Three Actions to Mature Your Security Posture

By: Brittany Holmes, Corporate Communications Manager 

When cybercriminals are consistently evolving their tactics, ensuring the security of your organization’s data and systems has never been more crucial. The increasing sophistication of cyber threats demands that businesses constantly level up their security practices to stay one step ahead of potential breaches. To achieve this, organizations need to go beyond having a security operations platform and consistently think about the potential of their platform. 

While there are various components to consider, three practices stand out as fundamental pillars for strengthening security maturity: vulnerability management, penetration testing, and security awareness training.  

This blog explores each of these components and highlights the reasons why, even implementing just one can significantly elevate your organization’s security posture.

Level Up #1: Vulnerability Management  

Vulnerability management is all about keeping your organization’s network safe from potential threats. You can quickly identify and tend to vulnerabilities, reducing the time it takes to patch them by automating the process. This automated system also provides valuable information about the risks these vulnerabilities pose and offers advice on how to fix them.

It helps you prioritize which vulnerabilities need immediate attention based on the potential harm they could cause. This proactive approach reduces the amount of time that attackers have to exploit these weaknesses, making your network more secure. Implementing vulnerability and patch management is not only a best practice for IT security but also helps ensure compliance with industry regulations. CIS Critical Security Control also indicates CVM as a requirement for meeting IT security best practices and compliance.

Vulnerability Management in Action

Vulnerability management levels up an organization’s security posture by identifying and addressing security weaknesses in its systems and networks. By regularly and consistently managing vulnerabilities, organizations can reduce the attack surface, prevent potential breaches, and enhance overall security resilience.

Here are a few signs that indicate your organization can benefit from Vulnerability Management: 

  1. You want to make the most of your security investments: Vulnerability management helps determine the return on security investment (ROSI), showing the potential financial losses that security measures can prevent. By promptly identifying vulnerabilities within your organization’s environment, these programs reduce the risks and potential costs of cyber-attacks.
  2. You need to streamline your vulnerability management program: Managing vulnerabilities manually can be time-consuming and inefficient. Vulnerability management technologies automate the process, allowing for real-time identification of vulnerabilities as they arise.
  3. You operate in a high-targeted industry: Certain industries, such as financial services or healthcare, are often the primary targets for cyber attacks. Implementing vulnerability management becomes even more crucial if your organization falls within these high-profile sectors.
  4. Your organization is experiencing rapid growth: As your organization expands, it becomes more vulnerable to cyber threats. With vulnerability management, you can ensure that your expanding network and systems are constantly protected. 

Level Up #2: Penetration Testing 

A penetration test, or pen test, is like a real-life game of “cybercriminals vs. defenders” that organizations play to protect themselves from cyber attacks. Experts try to break into the company’s systems in a controlled environment just like a real cybercriminal would. They go through different tactics, like finding weak spots in the system, sneaking in undetected, and even planting malicious software. 

Pen tests are so important because they help organizations understand how strong their defenses are. It’s like testing their security measures to see if cybercriminals could exploit any holes or vulnerabilities. It’s like getting an outside perspective on how well-protected you are.

By simulating real attacks, pen tests can uncover weak spots that the organization’s own security experts might have missed. It’s a way to shine a light on risks that might go unnoticed from the inside. The great thing about pen testing is that it identifies vulnerabilities and shows how much damage they could cause if someone were to exploit them. It gives organizations a heads up on where they need to tighten their security belts.  

Penetration Testing in Action 

Penetration tests can actually help strengthen a company’s security processes and strategies. When executives at an organization see the results of these tests, they can understand the potential damage that could occur and prioritize fixing those vulnerabilities. A skilled penetration tester can provide recommendations to build a solid security infrastructure and help allocate the cybersecurity budget wisely. 

Here are a few reasons your organization might need Penetration Testing:  

  1. You will find system vulnerabilities before cybercriminals
  2. You have the ability to strengthen security strategies and processes 
  3. You will reduce attack dwell time and lower remediation costs 
  4. You will stay compliant  
  5. You can preserve customer loyalty and brand reputation 

Level Up #3: Security Awareness Training 

Security awareness training is a way for IT and security professionals to teach employees to protect themselves and their organizations from cyber threats. It helps employees understand how their actions can put the organization at risk and how to avoid common mistakes.   

In addition, there are common standards and legislations that require organizations to have a security awareness training program in place, KnowB4 details the following: 

  • US State Privacy Laws 
  • NERC CIP 
  • CobiT 
  • Federal Information Security Management Act (FISMA) 
  • Gramm-Leach Bliley Act 
  • ISO/IEC 27001 & 27002 
  • Sarbanes-Oxley (SOX) 
  • Health Insurance Portability & Accountability Act (HIPAA) 
  • PCI DSS 

Research shows that most security breaches are caused by human error, so training is essential in preventing data breaches and other security incidents. It covers topics like proper email, internet usage, and physical security measures like not letting unauthorized people into the office. The best proactive security awareness programs are engaging and delivered in small doses but consistently to fit into employees’ busy schedules.  

Security Awareness Training in Action 

Having proper security awareness training for your team is crucial. It increases your organization’s security and saves you time and money in the long run. By educating your employees about the various threats and risks out there, you can prevent them from making simple mistakes that could hurt your organization.

Think about it – a single moment of carelessness, like checking an email on a public Wi-Fi network, could result in a major breach. But if everyone in your organization knows the dangers and takes the necessary precautions, the chances of a security breach are significantly reduced.  

Here are a few benefits of implementing a Security Awareness Program: 

  1. Saving time and money: Data breaches and similar attacks cost organizations billions of dollars each year. So, spending money on training is a small price to pay if it protects you from potential cyber threats. Time is another valuable resource that can be saved with proper cybersecurity training. If an attack occurs, your team will spend a lot of time the damage and finding ways to prevent future breaches.
  2. Employee empowerment: When your employees are well-informed about phishing emails, malware, and other common threats, they feel confident in recognizing and handling these situations. They won’t have to second-guess themselves or waste time seeking help from IT for simple issues.
  3. Continued customer trust: A data breach can severely damage your reputation. Losing the trust of customers not only results in a loss of revenue but can also impact your partnerships with other organizations. 

