At the end of last year, we interviewed America’s first Federal CISO, General Gregory Tuohill. In that talk, he characterized the state of cybersecurity as ‘unsettled’. Now, in April 2022, it seems that it’s more unsettled than ever. Here are the top questions we’ve been receiving about cybersecurity and emerging cyber threats, as well as our response.
How should we prepare our cyber-risk and threat intelligence plans following the Russo-Ukrainian crisis?
The White House recently issued a communication emphasizing the importance of accelerating cybersecurity efforts in preparation for cyberattacks targeting the United States. Here are some thoughts:
- Cybercrime will inevitably rise, due to the heightened incentive for cybercriminals, especially nation-state actors. Organizations of all sizes will be targeted and therefore need to have a plan in place and be prepared.
- Protection alone will not be enough—focus also on intentional attack detection. Proactive measures will prevent reactive measures. Continuous, intentional monitoring will ensure real-time response across your organization.
- You can read the entire statement by the White House here and a fact sheet on how to prepare your organization here. It’s never been more critical to have a cybersecurity response plan in place. Have a proactive approach to protecting your organization and take these warnings seriously.
Are there any emerging ransomware strategies we should be worried about?
Ransomware will continue to plague organizations around the world. Strategies vary, but most ransomware attacks begin with some form of unusual activity across your network. Ransomware doesn’t appear out of the blue; there are some signs that an attack is on its way.
The most prevalent ransomware precursors you should be on the lookout for are:
- Emotet, which deploys Ryuk and Conti
- Phorpiex, which deploys Avadon, Nemty, BitRansomware, DSoftCrypt/ReadMe, GandCrab, and Pony
- Dridex, which deploys DoppelPaymer, and BitPaymer
- Trickbot, which deploys Ryuk and Conti
- Ursnif, which deploys Egregor
Considering the current climate, what does an ideal cybersecurity operation look like?
Cybersecurity strategies vary depending on the needs of an organization. These are some of the key components to a strong cybersecurity strategy:
- A zero trust approach across all cybersecurity strategies and solutions.
- Comprehensive, continuous network monitoring with special focus on detecting ransomware precursors.
- Company-wide policies around patching software/hardware for vulnerabilities.
- Ability to detect and prevent threats targeting roaming devices.
- Monitoring for external threats such as phishing scams targeting your customer base.
What are some best practices around responding to malicious activity detected by Lumu?
Lumu provides organizations with compromise context around all malicious activity detected. Understanding the context around communication with known IoCs will help your company intentionally respond to cyber threats. Most customers use this information and respond to malicious activity by blocking communication with these IoCs across their entire network.
Automation and integration with other cybersecurity tools will enhance response efforts. Lumu offers various out-of-the-box integrations with security providers and plenty of flexibility around configuring APIs. Leveraging these tools will ensure that you can respond to threats in real time, closing threat actors’ window of opportunity.
How does Lumu ensure that its IoC database is updated with the latest threats associated with the current landscape?
Our product and research team works 24/7 with other cybersecurity providers to stay up to date with the latest IOCs and keeps a repository of these IoCs over time. We always correlate this real-time data with known IoCs from more than 83 sources of threat intelligence, including our private alliance with Malware Patrol and Virus Total. If there is a correlation at this stage it means that we have identified contact with a known adversary. Alerts are generated upon the identification of matching data, immediately reported to the customer, and continuously monitored.
All incoming metadata is also put through Artificial Intelligence and heuristic engines that allow us to understand anomalous behavior.
Lumu also has a playback feature that stores customers’ network metadata for up to two years, allowing the retrospective detection of compromises by comparing new IoCs with the stored metadata.
How does Lumu handle network encryption?
Lumu detects incidents regardless of the encryption level in the network since we use the information on the outside of the envelope (network metadata) as opposed to what is inside of the envelope (packet data). Lumu’s approach ensures that your network can be monitored regardless of the encryption level as opposed to traditional solutions that rely on packet information which more and more organizations are now encrypting. Our method allows for continuous monitoring, regardless of encryption.
When we detect communications with IoCs across your network, we’re able to report it, letting you know exactly which assets were in contact with the adversary. We can pinpoint these events and provide context with great detail while keeping the information of this communication encrypted.
Real-life analogy: we can see that there is an envelope being sent back and forth, but we don’t open the envelope to read its content. We just know it goes from point A to point B at this time of the day, this many times, and we know all about the negative impact that point A can have on point B regardless of the content.
If there are any other questions about emerging cyber threats that you’d like answered, please don’t hesitate to contact us. Don’t forget to subscribe to the Lumu Blog for more updates.