Navigating NIST 2.0: Essential Cybersecurity Updates for Your Business

By: Brittany Holmes, Corporate Communications Manager 

The National Institute of Standards and Technology (NIST) has rolled out Version 2.0 of its widely utilized Cybersecurity Framework (CSF), a pivotal resource within cybersecurity risk reduction. This updated iteration signifies a revision and a transformative approach to protecting digital assets and infrastructures. The progression from its previous version represents a significant stride forward in tackling the intricate and constantly evolving cyber threat landscape, offering a forward-looking stance on cyber defense that acknowledges the dynamic and multifaceted nature of threats.   

Initially, the NIST CSF was tailored specifically for critical infrastructure sectors such as utilities, transportation, and health. However, threats are no longer sector-specific; they don’t discriminate. Recognizing this, Version 2.0 has broadened its scope substantially. This framework is now adaptable to any sector and can be applied to organizations of varying sizes and levels of cybersecurity program maturity. Broadening the scope helps strengthen the frameworks application to all organizations, regardless of sector, type, or size, to address cybersecurity challenges of all magnitudes. 

This blog details the updates to the framework and their implications. Whether you’re a small business owner or the CEO of a multinational corporation, understanding these changes can help you protect your organization properly.  

What is NIST 2.0?

Initially introduced in 2014 by the National Institute of Standards and Technology, the NIST CSF serves as a set of guidelines crafted to aid organizations in boosting their cybersecurity posture, effectively managing IT security risks, and strengthening their defense against cyber threats. The 2024 release of Version 2.0 marks the first major update since the framework’s inception. 

The enhancements in NIST CSF 2.0 integrate input from users and strive to mirror the contemporary cybersecurity landscape more accurately, tackling emerging threats and technologies to ensure the framework’s relevance, efficacy, and capacity to assist organizations in enhancing their overall cybersecurity stance. 

Key Updates and Differences Between NIST CSF 1.1 and 2.0

Inclusive for All Organizations

As it was briefly mentioned above, NIST CSF 2.0 is designed to be inclusive, catering to organizations of all sizes—from small educational facilities to large corporations. Unlike the previous version, which was primarily aimed at larger entities, Version 2.0 offers a tailored roadmap for smaller businesses, making it easier for everyone to enhance their cybersecurity practices. This new edition includes real-world examples and a new web tool that links to other standards, aiming to level the playing field and strengthen industry-wide defenses against cyberattacks.

New NIST CSF 2.0 Tools Are Available

NIST has rolled out a suite of resources to help every organization hit their cybersecurity targets, focusing primarily on governance and supply chains. These tools are designed to provide various audiences with tailored paths into the CSF, making the framework more accessible and easier to use. Here is a list of the new tools available:

New Searchable Reference Tool NIST CSF’s latest reference tool simplifies how organizations can implement the CSF, letting users browse, search, and export data from the CSF’s core guidance in human-friendly and machine-readable formats. No more sifting through dense documents—this tool puts everything you need right at your fingertips.

Reference Catalog with Mappings CSF 2.0 comes with a searchable catalog of informative references, making it easier than ever to cross-reference the CSF’s guidance with over 50 other cybersecurity documents.

Community Profiles NIST’s new community profiles provided deep insights, showing how different organizations leverage the framework. The CSF is incredibly flexible, and these profiles highlight how various sectors tailor the framework’s taxonomy to suit their unique needs.

Practical Implementation Examples Organizations of all sizes use NIST CSF, and as a result, implementation guidance has been somewhat scattered. NIST CSF 2.0 has stepped up, offering detailed information, including linkages and mappings to specific cybersecurity guidance from NIST and other bodies. These action-oriented steps clarify the subcategories’ outcomes and answer many of your questions on how to get started.

Quick Start Guides They’ve developed quick-start guides for small businesses, enterprise risk managers, and organizations aiming to secure their supply chains. These guides are targeted and concise, designed to get you up and running in no time.

These resources can transform your approach to cybersecurity, making the complex task of safeguarding your organization more manageable and efficient. 

Expansion to Six Core Functions

A pivotal change in NIST CSF 2.0 is the expansion of its core functions from five to six. The original version’s core functions—identify, protect, detect, respond, and recover—are now augmented by adding the govern function. This new function assumes a central role, guiding how an organization implements the other five functions. 

The new govern function guides how an organization should implement the other five functions, providing a comprehensive approach to managing cybersecurity risks throughout its lifecycle. It provides a strategic layer that informs and enhances the management of cybersecurity risks throughout their lifecycle. This holistic view enables a more integrated approach to cybersecurity risk management.

With this foundational shift in mind, let’s explore a detailed breakdown of the core changes introduced in NIST CSF 2.0, how each function is impacted and the specific enhancements brought about by the new govern function.

Detailed Breakdown of Core Changes

  1.  Identify: As in version 1.1, identifying involves developing an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The focus remains on identifying and cataloging physical and software assets, recognizing cybersecurity policies, and establishing risk management strategies.
  2. Protect: This function encompasses implementing appropriate safeguards to ensure the delivery of critical infrastructure services. The updated framework continues to emphasize access control, data security, and protective technology but with refined guidelines to address emerging threats.
  3. Detect: Detecting the occurrence of cybersecurity events is paramount. The 2.0 version enhances capabilities for continuous monitoring, anomaly detection, and improved security information and event management (SIEM) systems, ensuring faster identification of potential incidents.
  4. Respond: This function details the appropriate actions to take once a cybersecurity event is detected. Version 2.0 offers enhanced guidance on incident response planning, communications, analysis, and improvements to effectively mitigate the impact of incidents.
  5. Recover: This function supports timely recovery to everyday operations to reduce the impact of a cybersecurity incident. NIST CSF 2.0 includes more detailed strategies for recovery planning, improvements, and communication, helping organizations restore capabilities or services impaired by cyber incidents.
  6. Govern: The new govern function is the key player of NIST CSF 2.0. It encompasses governance frameworks, risk management strategies, and the establishment of cybersecurity policies and procedures. Govern informs how the identify, protect, detect, respond, and recover functions are executed, ensuring a coherent and integrated approach to cybersecurity across the organization.

Implementing NIST CSF 2.0  

If your organization has already adopted the NIST CSF, it is recommended to review the govern function to identify any gaps between your current and target profiles that need remediation. Additionally, examine the implementation guidance for all subcategories to see if there is any new guidance you should adopt. In addition, update your organizational profile document to reflect the realignment and consolidation of the existing categories and subcategories. 

