“CrowdStrike is capable of catering to the diverse customer needs across industry verticals, with its comprehensive capabilities, compelling customer references, comprehensive roadmap and vision, cloud-native platform, and product suite with high scalability, have received strong ratings across technology excellence and customer impact.” – Quadrant Knowledge Solutions: 2022 SPARK MatrixTM for Digital Threat Intelligence Management
(Click to enlarge)
We are excited to announce Quadrant Knowledge Solutions has named CrowdStrike as a 2022 technology leader in the SPARK Matrix analysis of the global Digital Threat Intelligence Management market. Among all 28 vendors in the report, CrowdStrike received the highest score in the Technology Excellence category.
The SPARK Matrix evaluates top vendors in the Digital Threat Intelligence Management space on a variety of criteria and groups them into Leaders, Challengers and Aspirants. The criteria are broken down into two categories:
Technical Excellence: Sophistication of Technology, Competitive Differentiation Strategy, Application Diversity, Scalability, Integration & Interoperability, and Vision & Roadmap
Customer Impact: Product Strategy & Performance, Market Presence, Proven Record, Ease of Deployment & Use, Customer Service Excellence and Unique Value Proposition
How CrowdStrike Falcon X Threat Intelligence Stands Apart
The SPARK Matrix analysis takes a deep look into the 28 most significant threat intelligence providers. This broad set of vendors illustrates the diversity of the threat intelligence market and the many use cases customers demand — including dark web monitoring, intelligence automation, machine-readable intelligence, finished intelligence, threat research and threat intelligence platforms.
CrowdStrike joins only a few select vendors in this report that provide a comprehensive solution to address all of these use cases. Our customers benefit from access to intelligence using a single workflow with the ability to pivot into intelligence across all use cases — leading to smarter, faster decision making.
You may know CrowdStrike as a leader in cloud-delivered protection of endpoints, cloud workloads, identity and data, but you may not know the full extent of how our offerings differ from those of pure-play threat intelligence companies. Here, we take a closer look at the capabilities that set CrowdStrike’s technology apart.
Raw Intelligence Collection to Bolster Defense
CrowdStrike’s raw intelligence collection strategy is a critical differentiator. Each vendor’s collection plan forms the foundation that determines the intelligence solutions they can deliver. If a collection plan is too narrow — for example, if it only pulls data from the dark web — it will only address a limited number of customer use cases. If it only collects low-fidelity data, such as publicly available information, the resulting intelligence will be similar across vendors because open-source data is the easiest to obtain. (This isn’t to say the data isn’t valuable, or there aren’t valuable solutions built in these areas.)
We can deliver across multiple use cases and provide unique intelligence due to our comprehensive collection strategy. This starts with the trillions of events per day collected by the CrowdStrike Security Cloud, which powers the protection of millions of endpoints across the globe and provides visibility into real-time and zero-day attacks. In addition, CrowdStrike Intelligence collects raw intelligence from several other sources including:
CrowdStrike Services engagements for incident response and compromise assessments, which drive visibility into adversary activity in victims across the globe
Open-source intelligence, which is collected in dozens of languages using linguistically capable collectors and analysts to ensure proper comprehension and analysis of the collected material
Billions of objects collected from the deep and dark webs, criminal forums and markets, and social media and messaging apps
Processing millions of malware samples per day that are interrogated for actionable information such as command and control, persistence, campaign identification and other indicators, which are instantly published to our customers
Maintaining honeypots across the internet, which provide visibility into threats propagating via remote exploitation as well as early warning for things that may affect customers
Operating freely available sandbox technology, which is utilized by tens of thousands of security personnel and researchers
Maintaining a special collection of data that enables visibility into botnet command and control payloads, spam email and distributed denial of service (DDoS) activity
This comprehensive collection strategy, with the Falcon platform at its core, underscores CrowdStrike’s ability to collect data that no one else can, resulting in threat intelligence that no other vendor can provide.
