We know that plugins can be used to extend the functionality of WordPress. But what if you can do some smaller things in WordPress without installing them? Say, you dislike the admin bar at the top and wish to eliminate it? Yes, that can be accomplished by means of code snippets for WordPress.
Basically, code snippets for WordPress are used to do certain actions that might otherwise require a dedicated smaller plugin. Such code snippets are placed in one of the WordPress core or theme files (generally the functions.php file of your theme).
As you might have guessed, code snippets for WordPress, while really useful, tend to alter the default functionality. There can be a small margin of error with each snippet. Generally, such issues tend to arise due to incompatible plugins and/or themes and tend to disappear once you eliminate the said theme/plugin or decide not to use the said snippet.
However, to be on the safer side, be very sure to take proper backups of your WordPress website before making any changes by means of snippets. Also, if you encounter any error or performance issues, rollback your site and check for any plugins or incompatible theme issues.
Now, on to the code snippets for WordPress users!
1. Allow Contributors to Upload Images
By default, WordPress does not permit contributor accounts to upload images. You can, of course, promote that particular account to Author or Editor and this will give them the rights to upload and modify images, However, it will also grant them additional rights, such as the ability to publish their own articles (as opposed to submission for review).
This particular code snippet allows contributor accounts to upload images to their articles, without granting them any additional privileges or rights. Paste it in the functions.php file of your theme:
if ( current_user_can('contributor') && !current_user_can('upload_files') )
add_action('admin_init', 'allow_contributor_uploads');
function allow_contributor_uploads() {
$contributor = get_role('contributor');
$contributor->add_cap('upload_files');
}
2. Show Popular Posts Without Plugins
This one is a little trickier. However, if you are not too keen on installing an extra plugin to showcase popular posts (say, you have limited server memory or disk space), follow this snippet.
The search feature of WordPress has been around for a long time. However, if your website does not need it, or you do not want users to “search” through your website for some reason, you can use this code snippet.
Essentially, it is a custom function that simply nullifies the search feature. Not just the search bar in your sidebar or the menu, but the entire concept of native WP search is gone. Why can this be useful? Again, it can help if you are running your website on low spec server and do not have content that needs to be searched (probably you aren’t running a blog).
There are various ways to secure your website. You can install a security plugin, turn on a firewall or opt for a free feature such as Jetpack Protect that blocks brute force attacks on your website.
The following code snippet, once placed in your functions.php file, rejects all malicious URL requests:
global $user_ID; if($user_ID) {
if(!current_user_can('administrator')) {
if (strlen($_SERVER['REQUEST_URI']) > 255 ||
stripos($_SERVER['REQUEST_URI'], "eval(") ||
stripos($_SERVER['REQUEST_URI'], "CONCAT") ||
stripos($_SERVER['REQUEST_URI'], "UNION+SELECT") ||
stripos($_SERVER['REQUEST_URI'], "base64")) {
@header("HTTP/1.1 414 Request-URI Too Long");
@header("Status: 414 Request-URI Too Long");
@header("Connection: Close");
@exit;
}
}
}
5. Paginate Your Site Without Plugins
Good pagination is very useful for allowing users to browse through your website. Rather than “previous” or “next” links. This is where another one of our code snippets for WordPress comes into play – it adds good pagination to your content.
In functions.php:
global $wp_query;
$total = $wp_query->max_num_pages;
// only bother with the rest if we have more than 1 page!
if ( $total > 1 ) {
// get the current page
if ( !$current_page = get_query_var('paged') )
$current_page = 1;
// structure of "format" depends on whether we're using pretty permalinks
$format = empty( get_option('permalink_structure') ) ? '&page=%#%' : 'page/%#%/';
echo paginate_links(array(
'base' => get_pagenum_link(1) . '%_%',
'format' => $format,
'current' => $current_page,
'total' => $total,
'mid_size' => 4,
'type' => 'list'
));
}
6. Disable the Admin Bar
The WordPress Admin Bar provides handy links to several key functions such as the ability to add new posts and pages, etc. However, if you find no use for it and wish to remove it, simply paste the following code snippet to your functions.php file:
// Remove the admin bar from the front end
add_filter( 'show_admin_bar', '__return_false' );
7. Show Post Thumbnails in RSS Feed
If you wish to show post thumbnail images in your blog’s RSS feed, the following code snippet for WordPress can be useful.
