If you suspect an active attack on your business, call our emergency hotline at: 612-399-9680

War Stories and Other Helpful Information

The Blog


10 Ways to Secure Your Network and Prepare For an Attack

Password management Strong passwords are crucial when it comes to network protection. Attackers frequently try to steal employee credentials or use leaked passwords found on the dark web to gain network access. Companies should require employees to use strong and complex passwords or passphrases with capital letters, numbers, and special characters because they are much harder to crack with brute force. Using a different password for each system decreases the likelihood of attackers successfully reusing leaked passwords or stolen credentials. Using a password manager is a great way to keep track of your different passwords. Multifactor Authentication (MFA) Multifactor authentication


Why Incident Response Experience Makes for Great Pen Testing

Cybersecurity incidents provide responders with valuable cybercrime threat intelligence. Unlike penetration (pen) testers who only do testing, testers with incident response experience are familiar with trending attack tactics, and this real-world experience is invaluable. Traditionally, incident response and penetration testing utilize two different skill sets. Typically, cyber experts specialize in either red team (role of the attacker) or blue team (role of the defender). Purple team (people who can do both) are rare and very special. Think of it like chess: those who can see both sides of the board can anticipate the next move. They know where their opponent


Why Cyber Criminals Love the Holidays and What to do About It

Why do attacks increase over the holidays? In a joint cybersecurity advisory, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) warn that cyberattacks increase significantly during the holidays and encourage businesses to be aware of the heightened risks and be vigilant with network defenses. As with weekends, cybercriminals specifically target the US during holidays because it’s a busy time of year and employees are often distracted, leaving companies vulnerable to attack. With business slowing, people on vacation and kids out of school, it’s not surprising that employees across the board pay less attention to security. Threat actors know this and aim to


ProxyNotShell Advisory – Microsoft Exchange Zero-day Vulnerabilities

Executive summary On September 30th, 2022, GTSC, a Vietnamese cybersecurity company, released a warning stating, “while providing SOC service to a customer, GTSC Blueteam detected exploit requests in IIS logs with the same format as ProxyShell vulnerability.” This vulnerability would allow attackers to formulate a specially crafted HTTP request to the on-prem exchange server over port 443, enabling the attacker to execute malicious remote code on the system as the “SYSTEM” user. Microsoft confirmed both zero-day vulnerabilities late the evening of September 29, 2022 and said they were aware of “limited, targeted attacks using the two vulnerabilities to get into


Bi-annual State of Ransomware

Ransomware in the first half of 2022 Compared to 2021, the number of publicly reported ransomware attacks has increased across most months according to BlackFog’s 2022 state of ransomware report. These numbers are significantly higher than in 2020 and could be a result of the specific sectors being attacked. Certain industries, like education and government, don’t have the luxury to pause operations, and sometimes have no choice but to pay ransoms if they don’t have proper data backups. In addition, industries like technology and healthcare are seeing a rise in ransomware attacks, likely due to the sensitive nature of


The Zero Trust Model

What is zero trust? Zero trust (ZT) is a security model wherein nothing is trusted; all users must be authenticated at each log-in to ensure their legitimacy. Full zero trust should be employed across every part of the infrastructure, endpoints, and stacks for services that a company runs. Consider a standard website with databases—each individual server or service by default does not trust anyone or anything. To be trusted, you need to be completely verified and identifiable. Another element of zero trust involves least privileged access, which is only giving access on a need-to-know basis to reduce a user’s digital


What Should Financial Institutions Know About LockBit 3.0?

Who is LockBit? LockBit is a multimillion-dollar ransomware group that offers ransomware as a service. It treats ransomware as a business and even has affiliate marketing, bug bounty, and HR programs. Using its revenue, it hires individuals to write its ransomware software. LockBit is one of the most active ransomware groups.  At LockBit, “employees” do not execute the initial exploit themselves; instead, they place ads on the dark web to offer initial access. In these ads, LockBit states it will provide everything you need to deploy ransomware, and then splits the ransom profits with the threat actor. LockBit 3.0 This


SOC 2® Assessment: Type 1 vs. Type 2 and Why a Company Should Have One

SOC 2 Type 1 and Type 2 Commonalities A SOC 2 – Type 1 and SOC 2 – Type 2 Report have many things in common – system description, management’s assertion, and a description of controls as they relate to the Trust Service Criteria. Both reports analyze and report on the design and implementation of the system description and the suitability of control design. The differentiator between the two reports is operating effectiveness. What are Controls in a SOC 2 Assessment? “Controls operating effectively provide reasonable assurance of achieving the service organization’s service commitments and system requirements based on the


Penetration Testing: What is it? How is it Priced?

Penetration (pen) testing is a method of testing network or application security. Executed by a third-party service, experienced testers attempt to access a network utilizing the same tools and attack vectors as threat actors to identify any gaps in a company’s cyber defenses. Their findings are then reported back to the company in detail. Types of Penetration Testing Internal This type of pen testing focuses on assessing any internal network weaknesses. One kind of internal pen testing is black-box testing. This is when a company provides the pen tester an IP address. They attempt to use that address to gain


Manufacturing’s Biggest Cybersecurity Issues

Manufacturing has several unique problems when it comes to cybersecurity and the threat landscape, namely a distinct lack of funding and personnel that contributes to an excess of vulnerable, outdated legacy systems. The Manufacturing Industry’s Biggest Security Problems Downtime As an industry, manufacturing is acutely vulnerable to downtime. While some industries can somewhat work around network downtime, those in manufacturing cannot because they rely on these networks to operate their machines. No working machines cause a hard, immediate stop to operations. This halt in operations then creates a heightened sense of urgency to resolve the issue. Unfortunately, this degree of