Leveling up Your Security Maturity

Cybersecurity detection is not just a fancy term or an added feature to your cybersecurity strategy. It is a proactive approach that can save you from the chaos and damage caused by cyber threats. It’s like shining a light into the shadows where cybercriminals hide, exposing their every move and giving you the upper hand.

By taking these components into consideration, you can stop threats in their tracks and prevent them from causing havoc. Whether it’s implementing one or all of the key components discussed, taking action is crucial.

Organizations can ease the burden on their IT teams by leveraging solutions that provide comprehensive threat detection and response capabilities. Adlumin offers enterprise-grade Managed Detection and Response Services that operate as an extension of your IT team.

For more information about why implementing proactive security measures is essential to leveling up your security maturity, download “The Executive’s Guide to Cybersecurity.” 

PlayCrypt Ransomware-as-a-Service Expands Threat from Script Kiddies and Sophisticated Attackers

Key Takeaways

  • Adlumin uncovered evidence that Play ransomware (also known as PlayCrypt) is now being sold “as a service.” Play ransomware has been responsible for attacks on companies and government organizations worldwide since it was first discovered in 2022. Making it available to affiliates that might include sophisticated hackers, less-sophisticated “script kiddies” and various levels of expertise in between, could dramatically increase the volume of attacks using the highly successful, Russia-linked Play ransomware.
  • In recent months, Adlumin has identified and stopped PlayCrypt attacks that had nearly identical tactics, techniques and procedures (TTPs). The unusual lack of even small variations between attacks suggests that they are being carried out by affiliates who have purchased the ransomware-as-a-service (RaaS) and are following step-by-step instructions from playbooks delivered with it.
  • Based on the attacks Adlumin has witnessed, small and mid-sized organizations are being targeted and are especially at risk. However, ransomware delivered as a service can often be easier to detect because of the common methods used to deploy it. Security teams should watch for indicators of compromise (IOCs) including malicious IP addresses, domains, TOR addresses, emails, hashes and executables, including the ones identified in the article below.

The Patterns

Play, also known as “PlayCrypt,” was discovered last summer disrupting government agencies in Latin America.  Months later threat actors began using it for targets in the U.S. and Europe. Play, like most ransomware today, employs double-extortion tactics, stealing victim data before encrypting their networks.

Since August, the Adlumin MDR team has tracked separate Play ransomware attacks in different industries. In the attacks Adlumin observed, threat actors used the same tactics, techniques, and procedures (TTP) and followed the same order of steps — almost identically. Furthermore, the indicators of compromise (IOCs) for both incidents were almost indistinguishable.

One of those IOCs includes threat actors using the public music folder (C:\…\public\music) to hide malicious files. Another was using almost the same password to create high privilege accounts. And, in both attacks, many of the same commands were observed.

This high level of consistency in methods used by threat actors is telling. First, it highly suggests reliance on playbooks or step-by-step instructions supplied with RaaS kits. And second, the targeted victims shared a common profile; they were smaller organizations that possessed the financial capacity to entertain ransoms reaching or exceeding $1 million.

The RaaS Kit Market

Purchasing RaaS kits is not difficult, it simply requires a TOR connection and membership to the right dark net forum or market. Once there, a highly experienced threat actor, or even a “script kiddie,” can browse RaaS advertisements.

Below are two ads that Adlumin acquired from RaaS operators peddling their products in the dark web.

Other ransomware ads obtained included those that offered “set-up assistance” “for as low was $200,” and those with “no fees.” Adlumin also observed advertisements offering full builds from $300 to $1100 “ready for deployment.”

One of the ads described the malware being offered as using “many cutting-edge evasion techniques including proprietary methods.”

And in some ads, RaaS operators boasted having ransomware kits for targeting MacOS systems.

“We have developed a new MacOS ransomware as we noticed a lack of it,” the ad read.

At least one post, stated that the ransomware for sale was what “the cool kids are using,” alluding that someone doesn’t have to be “cool” – or perhaps, highly skilled – to purchase and use it.

Easy Enough for a Script Kiddie

Script kiddies are individuals who possess fundamental hacking skills and the knowledge to deploy and execute exploits written by experienced threat actors. They’re able to learn new skills easily and eventually, often become “real hackers” themselves.

Since 2015, researchers have written about the ability script kiddies have for deploying ransomware and often working side-by-side with well-known threat actor organizations.

In March 2022, police in the UK arrested members of the Lapsus$ cybercriminal group known for targeting tech companies such as Okta, Nvidia, Samsung, and Microsoft. The raid included the arrest of teenagers and young adults with ages ranging from 13 to 21, according to the BBC.  It’s not clear, however, if the youngsters were script kiddies simply due to their age.

With enough documentation and technical support – and with generative AI tools now being able to assist them as well – a script kiddie can be more than capable of carrying out an attack. However, attacks by these less-skilled individuals often include a higher degree of basic mistakes that make them easier for an organization with capable cybersecurity operation to stop.

For example, Adlumin has observed ransomware attacks foiled by its security operations platform or its MDR team during an attack’s early stages. In some cases, threat actors don’t even get the chance to encrypt files. There are also incidents where SOAR actions within the Adlumin platform disable accounts created by threat actors, effectively locking them out from the network. Sometimes attacks are carried out, but no data is exfiltrated.  

Money to be Made

Ransomware attacks are very lucrative, especially since 73% of companies attacked pay the ransom. And with double extortion becoming the norm, organizations that don’t pay are publicly shamed by RaaS operators on the clear or dark web.

For script kiddies of any age, ransomware may seem like a great way to make a living and become rich quickly. Also, with high unemployment rates in many countries in Latin America and other parts of the world, cybercrime may be seductive for underemployed or poorly paid computer programmers, or people in similar careers. According to DevelopmentAid.org, “[Poor countries] serve as training grounds for criminal groups in preparation for more ambitious attacks in developed countries.”

When RaaS operators advertise ransomware kits that come with everything a hacker will need, including documentation, forums, technical support, and ransom negotiation support, script kiddies will be tempted to try their luck and put their skills to use. And since there are probably more script kiddies than “real hackers” today, businesses and authorities should take note and prepare for a growing wave of incidents.

Breadcrumbs

IOCs, such as malicious IP addresses, domains, TOR addresses, emails, hashes, executables, and others discovered from an attack can be very useful to analysts, researchers, and law enforcement. They serve as clues to help put together what transpired during the incident and how. They can also offer some insight about the level of sophistication of the attackers.