Place it in your functions.php file:
// Put post thumbnails into rss feed
function wpfme_feed_post_thumbnail($content) {
global $post;
if(has_post_thumbnail($post->ID)) {
$content = '' . $content;
}
return $content;
}
add_filter('the_excerpt_rss', 'wpfme_feed_post_thumbnail');
add_filter('the_content_feed', 'wpfme_feed_post_thumbnail');
8. Change the Author Permalink Structure
By default, WordPress shows author profiles as yoursite.com/author/name. However, you can change it to anything that you like, such as yoursite.com/writer/name
The following code snippet needs to be pasted in the functions.php file. Then, it changes the author permalink structure to “/profile/name”:
add_action('init', 'cng_author_base');
function cng_author_base() {
global $wp_rewrite;
$author_slug = 'profile'; // change slug name
$wp_rewrite->author_base = $author_slug;
}
9. Automatically Link to Twitter Usernames in Content
This is especially useful if you are running a website that focuses a lot on Twitter (probably a viral content site, etc.) The following code snippet for functions.php converts all @ mentions in your content to their respective Twitter profiles.
For example, an @happy mention in your content will be converted to a link to the Twitter account “twitter.com/happy” (“happy” being the username):
If you are using the PayPal Donate function to accept donations from your website’s visitors, you can use this code snippet to create a shortcode, and thus make donating easier. First, paste the following in your functions.php file:
function donate_shortcode( $atts, $content = null) {
global $post;extract(shortcode_atts(array(
'account' => 'your-paypal-email-address',
'for' => $post->post_title,
'onHover' => '',
), $atts));
if(empty($content)) $content='Make A Donation';
return '<a href="https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business='.$account.'&item_name=Donation for '.$for.'" title="'.$onHover.'">'.$content.'</a>';
}
add_shortcode('donate', 'donate_shortcode');
As mentioned with each code snippet, you just need to add the said snippet to the required file. Mostly, you would only need to add code snippets to the functions.php file (in some cases, it can differ).
However, what if you are just not comfortable editing your theme’s files? If that is the case, have no fear. The Code Snippets plugin can help you out!
It is a simple plugin that lets you add code snippets to your functions.php without any manual file editing. It treats code snippets as individual plugins of their own – you add the code and hit save … and the rest is handled by the Code Snippets plugin.
Once you activate the plugin, you will find a Snippets menu right under “Plugins.” Head to Snippets » Add New:
Add a name for your snippet, paste the snippet in the code area, and then provide a description for your own reference. Once done, activate the snippet and you’re good to go! Even if you change the theme, the code snippet remains functional.
Last updated: June 14, 2023 James Saturnio Security Unified Endpoint Management
With remote work now commonplace, having a good cyber hygiene program is crucial for organizations who want to survive in today’s threat landscape. This includes promoting a culture of individual cybersecurity awareness and deploying the right security tools, which are both critical to the program’s success.
Some of these tools include endpoint patching, endpoint detection and response (EDR) solutions and antivirus software. But considering recent cybersecurity reports, they’re no longer enough to reduce your organization’s external attack surface.
Here are three solid reasons, and real-world situations, that happened to organizations that didn’t take this threat seriously.
1. AI generated polymorphic exploits can bypass leading security tools
Recently, AI-generated polymorphic malware has been developed to bypass EDR and antivirus, leaving security teams with blind spots into threats and vulnerabilities.
These exploits achieved this by mutating its code slightly with every iteration and encrypting its malicious code without a command-and-control (C2) communications channel.
This mutation is not detectable by traditional signature-based and low-level heuristics detection engines. This means that security time gaps are created for a patch to be developed and released, for the patch to be tested for effectiveness, for the security team to prioritize vulnerabilities and for the IT (Information Technology) team to rollout the patches onto affected systems.
In all, this could mean several weeks or months where an organization will need to rely on other security tools to help them protect critical assets until the patching process is completed successfully.
2. Patching failures and patching fatigue are stifling security teams
Unfortunately, updates breaking systems because patches haven’t been rigorously tested occur frequently. Also, some updates don’t completely fix all weaknesses, leaving systems vulnerable to more attacks and requiring additional patches to completely fix.