An Adversary-Focused Approach to Security
Behind every attack is a human being with motivation and intent. As pioneers in actor profiling and attribution, CrowdStrike uses an adversary-focused approach to threat intelligence. We track more than 180 nation-state, cybercrime and hacktivism adversaries to expose their activities and tradecraft and then enable customers to take proactive steps to protect their organization.
Falcon X intelligence provides information on the malware adversaries use, vulnerabilities they exploit, tactics for accessing systems and indicators of compromise (IOCs) that identify them. An adversary-focused approach shrinks the problem set for you to manage. By filtering adversaries to those most likely to target your business (e.g., by region or business sector) you can focus on the most likely attacks, expose attacker tradecraft, degrade their ability to attack, increase the cost to the adversary and deploy your resources more effectively.
Threat Intelligence for Everyone
“Threat intelligence for everyone” was one of our core principles when going to market with the Falcon X solution. Threat intelligence has different meanings to different organizations, typically based on the size and skills of their security team. For many organizations early in their intelligence journey, “threat intelligence” may simply describe IOCs to block or open-source news alerts when a new cyberattack happens. As organizations mature, intelligence morphs to include enriched context for detections, help in hunting and investigating threats, then dark web monitoring and malware sandboxing. As intelligence becomes more strategic, it may mean access to finished intelligence or threat research.
It is critical to find a vendor that meets your definition of intelligence, supports where you are, and provides room for your team to grow. Further, it should challenge you to take the next step into a new use case so you can better protect your business and gain an advantage on today’s sophisticated cyberattacks. CrowdStrike Falcon X threat intelligence solutions are designed to meet you where you are in your threat intelligence journey. Thousands of our customers are implementing intelligence for the first time, and many of the most advanced Global 2000 and government entities rely on the superior collection, tradecraft and analysis of Falcon X.
If you are a CrowdStrike Falcon customer, or would like to become one, Falcon X threat intelligence is built directly into the platform, supporting your daily workflow by providing additional detection context and defensive strategies at your fingertips. If you are not a Falcon platform customer, our CrowdStrike Falcon X intelligence solutions are available separately, cloud-delivered and operational on Day One. We believe we met our goal to provide “intelligence for everyone.” For the first time, all organizations, regardless of size or expertise, can easily operationalize intelligence within the security operations center (SOC), gain visibility into the cybercriminal underground to protect their brand and executives, and receive best-of-breed intelligence reporting and technical analysis backed by a dedicated team of intelligence professionals.
Defend Against Threats with Falcon X Intelligence
CrowdStrike Falcon X Intelligence solutions include:
FALCON X: Enriches the events and incidents detected by the CrowdStrike Falcon platform, automating intelligence so security operations teams can make better, faster decisions
FALCON X RECON: Provides visibility into the cybercriminal underground so customers can effectively mitigate threats to their brands, employees and sensitive data
FALCON X PREMIUM: Delivers world-class intelligence reporting, technical analysis, malware analysis and threat hunting capabilities; Falcon X Premium enables organizations to build cyber resiliency and more effectively defend against sophisticated nation-state, eCrime and hacktivist adversaries
FALCON X ELITE: Expands your team with access to an intelligence analyst with the expertise to help you better defend against threats targeting your organization
We already know that the entire Linux operating system is written in C. And not just the operating system, but many binaries that run on it are written in C. Although there are multiple reasons for this, the main reason is that C is a very fast and powerful language.
In April and May 2022, NCC Group Cryptography Services engaged in a security and cryptography assessment reviewing Microsoft’s contributions to the go-cose library, a Go library implementing signing and verification for CBOR Object Signing and Encryption (COSE), as specified in RFC 8152. This library focuses on a minimal feature set to enable the signing and verification of COSE messages using a single signer, aka “sign1”. The purpose of this assessment was to identify cryptographic vulnerabilities and application-level security issues that could adversely affect the security of the go-cose library.