Red Team Vs. Blue Team: Differences and Benefits

Red team vs. blue team exercises are a valuable learning tool for security teams. In these scenarios, the red team simulates an attack that the blue team needs to defend against. By doing this, the blue team has the opportunity to test their skills in an active environment and better prepare for real attacks. What is the Red Team? The red team is a group of individuals experienced in penetration testing and vulnerability scanning that are tasked with simulating a cyber attack. By utilizing the same tools, techniques, and tactics that criminals use, these team members can launch a highly


U.S. Passes Two New Cybersecurity Bills Into Law

On Tuesday, June 21, 2022, President Biden signed two cybersecurity bills into law. This was a bipartisan effort, with approval from both Democratic and Republican senators and representatives, which shows the importance of improving the United States’ cybersecurity strategies. These new laws are the Federal Rotational Cyber Workforce Program Act of 2021 and the State and Local Government Cyber Security Act of 2021, per a White House press release. Federal Rotational Cyber Workforce Program Act of 2021 The Federal Rotational Cyber Workforce Program (bill S. 1097) establishes a rotational cyber workforce program within the Federal Cyber Workforce Strategy, under which


What Motivates a Hacker?

Cyber attacks happen every day, and it’s no secret that they are increasing in frequency and sophistication. While threat actors generally don’t discriminate based on company size or type of organization, the criminal’s motivation for attack generally points to the victim. Understanding the why behind a cyber attack is critical in developing effective cybersecurity strategies to protect your organization. 4 Common Motivations Monetary Motivations Monetary gain is perhaps the most common reason for hackers to attack an organization or an individual. In these cases, threat actors (often affiliated with cybercrime gangs) target companies they believe will pay a ransom to


How Do IT Directors Communicate to CFOs the Value of Cybersecurity?

IT Directors, CIOs, CISOs and Other Non-technical Decision Makers As with any corporate relationship, the one between CIOs and CFOs depends on the organization. When it comes to making cybersecurity decisions, some companies are more IT driven with CIOs and CISOs taking the lead; other companies have CFOs and other leadership making the decisions. Budgeting also has an impact on these decisions. IT teams often have a budget for cybersecurity needs; however, CFOs will usually have the final say. For example, if a CIO needs a vulnerability management provider, they first choose the best-in-class option and then check in with

Microsoft Office Zero Day Follina

Identified: May 27, 2022 Name of Vulnerability: Microsoft Office Zero Day Follina Description of Vulnerability: A new zero-day vulnerability, Microsoft Office Zero Day Follina, was discovered in Microsoft Office: when a specially crafted document is downloaded and opened, or viewed in Explorer preview, it allows arbitrary code execution. A security researcher who goes by Nao_sec discovered an odd-looking Word document uploaded from an IP address in Belarus. This turned out to be a zero-day vulnerability in Office and Windows. The document uses the Word remote template feature to retrieve an HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol


VMware Vulnerabilities Patches

Vulnerabilities in VMware allow internal attackers to gain unauthenticated administrative access to the entire company’s infrastructure. Who is affected: anyone using VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, or vRealize Suite Lifecycle Manager. Authentication Bypass Vulnerability (CVE-2022-22972)* VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.* A malicious actor with network access to the UI may be able to obtain administrative


What Are the Most Critical Cyber Threats of 2022?

Ask the Experts The question “What are the most critical cyber threats of 2022?” was posed to a panel that included Blue Team Alpha cyber experts Joe Kingland – CEO; Dan Wolfford – Deputy CISO; Peter Martinson – Director of Incident Response; and Sean Sullivan – Senior Incident Responder. Below is a summary of their responses based on their extensive working experience and knowledge in the field of cybersecurity. What Are the Most Critical Cyber Threats of 2022? Complexity of Systems Computer systems these days are incredibly complicated, and most are composed of a lot of different parts. Many people


11 Ways to Boost the Cyber Defenses of a Small Business

While no business is immune to cybersecurity attacks, small and medium-sized businesses are especially vulnerable. In a survey conducted with small to medium business owners in late 2021, 42% of business owners suffered a cyber attack in the last year. Additionally, according to the U.S. Small Business Administration (SBA), 88% of small business owners feel their businesses are vulnerable to cyber attacks. Small to medium businesses remain attractive targets for cyber criminals because they have information criminals want and often have weaker security infrastructure compared to larger businesses. This means it is more important than ever to ensure that SMBs practice good cybersecurity


Cultivating a Cybersecurity Culture

The Importance of Making Cybersecurity a Part of Your Company Culture Most organizations are fully aware of the importance of effective cybersecurity strategies and the risks of what can happen without them. Companies have devoted both time and resources to training and educating their staff accordingly, but that isn’t enough. Without a valued culture of cyber awareness in an organization, the risk of an attack is higher. Often in cybersecurity incidents, the weak link into the network is a person within that organization. That could be someone who clicked the link in a phishing email, used a compromised flash drive,


VMware Backdoor Vulnerability

What is the Vulnerability? The VMware Backdoor vulnerability is labeled CVE-2022-22954. By exploiting the VMware IDM service, attackers are able to run PowerShell to create malicious communications to the server. How Hackers Gain Access The adversaries gain initial access to the environment by exploiting CVE-2022-22954, the only one in the RCE trio that doesn’t require administrative access to the target server and also has a publicly available PoC exploit. The attack starts with executing a PowerShell command on the vulnerable service (Identity Manager), which launches a stager. The stager then fetches the PowerTrash loader from the command and control (C2)