The Suffolk County government in New York recently released their findings from the forensic investigation of the data breach and ransomware attack, where the Log4j vulnerability was the threat actor’s entry point to breach their systems. The attack started back in December 2021, which was the same time Apache released security patches for these vulnerabilities.
Even with updates available, patching never took place, resulting in 400 gigabytes of data being stolen including thousands of social security numbers and an initial ransom demand of $2.5 million.
The ransom was never paid but the loss of personal data and employee productivity and subsequent investigation outweighed the cost of updated cyber hygiene appliances and tools and a final ransom demand of $500,000. The county is still trying to recover and restore all their systems today, having already spent $5.5 million.
Real world example: An errant Windows server update caused me to work 24-hours straight
From personal experience, I once worked 24 hours straight because one Patch Tuesday, a Microsoft Windows server update was automatically downloaded, installed which promptly broke authentication services between the IoT (Internet of Things) clients and the AAA (authentication, authorization and accounting) servers grinding production to a screeching halt.
Our company’s internal customer reference network that was implemented by our largest customers deployed Microsoft servers for Active Directory Certificate Services (ADCS) and Network Policy Servers (NPS) used for 802.1x EAP-TLS authentication for our IoT network devices managed over the air.
This happened a decade ago, but similar recurrences have also occurred over the next several years, including this update from July 2017, where NPS authentication broke for wireless clients and was repeated in May of last year.
At that time, an immediate fix for the errant patch wasn’t available, so I spent the next 22 hours rebuilding the Microsoft servers for the company’s enterprise public key infrastructure (PKI) and AAA services to restore normal operations. The saving grace was we took the original root certificate authority offline, and the server wasn’t affected by the bad update.
However, we ended up having to revoke all the identity certificates issued by the subordinate certificate authorities to thousands of devices including routers, switches, firewalls and access points and re-enroll them back into the AAA service with new identity certificates.
Learning from this experience, we disabled automatic updates for all Windows servers and took more frequent backups of critical services and data.
3. Endpoint patching only works for known devices and apps
With the pandemic came the shift to Everywhere Work, where employees worked from home, often connecting their personal devices to their organization’s network. This left security teams with a blind spot to shadow IT. With shadow IT, assets go unmanaged, are potentially out-of-date and cause insecure personal devices and leaky applications.
The resurgence of bring your own device (BYOD) policies and the lack of company-sanctioned secure remote access quickly expanded the organization’s external attack surface, exposing other attack vectors for threat actors to exploit.
The second incident leveraged data stolen during the first breach to target four DevOps engineers, specifically, their home computers. One senior software developer used their personal Windows desktop to access the corporate development sandbox. The desktop also had an unpatched version of Plex Media Server (CVE-2020-5741) installed.
Plex provided a patch for this vulnerability three years ago. Threat actors used this vulnerability to deliver malware, perform privilege escalation (PE), then a remote code execution (RCE) to access LastPass cloud-based storage and steal DevOps secrets and multi-factor (MFA) and Federation databases.
“Unfortunately, the LastPass employee never upgraded their software to activate the patch,” Plex said in a statement. “For reference, the version that addressed this exploit was roughly 75 versions ago.”
If patching isn’t enough, how can organizations reduce their external attack surface?
Cyber hygiene
Employees are the weakest link to an organization’s cyber hygiene program. Inevitably, they’ll forget to update their personal devices, re-use the same weak password to different internet websites, install leaky applications, and click or tap on phishing links contained within an email, attachment, or text message.
Combat this by promoting a company culture of cybersecurity awareness and practice vigilance that includes:
· Ensuring the latest software updates are installed on their personal and corporate devices.
· Recognizing social engineering attack techniques including the several types of phishing attacks.
· Using multi-factor authentication whenever possible.
· Installing and automatically updating the databases on antivirus software for desktops and mobile threat defense for mobile devices.
Continuing education is key to promoting great cyber hygiene within your organization, especially for anti-phishing campaigns.
Cyber hygiene tool recomendations
In cybersecurity, the saying goes, “You can’t protect what you can’t see!” Having a complete discovery and accurate inventory of all network-connected hardware, software and data, including shadow IT assets, is the important first step to assessing an organization’s vulnerability risk profile. The asset data should feed into an enterprise endpoint patch management system.