The Public Report for this review may be downloaded below:
By Jon Munshaw.
Welcome to this week’s edition of the Threat Source newsletter.
Given the recent tragedies in the U.S., I don’t feel it’s appropriate to open by being nostalgic or trying to be witty — let’s just stick to some security news this week. The one big...
[[ This is only the beginning! Please visit the blog for the complete entry ]]
An adversary’s ability to live off the land — relying on the operating system’s built-in tooling and user-installed legitimate software rather than tooling that must be brought in — may allow them to navigate through a victim organization’s network relatively undetected. CrowdStrike Falcon OverWatch threat hunters are acutely aware of adversaries’ love of these living off the land binaries (LOLBins) and build their hunts accordingly. In recent months, OverWatch Elite, a part of CrowdStrike’s Falcon OverWatch managed threat hunting service, has seen an increase in the use of JScript in hands-on-keyboard intrusions.
JScript vs JavaScript
JScript is a Microsoft-dialect of standard JavaScript, a scripting language that can be used in a web browser setting to add custom functionality to web pages. JScript, however, is an Active Scripting language, meaning it is more integrated into the operating system. JScript can be executed as a standalone file. It is often used to write files to disk, make registry changes, make network connections, execute commands and more.
While JScript and JavaScript are distinct scripting mechanisms, they both use the same file extension: .js. By default, double-clicking on a .js file in Windows Explorer will cause it to open the file with Windows Script Host executable wscript.exe, which will execute the code. Because wscript.exe is signed by Microsoft and is included in every Windows installation, it is often considered trusted by more traditional security solutions. Although when a .js file is downloaded from the internet an extra warning dialog is displayed prior to execution, our telemetry shows that this does not stop users from proceeding with the execution.
The relative ease with which .js files can be opened provides attackers with an attractive initial access vector, as tricking a user into executing their malicious scripts can be easy. Moreover, the limited logging that is provided by Windows Script Host (WSH) allows adversaries using malicious JScript files to evade some defense mechanisms and go unnoticed for longer.
Figure 1: A proof-of-concept JScript execution that upon double clicking spawns calc.exe. (Click to enlarge)
JScript as an Entry Point for Hands-on-Keyboard Activity
Unsurprisingly, OverWatch threat hunters regularly see intrusions that involve, or even start with, malicious JScript executions.In the first quarter of 2022, OverWatch identified several Fake Browser Update (FBU) infections — two of which led to the delivery of Cobalt Strike beacons followed by hands-on-keyboard activity. The actor likely used hijacked WordPress websites to host fake warnings about outdated browsers or plugins, asking the user to click a button to download the latest version. A malicious .js payload was then packed in a .zip archive, which the user was lured into opening by giving it names such as ChromeUpdate.js. This file connected to a command-and-control (C2) channel, executing various reconnaissance commands (e.g., leveraging whoami, net, nltest and cmdkey) before dropping and running a Cobalt Strikebeacon. The actor was then observed using this beacon for hands-on-keyboard activity.
In another instance, OverWatch observed the use of malicious .js files in financial services-themed phishing lures. The victim organization was sent an email with a .zip file containing a file called agreement.js. Upon opening, the JScript file reached out to an attacker-controlled domain, setting up a PowerShell implant that allowed the actor to perform further hands-on-keyboard activity. This activity included creating persistence, running various discovery commands and executing BloodHound. OverWatch quickly alerted the victim organization about the malicious activity, enabling them to contain the affected machines.
Detecting and Preventing Malicious JScript Executions in Your Environment
Because of how JScript works, there is not a straightforward way to detect malicious executions. While JScript is considered a legacy technology, it is still relied upon by a vast array of software and admin automation solutions. This can make distinguishing benign behavior from potentially malicious behavior challenging.
