
PinnacleOne ExecBrief | The New Global Disorder

In our previous brief, PinnacleOne brought executive attention to the likely future developments of AI’s application to offensive cyber operations.

This week, we focus decision-makers on the ten strategic challenges that will define a new global disorder.

Please subscribe to read future issues — and forward this newsletter to interested colleagues.

Contact us directly with any comments or questions.

Insight Focus | The New Global Disorder

Classifying AI like nuclear physics secrets. Banning sales of foreign chip products that only tangentially touch U.S. tech. Adding more Chinese chipmaking firms to the Restricted List. Cajoling allies to cut off more chipmaking tool sales. These are just a few of the recent signs that the Tech War is heating up as the economic and national security stakes drive U.S. policymakers to escalate in the face of increasing strategic challenges.


The Good, the Bad and the Ugly in Cybersecurity – Week 29

The Good | Interpol-Led Operation Cracks Down on West African Cybercrime Syndicates

The axe has fallen hard on West African crime syndicates as part of Operation Jackal III, a months-long law enforcement effort run across 21 countries. This week, Interpol reported some 300 arrests, the identification of over 400 suspects, 720 blocked bank accounts, and the seizure of $3 million in illicit funds, all to dismantle multiple criminal networks globally.

Amongst the affected crime syndicates, Black Axe has been a prominent plague within Africa and across the world. Their operations span human trafficking, drug smuggling, violent crimes, and significant cases of cyber fraud where victims were forced to sell their homes as a result of the scams. Believed to have been in operation for decades, Black Axe is closely linked to business email compromise (BEC) schemes, ‘romance’ fraud, and other identity scams.

Source: Interpol

In Argentina, authorities cracked down on a Nigerian-based transnational criminal infrastructure using millions in ‘supernotes’, counterfeit banknotes of very high quality, to open bank accounts in various countries in South America. Portuguese authorities similarly dismantled another Nigerian group that was laundering funds from online scam victims all across Europe. The data found on the seized devices revealed a mass network of cryptocurrency transactions indicative of a sophisticated money laundering operation.

The financial fraud industry is a dangerous and extensive one in West Africa, highlighting the success of the operation in reducing the ability for organized crime leaders to develop and extend their reach. Cross-border collaboration continues to be instrumental in combating deep-rooted criminal networks. Interpol currently has 196 member countries and works with national police forces to exchange intelligence and provide real-time access to databases leading to more efficient arrests.

The Bad | Flaws in SAP AI Core Expose Sensitive Customer Data & Allow Service Takeovers

Cybersecurity researchers this week reported on five critical security flaws in SAP AI Core, a cloud-based platform for creating and deploying AI workflows, which could be exploited to access tokens and customer data. The flaws, dubbed “SAPwned”, could allow attackers to infiltrate customers’ data and contaminate internal artifacts, potentially spreading to other services and environments.


What Is the Most Secure Way to Share Passwords with Employees?

Elevate Technology: Enhance Security with Advanced Password Management

Breached or stolen passwords are a significant cybersecurity issue, contributing to over 80% of data breaches. Hackers exploit weak, stolen, or reused passwords to gain unauthorized access, making secure password management crucial. In an era where passwords are integral to our d...


PinnacleOne ExecBrief | AI’s Potential for Hacking

In our previous brief, PinnacleOne highlighted the flashpoint risk in the South China Sea between the Philippines (and its treaty ally, the U.S.) and China.

This week, we focus executive attention on the likely future developments of AI’s application to offensive cyber operations.

Please subscribe to read future issues — and forward this newsletter to interested colleagues.

Contact us directly with any comments or questions.

Insight Focus | AI for Offensive Cyber Operations Isn’t Here…Yet

The hand of AI used in offensive cyber operations won’t have obvious fingerprints. Defenders are unlikely to find a fully autonomous agent on their network hacking away. Not only would attackers be risking a (currently) incredibly valuable system to discovery, but such a maneuver lacks something very important to the people executing attacks: control. Governments use many different legal frameworks, organizational structures, and oversight mechanisms to ensure that hacking operations are run intentionally, with acceptable risks, and (sometimes) deniability. Deploying a fully autonomous agent into a hostile environment creates so many unacceptable risks that it may only ever happen if innovations in defense compel it. Currently, it’s sufficiently easy to achieve most offensive objectives without AI.