Also, consider implementing a risk-based vulnerability management approach to prioritize the overwhelming number of vulnerabilities to only those that pose the greatest risk to your organization. Often included with risk-based vulnerability management solutions is a threat intelligence feed into the patch management system.
Threat intelligence is information about known or potential threats to an organization. These threats can come from a variety of sources, like security researchers, government agencies, infrastructure vulnerability and application security scanners, internal and external penetration testing results and even threat actors themselves.
This information, including specific patch failures and reliability reported from various crowdsourced feeds, can help organizations remove internal patch testing requirements and reduce the time gap to patch deployments to critical assets.
A unified endpoint management (UEM) platform is necessary to remotely manage and provide endpoint security to mobile devices including shadow IT and BYOD assets.
The solution can enforce patching to the latest mobile operating system (OS) and applications, provision email and secure remote access profiles including identity credentials and multi-factor authentication (MFA) methods like biometrics, smart cards, security keys, certificate-based or token-based authentication.
The UEM solution should also integrate an AI machine learning-based mobile threat defense (MTD) solution for mobile devices, while desktops require next-generation antivirus (NGAV) with robust heuristics to detect and remediate device, network, and app threats with real-time anti-phishing protection.
And finally, to level the playing field against AI-generated malware, cyber hygiene tools will have to evolve quickly by leveraging AI guidance to keep up with the more sophisticated polymorphic attacks that are on the horizon.
Adding the solutions described above will help deter cyberattacks by putting impediments in front of threat actors to frustrate them and seek out easier targets to victimize.
About James Saturnio
James Saturnio is the Technical Product Marketing Director for the Technical Marketing Engineering team at Ivanti. He immerses himself in all facets of cybersecurity with over 25 years’ hands-on industry experience. He is an always curious practitioner of the zero trust security framework. Prior to Ivanti, he was with MobileIron for almost 7 years as a Senior Solutions Architect and prior to that, he was at Cisco Systems for 19 years. While at Cisco, he started out as a Technical Assistance Center (TAC) Engineer and then a Technical Leader for the Security Technology and Internet of Things (IoT) business units. He is a former Service Provider and Security Cisco Certified Internetworking Expert (CCIE) and was the main architect for the IoT security architecture that is still used today by Cisco’s lighthouse IoT customers.
Last updated: June 20, 2023 Robert Waters Security Unified Endpoint Management DEX
Increases in attack surface size lead to increased cybersecurity risk. Thus, logically, decreases in attack surface size lead to decreased cybersecurity risk.
While some attack surface management solutions offer remediation capabilities that aid in this effort, remediation is reactive. As with all things related to security and risk management, being proactive is preferred.
The good news is that ASM solutions aren’t the only weapons security teams have in the attack surface fight. There are many steps an organization can take to lessen the exposure of its IT environment and preempt cyberattacks.
How do I reduce my organization’s attack surface?
Unfortunately for everyone but malicious actors, there’s no eliminating your entire attack surface, but the following best practice security controls detailed in this post will help you significantly shrink it:
As noted in our attack surface glossary entry, different attack vectors can technically fall under multiple types of attack surfaces — digital, physical and/or human. Similarly, many of the best practices in this post can help you reduce multiple types of attack surfaces.
For that reason, we have included a checklist along with each best practice that signifies which type(s) of attack surface a particular best practice primarily addresses.
#1: Reduce complexity
.
Digital attack surface
Physical attack surface
Human attack surface
X
X
.
Reduce your cybersecurity attack surface by reducing complexity. Seems obvious, right? And it is. However, many companies have long failed at this seemingly simple step. Not because it’s not obvious, but because it hasn’t always been easy to do.
Research from Randori and ESG reveals seven in 10 organizations were compromised by an unknown, unmanaged or poorly managed internet-facing asset over the past year. Cyber asset attack surface management (CAASM) solutions enable such organizations to identify all their assets — including those that are unauthorized and unmanaged — so they can be secured, managed or even removed from the enterprise network.
Any unused or unnecessary assets, from endpoint devices to network infrastructure, should also be removed from the network and properly discarded.
The code that makes up your software applications is another area where complexity contributes to the size of your attack surface. Work with your development team to identify where opportunities exist to minimize the amount of executed code exposed to malicious actors, which will thereby also reduce your attack surface.
#2: Adopt a zero trust strategy for logical and physical access control
.
Digital attack surface
Physical attack surface
Human attack surface
X
X
.