To effectively implement NIST CSF 2.0 in your organization, follow these key steps:

  • Comprehend the enhanced core functions: Thoroughly understand the expanded core functions, focusing on the new govern function, which will guide your strategic cybersecurity initiatives.
  • Utilize new tools and resources: Leverage the newly introduced web tool and real-world examples to align your cybersecurity practices with best-in-class standards. These resources are designed to streamline implementation and ensure alignment with industry norms.
  • Customize the framework: Adapt the framework to your organization’s specific needs. NIST CSF 2.0 provides a flexible roadmap that can be tailored to enhance the cybersecurity posture of both small and large entities.
  • Focus on governance: Establish a strong governance structure for all cybersecurity activities. This involves creating comprehensive cybersecurity policies, conducting regular risk assessments, and ensuring continuous compliance with regulatory requirements.
  • Continuous monitoring and improvement: Implement continuous monitoring processes to immediately detect and respond to cybersecurity events. Regularly evaluate your cybersecurity strategies to address evolving threats and vulnerabilities. 

By embracing these steps, your organization can harness the full potential of NIST CSF 2.0, ensuring a fortified cybersecurity posture that is resilient against the dynamic landscape of cyber threats. 

Enhancing Cybersecurity Posture with NIST CSF 2.0

The new NIST CSF 2.0 changes bring enhancements that help organizations better manage cybersecurity risks through improved governance, practical tools, and a more inclusive approach. To assist your organization’s cybersecurity posture and align with the latest NIST CSF 2.0 changes, Adlumin’s suite of solutions—spanning Managed Security Services (MSS), Extended Detection and Response (XDR), and Managed Detection and Response (MDR)—provides the tools and support necessary to manage cybersecurity risks. 

Adlumin’s business model focuses on offering enterprise-grade cybersecurity solutions to small to medium-sized businesses. Adlumin’s offerings are tailored to each core function of the NIST framework, ensuring protection, detection, response, recovery, and governance capabilities. 

For in-depth insights on NIST CSF 2.0 and its impact on cybersecurity, tune into the latest episode of Cyber Tide with Adlumin’s VP and Chief of Strategy, Mark Sangster.  

M365 Email Security: Dynamic Cloud Security with Adlumin MDR

Cloud email services like Microsoft 365 (M365) have become the linchpin of modern business operations, ensuring secure and seamless communication while forming the backbone of organizational workflows. As of 2023, M365 boasts over 345 million monthly users worldwide, making it a prime target for cybercriminals; one of the most alarming threats? Business Email Compromise (BEC) scams.

According to recent FBI warnings, BEC scams are rising for organizations in the United States, naming them the $43 billion scam in 2022. Cybercriminals ruthlessly target small to medium-sized businesses by researching and posing as vendors or employees attempting to siphon money. BEC scams do not require much sophistication, making them simple yet effective.

These cybercriminals aren’t just after data; they use compromised emails to launch ransomware, steal sensitive information, and wreak havoc on organizational networks. The surge in these threats underscores the urgent need for robust security measures to safeguard cloud email platforms like M365.

This blog details the latest feature Adlumin launched to help combat M365 events.

Comprehensive Security with Dynamic M365 Prevention

To address this growing challenge, we are excited to introduce our latest feature exclusive to Adlumin Managed Detection and Response (MDR) customers: Dynamic M365 Prevention. This cutting-edge capability implements dynamic compromise prevention across nearly every detectable M365 event. Dynamic M365 Prevention goes beyond traditional security measures by correlating account and location activities with sophisticated behavior analytics within the organization.

In addition, it integrates data from other security entities, including endpoint computers, identity products like Cisco DUO and Okta, Virtual Private Network (VPN) technologies, and more. By analyzing these diverse data points, the feature can detect anomalies and potential threats with unparalleled precision.

The key to this feature is that it automates a response action depending on the severity of the detection. By leveraging Security Orchestration, Automation, and Response (SOAR) capabilities, Dynamic M365 Prevention ensures that the appropriate measures are quickly taken to mitigate threats, minimizing the risk of compromise and enhancing the organization’s overall security posture.

Key Highlights Dynamic M365 Prevention Offers:

Scalable Risk Responses: Tailored Actions for Threat Management

Dynamic M365 Prevention offers a scalable response mechanism tailored to the severity of the detected risk. Depending on the aggravating and mitigating risk factors, the system can enforce a range of actions, from a user-driven password reset to disabling the account and revoking its sessions. This adaptive response ensures that the security measures are proportionate to the threat level, providing a balanced approach to protecting your M365 environment. For instance, a minor anomaly might trigger a simple password reset, while multiple red flags could result in an immediate lockdown of the compromised account. This dynamic approach minimizes disruptions to legitimate users while maintaining a robust defense against potential compromises.

Enhanced Security Posture Against BEC and Cyber Threats

By integrating Dynamic M365 Prevention, organizations can significantly enhance their security against BEC and other sophisticated cyber threats targeting their Microsoft 365 environment. This feature empowers businesses to proactively manage risks, ensuring their critical communication and collaboration tools remain secure. With the ability to dynamically respond to threats based on comprehensive analytics and cross-entity data correlation, organizations can thwart potential attacks before they escalate. Adlumin’s commitment to innovation and security excellence ensures that our customers are always equipped with the most advanced tools to protect their digital assets and maintain operational resilience.

Harness Advanced Security Solutions

Embrace the future of cloud email security with Dynamic M365 Prevention and experience the peace of mind that comes with knowing your M365 environment is protected by the most advanced and responsive security solutions available.

Test Your Defenses – For Free

Adlumin has developed a complimentary tool that measures an organization’s security against today’s most popular cyberattack tactics targeting Microsoft. Adlumin’s M365 BEC Simulator tool allows organizations of all sizes to evaluate their defenses against a variety of threats, including brute force attacks on Microsoft 365 accounts, logins from foreign countries, and Tor usage to access the network from randomized locations. This quick but effective simulation provides a clear assessment of how well your systems are being monitored, ensuring you don’t overlook threats lurking in plain sight.

Test your defenses today and secure your organization with confidence.

Protecting Student Privacy with GLBA Compliance

By: Brittany Holmes, Corporate Communications Manager

It’s no secret that higher education institutions have become top targets for cybercriminals and ransomware groups. For example, news stories like those about cyberattacks disrupting classes at Clackamas Community College where classes were cancelled, making this the second attack against schools in the Portland area this year, add to the growing statistics. Microsoft reported the education industry makes up 80% of enterprise malware encounters.

To help mitigate the risk of student’s personal data, compliance regulations are becoming stricter when it comes to cybersecurity, starting with recent changes to how the Gramm-Leach-Biley Act (GLBA) applies to higher education. While GLBA is often associated with financial institutions, its relevance extends far beyond that. For higher education institutions handling financial aid, student loans, and other financial activities, compliance with GLBA is important.

The GLBA compliance checklist focuses on safeguarding students’ personal data and fostering trust within the education community. Failing to comply puts students at risk of identity theft and financial fraud and exposes institutions to penalties and reputational harm. Ensuring GLBA compliance is not just a legal requirement but a measure to protect students and institutional security amid increasing cyberthreats.

