CrowdStrike deepens its AWS partnership with automated Falcon SIEM configuration, AI security capabilities, EventBridge integrations and new MSSP-focused advancements.
Cyber attacks, ransomware among them, have recently emerged as a core business risk. As attacks grow more frequent and sophisticated, the limits of security programs that rely solely on blocking intrusions are being pointed out. How quickly an organization can detect and recover after an attack occurs is therefore becoming a key factor in securing business continuity.
This webinar covers the concept of cyber resilience, which encompasses both cyber security and the recovery regime that follows an attack. It examines real deployment cases centered on IBM Storage FlashSystem and IBM Tape Library.
IBM FlashSystem is a storage solution with built-in protection and restoration capabilities for operational data. Its logical air gap and immutable snapshots isolate data from outside access, and it provides pattern-analysis-based anomaly detection and alerting.
IBM Tape Library is a backup solution that protects data through physical air-gap isolation. Because it can hold large volumes of data for the long term in an environment disconnected from the network, it serves as a recovery mechanism in the event of a ransomware attack.
IBM presents three core elements of cyber resilience: rapid detection and restoration, off-site storage, and simple management. The main points are fast response based on pattern detection and immutable snapshots, data preservation through physical isolation, and operational efficiency through an integrated management console. Concrete implementation approaches will be presented in the webinar.
The webinar is free to attend with advance registration. Registration is handled through Tech Library, the IT content platform operated by Foundry Korea. Existing members can register immediately after logging in; non-members can take part after a brief sign-up. Details are available on the official page. dl-ciokorea@foundryco.com
According to a statement released on the 29th by e-commerce company Coupang, the company confirmed on November 18 that the personal information of about 4,500 accounts had been exposed without authorization and reported it to the Korean National Police Agency, the Korea Internet & Security Agency (KISA) and the Personal Information Protection Commission (PIPC). The subsequent investigation found that the scope of the breach had expanded to roughly 33.7 million accounts.
The leaked information consists of names, email addresses, delivery address books (entered name, phone number, address) and some order information. Coupang stated that payment information, credit card numbers and login credentials were not included. The unauthorized access is believed to have taken place from June 24, 2025 via overseas servers. The company also said it is currently investigating the cause of the breach in cooperation with the relevant authorities.
Related agencies, including the Ministry of Science and ICT and the Seoul Metropolitan Police Agency, conducted on-site investigations after receiving the breach report on November 19 and the personal data leak report on November 20. The investigation found that the attacker exploited an authentication vulnerability in Coupang's servers to exfiltrate customer data without going through the normal login procedure.
The government has been operating a joint public-private investigation team since November 30, and the PIPC is investigating whether Coupang violated its safeguard obligations under personal data protection rules (access control, access rights management, encryption and so on). Because the service is used by so many people that it is called 'the Amazon of Korea', a nationwide security notice to prevent secondary damage was issued immediately on November 29. In addition, a three-month period of intensified monitoring of online personal data leaks and illegal distribution runs from November 30.
Meanwhile, on the 30th Choi Min-hee, chair of the National Assembly's Science, ICT, Broadcasting and Communications Committee, released the results of an analysis of the specific cause of the incident in a press release. According to materials received from Coupang, the company reportedly replied regarding the validity period of token signing keys that "it is common to set it to 5 to 10 years" and that "rotation periods are long and vary widely by key type".
Chair Choi's office explained the incident with an analogy to a building access system. If the 'token' needed to log in is a single-use visitor pass, the 'signing key' is the authentication stamp that issues the pass. Even with a pass, one cannot enter without the authentication stamp, but if the signing key is left unattended for a long time, it can be abused continuously.
According to what Rep. Choi's office confirmed, Coupang's login system was designed so that tokens are discarded immediately after they are generated, but the signing material needed to generate tokens was neither deleted nor renewed when the responsible employee left the company; it was left in place and abused by an internal staff member.
In the press release Chair Choi stated, "Rotating signing keys is the most basic internal security procedure, yet Coupang did not follow it," adding, "Leaving a long-lived authentication key unattended is not a simple deviation by an individual employee but the result of organizational and structural problems at Coupang, which neglected its authentication system."
Those affected by this breach have been notified by email or text message. For further inquiries, contact the customer center or incident_help@coupang.com. Related information is also available on a dedicated notice page.
Separately from the breach notice, Coupang CEO Park Dae-jun issued his own statement on the 30th: "We sincerely apologize for causing great inconvenience and concern to the public," he said, adding, "Coupang will cooperate closely with the joint public-private investigation team, including the Ministry of Science and ICT, the Personal Information Protection Commission, KISA and the National Police Agency, and do our utmost to prevent further damage." jihyun.lee@foundryco.com
In a rapidly transforming market, innovation and demonstrated performance continue to shape expectations. The placement as a Visionary reflects what the company observes across its customer and partner ecosystem, highlighting a collective emphasis on simplified security, accelerated adoption and intelligence-driven identity protection.
Definition of the Visionary Classification
According to Gartner, Visionaries are “noted for their innovative approaches to PAM technologies, methodologies, and means of delivery.”
Being named a Visionary validates their strategy – blending AI-driven administration, flexible deployment and customer-first design – as they continue building the next era of privileged access management. They believe the focus on streamlined innovation, automation and value is exactly what modern organizations demand.
Analyst Observations on One Identity Safeguard for PAM
Product excellence: The products received among the highest scores for privileged session management and PEDM for UNIX/Linux and macOS, confirming the depth and reliability of our core platform.
Customer experience: Praised for ease of use, intuitive UI, deployment simplicity, and management features, backed by responsive, multi-tier support.
AI-driven innovation: With Azure AI-powered natural-language search and AI-assisted configuration, we’re helping security teams move faster, respond smarter and simplify at scale.
Pricing & value: Although some of the top PAM solutions are seen as costly, One Identity was recognized specifically for below-market-average pricing, particularly for SaaS offerings – delivering enterprise-grade security at exceptional value.
These strengths extend beyond functional capabilities and reflect how customer feedback influences development priorities, including usability and affordability.
Visionary recognition also reflects the company’s current trajectory, indicating external validation of a path oriented toward leadership and sustained advancement.
Key Innovations in One Identity Safeguard for Modern PAM
To meet the pace of identity-driven enterprises, PAM continues to transition from static control to adaptive intelligence. The following seven innovations remain central to modern privileged access management and illustrate how One Identity Safeguard supports evolving requirements:
Unified, comprehensive PAM
Enhanced control over privileged access with integrated password vaulting, session recording, and analytics – all within the One Identity Safeguard platform.
Flexible deployment
Expanded support for cloud, on-prem, and hybrid models with scalable, cost-efficient licensing.
Streamlined implementation
Simplified setup through automation tools and cloud-ready configurations that reduce time-to-value.
Improved usability
One Identity Safeguard has a modernized UI whose ease of use, smoother workflows and in-product help minimize complexity and training needs.
Consistent, top-notch support
Standardized professional services and strong implementation guidance ensure excellence everywhere.
AI-powered administration and documentation
Contextual in-product guidance and intelligent search deliver faster answers, fewer support tickets and smarter administration.
Continuous optimization
Agile, customer-driven updates in our solutions enhance speed, usability and value across releases.
Outlook for Privileged Access Management
As organizations secure both human and machine identities, the future of PAM demands clarity, automation and intelligence.
One Identity is uniquely positioned to deliver all three – helping customers protect privileged access, simplify operations and accelerate digital transformation with confidence.
One Identity delivers unified identity security solutions that help customers strengthen their overall cybersecurity posture and protect the people, applications, and data essential to business. Their Unified Identity Security Platform encompasses a variety of identity access and management tools, including AI-driven security solutions. One Identity brings together the 4 pillars of IAM: Identity Governance and Administration (IGA), Access Management (AM), Privileged Access Management (PAM), and Active Directory Management (AD Mgmt) capabilities to enable organizations to shift from a fragmented to a holistic approach to identity security. One Identity is trusted and proven on a global scale – managing more than 500 million identities for more than 11,000 organizations worldwide.
New courses, certifications, and hands-on training strengthen workforce readiness.
INE, the leading provider of hands-on IT and Cybersecurity training and industry-recognized certification prep, today announced a significant expansion of its learning portfolio, reaffirming its commitment to empowering technology professionals with the skills they need to thrive.
As organizations across the globe accelerate their adoption of cloud, AI, automation, and advanced security technologies, IT teams must remain more adaptable than ever. INE continues to meet this demand by releasing new, high-impact content and refreshing existing learning paths to ensure learners stay aligned with industry standards, master emerging tools, and build real-world, muscle-memory expertise.
Expanding Content for Today’s Most In-Demand Skills
Over the last quarter, INE has rolled out a wide range of new courses, hands-on labs, and certification prep resources designed to help professionals cross-skill and upskill within one integrated training platform. New and updated content includes:
AI in Automation Course — Now part of INE’s Cisco certification prep, enabling learners to integrate AI-driven automation capabilities into modern enterprise infrastructures.
Enterprise Network Design Scenarios — Advanced modules supporting CCIE Enterprise Infrastructure candidates with realistic scenario-based design and troubleshooting.
Expanded Certification Prep for Industry-Leading Vendors — Including updated pathways for CISSP, CompTIA Security+, and Network+.
New Junior Data Scientist (eJDS) Learning Path & Certification — A guided, practical path designed to introduce learners to Python, data analysis, machine learning foundations, and real-world data workflows.
“Technology doesn’t stand still, and neither should the people who power it,” said Lindsey Rinehart, INE Chief Executive Officer. “Our goal is to give learners one place to grow from novice to expert, with continuously refreshed, hands-on content that reflects what top employers need right now.”
A Platform Built for Real Skill Development
INE’s training model emphasizes hands-on learning, scenario-based exercises, and progressive skill-building paths. Learners can practice concepts in real environments, gaining practical experience that transfers directly to on-the-job performance. Through this approach, INE enables individuals and teams to build lasting, applied knowledge rather than rely on passive video training.
Supporting Professionals on Their Learning Journey
In an effort to make high-quality technical training accessible to as many professionals as possible, INE is also offering limited-time pricing during the Black Friday period. These offers provide reduced-cost access to INE’s most comprehensive training plans and certifications, supporting learners at every stage of their career development.
Learners can choose from bundles that include annual subscriptions, certification vouchers, and hands-on labs, saving up to $750! For the first time, INE is offering the INE Premium Subscription for 50% off to ensure the most comprehensive training subscription is accessible to learners at every level.
To learn more about INE’s commitment to accessible, high-impact training—and to explore this year’s limited-time Black Friday opportunities—users can visit https://learn.ine.com/promo/black-friday-2025.
About INE
INE x INE Security is the premier provider of online networking and cybersecurity training and certification. Harnessing a powerful hands-on lab platform, cutting-edge technology, a global video distribution network, and world-class instructors, INE Security is the top training choice for Fortune 500 companies worldwide for cybersecurity training in business and for IT professionals looking to advance their careers. INE Security’s suite of learning paths offers an incomparable depth of expertise across cybersecurity and is committed to delivering advanced technical training while also lowering the barriers worldwide for those looking to enter and excel in an IT career.
AI-enabled cybercriminals are exploiting the holiday shopping season with precision phishing, account takeovers, payment skimming and ransomware, forcing retailers to adopt real-time, adaptive defenses to keep pace.
AI-powered cyberattacks are rising fast, and AI firewalls offer predictive, adaptive defense—but their cost, complexity and ROI must be carefully justified as organizations weigh upgrades.
The saying that attackers never sleep can apply to security professionals too. Those whose role is to stay one step ahead of adversaries trying to disrupt their systems are especially likely to feel this burden.
Cyber security is less a purely technical job than a psychological battle. For those who hold the front line of an organization's defense, the security war does not stop when the workday ends. It follows them home, wakes them at night, and turns vigilance into anxiety. After wearing down the mind, it drains energy, steals sleep, damages health, and sometimes shakes one's very sense of identity.
The US National Library of Medicine (NLM) has studied the effect of 'cyber security fatigue', a phenomenon spreading among security practitioners, on productivity and mental health.
Security breaches make the news; burnout does not. That is exactly why this is an invisible battle.
A security professional's job is to protect systems, not to lose their health. But as pressure mounts and expectations keep growing, mental health remains unrecorded collateral damage. In the end, people leave their companies, break down, or quietly disappear.
Why cyber security work is so mentally demanding
This job is far from ordinary 9-to-6 work.
Security professionals do not simply solve puzzles. They are responsible for keeping a digital fortress under constant attack from falling. That pressure is strong enough to change how the brain works, and never in a positive direction.
A permanent state of alert
Threats do not wait, and neither do alarms. Security professionals are expected to respond immediately whenever a system alert fires, whether on a holiday, a birthday, a weekend or at 2 a.m. As a result, even when nothing has gone wrong, the mind never leaves its state of tension.
This permanent on-call state looks like dedication to the company, but in practice it is closer to fatigue in disguise. Sleep shrinks, concentration wavers, and the nervous system never gets a moment's rest until cracks begin to appear.
Moral and operational responsibility
A missed patch, a misconfigured access right, or a single click on a phishing email can cause an incident worth millions of dollars or, worse, destroy trust. The security officer shoulders that burden in full. Even when the root cause lies elsewhere, the structure is such that deep guilt inevitably follows when something goes wrong.
Ethical dilemmas compound this. Should employee activity be monitored? Should inadequate security practices be reported to the board? Should ignored risks be disclosed externally? These questions come up again and again. They go beyond mere technical risk and can lead to moral injury.
Isolation and undervaluation
Many cyber security teams operate in isolation. Their presence is barely noticed, yet they are held responsible every time something breaks. Business units see the security team as the department that gets in the way of work, and the board looks for the security team only after an incident.
The situation is even harder for someone who single-handedly runs security at a small or mid-sized company. There is literally no colleague to ask for help and no outlet for stress. Expectations keep rising, while the isolation of having no one who really understands the work only grows.
According to a recent BBC report, cyber security workers are reporting burnout caused by relentless high-intensity demands, alarms that never stop, and an organizational culture of repeated blame. The BBC warned that without stronger mental health support, institutional safeguards and early intervention, people in the industry risk long-term harm.
That is the reality on the ground. Now let us look at the factors that make the problem worse.
Structural stressors that pour fuel on the fire
The problem is not just the work itself. The way the work is designed, the attitude leadership takes toward security, and the conventional wisdom spread across the industry magnify it. Combined, these factors turn the pressure on security professionals into stress of a pathological level.
According to a paper recently published by the University of Oxford, mental health can decisively affect how people perceive and respond to cyber threats. When stress, fatigue or depression accumulate, the likelihood of mistakes such as clicking a malicious link or missing a warning sign rises sharply.
A culture that demands perfection and silence
Organizational culture still creates an atmosphere of 'a breach is never acceptable', 'mistakes are not tolerated' and 'how exhausted you are does not matter'. A 'hero myth' has taken hold in which working oneself to the brink of burnout is treated as the only way to do the job properly.
Even raising the subject of excessive workload carries the fear of looking weak or, in the worst case, of being seen as replaceable. So security professionals keep their feelings hidden and push themselves harder to hold on. Pushed far enough, they eventually break down in silence.
Role overload and lack of resources
Security officers carry budget cuts, understaffing and far too many tools, and on top of that audits, threat intelligence, board reporting materials, DevSecOps, IAM and regulatory compliance, all at the same time. They are architects and firefighters, and sometimes counselors as well. When one person performs five roles, quality drops and morale collapses with it.
Executives often discuss risk appetite while failing to invest adequately in the team. And when an attack gets through in such a poorly resourced environment, the blame comes back as 'you did not do your job properly'.
Constant change and uncertainty
In cyber security, new threats, new tools and new regulations keep appearing. No sooner has one mastered the SIEM than a new AI tool has to be integrated. The DORA regulation takes effect, NIS2 is revised, and ISO standards change. Organizations expect the security officer to stay on top of all of it. In organizations where the culture has gone wrong, certifications sometimes become the only form of recognition.
This structural turmoil ultimately becomes a personal crisis. Its impact is not abstract; it shows up clearly and measurably, both physically and emotionally.
The real effects of stress
Stress in cyber security is not a theoretical concept. It shows up in how practitioners think, feel and lead.
Collapse of mental health
Chronic stress changes the nervous system. Concentration fails, sleep falls apart, and hypervigilance becomes routine. Some professionals experience panic attacks; others sink into depression. Some report symptoms of post-traumatic stress disorder (PTSD) after handling a major security incident.
In such an environment, the anxiety that 'the cause is my own lack of competence' grows easily. The attacker only needs to succeed once, while the defender must be perfect every moment, and under that pressure one always feels a step behind.
Collapse of the organization
Burnout does not just break individuals; it spreads through the whole team. High turnover undermines continuity, and the few who remain are overloaded. The team shrinks, knowledge disappears, and the pressure grows.
Worse, people become increasingly indifferent. Security work degenerates into a perfunctory checklist, cynicism replaces trust, and conversations turn defensive. The moment the team no longer believes it can win, a breach becomes inevitable.
Growing strategic risk
When a security team is engulfed by fatigue, it leads to bad decisions and missed warning signs. Invisible stress ends up creating vulnerabilities throughout the organization such as the following.
Shadow IT emerges as employees bypass slow resolution processes.
Nobody questions over-engineered controls.
Organizational resilience weakens under the illusion of being protected.
In the end, stress brings about the very incidents it was supposed to prevent. But this is avoidable. It is a problem of poorly designed structures, and design problems can be fixed.
Building psychological resilience in cyber security
Yoga classes and cosmetic reassurance are not solutions. What is needed is systematic, coordinated action at every level.
The individual level: protecting yourself
Identify your own stress points. Incident response without boundaries is not sustainable. Create a system that lets you rest fully while on standby.
Speak up earlier. Before burnout arrives, therapy, coaching and peer conversations help you unload stress without embarrassment.
Start building small boundaries. Not every email is urgent, and not every meeting requires your attendance. Defend your own schedule the way you defend your systems.
The organizational level: redesigning how you operate
Create an environment in which the security team feels psychologically safe. If team members are afraid to speak up, the organization's ability to sense risk has already collapsed at that moment.
Define roles clearly. You cannot expect outstanding performance from a SOC analyst who is also handed board governance work. Strategy and execution must be separated.
Track mental health alongside KPIs. Short surveys, anonymous feedback and burnout indicators are security metrics too.
When talented people burn out, no system will protect the organization.
The industry level: dismantling the 'hero myth'
Stop glorifying burnout. What is needed is not more casualties but stronger teams.
Industry standards must be updated too. Mental health elements should be included in ISO and reflected in NIST. Mental health should become part of security assurance frameworks.
Expand support for mental health research in cyber security. Find out what actually works, and build tools and training programs on that basis to strengthen leaders and teams.
This is not an argument for overprotecting people. It is a matter of capability. A sound mind can be a powerful incident response tool.
If you want resilient systems, you have to build resilient professionals
The fact that must be faced is that cyber security practitioners are fighting two wars at once. One is against external attackers; the other is against organizational systems that demand perfection, glorify sacrifice and punish vulnerability.
Resilience is not the ability to endure pain. It is building structures in which pain does not arise in the first place. The culture that treats burnout as a 'badge of dedication' must stop, and burnout must be viewed as the same kind of signal as a breach. Both are warnings that something has gone wrong, and both demand immediate action.
If organizations expect security talent to protect the company, they must first have systems in place to protect that talent. That takes strategy, not sentiment. dl-ciokorea@foundryco.com
In most security organizations, post-incident analysis remains a significant challenge. According to Foundry's 'Security Priorities' survey, 57% of security leaders said they had difficulty identifying the root cause of security incidents that occurred in the past year, a factor that further raises the risk of repeat breaches.
Security experts diagnosed the core of the problem as the shortage of resources devoted to learning and analysis, driven by mounting pressure to extinguish and recover from an incident immediately. To reduce the chance of repeat breaches, they explained, incident response must be run as a continuous learning cycle rather than a one-off cleanup.
Dray Agha, head of security operations at managed security response firm Huntress, said, "Many organizations focus only on immediate containment of the breach. As a result, the forensic investigation that really matters gets pushed aside, creating a situation in which the next attacker can walk straight back in."
Agha added, "Without a thorough post-mortem that pinpoints the root cause, an organization is effectively defending blindfolded and will repeat the same mistakes."
Strengthening resilience through root cause analysis
Experts point out that many companies treat incident response as an operational procedure rather than an analytical one. As a result, steps such as containment and recovery are well rehearsed, while deep forensic investigation and post-incident learning lag behind.
Tom Moore, director of digital forensics and incident response at managed security services firm BlueVoyant, explained, "When evidence preservation and root cause analysis are not carried out systematically, important insights are lost. Robust incident response is not just about getting systems running again. It must include feeding the lessons learned from the incident into detection, prevention and risk reduction strategies."
Moore also said, "This continuous cycle of learning and improvement strengthens long-term resilience. Its value grows in a cyber threat environment that changes and adapts quickly."
Marie Hargraves, senior crisis management consultant at cloud security firm Semperis, likewise observed, "Most organizations are more focused on putting out the fire in front of them than on what to learn from the flames."
She noted that every crisis consists of three stages, detection, response and review, and advised, "The point where resilience is built is the third stage, the post-incident review. Organizations that collect real-time data, analyze it closely and turn the lessons into concrete action recover faster and come out stronger. Incident response is not simply about surviving; it is a process of adapting to change and building resilience."
Tracing the attack path
Because adequate advance preparation is essential, companies need dedicated tools and capabilities for digital forensics, through technologies such as SIEM (security information and event management).
SIEM matters because a large share of gateway and VPN appliances are designed to overwrite their own local storage within hours.
Huntress's Agha said, "If an attacker gets in through the VPN, lingers inside for about a day, and then moves to a key server, the VPN telemetry has most likely already been lost by then. Putting in place a system such as a SIEM that centrally collects and retains VPN logs secures the key data needed not only for post-incident detection but for root cause analysis of how the initial compromise occurred."
According to Huntress statistics, about 70% of highly skilled cyber criminals break in through a VPN. Agha explained, "In an environment with a SIEM, you can not only catch threats early in the attack path, but also, through post-incident analysis, identify the exact root cause that led to the breach."
Forensic capture software can also be included in services such as MDR (managed detection and response) and XDR (extended detection and response). Such technology enables vendors and forensic investigators to work together to identify the origin of a breach and perform the analysis and remediation needed to resolve it.
Rob Derbyshire, CTO of cyber security firm Securus Communication, said, "Without these tools in place, it is much harder to work out afterwards how a breach occurred. Some companies offer incident response services when a breach happens, but the key to cleaning up a breach quickly and preventing recurrence lies in having, in advance, the tools and procedures that make response far more efficient."
Arda Büyükkaya, senior threat intelligence analyst at EclecticIQ, noted, "Without sufficient root cause analysis, the real cause of the attack may remain unidentified and may even still be active."
Büyükkaya advised, "What is needed is an approach that links individual incidents to attacker tactics and campaigns through digital forensics expertise, root cause analysis procedures and threat intelligence integration. This way of working is the foundation for turning every incident an organization experiences into an opportunity to strengthen resilience."
Systematic planning
The response team that takes charge when an incident occurs should generally be led by the CISO. The roles and responsibilities of each stakeholder, from IT staff to legal counsel, must also be clearly defined in the plan.
Post-incident analysis: conduct a structured review, document the findings, and feed them into security architecture and training.
Continuous improvement: integrate threat modeling, expand response automation, and invest in capability development.
Many organizations use already proven frameworks such as ISO as templates for their incident response regime. Richard Ford, CTO of Integrity360, explained, "These frameworks are organized into sections so that every key element, from governance to technical response, can be structured systematically. Using a well-known framework not only improves completeness but also makes communication with external stakeholders who are familiar with the standard much easier."
Building organizational resilience
Effective incident response should focus on building a process that is systematically structured, repeatable and intelligence-driven, so that it raises the organization's resilience over time.
Incident response plans must be tested, supplemented and updated regularly through simulations and tabletop exercises. This should be carried out as part of the broader business continuity and organizational recovery strategy.
Bharat Mistry, field CTO at cyber security firm Trend Micro, points out that many organizations still have not reached a sufficiently mature level of incident response. He stressed that incident response must not stop at simple containment and recovery but extend to forensic analysis and post-incident review.
Mistry noted, "If you skip root cause analysis, you end up treating only the visible symptoms. This problem arises from several overlapping factors. Typical ones are a lack of visibility caused by disconnected tools, which makes it hard to reconstruct the attack accurately; a talent gap in forensics and threat hunting capabilities; and process weaknesses in which post-incident analysis ends up as a formality or is skipped altogether."
Breaking the 'breach, recover, breach again' cycle
In many cases, the focus on restoring operations quickly means that key evidence is unintentionally lost through server re-imaging, lost logs, or the destruction of forensic traces.
Mistry explained, "When work pressure, time constraints and limited resources are added, teams become more absorbed in handling the next urgent task than in what to learn from the incident. As a result, essential work such as post-incident scanning, root cause analysis and procedure updates is frequently skipped."
When this happens, the initial attack path and the way the intruder spread internally are never determined, vulnerabilities remain, and this creates a vicious cycle of breach, recovery and re-breach.
Mistry advised, "To break this cycle, organizations must include forensic readiness in their incident response strategy. Evidence preservation, systematic post-incident analysis, and feeding the lessons into security architecture and training are essential." dl-ciokorea@foundryco.com
Researchers from Anthropic said they recently observed the “first reported AI-orchestrated cyber espionage campaign” after detecting China-state hackers using the company’s Claude AI tool in a campaign aimed at dozens of targets. Outside researchers are much more measured in describing the significance of the discovery.
Anthropic published the reports on Thursday here and here. In September, the reports said, Anthropic discovered a “highly sophisticated espionage campaign,” carried out by a Chinese state-sponsored group, that used Claude Code to automate up to 90 percent of the work. Human intervention was required “only sporadically (perhaps 4-6 critical decision points per hacking campaign).” Anthropic said the hackers had employed AI agentic capabilities to an “unprecedented” extent.
“This campaign has substantial implications for cybersecurity in the age of AI ‘agents’—systems that can be run autonomously for long periods of time and that complete complex tasks largely independent of human intervention,” Anthropic said. “Agents are valuable for everyday work and productivity—but in the wrong hands, they can substantially increase the viability of large-scale cyberattacks.”
Welcome back, my aspiring SCADA/ICS cyberwarriors!
SCADA (Supervisory Control and Data Acquisition) systems and the wider class of industrial control systems (ICS) run many parts of modern life, such as electricity, water, transport and factories. These systems were originally built to work in closed environments and not to be exposed to the public Internet. Over the last decade they have been connected more and more to corporate networks and remote services to improve efficiency and monitoring. That change has also made them reachable by the same attackers who target regular IT systems. When a SCADA system is hit by malware, sabotage, or human error, operators must restore service fast. At the same time investigators need trustworthy evidence to find out what happened and to support legal, regulatory, or insurance processes.
Forensics techniques from traditional IT are helpful, but they usually do not fit SCADA devices directly. Many field controllers run custom or minimal operating systems, lack detailed logs, and expose few of the standard interfaces that desktop forensics relies on. To address that gap, we are starting a focused, practical 3-day course on SCADA forensics. The course is designed to equip you with hands-on skills for collecting, preserving and analysing evidence from PLCs, RTUs, HMIs and engineering workstations.
Today we will explain how SCADA systems are built, what makes forensics in that space hard, and which practical approaches and tools investigators can use nowadays.
Background and SCADA Architecture
A SCADA environment usually has three main parts: the control center, the network that connects things, and the field devices.
The control center contains servers that run the supervisory applications, databases or historians that store measurement data, and operator screens (human-machine interfaces). These hosts look more like regular IT systems and are usually the easiest place to start a forensic investigation.
The network between control center and field devices is varied. It can include Ethernet, serial links, cellular radios, or specialized industrial buses. Protocols range from simple serial messages to industrial Ethernet and protocol stacks that are unique to vendors. That variety makes it harder to collect and interpret network traffic consistently.
Field devices sit at the edge. They include PLCs (programmable logic controllers), RTUs (remote terminal units), and other embedded controllers that handle sensors and actuators. Many of these devices run stripped-down or proprietary firmware, hold little storage, and are designed to operate continuously.
Understanding these layers helps set realistic expectations for what evidence is available and how to collect it without stopping critical operations.
Challenges in SCADA Forensics
SCADA forensics has specific challenges that change how an investigation is done.
First, some field devices are not built for forensics. They often lack detailed logs, have limited storage, and run proprietary software. That makes it hard to find recorded events or to run standard acquisition tools on the device.
Second, availability matters. Many SCADA devices must stay online to keep a plant, substation, or waterworks operating. Investigators cannot simply shut everything down to image drives. This requirement forces use of live-acquisition techniques that gather volatile data while systems keep running.
Third, timing and synchronization are difficult. Distributed devices often have different clocks and can drift. That makes correlating events across a wide system challenging unless timestamps are synchronized or corrected during analysis.
Finally, organizational and legal issues interfere. Companies are often reluctant to share device details, firmware, or incident records because of safety, reputation, or legal concerns. That slows development of general-purpose tools and slows learning from real incidents.
All these challenges only increase the value of SCADA forensics specialists. Salary varies by location, experience, and roles, but can range from approximately $65,000 to over $120,000 per year.
Real-world attack chain
To understand why SCADA forensics matters, it helps to look at how real incidents unfold. The following examples show how a single compromise inside the corporate network can quickly spread into the operational side of a company. In both cases, the attack starts with the compromise of an HR employee’s workstation, which is a common low-privilege entry point. From there, the attacker begins basic domain reconnaissance, such as mapping users, groups, servers, and RDP access paths.
Case 1
In the first path, the attacker discovers that the compromised account has the right to replicate directory data, similar to a DCSync privilege. That allows the extraction of domain administrator credentials. Once the attacker holds domain admin rights, they use Group Policy to push a task or service that creates a persistent connection to their command-and-control server. From that moment, they can access nearly every machine in the domain without resistance. With such reach, pivoting into the SCADA or engineering network becomes a matter of time. In one real scenario, this setup lasted only weeks before attackers gained full control and eventually destroyed the domain.
Case 2
The second path shows a different but equally dangerous route. After gathering domain information, the attacker finds that the HR account has RDP access to a BACKUP server, which stores local administrator hashes. They use these hashes to move laterally, discovering that most domain users also have RDP access through an RDG gateway that connects to multiple workstations. From there, they hop across endpoints, including those used by engineers. Once inside engineering workstations, the attacker maps out routes to the industrial control network and starts interacting with devices by changing configurations, altering setpoints, or pushing malicious logic into PLCs.
Both cases end with full access to SCADA and industrial equipment. The common causes are poor segmentation between IT and OT, excessive privileges, and weak monitoring.
Frameworks and Methodologies
A practical framework for SCADA forensics has to preserve evidence and keep the process safe. The basic idea is to capture the most fragile, meaningful data first and leave more invasive actions for later or for offline testing.
Start with clear roles and priorities. You need to know who can order device changes, who will gather evidence, and who is responsible for restoring service. Communication between operations and security must be planned ahead of incidents.
As previously said, capture volatile and remote evidence first, then persistent local data. This includes memory contents, current register values, and anything stored only in RAM. Remote evidence includes network traffic, historian streams, and operator session logs. Persistent local data includes configuration files, firmware images, and file system contents. Capturing network traffic and historian data early preserves context without touching the device.
A common operational pattern is to use lightweight preservation agents or passive sensors that record traffic and key events in real time. These components should avoid any action that changes device behavior. Heavy analysis and pattern matching happen later on copies of captured data in a safe environment.
When device interaction is required, prefer read-only APIs, documented diagnostic ports, or vendor-supported tools. If hardware-level extraction is necessary, use controlled methods (for example JTAG reads, serial console captures, or bus sniffers) with clear test plans and safety checks. Keep detailed logs of every command and action taken during live acquisition so the evidence chain is traceable.
Automation helps, but only if it is conservative. Two-stage approaches are useful, where stage one performs simple, safe preservation and stage two runs deeper analyses offline. Any automated agent must be tested to ensure it never interferes with real-time control logic.
SCADA Network Forensics
Network captures are often the richest, least disruptive source of evidence. Packet captures and flow data show commands sent to controllers, operator actions, and any external systems that are connected to the control network.
Start by placing passive capture points in places that see control traffic without being in the critical data path, such as network mirrors or dedicated taps. Capture both raw packets and derived session logs as well as timestamps with a reliable time source.
Protocol awareness is essential. We will cover some of them in the next article. A lot more will be covered during the course. Industrial protocols like Modbus, DNP3, and vendor-specific protocols carry operational commands. Parsing these messages into readable audit records makes it much easier to spot abnormal commands, unauthorized writes to registers, or suspicious sequence patterns. Deterministic models, for example, state machines that describe allowed sequences of messages, help identify anomalies. But expect normal operations to be noisy and variable. Any model must be trained or tuned to the site’s own behavior to reduce false positives.
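The parsing into audit records and the allow-list style check described above, as an added example that is not code from the original article: the Python below decodes Modbus/TCP requests from a constructed capture, writes one readable record per message, and raises an alert for any write whose source, unit or address range is not in the site policy. The source IPs, register ranges and packet bytes are all assumptions constructed for the demonstration.

```python
"""Decode Modbus/TCP requests into audit records and flag writes outside a
per-source allow-list. Constructed example: bytes, IPs and ranges are made up."""
import struct
from dataclasses import dataclass, field

# Function codes grouped by their effect on the controller
READS = {1: "Read Coils", 2: "Read Discrete Inputs",
         3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_COILS = {5: "Write Single Coil", 15: "Write Multiple Coils"}
WRITE_REGISTERS = {6: "Write Single Register", 16: "Write Multiple Registers"}
FUNCTION_NAMES = {**READS, **WRITE_COILS, **WRITE_REGISTERS}

@dataclass
class ModbusRequest:
    ts: float        # capture timestamp in seconds
    src: str         # client IP that issued the request
    unit_id: int     # addressed unit (slave) id
    function: int
    address: int     # start address (-1 when the function is not decoded)
    count: int       # number of coils/registers read or written
    values: tuple = field(default_factory=tuple)   # payload of a write

    @property
    def space(self):
        """Address space a write touches ('coil'/'holding'); None for reads."""
        if self.function in WRITE_COILS:
            return "coil"
        return "holding" if self.function in WRITE_REGISTERS else None

def parse_modbus_tcp(ts, src, payload: bytes) -> ModbusRequest:
    """Decode one request ADU: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("payload too short for MBAP header and function code")
    _tid, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0:
        raise ValueError("protocol id %d is not Modbus" % proto_id)
    if length != len(payload) - 6:   # MBAP length covers unit id + PDU
        raise ValueError("MBAP length %d does not match payload" % length)
    fc, data = payload[7], payload[8:]
    if fc in READS:
        address, count = struct.unpack(">HH", data[:4])
        return ModbusRequest(ts, src, unit_id, fc, address, count)
    if fc in (5, 6):
        address, value = struct.unpack(">HH", data[:4])
        return ModbusRequest(ts, src, unit_id, fc, address, 1, (value,))
    if fc in (15, 16):
        address, count, byte_count = struct.unpack(">HHB", data[:5])
        body = data[5:5 + byte_count]
        if len(body) != byte_count:
            raise ValueError("truncated multi-write body")
        if fc == 16:
            if byte_count != 2 * count:
                raise ValueError("byte count disagrees with register quantity")
            return ModbusRequest(ts, src, unit_id, fc, address, count,
                                 struct.unpack(">%dH" % count, body))
        return ModbusRequest(ts, src, unit_id, fc, address, count, tuple(body))
    # Diagnostics and vendor-specific codes are recorded but left undecoded
    return ModbusRequest(ts, src, unit_id, fc, -1, 0)

def audit(packets, write_policy):
    """Return (records, alerts). write_policy maps a source IP to the set of
    (space, unit_id, lo, hi) ranges it may write; reads are only logged."""
    records, alerts = [], []
    for ts, src, payload in packets:
        req = parse_modbus_tcp(ts, src, payload)
        name = FUNCTION_NAMES.get(req.function, "function %d" % req.function)
        records.append("%.3f %s -> unit %d: %s addr=%d count=%d" % (
            req.ts, req.src, req.unit_id, name, req.address, req.count))
        if req.space is None:
            continue
        last = req.address + req.count - 1
        allowed = any(space == req.space and unit == req.unit_id
                      and lo <= req.address and last <= hi
                      for space, unit, lo, hi in write_policy.get(src, ()))
        if not allowed:
            alerts.append("%.3f unauthorized %s from %s to unit %d %s[%d..%d]" % (
                req.ts, name, req.src, req.unit_id, req.space, req.address, last))
    return records, alerts

# Constructed capture: (timestamp, source IP, raw Modbus/TCP request bytes)
SAMPLE_PACKETS = [
    (1.0, "10.0.1.10", bytes.fromhex("000100000006010300000010")),  # HMI reads 16 regs
    (2.0, "10.0.1.10", bytes.fromhex("000200000006010600100190")),  # HMI sets reg 16 = 400
    (3.0, "10.0.2.5", bytes.fromhex("00030000000b0110010000020400110022")),  # EWS writes 2 regs
    (4.0, "10.0.5.77", bytes.fromhex("00040000000601050003ff00")),  # unknown host forces coil 3
    (5.0, "10.0.1.10", bytes.fromhex("000500000006010601000001")),  # HMI writes reg 256
]
# Constructed site policy: the HMI may only adjust setpoints 16..31 on unit 1;
# the engineering workstation (EWS) may write any coil or register on unit 1.
WRITE_POLICY = {
    "10.0.1.10": {("holding", 1, 16, 31)},
    "10.0.2.5": {("holding", 1, 0, 65535), ("coil", 1, 0, 65535)},
}
```

Running `audit(SAMPLE_PACKETS, WRITE_POLICY)` yields five records and two alerts: the coil write from the unknown host and the HMI write to register 256, which lies outside the HMI's permitted setpoint range.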
Network forensics also supports containment. If an anomaly is detected in real time, defenders can ramp up capture fidelity in critical segments and preserve extra context for later analysis. Because many incidents move from corporate IT into OT networks, collecting correlated data from both domains gives a bigger picture of the attacker's path.
Endpoint and Device Forensics
Field devices are the hardest but the most important forensic targets. The path to useful evidence often follows a tiered strategy, where you use non-invasive sources first, then proceed to live acquisition, and finally to hardware-level extraction only when necessary.
Non-invasive collection means pulling data from historians, backups, documented export functions, and vendor tools that allow read-only access. These sources often include configuration snapshots, logged process values, and operator commands.
Live acquisition captures runtime state without stopping the device. Where possible, use the device’s read-only interfaces or diagnostic links to get memory snapshots, register values, and program state. If a device provides a console or API that returns internal variables, collect those values along with timestamps and any available context.
If read-only or diagnostic interfaces are not available or do not contain the needed data, hardware extraction methods come next. These include connecting to serial consoles, listening on fieldbuses, using JTAG or SWD to read memory, or intercepting firmware during upload processes. Such operations require specialized hardware and procedures and must be planned carefully to avoid accidental writes, timing interruptions, or safety hazards.
Interpreting raw dumps is often the bottleneck. Memory and storage can contain mixed content, such as configuration data, program code, encrypted blobs, and timestamps. But there are techniques that can help, including differential analysis (comparing multiple dumps from similar devices), data carving for detectable structures, and machine-assisted methods that separate low-entropy (likely structured) regions from high-entropy (likely encrypted) ones. Comparing captured firmware to a known baseline is a reliable way to detect tampering.
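To make the entropy-separation and baseline-comparison techniques concrete, here is an added example (not from the article) that labels fixed-size windows of a dump by Shannon entropy and reports the windows that differ from a known-good image; the two images are constructed in code, and the window size and entropy thresholds are assumptions to tune per device.

```python
"""Triage a raw memory/firmware dump: classify fixed-size windows by Shannon
entropy and diff them against a known-good baseline image.  Added example
for this article, not code from the original; both images are constructed
below, and the thresholds are assumptions to tune per device family."""
import hashlib
import math
import random
from collections import Counter

WINDOW = 256  # bytes per window; align to the device's page or sector size


def shannon_entropy(block: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, up to 8.0 for uniform."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def classify(block: bytes) -> str:
    """Coarse label from entropy (thresholds are assumptions)."""
    h = shannon_entropy(block)
    if h < 1.0:
        return "padding"
    if h < 6.5:
        return "structured"  # code, configuration, text
    return "encrypted_or_compressed"


def window_map(image: bytes):
    """(window index, label, entropy) for every window of the image."""
    return [
        (i // WINDOW, classify(image[i:i + WINDOW]),
         round(shannon_entropy(image[i:i + WINDOW]), 2))
        for i in range(0, len(image), WINDOW)
    ]


def diff_against_baseline(image: bytes, baseline: bytes):
    """Windows whose bytes differ from the baseline, with the label of each
    side.  A window that was structured in the baseline but is high-entropy
    in the capture is the strongest tamper signal in this simple model."""
    changed = []
    for i in range(0, max(len(image), len(baseline)), WINDOW):
        a, b = image[i:i + WINDOW], baseline[i:i + WINDOW]
        if hashlib.sha256(a).digest() != hashlib.sha256(b).digest():
            before, after = classify(b), classify(a)
            changed.append({
                "window": i // WINDOW,
                "offset": i,
                "baseline": before,
                "image": after,
                "suspicious": before == "structured"
                              and after == "encrypted_or_compressed",
            })
    return changed


def _random_block(seed: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for an encrypted region."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(WINDOW))


# Constructed images, four windows each: padding, config text, encrypted
# blob, program pattern.  The capture has an edited setpoint in window 1 and
# the program window overwritten with high-entropy data in window 3.
CONFIG = (b"SETPOINT=100;ALARM_HI=250;PUMP=ON;" * 8)[:WINDOW]
CODE = bytes(range(16)) * (WINDOW // 16)
BASELINE_IMAGE = b"\xff" * WINDOW + CONFIG + _random_block(7) + CODE
CAPTURED_IMAGE = (b"\xff" * WINDOW
                  + CONFIG.replace(b"ALARM_HI=250", b"ALARM_HI=999")
                  + _random_block(7)
                  + _random_block(11))


if __name__ == "__main__":
    for row in window_map(CAPTURED_IMAGE):
        print(row)
    for change in diff_against_baseline(CAPTURED_IMAGE, BASELINE_IMAGE):
        print(change)
```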
Where possible, create an offline test environment that emulates the device and process so investigators can replay traffic, exercise suspected malicious inputs, and validate hypotheses without touching production hardware.
SCADA Forensics Tooling
Right now the toolset is mixed. Investigators use standard forensic suites for control-center hosts, packet-capture and IDS tools extended with industrial protocol parsers for networks, and bespoke hardware tools or vendor utilities for field devices. Many useful tools exist, but most are specific to a vendor, a protocol, or a device family.
A practical roadmap for better tooling includes three points. First, create and adopt standardized formats for logging control-protocol events and for preserving packet captures with synchronized timestamps. Second, build non-disruptive acquisition primitives that work across device classes, that is, ways to read key memory regions, configuration, and program images without stopping operation. Third, develop shared anonymized incident datasets that let researchers validate tools against realistic behaviors and edge cases.
In the meantime, it’s important to combine several approaches: maintaining high-quality network capture, working with vendors to understand diagnostic interfaces, preparing hardware tools and safe extraction procedures, and documenting everything. Establish and test standard operating procedures in advance so that when an incident happens the team acts quickly and consistently.
Conclusion
Attacks on critical infrastructure are rising, and SCADA forensics still trails IT forensics because field devices are often proprietary, have limited logging, and cannot be taken offline. We showed those gaps and gave practical actions. You will need to preserve network and historian data early, prefer read-only device collection, enforce strict IT/OT segmentation, reduce privileges, and rehearse incident response to protect those systems. In the next article, we will look at different protocols to give you a better idea of how everything works.
To support hands-on learning, our 3-day SCADA Forensics course, which starts in November, uses realistic ICS network topologies, breach simulations, and labs to teach how to reconstruct attack chains, identify IOCs, and analyze artifacts on PLCs, RTUs, engineering workstations and HMIs.
During the course you will use common forensic tools to complete exercises and focus on safe, non-disruptive procedures you can apply in production environments.
OPINION / EXPERT PERSPECTIVE — The clock is ticking toward September 30, 2025, when one of America's most vital cybersecurity protections will expire unless Congress acts. The Cybersecurity Information Sharing Act of 2015 (CISA 2015) has quietly become the backbone of our nation's cyber defense. Without creating any additional regulations, it enabled the rapid sharing of threat intelligence between government and businesses that has prevented countless cyberattacks over the past decade. The Act’s protections have facilitated threat warnings to thousands of organizations just this year. Its potential sunset threatens to unleash a wave of cyberattacks that will devastate the small and medium-sized businesses (SMBs) that form a foundational part of our economy.
As someone who has worked on both sides—first leading public-private partnerships at the FBI and now facilitating industry collaboration—I've witnessed firsthand how CISA 2015 transformed our cybersecurity landscape. The law provides crucial liability protections that encourage companies to share threat indicators with the government and each other, while offering antitrust protection for industry-to-industry collaboration. Without these safeguards, the robust information sharing that has made American networks more secure simply stops.
The SMB Crisis Waiting to Happen
The consequences of letting CISA 2015 lapse will fall most heavily on America's small and medium-sized businesses. Recent data from NetDiligence’s 2024 Cyber Claims Study shows that ransomware cost SMBs an average of $432,000 per attack. These businesses don't have the cash reserves to weather extended downtime. At most, many can only survive three to four weeks of operational disruption before facing permanent closure.
According to industry analysis, small and medium enterprises represent 98% of cyber insurance claims while accounting for $1.9 billion in total losses, underscoring their vulnerability in today's threat landscape. CISA 2015’s expiration will significantly weaken the early warning system that has helped businesses stay ahead of emerging threats. Without the government's ability to share robust intelligence about new attack methods, SMBs become sitting ducks for cybercriminals who specifically target organizations that can't afford to lose days or weeks.
Healthcare: Where Cybersecurity Becomes Life and Death
The stakes become particularly dire in healthcare, where ransomware attacks don't just threaten profits—they threaten lives. The University of Minnesota School of Public Health’s experts estimate that ransomware attacks killed 42 to 67 Medicare patients between 2016 and 2021. These numbers represent a horrifying trend: threat actors deliberately target hospitals because they know healthcare systems will pay quickly to avoid putting patients at risk.
If information sharing degrades after CISA 2015's sunset, hospitals, and all other critical infrastructure, will very likely lose crucial early warnings about ransomware variants and other attack methods. When a hospital's systems are threatened, rapid information sharing matters. Minutes count in medical emergencies, and delays can be fatal.
Economic Ripple Effects
The economic impact extends far beyond individual companies. SMBs make up the vast majority (99%) of businesses in the U.S., and employ nearly half of the private sector’s workforce. According to the U.S. Chamber of Commerce, they’re responsible for 43.5% of our GDP, so their widespread failure would create devastating ripple effects throughout the economy.
More concerning, America's technological leadership depends on the robust threat intelligence sharing that CISA 2015 enables. Our cybersecurity companies lead the world precisely because they have access to comprehensive threat data that helps them develop superior products and services.
Other countries modeled their cybersecurity information sharing after our system, recognizing that America's approach gives us a competitive advantage. If we allow this framework to collapse, we're not just making individual businesses more vulnerable—we're undermining the foundation of American cybersecurity leadership that other nations seek to emulate.
The Path Forward: Clean Reauthorization Now
There's bipartisan agreement that CISA 2015 should be reauthorized, with experts from across the political spectrum recognizing its vital importance. DHS Secretary Kristi Noem has urgently called for reauthorization, emphasizing that public-private partnerships have grown stronger because of the information-sharing guidelines established in CISA 2015.
The cleanest path forward is a straightforward reauthorization while Congress works through any technical improvements. The core framework has proven its worth over a decade of operation, facilitating billions of dollars in prevented losses and creating a culture where information sharing is the default rather than the exception.
Beyond Politics: A National Security Imperative
In an era of political division, cybersecurity remains one of the few areas where Americans across the political spectrum can find common ground. We need to defend against constant attacks, ranging from Chinese actors deploying ransomware through SharePoint vulnerabilities, to Iranian groups deploying ransomware as a political weapon, to the hundreds of criminal ransomware groups operating at any given time.
The solution isn't more regulation or government overreach. It's the collaborative approach that CISA 2015 has fostered. As I used to tell businesses when I was at the FBI: we can't help you if we don't hear from others, and we can't help others if we don't hear from you. This principle of mutual aid and shared defense has made America stronger, and we cannot afford to abandon it now.
Congress must act before September 30. If we allow our cybersecurity information sharing framework to collapse, it will devastate small businesses, endanger the sick, and undermine America's position as the global leader in cybersecurity. The time for action is now, before the attacks that could have been prevented become the disasters we failed to stop.
This column by Cipher Brief Expert Cynthia Kaiser was first published in Fortune.
Over the years, endpoint security has evolved from primitive antivirus software to more sophisticated next-generation platforms employing advanced technology and better endpoint detection and response.
Because of the increased threat that modern cyberattacks pose, experts are exploring more elegant ways of keeping data safe from threats.
Signature-Based Antivirus Software
Signature-based detection is the use of footprints to identify malware. All programs, applications, software and files have a digital footprint. Buried within their code, these digital footprints or signatures are unique to the respective property. With signature-based detection, traditional antivirus products can scan a computer for the footprints of known malware.
These malware footprints are stored in a database. Antivirus products compare the files on a computer against the footprints of known malware in that database. If they find a match, they identify the malware and either delete or quarantine it.
When new malware emerges and experts document it, antivirus vendors create and release a signature database update to detect and block the new threat. These updates increase the tool’s detection capabilities, and in some cases, vendors may release them multiple times per day.
With an average of 350,000 new malware instances registered daily, there are a lot of signature database updates to keep up with. While some antivirus vendors update their programs throughout the day, others release scheduled daily, weekly or monthly software updates to keep things simple for their users.
But convenience comes at the risk of real-time protection. When antivirus software is missing new malware signatures from its database, customers are unprotected against new or advanced threats.
Next-Generation Antivirus
While signature-based detection has been the default in traditional antivirus solutions for years, its drawbacks have prompted people to think about how to make antivirus more effective. Today’s next-generation anti-malware solutions use advanced technologies like behavior analysis, artificial intelligence (AI) and machine learning (ML) to detect threats based on the attacker’s intention rather than looking for a match to a known signature.
Behavior analysis in threat prevention follows a comparable idea, although it is admittedly more complex. Instead of only cross-checking files against a reference list of signatures, a next-generation antivirus platform analyzes what a file does (its actions, or intentions) and determines when something is suspicious. This approach is about 99% effective against new and advanced malware threats, compared to signature-based solutions’ average of 60% effectiveness.
Next-generation antivirus takes traditional antivirus software to a new level of endpoint security protection. It goes beyond known file-based malware signatures and heuristics because it’s a system-centric, cloud-based approach. It uses predictive analytics driven by ML and AI as well as threat intelligence to:
Detect and prevent malware and fileless attacks
Identify malicious behavior and tactics, techniques and procedures (TTPs) from unknown sources
Collect and analyze comprehensive endpoint data to determine root causes
Respond to new and emerging threats that previously went undetected.
Countering Modern Attacks
Today’s attackers know precisely where to find gaps and weaknesses in an organization’s network perimeter security, and they penetrate these in ways that bypass traditional antivirus software. These attackers use highly developed tools and techniques such as:
Memory-based attacks
PowerShell scripting language
Remote logins
Macro-based attacks.
To counter these attackers, next-generation antivirus focuses on events – files, processes, applications and network connections – to see how actions in each of these areas are related. Analysis of event streams can help identify malicious intent, behaviors and activities; once identified, the attacks can be blocked.
This approach is increasingly important today because enterprises are finding that attackers are targeting their specific networks. The attacks are multi-stage and personalized and pose a significantly higher risk; traditional antivirus solutions don’t have a chance of stopping them.
Endpoint detection and response (EDR) software flips that model, relying on behavioral analysis of what’s happening on the endpoint. For example, if a Word document spawns a PowerShell process and executes an unknown script, that’s concerning. The file will be flagged and quarantined until the validity of the process is confirmed. Not relying on signature-based detection enables the EDR platform to react better to new and advanced threats.
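The Word-spawns-PowerShell case above is a process-lineage rule. As an added example (not any vendor's EDR code), the following walks constructed process-creation events, follows each script host back through its ancestors, and raises an alert when an Office application appears in the chain, even with an intermediate cmd.exe; the process list, image paths and quarantine action name are assumptions.

```python
"""Process-lineage detection of the kind an EDR agent performs: flag a script
host (PowerShell, cmd, wscript, mshta) whose ancestry includes an Office
application, even through an intermediate cmd.exe.  Added example for this
article, not vendor code; the process events below are constructed."""
from typing import Dict, List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
MAX_DEPTH = 8  # guard against pid reuse cycles or very long chains


def _image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def lineage(pid: int, by_pid: Dict[int, dict]) -> List[str]:
    """Image names from the oldest known ancestor down to `pid`."""
    chain: List[str] = []
    seen = set()
    cur: Optional[int] = pid
    while cur in by_pid and cur not in seen and len(chain) < MAX_DEPTH:
        seen.add(cur)
        chain.append(_image_name(by_pid[cur]["image"]))
        cur = by_pid[cur]["ppid"]
    return list(reversed(chain))


def detect_office_script_spawn(events: List[dict]) -> List[dict]:
    """One alert per script-host process whose ancestry contains an Office app."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if _image_name(e["image"]) not in SCRIPT_HOSTS:
            continue
        chain = lineage(e["pid"], by_pid)
        office = [a for a in chain[:-1] if a in OFFICE_APPS]
        if office:
            alerts.append({
                "pid": e["pid"],
                "user": e["user"],
                "chain": chain[chain.index(office[0]):],  # Office app onward
                "cmdline": e["cmdline"],
                # hold the file/process until an analyst validates it (assumed action name)
                "action": "quarantine_and_hold",
            })
    return alerts


# Constructed process-creation events; paths and users are made up.
OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "user": "CORP\\jdoe"},
    {"pid": 100, "ppid": 1, "image": OFFICE_DIR + r"\WINWORD.EXE",
     "cmdline": "WINWORD.EXE report.docm", "user": "CORP\\jdoe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c start powershell", "user": "CORP\\jdoe"},
    {"pid": 300, "ppid": 200, "image": PS_PATH,
     "cmdline": "powershell.exe -File update.ps1", "user": "CORP\\jdoe"},
    {"pid": 400, "ppid": 1, "image": PS_PATH,                 # benign admin use
     "cmdline": "powershell.exe Get-Service", "user": "CORP\\admin"},
    {"pid": 500, "ppid": 1, "image": OFFICE_DIR + r"\OUTLOOK.EXE",
     "cmdline": "OUTLOOK.EXE", "user": "CORP\\jdoe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "wscript.exe attachment.js", "user": "CORP\\jdoe"},
]


if __name__ == "__main__":
    for alert in detect_office_script_spawn(SAMPLE_EVENTS):
        print(alert["pid"], " -> ".join(alert["chain"]), alert["action"])
```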
Some of the ways EDR thwarts advanced threats include the following:
EDR provides real-time monitoring and detection of threats that may not be easily recognized by standard antivirus
EDR detects unknown threats based on a behavior that isn’t normal
Data collection and analysis determine threat patterns and alert organizations to threats
Forensic capabilities can determine what happened during a security event
EDR can isolate and quarantine suspicious or infected items. It often uses sandboxing to ensure a file’s safety without disrupting the user’s system.
EDR can include automated remediation and removal of specific threats.
EDR agent software is deployed to endpoints within an organization and begins recording activity on these endpoints. These agents are like security cameras focused on the processes and events running on the devices.
EDR platforms have several approaches to detecting threats. Some detect locally on the endpoint via ML, some forward all recorded data to an on-premises control server for analysis, some upload the recorded data to a cloud resource for detection and inspection and others use a hybrid approach.
Detections by EDR platforms are based on several tools, including AI, threat intelligence, behavioral analysis and indicators of compromise (IOCs). These tools also offer a range of responses, such as actions that trigger alerts, isolate the machine from the network, roll back to a known good state, delete or terminate threats and generate forensic evidence files.
Managed Detection and Response
Managed detection and response (MDR) is not a technology but a form of managed service, sometimes delivered by a managed security service provider. MDR provides value to organizations that lack the resources or expertise to continuously monitor their potential attack surfaces. Specific security goals and outcomes define these services. MDR providers offer various cybersecurity tools, such as endpoint detection, security information and event management (SIEM), network traffic analysis (NTA), user and entity behavior analytics (UEBA), asset discovery, vulnerability management, intrusion detection and cloud security.
Gartner estimates that by 2025, 50% of organizations will use MDR services. There are several reasons to support this prediction:
The widening talent shortage and skills gap: Many cybersecurity leaders confirm that they cannot use security technologies to their full advantage due to a global talent crunch.
Cybersecurity teams are understaffed and overworked: Budget cuts, layoffs and resource diversion have left IT departments with many challenges.
Widespread alert fatigue: Security analysts are becoming less productive due to “alert fatigue” from too many notifications and false positives from security applications. This results in distraction, ignored alerts, increased stress and fear of missing incidents. Many alerts are never addressed when, ideally, they should be studied and acted upon.
The technology behind an MDR service can include an array of options, which is important to understand when evaluating MDR providers: the technology stack behind the service determines which attacks the provider is actually able to detect.
Cybersecurity is about “defense-in-depth” — having multiple layers of protection to counter the numerous possible attack vectors. Various technologies provide complete visibility, detection and response capabilities. Some of the technologies offered by MDR services include:
SIEM
NTA
Endpoint protection platform
Intrusion detection system.
Extended Detection and Response
Extended detection and response (XDR) is the next phase in the evolution of EDR. XDR provides detection and protection across various environments, including networks and network components, cloud infrastructure and Software-as-a-Service (SaaS).
Features of XDR include:
Visibility into all network layers, including the entire application stack
Advanced detection, including automated correlation and ML processes capable of detecting events often missed by SIEM solutions
Intelligent alert suppression filters out the noise that typically reduces the productivity of cybersecurity staff.
Benefits of XDR include:
Improved analysis to help organizations collect the correct data and transform that data with contextual information
Identify hidden threats with the help of advanced behavior models powered by ML algorithms
Identify and correlate threats across various application stacks and network layers
Minimize fatigue by providing prioritized and precise alerts for investigation
Provide forensic capabilities needed to integrate multiple signals. This helps teams to construct the big picture of an attack and complete investigations promptly with high confidence in their findings.
XDR is gaining in popularity. XDR provides a single platform that can ingest endpoint agent data, network-level information and, in many cases, device logs. This data is correlated, and detections occur from one or many sources of telemetry.
XDR streamlines the functions of the analysts’ role by allowing them to view detections and respond from a single console. The single-pane-of-glass approach offers faster time to value, a shortened learning curve and quicker response times since the analysts no longer need to pivot between windows. Another advantage of XDR is its ability to piece multiple sources of telemetry together to achieve a big-picture view of detections. These tools are able to see what occurs not only on the endpoints but also between the endpoints.
The Future of Antivirus Software
Security is constantly evolving, and future threats may become much more dangerous than we are observing now. We cannot ignore these recent changes in the threat landscape. Rather, we need to understand them and stop these increasingly destructive attacks.
On September 19, 2022, an 18-year-old cyberattacker known as “teapotuberhacker” (aka TeaPot) allegedly breached the Slack messages of game developer Rockstar Games. Using this access, they pilfered over 90 videos of the upcoming Grand Theft Auto VI game. They then posted those videos on the fan website GTAForums.com. Gamers got an unsanctioned sneak peek of game footage, characters, plot points and other critical details. It was a game developer’s worst nightmare.
In addition, the malicious actor claimed responsibility for a similar security breach affecting ride-sharing company Uber just a week prior. According to reports, they infiltrated the company’s Slack by tricking an employee into granting them access. Then, they spammed the employees with multi-factor authentication (MFA) push notifications until they gained access to internal systems, where they could browse the source code.
Incidents like the Rockstar and Uber hacks should serve as a warning to all CISOs. Proper security must consider the role info-hungry actors and audiences can play when dealing with sensitive information and intellectual property.
Stephanie Carruthers, Chief People Hacker for the X‑Force Red team at IBM Security, broke down how the incident at Uber happened and what helps prevent these types of attacks.
“But We Have MFA”
First, Carruthers believes one potential and even likely scenario is that the person targeted at Uber may have been a contractor. The hacker likely purchased stolen credentials belonging to this contractor on the dark web — as an initial step in their social engineering campaign. The attacker likely then used those credentials to log into one of Uber’s systems. However, Uber had multi-factor authentication (MFA) in place, and the attacker was asked to validate their identity multiple times.
According to reports, “TeaPot” contacted the target victim directly with a phone call, pretended to be IT, and asked them to approve the MFA requests. Once they did, the attacker logged in and could access different systems, including Slack and other sensitive areas.
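The repeated-prompt pattern described above is visible in identity-provider logs. As an added example (not IBM's or Uber's code), the following slides a time window over constructed MFA events per user and raises an alert when an approval follows a burst of prompts; the log format, hosts, thresholds and response action are assumptions.

```python
"""Detect MFA push-bombing from identity-provider logs: many push prompts to
one user in a short window, followed by an approval.  Added example for this
article, not IBM or Uber code; the log format and lines are constructed and
the thresholds are assumptions to tune per tenant."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)
PUSH_THRESHOLD = 5   # prompts within WINDOW that count as a burst
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$")


def parse_line(line: str) -> dict:
    """Parse one constructed IdP log line into a record with a UTC datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return rec


def detect_push_fatigue(lines):
    """Per user, keep the push_sent timestamps inside WINDOW; alert when a
    push_approved arrives after at least PUSH_THRESHOLD prompts."""
    sent = defaultdict(list)   # user -> timestamps of recent prompts
    denied = defaultdict(int)  # user -> denials seen so far
    alerts = []
    for rec in sorted((parse_line(l) for l in lines), key=lambda r: r["ts"]):
        user, ts, ev = rec["user"], rec["ts"], rec["event"]
        recent = [t for t in sent[user] if ts - t <= WINDOW]
        if ev == "push_sent":
            recent.append(ts)
        elif ev == "push_denied":
            denied[user] += 1
        elif ev == "push_approved" and len(recent) >= PUSH_THRESHOLD:
            alerts.append({
                "user": user,
                "approved_at": ts.isoformat(),
                "prompts_in_window": len(recent),
                "prior_denials": denied[user],
                "src": rec["src"],
                # assumed response: kill the session and verify out of band
                "action": "revoke_session_and_contact_user",
            })
        sent[user] = recent
    return alerts


# Constructed log: contractor01 receives six prompts in six minutes, denies
# three, then approves; alice is a normal single-prompt login.
SAMPLE_LOG = """\
2022-09-15T14:00:00Z user=contractor01 event=push_sent src=203.0.113.10
2022-09-15T14:00:20Z user=contractor01 event=push_denied src=203.0.113.10
2022-09-15T14:01:00Z user=contractor01 event=push_sent src=203.0.113.10
2022-09-15T14:01:15Z user=contractor01 event=push_denied src=203.0.113.10
2022-09-15T14:02:00Z user=contractor01 event=push_sent src=203.0.113.10
2022-09-15T14:02:30Z user=contractor01 event=push_denied src=203.0.113.10
2022-09-15T14:03:00Z user=alice event=push_sent src=198.51.100.7
2022-09-15T14:03:05Z user=alice event=push_approved src=198.51.100.7
2022-09-15T14:03:00Z user=contractor01 event=push_sent src=203.0.113.10
2022-09-15T14:04:00Z user=contractor01 event=push_sent src=203.0.113.10
2022-09-15T14:05:00Z user=contractor01 event=push_sent src=203.0.113.10
2022-09-15T14:06:00Z user=contractor01 event=push_approved src=203.0.113.10
""".splitlines()


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```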
“The key lesson here is that just because you have measures like MFA in place, it doesn’t mean you’re secure or that attacks can’t happen to you,” Carruthers said. “For a very long time, a lot of organizations were saying, ‘Oh, we have MFA, so we’re not worried.’ That’s not a good mindset, as demonstrated in this specific case.”
As part of her role with X-Force, Carruthers conducts social engineering assessments for organizations. She has been doing MFA bypass techniques for clients for several years. “That mindset of having a false sense of security is one of the things I think organizations still aren’t grasping because they think they have the tools in place so that it can’t happen to them.”
Social Engineering Tests Can Help Prevent These Types of Attacks
According to Carruthers, social engineering tests fall into two buckets: remote and onsite. She and her team look at phishing, voice phishing and smishing for remote tests. The onsite piece involves the X-Force team showing up in person and essentially breaking and entering a client’s network. During the testing, the X-Force teams attempt to coerce employees into giving them information that would allow them to breach systems — and take note of those who try to stop them and those who do not.
The team’s remote test focuses on an increasingly popular method: layering the methods together almost like an attack chain. Instead of only conducting a phishing campaign, this adds another step to the mix.
“What we’ll do, just like you saw in this Uber attack, is follow up on the phish with phone calls,” Carruthers said. “Targets will tell us the phish sounded suspicious but then thank us for calling because we have a friendly voice. And they’ll actually comply with what that phishing email requested. But it’s interesting to see attackers starting to layer on social engineering approaches rather than just hoping one of their phishing emails work.”
She explained that the team’s odds of success go up threefold when following up with a phone call. According to IBM’s 2022 X-Force Threat Intelligence Index, the click rate for the average targeted phishing campaign was 17.8%. Targeted phishing campaigns that added phone calls (vishing, or voice phishing) were three times more effective, netting a click from 53.2% of victims.
What Is OSINT — and How It Helps Attackers Succeed
For bad actors, the more intelligence they have on their target, the better. Attackers typically gather intelligence by scraping data readily available from public sources, called open source intelligence (OSINT). Thanks to social media and publicly documented online activities, attackers can easily profile an organization or employee.
Carruthers says she’s spending more time today doing OSINT than ever before. “Actively getting info on a company is so important because that gives us all of the bits and pieces to build that campaign that’s going to be realistic to our targets,” she said. “We often look for people who have access to more sensitive information, and I wouldn’t be surprised if that person (in the Uber hack) was picked because of the access they had.”
For Carruthers, it’s critical to understand what information is out there about employees and organizations. “That digital footprint could be leveraged against them,” she said. “I can’t tell you how many times clients come back to us saying they couldn’t believe we found all these things. A little piece of information that seems harmless could be the cherry on top of our campaign that makes it look much more realistic.”
Tangible Hack Prevention Strategies
While multi-factor authentication can be bypassed, it is still a critical security tool. However, Carruthers suggests that organizations consider deploying a physical device like a FIDO2 token. This option shouldn’t be too difficult to manage for small to medium-sized businesses.
“Next, I recommend using password managers with long, complex master passwords so they can’t be guessed or cracked or anything like that,” she said. “Those are some of the best practices for applications like Slack.”
Of course, no hacking prevention strategies that address social engineering would be complete without security awareness. Carruthers advises organizations to be aware of attacks out in the wild and be ready to address them. “Companies need to actually go through and review what’s included in their current training, and whether it’s addressing the realistic attacks happening today against their organization,” she said.
For example, the training may teach employees not to give their passwords to anyone over the phone. But when an attacker calls, they may not ask for your password. Instead, they may ask you to log in to a website that they control. Organizations will want to ensure their training is always fresh and interactive and that employees stay engaged.
The final piece of advice from Carruthers is for companies to refrain from relying too heavily on security tools. “It’s so easy to say that you can purchase a certain security tool and that you’ll never have to worry about being phished again,” she said.
The key takeaways here are:
Incorporate physical devices into MFA. This builds a significant roadblock for attackers.
Try to minimize your digital footprint. Avoid oversharing in public forums like social media.
Use password managers. This way, employees only need to remember one password.
Bolster security awareness programs with particular focus on social engineering threats. Far too often, security awareness misses this key element.
Don’t rely too heavily on security tools. They can only take your security posture so far.
Finally, it’s important to reiterate what Carruthers and the X-Force team continue to prove with their social engineering tests: a false sense of security is counterproductive to preventing attacks. A more effective strategy combines quality security practices with awareness, adaptability and vigilance.
It’s no secret that cyberattacks in the U.S. are increasing in frequency and sophistication. Since cyber crime impacts millions of businesses and individuals, many look to the government to see what it’s doing to anticipate, prevent and deal with these crimes.
To gain perspective on what’s happening in this area, the U.S. government’s budget and spending plans for cyber are a good place to start. This article will explore how much the government is spending, where that money is going and how its budget compares to previous years.
How Much is the U.S. Spending on Cybersecurity, and Where is the Money Going?
In June 2022, the U.S. announced new spending bills for the fiscal year 2023, including an allocation of $15.6 billion for cybersecurity. The majority of the money — $11.2 billion — will be appropriated for the Department of Defense (DoD), and $2.9 billion will go to the Cybersecurity and Infrastructure Security Agency (CISA).
The money going to the DoD will be used in a variety of ways. For example, Paul Nakasone, commander of the U.S. Cyber Command, has discussed plans to grow five Cyber Mission Force teams. Approximately 133 of these already exist and focus on carrying out defensive cyber operations.
How Involved is the Private Sector in the Allocation of Funds?
Clearly, the majority of funds in the new budget will go to government agencies. However, the government also plans to invest in the private sector and has discussed the importance of strengthening relationships with companies and private organizations.
One key area here is information sharing; after all, cybersecurity is a team sport. However, the government has faced criticism in the past for expecting detailed data from companies while failing to provide adequate information on their end. Recently, government agencies have spoken more about working towards more open and two-sided information sharing, but only time will tell how successful that strategy will be.
U.S. lawmakers have asked the defense secretary to work more closely with CISA and the private organizations within it, especially in areas related to Russian and Chinese activity. CISA has also received $417 million more in funding than was initially requested by the White House.
How do Current Federal Investments in Cyber Compare to Previous Years?
Compared to the previous few years, investment in cybersecurity is gradually increasing. 2021 saw $8.64 billion in spending, followed by a slight increase in 2022.
It’s a positive trend that signals the government is taking the issue seriously. But are state and local governments keeping up?
How is Cyber Investment Changing at the Local and State Levels?
The data shows that the government is also investing in cybersecurity in non-financial capacities at the local and state level. In 2021, for instance, state legislative sessions saw more than 285 pieces of cybersecurity-related legislation introduced, and in 2022 that number increased to 300.
In addition, President Biden introduced the Infrastructure Investment and Jobs Act in 2021, which allocated $1 billion in grants to bolster cybersecurity at the local, state, tribal and territorial levels. The government will distribute this amount over four years until 2025.
It adds up to a promising development for local and state governments, which are finally gaining the resources to protect their communities more effectively. It also demonstrates a growing understanding of the importance of cybersecurity at the federal level and, hopefully, a more informed approach in the future.
Promising Signs for the Future
While cybersecurity funding is one truly positive sign, there are more reasons to be hopeful — such as the appointment of the USA’s first-ever National Cyber Director, Chris Inglis.
Looking to the future, the U.S. will need to constantly readjust its cyber defense posture and adapt to this ever-changing landscape, especially as cyber crime becomes not only more common but also more challenging and complex. It costs money to do that effectively, so the government must prioritize cyber funding for the foreseeable future.
Of course, individual organizations will need to take responsibility for their own security, too.
IBM can help — with solutions like the Security QRadar XDR, you get a suite of tools and powerful features to help you defend your organization against attacks and keep your teams focused on what’s important. Find out more here.
Ransomware attacks, fueled by COVID-19 pandemic turbulence, have become a major money earner for cybercriminals, with the number of attacks rising in 2020. These file-encrypting attacks have continued largely unabated this year, too. In the last few months alone we’ve witnessed the attack on Colonial Pipeline that forced the company to shut down its systems […]
Japanese multinational conglomerate Fujifilm has been forced to shut down parts of its global network after falling victim to a suspected ransomware attack. The company, which is best known for its digital imaging products but also produces high-tech medical kit, including devices for rapid processing of COVID-19 tests, confirmed that its Tokyo headquarters was hit […]
Cygilant, a threat detection cybersecurity company, has confirmed a ransomware attack.
Christina Lattuca, Cygilant’s chief financial officer, said in a statement that the company was “aware of a ransomware attack impacting a portion of Cygilant’s technology environment.”
“Our Cyber Defense and Response Center team took immediate and decisive action to stop the progression of the attack. We are working closely with third-party forensic investigators and law enforcement to understand the full nature and impact of the attack. Cygilant is committed to the ongoing security of our network and to continuously strengthening all aspects of our security program,” the statement said.
Cygilant is believed to be the latest victim of NetWalker, a ransomware-as-a-service group, which lets threat groups rent access to its infrastructure to launch their own attacks, according to Brett Callow, a ransomware expert and threat analyst at security firm Emsisoft.
The file-encrypting malware itself not only scrambles a victim’s files but also exfiltrates the data to the hacker’s servers. The hackers typically threaten to publish the victim’s files if the ransom isn’t paid.
A site on the dark web associated with the NetWalker ransomware group posted screenshots of internal network files and directories believed to be associated with Cygilant.
Cygilant did not say if it paid the ransom. But at the time of writing, the dark web listing with Cygilant’s data had disappeared.
“Groups permanently delist companies when they’ve paid or, in some cases, temporarily delist them once they’ve agreed to come to the negotiating table,” said Callow. “NetWalker has temporarily delisted pending negotiations in at least one other case.”