The National Institute of Standards and Technology (NIST) defines zero trust as follows:
“A collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”
Taking a zero trust approach to logical access control reduces your organization’s attack surface — and likelihood of data breaches — by continuously verifying posture and compliance and providing least-privileged access.
And while zero trust isn’t a product but a strategy, there are products that can help you implement a zero trust strategy. Chief among those products are those included in the secure access service edge (SASE) framework:
And though it’s not typically viewed in this manner, a zero trust strategy can extend beyond logical access control to physical access control. When it comes to allowing anyone into secure areas of your facilities, remember to never trust, always verify. Mechanisms like access cards and biometrics can be used for this purpose.
#3: Evolve to risk-based vulnerability management
.
Digital attack surface
Physical attack surface
Human attack surface
X
.
First, the bad news: the US National Vulnerability Database (US NVD) contains over 160,000 scored vulnerabilities and dozens more are added every day. Now, the good news: a vast majority of vulnerabilities have never been exploited, which means they can’t be used to perpetrate a cyberattack, which means they aren’t part of your attack surface.
In fact, a ransomware research report from Securin, Cyber Security Works (CSW), Ivanti and Cyware showed only 180 of those 160,000+ vulnerabilities were trending active exploits.
Comparison of total NVD vulnerabilities vs. those that endanger an organization
Only approximately 0.1% of all vulnerabilities in the US NVD are trending active exploits that pose an immediate risk to an organization
A true risk-based approach is needed. Risk-based vulnerability management (RBVM) — as its name suggests — is a cybersecurity strategy that prioritizes vulnerabilities for remediation based on the risk they pose to the organization.
With the intelligence from their RBVM tool in hand, organizations can then go about reducing their attack surface by remediating the vulnerabilities that pose them the most risk. Most commonly, that involves patching exploited vulnerabilities on the infrastructure side and fixing vulnerable code in the application stack.
#4: Implement network segmentation and microsegmentation
.
Digital attack surface
Physical attack surface
Human attack surface
X
.
Once again, borrowing from the NIST glossary, network segmentation is defined as follows:
Splitting a network into sub-networks, for example, by creating separate areas on the network which are protected by firewalls configured to reject unnecessary traffic. Network segmentation minimizes the harm of malware and other threats by isolating it to a limited part of the network.
From this definition, you can see how segmenting can reduce your attack surface by blocking attackers from certain parts of your network. While traditional network segmentation stops those attackers from moving north-south at the network level, microsegmentation stops them from moving east-west at the workload level.
More specifically, microsegmentation goes beyond network segmentation and enforces policies on a more granular basis — for example, by application or device instead of by network.
For example, it can be used to implement restrictions so an IoT device can only communicate with its application server and no other IoT devices, or to prevent someone in one department from accessing any other department’s systems.
#5: Strengthen software and asset configurations
.
Digital attack surface
Physical attack surface
Human attack surface
X
.
Operating systems, applications and enterprise assets — such as servers and end user, network and IoT devices — typically come unconfigured or with default configurations that favor ease of deployment and use over security. According to CIS Critical Security Controls (CIS Controls) v8, the following can all be exploitable if left in their default state:
Basic controls
Open services and ports
Default accounts or passwords
Pre-configured Domain Name System (DNS) settings
Older (vulnerable) protocols
Pre-installation of unnecessary software
Clearly, such configurations increase the size of an attack surface. To remedy the situation, Control 4: Secure Configuration of Enterprise Assets and Software of CIS Controls v8 recommends developing and applying strong initial configurations, then continually managing and maintaining those configurations to avoid degrading security of software and assets.
Here are some free resources and tools your team can leverage to help with this effort:
CIS Benchmarks List – Configuration recommendations for over 25 vendor product families
CIS-CAT Lite — Assessment tool that helps users implement secure configurations for a range of technologies
#6: Enforce policy compliance
.
Digital attack surface
Physical attack surface
Human attack surface
X
X
.
It’s no secret that endpoints are a major contributor to the size of most attack surfaces — especially in the age of Everywhere Work when more employees are working in hybrid and remote roles than ever before. Seven in 10 government employees now work virtually at least part of the time.
It’s hard enough getting employees to follow IT and security policies when they’re inside the office, let alone when 70% of them are spread all over the globe.