This blog details how the GLBA compliance checklist applies to higher education, security program requirements, and opportunities.

Understanding GLBA in Higher Education: A Brief Overview

Originally enacted in 1999 under the Federal Trade Commission (FTC), GLBA mandates transparency in information-sharing practices and protection of sensitive data within financial institutions. To comply with GLBA, higher education institutions must tell their students and employees how they share their data and follow specific parameters to protect it.

While GLBA has existed for years, its impact on higher education institutions has become more pronounced within the last four years. Specifically, GLBA applies to colleges and universities in terms of collecting, storing, and utilizing student financial records containing personally identifiable information.

In July 2019, the Office of Management and Budget (OMB) Compliance Supplement introduced a new audit objective to evaluate institutional compliance with the Safeguards Rule, a key component of GLBA. Subsequently, in December 2021, the FTC revised its Safeguards Rule, with specific provisions taking effect 30 days later and others becoming enforceable by December 9, 2022. To allow institutions enough time for adaptation, the FTC granted a six-month extension, extending the compliance deadline to June 9, 2023.

What Higher Education Needs to Know

Universities and colleges have significant responsibilities when it comes to managing sensitive financial data, including student aid, loans, tuition payments, and payroll information. The Safeguards Rule includes nine elements that higher education’s cybersecurity programs must consist of.

Below are elements from the GLBA compliance checklist that higher education must include in their security program:

  1. Designate a qualified individual for information security oversight: Appoint an individual knowledgeable in cybersecurity, beyond just IT, to lead the institution’s security efforts. This person should understand the complexities of safeguarding student data and coordinating with various departments and service providers. Even if a service provider or affiliate helps, the institution remains responsible for compliance.
  2. Conduct periodic risk assessments: Regularly assess the risks associated with student data, research information, and institutional assets. This includes evaluating internal and external threats to data integrity, confidentiality, and availability, aligning with frameworks like NIST, and tailoring them to higher education needs.
  3. Implement safeguards based on risk assessments: Deploy encryption for sensitive data, enforce multi-factor authentication, regularly review access controls, maintain asset inventories, securely dispose of data, and anticipate network changes. Employ a Security Operations Platform to detect and respond to threats effectively.
  4. Train employees on cybersecurity awareness: Develop a proactive security awareness program tailored to the higher education environment. Educate faculty, staff, and students on recognizing and reporting suspicious activities to bolster the institution’s security posture.
  5. Maintain oversight of third-party service providers: Evaluate service providers with expertise in securing educational data. Utilize Security Operations platforms and Managed Detection and Response (MDR) services to monitor vendor access and activities for compliance.
  6. Conduct regular vulnerability scanning and penetration testing: Schedule routine vulnerability scans and penetration tests to identify weaknesses in the IT infrastructure. Utilize progressive penetration testing to simulate different attack scenarios, ensuring critical data remains protected.
  7. Keep security programs current: Continuously update security programs to adapt to evolving threats and operational changes within the institution. Employ Security Operations Platforms to provide real-time insights into network health, compliance, and at-risk programs.
  8. Develop a written incident response plan: Establish a comprehensive incident response plan outlining roles, responsibilities, and steps to mitigate cyberattacks. Conduct tabletop exercises to ensure stakeholders are prepared to respond effectively to security incidents.
  9. Provide an annual security program report: Deliver a comprehensive report to the Board of Trustees or relevant governing body detailing the institution’s security posture, compliance status, risk assessments, incident response activities, and recommended improvements. Utilize specialized reporting tools to streamline compliance reporting processes.

Compliance with GLBA is not just a legal obligation, it is a commitment to protecting sensitive data, upholding student privacy, and safeguarding institutional integrity. Embracing GLBA compliance mitigates risks and fosters a culture of security consciousness essential in today’s digital landscape. For more details, the FTC outlines all nine elements here.

What Happens to Non-Compliant Institutions?

Significant repercussions exist if a higher education institution fails to comply with the GLBA. First, if discovered during the annual audit, the institution’s access to Department of Education information systems may be restricted by the Federal Student Aid’s Postsecondary Institution Cybersecurity Team. Repeated or serious breaches could lead to fines or other administrative actions.

In addition, penalties outlined in the GLBA include fines of up to $100,000 for institutions and individuals. However, the most severe consequence of non-compliance is the risk of a security breach. In such an event, sensitive student data could be compromised, leading to potential ransom payments to recover the information without guaranteeing its return. The higher education’s reputation would suffer, impacting its ability to attract prospective students who may question its ability to safeguard their personal information.

An Opportunity to Strengthen Your Cybersecurity Posture

Higher education institutions have a unique opportunity to enhance their security measures while simultaneously complying with GLBA regulations. By proactively adhering to GLBA standards, these institutions protect sensitive financial information and strengthen trust and reputation within their communities.

Compliance ensures legal adherence and mitigates risks, fostering a culture of transparency and integrity. It also secures funding, supports financial stability, and enables investments in cybersecurity infrastructure, ultimately preserving accreditation and academic excellence. Through efficient compliance management, institutions optimize resources and focus on core educational objectives while safeguarding data and enhancing overall security posture.

Many rely on a Security Operations platform to help with their journey toward compliance. Their proactive approach to threat detection and response aligns seamlessly with the demands of GLBA regulations, ensuring constant vigilance against cyber threats. XDR alleviates the burden on internal teams, streamlining compliance management processes. By harnessing the power of XDR, higher education institutions can navigate the complexities of regulatory compliance more efficiently, safeguarding data integrity and elevating their overall security posture.

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.



Cybersecurity for Healthcare 2024: Mitigation Strategies

Industry Spotlight: Healthcare

In our quarterly industry spotlight series, we highlight the evolving threats faced by various industries and provide recommendations to enhance their security posture. Today, we shift our focus to the healthcare sector, a critical industry that faces unique challenges in safeguarding sensitive patient data and maintaining crucial healthcare operations. 

Mitigating cybersecurity risks is critical in the healthcare industry due to the highly sensitive nature of patient information stored within Electronic Health Records (EHRs) and the important role these systems play in patient care. Healthcare organizations are prime targets for cybercriminals seeking to exploit vulnerabilities for financial gain or disrupt essential services.  

Recent cyberattacks on healthcare organizations, like the Change Healthcare cyberattack, have demonstrated the growing sophistication and persistence of threat actors targeting this sector. Ransomware attacks, such as those leveraging Ransomware-as-a-Service (RaaS) and employing double extortion techniques, have caused significant disruptions and financial losses for healthcare providers. In response to these threats, organizations recognize the need to strengthen their cybersecurity defenses. 

Top Threat: Ransomware

Adlumin previously detailed significant trends and developments in the threats, vulnerabilities, and cyberattacks faced by the healthcare industry in the U.S observed from January to March 2024 by Adlumin’s Threat Research Team, in Cybersecurity for Healthcare: 2024 Threat Insights. 

