SentinelOne | Next Generation Endpoint Security | https://www.sentinelone.com/ | Feed built Mon, 01 Jul 2024 11:02:33 +0000

AI-Driven Real-Time Malware and Ransomware Detection for NetApp
https://www.sentinelone.com/blog/ai-driven-real-time-malware-and-ransomware-detection-for-netapp/ | Mon, 01 Jul 2024 15:00:52 +0000

Network-attached storage devices like NetApp contain volumes of data which are vital to business operations. With broad access available to so many users, protecting NetApp storage from malware is critical to operational stability and integrity. Organizations worldwide face increasingly sophisticated threat actors. AI-powered threat detection can level the playing field, protect business data, and stop attacks before they begin. With Threat Detection for NetApp, SentinelOne brings proven AI-powered malware protection to NetApp storage.

The Challenge

Legacy AV solutions have long dominated storage security for NetApp. However, security innovation has not kept pace with other sectors like EDR and cloud security, even as threat actors have rapidly evolved. Modern threats from hackers for hire or state-sponsored threat actors easily evade signature-based legacy antivirus. Yes, signatures are useful for identifying known or commodity malware, but they are incapable of detecting novel malware.

Beyond ease of evasion, signatures can create administrative nightmares. Storage security admins can become bogged down in a relentless spiral, making sure their blocklists are always updated with the latest signatures.

Another challenging factor is broad access to the data stored on NetApp arrays. Businesses rely upon ready access to this data to function. Considering the wide access, and the ease with which malicious files can evade signature-based detection, one can readily appreciate how securing the NetApp storage is vital to business continuity.

In addition to business continuity and brand reputation, a further concern is regulatory compliance. While exact compliance details vary by framework, organizations in various industries are often required to regularly scan their network-attached storage for malware. Although regulatory frameworks generally do not specify how this is accomplished, more forward-thinking frameworks such as GDPR do stipulate that organizations follow the principle of “data protection by design and by default,” and that data protection measures take into account the technological “state of the art.”

Our Solution: Threat Detection for NetApp

To help organizations better provide for continuous security of their data on NetApp storage arrays, and to reduce the risk of business disruption due to advanced malware which evades signature-based alternatives, SentinelOne introduced Threat Detection for NetApp (TD4NA). Generally available in the Singularity Cloud Data Security product line, TD4NA delivers AI-powered cloud data security that protects NetApp arrays from malware. High-performance, low-latency inline file scanning delivers verdicts in milliseconds.

Threat Detection for NetApp

When considering state-of-the-art solutions for securing your NetApp arrays, here are some factors which set SentinelOne and TD4NA apart from alternatives.

  1. High-Speed Performance with Low Latency. NetApp invests heavily in performance optimization, so that their storage solutions offer high-speed data access with low latency. So too does SentinelOne. TD4NA leverages SentinelOne’s proprietary Static AI Engine that is optimized for performance and security efficacy, having been trained on nearly 1 billion malware samples over the last decade.

    TD4NA delivers verdicts in milliseconds, allowing user access to their data without performance bottlenecks and without compromising security. When a file is judged to be malicious, it is automatically encrypted and quarantined, to stop the potential for spread before it even has a chance to begin.

  2. Fully Compatible with ONTAP. NetApp uses a proprietary OS called “ONTAP” for their storage arrays. For this reason, ONTAP is not compatible with traditional endpoint agents. SentinelOne’s Threat Detection for NetApp, however, is fully compatible with the ONTAP protocol.
  3. Proven and Trusted Innovation. SentinelOne brings our proven malware detection technology to a data storage security market that has been dominated for years by legacy antivirus. Unlike legacy AV solutions that rely on signatures and frequent updates, SentinelOne’s solution offers uncompromising security against novel and unknown malware without the worry of constant signature updates.

    Alternatives which rely upon signatures are easily circumvented. A threat actor can simply pad a malware sample, recompile, and the malware has a new signature not found in any blocklist. In stark contrast, SentinelOne’s proprietary AI deeply analyzes a file’s characteristics for indicators of malicious intent – no signature required. All files are scanned locally. No sensitive data ever leaves your network. For some organizations, this is an important regulatory compliance consideration.

  4. Unified Platform. Alongside performance and innovation, the Singularity Platform provides a familiar feel for existing SentinelOne customers that simplifies onboarding and administration. For example, TD4NA respects existing user blocklists and file exclusions, removing the need to rebuild them. Additionally, it provides valuable threat metadata for greater insight and analysis, enhancing security posture. All security data, whether from cloud security, networked storage, user endpoints, or even third-party security solutions, is stored in the high-performance Singularity Data Lake. This single security data repository simplifies data access, streamlines investigations, and accelerates incident response.

How It Works

The SentinelOne TD4NA agent is installed on a “Vscan server” which, according to the NetApp ONTAP architecture, is dedicated to malware scanning. System requirements for the Vscan server are documented in the SentinelOne knowledge base. It is possible to configure more than one TD4NA agent on a single Vscan server, depending upon customer requirements for redundancy or IOPS performance.

When a user submits a file put/access request, the NetApp array automatically submits a scan request via ONTAP protocol to the Vscan server. The TD4NA solution then works as follows:

  1. Scan the file.
  2. Report the result, both to the SentinelOne management console and to the NetApp array.

Upon scan completion, the NetApp array grants or denies the user request, depending upon the scan verdict. If the file verdict is not malware, the user is granted access.

If the file verdict is judged by the AI to be malware, the user request is denied and the file is automatically encrypted and quarantined by the solution. The quarantine directory is specified beforehand by the security admin. At their discretion, security admins may access the malicious file via 1-click file fetch for further analysis and sandboxing.

All file scans are local and inline. Local file scanning occurs on the Vscan server. Inline file scanning holds the file until scanning is complete. The solution is optimized for performance, so file scans complete within milliseconds for a low latency user experience.

Conclusion

With SentinelOne’s AI-powered Threat Detection for NetApp, malware is identified and mitigated in real time, thereby minimizing dwell time and downstream data risk. All files are scanned locally so that no sensitive data leaves your network, and TD4NA is managed from the same Singularity Platform that SentinelOne customers know well.

To learn more about Threat Detection for NetApp, visit our Cloud Data Security webpage. There you will find datasheets, customer case studies, and more. And whenever you are ready for a personalized demo, you may connect with one of our cloud security experts.

PinnacleOne ExecBrief | Flashpoint in Focus: South China Sea
https://www.sentinelone.com/blog/pinnacleone-execbrief-flashpoint-in-focus-south-china-sea/ | Mon, 01 Jul 2024 14:00:29 +0000

Last week, PinnacleOne highlighted the flashpoint risk emerging at the near-term prospect of a full-scale conflict between Israel and Hezbollah.

This week, we focus executive attention on the escalation dynamics in the South China Sea between China, Philippines, and the US, centered at the moment on the Second Thomas Shoal.

Please subscribe to read future issues — and forward this newsletter to interested colleagues.

Contact us directly with any comments or questions: pinnacleone-info@sentinelone.com

Insight Focus | Flashpoint in Focus: South China Sea

China introduced its 9-dash line claiming most of the South China Sea in 1952. The 9-dash line traces the outline of the entirety of the sea, bordering Vietnam, Malaysia, Brunei, the Philippines, and Taiwan. According to Chinese Communist Party (CCP) historians, the line is justified by the apparent (contested and invalid) control over the sea since early recorded history.

China’s claims fly in the face of the UN Convention on the Law of the Sea (UNCLOS), which is the current international framework defining sovereign claims over territory in the ocean adjacent to land. Under UNCLOS, there are many competing claims to territory in the South China Sea by all of its surrounding countries. The image below denotes just how many overlapping claims there are to the islands of the South China Sea, and just how far China’s 9-dash line tramples over existing legal frameworks.

[Image: map of overlapping claims to the islands of the South China Sea. Source: Center for Naval Analysis]

Islands (above water at all tides) can extend a country’s 200-mile exclusive economic zone (EEZ). Rocks and reefs, which are partially submerged as the tides rise and fall, can extend the EEZ even further if they are within a short distance of islands. China’s island-building efforts in the South China Sea are partially an effort to extend legality to their claims, although they also provide military bases.

In 1999, the Philippines ran the Sierra Madre aground on the Second Thomas Shoal. The vessel has since been home to a deployment of marines whose sole job is to maintain Filipino sovereignty over the landmass.

In recent months, tension over the Second Thomas Shoal has been at a fever pitch. Boats collide regularly. Chinese “fishermen” ram Filipino vessels or tangle nets in propellers. China’s Coast Guard stabs inflatable boats or blockades the Philippines from delivering food and supplies to the Sierra Madre. Two weeks ago, someone had a finger cut off between two colliding boats. This chart shows the number of ships present each time the Philippines tries to take items to its marines.

The tension is pushing governments to caution one another against further escalation.

“It’s the most dangerous time . . . weapons of mass destruction are very real. You have several countries, major powers that have large arsenals of nuclear power. If anything happens, the entire Asian region will be completely included.” – Jose Manuel Romualdez, Philippine Ambassador to Washington in a Financial Times interview.

The Financial Times asked Romualdez “how a dispute over a reef could spark a major conflict” and he “used the example of the first world war, which was triggered by the assassination of Archduke Franz Ferdinand of Austria.”

Further, US deputy secretary of state Kurt Campbell said the crisis could “spark conflicts that would devastate the global economy”.

Escalation Scenarios

Until last week, no one was quite sure why things had come to a head. At least, that was the case until the Financial Times reported that the Philippines had conducted a secret operation last year to reinforce the Sierra Madre as they feared its imminent collapse. The German Marshall Fund’s Bonnie Glaser noted that increasing tension around the vessel stems from China’s 25-year wait for the boat to collapse so that China could claim the Second Thomas Shoal as its own.

The United States and the Philippines are parties to a mutual defense treaty, obliging each to defend the other in the event of war. The U.S. is putting immense pressure on the Filipino government not to invoke the mutual defense clause to force the US Navy to help resupply the Sierra Madre. When the PRC blockaded the ship in 2014, the Philippines daringly flew a helicopter over China’s boats. Now neither side seems averse to boat ramming, boarding, or potential fist fights between crew members.

If the boat is believed to be close to collapse, both China and the Philippines are set on their objectives. China is on the cusp of winning a 25-year waiting game to claim an island near the Philippines that would allow the PLA to station key military assets within striking distance of the island nation. The Philippines is holding onto an island in an attempt to stop it from becoming that military base. The U.S. is apparently just trying to avoid conflict.

Failure for either side is hard to stomach and that’s precisely why the risk of a crisis is so high.

Questions that no one can answer will decide the path of escalation or de-escalation for the Second Thomas Shoal: Will the Philippines ask for U.S. assistance? What happens if a sailor from either side dies? What if the boat suddenly collapses in an autumn typhoon? What if a ship is boarded by the Chinese and the Filipino sailors shoot them for doing so?

Implications for Businesses

Many mainstream media outlets do not appreciate the significant risk in the South China Sea at present. As a result, board rooms and CEOs are mulling over their Taiwan-risk scenarios with no thought to their operations in the Philippines, Malaysia, or Vietnam. All actors are incentivized to avoid armed conflict, so sub-kinetic attacks, like cyberattacks against critical infrastructure, ransomware operations against key businesses, and sabotage, are all on the table. Companies with significant operations in the area should begin determining how to tighten their regional network security and operational posture.

The Good, the Bad and the Ugly in Cybersecurity – Week 26
https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-26-5/ | Fri, 28 Jun 2024 13:00:37 +0000

The Good | DoJ Indicts WhisperGate Threat Actor

A malicious cyber actor thought to be behind the WhisperGate attacks on Ukraine in the days prior to Russia’s invasion, as well as attacks on NATO and U.S. computer networks, has been indicted by the DoJ.

Amin Stigal, a 22-year-old Russian national, is alleged to have managed infrastructure used by Russia’s GRU to stage malicious payloads used in WhisperGate malware campaigns, targeting the Ukrainian government and later U.S. allies. U.S. Attorney General Merrick B. Garland said that Stigal conspired with Russian military intelligence to aid the Russian military, including in attacks on government systems and data with no military or defense-related roles.

[Image: Amin Stigal wanted poster]

WhisperGate is one of a number of wiper malware families used in intrusions against government and other institutions in Ukraine in early 2022. Designed to look like ransomware, wipers attempt to destroy the target computer and related data.

In conjunction with attacking systems with WhisperGate, Stigal allegedly helped the GRU to compromise other systems, exfiltrate sensitive data and deface websites. Some of the stolen data later appeared on public forums and included patient health records.

Stigal remains at large but if caught and convicted faces a penalty of five years in prison. Rewards for Justice is offering up to $10 million in bounty for information leading to his capture.

The Bad | Ransomware as a Tool for Spies

There’s been no shortage of bad news thanks to ransomware in our weekly cybersecurity news roundup over the years, but this week SentinelLabs put the spotlight on yet another evolution of this egregious threat. It appears that ransomware has become a tool of choice not just for financially-motivated threat actors but also for those engaged in cyberespionage.

Suspected Chinese APT group ChamelGang targeted multiple organizations with CatB ransomware, including the Presidency of Brazil and India’s healthcare institution AIIMS. In addition, the group is believed to have targeted a government organization in East Asia and critical infrastructure sectors, including an aviation organization in the Indian subcontinent. In unrelated incidents, a separate cluster of intrusions saw the off-the-shelf tools BestCrypt and BitLocker deployed by espionage actors in a variety of industries, primarily those involved in the U.S. manufacturing sector, across North America, South America and Europe.

[Image: ChamelGang intrusions by industry vertical. Caption: Intrusions attributed to cyber espionage actors deploying ransomware]

What could spies, whose tradecraft typically relies on stealth, want with the noisiest of all malware, one that literally announces to the user that they have been compromised by splashing a ransom note on the screen and locking files?

The answer to that lies, in part, in the way that organizations respond to ransomware incidents. These are typically reported to local law enforcement agencies which may not share critical data and insights with intelligence agencies. In addition, as organizations across the world ride out a wave of ransomware attacks from an increasing number of unsophisticated-yet-effective cyber criminals buying cheap RaaS offerings, cyberespionage actors can disguise their operations and avoid attribution by dropping ransomware payloads after completing their other objectives.

For cyber spies, deploying ransomware as a final payload affords various opportunities to cause disruption, distraction, misattribution, and the removal of evidence as they conduct their more discreet operations. The researchers also point out that some APTs are not averse to funding their own operations with funds stolen from the organizations they spy on, either.

The Ugly | MOVEit CVE-2024-5806 – Exploit Attempts in Progress

Researchers are warning that a CVSS 9.1 rated vulnerability in Progress Software’s MOVEit Transfer is seeing in-the-wild attempts to exploit it, beginning within hours of the patch becoming available.

CVE-2024-5806 affects MOVEit Transfer version 2023.0.0 earlier than 2023.0.11, version 2023.1.0 earlier than 2023.1.6, and version 2024.0.0. The bug is described as being able to lead to an authentication bypass and can be exploited to allow an attacker to impersonate another user on the system.

Researchers from Rapid7 say they believe that prerequisites for the attack involve knowing an existing user’s name, targeting an account that can be authenticated remotely, and having an SFTP service open to the public internet. Censys research estimates that there are around 2,700 exposed instances of MOVEit Transfer on the internet, with the majority of those in the U.S.

A previous flaw in MOVEit Transfer was used in attacks by Cl0p ransomware around this time last year. In May and June 2023, CVE-2023-34362 was used to deliver webshells that allowed the attackers to exfiltrate files, including files hosted on Windows Azure if the MOVEit instance was configured to use Azure’s blob services storage. SentinelOne observed opportunistic attacks against more than 20 organizations during that time.

Progress says it strongly urges all MOVEit Transfer customers on versions 2023.0, 2023.1 and 2024.0 to upgrade to the latest patched version immediately, and also to apply the mitigation steps described here.

PinnacleOne ExecBrief | Flashpoint in Focus: Israel-Hezbollah
https://www.sentinelone.com/blog/pinnacleone-execbrief-flashpoint-in-focus-israel-hezbollah/ | Mon, 24 Jun 2024 13:00:02 +0000

Last week, PinnacleOne revealed three emerging threats to the “deep tech” venture ecosystem underpinning western technological and strategic advantage.

This week, we draw executive attention to the flashpoint risk of war between Israel and Hezbollah, which would change the security environment for most civilians in Israel, disrupt trade in the eastern Mediterranean and potentially pull larger powers into a regional conflict.

Please subscribe to read future issues — and forward this newsletter to interested colleagues.

Contact us directly with any comments or questions: pinnacleone-info@sentinelone.com

Insight Focus | Flashpoint in Focus: Israel-Hezbollah

The simmering standoff between Hezbollah and Israel is close to boiling over as each side escalates political rhetoric, increases cross-border strikes, and moves military forces into battle positions.

Background and Recent Events

The Israel-Hezbollah conflict has its roots in the Lebanese Civil War of the 1980s when Hezbollah emerged as an Iran-backed Shia militant group opposed to Israel’s presence in southern Lebanon. The conflict escalated significantly in 2006 when Hezbollah’s abduction of Israeli soldiers led to a 34-day war that resulted in over 1,200 Lebanese and 159 Israeli deaths. Since then, tensions have remained high with periodic exchanges of fire across the Israel-Lebanon border.

Most recently, this intensified in the wake of Hamas’s October 2023 attack on Israel, which has seen tens of thousands of Israelis displaced from northern areas and increasing military reinforcement of frontier positions. Since the start of the Gaza War, the IDF has hit thousands of Hezbollah sites and killed hundreds of fighters, triggering increasingly frequent cross-border skirmishes and strikes.

Fear of a war breaking out on this northern front has gripped policy makers since the start of the Gaza conflict. These fears are now close to realization given recent events. On June 18, the Israeli foreign minister said the government is “getting very close to the moment of deciding on changing the rules of the game against Hezbollah and Lebanon.” Shortly thereafter, the Israeli Defense Forces announced that “operational plans for an offensive in Lebanon were approved and validated, and decisions were taken on the continuation of increasing the readiness of troops in the field.”

Returning from the region, Washington Post reporter Shane Harris recently described how a sense of pessimism, even fatalism, has seeped into Israel’s national security and political leadership. These officials hoped to initially reach a resolution with Hezbollah after achieving a victory over Hamas, but this optimism has completely faded, and now “everything is turning to the north…[with] reservists getting called up to go back to their 8200 site in the north… [and] a sense of inevitability that they will now have to deal with Hezbollah because people in the north cannot return to their homes and because Hezbollah was not standing down.”

Last week, Biden’s Middle East envoy, Amos Hochstein, issued an ultimatum to Hezbollah — and by proxy to Iran — to “de-escalate within five weeks in Lebanon or risk an Israeli offensive supported by the U.S.” The Kuwait Foreign Ministry told its citizens to leave the country immediately, as has North Macedonia.

Even as senior U.S. diplomats frantically shuttle between Jerusalem and Beirut to find an off-ramp, CNN reported on June 19 that Israeli officials told the U.S. they are “planning to shift resources from southern Gaza to northern Israel in preparation for a possible offensive against [Hezbollah]” and are making the case that it “can pull off a ‘blitzkrieg’.” A senior Biden administration official was quoted as saying “We’re entering a very dangerous period. Something could start with very little warning.”

Escalation Scenarios

Any major outbreak of war between Israel and Hezbollah would immediately put civilian population centers and infrastructure at risk of a massive barrage of missile strikes. Despite the success of Israel’s Iron Dome interception system, military officials recognize that it would be insufficient under an all-out missile attack. Many would get through, even if the impact wouldn’t be, as one official said to Shane Harris, “catastrophic.” Daily life in most urban areas would immediately change, with continuous emergency alerts and many forced to take intermittent shelter.

Even if the IDF is able to pull off a tactically successful “blitzkrieg” to establish a buffer north of the Litani River sufficient to ensure security for displaced communities, it is unlikely to eliminate most of Hezbollah’s significant military capabilities, which include approximately 150,000 rockets and missiles, including thousands of precision munitions, and at least 40,000 to 50,000 fighters.

Hezbollah could marshal a counterattack on IDF forces and use asymmetric means beyond the northern front to shift the political calculus. For example, Hezbollah released hi-def drone video of Israeli infrastructure sites, including Haifa port, oil/gas storage tanks, military complexes and Iron Dome batteries, as a signal that they could target key facilities and impose a large economic and strategic cost on the country.

Hezbollah chief Nasrallah said on June 19 that they would fight with “no rules and no ceilings” and could attack targets throughout the eastern Mediterranean, including U.S. military garrisons (holding 1,000+ troops) as well as EU (but not NATO) member state Cyprus, from which Israel might launch airstrikes. Nasrallah threatened that in an all-out war, Israel must expect “us on land, by sea and by air… [and] all its ports, all its boats and ships” would be targeted.

As the Israeli Defense Minister was in Washington to discuss the shifting tempo of Gaza operations and rising hostilities with Hezbollah, Air Force General C.Q. Brown, the chairman of the Joint Chiefs of Staff, said Sunday that an offensive into Lebanon would “drive up the potential for a broader conflict” that might bring in Iran, which “would be more inclined to support Hezbollah.” Foreign fighters are expected to pour into any larger conflict:

“Eran Etzion, former head of policy planning for the Israeli Ministry of Foreign Affairs, said at a panel discussion hosted by the Washington-based Middle East Institute on Thursday that he sees “a high probability” of a “multi-front war.” He said there could be intervention by the Houthis and Iraqi militias and a “massive flow of jihadists from (places) including Afghanistan, Pakistan” into Lebanon and into Syrian areas bordering Israel.”

What might start as a ground offensive on the border could quickly escalate into a wider conflict that pulls in U.S. military forces as an active belligerent. The U.S. is already repositioning carriers to prepare. If the U.S. is in the fight, the U.K. and even France might follow, and if Hezbollah declares war on those nations, Iran may feel it must tag in as well. If no off-ramps are taken along this escalation ladder, a major war could erupt in the Middle East.

Even short of that, a localized conflict could see major disruptions to regional trade and significant impacts on daily life and safety for individuals in Israel and Lebanon.

Implications for Businesses

As we described in our last post on navigating escalation dynamics in the Middle East, executives should maintain a heightened state of alert, with a tight loop between risk professionals and organization leaders in the region. In particular, executives should know that staff in Israel are well-acquainted with the realities of war. Many participated in mandatory military service in their youth and some may have been recently deployed for operations in Gaza. As a result, local staff are best equipped to determine their own safety protocols.

  • During the coming weeks, the company should exercise work from home flexibility as requested by employees.
  • Non-Israeli citizens in the country should be afforded the opportunity to leave if they have not already been offered such accommodations.
  • The company should closely monitor Israel’s announcements and changes in diplomatic security posture.

To prepare for a more intense and destructive regional conflict, executives with staff and/or business interests in the region should:

  • Expect significant disruptions to their workforce (e.g., call-up, family support, loss of life) and in-country operations (e.g., cascading impacts from attacks on Israeli infrastructure).
  • Re-examine business continuity plans and crisis response playbooks.
  • Prepare for large commercial spillovers to regional trade and energy markets.

Given the immense costs of taking large-scale military action, the closer states get to war, the stronger the incentives often become to find a short-term political resolution that “kicks the can”. One might hope that ongoing and intense diplomatic efforts succeed in finding a feasible off-ramp, but the present trend and recent statements provide cold comfort for this view. Prudent executives must prepare now for a significant increase in the regional risk environment.

The Good, the Bad and the Ugly in Cybersecurity – Week 25
https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-25-5/ | Fri, 21 Jun 2024 13:00:49 +0000

The Good | Dark Marketplace Operators Face Life Sentences for $430 Million in Illicit Transactions

Two operators of Empire Market, a dark marketplace worth over $430 million in illicit profit, were officially charged this week. Running the marketplace from February 2018 to August 2020, Thomas Pavey (aka “Dopenugget”) and Raheim Hamilton (aka “Sydney” and “Zero Angel”) allegedly facilitated over 4 million transactions involving malware, stolen data, hard drugs, and counterfeit money, using cryptocurrencies like Monero, Litecoin, and Bitcoin.

Before going offline in 2020, thousands of users filtered through Empire Market, their illegal transactions obfuscated through a combination of cryptocurrency and tumbling services in order to evade law enforcement. Pavey and Hamilton profited by retaining portions of the cryptocurrency transactions to compensate themselves and their team of moderators. The DoJ indictment revealed that Pavey and Hamilton had been involved in selling counterfeit currency on another dark marketplace called AlphaBay prior to operating Empire Market.

Now, the men face five charges: conspiracy to sell counterfeit currency on AlphaBay, conspiracy to distribute controlled substances via Empire Market, conspiracy to possess unauthorized access devices, conspiracy to sell counterfeit currency on Empire Market, and conspiracy to launder money to conceal proceeds from illegal activities. Conviction on all counts could result in life imprisonment for the two operators, especially due to the severe penalties linked with drug trafficking.

Stolen data that ends up on dark marketplaces can provide unauthorized access leading to cyberattacks, fraudulent activity, data breaches, and more. Having a comprehensive security solution focused on machine-speed threat detection and advanced analytics can help protect digital identities and sensitive user information from being exfiltrated and sold online.

The Bad | Network Security Zero-Day Flaws Targeted by China-Nexus APT for Cyber Espionage Campaigns

A Chinese-linked threat actor tracked as UNC3886 has been exploiting a combination of zero-day vulnerabilities in Fortinet, Ivanti, and VMware devices to gain and maintain access to compromised systems. Latest findings from cyber researchers detail how this espionage-focused actor employs multiple persistence mechanisms across network devices, hypervisors, and virtual machines (VMs) to ensure continuous access even if initial compromises are detected and removed.

UNC3886 is characterized as sophisticated and evasive, leveraging zero-day flaws such as CVE-2022-41328 (Fortinet FortiOS), CVE-2022-22948 (VMware vCenter), and CVE-2023-20867 (VMware Tools) to deploy backdoors and harvest credentials for deeper access. The group also exploited CVE-2022-42475 in Fortinet FortiGate shortly after its disclosure.

So far, the campaign has targeted entities across North America, Southeast Asia, Oceania, Europe, Africa, and other parts of Asia, focusing on critical sectors such as government, telecommunications, technology, aerospace and defense, and energy. A key tactic is the use of publicly available rootkits such as “Reptile” and “Medusa” to remain undetected. Medusa, deployed via the SEAELF installer, logs user credentials and commands, which aids lateral movement within networks.

UNC3886 also uses custom backdoors named MOPSLED and RIFLESPINE that abuse legitimate services like GitHub and Google Drive for command and control (C2), so that their traffic blends in with ordinary outbound connections. The former is an evolution of the Crosswalk malware and communicates over HTTP with a GitHub-hosted C2 server; the latter is cross-platform and uses Google Drive for file transfer and command execution.

Given the developing nature of these threats, organizations are urged to follow the security advisories from Fortinet and VMware and patch the vulnerabilities at hand. Patching alone does not evict an actor that has already established persistence on appliances and hypervisors, so systems that were exposed before the fix should also be checked for the rootkits and backdoors described above. Doubling down on deep visibility, persistent monitoring, and real-time analysis helps protect organizations from advanced persistent threats (APTs).

The Ugly | Suspected Ransomware Attack Shuts Down Thousands of Auto Dealerships Across the U.S.

Fifteen thousand car dealerships across the U.S. were taken out of commission this week by back-to-back cyberattacks on CDK Global, their SaaS (software-as-a-service) platform. Handling CRM, financing, payroll, inventory, support, and administrative functions, CDK Global serves dealerships as a full-stack management and operations solution.

The first attack forced CDK Global to take its two data centers offline to stop the attack from spreading further. This caused widespread outages, leaving dealerships unable to track and order parts, conduct sales, offer financing, or carry out vehicle repairs. Many employees reported being unable to work, reverting to manual methods or being sent home. A second breach occurred while the company was working to restore the systems shut down after the first.

CDK's latest status update at the time of writing confirms that there is no estimated time frame for resolution and that the outage will likely continue for several more days. IT firms working with affected dealerships note that CDK advised them to disconnect their always-on VPN connection so that an attacker could not pivot through it into dealership networks.

The prolonged disruption is raising questions as to whether these attacks are the work of ransomware operators who may also have hit CDK's backups. Ransomware attacks typically involve threat actors stealing data and encrypting systems, then demanding a ransom both for decryption and to avoid a public data leak. If that is confirmed, the road to resolution could take weeks.

Threat actors continue to target the automotive industry, exploiting its complex, supply-chain-based operations and its weight as an economic sector to reach high-value data on millions of customers and employees.

AWS re:Inforce 2024 Recap | Developing Security Culture, Inclusion, and Education https://www.sentinelone.com/blog/aws-reinforce-2024-recap-developing-security-culture-inclusion-and-education/ Thu, 20 Jun 2024 15:27:40 +0000 https://www.sentinelone.com/?p=100197 Back on the East Coast in Philadelphia after last year’s AWS re:Inforce in Anaheim, the SentinelOne team took in the cloud security-focused sights and sounds of over 5,000 other attendees from around the world.

Our team had a very busy week filled with great conversations at our booth, in-depth speaking sessions, AWS Partner Day, AWS Security LIVE!, and an exclusive, sold-out bowling event with technology partner, Snyk. We had a great time connecting with and learning from everyone at this event. Here’s a recap of AWS re:Inforce 2024 from the SentinelOne perspective.

“Job Zero” | Security Is Everyone’s Responsibility

Continuing a recurring theme, the event focused on both the technology and the culture of security, with a collaborative approach to each. You'll often hear AWS team members say “Security is Job Zero”, and the programming and activities at this show backed that up. Though attendees enjoyed many exciting technology-focused announcements about AWS and partner innovation (yes, including many about AI), the event reached beyond the tech, providing several opportunities to explore developing thinking on security culture, inclusion, and education.

With something for everyone, the event offered immersive, hands-on labs for the technically inclined, compelling keynotes, and plenty of practical customer stories about tackling cloud security for strategists and practitioners, helping us all walk away with something new to consider or apply.

The SentinelOne team at AWS re:Inforce preparing to deliver hundreds of demos for Singularity Cloud Security, Purple AI, and Singularity Data Lake

AI-Powered Cloud Workload Security for Serverless Containers on AWS

During re:Inforce, SentinelOne announced Singularity Cloud Workload Security (CWS) for Serverless Containers, a solution tailored for containerized workloads on AWS Fargate for Amazon ECS and Amazon EKS. This real-time cloud workload protection platform (CWPP) uses AI to identify and respond to a spectrum of threats, including ransomware, zero-day exploits, and fileless attacks.

Real-time threat detection is crucial for safeguarding cloud workloads, particularly in serverless environments where direct access to the underlying infrastructure is limited. CWS for Serverless Containers flags suspicious activity in real time through Behavioral AI Engine alerts, giving security analysts actionable insight to counter threats even on ephemeral workloads.

“Enterprises of all sizes are increasingly moving toward serverless infrastructure services to accelerate innovation at scale, and it is critical that these resources are protected. With AWS Fargate, developers can focus on building applications without managing servers and get ideas into production more quickly, and with SentinelOne, they can be sure they do so securely.” Ely Kahn, Vice President, Product Management, Cloud Security at SentinelOne

Announcements such as Fargate support are part of SentinelOne's commitment to partner with AWS to provide better security outcomes for shared customers. SentinelOne provides real-time protection for other common AWS services including Amazon Elastic Compute Cloud (EC2) and Amazon Simple Storage Service (S3). To further improve security posture and power threat hunting and visibility, SentinelOne has also delivered integrations with services such as AWS Elastic Disaster Recovery (DRS), Amazon AppFabric, and Amazon Security Lake.

“As a long-time and strategic Amazon Partner Network member, we are committed to delivering market-leading innovations through simple integrations that enable customers to improve their security outcomes and change the game.” Brian Lanigan, Senior Vice President, Global Ecosystem at SentinelOne

Learn more about SentinelOne’s many AWS integrations here.

Cloud Native Security Featuring the Offensive Security Engine™

Cloud Native Security was one of the most popular topics of discussion at this year’s AWS re:Inforce. Unveiled first at RSAC in May, Singularity Cloud Native Security (CNS) is an agentless CNAPP with a unique Offensive Security Engine™. By thinking like an attacker and automating red teaming efforts around cloud security issues, CNS helps prioritize risks in a cloud environment. Verified Exploit Paths™ uses evidence-based findings from these red team efforts to prioritize remediation, going beyond the typical attack path graphs.

AWS re:Inforce attendees, including AWS employees and industry analysts, lined up to see what all the buzz around SentinelOne’s CNAPP was about, and gave rave reviews for the Offensive Security Engine capability.

“Attackers today think and act in totally different ways, and to keep their systems and information safe, security teams need to do the same. With SentinelOne Singularity Cloud Native Security, defenders can see things from an attacker’s perspective, understand how they operate, and stop them in their tracks.” Anand Prakash, Senior Director of Product Management at SentinelOne and a top-five ethical hacker

LIVE! From the Show Floor

It wouldn’t be an AWS event without livestreaming from the Expo Hall floor, and the SentinelOne team was thrilled to be in on the action again this year with Security LIVE! This is an AWS-hosted Twitch show that focuses on AWS and AWS Partners solving current security challenges for customers. With a rotating cast of expert hosts, it’s always a pleasure to be included as a guest, and to watch. This year from the re:Inforce floor, Himanshu Verma, Worldwide Security GTM Leader for AWS Security Services, and Rob Hale, Principal Security Segment Leader for AWS, chatted with SentinelOne Cloud Security Evangelist Chris Hosking about how SentinelOne is changing the game for AI-powered security. From Purple AI to the Offensive Security Engine within Singularity Cloud Security, this segment, seen live by over 2,000 viewers, covered some of the latest and greatest from SentinelOne.

Check out this session here and tally up how many times Chris had to put a coin in the “acronym jar” while talking about AI-powered CNAPP!

Busy Days at the SentinelOne Booth

The SentinelOne booth was busy all show long with customers, prospects, partners and industry analysts stopping by to listen in on our presentations and catch up with the team. The most popular presentations in the booth centered around Purple AI, Security Data Lake, and Singularity Cloud.

Of course, what’s an event without some swag? The custom Lego kits we gave away were a huge hit, with attendees thrilled to build their very own mini security center. AWS re:Inforce is a very inclusive and welcoming environment, and we were happy to let attendees customize the minifigure in their kit with a face, hairstyle, and outfit that best represented them.

Thank You AWS re:Inforce 2024!

The SentinelOne team would like to thank all of our customers, partners, and the AWS team for another awesome re:Inforce event. It’s a wonderful opportunity to participate in such an esteemed cloud security event, and the energy and innovation continue to make AWS events exciting ones to be at. We hope to see you again next year, but let’s not wait so long. Connect with us at AWS re:Invent in Las Vegas from December 2nd to 6th later this year!

In the meantime, feel free to take a self-guided tour of SentinelOne Solutions and learn more about SentinelOne solutions for AWS customers. Keep the conversations going with us by booking a demo today or contacting us directly.

Cloud Native Security for AWS
Enterprise-wide security powered by AI to secure the cloud, protect the endpoint, and fortify identities.
How SentinelOne Delivers Results, Not Noise | MITRE Managed Services Engenuity ATT&CK® Evaluations https://www.sentinelone.com/blog/mitre-managed-services-engenuity-attck-evaluations/ Tue, 18 Jun 2024 13:00:17 +0000 https://www.sentinelone.com/?p=100059 Organizations are faced with an increasingly sophisticated, constantly evolving threat landscape and limited resources to protect their environments. To keep up, many businesses count on the 24/7 hands-on expertise provided by managed detection and response (MDR) services.

SentinelOne has once again demonstrated industry-leading real world performance in the latest independent MITRE ATT&CK® Evaluation of managed security service (MSS) providers. The attack scenario in this year’s test highlights the importance of speed, visibility, and reduced noise; with SentinelOne’s Vigilance MDR+DFIR delivering:

  • 100% detection of major attack steps – 14 out of 14 steps identified, investigated and reported
  • Best signal-to-noise ratio amongst top performers – Providing clear and actionable analysis and not a flood of automated alerts
  • Optimal Mean-Time-to-Detect and Mean-Time-to-Escalate – SentinelOne’s autonomous, AI-powered Singularity Platform balances speed and accuracy to ensure organizations stay ahead of attacks
  • Enriched reporting – Our final incident report was recognized by MITRE for enrichment with contextual analysis – including a key timeline of events, a detailed technical analysis, and clear, actionable recommendations to reduce the likelihood of incident recurrence

These results clearly illustrate how SentinelOne’s Singularity Platform, combined with its Vigilance MDR + DFIR services, provide the most comprehensive, thorough, and efficient real-world protection against sophisticated attacks for every organization.

Measuring Real-World Protection | Understanding MITRE Engenuity’s ATT&CK Evals MSS Round 2

This year’s evaluation emulated the adversary behavior of menuPass (G0045) and an ALPHV/BlackCat ransomware affiliate. Prevention and remediation were not in scope of the evaluation. menuPass (aka APT10) has been active since at least 2006 and is believed to be sponsored by the Chinese Ministry of State Security. The group focuses on the exfiltration of sensitive data such as intellectual property and business intelligence in support of Chinese national security objectives. ALPHV/BlackCat, a prolific Russian-speaking RaaS group that emerged in 2021, is linked to BlackMatter, DarkSide, REvil, and other RaaS groups. ALPHV/BlackCat utilizes ransomware coded in Rust, allowing for enhanced performance, flexibility, and cross-platform capabilities.

SentinelOne has participated in more comprehensive MITRE evaluations than any other cybersecurity leader as the only XDR provider to participate in all ATT&CK Enterprise Evaluations, the Deception evaluation, and the inaugural Managed Services evaluation.

SentinelOne Cuts Through the Noise to Deliver Expert Managed Detection & Response with Speed and Accuracy

It is estimated that security teams receive more than 1,000 events, alerts, or incidents per day, with more than half of these going uninvestigated. While visibility is critical to identifying and understanding threats, it can also lead to information paralysis and alert fatigue. As stated in the MITRE Enterprise Evaluation Round 5: “100% visibility” is not always a positive. AI and automation become critical in ensuring the right information gets to the right hands quickly and with context.

Managed Detection and Response bridges this gap by performing 24/7 detection, investigation, and mitigation of all attacker activity, summarizing incident scope and impact, and recommending critical next steps and actions to the customer.

This combination of machine and human intelligence makes the Autonomous SOC a reality, mitigating and remediating at cloud scale to stay ahead of attackers while escalating only the most critical incidents for attention. This allows analysts to stay focused on what matters most. SentinelOne’s MDR team fully resolves more than 99% of all threats without requiring an escalation to the customer. As evident in the table below, many vendors bombard analysts with notifications and alerts, as many as 8 or more per unique attacker action. Security teams need to spend their time responding to critical notifications, not creating mail rules.

Table: vendors ranked from least to most noise generated

Mean Time To Detect | The Power of the AI-powered Singularity Platform

Not all detections are created equal. There is a material difference between Mean-Time-To-Detect (MTTD) and Mean-Time-To-Escalate (MTTE), though the MITRE evaluation does not distinguish between the two. MITRE defines MTTD as the time each vendor took to notify the customer about each stage of the attack. SentinelOne, by contrast, defines MTTD as the time at which the technology first notifies a human analyst about suspicious or malicious activity.

The Singularity Platform detects and blocks threats in near real time, often sub-second or within seconds. During the MITRE evaluation, the platform's automated prevention and remediation were disabled so that the emulated attack could run to completion. While MITRE did not score participants on our definition of MTTD, our own assessment showed that our MDR analysts were notified within 3.3 minutes, on average, of every major attack step that was detected.

Only the most critical alerts, or those requiring human intervention or approval, are escalated after careful investigation. The time between the detection of the activity (first alert) and the escalation to the customer is known as MTTE.

Mean Time To Escalate | Balancing Accuracy & Speed

Once alerted by the Singularity Platform, our MDR analysts conduct their expert analysis, filtering out unrelated activity, correlating multiple data points, and, in the case of a real incident, performing containment and mitigation actions, all before escalating to the customer. During the evaluation, SentinelOne’s MDR experts averaged 47 minutes between detection and escalation to the customer (reported by MITRE as MTTD, but more precisely Mean-Time-To-Escalate, MTTE), meaning that within 50 minutes of each major stage of the attack the customer was presented with a single clear summary of the activity identified and the response actions that either should be or had already been taken on their behalf.

This final escalation to the customer is the last stage of the response process, not the first. Extremely low MTTD results, especially when combined with a low signal-to-noise ratio, should be a red flag for customers evaluating MDR services: very short times imply a lack of expert analysis, investigation, and response, and rapid automated notifications at high volume only create more noise for the customer to sort through.

SentinelOne provides our customers with both exceptional Mean-Time-to-Detect (MTTD) on the Singularity Platform and Mean-Time-to-Escalate (MTTE) from our MDR team.
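To make the three measurements above concrete, here is an added example (not SentinelOne's or MITRE Engenuity's code) that computes them from one constructed attack timeline. The step records and raw alerts are invented for illustration and reproduce no evaluation result; the point is that the same data yields three different numbers depending on which interval you call "detection".

```python
"""MTTD vs MTTE on one constructed attack timeline.

Added example, not SentinelOne's or MITRE Engenuity's code. The records below
are constructed for illustration; no timestamp reproduces an evaluation result.
"""
from datetime import datetime
from statistics import mean


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# One record per major attack step (the unit MITRE scores): when the emulated
# adversary acted, when a human analyst was first notified, and when the
# customer was escalated to. All timestamps are constructed, UTC.
STEPS = {
    "initial_access":    ("2024-06-01T10:00:00", "2024-06-01T10:03:00", "2024-06-01T10:50:00"),
    "credential_access": ("2024-06-01T10:20:00", "2024-06-01T10:22:30", "2024-06-01T11:05:00"),
    "lateral_movement":  ("2024-06-01T10:45:00", "2024-06-01T10:49:00", "2024-06-01T11:30:00"),
}

# Every raw platform alert, tagged with the step it belongs to. Several alerts
# for one attacker action is the "noise" the text describes. Constructed.
ALERTS = [
    ("initial_access",    "2024-06-01T10:00:05"),
    ("initial_access",    "2024-06-01T10:00:06"),
    ("initial_access",    "2024-06-01T10:00:09"),
    ("credential_access", "2024-06-01T10:20:02"),
    ("lateral_movement",  "2024-06-01T10:45:30"),
    ("lateral_movement",  "2024-06-01T10:45:31"),
]


def first_alert_per_step(alerts):
    """Earliest platform alert for each step: the moment the technology detected it."""
    first = {}
    for step, ts in alerts:
        t = _ts(ts)
        if step not in first or t < first[step]:
            first[step] = t
    return first


def mitre_mttd_seconds(steps=STEPS):
    """MITRE's MTTD: attacker action -> customer notified, averaged over steps."""
    return mean((_ts(esc) - _ts(act)).total_seconds() for act, _, esc in steps.values())


def analyst_mttd_seconds(alerts=ALERTS, steps=STEPS):
    """Technology -> human: first alert for a step -> analyst notified."""
    first = first_alert_per_step(alerts)
    return mean((_ts(steps[s][1]) - first[s]).total_seconds() for s in steps)


def mtte_seconds(alerts=ALERTS, steps=STEPS):
    """Mean-Time-To-Escalate: first alert for a step -> escalation to the customer."""
    first = first_alert_per_step(alerts)
    return mean((_ts(steps[s][2]) - first[s]).total_seconds() for s in steps)


def alerts_per_action(alerts=ALERTS, steps=STEPS):
    """Noise: raw alerts per unique attacker action (1.0 is the floor)."""
    return len(alerts) / len(steps)


def coverage(alerts=ALERTS, steps=STEPS):
    """Fraction of major steps that produced at least one alert."""
    seen = {step for step, _ in alerts}
    return sum(1 for s in steps if s in seen) / len(steps)


if __name__ == "__main__":
    print(f"MITRE MTTD (action -> customer): {mitre_mttd_seconds() / 60:.1f} min")
    print(f"analyst MTTD (alert -> analyst): {analyst_mttd_seconds() / 60:.1f} min")
    print(f"MTTE (alert -> customer):        {mtte_seconds() / 60:.1f} min")
    print(f"alerts per attacker action:      {alerts_per_action():.2f}")
    print(f"step coverage:                   {coverage():.0%}")
```

On this constructed data the technology-to-analyst interval is about three minutes while the alert-to-customer interval is about 46 minutes; a vendor quoting a single "MTTD" figure could legitimately mean either, which is why the definition matters more than the headline number.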

In Real-World Scenarios, Signal-to-Noise Matters

MDR services are trusted partners for security teams, and their real value lies in separating signal from noise and turning it into actionable insight. SentinelOne’s MDR+DFIR teams:

  • Triage and investigate all suspicious activity on behalf of customers;
  • Filter out false positives;
  • Investigate the scope and impact of malicious activity;
  • Escalate only the incidents that matter most for the customer’s business (see figure 1); and
  • Provide clear, actionable updates until the incident is contained and remediated (see figure 2 for example notification).
Figure 1: Original incident notification sent to the customer

SentinelOne’s performance in this evaluation shows that our team of analysts and threat hunters identified and investigated all major steps of the attack, filtering out unrelated alerts and unnecessary details, and providing our customer with detailed, actionable updates and guidance.

Figure 2: Timeline of key events provided as part of a daily incident summary

At the conclusion of the incident, our team delivered a detailed and comprehensive incident report, including a full view of the scope and impact of the attack (figure 3) and detailed technical analysis (figure 4).

Figure 3: Diagram from the final incident report, summarizing the attack activity across 14 impacted hosts and 8 user accounts
Figure 4: Reverse engineering performed by the SentinelOne team to fully document the behavior of one of the Remote Access Tools used during the simulation

A Team of Skilled Experts Augmented by Powerful Technology

At SentinelOne, we prioritize real-world protection for our customers, combining our autonomous, AI-powered Singularity Platform with a global team of MDR analysts, investigators, and threat hunters to cut through the noise and take proactive mitigation actions to prevent attacks. Together, our machine and human intelligence enable us to continue our leading performance in ATT&CK Evaluations based on real-world protection and results. This latest evaluation proves how we deliver on what customers need in an MDR provider and why leading partners and organizations of all sizes choose the Singularity Platform to autonomously detect and prevent threats and achieve complete enterprise protection.

We encourage buyers to continue to lean on third-party evaluations such as MITRE Engenuity to assess the best fit for their organizations. Dive deeper into SentinelOne’s leading performance over five years of MITRE Engenuity ATT&CK evaluations here. To join the ranks of other customers who have gained peace of mind and simplified their security with SentinelOne’s MDR services, learn more about Vigilance Respond Pro.

Vigilance Respond Pro
Vigilance Respond Pro extends the fastest MDR on the planet with world-class investigation and response.
PinnacleOne ExecBrief | Deep Tech In The Crosshairs https://www.sentinelone.com/blog/pinnacleone-execbrief-deep-tech-in-the-crosshairs/ Mon, 17 Jun 2024 13:00:29 +0000 https://www.sentinelone.com/?p=100034 Last week, PinnacleOne highlighted how a new turn of phrase by China’s leader will spark efforts across the country to make scientific breakthroughs occur out of thin air (or steal them from the west).

This week, we flag three emerging threats to the “deep tech” venture ecosystem underpinning western technological and strategic advantage.

Please subscribe to read future issues — and forward this newsletter to interested colleagues.

Contact us directly with any comments or questions: pinnacleone-info@sentinelone.com

Insight Focus | Deep Tech in The Crosshairs

Throughout the 20th century, most strategic technologies were incubated or directly invented by the Federal Government or by contractors and academic institutions under its protective umbrella. Not anymore.

Now, many cutting-edge technologies of strategic and foundational importance (in AI, robotics, quantum, biotech, space, materials, and new energy) are spawned in a diffuse private ecosystem. Instead of the well-resourced government programs of the 1950s through the 1990s, small teams of founder scientists and engineers convince “deep tech” venture capitalists they have caught lightning in a bottle. In venture capital jargon, “deep tech” signals that a company’s business model relies on significant advances in science and technology. Adversaries and cybercriminals are also catching on. We see them aggressively targeting these startups for their post-funding-round cash, critical IP, proprietary R&D, and talented expertise.

Pre-IPO deep tech firms and their VC backers now face a fundamentally different threat environment than those of decades past. Decisions made now to protect themselves are critical not only to future investment rounds and successful exits, but also for the technological advantage of western liberal democracies confronting an acute and aggressive authoritarian challenge.

Those working in the cutthroat trenches of venture capital or the worktop benches of a deep tech startup understand risk. It is the essential premise of the outsized returns that motivate their high pressure endeavors, where failure is the baseline expectation. However, there are three emerging risks that are not currently priced into most venture valuation models: Criminals, China, and Co-Opters.

Criminals

“[VOWELLESS] startup today announces a $15M Series A funding round led by [blue chip VC firm] with participation by [Sand Hill Road standbys…]”. Such a headline tells a certain cohort of aggressive cybercriminals that this specific company (whose infosec staff is so small they can probably share an appetizer) now has millions in the bank and a cohort of deep-pocketed investors deeply motivated to make any incident quickly and quietly go away.

All it takes is a willingness to commit crimes, teenage hubris, some googling, off-the-shelf ransomware tools, and maybe some AI-assisted social engineering and presto… payday. The thing about such targeting trends among cybercriminals is that a successful tactic spawns imitators, and what may now be a very quiet and limited circle of victims could expand quickly. The lack of headlines on this issue is likely a result of incentives to keep things secret, not evidence of absence.

China

President Xi has given marching orders to his scientific, economic, and security bureaucracies to seize the “commanding heights” of technology development and make China into the “World’s Primary Center for Science and High Ground for Innovation.” Xi aims to leap ahead to the frontier of emerging technologies he sees driving a “S&T and industrial revolution” and critical to the “new quality productive forces” that will accrue strategic advantage to those nations in the lead position.

In Xi’s words, “creative breakthroughs in areas such as information technology, life sciences, manufacturing, energy, space, and maritime are supplying ever more wellsprings of innovation for cutting-edge and disruptive technologies…and S&T have never before so profoundly influenced the future and fate of nations.”

As described in a previous post on China’s hacking ecosystem, this top-level strategic demand signal drives an all-of-government (and commercial) effort to acquire (by any and all means, overt or not) the West’s technical crown jewels, many of which are being cut and polished by small startups in Silicon Valley and the “Gundo”.

For example, while it’s very cool to develop a breakthrough jet engine that could change the economics of space launch, posting your workshop location and part designs, and identifying key personnel roles along with your seed funding and backers is likely to invite unwarranted attention. We understand the important function hype and in-group social visibility play in early-stage venture success, but Lockheed engineers don’t post on X from their secret commuter plane flying into the Nevada desert for a reason.

If you want to play in the critical tech big leagues – or invest in it – and overtly signal the strategic value of your R&D, understand that your threat model isn’t that of a standard SaaS startup. If you claim your technology to have a strategic impact on competition between nations, expect strategic APTs.

Co-Opters

China isn’t the only nation looking to capture the frontier of these emerging technologies. The UAE and Saudi Arabia have lofty ambitions of their own, as we detailed in our earlier post on the new digital great game in the Middle East. While political “decoupling” has severed many of the (direct) venture links between China and the U.S., the western VC ecosystem has now “recoupled” to these deep-pocketed Gulf powers.

The private jets landing in Riyadh, Abu Dhabi, and Dubai over the last two years include a veritable who’s-who of leading deep tech VC players. It is hard to pass up a nine- or ten-figure check from a sovereign wealth fund or royal UHNWI (ultra-high-net-worth individual), even if the conditions require that they be made sole limited partners of standalone funds, possibly at the expense of existing domestic limited partners (LPs).

These domestic LPs tend to be pension funds, family offices, endowments and other wealthy entities with no objective other than maximizing financial returns. But there is a key difference. These new Emirati and Saudi LPs are deploying state capital with a different objective: to scout, nurture, and accelerate critical technologies they intend to co-opt for their own national advantage, in line with their national strategic visions and economic innovation plans.

We are aware that some of these LPs receive detailed non-public reports on their investments, including not only the value of fund portcos, but closely-held R&D strategies, key hires, product roadmaps, high value customers and planned partnerships (which may include the U.S. and allied governments), technical dead-ends and imminent breakthroughs. This information is an S&T intelligence targeting officer’s dream and would provide a critical advantage to adversary aligned competitors looking to fast-follow western tech firms exploring the difficult and capital-intense scientific frontier.

We are also aware of firms leading in strategic and scientifically prized technology domains being “encouraged” by their Gulf backers to set up domestic R&D teams co-located at national universities where Chinese researchers just happen to be lab neighbors working on very similar projects. This is a remarkable coincidence to say the least.

The self-serving argument, for now, is that this is a win-win marriage of convenience between Gulf capital and Western venture, and that while the money buys some influence, the fundamental advantage and leverage remains where the brains and tech come together. This may be the case at the moment, but the trend of structural deep tech venture dependence on Gulf capital seems to be only going one way. The nature of addiction is that each hit can be justified in the moment, even if one knows it is ultimately self-destructive.

Risk-Return

Deep Tech seed investments typically have a longer horizon for return than B2B products or SaaS apps and rely disproportionately on the talents and insights of a small team of highly technical founders (often scientists and engineers). Additionally, the path to growth (especially in military, intelligence, and adjacent dual-use application spaces) often weaves through government programs or related defense technical primes that buffer the “valley of death” between prototype and product-market fit. This exposes such startups and their VC backers to more “key man” and “loss of competitive edge” risk than typical software ventures that rely less on a scientific edge than on sales, partnerships, and platform scaling strategies.

The standard practice of USG-affiliated deep tech venture activities like the Defense Innovation Unit, In-Q-Tel, as well as the venture arms of major defense and intelligence contractors (like Booz Allen Hamilton, Lockheed, etc.) has been to scout and quickly incorporate leading edge tech under their protective umbrella (experienced as they are with managing sensitive R&D programs at acute risk of adversary compromise). In some cases, truly disruptive startups are known to “disappear”, their technology tucked behind the classification curtain, and their patents classified.

Such protections are now the exception, not the rule, for the breakthrough technologies emerging from the U.S.’s venture engine of innovation. In most cases, their teams, tech, and tools are in full public view, if not aggressively hyped as the foundation for strategic national advantage. It is high time these firms and their funders wake up to the fact that they are squarely in the crosshairs, before this advantage bleeds away to illiberal authoritarians and U.S. adversaries.

The Good, the Bad and the Ugly in Cybersecurity – Week 24 https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-24-5/ Fri, 14 Jun 2024 13:00:41 +0000 https://www.sentinelone.com/?p=99985 The Good | Ukrainian Police Arrest Cryptor Specialist Helping Conti & LockBit Ransomware Operations

A Russian national has been arrested for allegedly working with the Conti and LockBit ransomware groups, making their malware undetectable and carrying out at least one attack himself. Ukrainian cyber police apprehended the 28-year-old man in Kyiv during Operation Endgame, the major law enforcement operation carried out two weeks ago to dismantle an extensive ecosystem of malware droppers.

(Source: Cyber Police of Ukraine)

According to Ukrainian law enforcement, the arrested man had expertise in developing custom crypters that encrypted and obfuscated ransomware payloads into what looked like innocuous files, making them fully undetectable (FUD) to legacy antivirus software. His services were sold to both the Conti and LockBit syndicates, which bolstered their success rates in infiltrating networks.

Reports from Dutch police confirm that the man orchestrated at least one attack of his own using a Conti payload in 2021, indicating that he also acted as an affiliate seeking to extract maximum profit from the relationship. Along with his arrest, police seized computer equipment, mobile phones, and handwritten notes, all of which are being held for ongoing examination. As it stands, the Russian suspect has already been charged under Part 5 of Article 361 of the Criminal Code of Ukraine for unauthorized interference with information systems. He faces up to 15 years in prison.

This arrest is the latest in a string of actions against LockBit operations, most recently following the distribution of 7000 decryption keys to all affected victims of the Ransomware-as-a-Service (RaaS). Earlier last month, the DoJ unveiled the identity of LockBit’s developer, offering a reward of up to $10 million for his arrest or conviction.

The Bad | Hamas-Linked Threat Group Spies on Android Users in Egypt & the Palestinian Territories

An espionage-focused threat actor known as Arid Viper has been linked to an ongoing mobile-based campaign, involving trojanized Android apps delivering ‘AridSpy’ spyware. Based on a recent report, the Hamas-aligned actor is distributing malware through websites that mimic legitimate messaging, job search, and civil registry applications.

Arid Viper’s latest appearance is marked by a new version of AridSpy – a multi-stage trojan capable of downloading additional payloads from a command-and-control (C2) server. The attacks are primarily targeting Palestinian and Egyptian users through websites that distribute the fake (but functional) apps. The apps themselves are clones of legitimate services, but with malicious features.

(Source: WeLiveSecurity)

In one case, researchers found a website impersonating a Palestinian Civil Registry, which had a nearly 200-person following on its dedicated Facebook page. While the app on this site is not a direct clone of the legitimate version found on Google Play Store, it communicates with its legitimate server, indicating a high level of sophistication by Arid Viper.

The actor is also responsible for registering a fake job opportunity app which, upon install, downloads a first-stage payload posing as a Google Play Services update. The spyware then executes various commands, including taking pictures with the front camera when specific conditions are met and sending the data to the actor’s C2 server.

Arid Viper continues to cause concern due to its consistent use and development of mobile spyware to target military personnel in the Middle East as well as journalists and political dissidents. Organizations in critical infrastructure sectors guarding high-value intelligence can mitigate the threat of cyber espionage by implementing proactive and AI-enhanced threat detection, advanced response capabilities, and deep visibility across networks.

The Ugly | Multi-Platform Malware Campaign Targets Indian Critical Sectors via RATs

Cyber researchers have uncovered a six-year-long threat campaign, dubbed ‘Operation Celestial Force’, that employs a combination of GravityRAT, an Android-based malware, and HeavyLift, a Windows-based malware loader. Their report ties Pakistani threat group Cosmic Leopard (aka SpaceCobra) to the campaign with high confidence.

The most recent activity in the operation shows a defined expansion and evolution of the malware suite being used, suggesting ongoing success of the campaign in targeting users in the Indian subcontinent. The operation leverages both GravityRAT and HeavyLift, which are managed together through another standalone tool called ‘GravityAdmin’.

Though GravityRAT was originally a Windows-based malware deployed via spear phishing emails, it has since been adapted for Android systems as well. The Android version of the tool has now been observed in attacks against the Indian military and Pakistani Air Force personnel by masquerading as cloud storage, entertainment, and chat apps. The HeavyLift malware loader is shipped as an Electron app and targets Windows, macOS and Linux.

HeavyLift code targeting macOS

Cosmic Leopard commonly uses spear phishing and social engineering tactics to gain the trust of their victims. After being directed to visit malicious sites, victims are lured into downloading benign-looking programs that then deploy either GravityRAT or HeavyLift depending on the OS in question. The GravityAdmin binary has been used to control the compromised systems since at least August 2021 and works by managing connections with GravityRAT and HeavyLift’s C2 servers.

Researchers posit that the long-running operation will continue to harvest sensitive information from users in the Indian defense, government, and technology sectors, making it crucial for these organizations to shore up their data encryption, real-time monitoring, and automated response capabilities.

Building a Defense Posture | Top 5 Cybersecurity Tips For Small & Medium Businesses (SMBs)
https://www.sentinelone.com/blog/building-a-defense-posture-top-5-cybersecurity-tips-for-small-medium-businesses-smbs/ Fri, 14 Jun 2024 02:23:26 +0000 https://www.sentinelone.com/?p=99846

Verizon’s annual Data Breach Investigations Report has historically compared and contrasted small and medium businesses (SMB) against large organizations. Not this year. The reason: Both SMBs and large enterprises are increasingly sharing similar attack surfaces. With much of the same services and infrastructures, the difference between the two boils down to the available resources.

Where larger companies may have entire teams of cybersecurity analysts or full-fledged security operation centers (SOCs), many SMBs rely on a single IT person to manage their security. Or, companies may outsource cybersecurity to managed service providers (MSPs) who may not yet have the required skills or services in place to plan, build out, and manage a full cyber program.

In this blog post, we examine the most common types of cybersecurity threats SMBs face today and share a list of top 5 cybersecurity tips that SMBs can follow to start building a more robust cyber posture against modern threats.

Types of Cybersecurity Threats for Small Businesses

In the 2023 Data Breach Investigations Report, researchers found that the top patterns of cybersecurity threats for small businesses (fewer than 1,000 employees) were system intrusion, social engineering, and basic web application attacks, together representing 92% of breaches. Several types of attacks, including phishing, malware, watering hole attacks, and drive-by downloads, drive these categories of threats.

Phishing

Phishing attacks continue to grow year-over-year and remain one of the main methods threat actors use to gain entry into their victims’ systems alongside vulnerability exploitation and stolen credentials.

A phishing attack is launched when a threat actor poses as a legitimate entity to lure individuals into providing sensitive data or launching malicious files. Phishing scams are both common and growing increasingly convincing with the help of generative AI tools like ChatGPT. Where spelling errors and an odd tone of voice were once a main tip-off, AI-crafted content makes it harder to judge legitimacy. This leads to the sharing of credit card information, bank account numbers, login credentials, and other sensitive data, all of which is gateway data to the lifeblood of SMBs.

Malware

Malware is the overarching term for malicious software of any kind. It is the software, script, or code that performs an attack on your system without the owner’s consent. Attackers disseminate malware through various vectors, including websites, files, phishing, and drive-by downloads.

Watering Holes

Watering hole attacks compromise users by infecting websites they frequent. Once cyber criminals lure people to the website, they infect their computer with malware. Attackers first work to identify and research the websites that their targeted users like to visit frequently, looking for clues to common interests and online habits. Attackers then inject malicious code via vulnerabilities found in the website’s code or server. When the targeted users access the website, malware is installed on the user’s device which can lead to unauthorized access to their organization’s network and valuable data.

Drive-By Downloads

Drive-by downloads can be particularly frustrating as the attack doesn’t always require user interaction. When a person visits a website, an unintentional download of malicious code happens without any interaction (e.g. clicking or taking an action on the site), implanting it on the victim’s computer or mobile device. Once on the endpoint, it can hijack the device, spy on activity, exfiltrate data, or disable the device entirely.

Why Do Small Businesses Need Cybersecurity?

According to the U.S. Small Business Association, “surveys have shown that the majority of small business owners feel their businesses are vulnerable to a cyberattack.” A Small Business Index report for Q1 2024 from the U.S. Chamber of Commerce stated that 27% of small businesses reported that they were one disaster or threat away from shutting down their business. The margins for small businesses are razor thin, making cybersecurity controls a top priority.

The damage can also go beyond small businesses. Since cybercriminals know that smaller businesses are often part of the same digital supply chain as larger companies, SMBs can be seen as the less protected entry point to a larger corporation’s network for double the profit. The good news is, there have never been more resources to help small businesses put protections in place.

Cybercriminals assume that small businesses have limited resources and time and weaker security measures, making them easier to crack than enterprises. Not only are SMBs a target, but bad actors are using more sophisticated and widespread attacks that easily thwart common security practices such as traditional antivirus software.

The Impact of a Cyberattack on Small and Midsize Businesses (SMBs)

Small and midsize businesses are an essential part of the economy, and require the same protection as large enterprises at scale. When attacks hit, costs can be far-reaching. Some of the costs post-attack may include, but are not limited to:

  • Mitigating damages and repairs
  • Paying ransoms (even though this is not recommended)
  • Supplying free credit monitoring to affected clients
  • Paying fines/penalties (applicable to businesses in regulated industries) and managing lawsuits
  • Hiring outside help from security consultants, lawyers, risk management and public relations consultants
  • Downtime and loss of productivity both in the short and long term
  • Losing potential new and existing business due to reputational damage and loss of trust
  • Increased cyber insurance premiums, which add to operational costs

5 Essential Cybersecurity Tips for Small Businesses

Cybersecurity tips for small businesses should be actionable, not overwhelming. This checklist rounds up the top ways to strengthen SMB defenses against cyberattacks. While cybersecurity can be expensive, these tips come at little to no cost.

1. Conduct Regular Software and Patch Updates

The two main ways to protect against software vulnerabilities are routine and timely patches and updates. While commonly confused, these are two distinct processes.

Software patching – Software developers release small updates that fix specific issues or vulnerabilities within a program. These can address known security flaws, bugs, or any other issues that users or developers have found since the initial release of the software.

Software updates – This is what you may be more familiar with from the automatic updates pushed to your laptops and PCs. Released on a specific schedule such as monthly or quarterly, these improvements provide a set of changes to the software.

2. Implement Cybersecurity Training for Employees

Cybersecurity is the responsibility of all employees within an organization, regardless of its size. Regular training programs and courses can teach employees of all levels how to identify, mitigate, and report security issues appropriately. Educated employees can be a strong first line of defense when it comes to preventing security events from occurring and greatly reduce the risks of data breaches, malware infections, and more. If they know how cybercriminals are trying to target them, they are better able to detect scams like phishing emails.

3. Enforce Strong Passwords and Authentication Policies

Weak and common passwords such as 123456 and qwerty are an easy entry point for data theft. Creating a password policy that requires the use of strong passwords – at least 12 characters long, including letters, numbers, and symbols – is a must. The more difficult and time-consuming it is for a cybercriminal to guess a password, the less likely they are to try and compromise sensitive data. According to NIST’s password guidelines, password security can be bolstered by:

  • Focusing on length more so than complexity
  • Using password managers
  • Avoiding the use of password hints
  • Limiting the number of authentication attempts

Multi-factor authentication (MFA) is also a must-have in today’s threat landscape. Given the amount of business-critical data users have access to and the number of digital identities associated with each user, MFA adds an extra layer of security beyond passwords alone. MFA is a trusted way to protect against phishing attempts and cases involving credential theft, since it requires another form of authentication before granting access, such as a text message with a code that only the rightful user possesses.
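As an added illustration of the password policy and NIST points above (example code written for this post, not SentinelOne’s or NIST’s own), the check below enforces the 12-character minimum with letters, numbers and symbols, weights length over complexity by exempting long passphrases, rejects passwords on a blocklist, and caps authentication attempts per account. The blocklist, the 20-character passphrase threshold, the five-attempt cap and the 15-minute lockout window are constructed values chosen for the example.

```python
"""Password policy and login throttling check (constructed example)."""
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed blocklist; a real deployment would use a large breached-password corpus.
COMMON_PASSWORDS = {"123456", "qwerty", "password", "password123", "letmein"}

MIN_LENGTH = 12            # policy from the post: at least 12 characters
PASSPHRASE_LENGTH = 20     # constructed: long passphrases are exempt from class rules
MAX_ATTEMPTS = 5           # NIST: limit the number of authentication attempts
LOCKOUT_SECONDS = 900      # constructed: 15-minute window for counting failures


def check_password(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    # Length over complexity: require all three character classes only for
    # passwords shorter than the passphrase threshold.
    classes = sum([any(c.isalpha() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)])
    if classes < 3 and len(password) < PASSPHRASE_LENGTH:
        problems.append("use letters, numbers and symbols, or a longer passphrase")
    return problems


@dataclass
class LoginThrottle:
    """Per-account failure counter that refuses logins after MAX_ATTEMPTS failures."""
    # user -> (failure count, timestamp of the first failure in the window)
    failures: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def allowed(self, user: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        count, since = self.failures.get(user, (0, now))
        if now - since > LOCKOUT_SECONDS:       # window expired: forget old failures
            self.failures.pop(user, None)
            return True
        return count < MAX_ATTEMPTS

    def record_failure(self, user: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        count, since = self.failures.get(user, (0, now))
        self.failures[user] = (count + 1, since)

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)   # a successful login clears the counter
```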

4. Schedule Timely Risk Assessments

Small businesses should conduct informal risk assessments, at a minimum, by meeting with cybersecurity vendors to brainstorm scenarios based on recent cybersecurity events. Discussing current threats allows SMBs to identify gaps that exist in their current security program.

Regular risk assessments are one of the first steps to establishing a more proactive threat identification program. Before weaknesses can be exploited by threat actors, risk assessments allow SMBs to map out the actions needed to shore them up and keep pace with the evolving threat landscape. Risk assessments are also vital for planning incident response plans (IRPs), emergency communication matrices, and post-attack strategies.

5. Use Virtual Private Networks (VPNs)

In the age of remote work, virtual private networks (VPNs) allow employees to work anywhere and gain secure access to the company network. VPNs mitigate cyberattacks by creating a secure, encrypted tunnel for users to hide their personal information, location, and other data while connecting to the internet. Using VPNs is a cost-effective solution for SMBs with limited security budgets.

VPNs work by encrypting internet traffic, making it difficult for cybercriminals to intercept and read data. This is crucial for protecting sensitive business information and communications. They can also help in network segmentation efforts, providing access control to different parts of the network based on user roles. This minimizes the risk of unauthorized access.

Conclusion

The landscape of cybersecurity threats is evolving, and threat actors no longer distinguish between targets by size. SMBs, often perceived as easier targets with fewer means of cyber defense, now face the same sophisticated attacks that large enterprises do. Phishing schemes, ransomware attacks, and data breaches are just as prevalent and damaging for a small business as they are for a Fortune 500 company. This convergence in the threat landscape marks a stark shift in how cybersecurity is approached across all industries.

Cybersecurity attacks on a small business can be devastating. SMBs around the globe have turned to SentinelOne’s Singularity™ Platform, allowing them to proactively resolve modern threats at machine speed. Learn how SentinelOne works with best-in-class security service providers to more effectively manage risk across user identities, endpoints, cloud workloads, IoT, and more. Contact us today or book a personalized demo here to learn more.