Managed Detection and Response (MDR) Beyond the Endpoint

Endpoint Detection and Response (EDR) has been the foundational technology of effective detection and response programs for many years, providing security teams with unparalleled visibility and response capabilities across end user systems, cloud workloads, and servers. While this remains true today, security operation centers (SOC) and incident response (IR) teams need additional capabilities ‘beyond the endpoint’ to protect modern enterprise environments.

In this blog post, learn how SentinelOne is extending the scope of our MDR service to provide 24×7 detection and response coverage across endpoint, cloud, identity, email, network, and beyond.

The Evolution of Endpoint Detection

In the early days of security monitoring and incident response, security teams relied primarily on network telemetry to identify and investigate cyber attacks. Direct visibility into activity on endpoints and servers was extremely limited, requiring SOC analysts and incident responders to infer what was happening within their environment based on network traffic to and from these systems.

This network-focused approach was reasonably effective – primarily because most network traffic was unencrypted, adding to the amount of alert ‘noise’ and making real threats hard to miss. However, as threats continued to evolve and encrypted network traffic became the norm, defenders struggled to maintain visibility into the infrastructure they were responsible for protecting.

Effective endpoint protection and endpoint detection and response (EPP/EDR) changed everything. Defenders gained full visibility into endpoint activity, such as detection of malware and other malicious activity, process execution, file system access, and network telemetry. Once a threat was identified, defenders could pivot quickly to incident response, collecting additional forensic artifacts, terminating malicious processes, and isolating compromised systems from the network thus limiting further incident scope and impact.


The Good, the Bad and the Ugly in Cybersecurity – Week 28

The Good | Feds Dismantle Major GenAI-Based Bot Farm Spreading Pro-Russian Disinformation Campaigns

In a joint international operation led by the FBI, law enforcement has seized two domain names and nearly a thousand social media accounts, all controlled by a large bot farm dedicated to spreading Russian propaganda. Under the management of a Russian FSB officer and a deputy editor-in-chief at the news organization Russia Today (RT), the bots have spread disinformation campaigns globally since 2022 through generative AI-based software called Meliorator. Based on the FBI’s findings, RT leadership has been focused on expanding its information dissemination beyond traditional television.

Meliorator allowed the bot farm operators to create highly convincing X (formerly Twitter) profiles and personas designed to amplify Russian foreign interest as well as false narratives in order to sway public opinion and fuel discord online. As of June 2024, the functionality of the generative AI software was limited to X, but the FBI are predicting its expansion into other social networks with time. Use of Meliorator has been seen across Germany, Israel, the Netherlands, Poland, Spain, Ukraine, and the United States.

Source: Department of Justice

As part of the joint operation, the two domains mlrtr[.]com and otanmail[.]com used to register the bots were seized alongside 968 X accounts directly linked to RT’s bot farm. This is a first major action in disrupting Russian state-sponsored social media bot farms. A joint advisory between all involved global law enforcement agencies provides a technical breakdown of the Meliorator software, recommended mitigation measures, and a list of resources on combating malign influence and disinformation campaigns. X has since suspended the remaining bot accounts listed in court documents for violating the platform’s terms of service.

The Bad | Scammers Leverage Over 700 Domains to Sell Fake Tickets to Olympic Events

As anticipation for the Olympics mounts, threat actors are ramping up their large-scale fraud campaigns designed to target hopeful buyers seeking tickets to the Paris Summer games. Security researchers tracking the activity have dubbed the campaign ‘Ticket Heist’ where threat actors offer fake tickets to Olympic events and other major sports games, concerts, and music festivals.

Researchers found that the threat actor began registering domains in 2022, averaging 20 new registrations each month since. With online hype surrounding the Olympic games and discussion about the International Olympic Committee’s ban on Russian and Belarusian athletes rising, analysts tuned in to monitor increasingly suspicious activities. They uncovered 708 domains hosting convincing websites all selling fake tickets and accommodation options for the summer games.