Healthcare Threat Highlights: 

  • Ransomware was identified as a top threat to the healthcare industry in the U.S. in Q1 2024 
  • Surge in ransomware attacks targeting healthcare organizations 
  • Increase in double extortion tactics by ransomware gangs like AlphV/BlackCat and BlackSuit 
  • Disruption of patient care operations and regulatory risks under HIPAA regulations 
  • Growing use of Living-Off-the-Land techniques by attackers to evade detection 
  • Emphasis on heightened security measures and preparedness to mitigate ransomware threats 

Shifting from the identification of ransomware as the top threat in the healthcare industry, Adlumin’s Threat Research Team has developed crucial mitigation strategies and recommendations to help healthcare organizations better defend against these malicious attacks. Let’s explore key strategies recommended by Adlumin’s experts to enhance cybersecurity resilience in the healthcare sector. 

Mitigation Strategies & Adlumin Recommendations 

Cybercriminals are continuously evolving their strategies, highlighting the importance for entities within the healthcare sector to remain alert and proactive. Key developments in their methodologies include: 

  1. Practice Good Cyber Hygiene
    • Stay Informed of the Threat Landscape: Leverage resources from CISA, HHS 405(d), and the H-ISAC to enhance organization’s resilience against such formidable cyber threats and complex threat landscape.
    • Regular Software Updates and Patch Management: Ensure that all software, especially operating systems, and applications, are kept up to date with the latest patches to close security vulnerabilities.
    • Endpoint Protection Solutions: Deploy advanced endpoint protection platforms (EPPs) that include antivirus, antimalware, and EDR (Endpoint Detection and Response).
    • Network Segmentation: Segment networks to limit the spread of ransomware. Critical systems and sensitive data should reside in separate segments with strict access controls.
  2. Enhanced Detection and Response Capabilities
    • Security Monitoring and Anomaly Detection: Utilize security information and event management (SIEM) systems, along with AI and machine learning-based anomaly detection to identify unusual activity patterns indicative of a breach.
    • Integration of Managed Detection and Response (MDR) Systems: One of the key advantages of MDR systems is the ability to integrate and analyze security data from a wide range of sources, including endpoint systems, endpoint detection and response products, network devices, and more. This integration allows for a more comprehensive view of the security landscape, enabling the identification of complex attack patterns and subtle indicators of compromise that might be missed when these systems operate in isolation.
    • Implement a Zero Trust Architecture: Assume that threats can come from anywhere and verify every access request as if it originates from an open network. This involves strict identity verification, least privilege access, and micro-segmentation.
    • Incident Response Planning: Develop, maintain, and regularly test an incident response plan that includes procedures for ransomware attacks. This plan should outline roles, responsibilities, communication strategies, and recovery processes.
  3. Data Protection and Backup Strategies
    • Regular, Secure Backups: Maintain regular backups of critical data and systems, storing them in an isolated environment that is not accessible from the network where the primary data resides.
    • Immutable Backup Solutions: Use immutable backups where possible, ensuring that data cannot be altered or deleted after it’s written.
    • Encryption of Sensitive Data: Encrypt sensitive data both at rest and in transit to protect it from unauthorized access and reduce the impact of data theft.
    • Immutable Log Storage: Logs should be backed up and stored in a separate immutable and guaranteed system to avoid tampering and assure integrity.
  4. User Training and Awareness
    • Security Awareness Training: Conduct regular training sessions for all staff members on cybersecurity best practices, phishing awareness, and procedures for reporting suspicious activities.
    • Simulated Phishing Exercises: Carry out simulated phishing attacks to assess staff vigilance and reinforce training on identifying and responding to phishing attempts.
  5. Regulatory Compliance and Reporting
    • HIPAA Compliance: Ensure that all cybersecurity measures comply with HIPAA regulations to protect patient health information (PHI).
    • Breach Notification Procedures: Develop clear procedures for breach notification in compliance with regulatory requirements, ensuring timely communication with affected individuals and regulatory bodies.
  6. Special Attention to Emerging Threats
    • Monitor Emerging Ransomware Tactics: Stay informed about new ransomware tactics, such as double extortion and supply chain attacks, adapting defense mechanisms accordingly.
    • valuate Security of Third-Party Vendors: Conduct thorough security assessments of third-party vendors and insist on compliance with stringent security standards to mitigate supply chain risks.
    • Pay Special Attention to Electronic Health Records (EHR) Systems: EHR’s like Epic present an enticing target to attackers while holding critically sensitive patient health data and enabling healthcare operations. Strategies should be in place for isolating EHR enabling systems from other machines and for dealing with potential lengthy EHR system outages.

Eliminate Risks from One Centralized Location 

For healthcare organizations looking to amplify their cybersecurity resilience against the pervasive threat of ransomware and other evolving cyber threats, the implementation of a comprehensive and integrated security strategy is paramount. By leveraging a centralized Security Operations Platform that incorporates all the recommended mitigation strategies and practices, organizations can streamline their cybersecurity efforts and enhance their ability to detect, respond to, and mitigate potential threats effectively.  

Additionally, partnering with Managed Detection and Response (MDR) services can provide organizations with the expertise, tools, and continuous monitoring needed to mitigate risks, optimize threat response, and ensure a proactive defense against cyber threats. By adopting this holistic approach, healthcare organizations can strengthen their cybersecurity posture, safeguard patient data, and protect critical infrastructure in the face of threats. 

Adlumin Platform - Ransomware Prevention

Explore the Platform 

Adlumin ensures swift setup, unrivaled visibility spanning endpoints, users, and the perimeter, and provides contextual insights for rapid, informed decision-making.

Adlumin’s Threat Research Team is the innovator behind Adlumin’s comprehensive threat hunting to improve visibility, reduce complexity, and manage risk. The team proactively searches for cyber threats lurking undetected in your network environment. They dig deep to identify non-remediated threats and other malicious activities to reinforce security defenses. 

How to Create a Ransomware Recovery Roadmap

Ransomware attacks have become an omnipresent threat to organizations worldwide, posing significant risks to data integrity, financial stability, and organization continuity. As cybercriminals continue to evolve their tactics and target organizations of all sizes and industries, it’s imperative for organizations to strengthen their defenses and protect themselves against ransomware incidents.

Organizations must also be equipped with a detailed recovery plan to mitigate the impact of such incidents effectively. In this blog, we delve into the essential steps and solutions for recovering from ransomware attacks and restoring organization operations quickly and securely.

