ALERT LOGIC & CSI: Threat Landscape Review

Transcription

ALERT LOGIC & CSI: Threat Landscape Review
BSA Conference 2022
Josh Davies – Product Manager

What does Alert Logic do?
Alert Logic is a Managed Detection & Response (MDR) vendor who delivers peace of mind from threats by combining 24/7 SaaS security with visibility and detection coverage wherever your systems reside.

Who is Alert Logic?
- Expert-enabled SaaS security since 2002
- Trusted by over 4,000 organizations
- Operating across multiple geographies
- Market-defining leader

MDR Outcomes

Building Society Breaches
1. Miscellaneous errors
2. Web app attacks
3. Social engineering
38% actor disclosure*
36% monitoring partner
*Verizon DBIR 2021

Notable emerging threats of 2022
- Log4Shell
- Spring4Shell
- PwnKit

China
- Most 0-days came from China-linked actors in 2022
- Winnti group stealing IP
- Don't forget about China

Ukraine / Russia
Conflict-related threats

2015 - 2017 Ukraine Russia Conflict
- NotPetya ransomware that spread globally
- Data-wiping malware targeting Ukraine
- Aimed at critical infrastructure and beyond

Supply Chain Compromise
"Russia has history in acting against western interests including proxy compromises"
- SolarWinds Orion Software
- Global Telecoms Networks
- Global Energy Sector

Current state
While the NCSC is not aware of any current specific threats to UK organisations in relation to events in and around Ukraine, there have been cyber attacks against Ukraine with a historical pattern of international [...]
...tions-urged-to-bolster-defences
Evolving intelligence indicates that the Russian Government is exploring options for potential cyberattacks. Every organization—large and small—must be prepared to respond to disruptive cyber incidents.

Current Significance
- Sanctions impact Russia's economy
- Orgs pulling out of Russia
- Potential retaliation
- Financial motivation will continue to be the most common*
*Verizon DBIR 2021

Re: REvil
- October 2021: Tor sites taken down
- November 2021: US arrest affiliate and post ransom
- Jan 2022: Russia hands over 14 affiliates
- April 2022: Back

2022 conflict-related threats
- Conti – infamous ransomware group; chats leaked by Ukrainian associates
- State-sponsored threat actors exploiting known vulnerabilities
- Campaigns tracked so far: WhisperGate, HermeticWiper, MicroBackdoor, Saintbot, Ghostwriter, MuddyWater, Gamaredon group, Stormous Ransomware, and many more.

Top vulnerabilities targeted by Russian threat actors
Detection (all rows): Vulnerability Scan

Vendor      CVE             Type of Vulnerability
Citrix      CVE-2019-19781  Arbitrary code execution
Pulse       CVE-2019-11510  Arbitrary file reading
Fortinet    CVE-2018-13379  Path traversal
F5 Big-IP   CVE-2020-5902   Remote code execution (RCE)

The remaining rows of this slide did not survive transcription intact: their CVE identifiers are lost, the vendors named include Microsoft (two entries), and the vulnerability types listed are RCE, Local exploit, RCE, RCE, RCE, RCE, Elevation of privilege (local), and Elevation of privilege.
CISA Advisory:

Additional vulnerabilities targeted by Russian threat actors
Detection: Vulnerability Scan

Vendor / Product                      CVE
Cisco router
Oracle WebLogic Server
Kibana
Exim Simple Mail Transfer Protocol
Microsoft Exchange
Oracle WebLogic
Microsoft Exchange                    CVE-2021-26855 (often used in conjunction with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)
Microsoft PrintNightmare              CVE-2021-34527

Only the two CVE identifiers shown survived transcription; the Type of Vulnerability column is lost.
CISA Advisory: https://www.cisa.gov/uscert/ncas/alerts/aa22-074a

Tactics & techniques used by Russian threat actors
CISA Advisory:

Tactic                         Technique
Reconnaissance [TA0043]        Active Scanning: Vulnerability Scanning [T1595.002]; Phishing for Information [T1598]
Resource Development [TA0042]  Develop Capabilities: Malware [T1587.001]
Initial Access [TA0001]        Exploit Public Facing Applications [T1190]; Supply Chain Compromise: Compromise Software Supply Chain [T1195.002]
Execution [TA0002]             Command and Scripting Interpreter: PowerShell [T1059.003] and Windows Command Shell [T1059.003]
Persistence [TA0003]           Valid Accounts [T1078]
Credential Access [TA0006]     Brute Force: Password Guessing [T1110.001] and Password Spraying [T1110.003]; OS Credential Dumping: NTDS [T1003.003]; Steal or Forge Kerberos Tickets: Kerberoasting [T1558.003]; Credentials from Password Stores [T1555]; Exploitation for Credential Access [T1212]; Unsecured Credentials: Private Keys [T1552.004]
Command and Control [TA0011]   Proxy: Multi-hop Proxy [T1090.003]
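The Credential Access row above lists both Brute Force sub-techniques. As an added example (not Alert Logic's or CISA's code), the following detection logic separates them over constructed authentication-failure log lines: a source failing against many distinct accounts is flagged as password spraying (T1110.003), a source hammering one account as password guessing (T1110.001). The log format, IP addresses and thresholds are assumptions.

```python
"""Added example (not Alert Logic's or CISA's code): flag the two Brute Force
sub-techniques in the table, T1110.001 password guessing and T1110.003 password
spraying, from constructed authentication-failure log lines (format assumed)."""
import re
from collections import defaultdict

# Constructed sample: one spraying source, one guessing source, one ordinary user.
SAMPLE_LOG = """\
2022-03-01T10:00:01Z auth: FAILED user=alice src=203.0.113.7
2022-03-01T10:00:02Z auth: FAILED user=bob src=203.0.113.7
2022-03-01T10:00:03Z auth: FAILED user=carol src=203.0.113.7
2022-03-01T10:00:04Z auth: FAILED user=dave src=203.0.113.7
2022-03-01T10:00:05Z auth: FAILED user=erin src=203.0.113.7
2022-03-01T10:01:00Z auth: FAILED user=admin src=198.51.100.9
2022-03-01T10:01:01Z auth: FAILED user=admin src=198.51.100.9
2022-03-01T10:01:02Z auth: FAILED user=admin src=198.51.100.9
2022-03-01T10:01:03Z auth: FAILED user=admin src=198.51.100.9
2022-03-01T10:01:04Z auth: FAILED user=admin src=198.51.100.9
2022-03-01T10:01:05Z auth: FAILED user=admin src=198.51.100.9
2022-03-01T10:02:00Z auth: FAILED user=alice src=192.0.2.5
2022-03-01T10:02:30Z auth: OK user=alice src=192.0.2.5
"""

LINE_RE = re.compile(r"^\S+ auth: (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_failures(text):
    """Return (src, user) pairs for every FAILED line; OK and unparsable lines are skipped."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("result") == "FAILED":
            pairs.append((m.group("src"), m.group("user")))
    return pairs

def classify_sources(pairs, spray_users=5, guess_attempts=6):
    """Per source IP: 'T1110.003' if it failed against >= spray_users distinct accounts,
    'T1110.001' if it failed >= guess_attempts times on one account, else None (assumed thresholds)."""
    per_src = defaultdict(lambda: defaultdict(int))
    for src, user in pairs:
        per_src[src][user] += 1
    verdicts = {}
    for src, users in per_src.items():
        if len(users) >= spray_users:
            verdicts[src] = "T1110.003"
        elif max(users.values()) >= guess_attempts:
            verdicts[src] = "T1110.001"
        else:
            verdicts[src] = None
    return verdicts
```

Run `classify_sources(parse_failures(SAMPLE_LOG))` to see the per-source verdicts; in production the thresholds should be set from a baseline of normal failure rates so that a single mistyped password is never flagged.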

The Diamond Model
The Diamond Model[1] adds another level to the Kill Chain and MITRE.
[Diagram: Kill Chain phases (Delivery, Exploit, Install, Command & Control, Actions on [Objectives]) set against the Diamond Model vertices (Capability / TTP, Victim and the model's other vertices), linked by the edges "Deployed via", "Exploits" and "Connects to".]
[1] http://threatconnect.com/files/uploaded files/The Diamond Model of Intrusion Analysis.pdf

Track the Threat & the Threat Actor
Activity clusters:
- Help us detect threats faster
- Provide better remediation advice

Shields Up
- Reduce the likelihood of a damaging cyber intrusion
- Take steps to quickly detect a potential intrusion
- Ensure that the organization is prepared to respond if an intrusion occurs
- Maximize the organization's resilience to a destructive cyber incident
https://www.cisa.gov/shields-up

Our MDR outcomes

YOUR PERPETUAL EDGE: Shared Responsibility
[Diagram: Securing the public cloud – shared responsibility. Layers: APPS, HOSTS, LAN, PLATFORM, COMPUTE, STORAGE, DATABASE, NETWORK. Parties: CLOUD PROVIDER, CSI & ALERT LOGIC, CUSTOMER. Controls shown across the layers: Threat Detection, Web Application Firewall, Incident Response, App Response Monitoring, Vulnerability Scanning, Compliance Reporting, Web Application Scanning, Access Management, Traffic Encryption, Coding Best Practices, Configuration Management, Log Analysis, Endpoint Monitoring, Patch Management, Hardening, Hardened Hypervisor, System Image Library, Role Based Access, Data Encryption, Physical Segmentation, Perimeter Security, DDoS & Spoofing, Configuration Scans, Network Monitoring, Logical Segmentation, Industry Benchmarks, Secure API Access, Configuration Scanning.]

Incident Management & Response
[Diagram: an Observe / Orient / Decide / Act loop mapped to Detect, Analyze and Diagnose, Escalate, Remediate. SOC: 15 minute SLA. CSI: 24/7 incident analysis, 24/7 support. Security experts: Managed WAF, PCI ASV scan dispute. Detect: threat hunting; automated IOC / asset / attacker; PCAPs, logs, etc. Diagnose (technical expert): triage & severity classification, attack narrative, remediation recommendations, false positive filtering. Escalate to customer via phone, API, email, UI; leverage AL experts; SOC-enabled NOC. Remediate: remediation tracking & reporting, proactive outreach, incident dwell time reduced, policy decisions (block, reset, quarantine, etc.).]

Register For Our Upcoming Cybersecurity Webinar On-Stand!
Is your Building Society prepared to defend itself from today's emerging threats?
Alert Logic and CSI protect the IT of numerous building societies including Buckinghamshire Building Society, so we'll be drawing on real life experiences and industry data to provide advice and considerations you can take to increase your cyber resiliency.
We will be making a 20 donation to the Ukraine appeal for each attendee to our live session, so be sure to join us for a productive and informative session!

Questions?