When threat actors follow RaaS-provided playbooks, they will likely adhere to them closely on the first few attacks. They’ll make mistakes, and if those mistakes are big enough, they could serve as breadcrumbs for the authorities to follow.

Anything an attacker does in a network can help authorities if they are contacted after an incident. This is why investigators request that victims share any IOCs that could help with their investigations. Even if a business pays the ransom, details like Bitcoin or Monero addresses and transaction IDs, communication or chat logs with threat actors, the decryptor file, and a sample of an encrypted file can be very useful.

If a newbie or script kiddie isn’t meticulous with their work, the FBI could soon be knocking on their door.Conclusion

Ransomware attacks continue to be among the most prevalent cyber threats and increased by 37% in 2023. Companies should expect more ransomware attacks in the future, not less. And if more novice attackers are finding that ransomware attacks can be carried out easily with the help and support provided by RaaS operators, they’ll continue to frequent dark net forums to join the most inviting ransomware affiliate group.

At the same time, novice attackers are more likely to make mistakes since they are not as experienced, potentially leaving behind significant IOCs that the authorities can use to help track and apprehend them.

The Adlumin MDR Team will continue to monitor and stop ransomware attacks carried out by newbies and experts alike. Our security operations platform’s SOAR actions have been successful at foiling these attacks in their early stages, stopping cybercriminals on their tracks.

Furthermore, Adlumin now offers Total Ransomware Defense (TRD), a service specifically designed to detect ransomware activity and stop it. In the unfortunate case that files are encrypted, TRD is able to generate decryption keys to restore systems and networks.

Indicators of Compromise (IOCs)

 Usernames

  • admon
  • daksj
  • admin

Objects

  • exe
  • zip.json.PLAY
  • exe
  • exe
  • PLAY
  • exe
  • ini.PLAY
  • aut
  • omaticDestinations-
  • PLAY
  • exe
  • json.PLAY
  • cdp.PLAY
  • HeartBea
  • updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml.PLAY
  • exe
  • cookie.PLAY
  • js.PLAY
  • exe

Paths

C:\\Users\\Public\\Music

\\Device\\HarddiskVolume3\\CollectGuestLogsTemp

Hash: null

C:\\Users\\Public\\Music

Hash:

b042bc03144919c0fed9d60c1f68eb04ed7

2c2f6

C:\\windows

Hash:

51d3d661774cc50bb22e62beafc4bc6029d

f2392

\\Device\\HarddiskVolume2\\Users\\it.ad

min\\AppData\\Local\\Google\\Chrome\\

User Data\\Default\\Cache\\Cache_Data

Hash: null

C:\\Windows

Hash:

51d3d661774cc50bb22e62beafc4bc6029d

f2392

\\Device\\Mup\\10.20.0.15\\C$\\$Recycl

e.Bin\\S-1-5-21-3568089881-786281157-

4253494709-1103

Hash: null

\\Device\\HarddiskVolume2\\Users\\AAD

_00864e0326c2\\AppData\\Roaming\\Mi

crosoft\\Windows\\Recent\\AutomaticDe

stinations

Hash: null

C:\\Users\\Public\\Music

Hash:

b042bc03144919c0fed9d60c1f68eb04ed7

2c2f6

\\Device\\Mup\\10.20.0.15\\C$\\Users\\

administrator\\AppData\\Local\\ConnectedDevicesPlatform

Hash: null

\\Device\\Mup\\10.20.0.15\\C$\\Package

s\\Plugins\\Microsoft.EnterpriseCloud.Mo

nitoring.MicrosoftMonitoringAgent\\1.0.1

8067.0\\Status

Hash: null

\\Device\\HarddiskVolume2\\ProgramDat

a\\USOPrivate\\UpdateStore

Hash: null

C:\\Users\\Public\\Music

Hash:

b042bc03144919c0fed9d60c1f68eb04ed7

2c2f6

\\Device\\HarddiskVolume2\\Users\\it.ad

min\\AppData\\Local\\Microsoft\\Windo

ws\\INetCookies

Hash: null

\\Device\\HarddiskVolume4\\Program

Files\\Microsoft Monitoring

Agent\\Agent\\APMDOTNETCollector\\W

eb\\Scripts\\V7.0\\js

Hash: null

C:\\PerfLogs

Hash:

b042bc03144919c0fed9d60c1f68eb04ed7

2c2f6

Unraveling Cyber Defense Model Secrets: Machine Learned Detections

By: Jeet Dutta, Director of Data Science 

Welcome to the Unraveling Cyber Defense Model Secrets series, where we shine a light on Adlumin’s Data Science team and, explore the team’s latest detections, and learn how to navigate the cyberattack landscape. This blog examines how Adlumin Data Science implements automated surveillance against network intrusion and data exfiltration, empowering our incident response teams to track and eliminate threats in four different ways.

The key motivation for Artificial Intelligence in cybersecurity is to find “needle in haystack” anomalies from billions of data points that appear indistinguishable. These applications are usefully grouped under the term UEBA (User and Entity Behavior Analytics), involving mathematical baselining of users and devices on a network followed by machine-identification of suspicious deviations.

Let’s take a look at the innovations and threat alerts in the works. 

Lateral Movement

The Adlumin platform has long featured an AI detection for lateral movement based on deviance from the UEBA baseline of daily access for any account in the network. A separate AI algorithm, developed subsequently to boost fidelity in lateral movement alerts, identifies anomalous logons among Windows users by aggregating events that don’t belong in a machine-defined context for combinations of users, hosts, logon types, and access timestamps. Collectively, the two independently developed algorithms project a high-fidelity threat signal.

The latest round of updates soon to roll out to our lateral movement detection framework will include data filtering and real-time scoring. Applying domain knowledge to filter out logon events unlikely to originate from a threat actor will further boost fidelity. Scoring events as they are ingested into the platform made possible via innovations in our cloud architecture will go a long way to improve the timeliness of the alert. 

Malicious Scheduled Task 

After compromising a privileged account, authenticated threat actors can abuse the Windows Task Scheduler for running malware. Adlumin Data Science will soon deploy a defense against this vulnerability by stringing a sequence of neural networks for isolating process execution anomalies and applying subsequent checks for known indicators of compromise. These checks include verifying the binary hash being called by the scheduler has a history of malware delivery.