Strengthening Your Ransomware Recovery Arsenal

While recovering from a ransomware attack requires a strategic and methodical approach, having the right tools and solutions in place can significantly expedite the process and enhance overall resilience. Here are some key solutions to consider integrating into your recovery plan:

  1. Endpoint Detection and Response (EDR) Solution: Implement EDR solutions to enhance containment and isolation efforts by swiftly detecting and responding to ransomware threats at the endpoint level. These solutions provide real-time visibility into endpoint activities, enabling rapid containment and mitigation of ransomware incidents.
  2. Secure Backup and Recovery Solutions: Deploy secure backup and recovery solutions that adhere to best practices, ensuring the integrity and cleanliness of backups. Look for solutions that offer immutable backups and robust encryption to safeguard against ransomware attacks and ensure seamless data restoration.
  3. Security Operations Platform: Invest in automated tools that can swiftly assess the extent of the damage caused by the ransomware attack. These tools used algorithms to identify compromised systems and data, providing actionable insights for prioritizing recovery efforts.
  4. Threat Intelligence Services: Enlist the support of threat intelligence services to stay informed about the latest ransomware trends, tactics, and techniques employed by threat actors. Leveraging actionable threat intelligence can help organizations proactively adapt their cybersecurity defenses to counter emerging ransomware threats effectively.
  5. Security Awareness Training: Prioritize security awareness training for employees to empower them to recognize and respond to ransomware threats effectively. Investing in comprehensive security awareness programs can help foster a culture of cybersecurity awareness within the organization, reducing the risk of successful ransomware attacks.
  6. Cyber Warranty Coverage: Consider obtaining cyber warranty coverage to mitigate the financial impact of ransomware attacks and facilitate recovery efforts. Cyber warranties are often provided through managed detection and response (MDR) providers. The warranties can provide financial assistance for ransom payments, data restoration costs, and other expenses associated with recovering from ransomware incidents.

By incorporating these solutions into your ransomware recovery plan, you can enhance your organization’s resilience and expedite the recovery process in the event of a ransomware attack. Remember to regularly review and update your recovery plan to adapt to evolving ransomware threats and ensure continued effectiveness.

Strengthening Resilience and Recovery Strategies

In effort to strengthen resilience and recovery strategies against ransomware attacks, organizations must adopt a proactive approach by implementing the right solutions and technologies. By establishing clear roles, responsibilities, and communication protocols, organizations can effectively respond to attacks and minimize their impact on operations.

Additionally, using simulator tools can help organizations assess their readiness and identify gaps in defense mechanisms, allowing for the implementation of stronger security measures and better protection of data. Through testing defenses, organizations can stay ahead of cyberthreats and safeguard their valuable information effectively.

Unraveling Cyber Defense Model Secrets: Credential Harvesting and Insider Threats

By: Bronwen Cohn-Cort, Data Scientist, and Shaul Saitowitz, Data Scientist

Welcome to the Unraveling Cyber Defense Model Secrets series, where we shine a light on Adlumin’s Data Science team, explore the team’s latest detections, and learn how to navigate the cyberattack landscape.

The Essential Role of Threat Detection

Threat detection is a critical component of an organization’s cybersecurity strategy. Requiring the combination of human expertise and machine learning, risk can be significantly reduced by identifying threats before a potential attack.

Many threats can go unnoticed for months or even years. In IBM’s latest report, it takes an average of 277 days for security teams to identify and contain a data breach, and the cost of a breach skyrocketed, reaching an average of $4.45 million. Given the extended timeframe it often takes to detect and contain a data breach, organizations must proactively implement measures to quickly respond to potential threats and reduce the risk of costly damages.

To effectively combat malicious activity in your environment, it can be challenging to stay on top of all the potential threats, particularly as it demands skilled professionals who can develop models to apply artificial intelligence. Setting up alerts for when suspicious activity is detected can help organizations quickly respond to potential breaches and mitigate the risk of further damage to their systems and data.

Critical Detections for Your Network Security

While there are many types of security threats and detections to consider today, we highlight credential harvesting and insider threats as two crucial ones to add to your queue.

Adlumin Data Science is rolling out alerts for credential harvesting and insider threats, each capable of warning against prevalent attack tactics within their domains by utilizing user and entity behavior analytics. These detections are crucial as they are often difficult for organizations to identify.

Credential Harvesting Detection

A credential harvesting alert addresses a post-exploitation technique to broaden network access. After gaining a foothold, this alert will notify an organization about suspicious activities related to stealing login credentials from a computer system. This information can then be used to access other systems, steal data, or even compromise an entire network.

Sources of stored credentials include files, databases, registry entries, and memory structures where login credentials are stored, whether in plaintext or encrypted form. Some of these locations include LSASS (Local Security Authority Subsystem Service), GPP (Group Policy Preferences), and web browsers that store passwords. Cybercriminals can use one of many tools or techniques to capture the stored credentials.

These include utilities like Mimikatz, Hashcat, and SharpChromium. Once the credentials have been extracted, the attacker harvests them for future use. Encrypted passwords can be cracked offline and then used to access other systems within the network, furthering the attack.

The detection exposes several credential dumping techniques and delivers background on the tool discovered. This allows prompt stoppage of the unfolding attack and helps protect business assets. The detection model should be updated regularly to keep up with new tactics and methods.

Credential harvesting poses a significant threat to organizations, leading to unauthorized access, data breaches, and financial loss. Setting up alerts for credential dumping processes is crucial as it enables early detection and swift response to mitigate potential damage. Organizations can protect their sensitive information, maintain operational continuity, and uphold trust with customers and stakeholders by efficiently enriching, containing, and recovering from such incidents.

Insider Threat Detection: Aggregating and Analyzing Widespread File Deletion

Some ransomware variants, like REvil, involve mass file deletion; in some instances, an unauthorized insider may gain permissions sufficient to mass-delete files. The Insider Threat model detects and alerts on cases of a user or attacker deleting an abnormally high number of files across many different subdirectories. Further analysis is conducted to filter out file extensions and locations that likely correspond to benign deletion activity. For example, a user emptying the Recycle Bin would not trigger an alert.

Setting up an Insider Threat alert uses a machine learning model to determine anomalies in the number of Windows Event ID 4663 (“An attempt was made to access an object”) events with Delete access permissions. A high quantity of these 4663 events in a half-hour period significantly deviating from the customer baseline is considered anomalous.

The table below displays partially redacted information from 4663 events associated with an alert. For each, it shows the time of the log message, the computer name on which it occurred, and which Object Name and Process Name were associated with the event. This table can be used to further investigate the deletion activity by reviewing the details of what computers, locations, and types of files were involved.

Following an alert, activity from the username(s) in question should be examined if a threat actor compromised a user account. Suspicious behavior may warrant disabling the account and quarantining affected computers from the network. Review user actions and run an anti-malware scan and vulnerability assessment to check if the threat actor has performed any other actions, such as creating a logic bomb or backdoor.

Insider threats pose a significant risk to organizations as they can result in data breaches, financial loss, reputational damage, and operational disruptions. Malicious insiders or compromised accounts can intentionally or unintentionally cause harm by deleting critical files, installing malware, or stealing sensitive information.