As seen in the examples above, to abuse JScript for initial access means, the attacker need only convince a user to open a malicious .js file, which is often provided to the user in an archive file. One approach for hunting in your environment for this malicious needle in your environment’s haystack is to hunt for JScript executions that originate from a user’s download folder or temporary archive locations (e.g., ZIP, RAR or 7Zip files).
In the CrowdStrike Falcon® platform’s Event Search function, the following query will surface such executions:
event_simpleName=ProcessRollup2 FileName IN ("cscript.exe", "wscript.exe")
| search CommandLine = "*.js*" (CommandLine="*\\downloads\\*" OR (CommandLine="*\\Appdata\\Local\\Temp\\*" AND (CommandLine="*.zip\\*" OR CommandLine="*\\7z*" OR CommandLine="*\\Rar*")))
| rex field=CommandLine "(?i)(?<ArchiveType>\.zip\\\|\\\7z|\\\Rar)"
| eval ArchiveType=case(ArchiveType=".zip\\", "ZIP", ArchiveType="\\7z", "7Z", ArchiveType="\\Rar", "RAR")
| eval isFromArchive=if(ArchiveType!="","Yes", "No")
| eval isInDownloads=if(match(CommandLine, ".*\\\Downloads\\\.*"),"Yes", "No")
| eval ProcExplorer="https://falcon.crowdstrike.com/investigate/process-explorer/" .aid. "/" . TargetProcessId_decimal . "?_cid=" . cid
| convert ctime(_time)
| table _time aid ComputerName UserName isInDownloads isFromArchive ArchiveType FileName CommandLine ParentBaseFileName ProcExplorer
| sort + _time
| rename _time as Time, aid as "Falcon AID", ComputerName as Endpoint, isInDownloads as "In Downloads folder?", isFromArchive as "From Archive?", FileName as ProcessName, CommandLine as ProcessCommandLine, ParentBaseFileName as ParentProcessName, ProcExplorer as "Process Explorer Link"
The output generated by this hunting query may look something like this:
Figure 2: Sample output of the above Event Search query, surfacing suspicious JScript executions. (Click to enlarge)
A next step would be to use the Process Explorer Link to see the process execution and dive deeper into what actions were performed by the JScript file.
Figure 3: Falcon’s Process Explorer reveals the suspiciously-named invoice_2022-03-21.js spawned calc.exe. (Click to enlarge)
The above example shows the execution of calc.exe, which may be considered unusual in a given environment. This would provide for further hunting opportunities, such as analyzing unusual children spawned by wscript.exe.
If the given hunting query produces too many results, it is possible to narrow the search further — for example, by limiting it to wscript.exe executions that involve spawning new processes, writing certain file types to disk, or manipulating sensitive registry locations.
From a prevention perspective, there are a few things that can be done. A key weakness in how JScript is set up in Windows is that double clicking a .js file quickly leads to execution. Removing the file association of .js files with wscript.exe may reduce the chances of success. Without the file association, a user would have to use the command line prompt to execute the file. Thus, an unsuspecting user double clicking a link in a phish would not result in a successful phish. Further,partially disabling JScript could reduce the attack surface. Microsoft also offers an option tocompletely disable Windows Script Host (although in most corporate environments this would not be a feasible option).
The Value of OverWatch Elite
Hunting for malicious .js executions can prove difficult due to high data volumes, legitimate use of JScript files and the variety of ways in which attackers can abuse JScript. To effectively defend against this requires deep knowledge of your environment, insights as to how attackers operate and experience with regards to detecting follow-on behavior. Managing this and other day-to-day responsibilities can easily overwhelm an in-house security team.
OverWatch’s preeminent managed threat hunting service protects customer environments on a 24/7/365 basis. OverWatch’s primary mission is to pinpoint malicious activities at the earliest possible stage, providing customers with timely, high-fidelity and, most importantly, actionable notifications and context that inform a swift and decisive response.