Why People Join & Love SentinelOne’s Sales Organization

I have been working in technology sales for over 25 years, starting out as a sales rep carrying a bag and a quota. The industry landscape looks radically different today than it did early in my career, but one thing will forever remain unchanged. The organization you choose to work for is paramount to your happiness and long-term success.

SentinelOne is a global leader in AI-powered security. Our Singularity Platform detects, prevents, and responds to cyberattacks at machine speed, empowering organizations to secure endpoints, cloud workloads, containers, identities, and mobile and network-connected devices with speed, accuracy, and simplicity. Leading enterprises, including Fortune 10, Fortune 500, Global 2000 companies, and prominent governments trust us to Secure Tomorrow.

There’s never been a better time to join SentinelOne. We are looking for talented, experienced sales people to join our team who are hungry for a life-changing career opportunity. I am incredibly fired up about where we are going, and I’d like to share more about what makes SentinelOne so special. For me, it’s the PEOPLE, PLATFORM, PERFORMANCE, AND POTENTIAL at our company that makes this a great place to work.

The PEOPLE Are Behind the Magic at SentinelOne

It starts at the top. Our CEO, Tomer Weingarten, is a true visionary. We enjoy the full support of his strategic engagement as a customer-first leader. Since founding SentinelOne 11 years ago, Tomer has not slowed his relentless pursuit of what’s next in a competitive landscape that changes by the second.

I joined SentinelOne eight months ago and reinforced our strong sales leadership team by hiring proven leaders with growth at scale to guide our teams to their full potential. These industry-leading experts have the experience we need during this next stage of hypergrowth as we continue to enhance our GTM prowess – this includes expanding our partner ecosystem, rapidly evolving our speed to market and ongoing investment in sales specialists and support functions. Their fresh perspectives blended with the excellence, effort, and experience of our tenured Sentinels are the perfect recipe for sustained growth.


The Impact of AI in Accelerating Autonomous Security Operations

Autonomous vehicles have captured the imagination of humans for decades. There are few examples of fully autonomous vehicles available today, designed for limited commercial use, but there is international consensus on what fully autonomous vehicles are and the standards by which they are measured. Autonomous flight is also quickly becoming one of the most popular and controversial topics in aviation, known as “continuous autopilot engagement”, where machine learning-based algorithms handle all necessary flight tasks from engine start through full navigation, landing, and shutdown.

In every case, security and safety are paramount due to the potential of harm to life and limb; therefore, we see that automation in transportation usually starts with features that increase security and enhance safety. The goal, however, is to make travel inexpensive and accessible to everyone while increasing efficiency and lowering cost. Whether referring to it as autonomy or automation, the truth is that artificial intelligence (AI) is progressively making these seemingly science fiction-based notions a reality.

There are many parallels that can be drawn between autonomous driving cars and what can be referred to as the Autonomous Security Operations Center (ASOC). Although it is still quite far off, this blog takes a deep dive into the key characteristics that would make the ASOC a reality and what this could mean in accelerating autonomous security operations based on well-defined levels of autonomous driving (Level 0-5).

From Autonomous Vehicles to Autonomous SOC

In traditional travel, it is typical to see one driver for one vehicle and one pilot for one aircraft. The same goes for cybersecurity – there is typically one analyst for one investigation or incident. Nowadays, one driver can monitor many highly automated vehicles with no steering wheels and no brake pedals. A single pilot can control and monitor many aircraft. Soon, the information security community will see one security analyst handling many concurrent investigations or incidents through the use of AI-powered tools and agents.

Here are the key characteristics apparent within each level of the SAE international standards of driving automation:


Singularity Operations Center | Unified Security Operations for Rapid Triage

SentinelOne recently launched Singularity Operations Center, the new unified console, to centralize workflows and accelerate detection, triage, and investigation for an efficient and seamless analyst experience. This pivotal update includes integrated navigation to improve workflows and new and enhanced capabilities such as unified alerts management. Providing a deeper look into the Operations Center, this blog post focuses on how unified alert management enables faster and more comprehensive investigations for today’s security teams.

