.
  • Business Interruption: Lost business income that takes place when a company’s network-dependent revenue is interrupted.
  • Data recovery: Costs required to replace, restore, or repair damaged or destroyed data and software.
  • Privacy protection: Costs to resolve claims with regard to the handling of personally identifiable or confidential corporate information.
  • Digital media: Costs to resolve claims related to online content, such as copyright or trademark infringement, invasion of privacy, and defamation.

While cyber insurance provides fairly comprehensive coverage, it is very important to note that not every cost or claim is covered. The following is typically not covered by most cyber insurance policies:

  • Criminal proceedings: Claims brought in the form of a criminal proceeding, such as a criminal investigation, grand jury proceeding, or criminal action.
  • Funds transfer: Other than transfers associated with cybercrime coverage, most uncovered claims include loss, theft, or transfer of funds, monies, or securities.
  • Infrastructure interruption: Claims stemming from failure or interruption of water, gas, or electric utility providers.
  • Intentional acts: Fraud, dishonesty, criminal conduct, or knowingly wrongful act of the business or its employees.
  • Property damage: Property damage stemming from a data breach or cyberattack, such as hardware that was destroyed during the cyber incident.
  • Intellectual property: Property losses and lost income associated with attacks are commonly excluded from coverage.
  • Costs for proactive preventive measures: Measures to avoid a future attack, such as training employees or developing an incident response plan.

Common Insurance Requirements

Most insurance companies require organizations to have certain safety protocols in place before being accepted for coverage. While these requirements tend to vary by insurance company and by the size of the company being insured, today’s insurance companies they all require organizations to have some basic security controls in place.

The reason for this is quite simple: insurance companies need to know organizations are addressing the highest likelihood of attacks, which in turn reduces the insurance company’s risk. And while most insurance companies currently allow organizations to self-verify these requirements, the industry is moving in the direction of requiring a professional IT service company to confirm that these standards are in place and up to date.

These requirements typically include the following:

  • Centralized security device log collection and threat detection analytics platform (Security Information and Event Management (SIEM) monitoring)
  • Active 24×7 security event monitoring, investigation, and alerting (Security Operations Center or SOC)
  • Active incident response and threat remediation
  • Regular software patching and automatic updates
  • Strong endpoint security, often times an Endpoint Detection & Response (EDR) solution
  • Access control methods to protect critical systems, apps, and data. These include multi-factor authentication, least-privilege access policies, securing system administrator access to key data, and securing third party access to all systems.
  • Use of strong password management policies
  • Backup and disaster recovery methods that employ cloud or off-premises offline storage
  • Financial controls to verify fund transfers and access change control requests
  • Data protection methods for personal or other private information, including encryption and network segmentation
  • Use of network security methods, such as network segmentation and firewalls
  • Adhering to common email security recommendations
  • Employee management policies to control account access
  • A specific security risk manager employed by the organization
  • Employee security training
  • Formal incident response plans
  • Written privacy and data security policies

Selecting a Policy – and Getting Approved

When selecting a cyber insurer, organizations should consider several factors, including the financial stability of the insurer, the type of coverage provided, and the cost. It is also important to keep in mind that some insurance companies provide supplementary services to help protect against and respond to breaches, while others have strong partnerships with cybersecurity vendors to help mitigate a breach.

If you are trying to get approved for cyber insurance, and want to get lower rates, it’s critical you not only have the bare minimum requirements in place, but also take extra precautions to ensure you’re a desirable candidate for cyber insurance. Many organizations are looking for outside security vendors that will not only help them be more secure, but also will ensure they check off the requirements for cyber insurance approval.

Logging and Monitoring of Event Logs

One of the top requirements from cyber insurance providers is log monitoring. Proficio’s Managed Detection and Response (MDR) solution provides you all the benefits of having a SIEM, without the complexity of owning and managing it through our shared SIEM service. For those with a current SIEM, Proficio can help you manage the platform and provide content from our large library of threat detection use cases. Proficio also provides 24×7 Security Operations Center monitoring, alerting and response solutions with either our SIEM and SOAR (Security Orchestration and Automated Response platform) or utilizing your security tools and platforms.

Patch Management/Vulnerability Management

Knowing what systems are most vulnerable enables your team to quickly patch the biggest risks first. With Proficio’s Risk-Based Vulnerability Management (RBVM), you can prioritize patching based on the risk of a vulnerability being exploited and the relative importance of each system. In addition, Proficio offers security device management to help you ensure your security devices are being maintained to vendor-recommended best practices.