OverWatch Elite builds on the 24/7/365 threat hunting operations provided as a part of OverWatch standard and includes additional services, such as: 60-minute call escalation for critical threats, quarterly threat briefings, tailored threat hunting and more. OverWatch Elite customers are also invited to a private Slack channel where they can reach an OverWatch Elite analyst to respond with speed and confidence.
For more information, please visit the OverWatch Elite page on CrowdStrike’s website.
The authentication bypass depends on the error value getting ignored. It was ignored on line 1121, but it's still stored in the error parameter, so it also needs to be ignored by the caller. The block of code above has a temporary variable named implied_error, which is ignored when implied_result isn't null. That's the crucial step that makes the bypass possible.
<?xml version="1.0" encoding="UTF-8"?> <!--*-nxml-*-->
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
<vendor>The systemd Project</vendor>
<vendor_url>http://www.freedesktop.org/wiki/Software/systemd</vendor_url>
<action id="org.freedesktop.systemd1.manage-unit-files">
<description gettext-domain="systemd">Manage system service or unit files</description>
<message gettext-domain="systemd">Authentication is required to manage system service or unit files.</message>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.imply">org.freedesktop.systemd1.reload-daemon org.freedesktop.systemd1.manage-units</annotate>
</action>
<action id="org.freedesktop.systemd1.reload-daemon">
<description gettext-domain="systemd">Reload the systemd state</description>
<message gettext-domain="systemd">Authentication is required to reload the systemd state.</message>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
</policyconfig>
** (polkitd:186082): DEBUG: 00:37:29.575: In authentication_agent_response for cookie '3-31e1bb8396c301fad7e3a40706ed6422-1-0a3c2713a55294e172b441c1dfd1577d' and identity unix-user:root
** (polkitd:186082): DEBUG: 00:37:29.576: OUT: Only uid 0 may invoke this method.
** (polkitd:186082): DEBUG: 00:37:29.576: Authentication complete, is_authenticated = 0
** (polkitd:186082): DEBUG: 00:37:29.577: In check_authorization_challenge_cb
subject system-bus-name::1.6846
action_id org.freedesktop.timedate1.set-timezone
was_dismissed 0
authentication_success 0
00:37:29.577: Operator of unix-process:186211:9138723 FAILED to authenticate to gain authorization for action org.freedesktop.timedate1.set-timezone for system-bus-name::1.6846 [python3 agent.py] (owned by unix-user:dev)
可见我们的 Authentication Agent 已经正常工作了,可以接收到 PolicyKit 发送的 BeginAuthentication 方法调用,并且PolicyKit 会提示 Only uid 0 may invoke this method,是因为我们的 AuthenticationAgentResponse 发送用户为 dev 用户而非 root 用户。
** (polkitd:186082): DEBUG: 01:09:17.375: In authentication_agent_response for cookie '51-20cf92ca04f0c6b029d0309dbfe699b5-1-3d3e63e4e98124979952a29a828057c7' and identity unix-user:root
** (polkitd:186082): DEBUG: 01:09:17.377: OUT: RET: 1
** (polkitd:186082): DEBUG: 01:09:17.377: Removing authentication agent for unix-process:189453:9329523 at name :1.6921, object path /org/freedesktop/PolicyKit1/AuthenticationAgent (disconnected from bus)
01:09:17.377: Unregistered Authentication Agent for unix-process:189453:9329523 (system bus name :1.6921, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
** (polkitd:186082): DEBUG: 01:09:17.377: OUT: error
Error performing authentication: GDBus.Error:org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying (g-dbus-error-quark 4)
(polkitd:186082): GLib-WARNING **: 01:09:17.379: GError set over the top of a previous GError or uninitialized memory.
This indicates a bug in someone's code. You must ensure an error is NULL before it's set.