Accelerate Investigation with Centralized Alerts

Traditionally, security analysts must deploy multiple security tools to protect their organizations. Each tool manages alerts differently, and the workflows among the tools themselves are disconnected. With this approach, analysts are unable to correlate alerts across disparate solutions. This fragmented approach complicates the triage process, leading to an increased mean time to respond (MTTR) and potential oversights during an investigation.

To combat these challenges, SentinelOne developed the unified console to provide broader visibility and management across the security ecosystem. The Operations Center empowers teams to consolidate and centralize all security alerts into a single cohesive queue, including those from SentinelOne native solutions and industry-leading partners. This approach eliminates the need to pivot among disconnected consoles and work within disjointed workflows, providing seamless SOC workflows and facilitating rapid response to threats.

Use Case | Investigating a Lockbit Ransomware Infection

Engineered for speed and efficiency, LockBit is an advanced and pervasive ransomware strain. It leverages sophisticated encryption algorithms to rapidly lock down critical data within targeted networks. LockBit employs double extortion techniques, where attackers exfiltrate sensitive data before encryption and threaten to publish it on dedicated leak sites if their demands are unmet. It operates under a Ransomware-as-a-Service (RaaS) model, enabling affiliates to deploy the malware in exchange for a portion of ransom proceeds. Its attack vectors often include exploitation of vulnerabilities, phishing, and lateral movement within compromised networks, making it a versatile and potent threat. Continuous updates and modular capabilities allow LockBit to bypass traditional security measures, emphasizing the need for advanced detection and response strategies in defending against this threat.

Let’s explore how to investigate a LockBit infection in the Singularity Operations Center. After logging into the console, the Overview Dashboard provides a broad view of security alerts and related assets. There are multiple open alerts, ten of which are of high or critical severity. From the numerous open alerts, this example will focus on the critical alerts.


The Good, the Bad and the Ugly in Cybersecurity – Week 27

The Good | International Joint Operation Takes Down Over 600 IP Addresses Abusing Cobalt Strike Tool

Hundreds of IP addresses abusing Cobalt Strike have been shut down in a joint effort involving law enforcement across several nations. Codenamed “Morpheus”, the joint operation resulted in flagging 690 IP addresses and domains used to infiltrate victim networks. So far, 593 of them have been taken offline.

The servers flagged in Operation Morpheus used old, unlicensed versions of Cobalt Strike – a popular penetration testing tool used by red teams to simulate cyberattacks in order to evaluate the security posture of a network. Over the years, cracked, stolen, or reverse-engineered versions of the tool have made their way into the hands of malicious actors, enabling them to carry out a host of complex and damaging attacks.

Although the tool is legitimate and designed for threat emulation exercises and supporting offensive security operations, Cobalt Strike continues to be a double-edged sword being widely exploited and gaining a reputation on the dark web as a ‘go-to’ network intrusion tool. Illicit versions of Cobalt Strike, often accompanied by free training guides and tutorial videos, have lowered the barrier for entry into cybercrime, allowing criminals with limited funds or technical expertise to launch sophisticated attacks.

The success of Operation Morpheus is the result of collaboration between the United Kingdom’s National Crime Agency, authorities from Australia, Canada, Germany, the Netherlands, Poland, the United States, and various industry partners providing analytical and forensic support.

While acting as a virtual command post for the three-year-long operation, Europol confirmed that over 730 pieces of cyber threat intelligence and close to 1.2 million IoCs were shared between all participating parties. International disruptions like Operation Morpheus are critically effective in removing the tools and services that underpin cybercriminal infrastructure online.


AI-Driven Real-Time Malware and Ransomware Detection for NetApp

Network-attached storage devices like NetApp contain volumes of data which are vital to business operations. With broad access available to so many users, protecting NetApp storage from malware is critical to operational stability and integrity. Organizations worldwide face increasingly sophisticated threat actors. AI-powered threat detection can level the playing field, protect business data, and stop attacks before they begin. With Threat Detection for NetApp, SentinelOne brings proven AI-powered malware protection to NetApp storage.