Malicious Script Block

Adlumin provides automated detection of malicious PowerShell executions via an AI algorithm that matches each executed command in a customer network against a huge dataset of benign commands, performing string-matching calculations at scale. Script Block executions are excluded, however, being too large for feasibly matching strings.  Adlumin Data Science is in the development of anomalous Script Block detection capability via rule-based filtering and ensemble machine learning methods. 

AI Code Analysis

The malicious PowerShell alert often requires intense and lengthy post-detection incident response from our security analysts, who go through the code in each flagged command. A breakthrough innovation we recently deployed leverages the power of ChatGPT to do the initial heavy lifting. Adlumin data scientists have prompt engineered a new feature that obtains an explanation from GPT4 (the most advanced GPT model) for the command initially flagged anomalous under our proprietary AI model. This results in the delivery to our customer portal of a step-by-step explanation of the command code and independent determination if it is malicious, benign, or questionable.

Experience The Innovations 

In an era where cybersecurity threats are continuously advancing, organizations need enhanced visibility to stay ahead of emerging threats. It is crucial for them to have modern solutions in place to detect and respond to security incidents efficiently, ultimately enhancing their security maturity.

At Adlumin, we understand the vital role of visibility in cybersecurity solutions and offer a tailored Security Operations Platform and MDR services to provide organizations with a 360 view of their IT landscape. But we don’t stop there. We believe in the power of experience, so we invite you to take a platform tour, giving you firsthand access to our solution’s benefits.

Discover how our platform empowers your team to effectively detect and respond to threats by scheduling a demo or signing up for a free trial today. Take the tour and elevate your organization’s visibility to new heights. 

Level Up Your Cybersecurity Posture Actionable Steps

By: Brittany Holmes, Corporate Communications Manager 

Navigating the cybersecurity landscape is not easy, especially when you are managing everything on your own or with a small team. Advancing your cybersecurity posture requires time to research and an understanding of your current state of security to help navigate a path forward. As the end of the year approaches, it’s important to carve out time and reflect on the current state of your organization’s security position.

No matter where you are on your cybersecurity journey, there are some important questions you should ask yourself to ensure that the necessary steps to strengthen your defenses are being taken.

In this blog, we aim to equip you and your team with the knowledge and awareness to help guide you regardless of where you are on your journey. Below are a few questions you may be asking yourself along the way.

Need help narrowing down an MDR provider?

MDR is a technology that aims to speed detection and response through automation and provide a solution to empower lean teams by acting as an extension to their current security operations. Finding an MDR provider that will meet your organizational challenges takes research and careful consideration.

Here are essential questions you need to ask when considering an MDR provider with answers that will help you make informed decisions when protecting your organization. Read the 8 Essential Questions to Ask: Choosing the right MDR Provider.

Looking to level up your SIEM solution?

The traditional role of SIEM solutions, centered around data ingestion and compliance, is no longer sufficient in the face of complex threats. Security teams must actively seek a modern SIEM solution to combat modern day threats.

Read the Modern SIEM Solutions: What to Look For to uncover five things that should be included in a modern-day SIEM solution to meet evolving cybersecurity challenges head-on.

What type of solution do you need? EDR, XDR or MDR?

Deciding between EDR vs. XDR. vs. MDR can significantly impact your efforts to optimize your resources and your organization’s exposure to threats. It is imperative to understand the differences between the three solutions and how to choose the right one for your organization’s needs.

The Cybersecurity ABCs Explained key takeaways:

  • An overview and comparison of three primary threat detection and response solutions:
    • Endpoint Detection and Response (EDR)
    • Managed Detection and Response (MDR)
    • Extended Detection and Response (XDR)
  • Insights to guide your investment choice with a limited budget while maximizing your cyber protection.
  • The right solution for your organization based on your criteria.
  • Additional considerations and service add-ons.

What should be included in your cybersecurity strategy?

Executives need to have a clear understanding of their cybersecurity solutions to effectively protect their organizations from cyber threats. As key decision-makers, executives are responsible for setting strategic direction and allocating resources towards a robust cybersecurity posture. Without a clear understanding of the solutions in place, you cannot accurately assess risks, make informed decisions, and ensure the security of valuable assets, sensitive data, and the overall reputation of their organization.

This overview guide outlines the current cybersecurity threat landscape and how a security operations platform can help organizations better secure their network while also providing security and IT teams with additional resources. It aims to provide executives with a clear understanding of the platform’s business benefits.

The Executive’s Guide to Cybersecurity will cover:

  • Why implementing proactive security measures is important
  • Three critical elements to incorporate into your cybersecurity strategy
  • The evolution of the threat landscape and the model by which you can protect your organization

Take a Tour: The Ultimate Resource

Adlumin recognizes the importance of visibility when it comes to cybersecurity solutions. Our Security Operations Platform and MDR services provide visibility to your IT landscape, allowing you to see exactly what threats and risks you are facing.

But we don’t just stop at visibility. We believe in the power of experience, which is why we offer the opportunity to try our solution before making a commitment. You can schedule a demo, or sign-up for a free trial to experience firsthand how our platform empowers your team to detect and respond to threats effectively.

Let’s begin with a platform tour in under 5 minutes.

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.



Modern SIEM Solutions in Action: What to Look For

By: Brittany Holmes, Corporate Communications Manager 

Organizations face increasing cybersecurity challenges that demand a new approach to Security Information and Event Management (SIEM) solutions. The traditional role of SIEMs centered around data ingestion and compliance, is no longer sufficient in the face of complex security threats. As cybercriminals continually find ways to exploit blind spots, organizations need an evolving SIEM to meet these challenges head-on.  

The current state of SIEMs is marked by the need for enhanced visibility across the entire organization. Cybercriminals can easily hide, making the security team’s jobs more difficult. Recognizing this, modern SIEM solutions have emerged, leveraging advanced analytics and machine learning to ensure improved visibility, risk assessment, and accurate alerts. However, given the evolving nature of threats, assessing the effectiveness of these capabilities in practice is essential. 