The overwriting error message was: Failed to open file ?/proc/0/cmdline?: No such file or directory
Error opening `/proc/0/cmdline': GDBus.Error:org.freedesktop.DBus.Error.NameHasNoOwner: Could not get UID of name ':1.6921': no such name
** (polkitd:186082): DEBUG: 01:09:17.380: In check_authorization_challenge_cb
subject system-bus-name::1.6921
action_id org.freedesktop.timedate1.set-timezone
was_dismissed 0
authentication_success 0
** (polkitd:192813): DEBUG: 01:42:29.925: In authentication_agent_response for cookie '3-7c19ac0c4623cf4548b91ef08584209f-1-22daebe24c317a3d64d74d2acd307468' and identity unix-user:root
** (polkitd:192813): DEBUG: 01:42:29.928: OUT: RET: 1
** (polkitd:192813): DEBUG: 01:42:29.928: Authentication complete, is_authenticated = 1
(polkitd:192813): GLib-WARNING **: 01:42:29.934: GError set over the top of a previous GError or uninitialized memory.
This indicates a bug in someone's code. You must ensure an error is NULL before it's set.
The overwriting error message was: Failed to open file ?/proc/0/cmdline?: No such file or directory
Error opening `/proc/0/cmdline': GDBus.Error:org.freedesktop.DBus.Error.NameHasNoOwner: Could not get UID of name ':1.7428': no such name
** (polkitd:192813): DEBUG: 01:42:29.934: In check_authorization_challenge_cb
subject system-bus-name::1.7428
action_id org.freedesktop.timedate1.set-timezone
was_dismissed 0
authentication_success 1
同时系统时区也已经成功更改。
0x07. Before The Exploit
相比于漏洞作者给出的 Account Daemon 利用,我选择了使用 org.freedesktop.systemd1。首先我们摆脱了必须使用 org.freedesktop.policykit.imply 修饰过的方法的限制,其次因为这个 D-Bus Service 几乎在每个 Linux 系统都存在,最后是因为这个方法存在一些高风险方法。
$ gdbus introspect --system -d org.freedesktop.systemd1 -o /org/freedesktop/systemd1
...
interface org.freedesktop.systemd1.Manager {
...
StartUnit(in s arg_0,
in s arg_1,
out o arg_2);
...
EnableUnitFiles(in as arg_0,
in b arg_1,
in b arg_2,
out b arg_3,
out a(sss) arg_4);
...
}
...
同时,作为一个 Web 漏洞的安全研究员,我自是将所有的东西都类型转换到 Web 层面去看待。D-Bus 和 Web 非常相似,在挖掘提权的过程中并没有受到特别大的阻力,却收获了非常多的成果。希望各位安全从业者通过 D-Bus 来入门二进制,跳出自己的舒适圈,也可以增加自己在漏洞挖掘中的视野(什么,内存破坏洞?想都不要想了,开摆.jpg)。
May 25, 2022, marked four years since the European Union’s General Data Protection Regulation (GDPR) went into effect. Although the scope of the law is limited to personal data originating from activities in the European Economic Area, the ensuing requirements have had a global impact. This is evident in similar laws that have been proposed or passed and measures multinational organizations have taken to comply with privacy requirements. In parallel, there has been a convergence of a principles-based approach to cybersecurity in many jurisdictions worldwide.
In light of the trends of the past four years, there are four clear takeaways for organizations seeking to meet their GDPR obligations.
1. GDPR Is not a Static Set of Requirements
During the past four years, organizations around the globe have adapted to comply with GDPR requirements, while those requirements and the threats posed to privacy have been anything but static. The European Data Protection Board (EDPB), the GDPR-era successor to the Article 29 Working Party, has issued updated guidance on a variety of areas. These include privacy-by-design guidelines as well as breach notification examples and response guidelines. Simultaneously, as shown in the CrowdStrike 2022 Global Threat Report, threats to data protection continue to evolve, requiring organizations to assess their GDPR compliance programs in the context of today’s security risks and GDPR requirements, rather than those of 2018.