Endpoint Detection and Response

Many of today’s biggest data breaches were the result of a cybercriminal getting access to one endpoint, and laterally moving through their networks. Proficio’s Managed Endpoint Detection and Response (EDR) helps you secure their critical devices through device monitoring and management, helping to detect risks in real time.

When it comes to cyber insurance requirements, Proficio can also help with the scenarios such as:

  • You have a new requirement for security log collection, active threat monitoring, and threat response solution
  • You have an MSSP but want a new provider with better threat detection and response capabilities
  • You had a breach and need a provider (new or replacement)
  • You have an internal SOC but are having trouble keeping staff and getting desired outcomes

As we enter into a new year and cybercrime hits record highs, it seems inevitable for every business to be affected in some way. And as a result, preparation is key. There is no question that cyber insurance is a great way to mitigate risk but remember – having insurance does not reduce your risk. However, cyber insurance is a great layer of protection to add to your complete security stack.

To learn more about how Proficio can help you choose the right cyber insurance for your organization, click here.

Cybersecurity Predictions for 2023: Looking Ahead

/by

The last few years have been difficult for all of us and for many, and unfortunately, 2022 did not bring the reprieve we were hoping for. Not only did we experience ongoing supply chain issues and extreme staffing shortages, but we were forced to navigate soaring inflation and economic turmoil, as well as overall political unrest.

Alongside all these problems is the growth of cyberattacks, both on individuals and organizations—and this trend is expected to continue, with increasing frequency and sophistication. And while the pandemic accelerated the digital transformation trend, it has also created new opportunities for cybercriminals to attack.

Cybersecurity continues to be a major concern for corporate America. In fact, most of today’s security and risk leaders understand that if their organization incurs a successful cyberattack, it will cause momentous disruptions to business. While we continue to battle the ever-changing threat landscape, proper planning, and effective solutions can be developed to reduce the potential risk and damage. The key is to be prepared for the road ahead.

Here are the four cybersecurity predictions we expect to see in the coming year:

Increased Measures for Ransomware

Given the continued rise of ransomware attacks on organizations, we expect to see an increase in the number of countries passing legislation to control payments, fines, and negotiations. This change will encourage organizations to be more proactive in their cybersecurity and ensure they follow proper procedures when an incident occurs.

With or without governments involvement, it will become imperative for companies to employ solutions that help to prevent attacks. For example, in a 2021 White House cybersecurity mandate, multi-factor authentication (MFA) to secure access was named as an important preventative measure. Having an MFA tool is also a requirement of many of today’s cyber insurance policies in an effort to control points of exposure. In general, there will be more steps taken – both at the organizational and government levels – to help ensure we stay ahead of cybercriminals.

Supply Chain Attacks

The number of cyberattacks related to third-party vendors is undoubtedly on the rise. However, only a small percentage of security and risk managers are currently checking external vendors for security exposure.

As this trend continues, organizations will begin to make cybersecurity risk a determining factor in doing business with third parties. This will range from simple oversight of a critical technology vendor to complex due diligence for mergers and acquisitions. In fact, according to research from Gartner, by 2025, 60 percent of companies will use cybersecurity risk as a determining factor when conducting third-party business transactions and engagements.

Vendor Consolidation

Consolidation of security vendors will be another popular trend. Studies show that many CISOs have a high number of tools in their cybersecurity portfolio. Because purchasing a mix of tools from different security vendors can result in complex security operations and increased requirement for security headcount, it is becoming vital to have less vendors and more consolidated solutions. And many single-vendor solutions offer better security effectiveness and efficiency for today’s businesses. As a result, organizations are creating strategies to unify their security toolset to reduce vendor fatigue and simplify their security operations.

Passwordless Authentication in Partnership with a Zero Trust Framework

Going passwordless and developing a Zero Trust framework, requiring rigid authentication to gain access to a system, will continue to grow in popularity in the coming year. In fact, studies show that more than half of the organizations surveyed already have a Zero Trust initiative in place, and more than 95 percent of organizations plan to embrace Zero Trust as a starting point for security in the next 12 to 18 months.

Additionally, passwordless authentication will help make the implementation of Zero Trust more effective in achieving a layered approach to security. By using approach, instead of relying on just a password as a form of verification, organizations will depend on more secure authentication methods, such as biometrics and AI-powered verification. This takes into account numerous factors to grant, verify, or deny access.

Looking Ahead

Our world has changed enormously. Not only have businesses had to adjust to numerous ups and downs related to the pandemic, but they have had to adopt new technologies that support a different type of workforce. As we enter 2023, we must think about our security efforts and how we can continue to be vigilant about protecting our organizations against cybercriminals. We can use lessons learned not only to make cybersecurity predictions for 2023, but also to better help us manage risks and defend against the increasingly complex cyber threat landscape.

