360 SOC Announces the 6 PILLARS to 360 SOC’s MDR SUCCESS!



6 Pillars:  Alert Ingested, Advanced Alert Enrichment, Automated Triage, SOC Team Triage, Advanced Threat Hunting and Reporting

Cybersecurity experts come together to fight coronavirus-related hacking

An international group of nearly 400 volunteers with expertise in cybersecurity formed on Wednesday to fight coronavirus-related hacking. Called the COVID-19 CTI League, for cyber threat intelligence, the group spans more than 40 countries and includes professionals in senior positions at such major companies as Microsoft Corp (MSFT.O) and Amazon.com Inc (AMZN.O).


One of four initial managers of the effort, Marc Rogers, said the top priority would be working to combat hacks against medical facilities and other frontline responders to the pandemic. It is already working on hacks of health organizations.


Also key is the defense of communication networks and services that have become essential as more people work from home, said Rogers, head of security at the long-running hacking conference Def Con and a vice president at security company Okta Inc.


The group is also using its web of contacts at internet infrastructure providers to squash garden-variety phishing attacks and other financial crime that uses the fear of COVID-19, or the desire for information about it, to trick ordinary internet users.


“I’ve never seen this volume of phishing,” Rogers said. “I am literally seeing phishing messages in every language known to man.”  Phishing messages try to induce recipients to enter passwords or other sensitive information on websites controlled by the attackers, who then use the data to take control of bank, email or other accounts.


Rogers said the group had already dismantled one campaign that used a software vulnerability to spread malicious software. He declined to provide details, and said that in general the group would be reluctant to reveal what it was fighting.


Rogers said law enforcement had been surprisingly welcoming of the collaboration, recognizing the vastness of the threat.


Rogers is a UK citizen based in the San Francisco Bay Area. Two other group coordinators are American, and one is Israeli.


“I have never seen this level of cooperation,” Rogers said. “I hope it continues afterwards, because it’s a beautiful thing to see.”




Coronavirus Is a New Challenge for Cybersecurity

By Silviu Stahie on Apr 20, 2020

If you think the COVID-19 pandemic means a respite from cyberattacks against companies, you’d be wrong. If anything, the situation is worse: organizations divert resources to other parts of the business and leave their infrastructure exposed. The flurry of attacks against hospitals is the proof.


It’s unhealthy for a company to believe hackers will pass up an opportunity to attack its infrastructure or to compromise valuable data. Even if other concerns seem more pressing right now, protecting a company’s assets has never been more vital, especially since cybercriminals have no scruples.


From a security point of view, having most or all employees working from home is a challenge. Once a terminal leaves the protective shell of the corporate infrastructure, it becomes more exposed. Email may still flow through the same filters, but most of the network-level controls are gone.


People still need to work and, in some situations, they need to use VPN and remote desktop protocol (RDP) connections, which is not a happy scenario for security teams. RDP is the preferred infiltration vector for ransomware, followed by phishing.


Don’t think you’re out of the woods


Since pretty much everyone in the world is now focused on the global COVID-19 pandemic, it’s easy to lose sight of other risks. Where feasible, people have started to work from home, but people are usually the weakest link in the security chain and prone to poor security decisions.


The global pandemic has proven a useful carrier for phishing, with emails purporting to come from officials, selling high-quality protective masks, or offering supposed advice to people looking for more information.


This is just one scenario: someone is tricked by a phishing email and either enters a username and password on a bogus website or inadvertently installs malware that starts siphoning data. With that information in hand, possibly including legitimate corporate credentials, the attackers can go after the corporate network. For instance, they can log in over RDP with the stolen credentials and then move laterally inside the network.
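The RDP path described above is also where defenders can look: a Windows host records every remote-desktop logon as a Security event (EventID 4624 for success, 4625 for failure, LogonType 10 for RemoteInteractive). The following is an added example, not code from the original article or from Bitdefender. It runs over a constructed sample of such events and flags two things the scenario produces: an RDP logon whose source address is outside the organisation's RFC 1918 ranges, and a burst of failed logons followed by a success from the same source. The field names follow the Windows event schema; every address, account and timestamp in the sample is invented.

```python
"""Flag suspicious RDP logons in Windows Security event data.

Added example, not code from the original article. It walks a constructed
sample of Windows Security events (EventID 4624 = successful logon,
4625 = failed logon; LogonType 10 = RemoteInteractive, i.e. RDP) and flags:
  * successful RDP logons whose source address is outside the organisation's
    RFC 1918 ranges, i.e. RDP was reached directly from the internet;
  * a burst of failed RDP logons followed by a success from the same source,
    the signature of password guessing that finally found valid credentials.
Field names follow the Windows event XML (EventID, LogonType, IpAddress,
TargetUserName, Computer); every value in the sample is invented.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
FAIL_THRESHOLD = 5                  # failed attempts before a success is suspicious
WINDOW = timedelta(minutes=10)      # look-back window for those failures
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: one JSON event per line (not real telemetry).
SAMPLE_EVENTS = """\
{"TimeCreated": "2020-04-14T08:02:11Z", "EventID": 4624, "LogonType": 10, "IpAddress": "10.20.1.55", "TargetUserName": "jdoe", "Computer": "FS01"}
{"TimeCreated": "2020-04-14T22:41:03Z", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "administrator", "Computer": "FS01"}
{"TimeCreated": "2020-04-14T22:41:09Z", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "administrator", "Computer": "FS01"}
{"TimeCreated": "2020-04-14T22:41:15Z", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "jdoe", "Computer": "FS01"}
{"TimeCreated": "2020-04-14T22:41:21Z", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "jdoe", "Computer": "FS01"}
{"TimeCreated": "2020-04-14T22:41:27Z", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "jdoe", "Computer": "FS01"}
{"TimeCreated": "2020-04-14T22:42:02Z", "EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "jdoe", "Computer": "FS01"}
{"TimeCreated": "2020-04-14T23:05:40Z", "EventID": 4624, "LogonType": 3, "IpAddress": "10.20.1.55", "TargetUserName": "svc_backup", "Computer": "FS01"}
"""


def parse_events(text):
    """Parse JSON-lines events and return them ordered by time."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def is_external(ip):
    """True when the source is not in one of our internal ranges (assumed RFC 1918)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_suspicious_rdp(events):
    """Return findings for external RDP logons and brute-force-then-success patterns."""
    findings = []
    failures = defaultdict(list)    # source IP -> timestamps of failed RDP logons
    for e in events:
        if e["LogonType"] != RDP_LOGON_TYPE:
            continue                # network/service logons are out of scope here
        src = e["IpAddress"]
        if e["EventID"] == 4625:
            failures[src].append(e["ts"])
            continue
        if e["EventID"] != 4624:
            continue
        base = {"source": src, "user": e["TargetUserName"],
                "host": e["Computer"], "time": e["TimeCreated"]}
        if is_external(src):
            findings.append(dict(base, rule="external_rdp_logon"))
        recent = [t for t in failures[src] if e["ts"] - t <= WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            findings.append(dict(base, rule="bruteforce_then_success",
                                 failures_before=len(recent)))
        failures[src].clear()       # a success resets the counter for this source
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rdp(parse_events(SAMPLE_EVENTS)):
        print(f)
```

On the sample, the internal RDP logon and the type 3 network logon produce nothing, while the logon from 203.0.113.7 produces both findings: it came from outside the internal ranges, and five failed attempts preceded it within the window. The internal ranges are hard-coded as an assumption; an organisation would substitute its own address plan, and VPN pool addresses in particular must be listed or every legitimate remote worker will be flagged.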


Cybercriminals won’t back down just because a global crisis is in the making. If anything, they will attack the more vulnerable industries to capitalize on the urgency of the situation. Healthcare is obviously on the frontlines now.


Just recently, the University Hospital Brno was hit by an unspecified cyberattack that forced it to shut down its IT network. For a hospital, being unable to treat incoming or existing patients in critical condition is the absolute worst-case scenario, which makes healthcare an even more attractive target than it already was. Now more than ever, it’s essential to have proper protection in hospitals and all other healthcare-related facilities.


Just because it’s not healthcare, doesn’t mean you’re safe


Right now, the bulk of attacks seems focused on healthcare providers and adjacent verticals, and they involve all sorts of coronavirus phishing scams. But the masses of employees now working from home will soon become a focus for attackers as well.


Just because the Coronavirus appears to be the only affliction today, it doesn’t mean that all other illnesses and diseases are taking a break. By the same token, just because everyone is watching ransomware and hospitals right now, doesn’t mean that all the other attackers looking to steal databases, infiltrate critical infrastructure, or simply to create mayhem will take a breather.


If cybersecurity wasn’t on many companies’ agendas before, especially for work-from-home scenarios, it is now becoming a priority. The challenge of keeping all employees safe, wherever they may be in the world, mustn’t be taken lightly, and measures need to be taken before it becomes a real problem.



Cybersecurity company Webroot has released its third annual Nastiest Malware list which shows ransomware making a comeback in addition to other threats.

Phishing and botnets are still popular attack methods and threats across the board are also becoming more sophisticated and harder to detect.
Topping the list of worst ransomware threats are Emotet, Trickbot and Ryuk (dubbed the ‘Triple Threat’), delivered via the Emotet botnet. This chain was one of the most successful of 2019 in terms of financial damage. These strains have shifted toward more reconnaissance-based operations: after infection they assess the value of the targeted network, move laterally, deploy the ransomware, and set the ransom demand accordingly.
Ryuk is the final payload in the chain: Emotet delivers Trickbot, and Trickbot delivers Ryuk, resulting in the mass encryption of entire networks. Dridex is now also being used as an implant in the BitPaymer ransomware infection chain and is likewise being delivered as a second-stage payload of Emotet.
Phishing attacks continue to impersonate big brands including Microsoft, Facebook, Apple, Google and PayPal. But campaigns have also become more personal, with extortion emails using compromised passwords claiming to have captured inappropriate behavior.
The growth of cryptominers has slowed, thanks to a drop in cryptocurrency values, but they haven’t gone away. Major campaigns in 2019 include Hidden Bee, which has evolved to hide its payloads inside JPEG and PNG images through steganography and in WAV media files, alongside Flash exploits, and Retadup, a cryptomining worm with over 850,000 infections. Retadup was dismantled in August by the Cybercrime Fighting Center (C3N) of the French National Gendarmerie after it took control of the malware’s command-and-control server.
“It comes as no surprise that we continue to see cybercriminals evolve their tactics. They may be using the same strains of malware, but they are making better use of the immense volume of stolen personal information available to craft more convincing targeted attacks,” says Tyler Moffitt, security analyst at Webroot. “Consumers and organizations need to adopt a layered security approach and not underestimate the power of consistent security training as they work to improve their cyber resiliency and protection.”

The Next Big Step Towards Cybersecurity Incident Prevention

In the 90s, when you thought about computer security, you might have thought first of antivirus programs installed on individual computers. This mindset has persisted to the present day, where even enterprise-level security efforts are heavily focused on individual devices or hosts.

Your average security operations center (SOC) expends a great deal of energy installing endpoint detection and response (EDR) software on devices, and instrumenting computers within enterprise environments to log their activities and forward those logs to a central security information and event management (SIEM) system for analysis.

The idea of individual computers as the optimal unit for observation and protection is sticky, and still valuable, but the next big step in enterprise cybersecurity requires that CISOs think about a bigger, more holistic target for observation and protection: the enterprise network itself.

Network Visibility Is The Missing Piece

In Gartner’s SOC Visibility Triad, the three cornerstones are endpoint visibility, log analysis (SIEM), and network detection and response. While two of these are widely deployed and used in the SOC, the network is too often underutilized as a data source for security analytics.

Recent survey results from the SANS Institute on the state of incident response (IR) and the state of security operations (SecOps) as a whole strongly suggest that network visibility is the biggest gap for modern cybersecurity. For organizations that want to move up the security maturity curve and reduce their chances of hitting the headlines for a data breach, the next step is clear.

This article will highlight a few of the data points from the SANS IR survey indicating why and how enterprises should take the critical step of integrating network visibility into their IR and SecOps initiatives.

Over 50% Of Incident Response Professionals Want, But Have Difficulty Accessing, Network Data

Incident response pros see the value of network visibility, but too often they just can’t get at it. Over half of respondents said they want network data for IR, but that it is difficult or impossible for them to access. This makes it harder to stitch together the sequence of events involved in an incident or data breach, and hinders the IR team’s ability to progress from detection to containment to remediation of an incident.

Organizational Silos And Lack Of Budget For Tools Are Among The Top Impediments To Successful IR
After the perennial skills shortage, two of the top impediments cited by IR professionals were lack of budget for new tools (48%) and organizational silos (28%). These impediments feed and amplify each other in entirely unnecessary ways, as budget is spent on duplicate efforts for different teams. If teams broke down silos and shared tools, they could gain even greater operational efficiency at no additional cost.

For example, many organizations already have network monitoring tools in use by their IT departments. Sharing that data with the incident response team could fill this visibility gap without biting into the budget. Reducing the organizational siloing between security operations, IR, and network operations teams can offer relief against the budgetary complaint and the lack of network visibility.
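What sharing that data buys the IR team is concrete: an endpoint alert says what happened on one machine, and the network team's flow records say where that machine went next. The following is an added example, not code from the original article, from SANS or from the Forbes piece's author. It takes a constructed EDR alert and a constructed Zeek conn.log excerpt (the column names are Zeek's; hosts, addresses and byte counts are invented, and the alert schema is hypothetical), merges them into one ordered timeline, and derives the containment scope the text describes, the hosts reached over administrative protocols and the external addresses that received data.

```python
"""Extend an endpoint (EDR) alert into an incident timeline with network data.

Added example, not code from the original article. The scenario is
constructed: an EDR product raises a single alert on a workstation, and the
IR team pulls the network team's Zeek conn.log records for that host around
the alert time. Correlating the two answers what the endpoint alone cannot:
which other hosts the machine reached afterwards (lateral movement) and how
much data left the network (possible exfiltration). The conn.log column
names are Zeek's; the hosts, addresses and byte counts are invented, and the
EDR alert fields are our own, hypothetical schema.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

ADMIN_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm"}
EXFIL_BYTES = 100 * 1024 * 1024          # flag > 100 MiB sent to an external host
LOOKBACK = timedelta(minutes=2)          # flows shortly before the alert
LOOKAHEAD = timedelta(minutes=60)        # and up to an hour after it
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed EDR alert (hypothetical product and field names).
EDR_ALERT = {
    "ts": "2020-04-15T13:02:10Z",
    "host": "WS-17",
    "host_ip": "10.20.5.17",
    "detail": "Office macro spawned powershell.exe with an encoded command",
}

# Constructed Zeek conn.log excerpt, tab-separated, with the columns
# ts id.orig_h id.orig_p id.resp_h id.resp_p proto service orig_bytes resp_bytes
ZEEK_CONN_LOG = """\
1586955650.1\t10.20.5.17\t51002\t10.20.0.10\t53\tudp\tdns\t60\t120
1586955735.4\t10.20.5.17\t51010\t198.51.100.23\t443\ttcp\tssl\t2100\t98000
1586955901.7\t10.20.5.17\t51044\t10.20.1.55\t3389\ttcp\trdp\t420000\t310000
1586956420.2\t10.20.5.17\t51061\t10.20.1.60\t445\ttcp\tsmb\t15000\t2000
1586957200.9\t10.20.5.17\t51077\t198.51.100.23\t443\ttcp\tssl\t380000000\t52000
1586960000.0\t10.20.9.2\t40000\t10.20.0.10\t53\tudp\tdns\t60\t120
"""


def is_internal(ip):
    """True when the address falls in our (assumed RFC 1918) internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn_log(text):
    """Parse the nine columns of the conn.log excerpt into dicts."""
    rows = []
    for line in text.strip().splitlines():
        f = line.split("\t")
        rows.append({
            "ts": datetime.fromtimestamp(float(f[0]), tz=timezone.utc),
            "orig_h": f[1], "orig_p": int(f[2]),
            "resp_h": f[3], "resp_p": int(f[4]),
            "proto": f[5], "service": f[6],
            "orig_bytes": int(f[7]), "resp_bytes": int(f[8]),
        })
    return rows


def build_timeline(alert, conn_rows):
    """Merge the alert with the alerting host's flows into one ordered timeline."""
    alert_ts = datetime.strptime(alert["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    timeline = [{"ts": alert_ts, "source": "edr", "dst": None, "dst_port": None,
                 "bytes_out": 0, "tags": set(), "detail": alert["detail"]}]
    for r in conn_rows:
        if r["orig_h"] != alert["host_ip"]:
            continue                          # only flows originated by the alerting host
        if not (alert_ts - LOOKBACK <= r["ts"] <= alert_ts + LOOKAHEAD):
            continue
        tags = set()
        if is_internal(r["resp_h"]):
            if r["resp_p"] in ADMIN_PORTS:
                tags.add("lateral_movement")  # admin protocol to another internal host
        else:
            tags.add("external")
            if r["orig_bytes"] > EXFIL_BYTES:
                tags.add("possible_exfil")    # large upload to the outside
        timeline.append({"ts": r["ts"], "source": "network", "dst": r["resp_h"],
                         "dst_port": r["resp_p"], "bytes_out": r["orig_bytes"], "tags": tags,
                         "detail": f'{r["service"]} to {r["resp_h"]}:{r["resp_p"]} '
                                   f'({r["orig_bytes"]} B out, {r["resp_bytes"]} B in)'})
    return sorted(timeline, key=lambda e: e["ts"])


def scope_from_timeline(timeline):
    """Containment scope derived from the tags: hosts touched and external IPs used."""
    return {
        "contain_hosts": sorted({e["dst"] for e in timeline if "lateral_movement" in e["tags"]}),
        "block_external": sorted({e["dst"] for e in timeline if "external" in e["tags"]}),
        "bytes_out_external": sum(e["bytes_out"] for e in timeline if "external" in e["tags"]),
    }


if __name__ == "__main__":
    tl = build_timeline(EDR_ALERT, parse_conn_log(ZEEK_CONN_LOG))
    for e in tl:
        print(e["ts"].isoformat(), e["source"], sorted(e["tags"]), e["detail"])
    print(scope_from_timeline(tl))
```

On the sample, the EDR alert alone scopes the incident to one workstation. The flows extend it to two more hosts reached over RDP and SMB within minutes of the alert, and to an external address that first served a small download and later received roughly 380 MB, which is the kind of sequence the text says IR teams struggle to reconstruct without network data. The thresholds and internal ranges are assumptions to be tuned per environment.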

Integrating the tools and datasets in use by these teams is rapidly shifting from a nicety to a requirement for forward-thinking enterprises, but moving past decades of divided workflows and distinct team cultures isn’t always easy. You can learn more about how today’s enterprises are bridging the gap between NetOps and SecOps in this strategic report from EMA Research.

Network-Based Detection Tools Get The Highest Satisfaction Rating

In the SANS survey on the state of security operations in 2019, network-based detection tools outranked “host-based tools that depend on agents being present on every endpoint” for satisfaction. This strongly implies that many SecOps teams do have access to network data that could be shared with other teams! For organizations where SecOps and IR are siloed from each other, a huge opportunity exists to share the network visibility wealth.

After reviewing the data gathered from hundreds of incident response professionals and cybersecurity executives, the theme that SANS identified for their report was: “It’s time for a change,” and the change to which they refer is the accelerated adoption of network visibility by IR teams.

We couldn’t agree more. In fact, network visibility forms the foundational level of the SOC Visibility Triad, a framework from Gartner to help enterprises secure their modern environments. Learn about your options for network detection and response (NDR) and how they complement and extend other sources of security visibility in this overview blog.

Published on Forbes.com