The demand for SIEM solutions is skyrocketing, with the global market expected to reach $5.5 billion by 2025. Consequently, organizations seek the right SIEM solution to address their unique needs effectively. When evaluating SIEM options, it is crucial to consider how well they adapt to the evolving landscape and challenges. This requires ensuring that the chosen SIEM solution aligns with the organization’s network infrastructure and provides specific criteria. 

5 Things to Look for in a Modern SIEM 

User & Entity Behavior Analytics (UEBA): Your platform should consistently analyze your operational and security data to uncover threats. UEBA goes beyond traditional rule-based detection and can identify known and unknown threats, including insider threats, compromised accounts, and sophisticated attacks.  

It focuses on threats unique to a user’s activity, which is difficult to identify with rule-based detections. UEBA leverages artificial intelligence (AI) and machine learning (ML) algorithms to detect and identify abnormal behavior within an organization’s network and systems.  

UEBA creates a baseline of behavior for each user and entity and then identifies any deviations from that baseline, which may indicate potential security threats. This contextual analysis helps accurately determine the severity and risk associated with identified anomalies. 

Security Orchestration, Automation, and Response (SOAR): With ransomware on the rise along with other threats, it’s important to halt security incidents when they occur. SOAR provides automated playbooks to take action to contain threats as they occur. These capabilities should go beyond isolating a host and include password resets, disabling accounts, and more.  

SOAR also accelerates response and reduces risks for organizations. It provides the space for IT teams to investigate what occurred and the extent, so they can take appropriate actions to strengthen their security defenses.   

No Data Limits: A SIEM’s effectiveness in detecting threats early depends on its access to a wide array of data sources, including network traffic, endpoints, and cloud data. Data limits can hinder the collection of this comprehensive data, potentially leaving security blind spots and not providing full visibility into an organization’s environment.  

By removing data limits, organizations enhance their ability to detect more threats and have the data required to investigate what occurred. 

Easy Deployment: It’s essential to look for cloud-native solutions that provide easy deployment to minimize disruption to ongoing business operations. Organizations can maintain their IT infrastructure without experiencing extended periods of downtime or significant productivity losses. Additionally, since the solutions are easy to deploy, they should offer a chance to try before you buy.  

One-Touch Compliance Reporting: Compliance reporting is time-consuming, often requiring security teams to sift through vast amounts of data to generate accurate reports. One-touch compliance reporting is a critical feature in SIEM solutions because it saves time and resources and enhances accuracy, real-time monitoring, and overall security posture. By automating the compliance reporting process, organizations can better manage their compliance requirements and reduce the risks associated with non-compliance.  

What the Future Holds for SIEMs 

The future of SIEMs promises enhanced capabilities through the integration of machine learning and artificial intelligence, allowing for more accurate threat detection and automated responses. SIEMs will continue to evolve, offering cloud-native solutions, greater scalability, and simplified deployments to adapt to the changing IT landscape. Additionally, they will play a key role in addressing the growing complexities of compliance, privacy regulations, and data protection as organizations seek comprehensive solutions to secure their digital assets while staying agile in the face of evolving cyber threats. 

Take Control of Your IT Environment 

In an era where cybersecurity threats are continually evolving, SIEM solutions play a pivotal role in safeguarding organizations against these risks. With the right SIEM in place, organizations can stay ahead of emerging threats, detect and respond to security incidents more efficiently, and enhance their security posture for the challenges that lie ahead. The SIEM search may not be easy, but with the right approach, it becomes a critical step toward ensuring a resilient and secure digital environment. 

Learn more about how Adlumin’s Managed Detection and Response Services and Security Operations Platform can empower your team to illuminate threats, eliminate cyber risk, and command authority. Experience a tour of Adlumin’s platform, schedule a demo, or sign-up for a free trial. 

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.



Adlumin Secures $70M in Series B for Mid-Market Security Mission

SYN Ventures Leads Investment in the Security Operations Platform and Managed Detection and Response Provider Making Sophisticated Security Attainable  

Adlumin, a security operations platform and managed detection and response (MDR) provider, has announced the closure of a $70 million Series B funding round led by SYN Ventures with participation from First In Ventures, Washington Harbor Partners and BankTech Ventures. The funding will accelerate Adlumin’s growth and meet the demand for enterprise-grade security solutions for small and mid-market organizations. 

Adlumin’s proven ability to meet this demand through its modern platform, expert services, and channel-first approach has propelled the company to rank among the top 10% of America’s fastest-growing private companies and earn a spot on The Information’s 50 Most Promising Startups list for 2023.  

With the new funding, Adlumin plans to expand its channel partnerships and continue innovating to better address the evolving needs of its partners and end-users. The company aims to empower service providers who can deliver expert support that may be difficult for organizations to hire and retain. Adlumin also offers its own MDR services and collaborates with managed service providers and managed security service providers to ensure customers have access to 24/7 human insights, threat hunting, and trusted support. The company has recently introduced subscription-based incident response services and additional financial protections, such as a no-cost warranty and discounted cyber insurance policies, to cater to the specific needs of middle-market organizations.  

Read the full press release here. 

Cybersecurity Time Machine Series: Solutions Through the Years

By: Brittany Holmes, Corporate Communications Manager 

Cybersecurity has rapidly transformed in protecting valuable data and systems from malicious threat actors. From its inception as a simple notion of secure protocols to the complex and sophisticated solutions of the present day, the journey of cybersecurity has been nothing short of extraordinary.  

This year’s Cybersecurity Awareness Month’s theme celebrates 20 Years of Cybersecurity Awareness. In relevance, we took you through the evolution of threat actors over the past two decades in Cybersecurity Time Machine Series: The Evolution of Threat Actors to showcase the complexity of the threat landscape. Now, we explore the past 20 years’ advancement of cybersecurity solutions, tracking its progress through various stages and highlighting the milestones that have shaped its current landscape. 

Cybersecurity: The Early Years (2000-2005) 

A digital revolution was underway in the early years of the new millennium. This era saw the rise of antivirus software, emerging as the first line of defense against malicious software and cyber threats. This development was accompanied by firewalls, protecting the digital boundaries of networks and systems.  

However, understanding cyber threats and vulnerabilities was limited, exposing organizations to unknown dangers. Comprehensive cybersecurity strategies were absent within this landscape, leaving organizations struggling to navigate this deep digital landscape. These early years were marked by a race against time to understand and combat the threat landscape. 