The Challenge

Legacy AV solutions have long dominated storage security for NetApp. However, security innovation has not kept pace with other sectors like EDR and cloud security, even as threat actors have rapidly evolved. Modern threats from hackers for hire or state-sponsored threat actors easily evade signature-based legacy antivirus. Yes, signatures are useful for identifying known or commodity malware, but they are incapable of detecting novel malware.

Beyond ease of evasion, signatures can create administrative nightmares. Storage security admins can become bogged down in a relentless spiral, making sure their blocklists are always updated with the latest signatures.

Another challenging factor is broad access to the data stored on NetApp arrays. Businesses rely upon ready access to this data to function. Considering the wide access, and the ease with which malicious files can evade signature-based detection, one can readily appreciate how securing the NetApp storage is vital to business continuity.

In addition to business continuity and brand reputation, an additional concern is regulatory compliance. While exact compliance details vary by framework, organizations in various industries are often required to regularly scan their network attached storage for malware. Although regulatory frameworks generally do not specify how this is accomplished, more forward thinking frameworks such as GDPR do stipulate that organizations follow the principle of “data protection by design and by default,” and that data protection measures take into account the technological “state of the art.”


PinnacleOne ExecBrief | Flashpoint in Focus: Israel-Hezbollah

Last week, PinnacleOne revealed three emerging threats to the “deep tech” venture ecosystem underpinning western technological and strategic advantage.

This week, we draw executive attention to the flashpoint risk of war between Israel and Hezbollah, which would change the security environment for most civilians in Israel, disrupt trade in the eastern Mediterranean and potentially pull larger powers into a regional conflict.

Please subscribe to read future issues — and forward this newsletter to interested colleagues.

Contact us directly with any comments or questions.

Insight Focus | Flashpoint in Focus: Israel-Hezbollah

The simmering standoff between Hezbollah and Israel is close to boiling over as each side escalates political rhetoric, increases cross-border strikes, and moves military forces into battle positions.


The Good, the Bad and the Ugly in Cybersecurity – Week 25

The Good | Dark Marketplace Operators Face Life Sentences for $430 Million in Illicit Transactions

Two operators of Empire Market, a dark marketplace worth over $430 million in illicit profit, were officially charged this week. Running the marketplace from February 2018 to August 2020, Thomas Pavey (aka “Dopenugget”) and Raheim Hamilton (aka “Sydney” and “Zero Angel”) allegedly facilitated over 4 million transactions involving malware, stolen data, hard drugs, and counterfeit money, using cryptocurrencies like Monero, Litecoin, and Bitcoin.

Before going offline in 2020, thousands of users filtered through Empire Market, their illegal transactions obfuscated through a combination of cryptocurrency and tumbling services in order to evade law enforcement. Pavey and Hamilton profited by retaining portions of the cryptocurrency transactions to compensate themselves and their team of moderators. The DoJ indictment revealed that Pavey and Hamilton had been involved in selling counterfeit currency on another dark marketplace called AlphaBay prior to operating Empire Market.

Now, the men face five charges: conspiracy to sell counterfeit currency on AlphaBay, conspiracy to distribute controlled substances via Empire Market, conspiracy to possess unauthorized access devices, conspiracy to sell counterfeit currency on Empire Market, and conspiracy to launder money to conceal proceeds from illegal activities. Conviction on all counts could result in life imprisonment for the two operators, especially due to the severe penalties linked with drug trafficking.

Stolen data that ends up on dark marketplaces can provide unauthorized access leading to cyberattacks, fraudulent activity, data breaches, and more. Having a comprehensive security solution focused on machine-speed threat detection and advanced analytics can help protect digital identities and sensitive user information from being exfiltrated and sold online.

The Bad | Network Security Zero-Day Flaws Targeted by China-Nexus APT for Cyber Espionage Campaigns

A Chinese-linked threat actor tracked as UNC3886 has been exploiting a combination of zero-day vulnerabilities in Fortinet, Ivanti, and VMware devices to gain and maintain access to compromised systems. Latest findings from cyber researchers detail how this espionage-focused actor employs multiple persistence mechanisms across network devices, hypervisors, and virtual machines (VMs) to ensure continuous access even if initial compromises are detected and removed.


