Roll up, roll up, it’s that time of the month again, when our team of analysts share the articles and literary pieces that kept them burning the midnight oil. This month we’ve got a report identifying supply-chain security risks, methods by which threat actors exploit your psychological biases, and of course, ransomware. Check out these articles below.
One thing that caught my attention this month was Anchore’s annual report on software supply chains, which identifies trends in supply-chain attacks. According to Anchore, the proportion of organizations impacted by supply-chain incidents was as high as 62%, a remarkable figure that demonstrates the scale of the risk facing businesses in 2022. The report was built from responses provided by 428 business executives, with the survey conducted between December 3 and December 22, 2021; the majority of the responses were submitted on or after the Log4j incident, which will likely have influenced the scoring.
One issue identified in the report was an increased use of software containers within businesses. The term “containers” refers to packages of software that contain all of the elements needed to run in any environment. In this way, containers virtualize the operating system and run anywhere, from a private data center to the public cloud, or even on a developer’s personal laptop. Containers give their users workload portability and overall efficiency. Anchore’s report found that 88% of respondents planned to increase container use, and that 31% of that number planned to increase it significantly.
An area of development that could greatly assist with supply-chain risk is the implementation of software bills of materials (SBOMs). SBOMs were a key part of President Biden’s Executive Order on improving cybersecurity, which you might remember from May 2021. An SBOM is a formal record containing the details and supply-chain relationships of the various components used in building a piece of software. Essentially it enumerates the components within a product, much in the same way you get a list of ingredients on food packaging. Within the survey, Anchore identified that only 18% of respondents had complete SBOMs for all of their applications, which makes it much more difficult to respond to a plethora of threats, including supply-chain attacks and zero-day vulnerabilities. How can you assess your risk if you don’t know whether you use the susceptible component? SBOMs are likely to become much more of a hot topic and commonplace in the future: 74% of respondents expected to increase their use of SBOMs within the next 12 months.
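To make the SBOM point concrete, here is an added example (not from the Anchore report or from ReliaQuest) that answers the “do we even use the susceptible component?” question: it reads a small CycloneDX-style SBOM and checks each component against an advisory record with an affected version range. The SBOM contents are constructed for illustration; the advisory entry uses the publicly documented Log4Shell range (CVE-2021-44228, log4j-core 2.0-beta9 through 2.14.1, first fixed in 2.15.0).

```python
import json
import re

# Constructed sample SBOM in CycloneDX 1.4 JSON layout (illustrative, not from the Anchore report).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.17.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.13.3"},
    ],
})

# Advisory records in half-open [introduced, fixed) form, as OSV/GitHub advisories use.
# Log4Shell (CVE-2021-44228) affected log4j-core 2.0-beta9 through 2.14.1; the first fix was 2.15.0.
ADVISORIES = [
    {"id": "CVE-2021-44228", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "introduced": "2.0-beta9", "fixed": "2.15.0"},
]

def parse_version(version):
    """Map '2.14.1' or '2.0-beta9' to a tuple of ints; pre-release tags are dropped (a simplification)."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    return tuple(int(part) for part in core.split(".") if part.isdigit())

def in_range(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def find_affected(sbom_json, advisories):
    """Return (advisory id, purl or name, version) for every SBOM component inside an affected range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            same_component = comp.get("group") == adv["group"] and comp.get("name") == adv["name"]
            if same_component and in_range(comp["version"], adv["introduced"], adv["fixed"]):
                hits.append((adv["id"], comp.get("purl", comp["name"]), comp["version"]))
    return hits

if __name__ == "__main__":
    for adv_id, component, version in find_affected(SAMPLE_SBOM, ADVISORIES):
        print(f"{adv_id}: {component} ({version}) falls in the affected range")
```

Without an SBOM the same question means grepping every build artifact; with one, the answer is a lookup you can repeat for each new advisory.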
Overall the report was a useful insight into the current landscape of supply-chain risk and how businesses plan to tackle the many problems associated with suppliers. Check out Anchore’s report here.
As the cybersecurity of computer systems evolves and advances, one part remains lacking: the human component. In a paper issued in November 2021, authors Chelsea K. Johnson, Robert S. Gutzwiller and Kimberly Ferguson-Walter illuminate how threat actors are mindful of the cognitive biases and heuristics (mental shortcuts) in our decision-making, and exploit them to achieve their goals. One such example is the default effect, which suggests that people will revert to previously made decisions when making a choice in a familiar situation, to reduce the amount of mental processing needed.
This can be reflected in users’ choice of passwords, which are often the same as, or variants of, previous passwords; you might have heard us refer to this problem before. Hackers exploit this tendency to conduct automated credential stuffing, whereby variations of a known password are mass-tested to gain access to accounts where credentials have been reused. The default choice can be influenced by choice architecture, meaning how the options are presented. For example, when a new password is created, the user ID and password fields can be designed so that they do not allow the user to repeat their default ID or password, in order to reduce the success of credential stuffing.
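As an added illustration (not from the paper or from ReliaQuest) of that choice-architecture point, the following password-change check rejects a trivial variant of the current password (same stem with only case or a trailing number/symbol changed) as well as exact reuse of anything in the hashed history. The PBKDF2 work factor and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import re

PBKDF2_ROUNDS = 100_000  # illustrative work factor; tune for your platform

def normalize(password):
    """Strip the cheap edits users make to an old password: letter case and a trailing run of digits/symbols."""
    return re.sub(r"[\d\W_]+$", "", password.lower())

def looks_like_variant(old_password, new_password):
    """True when the new password is only a trivial variant of the current one (e.g. Summer2022! -> Summer2023!)."""
    old_stem, new_stem = normalize(old_password), normalize(new_password)
    if len(old_stem) < 4 or len(new_stem) < 4:
        # Stems too short to compare meaningfully; fall back to a case-insensitive equality check.
        return old_password.lower() == new_password.lower()
    return old_stem == new_stem or old_stem in new_stem or new_stem in old_stem

def hash_password(password, salt):
    """Slow, salted hash for storing password history; only digests are kept, never the passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

def reused_from_history(new_password, history):
    """history is a list of (salt, digest) pairs for previous passwords; detects exact reuse."""
    return any(hmac.compare_digest(hash_password(new_password, salt), digest) for salt, digest in history)

def validate_change(old_password, new_password, history):
    """Return None when the change is acceptable, otherwise the reason it was rejected."""
    if looks_like_variant(old_password, new_password):
        return "new password is a trivial variant of the current one"
    if reused_from_history(new_password, history):
        return "new password has been used before"
    return None

if __name__ == "__main__":
    # Constructed history: one previous password, stored as salt + PBKDF2 digest.
    salt = os.urandom(16)
    history = [(salt, hash_password("Winter2020!", salt))]
    for candidate in ["Summer2023!", "Winter2020!", "correct horse battery staple"]:
        print(candidate, "->", validate_change("Summer2022!", candidate, history) or "accepted")
```

The variant check only works at change time, when the current password is available in cleartext from the user; the history check works from stored digests alone.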
However, these psychological pitfalls can also be harnessed to obstruct and deter threat actors. Current research has suggested overwhelming malicious actors with distracting information to bolster security; this is known as “honeypotting tarpits”. By generating appealing, yet falsified, documents and data within a secured network, attackers can be made to sift through large volumes of information which they must subsequently verify. This slows down the attackers’ decision-making process, making them more vulnerable to detection, and could even be used to misdirect their efforts.
The underlying psychology of this tactic involves the exploitation of the sunk cost fallacy and loss aversion. Costs already spent, in terms of time and effort, are seen as ‘sunk’ and carry less weight than current investments of hacking effort. Likewise, loss aversion relates to the notion that avoiding losses is preferable to acquiring gains when deciding between the two. An example of this might be an attacker spending too much time in an element of key terrain, such as the domain controller, rather than going through another route. The idea of changing terrain appears costly, particularly as a lot of time and effort has already been spent and new terrain might be riskier. Ultimately, understanding errors in human decision-making processes is key to the evolution of defensive techniques in cybersecurity. This can inform industry practice to improve employee decision-making and reduce the effectiveness of cyberattacks. Check out the report on cognitive bias here and layer 8 tarpits here.
In a new article written by Sophos, the IT security company revealed detailed information about attacks conducted by the “Alphv” (aka “BlackCat”) ransomware group, including their tactics, techniques, and procedures (TTPs); you might also remember our recent blog detailing Alphv. Sophos observed that Alphv has followed a consistent pattern of attacks in the past few months, in which the threat group breaks into victims’ networks by exploiting unpatched or outdated vulnerabilities in virtual private networks (VPNs) and firewall devices.
In two cases observed by Sophos, the Alphv group exploited two vulnerabilities that dated back to 2018, and in another two cases, vulnerabilities from 2021 were exploited. The vulnerabilities allowed the threat actors to obtain VPN credentials from the memory of firewall devices; these credentials were then used to log in to the VPN as an authorized user. The researchers also noted that most of the targeted VPN accounts did not use multifactor authentication, and in one case the credentials were stolen via a spear-phishing email attack.
Once inside the network, Sophos reported, the group used remote desktop protocol (RDP) to move laterally between devices and brute-force attacks over the VPN to target admin accounts. Much of the lateral movement by Alphv was allegedly built into the ransomware executable, allowing it to spread itself to Windows machines. The group also used “Brute Ratel” in its attacks, a penetration testing tool that has become a popular alternative to Cobalt Strike for cybercriminals.
This article was very interesting, and it highlights some of the key, but often overlooked, risks we see in security today. Many of the vulnerabilities exploited by Alphv likely had patches available, and the accounts targeted did not have two-factor authentication; if you’re getting déjà vu, we’ve talked about the importance of vulnerability intelligence at length before. Patch management and strong password policies that enforce two-factor authentication would also have helped mitigate some of these risks. In addition, password policies should also require users to change passwords frequently, as leaked credentials can also be used to access VPNs. Other mitigation techniques that would have helped to minimize the effects of Alphv attacks include network segmentation, applying the principle of least privilege, and monitoring of remote-access tools that are often used or abused by threat actors.
Since Alphv first appeared, the group has posted more than 140 victims to its data-leak site, and over the past two quarters (Q1 and Q2 2022), Alphv has been one of the top four most active ransomware groups. With the recent closure of large groups like “Conti”, it is likely that Alphv will rise to become one of the top ransomware groups active today, which could result in the group attracting many more skilled affiliates. Alphv highlights that many common attack vectors remain highly effective, and that regular security best practices can go a long way in preventing large cyberattacks like ransomware incidents.
Check out the blog from Sophos here.