Increased Awareness: Mid-2000s (2006-2010) 

In the mid-2000s, a sense of unease began to settle over the digital landscape. Organizations were becoming increasingly aware of the lurking threat of cyberattacks, launching a new era of caution and vigilance. As the world connected and information flowed freely on the Internet, the need for protection became essential. This is where there were intrusion detection systems, powerful gatekeepers that tirelessly monitored network traffic, searching for any signs of malicious intent.  

Simultaneously, encryption technologies created shields around sensitive data and communications. However, as defenses strengthened, so did the adversaries. Cybercriminals grew increasingly sophisticated, their tactics to match the advancing digital landscape. These developments raised the stakes. 

Introduction of Behavior-Based Threat Detection (2010-2015) 

Between 2010 and 2015, traditional reactive approaches were gradually replaced by innovative strategies to stay one step ahead of threat actors. With the introduction of behavior-based threat detection, security experts began analyzing patterns and anomalies to anticipate potential attacks, neutralizing them before any damage could occur.  

As technology advanced, cloud-based security solutions emerged as a game-changer, providing organizations with scalable, efficient, and cost-effective protection against rapidly changing threats. Machine learning and artificial intelligence brought a new era, empowering cybersecurity systems to continually learn, adapt, and predict potential vulnerabilities with uncanny accuracy.  

These developments heightened the level of defense and brought about a sense of assurance, as organizations were armed with proactive measures to safeguard their digital assets. With these advancements, the world of cybersecurity was forever transformed, nurturing a future where staying secure is no longer a question of luck but rather a matter of strategic planning and cutting-edge technology. 

Cybersecurity in Recent Years (2016-2020) 

Cybersecurity has witnessed significant advancements and transformations in recent years that have revolutionized how organizations approach data protection and privacy strategies. One crucial development that has taken center stage is the focus on endpoint security. With the rise of remote work and the spread of devices connected to corporate networks, organizations are investing in endpoint security solutions to safeguard their data from threats. 

However, not just endpoint security has gained traction. The importance of data protection has sparked a shift in how organizations handle and secure their sensitive information. In a world where data breaches and leaks regularly make headlines, organizations are under increasing pressure to implement strict data privacy policies and deploy protection mechanisms to safeguard customer and employee data. 

Additionally, the evolution of threat intelligence platforms has played a crucial role in cyber threats. These platforms actively collect, analyze, and interpret vast amounts of data from various sources, allowing organizations to stay one step ahead of cybercriminals. Machine learning, artificial intelligence, and threat intelligence platforms can promptly identify and respond to emerging cyber threats, minimizing potential damage and downtime. 

Examples of Solutions in Recent Years:

  • Endpoint Detection and Response (EDR): EDR continually monitors an endpoint (laptop, tablet, mobile phone, server, or internet-of-things device) to identify threats through data analytics and prevent malicious activity with rules-based automated response capabilities.
  • Managed Detection and Response (MDR): In response to a growing portfolio of security products, organizations turned to Managed Security Service Providers (MSSP) to manage these devices, update and patch systems, aggregate information, and provide frequent reporting. MSSPs manage devices, whereas customers also need a service to manage alerts, investigate threats, and contain attacks. MDR provides a turnkey combination of tools and security expertise to protect clients from cyber threats.
  • Extended Detection and Response (XDR): XDR collects security data from network points, operating systems logs, application logs, cloud services, endpoints, and other logging systems to correlate information and apply threat detection analytics to this data lake of information.  

To find the best solution for your organization, explore comparison guides like EDR vs. XDR vs. MDR: The Cybersecurity ABCs Explained 

Current and Future Cybersecurity Solution Trends (2021-Present) 

Several key cybersecurity solution trends are gaining traction as we move into the future. The adoption of zero-trust architecture is rapidly growing, with organizations realizing that traditional perimeter-based security is no longer sufficient. This approach focuses on granting access based on authentication and authorization, regardless of the user’s location or device, effectively minimizing the potential for breaches.  

Advanced analytics and automation tools are increasingly integrated to enhance threat detection and response capabilities. These technologies provide real-time insights into potential threats, allowing faster and more efficient incident response. Additionally, there is a noticeable shift towards decentralized cybersecurity, with organizations opting for distributed security measures instead of relying solely on centralized systems.  

The rise of emerging technologies like 5G and the Internet of Things (IoT) presents both opportunities and challenges for cybersecurity. While these technologies offer immense benefits, they also expand the attack surface, requiring security measures to be implemented alongside their deployment. The future of cybersecurity lies in these trends, allowing organizations to proactively protect their digital assets while harnessing the full potential of technology.  


Adlumin’s Spot the Lurker Challenge 

Unleash the power of knowledge and stand a chance to win big in the ‘Defeat the Lurker’ contest. Download Adlumin’s 2023 Threat Report Round-Up, shine a light on hidden threats and equip yourself with the tools to protect your network while entering for a chance to win amazing prizes. 


Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.



A Threat Actor’s Playbook: 2023 Cyberattacks on Caesars Entertainment and MGM Casinos

By: Max Bernal, Technical Content Writer, and Adlumin’s Threat Research Team

A Threat Actor’s Playbook: 2023 Cyberattacks on Caesars Entertainment and MGM Casinos is a part of Adlumin’s Threat Bulletin Series content series.

In early September 2023, Caesars Entertainment in Las Vegas experienced a major cyberattack. The threat actors used a combination of social engineering tactics and ransomware to breach the casino’s networks and steal sensitive data. On September 10, another gambling conglomerate, MGM Resorts International, experienced a cyberattack by threat actors in the ALPHV ransomware-as-a-service (RaaS) group. The two attacks cost the casinos millions of dollars in losses.

Caesars Entertainment Cyberattack

Caesars Entertainment’s SEC filing on September 7, 2023, stated that it had suffered a social engineering attack “on an outsourced IT support vendor used by the company.” The exact date of the cyberattack was not disclosed, nor who carried out the assault.

In the filing, Caesars also stated that the cyberattack did not impact customer-facing operations like slot machines, guest services, and other services but that among the data stolen, the threat actor(s) had acquired a copy of the loyalty program database, which included member driver’s license and Social Security numbers.