Setting up Insider Threat alerts, like the one described here, is crucial for detecting suspicious activities, such as widespread file deletion, in a timely manner. By observing user behavior, organizations can proactively identify and respond to potential insider threats, mitigating the impact of security incidents and safeguarding their assets and operations.

Experience The Innovations 

Here at Adlumin, we know how important it is to see everything in cybersecurity. That’s why we offer a customized Security Operations Platform and Managed Detection and Response services to give organizations a complete view of their IT environment. But we go further than that. We believe in the value of firsthand experience, so we invite you to explore our platform yourself with a guided tour.

See how our platform helps your team find and address threats by arranging a demo or trying out our platform for free. Join the tour and boost your organization’s visibility to a whole new level.

Cybersecurity for Healthcare: 2024 Threat Insights

The recent ransomware attack on UnitedHealth’s Change Healthcare subsidiary highlighted the attractiveness of the data-rich U.S. healthcare industry to cybercriminals and the severe impact on patients and doctors. Total expenses from the attack are expected to surpass $1 billion, including a $22 million ransomware payment. With cybercriminals leveraging sophisticated techniques to infiltrate systems, encrypt data, and extract sensitive information, the healthcare sector faces significant challenges in safeguarding patient records and maintaining operational efficiency.

This industry spotlight highlights significant trends and developments in the threats, vulnerabilities, and cyberattacks faced by the healthcare industry in the U.S observed from January to March 2024 by Adlumin’s Threat Research Team. 

Industry Spotlight: The Healthcare Industry

Top Threat: Ransomware

Last year, the FBI’s Internet Crime Complaint Center released its latest report on Internet crimes and identified the healthcare and public health sectors as the most victimized by ransomware[1]. In fact, the healthcare sector had over 33% more reported victims than the second leading sector, critical manufacturing; 82% more than government facilities, and well more than double the number reported by the financial service sector. While waiting for the latest data reflecting 2023 cases, it’s almost certain that the healthcare sector will continue to see more ransomware attacks.

Ransomware gangs which operate under affiliate models often capture vital data, impose hefty ransoms for data retrieval, and significantly hinder patient care operations. The ransomware affiliate model resembles legitimate affiliate programs – hackers code the malware, while affiliates distribute it through Ransomware-as-a-Service (RaaS), then share the ransom profits. There may also be shared infrastructure for payout and money laundering operations. Combined, this lowers the barrier to entry for attackers and increases attack volume, fueling the overall threat.

Adlumin has observed wide adoption of a tactic known as double extortion in healthcare sector attacks. In double extortion operations, attackers encrypt sensitive and critical data as part of traditional ransomware operations, and exfiltrate or steal sensitive data. Ransomware actors then threaten public release of the data, meant to force payment of hefty ransoms even if defenders can recover encrypted data and systems from backups or other sources.

Adlumin has also observed ransomware operators increasingly threaten to report victims to regulatory authorities such as the SEC, resulting in almost certain fines if applicable under a host of old and new laws and regulations. Additionally, in uncovering Play ransomware. operations, Adlumin uncovered that ransomware attackers threaten to notify organization’s partners and customers as part ransom messages, a tactic meant to coerce payment. These factors can be especially important for those in the healthcare sector as HIPAA (Health Insurance Portability and Accountability Act) can impose fines for data breaches involving protected health information (PHI). The four categories used for the penalty structure are:[2]

TierDescriptionFines per Violation*
Tier 1A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules.$137 to $68,928
Tier 2A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules).$1,379 to $68,928
Tier 3A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation.$13,785 to $68,928
Tier 4A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation within 30 days.$68,928 to $2,067,813

*Yearly cap of $2,067,813

Ransomware operators are also beginning to forgo encryption entirely, favoring data exfiltration and extortion operations. Both types have seen usage of Living-Off-the-Land (LOTL) techniques.

LOTL attacks are a stealthy tactic where attackers exploit legitimate tools already present on a system, like PowerShell, the command prompt, or native binaries like certutil, to carry out malicious activities. These “Living Off the Land Binaries” (LOLBins) blend in with normal system operations, making them more difficult to detect and allows attackers to steal data, move laterally within a network, or gain persistence without relying on easily identifiable malware.

Healthcare Top Threats

AlphV/BlackCat

On December 19, 2023, the FBI announced disruption of RaaS operations carried out by AlphV (also known as “BlackCat”). The FBI seized several websites created by the group and gained visibility into the BlackCat ransomware group’s computer network as part of the investigation[3]. Additionally, authorities offered victims access to an FBI-developed decryption tool allowing for recovery of encrypted data.

In response BlackCat called for open season against the healthcare sector stating, “Because of their actions, we are introducing new rules, or rather, we are removing ALL rules except one, you cannot touch the CIS. You can now block hospitals, nuclear power plants, anything, anywhere.”[4]

On February 27, 2024, CISA, the FBI, and the Department of Health and Human Services (HHS), released a joint advisory which addressed BlackCat’s operations and attacks against the healthcare sector. They noted that, “Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most victimized. This is likely in response to the AlphV / Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.”[5]

In late February 2024, as part of attacks against the healthcare sector, insurance provider UnitedHealth found itself in the crosshairs of BlackCat operations, it was reported the attack “had a knock-on effect on players across the U.S. healthcare system, as disruptions triggered by the attack have impacted electronic pharmacy refills and insurance transactions.”[6] In a quickly deleted post to its darknet hosted website, BlackCat stated that it stole millions of sensitive records.

BlackSuit Ransomware

In November 2023, the Health Sector Cybersecurity Coordination Center (HC3) at the U.S. Department of Health and Human Services (HHS), released a detailed analysis on BlackSuit, a new ransomware strain that poses a credible threat to the healthcare and public health (HPH) sector.

BlackSuit emerged in May 2023 and exhibits significant parallels to the Royal ransomware family, which succeeded the infamous Conti group linked to Russia. BlackSuit’s ties to these active threat actors suggest ongoing, aggressive targeting of the healthcare industry. HC3 outlined BlackSuit’s operations, including its use of double extortion tactics, specific technical details, and potential impact on healthcare services, alongside recommended defenses, and mitigation strategies.

As outlined in the HC3 report, BlackSuit’s impact could be significant, particularly if the group’s ties to the Royal and Conti ransomware families are confirmed. With its use of double extortion tactics, BlackSuit not only encrypts sensitive data on compromised healthcare networks but also threatens to leak stolen data unless a ransom is paid. This approach poses a dual threat: the immediate disruption of healthcare services due to inaccessible patient records and systems, and the long-term damage from the potential exposure of confidential patient data.

BlackSuit operates by encrypting sensitive data on compromised networks, employing a double extortion scheme that has so far targeted a limited number of victims across various sectors, including healthcare, in countries such as the U.S., Canada, Brazil, and the U.K. The analysis reveals BlackSuit’s operational techniques, encrypted file extensions, ransom demand methods, and its distribution via infected email attachments, torrent websites, malicious ads, and trojans.

