360 SOC Jumps Up to Number 34 on the MSP 501

We are excited to announce that 360 SOC and HTG 360 Inc have been named to the MSP 501 list for 2021. This is the third time in the last four years that 360 SOC has been named to the MSP 501 list. The 2021 MSP 501 had its largest turnout of applicants, including global companies like Insight, Optiv, TPX, Konica, SIRIUS and many others. This year 360 SOC moved up 126 spots and was named #34 on the list. In 2020, 360 SOC was 180th on the list.


Want to learn more about how to manage your cybersecurity or technology services more efficiently and with higher security levels?  Contact us at info@360soc.com


“The MSP 501 is the IT Channel’s first, largest, and most comprehensive survey and ranking of managed service providers and Managed Security Service Providers (MSP/MSSPs) worldwide. Each year, the MSP 501 recognizes some of the biggest and most successful managed service providers in the world.”


Link to the rankings:  https://www.channelfutures.com/msp-501/2021-msp-501-winners-day-5-part-3-50-26

Welcome to the Team!

Excited to announce our four new hires for April. Vicky Ross, Robert Schull and Natalie Yarbourgh will be joining our SOC Analyst Development Program at our Prescott office, and Connor Mindak started as Business Development Representative in our Phoenix office. Soon we will also announce our 2021 Board Member additions. We are growing. Looking to join an award-winning team? Located in Phoenix or Prescott? Please reach out to us at info@360soc.com.

10 Things We Learned About the Solarwinds Breach (FireEye)

Ten things we learned or were reminded of with the Solarwinds breach:

1. Without searchable logs ("you were screwed"), or with no logs at all, it was impossible to investigate historically.

2. Cloud SOC platforms made it nearly impossible to look back further than 30–90 days to find the breach, a huge dilemma for the hosting providers. This incident happened from March to August (some now say October of 2019), which makes sense.

3. Without multiple layers of security with long-term storage, these attacks would have gone unnoticed or been impossible to recall and reconstruct, since roughly 99% went unnoticed.

4. Solutions without HEX make it really hard to see certificate infections.

5. Updates don't always make you less vulnerable.

6. The whole industry and our customers have problems implementing and managing controls and the checks and balances behind them (think of an airplane here: someone is always double- and triple-checking because lives are on the line; why is this not the case in cyber?).

7. Supply chain risk is not going away.

8. Using technology, or only partially implementing it, can be a huge risk. Understand what you are putting in your environment.

9. Beacons can tell the story; don't leave a beacon uncovered.

10. Malware, in all its forms, CAN LIVE ANYWHERE!

Solarwinds Breach Information

Cyber security firm FireEye recently disclosed an incident that was reported to have resulted in the inadvertent disclosure of various internally developed offensive security tools (OSTs) that were used across FireEye red-team engagements.

Some of these tools appear to be based on well-known offensive frameworks like Cobalt Strike. This is even evident in the naming convention used in the coverage designated by FireEye.

The use of Cobalt Strike beacons is popular among red teams and adversaries. In 2020, Cisco Talos released a research paper detailing the large amount of coverage for the Cobalt Strike framework. We have concluded the coverage is still applicable and can reliably detect FireEye red team beacons and other activity.
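Lesson 9 above ("beacons can tell the story") and the Talos coverage mentioned here both come down to the same defensive idea: command-and-control beacons call home on a schedule, so outbound connections with unusually regular intervals stand out in ordinary proxy or firewall logs. The following Python script is an added example, not code from 360 SOC, FireEye or Cisco Talos. It groups constructed log lines by source/destination pair, measures the coefficient of variation of the inter-connection intervals, and flags pairs that are both frequent and regular; the log format, IP addresses and thresholds are assumptions chosen for illustration.

```python
"""Beacon-regularity detection over constructed proxy/firewall log lines.

Idea: C2 beacons check in at a fixed interval (with small jitter), so the
spread of the gaps between connections, relative to the mean gap, is small.
Regular human browsing produces widely varying gaps.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines (not real traffic). Format is an assumption:
#   "<ISO-8601 UTC timestamp> <src_ip> <dst_ip> <bytes_out>"
# 10.0.0.5 -> 203.0.113.10: check-in roughly every 60 s (beacon-like)
# 10.0.0.7 -> 198.51.100.20: irregular gaps (browsing-like)
# 10.0.0.9 -> 203.0.113.10: only two events (too few to judge)
SAMPLE_LOGS = """\
2020-06-01T08:00:00Z 10.0.0.5 203.0.113.10 512
2020-06-01T08:00:00Z 10.0.0.7 198.51.100.20 1840
2020-06-01T08:00:05Z 10.0.0.7 198.51.100.20 9211
2020-06-01T08:01:00Z 10.0.0.5 203.0.113.10 514
2020-06-01T08:01:59Z 10.0.0.5 203.0.113.10 512
2020-06-01T08:02:05Z 10.0.0.7 198.51.100.20 2210
2020-06-01T08:02:08Z 10.0.0.7 198.51.100.20 77
2020-06-01T08:03:00Z 10.0.0.5 203.0.113.10 513
2020-06-01T08:04:00Z 10.0.0.5 203.0.113.10 512
2020-06-01T08:04:58Z 10.0.0.5 203.0.113.10 512
2020-06-01T08:05:30Z 10.0.0.9 203.0.113.10 300
2020-06-01T08:06:00Z 10.0.0.5 203.0.113.10 515
2020-06-01T08:07:00Z 10.0.0.5 203.0.113.10 512
2020-06-01T08:08:48Z 10.0.0.7 198.51.100.20 4400
2020-06-01T08:09:18Z 10.0.0.7 198.51.100.20 640
2020-06-01T08:09:25Z 10.0.0.7 198.51.100.20 1302
2020-06-01T08:13:35Z 10.0.0.7 198.51.100.20 5120
2020-06-01T08:40:10Z 10.0.0.9 203.0.113.10 300
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, bytes_out)."""
    ts, src, dst, nbytes = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(nbytes)


def group_flows(lines):
    """Collect connection timestamps per (src, dst) pair, skipping blank lines."""
    flows = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, _ = parse_line(line)
        flows[(src, dst)].append(ts)
    return flows


def interval_stats(timestamps):
    """Return count, mean gap (seconds) and coefficient of variation of gaps."""
    ts = sorted(timestamps)
    intervals = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if not intervals:
        return {"count": len(ts), "mean_interval": None, "cv": float("inf")}
    m = mean(intervals)
    # Population stdev / mean: near 0 means almost perfectly periodic.
    cv = pstdev(intervals) / m if m > 0 else float("inf")
    return {"count": len(ts), "mean_interval": m, "cv": cv}


def find_beacons(lines, min_events=6, max_cv=0.2):
    """Flag (src, dst) pairs with enough events and low interval variability.

    min_events and max_cv are illustrative thresholds; tune them to the
    retention window and traffic profile of the environment being monitored.
    """
    flagged = {}
    for pair, times in group_flows(lines).items():
        if len(times) < min_events:
            continue
        stats = interval_stats(times)
        if stats["cv"] <= max_cv:
            flagged[pair] = stats
    return flagged


if __name__ == "__main__":
    for (src, dst), s in find_beacons(SAMPLE_LOGS.splitlines()).items():
        print(f"beacon-like: {src} -> {dst}: {s['count']} events, "
              f"mean gap {s['mean_interval']:.1f}s, CV {s['cv']:.3f}")
```

The check only works as well as the log window allows: a beacon with a long sleep interval needs weeks of retained data before enough events accumulate to pass `min_events`, which is exactly the retention point lessons 1 and 3 make.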


360 SOC Announces the 6 PILLARS to 360 SOC’s MDR SUCCESS!

6 Pillars: Alert Ingestion, Advanced Alert Enrichment, Automated Triage, SOC Team Triage, Advanced Threat Hunting and Reporting

Cybersecurity experts come together to fight coronavirus-related hacking

An international group of nearly 400 volunteers with expertise in cybersecurity formed on Wednesday to fight hacking. Called the COVID-19 CTI League (CTI for cyber threat intelligence), the group spans more than 40 countries and includes professionals in senior positions at such major companies as Microsoft Corp (MSFT.O) and Amazon.com Inc (AMZN.O).


One of four initial managers of the effort, Marc Rogers, said the top priority would be working to combat hacks against medical facilities and other frontline responders to the pandemic. It is already working on hacks of health organizations.


Also key is the defense of communication networks and services that have become essential as more people work from home, said Rogers, head of security at the long-running hacking conference Def Con and a vice president at security company Okta Inc (OKTA).


The group is also using its web of contacts at internet infrastructure providers to squash garden-variety phishing attacks and other financial crimes that use the fear of COVID-19, or the desire for information about it, to trick regular internet users.


“I’ve never seen this volume of phishing,” Rogers said. “I am literally seeing phishing messages in every language known to man.”  Phishing messages try to induce recipients to enter passwords or other sensitive information on websites controlled by the attackers, who then use the data to take control of bank, email or other accounts.


Rogers said the group had already dismantled one campaign that used a software vulnerability to spread malicious software. He declined to provide details, and said that in general the group would be reluctant to reveal what it was fighting.


Rogers said law enforcement had been surprisingly welcoming of the collaboration, recognizing the vastness of the threat.


Rogers is a UK citizen based in the San Francisco Bay Area. Two other group coordinators are American, and one is Israeli.


“I have never seen this level of cooperation,” Rogers said. “I hope it continues afterwards, because it’s a beautiful thing to see.”




Coronavirus Is a New Challenge for Cybersecurity

By Silviu Stahie on Apr 20, 2020

If you think the COVID-19 epidemic means a respite from cyberattacks against companies, you’d be wrong. If anything, the situation is worse, as organizations divert resources to other parts of the business, leaving their infrastructure exposed. And the proof of that is the flurry of attacks against hospitals.


It’s unhealthy for a company to believe hackers will pass up the opportunity to attack infrastructures or to compromise valuable data. Even if other concerns might seem more important right now, protecting a company’s assets has never been more vital, especially when cybercriminals lack any scruples.


From a security point of view, having most or all employees working from home is a challenge. Once a terminal leaves the protective shell of the corporate infrastructure, it becomes more exposed. Sure enough, all emails still flow through the same filters, but much network security is absent.


People still need to work and, in some situations, they need to use VPN and RDP (remote desktop protocol) connections — not a happy scenario for security teams. RDP is the preferred infiltration vector for ransomware, followed by phishing.


Don’t think you’re out of the woods


Since pretty much everyone in the world is now focused on the global Covid-19 pandemic, it’s easy to lose sight of other aspects. Where feasible, people have started to work from home, but people are usually a weak link in the cyberchain and prone to making bad security decisions.


The global pandemic has proven a useful carrier for phishing, with emails touting messages from officials, selling high-quality protections masks, or promoting so-called advice to people looking for more information.


This is just one scenario: someone is tricked by a phishing email and either enters a user name and password on a bogus website or inadvertently installs a piece of malware that starts siphoning data. Now, with all that information, possibly even legitimate credentials, in hand, the attackers can start going after the corporate network. For instance, they could try dialing in over RDP and then move easily inside the corporate network.


Cybercriminals won’t back down just because a global crisis is in the making. If anything, they will attack the more vulnerable industries to capitalize on the urgency of the situation. Healthcare is obviously on the frontlines now.


Just recently, University Hospital Brno was hit by an unspecified cyberattack, forcing it to shut down its IT network. For hospitals, an inability to treat incoming or existing patients in critical condition is the absolute worst-case scenario, which makes healthcare an even more valuable target than it already was. Now more than ever, it’s essential to have the proper protection in hospitals and all other healthcare-related facilities.


Just because it’s not healthcare, doesn’t mean you’re safe


Right now, the bulk of attacks seem focused on healthcare providers and adjacent verticals, and they involve all sorts of Coronavirus phishing scams. But the masses of people or employees now working from home will soon become a focus for attackers.


Just because the Coronavirus appears to be the only affliction today, it doesn’t mean that all other illnesses and diseases are taking a break. By the same token, just because everyone is watching ransomware and hospitals right now, doesn’t mean that all the other attackers looking to steal databases, infiltrate critical infrastructure, or simply to create mayhem will take a breather.


If cybersecurity wasn’t on many companies’ agendas, especially in a work from home scenario, it’s becoming a growing priority. The challenges of keeping all employees safe, wherever they may be in the world, mustn’t be taken lightly, and measures need to be undertaken before it becomes a real problem.



Cybersecurity company Webroot has released its third annual Nastiest Malware list, which shows ransomware making a comeback in addition to other threats.


Phishing and botnets are still popular attack methods, and threats across the board are becoming more sophisticated and harder to detect.


Topping the list of worst ransomware threats are Emotet, Trickbot and Ryuk (dubbed the ‘Triple Threat’), delivered via the Emotet botnet. This was one of the most successful campaigns of 2019 in terms of financial damage. These strains have shifted their focus to more reconnaissance-based operations: they assign a value to the targeted network after infection, then move laterally, deploy the ransomware, and set the ransom at that amount.


Ryuk is the second-stage payload for Emotet infections, typically delivered by Trickbot, resulting in the mass encryption of entire networks. Dridex is also now being used as an implant in the BitPaymer ransomware infection chain and is also being delivered as a second-stage payload of Emotet.


Phishing attacks continue to impersonate big brands including Microsoft, Facebook, Apple, Google and PayPal. But campaigns have also become more personal, with extortion emails using compromised passwords and claiming to have captured inappropriate behavior.


The growth of cryptominers has slowed, thanks to a drop in currency values, but they haven’t gone away. Major campaigns in 2019 include Hidden Bee, which has now evolved into payloads hidden inside JPEG and PNG images through steganography, inside WAV media files, and in Flash exploits. There is also Retadup, a cryptomining worm with over 850,000 infections; Retadup was removed in August by the Cybercrime Fighting Center (C3N) of the French National Gendarmerie after they took control of the malware’s command and control server.


“It comes as no surprise that we continue to see cybercriminals evolve their tactics. They may be using the same strains of malware, but they are making better use of the immense volume of stolen personal information available to craft more convincing targeted attacks,” says Tyler Moffitt, security analyst at Webroot. “Consumers and organizations need to adopt a layered security approach and not underestimate the power of consistent security training as they work to improve their cyber resiliency and protection.”

The Next Big Step Towards Cybersecurity Incident Prevention

In the 90s, when you thought about computer security, you might have thought first of antivirus programs installed on individual computers. This mindset has persisted to the present day, where even enterprise-level security efforts are heavily focused on individual devices or hosts.

Your average security operations center (SOC) expends a great deal of energy installing endpoint detection and response (EDR) software on devices, and instrumenting computers within enterprise environments to log their activities and ship those logs to a central manager or security information and event management (SIEM) system for analysis.

The idea of individual computers as the optimal unit for observation and protection is sticky, and still valuable, but the next big step in enterprise cybersecurity requires that CISOs think about a bigger, more holistic target for observation and protection: the enterprise network itself.

Network Visibility Is The Missing Piece

In Gartner’s SOC Visibility Triad, the three cornerstones are endpoint visibility, log analysis (SIEM), and network detection and response. While two of these are widely deployed and used in the SOC, the network is too often underutilized as a data source for security analytics.

Recent survey results from the SANS Institute on the state of incident response (IR) and the state of security operations (SecOps) as a whole strongly suggest that network visibility is the biggest gap for modern cybersecurity. For organizations that want to move up the security maturity curve and reduce their chances of hitting the headlines for a data breach, the next step is clear.

This article will highlight a few of the data points from the SANS IR survey indicating why and how enterprises should take the critical step of integrating network visibility into their IR and SecOps initiatives.

Over 50% Of Incident Response Professionals Want, But Have Difficulty Accessing, Network Data

Incident response pros see the value of network visibility, but too often they just can’t get at it. Over half of respondents said they want network data for IR, but that it is difficult or impossible for them to access. This makes it harder to stitch together the sequence of events involved in an incident or data breach, and hinders the IR team’s ability to progress from detection to containment to remediation of an incident.

Organizational Silos And Lack Of Budget For Tools Are Among The Top Impediments To Successful IR

After the always looming skills shortage, two of the top impediments cited by IR professionals were lack of budget for new tools (48%) and organizational silos (28%). These impediments feed and amplify each other in totally unnecessary ways, as budget is expended on duplicate efforts for different teams. If teams broke down silos and shared tools, they could see even greater operational efficiencies at no additional cost.

For example, many organizations already have network monitoring tools in use by their IT departments. Sharing that data with the incident response team could fill this visibility gap without biting into the budget. Reducing the organizational siloing between security operations, IR, and network operations teams can offer relief against the budgetary complaint and the lack of network visibility.

Integrating the tools and datasets in use by these teams is rapidly shifting from a nicety to a requirement for forward-thinking enterprises, but moving past decades of divided workflows and distinct team cultures isn’t always easy. You can learn more about how today’s enterprises are bridging the gap between NetOps and SecOps in this strategic report from EMA Research.

Network-Based Detection Tools Get The Highest Satisfaction Rating

In the SANS survey on the state of security operations in 2019, network-based detection tools outranked “host-based tools that depend on agents being present on every endpoint” for satisfaction. This strongly implies that many SecOps teams do have access to network data that could be shared with other teams! For organizations where SecOps and IR are siloed from each other, a huge opportunity exists to share the network visibility wealth.

After reviewing the data gathered from hundreds of incident response professionals and cybersecurity executives, the theme that SANS identified for their report was: “It’s time for a change,” and the change to which they refer is the accelerated adoption of network visibility by IR teams.

We couldn’t agree more. In fact, network visibility forms the foundational level of the SOC Visibility Triad, a framework from Gartner to help enterprises secure their modern environments. Learn about your options for network detection and response (NDR) and how they complement and extend other sources of security visibility in this overview blog.

Published on Forbes.com