Caesars also disclosed that it had taken steps to “ensure that the stolen data [was] deleted,” alluding that it had paid a ransom. Numerous news outlets, including Bloomberg, reported that the company paid “tens of millions of dollars.”1 Other news outlets, including CNBC, reported that Caesars paid $15 million.2

The company did not provide specific details on how the social engineering attack was carried out or identify the cybercriminal(s) by name. However, numerous news reports published statements from sources “familiar with the matter” that pinned the attacks on a hacker group called Scattered Spider, also known as “Scattered Swine,” “Muddled Libra,” and UNC3944 (by Mandiant), which is likely affiliated with the ransomware group, ALPHV.

The threat actor group is known for its sophisticated social engineering techniques and the ability to target and bypass Okta login security services.

MGM Resorts International Cyberattack

On September 12, 2023, MGM Resorts International issued a statement via PR Newswire stating that it had “identified a cybersecurity issue affecting the company’s systems.”3 MGM also stated that it had notified law enforcement to help protect networks and data, including by “shutting down certain systems.”

According to the Associated Press, MGM began experiencing disruptions on Sunday, September 10,4 and its reservations website was down that day. Soon after, numerous other media outlets reported that slot machines were out-of-service or were displaying errors across MGM-owned casinos, including at the MGM Grand, Bellagio, Aria, Mandalay Bay, Delano, Cosmopolitan, New York-New York, Excalibur, and Luxor. In addition, it was reported that thousands of guests had to wait in long lines for hotel check-ins and that credit card point of sales systems were down, forcing guests to pay cash.5

However, some of the same news outlets published statements from unvetted sources citing that the attack on MGM was carried out by the “same threat actors” that attacked Caesars Entertainment, Scatted Spider. On September 14, the ransomware-as-a-service (RaaS) group ALPHV issued a rare statement claiming sole responsibility for the attack and condemned news media and cybersecurity firms for publishing “false” and “unsupported” details on the attack.

“The ALPHV ransomware group has not before privately or publicly claimed responsibility for an attack before this point. Rumors were leaked from MGM Resorts International by unhappy employees or outside cybersecurity experts prior to this disclosure. Based on unverified disclosures, news outlets decided to falsely claim that we had claimed responsibility for the attack before we had,” part of the statement read. “Tech Crunch & others: neither you nor anybody else was contacted by the hacker who took control of MGM. Next time, verify your sources more thoroughly, or at the very least, give some hint that you do.” 

In an earlier version of the statement, ALPHV had also distanced itself from the Twitter/X account, “vx-underground,” which had published a post on September 12 stating that the attack was carried out by looking up employee information on LinkedIn and that a 10-minute phone call to the company’s help desk was all it took to “defeat” the multi-million-dollar company.

Numerous news media erroneously believed the threat actors had published the post to explain how they gained access to the MGM networks and used it in their reporting.  


1. Screen capture of the 9/12/2023 post published by vx-underground.

At some point, ALPHV removed the reference to “vx-underground” and issued another update:

“As of September 16, 2023, we have not spoken with journalists, news organizations, Twitter/X users, or anyone else. Any official updates are only available on this blog. You would think that after the tweet below, people would know better than to believe anything unreliable they would hear about this incident. If we talk to a reporter, we will share it here. We did not and most likely won’t,” ALPHV wrote.

The Adlumin Threat Research Team cannot confirm what tactics ALPHV used to break into MGM servers nor provide more details on the attack until MGM discloses what transpired.

According to ALPHV’s statement, the group was able to deploy ransomware once inside MGM’s network, encrypting about 100 ESXi hypervisors at the onset of the attack. The group also alluded to targeting the casino’s Okta services.

MGM operations resumed normal customer-facing operations on September 20. According to news reports, MGM lost about $8 million each day its servers were down, which adds up to $40 million.6

Adlumin contacted MGM for more details on the attack, but the company only referred us to their original September 12 statement.

Recommendations

How to Protect Yourself from Social Engineering

Verify

In Caesars Entertainment’s case, a simple vishing tactic, where a cybercriminal attempts to obtain information via phone call, was used to impersonate a legitimate employee and request a password reset. How? While the exact details are still unclear, we can surmise that personally identifiable information (PII) was obtained by the threat actors and used to reset an account.

An organization’s IT or cybersecurity department should verify an individual’s identity using information that cannot be found on social platforms, such as a unique company-issued ID, and not just a full name and date of birth, for example. If the individual calling can provide you with all the correct information, you may need to think outside the box; what are the circumstances surrounding this issue? Is the caller experiencing the issue they’re asking about? For example, if the caller asks for a password reset due to an ‘account lockout,’ you should verify that the account is locked out before proceeding with assistance. Most organizations have a form of internal communications platform used for employee-to-employee messaging and the like. Some organizations even have a call roster with the employee’s personal number. Therefore, give the employee a quick call to verify that the individual is contacting you.

Training

Training is the most crucial defense against social engineering tactics. With incidents happening daily, remaining vigilant is essential. However, mere vigilance is not enough; frequent proactive security awareness training is vital to mitigate this type of threat. By consistently providing training, users gain a deeper understanding of the risks and measures to counter social engineering attacks.

This continuous education keeps cybersecurity at the forefront of their minds, ensuring they are better equipped to identify and respond to potential threats. Employing various training techniques and approaches helps to reinforce key principles and enhance overall cybersecurity proficiency among users. By prioritizing proactive cybersecurity awareness programs, organizations can establish a culture of security awareness and significantly reduce the propensity for successful social engineering attacks.

How Adlumin Can Help Protect Your Organization

Proactive Security Awareness: Adlumin offers a managed Proactive Security Awareness Program, which, as stated previously, is the best defense to counter social engineering tactics. Adlumin will develop and run monthly customized phishing simulations to educate and equip your users on how to identify phishing attempts. Learn more here.

Illuminate Threats and Eliminate Risks

Learn more about how Adlumin’s Managed Detection and Response Services and Security Operations Platform can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign-up for a free trial.

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts. Join our community and be part of the frontlines against cyber threats.


Cybersecurity Time Machine Series: The Evolution of Threat Actors

By: Brittany Holmes, Corporate Communications Manager 

In an interconnected world, the digital landscape has become the breeding ground for opportunities and dangers. Cybercriminals have taken advantage of this evolution every step of the way and have become more prevalent. As a result, all organizations are now targets. Staying one step ahead is imperative. For organizations to protect themselves and their assets effectively, they need to understand how threat actors adapt and refine their strategies.