Despite its limited use, the connections to Royal and Conti hint at a potentially significant threat landscape for the healthcare sector. Technical similarities with the Royal ransomware family, based on binary comparison tools, suggest BlackSuit could be a variant or affiliate of these larger, well-organized ransomware operations.

HHS emphasizes the importance of heightened security measures and preparedness within the healthcare industry to mitigate risks associated with ransomware attacks.

Recommendations to Eliminate Risks

To protect against evolving cyber threats in the healthcare sector, Adlumin recommends practicing good cyber hygiene by staying informed of the threat landscape, updating software regularly, implementing a Security Awareness Program, and deploying endpoint protection solutions.

Adlumin’s threat research team advises healthcare organizations to regularly update software, segment their networks, and plan for incident response. They also recommend implementing security monitoring, and anomaly detection tools. In addition, secure backups, encryption of sensitive data, and HIPAA compliance are crucial elements of a strong cybersecurity strategy.

With a deep understanding of the healthcare sector’s unique challenges and vulnerabilities, Adlumin stands as a reliable partner in strengthening cybersecurity posture and ensuring regulatory compliance. Partnering with Adlumin equips healthcare organizations with the necessary tools and expertise to combat ransomware and protect critical infrastructure effectively.

Stay tuned, Adlumin’s Threat Research team is releasing in-depth mitigation strategies for the healthcare sector.

The Best Mitigation Strategies for Ransomware Attacks

By: Brittany Holmes, Corporate Communications Manager 

The rise of ransomware attacks can be traced back to the infamous WannaCry outbreak in 2017, a watershed moment for cybercriminals. This high-profile incident revealed the potential profitability of ransomware attacks and spurred the development of numerous variants since then.

Additionally, the COVID-19 pandemic played a significant role in the recent surge of ransomware attacks. With organizations hurriedly transitioning to remote work, vulnerabilities in their cybersecurity defenses became more apparent and exploitable. Cybercriminals took advantage of these weaknesses to launch ransomware attacks, sharply increasing such incidents.

As history has shown, ransomware attacks continue to evolve and become more sophisticated in their tactics. This makes it crucial for small and medium-sized businesses (SMBs) to understand the growing threat landscape and take proactive steps to protect their data and systems.

This blog explores the mechanisms through which ransomware is delivered, the reasons behind its alarming success rate, and effective mitigation strategies for SMBs.

How is Ransomware Delivered?

From a cybercriminal’s point of view, there are numerous ways to break into a network and encrypt its data for ransom. Stealing and holding data hostage has proven to be an effective way to extort money from organizations, so cybercriminals are increasingly utilizing this tactic.

To successfully breach a network, cybercriminals target the most vulnerable link in the security chain—the people. It is crucial for companies to prioritize employee training on cybersecurity awareness and to update and strengthen their security measures constantly.

Ransomware is often delivered through phishing emails and malicious websites. Phishing emails typically contain deceptive links or attachments that, when clicked, can install ransomware onto a victim’s device. These emails are made to appear sincere and may even impersonate trusted sources, tricking users into taking actions that compromise their security. On the other hand, malicious websites can also distribute ransomware through drive-by downloads or exploit kits. These websites can quickly infect a user’s system with ransomware by luring unsuspecting visitors to click on malicious links or download files.

Why is Ransomware so Effective?

One of the main reasons why ransomware is so effective is because it preys on peoples’ fear and urgency to regain access to their data. Many individuals and organizations rely heavily on their data for everyday operations, and the idea of losing that data can be terrifying. This fear often leads victims to pay the ransom, even though there is no guarantee that the cybercriminals will provide the decryption key once the ransom is paid.

Additionally, the speed at which ransomware operates also contributes to its effectiveness. By the time detection occurs, most files are encrypted, making it difficult to stop the attack in its tracks. Even with detection, analysts still need to look at the alerts and take the appropriate action, which can be time-consuming and may result in further data loss. This rapid encryption process adds to the sense of urgency that victims feel, pushing them to consider paying the ransom as a quick solution to regain access to their data.

Ransomware is particularly effective against SMBs because they often lack the proper resources and expertise to defend against such attacks. SMBs are also more likely to pay the ransom, as they may not have proper backups in place or the means to recover their data through other methods.

According to Adlumin’s most recent Threat Insights 2024 Volume I, the top two tactics/methods used by ransomware gangs include:

Ransomware attacks continue to be successful due to the evolving tactics employed by cybercriminals, who are now packaging their methods into more streamlined and sophisticated approaches. The two primary tactics driving the success of ransomware include double extortion and the rise of Ransomware-as-a-Service (RaaS), enabling easier access and increased efficiency for cybercriminals looking to exploit organizations for financial gain.

Double Extortion: In addition to encrypting an organization’s data, cybercriminals are increasingly stealing sensitive information and threatening to release it publicly unless the ransom is paid. This additional pressure increases the likelihood that victims will pay the ransom.

Ransomware-as-a-Service (RaaS): Some ransomware groups now offer their ransomware as a service to other cybercriminals, allowing them to distribute and deploy ransomware attacks without technical expertise efficiently. This has led to increased ransomware attacks, as more criminals can launch their own campaigns with minimal effort.

By understanding how ransomware works and the tactics used by cybercriminals, organizations can better protect themselves against these attacks and prevent falling victim to ransomware.

How SMBs Can Mitigate Ransomware Risks

To effectively mitigate ransomware risks, SMBs must educate and train employees to identify and report the signs of a potential attack. By raising awareness about suspicious emails, links, and attachments, employees become the frontline defense against ransomware infiltrations. Encouraging the use of strong, unique passwords and multi-factor authentication further bolsters security measures.

In addition to employee training, implementing a robust data backup and recovery plan is essential. Regularly backing up data to offline or secure cloud storage ensures that systems can be restored without succumbing to ransom demands.

Maintaining up-to-date patch updates, particularly through Continuous Vulnerability Management, adds another layer of security. Staying vigilant and updating systems regularly makes it more challenging for threat actors to gain unauthorized access to sensitive data.

By combining these strategies, SMBs can significantly reduce their vulnerability to ransomware and protect their valuable data.

Illuminate Threats and Eliminate Risks

Last year, there was an increase of ransomware attacks at a rate of 73% totaling 4,611 cases reported. The staggering statistics on ransomware attacks highlight the critical need for heightened awareness and preparedness across all industries.

Implementing a multi-layer defense strategy and prioritizing early detection are pivotal steps in safeguarding organizations against the damaging impact of ransomware. It is imperative that organizations invest in cybersecurity measures, conduct regular training for employees, and stay vigilant against evolving threats.

By staying informed and proactive, organizations can significantly reduce the potential damage inflicted by ransomware attacks and ensure the security of their valuable data and systems.