No matter what your cybersecurity plans are for the coming years, Proficio’s team of security experts is here to help. Our services help organizations mitigate cybersecurity risks, so you can be confident your networks are protected 24/7. To learn more about how Proficio can help your organization stay safe, contact us.

Three Cybersecurity Strategies for Healthcare Leaders in a Digital-First World

/by

This post was originally published on elastic.co. Blog by Suranjeeta Choudhury, Elastic, and Carl Adasa, Proficio.

From on-demand healthcare services like telehealth to wearable technologies, predictive healthcare to blockchain technologies for electronic health records, 5G for healthcare services to AI and augmented reality for state-of-the-art medical treatments, the healthcare industry is at an inflection point. These digital transformations also bring along elevated cybersecurity risks. Earlier this year, in a comprehensive cybersecurity benchmarking study conducted by ThoughtLab, the healthcare industry was found to be lacking in maturity from a cybersecurity implementation standpoint, to be placed only slightly ahead of the media and entertainment industry and industrial manufacturing.

[Download the report: Cybersecurity solutions for a riskier world]

Healthcare companies can take advantage of some proven cybersecurity strategies, accelerating their readiness to operate in a highly digital world.

Continuous monitoring of critical assets

On an average, organizations take 128 days to detect a breach – a timeline that could completely cripple mission critical applications and services in healthcare. To detect a threat in real-time, healthcare companies need the ability to continuously monitor their critical assets, analyze user behavior in their networks, track smart devices, and look for anomalies in events and end-user activity. Choosing the right SIEM solution can be the very first step in addressing vulnerabilities across people, processes, and technologies. Infact, the COO of a German healthcare provider believes that his organization’s investment in the right SIEM was the most effective cybersecurity investment towards detecting and identifying threats at scale and even recommending the right remediation plan.

[Check out the SIEM buyer’s guide to help you pick the right SIEM for your business.]

Outsourcing security operations for enhanced security with optimal spend

Approximately 30% of the world’s data volume is generated by healthcare.  In a post-pandemic world, this trend will only see an uptick with massive data collection efforts to thwart risks of another pandemic. Compound that with the unprecedented shortage of skilled cybersecurity workers , and we can see why many healthcare firms prefer to outsource security operations to managed security service providers (MSSP) and managed detection and response (MDR) firms. MSSPs and MDRs can help healthcare organizations with their cybersecurity needs by bringing in industry best practices, monitoring and responding to cyber threats for healthcare services and assets 24/7, and relieving internal resources for better patient care and healthcare services, while ensuring organizations remain fully compliant to mandates like the Health Insurance Portability and Accountability Act (HIPAA).

[Find out how Proficio helps healthcare organizations meet stringent cybersecurity needs.]

[Learn more about Elastic Security and Compliance.]

Protecting applications and workloads in the cloud

While compliance, operational agility, and better patient care have driven cloud adoption in the healthcare industry, cloud security continues to be a major challenge . Legacy security solutions are not designed to cope with the complexity and ephemeral nature of cloud-based applications.

Cloud adoption is also a journey and as multi clouds and hybrid cloud architectures evolve, healthcare organizations will need security solutions that can protect their workloads, irrespective of where the information resides and how it flows in the data architecture. Having access to security experts and their research work can be of significant advantage to internal IT and security teams in reducing mean time to identify, detect, and respond to threats in the network. Healthcare companies can also seek support from MSSPs and MDRs to configure their systems correctly, avoiding security loopholes and as needed, consult experts for their overall security strategy along their cloud transformation journey.

[Learn more about Elastic Security Labs.]

Towards a better patient experience

In today’s digital first world, cybersecurity is an imperative, especially when it comes to a mission critical service such as healthcare. The healthcare industry needs trusted partners in security to continue delivering the best patient care while keeping their patient data secure. It also needs the right tools, processes, and people to minimize the impact in case of an unfortunate security breach. Find out how Elastic Security and Proficio can bring the best of security solutions and managed security services.

The Top Cyberattacks on Small & Medium Businesses

/by

Not long ago, it seemed that cybercriminals were mainly targeting large companies. As bigger targets, they may have more gaps to sneak in…and oftentimes, more risk to data and reputation. But times have changed, and for many of today’s small- and medium-sized businesses (SMBs), they know this is no longer the case. In fact, some reports indicate the number of cyberattacks on SMBs are significantly higher than attacks on larger companies. According to a 2021 study, small businesses experience 350 percent more social engineering attacks than those at large businesses.