The 2023 Cybersecurity Awareness Month’s theme celebrates 20 years of cybersecurity awareness. In relevance, we want to look back on the past 20 years to shed light on the significance of understanding a few prominent threat actors’ evolutions.

Threat Actors in The Early 2000s 

During the early 2000s, the internet was crawling with cybercriminals and script kiddies as primary threat actors. A script kiddie is a cybercriminal who uses existing code or computer scripts to hack into a computer. They usually lack the knowledge to come up with it on their own.

Motivated by a thirst for knowledge and the desire to showcase their technical skills, these individuals exploited vulnerabilities across networks. Their targets varied, encompassing everything from corporate entities to personal computing systems. Using a wide range of techniques, script kiddies mimicked the actions of their more experienced counterparts on a less sophisticated level. As time went on, their motivations began shifting towards financial gain.

As a result, advanced phishing and malware attacks started gaining traction within the digital world. These malicious actors honed their skills in deceiving unsuspecting individuals, often using highly sophisticated techniques to harvest personal information and turn it into profits. This transition marked a turning point in the world of cyber threats, setting the stage for more organized and financially driven attacks in the years to come.

Rise of Nation-State Actors 2005-2010 

The rise of nation-state actors has significantly impacted cybersecurity. One trend is the emergence of state-sponsored cybercriminals, who are employed by governments to sabotage operations and carry out cyber espionage. These cybercriminals are motivated by various factors, including gathering intelligence, financial gain, and gaining a competitive edge in certain industries. Their targets often include government agencies, defense contractors, and critical infrastructure.  

Two Notable Cyberattacks: 

  • In 2007, Estonia experienced a massive wave of distributed denial-of-service (DDoS) attacks, believed to be orchestrated by Russia in response to a diplomatic dispute.  
  • In 2010, the Stuxnet worm created a new era of cyber warfare by targeting industrial control systems (ICS) used in Iran’s nuclear program. It was later revealed to be a joint effort by the United States and Israel. 

These incidents demonstrate the extent to which countries are now leveraging cyberattacks as a strategic tool for achieving their geopolitical goals.

Rise of Hacktivist Groups (2010-2015) 

Between 2010 and 2015, groups such as Anonymous and LulzSec came onto the scene. Their targets and motivations were wide-ranging, as they aimed to challenge authority, expose secrets, and promote freedom of information. Using tactics like data breaches and DDoS attacks, these groups looked to disrupt and damage the systems and credibility of their targets. 

Two Notable Hacktivist Groups:

  • Anonymous, founded in 2003, is a group that often attacks with a justice philosophy in mind. They targeted corporations, governments, and organizations that they thought were corrupt, oppressive, or unethical. Their actions included taking down the websites of major financial institutions during the Occupy Wall Street movement.  
  • LulzSec focused on causing chaos and amusement within the online community. Operating as a small team of cybercriminals, they deployed various cyberattacks targeting high-profile organizations like PBS, Fox, the X Factor, and individuals. Their motivations were often driven by the pursuit of “lulz,” or laughter, as they exposed vulnerabilities.

Ultimately, hacktivist groups demonstrate cyber activism to challenge authority and expose injustices. Their actions, whether through DDoS attacks or data breaches, highlighted the potential power of the internet in promoting transparency and holding institutions accountable. This period also raised questions about the lines between activism, vigilantism, and criminal activity, forcing governments and corporations to adapt their cybersecurity measures in response to this new digital landscape.

Shift Towards Advanced Persistent Threats (APTs) and Ransomware (2015-Present) 

Over the past few years, we have seen a significant shift in threats with a rise in APT groups. These groups have a specific goal and aim to infiltrate and maintain long-term access to systems and networks. Another growing threat in the cyber landscape is ransomware attacks. Unlike APTs, ransomware attacks focus on quickly encrypting or disabling systems data until a ransom is paid. The reason behind these attacks is usually financial gain. Ransomware groups target small and large businesses. What is particularly concerning about ransomware attacks is the evolution and sophistication of the strains being used. 

Notable ATP Examples:

  • Deep Panda: This group mainly targets US government institutions looking to steal intellectual property and state secrets. They focus on high tech, education, legal services, telecommunications, finance, energy, and pharmaceuticals. They have been known to be highly organized and remain undetected on networks for months at a time.  
  • GhostNet: This has been a large-scale cyber spying operation that tricked users into downloading a malicious file. Once the user interacts with the file, a remote access trojan, known as ‘Ghost Rat,’ is then installed on their computer. They are known to have breached over 1,200 computers belonging to foreign ministries, government offices, and embassies in 103 countries.  

These attacks often target governments, corporations, and other high-value organizations, stealing sensitive information or conducting espionage.

Notable Ransomware Attacks:

  • WannaCry: In 2017, malicious software spread globally, encrypting Windows operating systems. It encrypted files and demanded ransomware to restore access. These attacks went after hundreds of thousands of computers in over 150 countries.  
  • LockBit: In 2019, LockBit deployed advanced encryption algorithms to make files inaccessible and display a ransomware note demanding payment. There are various delivery methods, including gaining access to unauthorized networks, phishing emails, and software vulnerabilities. They use double-extortion methods, setting LockBit apart from other ransomware.  

The overall evolution of threat actors will continuously change and become more sophisticated. They are growing in scale, posing a significant risk to organizations of all sizes. Educating yourself and your organization on the latest threat actors can help prepare you.  

Take Proactive Security Measures 

The past two decades have shown a significant evolution in the cybersecurity landscape, particularly in the sophistication and complexity of threat actors. The market has shifted and now every organization, big or small, is a target. Organized groups have emerged, adding a new level of threat to mid-market organizations that previously believed they were too small to be targeted. The financial gains associated with cyber threats have become the main motivator, and it is crucial to recognize the evolving nature of these attacks in order to stay protected.  

Stay tuned for our blog next week to explore the next steps to protect your organization from cyber threats. 


Adlumin’s Spot the Lurker Challenge 

Unleash the power of knowledge and stand a chance to win big in the ‘Defeat the Lurker’ contest. Download Adlumin’s 2023 Threat Report Round-Up, shine a light on hidden threats and equip yourself with the tools to protect your network while entering for a chance to win amazing prizes. 


Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.