Best Practices for Endpoint Security

In today’s highly technical world, endpoint devices are everywhere. Endpoint devices, such as employee workstations, laptops, tablets, and smartphones, connect to and communicate with an organization’s network. Because they are woven into that network, compromising a single endpoint is often enough for a threat actor to move through the organization and cause harm.

Studies show that 61 percent of businesses have 1,000 or more endpoint users on their networks. Endpoints are a critical part of daily business and are also targets for a wide range of cyberthreats, which is why endpoint security should be a priority for all organizations.

As is often the case in cybersecurity, the best defense of endpoints is a good offense. But where do you start? We’ve put together a guide to endpoint security best practices so you can better prepare your organization.

Why Prioritize Endpoint Security?

If you think of endpoints as entryways into your network, it’s clear that securing every endpoint against malicious actors is important or you could be leaving the back – or even front – door open to cybercriminals.

For organizations offering flexible work options, the increase in mobile working and remote employees introduces greater security risks to endpoints. As users connect to your company’s network and access business resources from off-premises devices or in the cloud, traditional network perimeter controls are no longer sufficient to protect your company’s information.

A recent study found that 68 percent of surveyed companies experienced one or more endpoint attacks that successfully compromised data and/or IT infrastructure. Cybercriminals and nation-states carry out increasingly sophisticated attacks on endpoints to:

  • Access valuable assets, including trade secrets or intellectual property
  • Exfiltrate data
  • Disrupt important services

The financial and reputational impacts of cyberattacks make it imperative for companies to take a comprehensive approach to endpoint security and use effective measures that combat modern cyberthreats.

While there are many different threats to endpoints, both internal and external, here are some of the most common:

  • Ransomware/Malware
  • Unpatched Vulnerabilities
  • Fileless Attacks
  • Compromised User Accounts

Following some endpoint security best practices puts the foundations in place to protect your networks from the range of cyber threats that inundate companies daily. These include:

  • Consistent Updates
  • Endpoint Security Tools
  • Employee Awareness
  • Detection and Response



Why An MDR Service Provider for Healthcare Organizations Makes Sense

Healthcare organizations collect and process a lot of sensitive data, making them a prime target for opportunistic cybercriminals. Managing security in-house is a complex undertaking, which is why many healthcare organizations look to outsource some or all of their security needs. Here are our top three reasons partnering with a managed detection and response (MDR) service provider for healthcare organizations makes sense.

#1: Security Expertise

According to ISACA’s State of Cybersecurity 2021 report, over half of surveyed organizations still have unfilled cybersecurity positions, indicating the cybersecurity skills shortage shows no sign of slowing down. By partnering with an MDR service provider, healthcare organizations can take advantage of expert 24/7 security monitoring, threat detection, alerting, and response services that they need to deal with constant threats like ransomware, without having to build an in-house security operations center (SOC).

Partnering with an MDR service provider is a more cost-effective way for your healthcare organization to get 24/7 monitoring of its networks and continuous access to security professionals. A provider with extensive healthcare security experience will also be able to provide recommendations on how to quickly improve your security posture, incorporating practices such as business context modelling, segmentation into trusted network zones, and controlling access to critical medical devices and infrastructure.

By outsourcing your security monitoring, you don’t have to worry about these staffing challenges; you only have to focus on the actionable alerts sent by your provider and can spend the rest of your time on other priorities.

#2: Advanced Threat Discovery and Response

Due to the sensitivity of healthcare files and the critical nature of their services, cybercriminals use a wide range of techniques, including ransomware, phishing and web application attacks to target healthcare organizations. Compounding the problem is that healthcare organizations have complex IT infrastructures, often with multiple locations, diverse departmental applications and legacy systems, plus patient and physician web portals.

Choosing an MDR service provider for healthcare organizations can provide advanced threat discovery by combining expertise with industry best practices such as the NIST cybersecurity framework to ensure your data is protected.

Threat Detection Use Cases

Partnering with an MDR service provider for healthcare organizations gives you access to its industry knowledge as well as its already-built library of threat detection use cases. This library typically includes support for a range of security tools and vendors and looks for specific indicators of attack or suspicious behavior to better detect threats. A good security team will send you actionable alerts for any critical threats and provide recommended next steps, so you can have more confidence that you’re keeping your networks secure.

In addition, an MDR service provider’s use case library is constantly changing, with new content being added to keep up with the ever-evolving threat landscape. Best practices also suggest that outdated content gets removed or updated, to make sure logs are only being run through relevant and useful use cases.

It would be highly challenging for an individual organization, starting from scratch, to build up a matching use case library, and unless a dedicated team works on adding and updating the content, there is still a high probability of missing new threats. Modern MDR service providers have a team specializing in keeping their fingers on the pulse as new threats emerge.

Threat Hunting

Many MDR service providers also have a dedicated team for threat hunting, so they can be quick to react to any new threats in the wild. A team that operates globally provides additional benefits as the teams in each region can communicate information about threats local to their environment that may help hunt down new threats before they gain a foothold in another region. This is an added benefit of an MDR service provider for healthcare organizations that wouldn’t be feasible with a small local team.

For example, the local team in Asia may find a healthcare organization in their region is the target of a specific ransomware attack. The team can communicate information about this attack to other regional teams who can proactively, and extensively, search their clients’ network for any sign of the same threat.

Automated Response

For quick containment of credible threats, MDR service providers may offer a Security Orchestration, Automation and Response (SOAR) capability that provides further protection of your critical assets. Automated response is designed to act only on high-fidelity detections, and can stop attacks before they expose sensitive patient information or bring down critical IT systems, mitigating a potentially devastating data breach.

The MDR service provider continually tunes and refines their rules to make sure they can detect the most relevant threats. Automated actions may include blocking an IP address or a compromised device from outbound communication, forcing a password reset on a compromised account, quarantining a device from your network, or proactively blocking newly detected attackers found in other networks via threat hunting.
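As an added example (not the page's or Proficio's own SOAR content), here is what a policy-gated version of the actions listed above looks like in Python: a planner that maps a detection to quarantine, IP block and password reset, but only fires on high-fidelity alerts, hands isolation of tagged clinical devices to a human, refuses to perimeter-block internal addresses, and treats service accounts differently. The confidence threshold, asset tags, network ranges and the sample alerts are all assumptions.

```python
"""Policy-gated automated response.  Added example, not a vendor's playbook:
a high-fidelity alert is mapped to containment actions, and anything risky
(protected clinical assets, internal sources, service accounts) is routed to
an analyst instead.  Thresholds, tags and network ranges are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

# Assumed organisational policy.  In practice these come from the asset
# inventory and the response agreement signed off with the client.
MIN_CONFIDENCE = 90                       # only high-fidelity detections auto-act
PROTECTED_TAGS = {"medical-device", "domain-controller"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
SERVICE_ACCOUNT_PREFIX = "svc_"


@dataclass
class Alert:
    name: str
    confidence: int            # 0-100, assigned by the detection use case
    host: str
    host_tags: Set[str]
    user: Optional[str] = None
    attacker_ip: Optional[str] = None


def plan_response(alert: Alert):
    """Return the actions safe to automate and the decisions handed to an
    analyst.  Nothing here executes; a SOAR runner would carry out `actions`
    and open tickets for `escalations`, logging both for audit."""
    actions: List[tuple] = []
    escalations: List[str] = []

    if alert.confidence < MIN_CONFIDENCE:
        escalations.append(
            f"{alert.name}: confidence {alert.confidence} < {MIN_CONFIDENCE}, analyst review only")
        return {"actions": actions, "escalations": escalations}

    # 1. Isolate the device, unless pulling it off the network is itself a safety risk.
    protected = alert.host_tags & PROTECTED_TAGS
    if protected:
        escalations.append(
            f"{alert.host} is tagged {sorted(protected)}: isolation needs human approval")
    else:
        actions.append(("quarantine_host", alert.host))

    # 2. Block the attacker address at the perimeter, but never an internal one:
    #    that is a lateral-movement source to investigate, not a firewall entry.
    if alert.attacker_ip:
        ip = ip_address(alert.attacker_ip)
        if any(ip in net for net in INTERNAL_NETS):
            escalations.append(f"{ip} is internal: investigate the source host instead of blocking")
        else:
            actions.append(("block_ip", str(ip)))

    # 3. Reset the compromised account; service accounts are disabled by hand
    #    so that a reset does not silently break whatever depends on them.
    if alert.user:
        if alert.user.startswith(SERVICE_ACCOUNT_PREFIX):
            escalations.append(f"{alert.user} is a service account: coordinate disable with owner")
        else:
            actions.append(("force_password_reset", alert.user))

    return {"actions": actions, "escalations": escalations}


# Constructed alerts, not real incidents.
WORKSTATION_RANSOMWARE = Alert("Ransomware precursor: mass file rename", 96, "WS07",
                               {"workstation"}, user="jdoe", attacker_ip="203.0.113.45")
INFUSION_PUMP = Alert("Beaconing to known C2", 95, "PUMP-12",
                      {"medical-device"}, user="svc_pump", attacker_ip="10.0.0.77")
LOW_FIDELITY = Alert("Unusual logon hour", 60, "WS03", {"workstation"}, user="asmith")

if __name__ == "__main__":
    for a in (WORKSTATION_RANSOMWARE, INFUSION_PUMP, LOW_FIDELITY):
        print(a.name, plan_response(a))
```

The point of separating `actions` from `escalations` is that the provider can show a client exactly which changes the service will make on its own and which always wait for a person, which is the buy-in conversation that has to happen before automation is switched on.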

#3: Compliance

For healthcare organizations, ensuring continued compliance with regulations such as HIPAA creates additional challenges and workload for internal teams. Failing a compliance audit can result in hefty fines, and data breaches typically bring high legal costs, patient harm, and reputational damage. Research indicates that healthcare organizations incur the highest breach costs of any industry, at $499 per breached record.

A compelling reason to consider an MDR service provider for healthcare is that you can partner with a company that fully understands these specific data protection regulations and requirements. For many, the HIPAA requirements for data storage and paper trails are numerous and ambiguous; partnering with an expert can provide your healthcare organization with best practice guidance and audit preparation for HIPAA compliance so you’re better prepared.

In addition, many MDR service providers for healthcare organizations undergo industry-standard attestations, such as SOC 2, that demonstrate they follow strict information security policies and procedures. Partnering with a provider that can show such a report gives you added confidence your data is protected.


Choosing an MDR service provider for healthcare organizations may not be an easy choice for everyone. But in a world of ceaseless attacks, sophisticated threats, and high data breach costs, outsourcing your security monitoring to a dedicated team of professionals who can protect your patient information 24/7 often makes sense. By finding the right partner, you can find a cost-effective security option that will reduce your information security risks and strengthen your cybersecurity posture.


Lessons Learned: Ransomware Attacks in 2021

While ransomware attacks in 2021 show no sign of stopping, several high-profile incidents in the first half of the year gained swift notoriety, either for the scale of damage they inflicted or for the targets they chose. Here are four of the biggest attacks, and the lesson that can be learned from each.

Colonial Pipeline

A natural place to begin is with one of the most severe cyber-attacks ever to target critical infrastructure in the United States. Carried out by the DarkSide ransomware group, it has been one of the most newsworthy ransomware attacks of 2021, hitting the IT environment tied to a pipeline system that extends from Texas to New York.

Attackers used a leaked password for a VPN account that did not have multi-factor authentication enabled to gain access to the Colonial Pipeline network. The attack was noticed on May 7, 2021, when an employee saw a message on a computer screen in the control room demanding a cryptocurrency payment. An operations supervisor responded by taking the unprecedented step of shutting the entire pipeline down.

Colonial Pipeline decided to make the ransom payment of $4.4 million in bitcoin – and as a positive turn, with the help of the FBI, part of the payment has been recovered. The disruption to the pipeline lasted five days before normal operations resumed.

Takeaway: Use multi-factor authentication so that even if a password becomes compromised, hackers need to provide an additional category of evidence to access a resource on your network.

Acer

Taiwanese computer manufacturer Acer became the victim of another notable ransomware attack in March 2021. It’s believed a Microsoft Exchange vulnerability provided an entry route into Acer’s network.

The REvil ransomware group demanded a $50 million payment to return stolen data, releasing samples on the dark web. It’s not publicly known whether Acer paid the ransom.

Takeaway: Hacking groups don’t keep a 9-5 schedule. It’s critical for organizations to use 24/7 monitoring solutions that constantly seek out new types of attacks, critical vulnerabilities, and suspicious behavior on your network. A dedicated security operations team can provide 24/7 incident monitoring, detection, and response.

Sierra Wireless

Among several high-profile technology companies hit by ransomware attacks in 2021 was the wireless communications equipment designer and manufacturer, Sierra Wireless. The attack targeted both the company’s internal IT systems and corporate website.

Production at the company’s manufacturing locations was temporarily halted while the company quickly initiated measures to counter and contain the damage. While the internal network and corporate website remained affected for a few days, any customer-facing products and services weren’t impacted.

Takeaway: The speed of Sierra Wireless’s response shows why rapid threat containment matters. Fast action can make the difference between an attempted intrusion and a devastating breach, which is why automated response capabilities are essential for modern organizations.

Scripps Healthcare

Finishing things off is one of the most targeted industries – healthcare. In May 2021, a hospital in our own backyard was taken offline for almost a month due to a sophisticated ransomware attack.

While not much is currently known about this attack, during the same timeframe we saw a similar attack take down Ireland’s Health Service Executive. That attack began with an employee who unknowingly clicked a malicious link, and the cybercriminals demanded almost €15 million to return 700 gigabytes of confidential patient data.

Takeaway: Opportunistic attackers do not take ethical or moral considerations into account when choosing targets. Recognizing the signs of a ransomware attack in its early stages is key to stopping it before it spreads through your networks.



While the ransomware attacks in 2021 that make media headlines often involve public infrastructure, health services, and large corporations, these incidents can happen just as easily on small to medium businesses. As we often say – it’s not a matter of if you’ll be attacked, but when – so regardless of the size of your company, preparation is vital to staying safe.

#HowTo: Identify and Appoint the Right Security Partner for Your Organization

This article originally appeared in InfoSecurity Magazine

In the field of cybersecurity, finding a partner you trust can be daunting. It’s an area that still creates uncertainty within many organizations, so it’s no wonder many cybersecurity executives may be hesitant to make this move.

But given the mounting list of CISO challenges, from justifying resource requirements to demonstrating a team’s effectiveness, more and more organizations are looking into outsourcing some, or all, of their cybersecurity.

So, how do you know if partnering is right for you?

The Advantages of Partnering with a Security Provider

Many people wait until after they have suffered an attack or been dinged on a compliance audit to look for a partner, putting them in a rushed situation to make a selection. However, creating a symbiotic relationship takes time – and if done correctly, is a great way to help improve your cyber posture in both the near and long-term…


The Cybersecurity Acronym Overload

What is the difference between an MSSP and an MDR service provider (and everything in between)?

As any industry evolves, it is common for new categories of products and services to proliferate. In the case of cybersecurity services, many of the new services have been introduced to respond to the evolving threat landscape or to support new technologies – but in some respects, it’s also become a way for vendors to differentiate themselves.

So, it is not surprising that questions like, “what is the difference between an MSSP and an MDR service provider,” and “what is a SOC-as-a-Service provider” are some of the top managed security services Google searches.

As a co-founder of Proficio I have a unique perspective on how this proliferation of labels came about and what the future holds.

People, Process and Technology

These three pillars are the building blocks of security operations. People, process, and technology are the threads that run through MSSP, MSS, SOC-as-a-Service (SOCaaS), MDR, and XDR services. Many organizations, however, lack the budget to achieve desirable cybersecurity outcomes on their own, which is why the managed security services industry exists.

Let’s quickly put some context around each:

People

The difficulty of hiring and retaining cybersecurity experts is one of the primary motivations behind outsourcing security operations to service providers. People challenges are due in part to the cyber skills gap and in part a function of scale. Large organizations are better able to staff a 24/7 SOC (which requires a minimum team of 10 to 12 people) and train their teams on technologies like AI, next-generation endpoint software, and cloud infrastructure. Medium-sized organizations (and smaller) are often not big enough to dedicate headcount to specialist roles like SIEM Administrator, Content Developer, Incident Responder, or Data Scientist.

Process

Process is the glue that ensures consistent and effective action. It encompasses the definition of roles and responsibilities, workflow, policies and procedures, and more. The time and effort needed to harden and document processes is frequently underestimated. Look back at some of the largest security breaches and you will find process issues in many of them. The 2013 data breach of the retail giant Target is a prime example: while multiple issues contributed to that breach, the fact that Target’s SOC did not act on FireEye alerts meant the intrusion went undetected. How an indicator of compromise is investigated and remediated is fundamentally a process issue.

Technology

Technology is the third building block supporting security operations. Building and managing a cybersecurity technology stack is challenging, and doubly so for organizations with limited resources. The complexity of Security Information and Event Management (SIEM) software is often reason enough for businesses to turn to managed service providers. SIEM systems collect event logs from an organization’s network, endpoints, cloud infrastructure and security tools; the log data is analyzed and alerts are generated for investigation and remediation. However, the quality of the alerts is only as good as the data ingested by the system and the rules and use cases used to filter and prioritize them. While there are tips for maximizing the value of your SIEM, time erodes its efficacy: products and log formats change, new threats make old rules irrelevant, and the experts who originally set up the SIEM often move on to greener pastures.

What is a Managed Security Services Provider (MSSP)?

The role of an MSSP starts with log management, as collecting and retaining logs is a requirement for compliance mandates like PCI and HIPAA. But before centralized log management, the event data collected from each security device was siloed. As a result, if a firewall engineer saw an alert for a port scan and a Windows administrator saw failed login attempts followed by a successful login, they may not realize that the same host is involved in both events. Minimally, an MSSP is responsible for alerting their clients to threats and suspicious events with the goal of reducing the risk of a security breach. MSSPs offer a wide range of capabilities including vulnerability management, incident response, and pen testing.
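The firewall-engineer-versus-Windows-administrator scenario above is exactly the correlation a SIEM use case performs once both sources land in one place. As an added example (not the page's or Proficio's own content), here it is in Python over constructed firewall and Windows logon log lines: each source is parsed into a common event shape, events are keyed on the target host and source address, and a finding is raised only when a port scan is followed by repeated failed logons and then a successful one from the same source within a time window. The log formats, field names, thresholds and window are assumptions.

```python
"""Correlating a firewall port-scan alert with Windows logon events on the
same host, the way a SIEM use case would.  Added example with constructed
log lines; formats, field names, thresholds and the time window are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: one IDS port-scan line per event, and Windows
# Security log events flattened to key=value text (4625 = failed logon,
# 4624 = successful logon).  Not taken from any real environment.
FIREWALL_LOG = """\
2021-05-06T22:01:14Z fw01 IDS: PORT_SCAN src=203.0.113.45 dst=10.0.0.25 ports=1022
2021-05-06T22:05:02Z fw01 IDS: PORT_SCAN src=203.0.113.99 dst=10.0.0.40 ports=300
"""
WINDOWS_LOG = """\
2021-05-06T22:03:10Z host=FS01 ip=10.0.0.25 EventID=4625 user=jdoe src=203.0.113.45
2021-05-06T22:03:12Z host=FS01 ip=10.0.0.25 EventID=4625 user=jdoe src=203.0.113.45
2021-05-06T22:03:15Z host=FS01 ip=10.0.0.25 EventID=4625 user=jdoe src=203.0.113.45
2021-05-06T22:03:40Z host=FS01 ip=10.0.0.25 EventID=4624 user=jdoe src=203.0.113.45
2021-05-06T22:06:00Z host=WS07 ip=10.0.0.40 EventID=4624 user=asmith src=10.0.0.5
2021-05-06T22:30:00Z host=FS01 ip=10.0.0.25 EventID=4624 user=backup src=10.0.0.9
"""

FW_RE = re.compile(r"^(\S+) \S+ IDS: PORT_SCAN src=(\S+) dst=(\S+)")
WIN_RE = re.compile(r"^(\S+) host=(\S+) ip=(\S+) EventID=(\d+) user=(\S+) src=(\S+)")
WIN_EVENT_TYPES = {"4625": "logon_fail", "4624": "logon_ok"}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize(firewall_text, windows_text):
    """Turn both sources into one time-ordered list of events with the same
    keys, so the correlation logic does not care where a record came from."""
    events = []
    for line in firewall_text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m[1]), "type": "port_scan",
                           "target": m[3], "src": m[2], "user": None, "host": None})
    for line in windows_text.splitlines():
        m = WIN_RE.match(line)
        if not m or m[4] not in WIN_EVENT_TYPES:
            continue
        events.append({"ts": parse_ts(m[1]), "type": WIN_EVENT_TYPES[m[4]],
                       "target": m[3], "src": m[6], "user": m[5], "host": m[2]})
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, window=timedelta(minutes=15), min_failures=3):
    """Raise a finding when, for one (target host, source address) pair, a port
    scan is followed within `window` by at least `min_failures` failed logons
    and then a successful logon.  Each signal alone is routine noise; the
    sequence on one host from one source is what makes it an indicator."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["target"], e["src"])].append(e)   # preserves time order

    findings = []
    for (target, src), evs in by_pair.items():
        for scan in (e for e in evs if e["type"] == "port_scan"):
            deadline = scan["ts"] + window
            fails = [e for e in evs
                     if e["type"] == "logon_fail" and scan["ts"] <= e["ts"] <= deadline]
            if len(fails) < min_failures:
                continue
            success = next((e for e in evs
                            if e["type"] == "logon_ok" and fails[-1]["ts"] <= e["ts"] <= deadline),
                           None)
            if success is None:
                continue
            findings.append({
                "target": target,
                "host": success["host"],
                "src": src,
                "user": success["user"],
                "failed_logons": len(fails),
                "scan_at": scan["ts"].isoformat(),
                "compromised_at": success["ts"].isoformat(),
                # MITRE ATT&CK labels a use case library would attach to this detection
                "techniques": ["T1046 Network Service Discovery", "T1110 Brute Force"],
            })
    return findings


def run():
    return correlate(normalize(FIREWALL_LOG, WINDOWS_LOG))


if __name__ == "__main__":
    for f in run():
        print(f"{f['host']} ({f['target']}): {f['user']} logged on from {f['src']} "
              f"after a port scan and {f['failed_logons']} failed logons "
              f"({f['scan_at']} -> {f['compromised_at']})")
```

Note what does not fire: the scan of 10.0.0.40 is followed by a successful logon, but from an internal address with no preceding failures, so the use case stays silent. Keying on the (target, source) pair rather than on the host alone is what keeps that noise out.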

According to Wikipedia, “the roots of MSSPs are in the Internet Service Providers (ISPs) in the mid to late 1990s. Initially, ISP(s) would sell customers a firewall appliance, as customer premises equipment (CPE), and for an additional fee would manage the customer-owned firewall.” Today, MSSPs continue to manage security products such as firewalls, IDS/IPS, and WAFs on behalf of their clients. The management of security devices typically includes making configuration changes, patching, tuning, and health and performance monitoring. Managed Security Services (MSS) has been used to connote both device management and the security monitoring functions offered by MSSPs.

The terms fully managed and co-managed describe the service models used by MSSPs. Fully managed applies where security technologies, like SIEM software, are owned and operated by the MSSP and used for the benefit of their clients who are users of security information. A co-managed approach provides the client more control, for example a SIEM owned by the client where the MSSP and the client share administrative responsibilities.

What is SOC-as-a-Service?

The term SOC-as-a-Service was created “to describe how clients benefit from 24/7 monitoring and the same advanced threat detection technology that is used in sophisticated SOCs serving large enterprises and governments.” In 2010, Software-as-a-Service (SaaS) was already a significant industry with adoption being driven by the advantages of an on-demand, subscription model with no dependency on the existing IT infrastructure.

SOC-as-a-Service, or SOCaaS, is a logical extension of SaaS: SIEM software is delivered as a service and, instead of staffing up an in-house SOC, multiple clients share the capabilities of a 24/7 SOC responsible for threat detection, alerting, and response.

The goal for many SOC-as-a-Service providers, like Proficio, is to provide businesses the same quality of service that a large enterprise receives in-house, at an affordable price. This requires a true partnership with clients and the flexibility to act as an extension of their IT security team.

So how does SOC-as-a-Service differ from the offerings of an MSSP, and what sort of business should use it? SOC-as-a-Service focuses on fully managed cloud-based services, which are ideal for small to medium-sized organizations. While SOCaaS providers offer many of the same capabilities as MSSPs, they are less likely to work with client-owned SIEMs or to manage security devices, and may not support as broad a set of log sources, although this is not an absolute rule.

What is the difference between an MSSP and an MDR service provider?

MDR service providers offer more advanced threat detection and response capabilities than MSSPs. Key capabilities to expect from MDRs include:

When Gartner issued their first Market Guide for Managed Detection and Response Services, they categorized MSSPs as being more focused on monitoring perimeter security and lacking threat detection capabilities for the cloud and endpoints. Gartner also posited that MSSPs are more focused on meeting compliance requirements than MDRs. Fewer MDRs manage security devices – a service offered by many MSSPs.

MDRs must continue to adapt to new challenges to meet the demands of a Next-Generation MDR Service Provider.

What is an XDR Service?

XDR is a newer category that extends EDR (the X stands for eXtended) and, like MDR, centers on threat detection and response. Where EDR covers the endpoint, XDR integrates multiple security control points (endpoint, network, cloud, email, authentication) to automate threat detection and response across them. The concept has been promoted by leading industry analysts (notably Gartner) and is starting to be adopted, and perhaps hyped, by vendors.

You might ask, how is XDR different from SOAR? Both approaches apply use cases to log data to trigger automation and orchestrations. However, XDR will have broader integration among security controls using native APIs. For example, where an event might result in SOAR triggering containment of an endpoint and even orchestrating a remediation workflow, XDR could also automate responses from other layers of security such as blacklisting the source of malware at the perimeter.

One challenge for prospective users of XDR is they risk being locked into a single vendor solution. Most enterprises have multiple existing security vendors and unless they are already budgeted for a broad refresh, adopting this approach may be a protracted and expensive process.

Proficio and others are addressing the shortfall of XDR with Open XDR. Like XDR, Open XDR integrates multiple layers of security while also supporting more than one vendor for each control point to provide customers with more flexibility and security.

What Does it All Mean?

When you think to yourself, “what is the difference between an MSSP and an MDR service provider?”, it’s obvious there is no clear-cut answer. There continues to be some fluidity around the labels used to describe the providers of managed security services or security tools. Buyers of these services need to assess if the core capabilities of a prospective partner complement their existing capabilities and align with their goals.


Here are 5 areas to explore:

  1. Compliance

If your organization must adhere to one or more compliance mandates, validate the service achieves that goal. Can your MSSP or MDR retain logs for the required period? Does your MSSP or MDR support industry specific requirements such as file integrity monitoring in the case of PCI? These are important criteria to discuss before selecting a partner.

  2. Threat Discovery

Effective threat detection is a precondition to protecting your organization from damaging cyberattacks. Understand how the provider uses threat intelligence, security analytics, and automation for cost effective threat discovery and what expert human resources are applied to event investigations and threat hunting. Determine what is important for you and realistic within your budget.

  3. Response Automation

The ability to rapidly contain a threat is a good reason to select a specific MDR service provider. Some MDR providers support third-party SOAR products and others offer automated response using native capabilities in their threat management platform. But don’t assume anything: always validate that the MDR provider supports your preferred endpoint and firewall vendors. Before implementing, also check that you have organizational buy-in for automating changes to endpoints or network configurations.

  4. Technology Stack

Whichever label your vendor uses to describe their services, they will come to you with a predefined technology stack, which will affect how well your existing and planned technologies integrate with theirs. For example, your provider may support one or several SIEM vendors, or they may have developed their own threat management platform. Ask whether your vendor requires you to install a hardware sensor or add endpoint agents; these requirements can create network clutter and negatively impact performance and compatibility. Not all vendors are able to parse data from critical points of telemetry in your environment or support automation and orchestration for your existing security products.

  5. Control

Ask yourself how much control you need of the infrastructure and data involved in security operations. Do you want to use your own SIEM or do you prefer a platform hosted by your managed security service provider? Will this change in the future? Do you need to own the log data that has been collected? How important is it to have the ability to do granular searching and run reports with the providers system? Conventional wisdom is organizations are willing to devolve control to reduce cost and complexity, but this should be a conscious decision.

Final Thoughts

Choosing a cybersecurity partner is a major decision. Proficio has been acting as an extension of our clients’ teams to help them achieve their cybersecurity goals for over 10 years. If you’re currently using, or considering using, an MDR Service Provider, download our MDR Checklist to ensure you’re getting an effective service. Tune into our video podcast series, Cyber Chats, to hear industry experts discuss cybersecurity issues and best practices. If there’s anything more we can do to help, please let us know.


2020 Threat Hunting Campaigns and the Lessons Learned

Society has learned a lot of lessons in 2020. While many may focus on the COVID-19 pandemic, it’s fair to say that cybersecurity faced its share of challenges too, especially with many organizations being thrust into a remote working environment.

For Proficio’s Threat Intelligence team, we had to face a slew of new threats, all while battling some familiar faces as well. We spent the last year doing extensive threat hunting campaigns, learning and improving along the way.

Here are three things we’ve learned this year and how you can use them to improve your cybersecurity in 2021.

1. Old Threats, New Faces: Malware and Phishing Continue to Endure

In 2020, malware, often in the form of a ransomware attack, continued to be incredibly prominent. The most popular variants we encountered were those that exfiltrated the victim’s data as leverage against victims who refuse to pay the ransom, such as REvil/Sodinokibi and DoppelPaymer.

Also popular are phishing attacks, which continue to be a key technique utilized by all classes of attackers. This was especially noticeable when many cybercriminals took advantage of COVID-19 as a topic to lure victims, but there have also been other varieties of phishing campaigns with different contents and formats to trick victims. As hackers adapt to a reality where cloud service offerings like Office 365 are increasingly used in corporate environments, one very common tactic we observed is the use of fake Microsoft login pages. We have been able to identify a significant number of these during our threat hunting campaigns, like the one seen in this HTM spear-phishing email campaign.

There have also been multiple attack campaigns that exploited unpatched vulnerabilities in widely used software. Examples we investigated include attacks on the Citrix vulnerability (CVE-2019-19781) and the Zerologon vulnerability. Other campaigns compromised the software update channel rather than a flaw in the software itself, delivering malicious code to victims through trusted updates; the GoldenSpy campaign and the recent SolarWinds Sunburst campaign are examples.

Below is the breakdown of threat hunting campaigns we have conducted throughout 2020. It also highlights where we had identified and escalated incidents of true positive hits to our clients.

[Chart: threat hunting campaigns conducted in 2020, with true-positive incidents escalated to clients]

While attackers will continue to use these avenues to exploit victims, there are still some common precautionary measures that can be taken to further safeguard you and your organization:

  • Keep anti-virus / EDR solutions and other security tools on your systems updated so they can detect and prevent the spread of ransomware.
  • Perform regular backups of critical files and systems.
  • Keep operating systems up to date with the latest security patches.
  • Use network segmentation alongside a zero-trust model.
  • Close unnecessary network ports to reduce entry points for attackers.
  • Apply content filters on email gateways and email systems so malicious content does not reach users, reducing the chance of compromise.
  • Educate employees and users to improve cybersecurity awareness.

2. The Constant Evolution: Handling Increasingly Disparate Threats

Given the ever-evolving threat landscape, Proficio’s Threat Intelligence Team is constantly on the lookout for the newest cyber threats. We keep a close eye on the news and initiate threat hunting campaigns for threats that are likely to have an impact on our clients. Throughout 2020, we conducted a significant number of threat hunting campaigns based on this research as well as on threats found within our clients’ networks. We are continually looking for ways to improve how we conduct our campaigns, and how we store and share information of interest with our internal teams and clients, to maximize our efficiency and give our clients the best protection possible.

When our team was first established, most threat hunting campaigns were self-contained within the Threat Intelligence team. As time progressed and threats became increasingly complex, we found ourselves working with other internal teams, such as Security Advisors and Project Managers. We find that this collaboration makes us more effective and ensures that all teams within Proficio can quickly take appropriate action when required, keeping our security operations consistent.

In addition, the structure and methodology we use for carrying out threat hunting campaigns grew more robust throughout the year. We are better able to conduct rapid-response research and data collection, with a clear plan of action and priorities for every campaign we embark on. Depending on the extent of the hunt and the platforms used for searches, the time taken to provide clients with our investigation findings can vary from a few days to over a week; these efficiencies and the improved methodology have, however, allowed us to decrease our turnaround time.

In order to adapt to the more complex threat landscape, our threat hunting campaigns must continue to evolve; we have gone from using simple IOCs, like file hashes and IP addresses, to hunting on the tactics, techniques and procedures (TTPs) of our adversaries. We have also transformed the way we document our threat hunts. By enhancing our investigation write-ups with threat diagrams and attack maps, and incorporating the MITRE ATT&CK classification framework, we are better able to organize our findings into a library. We also take inspiration from documentation produced by other well-established security organizations that share information, such as JPCERT.

Creating a library of your threat hunts over time is a great way for any organization to track the adversaries it is dealing with. In addition, the cybersecurity community offers a tremendous number of open source tools that help us all defend against cybercriminals.

3.   Outside Looking In: Synergizing Efforts to Create Maximum Value

As a team, we are always looking for ways to synergize everything we do, as force multipliers that make a big impact for all our clients.

We keep up with threat news and developments in cybersecurity on a daily basis, sharing those that we found to be potentially relevant on our official Twitter account. We also have a Threat Intelligence page, where you can sign up to receive a weekly threat digest with the top threat news each week.

These tools play a big part in our ongoing data collection efforts, allowing us to better track trends in cyberattacks across different industry sectors as well as document known threat group activity. The data collected also plays a big role in our decision to initiate threat hunting campaigns, with the goal of identifying potential attacks or existing compromises that might have slipped through the cracks.

One of the greatest things about the cybersecurity community is that they are open to sharing knowledge in our joint efforts to combat cybercriminals. We recommend you join communities and follow along with the latest trends – and if you’ve found something, we encourage you to also share what you learned, so others can benefit from your research! That’s how we make the community stronger, one threat hunting campaign at a time.

While the Threat Intelligence team observed numerous new cyberthreats throughout 2020, we have no doubt the uphill battle against cybercrime will continue into 2021 and beyond. We will continue to conduct high-quality investigations for our clients into any relevant threats and share these findings, both with our clients and with the community as a whole, in the hope of doing our part in this war on cybercrime.

Key Takeaways from the SolarWinds Compromise

FireEye has recently released a detailed report on a global supply chain cyber-espionage campaign that uses compromised SolarWinds Orion software updates to distribute a backdoor codenamed “SUNBURST” by FireEye.

FireEye announced that this campaign is associated with a breach reported earlier, on the 8th of December 2020, in which attackers had gained access to FireEye’s environment, attempted to obtain information relating to certain US government customers, and stole some of its Red Team tools.

FireEye isn’t the only organization using SolarWinds Orion: the malicious updates were pushed to 18,000 other customers of the SolarWinds Orion platform, including Microsoft, the US Treasury and Commerce Departments, the Department of Energy and the National Nuclear Security Administration. Of course, not all affected organizations were actively targeted and breached by the threat group; the majority of the targets were located in the United States, with the rest in seven other countries: Canada, Mexico, Belgium, Spain, the United Kingdom, Israel and the UAE.

At this time, it is too early to say that we have a full understanding of the scope of the SolarWinds compromise. The number of organizations impacted is based on very limited visibility with an expectation that we understand all the compromise routes and adversary command and control capabilities. We do not know that to be true and more time is needed before we can say that we have a complete idea of the scale and scope of the compromise. Everything we know at this time relates to cyber-espionage and US national security institutions and there are no indications that most customers of SolarWinds Orion are actively breached by the threat group.

There are also no indications that the SolarWinds compromise was the only way the adversary could have reached their targets; the Cybersecurity and Infrastructure Security Agency (CISA) has evidence of initial access vectors other than the SolarWinds Orion platform. As mentioned previously, we recommend following the remediation measures recommended by CISA. Even if your organization isn’t an active target of this threat group, there is no reason to leave a backdoor into your network lying around if you are running the affected versions of SolarWinds Orion.

Some Interesting Details

Proficio has issued several advisories regarding the SolarWinds compromise and will be issuing more advisories as we learn more about the compromise. We are also in the midst of conducting an ongoing threat hunting campaign. Here are some of the interesting details that will shed light on the lessons we can draw from this campaign thus far.

  1. The SolarWinds hackers did a test run of the operation in October 2019, when the first tampered SolarWinds files were downloaded by customers. That version did not contain a backdoor, but it indicates that the attackers were already inside SolarWinds’ network in 2019, if not earlier.
  2. FireEye first discovered the breach when the attackers used stolen employee credentials to register their own device with FireEye’s MFA system, so as to receive the employee’s unique access codes. FireEye’s security system sent an alert to the employee and to the company’s security team saying that a new device had just been registered to the MFA system as if it belonged to the employee, prompting FireEye to investigate. FireEye uncovered the SolarWinds breach of its network while trying to determine how the attackers had obtained the employee’s credentials to register their device.
  3. The SUNBURST backdoor is only an initial persistent entry point, used to deploy other tools that take root and subtly alter network configurations to allow future access. Remediating the SolarWinds breach is therefore only the first step. SUNBURST is known to distinguish between malleable detectors (services it modifies and tracks in its config file) and dealbreakers (running processes that make SUNBURST abort immediately). Malleable detectors include several AV/EDR agents, while dealbreakers include several generic and specialized forensic tools, one of them being Sysmon. This split between the buckets of target system processes and drivers it evades is important. Upon encountering one of the eight malleable detection product families, SUNBURST backs up the service’s SCM ACL, modifies the ACL to take ownership, and disables the service. Before going dormant, it restores the original ACL and settings. This means that:
    1. Installed dealbreaker drivers prevent SUNBURST from executing at all.
    2. Dealbreaker processes running at the time prevent job execution at that time.
    3. The eight AV/EDR products would not have been very effective at preventing SUNBURST’s actions unless their anti-tampering settings were turned up.
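As an added example (not code from this page, from FireEye or from Proficio), the following Python turns the SUNBURST behaviour described above, and the indicators listed under “Lessons to Take Away” below, into detection logic over constructed Sysmon-style events: a security service’s Start value set to 4 (SERVICE_DISABLED) and later restored, a write to the Orion business-layer DLL config file, and DNS queries from the Orion host process to domains outside an expected set. The file and process names are taken from FireEye’s public SUNBURST write-up rather than this page, the service names and domains are constructed stand-ins, and the event field names only mirror Sysmon’s; adapt them to your telemetry.

```python
"""Host-telemetry detections for SUNBURST-style evasion (added example)."""
import re
from collections import defaultdict

# Constructed stand-ins for the security service names SUNBURST tampers with,
# plus Sysmon's own service name (a dealbreaker, per the article).
SECURITY_SERVICES = {"exampleedrsvc", "examplesensor", "sysmon", "sysmon64"}
# File and process names from FireEye's public SUNBURST write-up (assumption:
# they match your deployment; adjust to your vendor advisory).
ORION_HOST_PROCESS = "solarwinds.businesslayerhost.exe"
ORION_DLL_CONFIG = "solarwinds.orion.core.businesslayer.dll.config"
# Constructed allowlist of domains the Orion host process is expected to resolve.
EXPECTED_DOMAINS = {"solarwinds.com", "corp.example.local"}

SERVICE_START_RE = re.compile(r"\\services\\([^\\]+)\\start$", re.IGNORECASE)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _allowed(fqdn):
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == d or fqdn.endswith("." + d) for d in EXPECTED_DOMAINS)


def detect(events):
    """Return (kind, host, detail) alerts from Sysmon-like events.

    Event shapes (keys mirror Sysmon fields but are constructed here):
      event_id 13  registry value set: image, target, details ("DWORD (0x...)")
      event_id 11  file create:        image, target
      event_id 22  DNS query:          image, query
    """
    alerts = []
    last_start = defaultdict(dict)  # host -> service -> previous Start value
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, image = ev["host"], _basename(ev.get("image", ""))
        if ev["event_id"] == 13:
            m = SERVICE_START_RE.search(ev["target"])
            if not m:
                continue
            svc = m.group(1).lower()
            value = int(ev["details"].split("0x")[-1].rstrip(")"), 16)
            prev = last_start[host].get(svc)
            last_start[host][svc] = value
            if svc not in SECURITY_SERVICES:
                continue
            if value == 4:  # SERVICE_DISABLED
                alerts.append(("security_service_disabled", host,
                               f"{svc} Start=4 set by {image}"))
            elif prev == 4:
                # SUNBURST restores the original setting before going dormant,
                # so a disable-then-restore pair is itself a strong signal.
                alerts.append(("security_service_restored", host,
                               f"{svc} Start={value} after being disabled"))
        elif ev["event_id"] == 11:
            if _basename(ev["target"]) == ORION_DLL_CONFIG:
                alerts.append(("orion_config_written", host,
                               f"{ev['target']} written by {image}"))
        elif ev["event_id"] == 22:
            if image == ORION_HOST_PROCESS and not _allowed(ev["query"]):
                alerts.append(("orion_unexpected_dns", host,
                               f"{image} resolved {ev['query']}"))
    return alerts


ORION_EXE = r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"ts": 1, "host": "orion01", "event_id": 22, "image": ORION_EXE,
     "query": "downloads.solarwinds.com"},
    {"ts": 2, "host": "orion01", "event_id": 11, "image": ORION_EXE,
     "target": r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll.config"},
    {"ts": 3, "host": "orion01", "event_id": 13, "image": ORION_EXE,
     "target": r"HKLM\System\CurrentControlSet\Services\ExampleEdrSvc\Start",
     "details": "DWORD (0x00000004)"},
    {"ts": 4, "host": "orion01", "event_id": 22, "image": ORION_EXE,
     "query": "api.example-update-cdn.net"},
    {"ts": 5, "host": "orion01", "event_id": 13, "image": ORION_EXE,
     "target": r"HKLM\System\CurrentControlSet\Services\ExampleEdrSvc\Start",
     "details": "DWORD (0x00000002)"},
    {"ts": 6, "host": "ws17", "event_id": 13, "image": r"C:\Windows\System32\services.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\Spooler\Start",
     "details": "DWORD (0x00000004)"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Note that the Spooler event on ws17 produces nothing because the service is not on the watchlist, and that the restore of ExampleEdrSvc is reported only because a disable for the same service on the same host was seen first; if your EDR has tamper protection enabled, the disable itself should fail, which is the point of lesson 3 under “This means that”.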

Lessons to Take Away

The SolarWinds compromise is a good case study of the impact, scale and scope of a supply chain compromise by a serious and capable adversary. It is important to draw the right lessons from it rather than chase buzzwords and whatever is popular and trendy.

  1. Most organizations should not shift all their focus to supply chain attacks. Most organizations lack sufficient visibility, network segmentation, administrative tiering, insider threat programs, detection and response, backups and asset management capabilities, and those gaps pose far greater risk in terms of actual impact. Supply chain compromises are incredibly serious, but they are far from the only way organizations get hit by serious cyber-attacks.
  2. Prevention is increasingly a no-win game. Well-orchestrated supply chain compromises are almost impossible to prevent. However, where prevention can fail, detection and response can succeed, and did succeed in this case: FireEye was able to detect and respond correctly to the actions of a capable nation-state adversary. Organizations should look to beef up their detection and response capabilities, either internally or with a managed detection and response partner like Proficio.
  3. The success of detection and response depends significantly on basic visibility and monitoring. DNS logs play a key role in identifying whether a breach has taken place; other activity indicators include file-write events to the ‘SolarWinds Orion DLL config file’ and changes to services in the registry when any one of the eight AV/EDR families tracked by SUNBURST is in use.
    1. In fact, the adversary does not even attempt to infect your network if it looks like you are watching the machine with something as simple and effective as Sysmon. This tells us the adversary knows such dealbreakers work very effectively against them.
    2. That is not to say that FireEye and other organizations had no monitoring in place, but their tools simply may not have been on SUNBURST’s dealbreaker list.
  4. Make use of defence-in-depth principles when crafting a detection strategy, covering visibility, logging, and detection and response capabilities. EDR and NDR solutions provide the ability to detect and rapidly contain threats, and should be complemented by tools that focus on complete visibility and logging, such as Zeek and Sysmon. Reach out to Proficio to find out more about how we can help you create a more complete detection strategy.
  5. Make use of multi-factor authentication where possible and ensure that you have a robust asset management program. FireEye first discovered the breach when the attackers used stolen employee credentials to register their own device with FireEye’s MFA system; catching that requires both robust asset management and the use of multi-factor authentication.
  6. Enhance actual detection and response bandwidth and capability by reducing noise and excessive alerting. Reach out to Proficio to understand how we can help you enhance your existing capabilities by helping you focus on what matters most.
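As an added example (not FireEye’s or Proficio’s code), here is the shape of the check that caught the intrusion described above, in Python over constructed data: every “new MFA device registered” event is compared with the asset inventory and with the networks the user normally signs in from, the user is always told, and the SOC is alerted when anything fails to line up. The inventory, network prefixes, device IDs and events are all constructed; in practice the inventory lookup would query your CMDB or MDM and the events would come from your identity provider’s audit log.

```python
"""Flag MFA device enrollments that do not match asset inventory (added example)."""
from dataclasses import dataclass, field

# Constructed asset inventory: device ID -> user it is assigned to.
ASSET_INVENTORY = {"LT-1042": "alice", "PH-2210": "alice", "LT-1077": "bob"}
# Constructed: network prefixes each user normally signs in from.
KNOWN_NETWORKS = {"alice": ("10.20.",), "bob": ("10.20.", "10.30.")}


@dataclass
class Enrollment:
    user: str
    device_id: str
    source_ip: str


@dataclass
class Verdict:
    severity: str
    reasons: list = field(default_factory=list)
    notify: list = field(default_factory=list)


def assess_enrollment(e, inventory=ASSET_INVENTORY, networks=KNOWN_NETWORKS):
    """Score one 'new MFA device registered' event.

    The user is always notified (they can repudiate a device they never set up);
    the SOC is alerted as soon as anything about the enrollment fails to line up.
    """
    reasons = []
    owner = inventory.get(e.device_id)
    if owner is None:
        reasons.append(f"device {e.device_id} is not in the asset inventory")
    elif owner != e.user:
        reasons.append(f"device {e.device_id} is assigned to {owner}, not {e.user}")
    if not e.source_ip.startswith(networks.get(e.user, ())):
        reasons.append(f"enrollment from unfamiliar network {e.source_ip}")
    severity = {0: "info", 1: "medium"}.get(len(reasons), "high")
    notify = [e.user] + (["soc"] if reasons else [])
    return Verdict(severity, reasons, notify)


def triage(enrollments):
    """Return (user, device, verdict) for each enrollment, in input order."""
    return [(e.user, e.device_id, assess_enrollment(e)) for e in enrollments]


SAMPLE_ENROLLMENTS = [  # constructed events
    Enrollment("alice", "PH-2210", "10.20.5.9"),       # own phone, office network
    Enrollment("alice", "UNK-7731", "203.0.113.44"),   # stolen creds, attacker's device
    Enrollment("bob", "LT-1042", "10.30.1.2"),         # someone else's laptop
]

if __name__ == "__main__":
    for user, device, verdict in triage(SAMPLE_ENROLLMENTS):
        print(user, device, verdict.severity, verdict.reasons, verdict.notify)
```

The second event is the FireEye pattern: valid credentials, but a device nobody issued and a network the user has never used. Without an inventory to compare against, the check degrades to “new device for user”, which is still worth telling the user about but gives the SOC far less to act on.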

Cybersecurity in a Work from Anywhere (WFX) Environment

In 2020, thanks in large part to the COVID-19 virus, the work environment in Europe has shifted, with remote working leading the way. This presents many challenges for IT and security teams, who now must deal with an increase in cyberattacks in a less secure environment.

As the UK and other European countries enter a second lockdown period in an attempt to contain the virus, more and more organisations are announcing that not only will employees continue working from home into 2021… it may be permanent. So how can cybersecurity teams adjust to this “new normal”?

Working from Everywhere (WFX)

According to a report from Interpol, cyberattacks are at their highest levels in three years as a result of COVID-19. In turn, the number of data breaches has almost doubled, with 3,950 confirmed breaches so far in 2020 against 2,103 recorded breaches in 2019. Attackers are also getting more creative in their methods, with attack types ranging from man-in-the-middle attacks to network spoofing and packet sniffing of unencrypted traffic.


In light of the global pandemic, many predict that working from home (WFH) will become working from anywhere (WFX), with a massive upturn in digital transformation as a result. As organisations announce that home working will be permanent even once the COVID-19 virus is under control, millions of employees are predicted to turn this change into a chance to work from anywhere, perhaps relocating to the countryside or closer to relatives to make up for time lost during the pandemic.

So now, teams across Europe and the globe must tackle the challenging task of securing staff who work from anywhere. This brings a host of new concerns. Notably, home networks are less secure than corporate offices, and users with spotty WiFi connections may migrate to even less secure public WiFi. The absence of the advanced intrusion prevention tools available in office environments risks leaving more gaps for attackers to gain access and steal confidential information. Frequently sending data between the office and home, or between two home networks, gives cybercriminals more opportunities to catch data in transit if communication is not properly secured.

The increased volume of cyberattacks that we are now seeing, combined with the shift to WFX, is forcing European organizations to revisit their strategies. Technology needs to be able to keep up with these changes and the focus of IT teams should be shifting to ensure their cybersecurity is a priority. And with the average cost of a data breach standing at £2.9 million, organisations know that a security incident will be expensive in addition to the cost of damaging their reputation.

Setting Security Teams up for Success

While most organisations realize the importance of having a strong cybersecurity posture, many find it difficult to assemble and integrate the right components when it comes to building an in-house security team and having 24/7 monitoring and protection. The resources and staff needed to successfully run an in-house operation require a significant investment of time and money. Even if they can afford to build a team in-house, many struggle to find and retain the right calibre of candidates when trying to hire experienced analysts, content developers and engineers.

While security programmes may differ in organisations, often their underlying security needs are the same, especially when it comes to securing their WFX teams. That is why many in Europe are turning to outsourced security services as a more cost-effective way to stay secure.

Benefits of Outsourcing your Cybersecurity Needs

If you’re considering outsourcing some or all of your cybersecurity needs, the best way to start is to identify what your team can do most effectively in-house. Then, look to fill the gaps by finding a partner to complement your skillset. You still need a team in place to handle certain tasks, ideally one who also knows what partners to look for and how to maximize the relationship. Outsourcing your cybersecurity needs helps to free up your team and alleviates a large portion of the hiring burden. It also enables you to have shared liability and gives you 24/7 protection without building an in-house Security Operations Centre (SOC).

The trend of outsourcing cybersecurity services in Europe has been growing faster than has been seen in many years. In addition to addressing new challenges, IT teams are faced with shrinking budgets. Many European organisations are now considering outsourcing some or all of their security needs as the key to getting more done with less.

There are many benefits of partnering with an external security company, in addition to taking advantage of their 24/7 services and staff (although that piece is critical for most!). Here are some reasons organisations across Europe are choosing to partner with an external organisation for their cybersecurity:

  • 24/7 Protection

Cybercrime is not a 9-5 problem, so you need more than a 9-5 solution. With hackers and cybercriminals striking at any time, networks need to be monitored around the clock. This is especially critical if employees will not be returning to a normal office environment. Running a successful 24/7 operation in-house requires a staff of 12 or more. And with the shortage of trained cybersecurity professionals, even if you are able to find people with the right skills, hiring and retaining those experts does not come cheap.

Utilizing a Managed Security Services Provider (MSSP) or similar cybersecurity partner means you’ll have a team of experts available whenever you need them. You won’t have to worry about staffing the graveyard shift or holidays to make sure you’ve got someone monitoring your networks, and their team is ready to respond quickly to any potential threats.

  • Free Up Time

Many IT departments often get bogged down with mundane and manual work, spending more time fixing issues rather than implementing strategic projects. When outsourcing to an MSSP, you gain instant access to a team of expert cybersecurity professionals.

Managed security services are valued by organisations that wish to refresh their security stack but lack the in-house expertise to maximize the value of new tools. Also, many organisations find that tasks like reconfiguring firewalls need to be completed outside business hours but lack the staff to operate 24/7.

  • Improve your Security Posture

Partnering with a managed cybersecurity provider will help you improve your security posture. They should have a library of threat detection use cases already built and optimized, so you instantly get access to relevant content. Paired with a streamlined on-boarding process, this allows you to quickly start receiving actionable alerts and reduce false positives that cause alert fatigue.

In addition, MSSPs offer a wealth of security knowledge and can offer guidance on best practices to help you ensure you’re getting the most value from the security tools you have in place. Some advanced providers have tools available that can help you uncover gaps in your security posture and provide recommendations to help fill in any gaps. Ask your provider to combine this data into a cyber risk score and compare your score to other similar organisations.

  • Automate Response

Automated response and containment is a critical capability to protect organisations from attacks that could lead to damaging security breaches. Despite their best efforts, cyber defenders may miss indicators of attack or take too long to remediate problems. Leading Managed Detection and Response (MDR) service providers can leverage their client’s existing perimeter and endpoint products to automatically block IP traffic and contain endpoints, quickly containing a threat to stop an attack before it causes damage.

  • Save on Costs

Many security providers now offer services in the cloud. Opting for this can bring substantial cost savings over building your own facilities. For example, SOC-as-a-Service gives you access to a powerful SIEM without investing in your own. This not only saves on hardware, but also means you don’t have to find (and retain) in-house staff to manage the technology. Partnering lets you better protect your business without the prohibitive upfront purchasing, maintenance, storage, staffing and other costs.

Securing the WFX in 2021 and Beyond

The rapid pace of change and the increasingly complex cybersecurity environment are forcing security teams to evolve and adapt, making outsourcing a smart option for many European organisations.

While there are many creative options for stretching your security budget, partnering with an MDR service provider should be near the top of your list. If you’re looking for a partner who can help you meet your cybersecurity goals, please feel free to contact us.

ENISA Report Highlights: Guidelines for Securing the Internet of Things

Over the past four years, I’ve been fortunate enough to contribute to several papers produced by the European Union Agency for Cybersecurity (ENISA). ENISA was started in 2004 as a place for industry experts to partner and work together towards the common goal of making Europe more cyber secure. The Agency works closely with both Member States and the private sector to deliver advice and solutions as well as improving their capabilities. It also supports the development of a cooperative response to large-scale cross-border cybersecurity incidents or crises. Since 2019, the Agency has also drawn up cybersecurity certification schemes.

Our latest report, “Guidelines for Securing the Internet of Things”, was written to help establish a security framework for securing the Internet of Things (IoT). The framework provides guidance for both consumers and providers on how to secure IoT devices and infrastructures, considering the whole cybersecurity cycle. In writing this paper, one of the main objectives was to address the challenges that the global supply chains for IoT must overcome to deliver greater security. We include a non-exhaustive list of security considerations alongside a set of best practices to help ensure not only the security but also the overall quality of the supply chain.

An important area of focus is our section on best practices. While the development of good security practices in the supply chain for IoT is critical, the majority of our advice extends beyond this; similar models and concepts can be applied for IT networks and many IT devices. We provide recommendations that will assist in countering and mitigating the threats that might impact the supply chain, classified into three main groups – actors, processes, and technologies.

While those factors are important in security, one must not forget that there is always a human element. Without the right people or partners in place, it is difficult to create and maintain a secure environment. As with IT devices, monitoring IoT devices 24×7 is crucial to quickly detecting threats and responding to incidents. If you are unable to manage this in-house, using an MDR service provider to assist with or augment your security is a great way to orchestrate actions in complex and hybrid environments.

To read ENISA’s recommendations on how to secure the IoT supply chain, download the full report.

To learn more about how Proficio can help you improve your security posture, contact us.

Why Singaporean Businesses should Incorporate AI / Machine Learning into their Cybersecurity Operations

Did you know that 96 percent of Singaporean businesses have reportedly suffered a data breach? And cybercrime is not slowing down. With the financial risk from cyberattacks estimated at US$5.2 trillion between 2019 and 2023, it poses an ongoing challenge for investors, corporations, and consumers around the world. In Singapore, experts detected approximately 4.66 million web threats in 2019. This shocking statistic reinforces the need for innovative ways of enhancing cybersecurity within our region.

Earlier this year, Finance Minister Heng Swee Keat revealed that the Singapore government will be investing S$1 billion to strengthen its cyber and data security systems to safeguard its critical information infrastructures, as well as its citizens’ data. Moving forward as a digital economy and smart nation, and with increasingly adopted technologies like artificial intelligence (AI), Machine Learning (ML), and Internet of Things (IoT), the Singapore government will also provide more funding to local deep-tech startups and small and midsized businesses (SMBs).

While the term AI was first coined in 1956, today it is a field of computer science focused on how machines can imitate human intelligence. Successful applications of AI include beating humans at Go, diagnosing cancer, and operating autonomous vehicles. Over the last 10 years, the potential of AI to help with cybersecurity problems has evolved from being over-hyped into a critical ingredient of enterprise security programs. In their Top Security and Risk Trends for 2020, Gartner projects that “AI, and especially machine learning (ML), will continue to automate and augment human decision making across a broad set of use cases in security and digital business.”

Finding a Needle in a Haystack

While it is common knowledge to security professionals, others may be surprised by the daily volume of security logs generated by enterprises. The logs generated by firewalls, authentication servers, endpoints, and a variety of other devices and security tools total many millions every day. Security information and event management (SIEM) tools can use rules to filter and prioritize these logs into alerts, but it is the job of security analysts to investigate the most critical alerts. For example, out of 10 million daily logs, hundreds may require expert human investigation.

Security analyst investigations include examining detailed log data, reviewing correlated events and threat intelligence, and looking for suspicious behavior. Analysts must quickly determine if the event has actually compromised the organization’s security, is a potential threat, or is a false positive. This difficult and time consuming work is made even more challenging by the high percentage of alerts that are false positive. This is why it is not uncommon for security analysts to get “alert fatigue” – losing motivation to thoroughly investigate alerts.

Reactive investigations are necessary but insufficient for a robust security defense. Security teams should also proactively hunt for threats that are not triggered by system alerts. Targeted attacks often aim at stealing critical data and use techniques like obtaining user credentials, escalating to a privileged user, and moving laterally across the network. These attacks, also known as advanced persistent threats (APTs), can result in an attacker gaining unauthorized access to a system or network and remaining there for an extended period without being detected. The time an attacker goes undetected on your network, or “dwell time”, is commonly measured in months. APTs that use multi-stage attacks spread over long periods, commonly referred to as low-and-slow attacks, are hard to detect with rule-based analytics alone. Attackers changing or morphing their techniques further adds to the challenge of threat hunting.

AI to the Rescue

Initial approaches to detecting threats used a subset of AI called unsupervised machine learning to detect anomalies. Unfortunately, while AI has proven able to predict significant future events, the range of behaviors of users, applications, and external data is so complicated that it is very hard to identify malicious outliers. The result was many AI-powered products that generated too many false positives to be practical.

While unsupervised learning attempts to find patterns among data points without knowing the meaning of the data, supervised learning infers a relationship from existing data labels. For example, an AI model can learn to recognize pictures of a table after being trained on a large number of images that are labelled as tables. However, in cybersecurity it is very hard to obtain labelled data to train detection models. Additionally, attackers can change or adapt their techniques faster than a supervised model can be retrained.

The solution to these limitations is active supervised learning, which engages human experts to help create and train threat hunting models. Organizations that use both AI and humans are 20 times stronger against cyberattacks than traditional methods. The resulting AI models, combined with expert feedback, can quickly learn to distinguish malicious from normal behavior. AI-powered threat hunting enables security analysts to significantly increase productivity and to detect and respond to more real threats that would otherwise have resulted in a damaging breach.
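As an added example (not code from the article or from Proficio), the following pure-Python sketch shows the analyst-in-the-loop pattern the paragraph describes: a simple nearest-centroid model is seeded with one confirmed benign and one confirmed malicious session, then repeatedly asks the “analyst” (here an oracle returning constructed hidden labels) to label the session it separates least confidently, and retrains. The session features, labels and the centroid model are all constructed for illustration; a production system would use richer features and a stronger model, but the query, label, retrain loop is the same.

```python
"""Analyst-in-the-loop (active learning) for a toy threat classifier (added example)."""
import math

# Constructed per-session features: (MB sent out, distinct internal hosts
# contacted, failed logons). TRUE_LABELS stands in for the analyst's verdicts
# (1 = malicious) and is only revealed to the model when the loop asks.
SESSIONS = [
    (0.5, 1, 0), (1.2, 2, 1), (0.8, 1, 0), (2.0, 3, 0), (1.5, 2, 2), (0.3, 1, 0),
    (120.0, 18, 0), (80.0, 25, 30), (200.0, 12, 5), (60.0, 30, 40), (150.0, 20, 0),
]
TRUE_LABELS = [0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1]


def scale(rows):
    """Divide each column by its maximum so no single feature dominates distance."""
    maxes = [max(r[i] for r in rows) or 1.0 for i in range(len(rows[0]))]
    return [tuple(v / m for v, m in zip(r, maxes)) for r in rows]


def centroid(points):
    return tuple(sum(p[i] for p in points) / len(points) for i in range(len(points[0])))


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class CentroidModel:
    """Nearest-centroid classifier built from whatever labels exist so far."""

    def __init__(self, X, labels):  # labels: {row index: 0 or 1}
        self.c = {y: centroid([X[i] for i, l in labels.items() if l == y]) for y in (0, 1)}

    def score(self, x):
        """Return (predicted label, margin); a small margin means low confidence."""
        d0, d1 = dist(x, self.c[0]), dist(x, self.c[1])
        return (1 if d1 < d0 else 0), abs(d0 - d1)


def most_uncertain(model, X, labeled):
    """Uncertainty sampling: the unlabeled row the model separates least confidently."""
    candidates = [i for i in range(len(X)) if i not in labeled]
    return min(candidates, key=lambda i: model.score(X[i])[1]) if candidates else None


def active_learn(X, seed_labels, oracle, rounds):
    """Ask the analyst (oracle) for `rounds` labels, retraining after each one."""
    labels, queried = dict(seed_labels), []
    for _ in range(rounds):
        i = most_uncertain(CentroidModel(X, labels), X, labels)
        if i is None:
            break
        labels[i] = oracle(i)  # the expert's verdict on the most ambiguous session
        queried.append(i)
    return CentroidModel(X, labels), labels, queried


def accuracy(model, X, truth):
    return sum(model.score(x)[0] == t for x, t in zip(X, truth)) / len(X)


def run_demo(rounds=3):
    X = scale(SESSIONS)
    seed = {0: 0, 6: 1}  # one confirmed benign and one confirmed malicious session
    model, labels, queried = active_learn(X, seed, lambda i: TRUE_LABELS[i], rounds)
    return {"queried": queried, "labeled": len(labels),
            "accuracy": accuracy(model, X, TRUE_LABELS)}


if __name__ == "__main__":
    print(run_demo())  # the first query is the session with the odd failed-logon count
```

The point of the loop is which sessions the analyst is asked about: the model does not spend expert time on the obvious cases but on the ones that sit between its two views of “normal” and “malicious” (here, the session with an unusual number of failed logons), so each label it receives moves the decision boundary more than a randomly chosen label would.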

Can AI Defend Against AI?

Just as security teams and technology vendors are adopting AI to detect and contain threats, attackers can also use AI to power their attacks. They are expected to use AI techniques to target organizations, develop new exploits, and find vulnerabilities, increasing the speed of attacks while reducing their cost. For example, writing an effective phishing email takes time and creativity; AI can help automate this process.

The good news is that developers of security tools are also rapidly adopting AI in product development and enhancement. However, there is still a lot of marketing hype around AI, so we advise you to dig into the details and assess whether your vendors are fully leveraging AI/ML technologies before you make the leap.


Organizations can use machine learning to detect suspicious and unusual patterns that are nearly impossible to spot by eye. Detection algorithms can continuously compare network data packets to discover anomalous traffic, then apply strategies such as statistical monitoring and anomaly detection to identify malware variants communicating over a network. Cybersecurity is traditionally very time-consuming work, but with effective use of AI you can begin to make your cybersecurity teams more efficient.