To make matters worse, it is challenging for SMBs to recover from a cyberattack given their limited resources. A recent report revealed that the cost of a cyberattack on SMBs created losses of more than $2.5 million, on average. In addition to the steep financial damage, these smaller businesses must navigate the serious reputational damage that often results from these attacks – which sometimes may be too much to recover from.

With all of these things working against SMBs, it’s no wonder that cybercriminals are changing their focus. They know these business leaders tend to have limited resources when it comes to IT security, which may mean they have less rigorous defenses, as well as less time and manpower to apply toward cyber protection. And this makes them appear to be much easier targets for hackers.

But this doesn’t have to be the case. To help lessen the risk of cyberattacks on SMBs, it’s critical to understand some of the most common threats they face and how to best stay protected.

Phishing Scams

One of the most widespread and damaging threats facing small and medium businesses are phishing attacks. Phishing not only accounts for 90 percent of all breaches that organizations face, but they account for more than $4 million in business losses. These scams, which occur when attackers pretend to be a trusted contact or site, have become smarter and more targeted in recent years. Once a cybercriminal successfully lures a user to click a malicious link, download a malicious file, or provide access to sensitive information, account details, or credentials, they can unlock the door to much more far reaching company data.

To avoid these types of cyberattacks on SMBs, companies should provide their users with comprehensive cybersecurity training. Tips should include:

  • Always ensure the sender and email address match and verify all links before you click them
  • Double-check with senders to ensure they sent the email
  • Verify the legitimacy of emails via your IT team.
  • Never post or email sensitive/personal information online

Cybersecurity training for employees is a critical step, but it’s also good to have your backend configured well– if and when an attacker breaks into your organization. These include:

  • Ensuring you consistently back up data
  • Maintaining software updates and patches
  • Using an email filtering program
  • Developing protocols to verify suspicious communications, and how users can report them (also part of employee training)

Ransomware

Ransomware is the type of malware most people are familiar with. When installed, it prevents users from accessing their systems/personal files and demands payment to regain access. This information, which typically includes passwords, files, databases, credit card details, personal information, or other valuable assets, is critical to a business so once activated, businesses will scramble to get back online. These types of cyberattacks on SMBs are commonly spread through email spam and network attacks.

According to a recent study, 84 percent of SMBs are concerned about a ransomware attack impacting their business, and 60 percent are not confident–or only somewhat confident– that they can fend off a ransomware attack.

Your best offense is a strong defense. While it’s not always possible to stop these attacks, there are some things you can do to catch them before they cause too much damage. Setting up endpoint security and antivirus software is a good starting point, as long as you ensure they are kept updated. More importantly, having monitoring set up helps you catch the early signs of an attack, so you can stop the malicious behavior before it does serious damage. If you don’t have the team in-house to support this 24/7, look for a security partner who can help you improve your security defenses.

Insider Threats

The actions of current and former employees, contractors, vendors, partners, and associates can lead to devastating results if not properly managed. Many of these individuals have access to vital company data, which if in the wrong hands, can cause harm to your organization—either by accidentally clicking a malicious link or intentionally stealing or leaking company data. Studies found that 60 percent of data breaches were caused by insider threats, and the current average annual cost of an insider threat is more than $11 million.

Building a strong culture of education and cybersecurity awareness within an organization is an important step to blocking insider threats. Additionally, organizations should have a thorough new hire screening and off-boarding process, and create security policies and use cases to detect misuse of company resources.

Weak Passwords

While the recommendation of setting a strong password has become a commonplace, the amount of individuals using weak passwords is still high, making this another problem that make it easy for cybercriminals to attack SMBs. In fact, studies show that 59 percent of professionals use their name or birthdate in their password, and 43 percent regularly share their passwords.

This is why many of today’s businesses are choosing to implement multi-factor authentication (MFA) technologies. This second layer of protection forces users to employ more than just a password to access business accounts. It’s not full proof (and surprisingly, a lot of businesses still haven’t implemented this), but it does help to prevent identity attacks. In addition, it is essential to implement and enforce a strong password policy, making sure passwords should consist of more than 12 characters, as well as random numbers, symbols, and letters, and must be changed on a regular basis.

Protecting your Business

While there are many different cyberthreats out there, there are several ways you can reduce the likelihood of a cyberattack on your SMB. If you don’t have the internal resources to stay protected, Proficio can help. We tailor our security services to help SMBs mitigate the risks of cyber threats, so you can be confident your organization is protected.

To learn more about how Proficio can help your organization stay safe, contact us.