Jeff Finn, zvelo: “2022 is going to be another banner year for Team Ransomware”

Cybercrime is gaining momentum, costing companies ever more time, money, and resources. But cyber threat intelligence providers are not standing still either, and keep working to improve their protection services.

In 2021, the average data breach cost a business $4.24 million, according to the recent IBM report, the highest figure in 17 years. Many factors contribute, including the shift to remote work and poor cyber hygiene, such as reusing weak passwords. In these circumstances, the need for comprehensive threat detection services will keep growing, pushing more enterprises to look for reliable providers.

Jeff Finn, CEO of zvelo, and Brad Rhodes, their Head of Cybersecurity, discussed with us what the current cybersecurity landscape looks like and shared insights about the role of zvelo’s AI-based threat detection technologies in helping tackle cybercrime.

Since you have been in the industry for almost four decades, could you tell us about how zvelo evolved over the years?

zvelo has been in the network security business for over 20 years. In the mid-2000s, zvelo identified a market opportunity to focus on performing threat detection for web protocols. At that time, most of the cybersecurity industry was focused on email protocols. Developing the ability to do near real-time detection of malicious and phishing web threats, as well as identifying and classifying objectionable content in real-time at scale, provided a unique offering in the market. This allowed zvelo to get considerable traction and adoption amongst many of the market’s leading secure web gateway, web filtering, DNS providers, ISPs, and other vendors who provide services to 600+ million users across nearly every enterprise, business, and consumer market segment in more than 200 countries.

You mention the importance of website categorization quite a lot. Why is it so essential?

zvelo’s “why” is to make the web safer and more secure. To achieve that mission, it’s critical that you have a comprehensive and in-depth understanding of the entire lifecycle of a website — from the time the site is procured, through the registration of the site, when content is loaded onto the site, any changes/updates to the site, the type of content, whether the site poses a threat, what type of threat, even following the site through to it being taken offline.

It requires this type of holistic approach to website categorization, enabling our clients to truly provide for a safer and more secure web to their end users worldwide. We achieve that by filtering and blocking not just malicious and phishing threats from cyber criminals, but also unsafe and objectionable content which varies depending on things like age group, country, culture, and more. In addition to being crucial to cybersecurity, website categorization is also essential to applications for brand safety and contextual targeting, as well as mobile and subscriber analytics.

zvelo takes great pride in its Cyber Threat Intelligence service. Can you tell us more about how it works?

zvelo Cyber Threat Intelligence (CTI) covers the activities of Malicious Cyber Actors (MCA) in the malicious and phishing spaces. Our CTI offering currently has two feeds: the Malicious Detailed Detection Feed (MDDF) and PhishBlockList (PBL). MDDF and PBL deliver highly accurate and curated intelligence that can be consumed as a regular feed or via application programming interface (API).

zvelo leverages a mix of external feeds, internal information, and real-time clickstream to assess current malicious and phishing threats. Both leverage our initial expertise in assessing Uniform Resource Locators (URLs, i.e., web addresses), with MDDF focusing on malware and potentially malicious files, and PBL looking at almost 200 well-known brands to determine whether potential cases of phishing can be confirmed or not. For readers who would like to see the type of threat intelligence data that zvelo can offer, we publish an annual Malicious Trends Report. The report offers some high-level conclusions, but it is really focused more on the data that we observe. Because every organization has a different set of needs and perspectives unique to their own environment, readers must draw their own specific conclusions when it comes to how to apply zvelo’s findings to their environment. The 2021 Malicious Trends Report has just recently been released and may be downloaded here.

You have recently published research about old-school phishing techniques regaining popularity. What are these attacks like?

Imagine that you are getting ready to sign a big contract with a supplier, and you are waiting for the electronic document from one of the well-known digital signing providers. Then, the document you were waiting for pops into your email inbox. The message looks okay, but it asks you to enable editing and content. You are not an expert on the things required to make this digital signature thing work, so you press the buttons.

Next thing you know, your organization is on the ten o’clock news as the latest cyberattack victim. Today’s MCAs are getting better and better at crafting phishing messages that look realistic and use the capabilities built into the current office and productivity solutions. The challenge is to avoid falling victim to these scams and to verify everything before deciding to enable content. Better yet, organizations should not allow this type of feature to be user-controlled in the first place. For readers who would like additional information or background on how MCAs are using these old-school tactics, please check out the following links for the three-part series.

Part 1: Malicious Office Documents: What is Old is New Again

Part 2: Malicious Office Documents: Going Old School with Symbolic Link Files

Part 3: Excel 4.0 Macros: Another Old School Attack Method
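The three document types named in that series (macro-enabled Office files, Excel 4.0 macro sheets, and SYLK "symbolic link" files) can all be recognised before a user ever sees an "enable content" prompt. The following static triage script is an added example written for this article; it is not zvelo's code, and the sample files it inspects are constructed in memory rather than taken from real malware. It checks the structural markers of each format: the `vbaProject.bin` part of a macro-enabled OOXML document, the `xl/macrosheets/` part and `application/vnd.ms-excel.macrosheet+xml` content type of an Excel 4.0 macro workbook, the `ID;P` record that opens every SYLK file, and the OLE2 compound-file magic of legacy binary formats. The `verdict` thresholds are an assumed mail-gateway policy, not a recommendation from the interview.

```python
"""Static triage of Office lures: VBA macros, Excel 4.0 (XLM) macro sheets,
SYLK files and legacy OLE2 containers.

Added example for this article; the samples below are constructed
in memory and are not real malicious documents.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
SYLK_MAGIC = b"ID;P"                                # every SYLK file opens with an ID record
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.xlsm/...) is a zip
XLM_CONTENT_TYPE = b"application/vnd.ms-excel.macrosheet+xml"


def triage(data: bytes) -> dict:
    """Return the code-execution indicators found in one document's bytes."""
    f = {"format": "unknown", "vba": False, "xlm": False, "sylk": False, "ole2": False}
    if data.startswith(SYLK_MAGIC):
        f["format"], f["sylk"] = "sylk", True
        return f
    if data.startswith(OLE2_MAGIC):
        # Binary .doc/.xls: VBA lives in OLE streams; flag for deeper parsing
        f["format"], f["ole2"] = "ole2", True
        return f
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
                f["format"] = "ooxml"
                # word/ xl/ ppt/ vbaProject.bin is only present in macro-enabled files
                f["vba"] = any(n.endswith("vbaProject.bin") for n in names)
                # Excel 4.0 macro sheets are stored under xl/macrosheets/ and
                # declared with the macrosheet content type in [Content_Types].xml
                ct = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
                f["xlm"] = XLM_CONTENT_TYPE in ct or any(n.startswith("xl/macrosheets/") for n in names)
        except zipfile.BadZipFile:
            f["format"] = "bad-zip"
    return f


def verdict(findings: dict) -> str:
    """Assumed gateway policy: anything that can run code on 'enable content' is blocked."""
    if findings["sylk"] or findings["xlm"] or findings["vba"]:
        return "block"
    if findings["ole2"]:
        return "review"   # may still carry VBA; needs OLE stream inspection
    return "allow"


def build_ooxml(parts: dict) -> bytes:
    """Construct a minimal OOXML zip from a {part_name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: just enough structure to exercise each check.
SAMPLES = {
    "invoice.docm": build_ooxml({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\x00" * 16,
    }),
    "report.xlsm": build_ooxml({
        "[Content_Types].xml": b'<Types><Override PartName="/xl/macrosheets/sheet1.xml" '
                               b'ContentType="application/vnd.ms-excel.macrosheet+xml"/></Types>',
        "xl/workbook.xml": b"<workbook/>",
        "xl/macrosheets/sheet1.xml": b"<xm:macrosheet/>",
    }),
    "contract.slk": b"ID;PWXL;N;E\r\nP;PGeneral\r\nC;Y1;X1;K1\r\nE\r\n",
    "legacy.doc": OLE2_MAGIC + b"\x00" * 24,
    "clean.docx": build_ooxml({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
    }),
}


def triage_all(samples: dict) -> dict:
    """Map each file name to its verdict."""
    return {name: verdict(triage(data)) for name, data in samples.items()}


if __name__ == "__main__":
    for name, v in triage_all(SAMPLES).items():
        print(f"{name:14s} {v:7s} {triage(SAMPLES[name])}")
```

The OLE2 branch deliberately stops at "review": binary `.doc`/`.xls` files need an OLE stream parser (oletools' `olevba` is the usual choice) to tell a macro-bearing file from a clean one, and guessing from the container alone would produce both false positives and false negatives.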

It seems like the pandemic put the global cybersecurity industry to the test. In your opinion, what are the main takeaways?

The COVID-19 pandemic has been challenging in many ways. The rapid transition to remote work and remote learning was precarious for many across the board — from end-users to systems administrators, to security professionals. While organizations may have mentioned the word pandemic in their Business Continuity plans, they certainly did not have the infrastructure for long-term operations as currently constituted. Numerous organizations had to completely retool on the fly leaving their environments with potentially unknown vulnerabilities (for example, hastily rolling out Virtual Private Networking (VPN) solutions).

MCAs took advantage of things like digital meetings and poor password security to interrupt them with inappropriate content just because they could. Another challenge for cybersecurity and organizations that the pandemic amplified is the security and control of corporate data. With the ability to access and do almost everything on a tablet or smartphone, do organizations truly know where their data resides? The short answer is no.

The easy proliferation of corporate data is a problem that has been around since before the pandemic began but unfortunately, it has gotten worse with so many organizations utilizing online office suites and expecting answers to issues from employees practically 24/7/365. Aside from the obvious work-life balance concerns, if employees can access corporate information on a personal smartphone quickly, they are not going to take the time to use a VPN on a corporate laptop.

What kinds of attacks are we going to see more of in 2022? Who is going to be the main target – individual users or large organizations?

Unfortunately, 2022 is going to be another banner year for “Team Ransomware.” As long as organizations are willing to pay ransoms instead of improving security, this will continue to be the trend.

But, there is good news in the cybersecurity space that spans multiple industry verticals! Larger organizations (typically 5,000+ employees) are improving their cyber defenses. The bad news is that we’re not seeing a corollary improvement in mid-sized and smaller organizations. As larger organizations have hardened themselves, MCAs are turning their attention to smaller and smaller victims.

From a pattern analysis perspective, there is not a particular type of organization that will fall prey to a cyberattack in 2022. The vast majority of attacks are carried out by cyber-criminal entities who are looking for targets of exposed opportunity on the internet. They couldn't care less about which industry vertical they attack. It is all about filling their coffers.

Why do you think certain industries hesitate to upgrade their security defenses despite the growing cyberattack rates?

Two reasons - perceived complexity and money. These two items do not necessarily go hand-in-hand. When it comes to complexity, many industries look at cybersecurity as falling into the “too hard to do” category. Nothing could be further from the truth. If more organizations focused on the basics (complex passwords, multi-factor authentication, solid asset management, minimal network security monitoring, and training), they would prevent or detect many cyberattacks. Just doing the basics would drive MCAs to look for organizations that are easier targets.

Money is the other concern. Organizations believe they need to buy the latest/greatest cybersecurity tool that will answer all of their needs and spend a lot of money doing it. Unfortunately, there is no single tool that does everything. Cybersecurity requires visibility across the defense-in-depth (data, applications, hosts, networks, and “non-perimeter” of today) at a potentially large scale. Instead of starting small with basic logging of their environment and doing that right, many organizations allocate significant funds to tooling that still has blind spots. This lack of return-on-investment frustrates the C-Suite and results in a reduction of the next year’s budget.

What cybersecurity measures do you think should be a must for companies nowadays?

Three things are an absolute must today. The first is multi-factor authentication with no exceptions. There are recent examples of organizations giving administrators easy remote access, only for those accounts to be exploited by MCAs. Make it harder for MCAs to gain access to your systems!

The next is to integrate CTI and tailor it to your organization. Not having CTI today is like not having access to your favorite news outlet. You just do not know what is going on without it. Additionally, CTI can feed other systems such as Intrusion Detection Systems (IDS), Security Information and Event Management (SIEM) capabilities, firewalls, and so on, to help detect and prevent cyberattacks as well as reduce alert fatigue.

Finally, invest in robust cybersecurity training for your organization. Your employees should be your first line of defense in cybersecurity. They are the ones who will receive that phishing email. The fate of your organization could come down to an employee taking the bait and clicking a link or picking up the phone to talk to your cyber defenders.

To learn more about the CTI process and how to begin leveraging CTI in your own organization, please check out the following links to a three-part blog series and video presentation:

Part 1: Cyber Threat Intelligence (CTI): Planning & Direction

Part 2: CTI: Collection and Processing

Part 3: CTI: Analysis, Dissemination, & Feedback

Video: Understanding the CTI Process
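Two answers above describe URL- and brand-based threat feeds that are consumed via a feed or API, and later recommend wiring CTI into IDS, SIEM and firewalls to detect attacks and cut alert fatigue. The script below is an added example of that integration step, written for this article and not taken from zvelo; the feed CSV and proxy log lines are constructed here and do not follow the MDDF or PhishBlockList schema. It shows the two normalisation details that most often break a naive match: a URL indicator is compared on host and path with the query string dropped, so cache-busting parameters still hit, and a domain indicator is matched by walking up the label chain so that `evil.example` also covers `sub.evil.example` but not `notevil.example`. A confidence threshold (an assumed value) then decides which hits become alerts.

```python
"""Match a URL/domain threat feed against proxy log lines.

Added example for this article. The feed and log formats are
constructed for the demonstration; they are not zvelo's feed schema.
"""
import csv
import io
from urllib.parse import urlsplit

# Constructed feed: one indicator per row.
FEED_CSV = """type,value,category,confidence
domain,login-secure-update.example,phishing,95
url,http://cdn.example.net/dl/update.bin,malware,90
domain,evil.example,malware,80
"""

# Constructed proxy log: timestamp client method url status
PROXY_LOG = """2022-01-10T09:12:01Z 10.0.0.12 GET http://www.login-secure-update.example/signin 200
2022-01-10T09:12:05Z 10.0.0.12 GET https://intranet.example.org/ 200
2022-01-10T09:13:44Z 10.0.0.41 GET http://cdn.example.net/dl/update.bin?v=2 200
2022-01-10T09:14:02Z 10.0.0.41 GET http://cdn.example.net/dl/other.bin 404
2022-01-10T09:15:00Z 10.0.0.7 GET http://sub.evil.example/x 200
2022-01-10T09:15:30Z 10.0.0.7 GET http://notevil.example/ 200
"""


def load_feed(text: str):
    """Index the feed into a domain map and a (host, path) URL map."""
    domains, urls = {}, {}
    for row in csv.DictReader(io.StringIO(text)):
        value = row["value"].lower()
        if row["type"] == "domain":
            domains[value] = row
        elif row["type"] == "url":
            p = urlsplit(value)
            urls[(p.hostname, p.path)] = row   # query/fragment intentionally dropped
    return domains, urls


def match_domain(host: str, domains: dict):
    """Return the most specific feed entry covering host, or None.

    Walks sub.evil.example -> evil.example; the bare TLD is never tried.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return domains[candidate]
    return None


def scan(log_text: str, feed) -> list:
    """Return one hit dict per log line whose URL matches a feed indicator."""
    domains, urls = feed
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status = line.split()
        p = urlsplit(url.lower())
        host = p.hostname or ""
        indicator = urls.get((host, p.path)) or match_domain(host, domains)
        if indicator:
            hits.append({
                "ts": ts, "client": client, "url": url,
                "indicator": indicator["value"],
                "category": indicator["category"],
                "confidence": int(indicator["confidence"]),
            })
    return hits


def alerts(hits: list, min_confidence: int = 85) -> list:
    """Keep only hits above the (assumed) confidence bar to limit alert fatigue."""
    return [h for h in hits if h["confidence"] >= min_confidence]


if __name__ == "__main__":
    feed = load_feed(FEED_CSV)
    for h in alerts(scan(PROXY_LOG, feed)):
        print(f"{h['ts']} {h['client']} {h['category']}/{h['confidence']} {h['url']} <- {h['indicator']}")
```

In a real deployment the same `scan` logic runs as a SIEM lookup or a proxy/DNS block list rather than a batch script, and the feed is refreshed on the provider's schedule; the normalisation rules are what carry over unchanged.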

And finally, what’s next for zvelo?

As described above, our mission is to make the web safer and more secure. Every day, we wake up trying to figure out how to get better at what we do in order to achieve that mission. Hackers are ingenious. Bad code and software bugs are seemingly never-ending. So, there is no shortage of challenges for us to tackle next.