AWS re:Inforce 2024 Recap | Developing Security Culture, Inclusion, and Education

Back on the East Coast in Philadelphia after last year’s AWS re:Inforce in Anaheim, the SentinelOne team took in the cloud security-focused sights and sounds of over 5,000 other attendees from around the world.

Our team had a very busy week filled with great conversations at our booth, in-depth speaking sessions, AWS Partner Day, AWS Security LIVE!, and an exclusive, sold-out bowling event with technology partner, Snyk. We had a great time connecting with and learning from everyone at this event. Here’s a recap of AWS re:Inforce 2024 from the SentinelOne perspective.

“Job Zero” | Security Is Everyone’s Responsibility

As a recurring theme this year, the event continued to focus on the technology and culture elements of security – both with a collaborative approach. You’ll often hear AWS team members say “Security is Job Zero”, and the programming and activities at this show backed this up. Though attendees enjoyed many exciting technology-focused announcements around AWS and partner innovation (yes, including many about AI), the event reached beyond the tech, providing several opportunities to explore developing thoughts on security culture, inclusion, and education.

With something for everyone, the event hosted immersive and hands-on labs for the technically inclined, compelling keynotes, and lots of practical customer stories about tackling cloud security for the strategists and practitioners helping us all walk away with something new to consider or apply.

The SentinelOne team at AWS re:Inforce preparing to deliver hundreds of demos for Singularity Cloud Security, Purple AI, and Singularity Data Lake

AI-Powered Cloud Workload Security for Serverless Containers on AWS

During re:Inforce, SentinelOne announced Singularity Cloud Workload Security (CWS) for Serverless Containers, a solution tailored for containerized workloads on AWS Fargate for Amazon ECS and Amazon EKS. This real-time cloud workload protection platform (CWPP) harnesses the power of AI to swiftly identify and respond to a spectrum of threats, including ransomware, zero-day vulnerabilities, and fileless exploits.


How SentinelOne Delivers Results, Not Noise | MITRE Managed Services Engenuity ATT&CK® Evaluations

Organizations are faced with an increasingly sophisticated, constantly evolving threat landscape and limited resources to protect their environments. To keep up, many businesses count on the 24/7 hands-on expertise provided by managed detection and response (MDR) services.

SentinelOne has once again demonstrated industry-leading real world performance in the latest independent MITRE ATT&CK® Evaluation of managed security service (MSS) providers. The attack scenario in this year’s test highlights the importance of speed, visibility, and reduced noise; with SentinelOne’s Vigilance MDR+DFIR delivering:

- 100% detection of major attack steps – 15 out of 15 steps identified, investigated, and reported
- Best signal-to-noise ratio amongst top performers – Providing clear and actionable analysis and not a flood of automated alerts
- Optimal Mean-Time-to-Detect and Mean-Time-to-Escalate – SentinelOne’s autonomous, AI-powered Singularity Platform balances speed and accuracy to ensure organizations stay ahead of attacks
- Enriched reporting – Our final incident report was recognized by MITRE for enrichment with contextual analysis, including a key timeline of events, a detailed technical analysis, and clear, actionable recommendations to reduce the likelihood of incident recurrence

These results clearly illustrate how SentinelOne’s Singularity Platform, combined with its Vigilance MDR + DFIR services, provides the most comprehensive, thorough, and efficient real-world protection against sophisticated attacks for every organization.

Measuring Real-World Protection | Understanding MITRE Engenuity’s ATT&CK Evals MSS Round 2

This year’s evaluation emulated the adversary behavior of menuPass (G0045) and an ALPHV/BlackCat ransomware affiliate. Prevention and remediation were not in scope of the evaluation. menuPass (aka APT10) has been active since at least 2006 and is believed to be sponsored by the Chinese Ministry of State Security. The group focuses on the exfiltration of sensitive data such as intellectual property and business intelligence in support of Chinese national security objectives. ALPHV/BlackCat, a prolific Russian-speaking RaaS group that emerged in 2021, is linked to BlackMatter, DarkSide, REvil, and other RaaS groups. ALPHV/BlackCat utilizes ransomware coded in Rust, allowing for enhanced performance, flexibility, and cross-platform capabilities.