2. Achieving Security-by-Design and Privacy-by-Design Is Not “Set and Forget”
As a principles-based regulation, GDPR includes obligations to incorporate privacy-by-design and to implement safeguards appropriate to the risk. EDPB guidelines make clear that privacy-by-design is an evolving standard that imposes on organizations a duty “to take account of the current progress in technology that is available in the market.” Furthermore, the EDPB guidance drives home the point that organizations may find themselves in violation of GDPR Arts. 25 and 32, where “a measure that once provided an adequate level of protection no longer does.”
This evolving standard of GDPR is a reflection of why security approaches, such as legacy antivirus, are mismatched for today’s realities. As workloads and data storage increasingly move from traditional endpoints to cloud offerings, cyber threat actors have expanded their targets. In fact, cyber threat actors often do not discriminate between personal or general, on-premise enterprise environments versus cloud environments. They target resources and data wherever they exist, and frequently move between local and cloud environments in an attempt to achieve their objectives.1 This is one reason why accidental data exposures that happen through, for example, misconfigured cloud storage environments are also increasingly a source of potential privacy issues. Moreover, threat actors use cloud hosting to disguise their intrusions as benign network traffic, and a variety of legitimate software and cloud hosting services to access company networks.
3. Mitigating Risk Can Mitigate Breach Obligations
Like many breach notification obligations, GDPR’s language is designed to reduce breach fatigue by creating an impact-driven duty to notify regulators and, in the most severe of instances, individuals. Recent guidance for the EDPB makes clear not all breaches have the same level of severity. For example, an incident where a threat actor sees a list of user names might have a small or negligible impact on affected parties. Whereas, another incident in which a threat actor exfiltrates complete financial or medical records may have a severe impact.
Some personal data may be considered benign enough that it would not even be considered reportable if a breach was to occur. Whereas, other personal data could pose a risk or high risk to the fundamental rights of data subjects. Such guidance is relevant for cross border data flows as well. Put simply, if certain types of personal data in a data breach would not be reportable, it raises the question as to whether there should be any barriers to data flows in a transfer impact assessment.
As a practical matter, the data breach guidance repeatedly endorses the notion of using centralized logs as a critical component in breach prevention and assessment. This is because security teams demand contextual awareness and visibility from across their entire environments, including within cloud and ephemeral environments. Log management is critical to understanding what happened. Going beyond this, extended detection and response (XDR), can be leveraged to apply order to a sometimes chaotic array of security tools by deriving actionable insights wherever they exist within the enterprise, and generate intelligence from what otherwise may be an information overload. Holistic XDR unifies detection and response across the entire security stack.
4. Threats to Data Protection Aren’t Going Away
Legal guidance related to GDPR is not the only thing that has evolved in the past four years. The threats to privacy that GDPR principles require organizations to protect against have evolved as well. As CrowdStrike’s Global Threat Report highlighted, cyber actors pose a significant threat to organizations and, especially, to data protection compliance. In fact, CrowdStrike observed an 82% increase in ransomware data leaks from 2020 to 2021 alone. Moreover, there is the stark reality that 62% of attacks observed by CrowdStrike did not involve malware but instead were conducted via hands-on-keyboard activity. These realities make clear that using legacy antivirus technologies to protect personal data do not meet GDPR’s standards of implementing state-of-the-art security measures appropriate for today’s risks.
The Future of GDPR
Organizations subject to GDPR should evaluate whether measures put in place four years ago are still sufficient today. Both the legal guidance interpreting GDPR as well as the threats to privacy continue to evolve, and compliance is a moving target. Moreover, there have been significant fines under both GDPR and UK GDPR against organizations that do not implement appropriate safeguards to protect personal data. Consequently, as a practical matter, investing in ENISA endorsed security measures such as XDR, zero trust, log management and threat hunting is a fundamental part of compliance today.
Drew Bagley is Vice President and Counsel, Privacy and Cyber Policy at CrowdStrike.
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 20 and May 27. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...
[[ This is only the beginning! Please visit the blog for the complete entry ]]