Early Detection and Multi-Layered Defense Against Ransomware Attacks

By: Brittany Holmes, Corporate Communications Manager 

Ransomware attacks continue to pose a serious and persistent threat, causing widespread disruption to organizations of all sizes. This underscores the critical need for proactive cybersecurity measures to stay ahead of cybercriminals.  

A recent high-profile incident involving approximately 60 Credit Unions highlighted the ongoing impact of these attacks. Many of the credit unions affected lacked adequate backup coverage and dedicated security, which serves as an example of the importance of early detection and a multi-layered defense strategy to protect valuable data from ransomware threats.  

This blog explores top methods for detecting ransomware, response strategies, and the importance of a multi-layer protection approach.   

Detecting Ransomware and The Need for Early Detection 

Ransomware protection strategies commonly focus on various stages of attack detection, as outlined by MITRE. From blocking known variants to detecting signs of compromise before execution and identifying malicious activities during the execution phase, each step plays a crucial role in preventing file encryption and data loss. Here are some top ways ransomware is detected:  

  • Blocking Ransomware Variants: Blocking known ransomware variants is common in cybersecurity defense. Organizations can proactively block known ransomware strains from executing on their systems by leveraging threat intelligence feeds and signature-based detection tools. 
  • Detecting Signs of Compromise: Detecting signs of compromise before ransomware execution is another crucial strategy in ransomware detection. Organizations can identify a ransomware attack in its early stages by monitoring for indicators of compromise (IoCs), such as unusual network traffic patterns, unauthorized access attempts, or anomalous file modifications. 
  • Detecting Ransomware at Execution Stage: Detecting ransomware at the execution stage is a critical step in mitigating the impact of an attack. Behavior-based detection techniques can monitor system activities in real-time to detect and respond to malicious behavior, including ransomware encryption processes. Organizations can identify and contain ransomware before it causes extensive damage by analyzing the behavior of processes and file system activities. 

Additionally, leveraging frameworks such as MITRE ATT&CK can provide organizations with a standardized approach to understanding ransomware tactics, techniques, and procedures (TTPs). By mapping ransomware behaviors to the MITRE ATT&CK framework from left to right, organizations can identify gaps in their detection and response capabilities and implement targeted security measures to enhance their ransomware defense strategy.  

However, cybercriminals continually evolve their tactics, and ransomware strains emerge, hindering some security approaches. To address the shortcomings of each detection method, organizations can adopt a strategy that combines multiple layers of defense. Ransomware detection capabilities can be enhanced by integrating threat intelligence feeds with advanced behavioral analytics and proactive threat hunting, improving their overall cybersecurity posture. 

Adlumin’s Innovative Ransomware Protection Feature   

Adlumin’s Managed Detection and Response (MDR) now includes a ransomware prevention feature focused on file system preservation to combat the evolving ransomware landscape. This new capability safeguards and preserves most files by killing the process at the earliest detection sign. 

One crucial aspect of ransomware protection is proactive testing and preparedness. It is important to understand how secure your organization’s security tools are against ransomware by prioritizing testing defenses and response protocols to ensure readiness in the face of potential threats. 

Embracing a Multi-Layered Defense Approach 

Ransomware protection is a complex and challenging threat that demands a multi-layered defense approach. Early detection, proactive response strategies, secure backups, and innovative technologies like Adlumin’s Ransomware Prevention are essential to a comprehensive defense posture against attacks. By understanding the importance of early detection and implementing a multi-layered defense strategy, organizations can significantly enhance their resilience to evolving cyber threats.   

The threat of ransomware is large, but by staying informed and leveraging advanced security solutions, the risks can be mitigated, and data assets can be safeguarded. Remember, there is no single answer to ransomware protection – it requires a holistic and dynamic approach to stay ahead of cyber adversaries. With 24×7 coverage and innovative technologies, you can protect your organization against the threat of ransomware and ensure organization continuity in the face of evolving cyber risks. 

Misconfiguration in Zero-Trust Solution Could Allow Threat Actors to Bypass 2FA

The Adlumin team recently investigated a security incident in which a malicious actor(s) successfully managed to gain unauthorized access to a company’s networks by completely bypassing Duo, a popular zero-trust security solution used by hundreds of organizations worldwide.

Background

The incident occurred in early February 2024 when threat actor(s) used two compromised sets of email credentials to log in remotely to the targeted company’s network from servers with IP addresses registered to Russia and Brazil. Subsequently, the company’s security tools, including Adlumin, generated several alerts for malicious activity detected within the network. This activity included credential brute forcing attempts, attacks against Microsoft Active Directory and Kerberos, and the use of Netscan to enumerate endpoints and servers.

Security teams responded to the alerts and successfully halted and locked out the threat actors before they could inflict more harm on the network, but questions remained as to why Duo’s two-factor authentication (2FA) was not prompted to verify the legitimacy of the login sessions which would have protected against compromised credential-based attacks.

Investigation Findings

The Adlumin investigation revealed that the two compromised email accounts used by the threat actor(s) were stale accounts which had been mistakenly configured with a policy that allows for unenrolled or partially enrolled users to authenticate into their network without 2FA.

According to Duo’s online documentation (last updated on Jan. 29, 2024), a “New User Policy” to allow access without 2FA, does not prompt users to complete enrollment and they are granted access without two-factor authentication.1

This type of user policy is made available to organizations for several reasons, including facilitating a gradual rollout of 2FA within the organization or a slow adoption of new zero-trust practices. However, it remains important to monitor events generated by users that bypass 2FA. Duo does offer such a monitoring feature to companies using Duo Premier, Duo Advantage, and Duo Essentials Plan.

With any 2FA solution, it’s important to consider the risks of enabling or using user policies that bypass it in any scope. Bypassing 2FA for certain users or scenarios reduces the overall security posture of the system and network. It can create fringe but exploitable instances where authentication relies solely on a single factor (e.g., username and password) that may be more susceptible to compromise – which was the case in the security incident investigated by Adlumin.

When users are not required to use 2FA, there is an increased vulnerability window. Attackers may exploit this period, especially if users with reduced authentication factors can enable access to sensitive information or critical systems.

In its online documentation, Duo does warn account owners and administrators who configure login access to remember that users with bypass status are not subject to restrictions and can bypass Duo authentication entirely.2

Conclusion

To protect against similar attacks at organizations that use Duo or other zero-trust solutions, Adlumin recommends that companies and organizations ensure user access policies are correctly configured and consider the security risks that come with allowing some users to bypass 2FA.

Organizations can avoid or reduce their exposure to an attack by practicing good account hygiene. This includes routinely conducting account reviews to identify and deactivate accounts that are no longer needed, establishing efficient communication between IT departments and human resources when employees leave an organization, and automating account provisioning and deprovisioning processes.

Indicators of Compromise (IOCs)