SentinelOne has participated in more comprehensive MITRE evaluations than any other cybersecurity leader as the only XDR provider to participate in all ATT&CK Enterprise Evaluations, the Deception evaluation, and the inaugural Managed Services evaluation.

SentinelOne Cuts Through the Noise to Deliver Expert Managed Detection & Response with Speed and Accuracy

It is estimated that security teams receive more than 1,000 events, alerts, or incidents per day, with more than half of these going uninvestigated. While visibility is critical to identifying and understanding threats, it can also lead to information paralysis and alert fatigue. As stated in the MITRE Enterprise Evaluation Round 5: “100% visibility” is not always a positive. AI and automation become critical in ensuring the right information gets to the right hands quickly and with context.


PinnacleOne ExecBrief | Deep Tech In The Crosshairs

Last week, PinnacleOne highlighted how a new turn of phrase by China’s leader will spark efforts across the country to make scientific breakthroughs occur out of thin air (or steal them from the west).

This week, we flag three emerging threats to the “deep tech” venture ecosystem underpinning western technological and strategic advantage.

Please subscribe to read future issues — and forward this newsletter to interested colleagues.


Insight Focus | Deep Tech in The Crosshairs

Throughout the 20th century, most strategic technologies were incubated or directly invented by the Federal Government or by contractors and academic institutions under its protective umbrella. Not anymore.


The Good, the Bad and the Ugly in Cybersecurity – Week 24

The Good | Ukrainian Police Arrest Cryptor Specialist Helping Conti & LockBit Ransomware Operations

A Russian national was arrested this week for allegedly working with Conti and LockBit ransomware groups, helping to make their malware undetectable and also conducting at least one attack himself. Ukrainian cyber police apprehended the 28-year-old man in Kyiv during Operation Endgame, a major operation carried out two weeks ago to dismantle an extensive ecosystem of malware droppers.

(Source: Cyber Police of Ukraine)

According to Ukrainian law enforcement, the arrested man had expertise in developing custom crypters that encrypted and obfuscated ransomware payloads into what looked like innocuous files, making them fully undetectable (FUD) to legacy antivirus software. His services were sold to both the Conti and LockBit syndicates, which bolstered their success rates in infiltrating networks.

Reports from Dutch police confirm that the man orchestrated at least one attack of his own using a Conti payload in 2021, indicating that he also acted as an affiliate to extract maximum profit from the relationship. The arrest included the seizure of computer equipment, mobile phones, and handwritten notes, all of which are being held for ongoing examination. As it stands, the Russian suspect has already been charged under Part 5 of Article 361 of the Criminal Code of Ukraine for unauthorized interference with information systems. He faces up to 15 years in prison.

This arrest is the latest in a string of actions against LockBit operations, most recently following the distribution of 7000 decryption keys to all affected victims of the Ransomware-as-a-Service (RaaS) operation. Earlier last month, the DoJ unveiled the identity of LockBit’s developer, offering a reward of up to $10 million for his arrest or conviction.

The Bad | Hamas-Linked Threat Group Spies on Android Users in Egypt & the Palestinian Territories

An espionage-focused threat actor known as Arid Viper has been linked to an ongoing mobile-based campaign, involving trojanized Android apps delivering ‘AridSpy’ spyware. Based on a recent report, the Hamas-aligned actor is distributing malware through websites that mimic legitimate messaging, job search, and civil registry applications.


Building a Defense Posture | Top 5 Cybersecurity Tips For Small & Medium Businesses (SMBs)

Verizon’s annual Data Breach Investigations Report has historically compared and contrasted small and medium businesses (SMBs) against large organizations. Not this year. The reason: SMBs and large enterprises increasingly share similar attack surfaces. With many of the same services and infrastructures in use, the difference between the two boils down to the resources available to defend them.

Where larger companies may have entire teams of cybersecurity analysts or full-fledged security operation centers (SOCs), many SMBs rely on a single IT person to manage their security. Or, companies may outsource cybersecurity to managed service providers (MSPs) who may not yet have the required skills or services in place to plan, build out, and manage a full cyber program.

In this blog post, we examine the most common types of cybersecurity threats SMBs face today and share a list of top 5 cybersecurity tips that SMBs can follow to start building a more robust cyber posture against modern threats.

Types of Cybersecurity Threats for Small Businesses

In the 2023 Data Breach Investigations Report, researchers found that the top patterns of cybersecurity threats for small businesses (fewer than 1,000 employees) were system intrusion, social engineering, and basic web application attacks, together representing 92% of breaches. Several types of attacks, including phishing, malware, watering hole attacks, and drive-by downloads, drive these categories of threats.

Phishing

Phishing attacks continue to grow year-over-year and remain one of the main methods threat actors use to gain entry into their victims’ systems alongside vulnerability exploitation and stolen credentials.


Navigating the NVD Backlog | How to Stay Ahead in Vulnerability Management

The National Vulnerability Database (NVD) is a critical – yet often overlooked – element of an organization’s security defenses. Established to provide a catalog of known software vulnerabilities, it has become an authoritative source of vulnerability intelligence. However, the NVD now faces a troubling backlog of unanalyzed vulnerabilities, raising existential concerns about its efficacy.

This blog post takes a dive into what this means for organizations, what actions the industry leaders are taking to mitigate the challenges, and how solutions like Singularity Vulnerability Management are set to help businesses identify and prioritize all types of risk across their attack surfaces.

A Brief History of the NVD

Launched in 2005 by the National Institute of Standards and Technology (NIST), the NVD was created as a repository for the U.S. government to standardize and communicate information on publicly disclosed vulnerabilities. Utilizing the Common Vulnerabilities and Exposures (CVE) system, the NVD provides a centralized source for identifying and evaluating security flaws. Over the years, the NVD has evolved, integrating additional metrics such as the Common Vulnerability Scoring System (CVSS) to assess vulnerabilities’ severity and prioritize remediation efforts.

One of the most important benefits of the NVD is standardization, ensuring that all stakeholders, from researchers to security teams and security vendors, are on the same page regarding how they identify and mitigate vulnerabilities. The NVD enables organizations of all sizes to improve their security posture by offering open access to vulnerability data.

This democratization of information allows smaller businesses, which may lack extensive cybersecurity resources, to leverage the same vulnerability data as larger enterprises. To support the dissemination of this information, the NVD offers vulnerability data via public APIs that many vendors integrate into their IT and security products. At enterprise scale, however, the NVD API brings its own set of challenges, including API rate limiting and occasional API call failures.


Block Attacks with SentinelOne’s AI-Powered CNAPP

Market research soon to be published in the first annual SentinelOne Cloud Security Report shows that cloud security professionals are drowning in data, yet lacking insights. While many point-specific solutions like cloud security posture management (CSPM), cloud detection and response (CDR), and cloud workload protection platforms (CWPP) are now mainstream, organizations are struggling with data silos as they seek to derive meaning from a long list of cloud security alerts. SentinelOne’s AI-powered CNAPP, Singularity Cloud Native Security (CNS) solves each of these pain points.

In this blog post, learn how Singularity Cloud Security combines the rapid insights and value realization of an agentless CNAPP, with the stopping and forensics power of a runtime agent, to realize AI-powered protection for modern cloud operations. SentinelOne consolidates security data from native and third-party security sources into the Singularity Data Lake.

Agentless CNAPP and The Attacker’s Mindset

Singularity Cloud Native Security (CNS) from SentinelOne is an agentless CNAPP with a unique Offensive Security Engine that thinks like an attacker to automate red-teaming of cloud security issues and present evidence-based findings. We call these Verified Exploit Paths. Going beyond simply graphing attack paths, CNS finds issues, automatically and benignly probes them, and presents its evidence.

The Offensive Security Engine might indicate something like, “We found this misconfigured Amazon EC2 instance. We were able to curl out to our dummy C2 server and install a random file. Here is the proof.” With this, cloud security practitioners can prioritize their backlog better and focus on what is truly important rather than tread water in a sea of theoretical noise.