Unified endpoint management (UEM) tools ensure universal policy compliance by automatically enforcing policies. This fact should come as no surprise to IT and security professionals, many of whom consider UEM a commodity at this point. In fact, Gartner predicts that 90% of its clients will manage most of their estate with cloud-based UEM tools by just 2025.
Nonetheless, UEM is the best option for enforcing IT and security policy compliance, so I’d be remiss to omit it from this list.
Additionally, beyond compliance, modern UEM tools offer several other capabilities that can help you identify, manage and reduce your attack surface:
Have complete visibility into IT assets by discovering all devices on your network — a key ASM capability for organizations without a CAASM solution.
Provision devices with the appropriate software and access permissions, then automatically update that software as needed — no user interactions required.
Manage all types of devices across the entire lifecycle, from onboarding to retirement, to ensure they’reproperly discarded once no longer in use.
Support zero trust access and contextual authentication, vulnerability, policy, configuration and data management by integrating with identity, security and remote-access tools. For example, UEM and mobile threat defense (MTD) tools can integrate to enable you to enact risk-based policies to protect mobile devices from compromising the corporate network and its assets.
#7: Train all employees on cybersecurity policies and best practices
Thus, it should come as no surprise when you review the data from Ivanti’s 2023 Government Cybersecurity Status Report and see the percentages of employees around the world that don’t believe their actions have any impact on their organization’s ability to avert cyberattacks:
Do employees think their own actions matter?
Many employees don’t believe their actions impact their organization’s ability to stay safe from cyberattacks.
In the immortal words of Alexander Pope: “To err is human…” In cybersecurity terms: until AI officially takes over, humans will remain a significant part of your attack surface. And until then, human attack surfaces must be managed and reduced wherever possible.
Thus far, the best way to do that’s proven to be cybersecurity training, both on general best practices and company-specific policies — and definitely don’t forget to include a social engineering module.
To once again borrow from CIS Controls v8, Control 14: Security Awareness and Skills Training encourages organizations to do the following: “Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.”
CIS — the Center for Internet Security — also recommends leveraging the following resources to help build a security awareness program:
Security and IT staff — not just those in non-technical roles — should also be receiving cybersecurity training relevant to their roles. In fact, according to the IT and security decision-makers surveyed by Randori and ESG for their 2022 report on The State of Attack Surface Management, providing security and IT staff with more ASM training would be the third most-effective way to improve ASM.
Ensuring partners, vendors and other third-party contractors take security training as well can also help contain your human attack surface.
#8: Improve digital employee experience (DEX)
.
Digital attack surface
Physical attack surface
Human attack surface
X
X
.
No matter how much cybersecurity training you provide employees, the more complex and convoluted security measures become, the more likely they are to bypass them. Sixty-nine percent of end users report struggling to navigate overly convoluted and complex security measures. Such dissatisfied users are prone to distribute data over unsecured channels, prevent the installation of security updates and deploy shadow IT.
So what do you do? Ivanti’s 2022 Digital Employee Experience Report indicates IT leaders — with support from the C-suite — need to put their efforts toward providing a secure-by-design digital employee experience. While that once may have seemed like an impossible task, it’s now easier than ever thanks to an emerging market for DEX tools that help you measure and continuously improve employees’ technology experience.
One area in which organizations can easily improve both security and employee experience is authentication. Annoying and inefficient to remember, enter and reset, passwords have long been the bane of end users.
On top of that, they’re extremely unsecure. Roughly half of the 4,291 data breaches not involving internal malicious activity analyzed for the 2023 Verizon DBIR were enabled through credentials — about four times the amount enabled by phishing — making them by far the most popular path into an organization’s IT estate.
Passwordless authentication software solves this problem. If you’d like to improve end user experience and reduce your attack surface in one fell swoop, deploy a passwordless authentication solution that uses FIDO2 authentication protocols. Both you and your users will rejoice when you can say goodbye to passwords written on Post-it Notes forever.
Ivanti’s suggested best practices for reducing your attack surface combine learnings from our firsthand experience plus secondhand knowledge gleaned from authoritative resources.
And while these best practices will indeed greatly diminish the size of your attack surface, there’s no shortage of other steps an organization could take to combat the ever-expanding size and complexity of modern attack surfaces.
Check out the following free resources — some of which were referenced above — for additional guidance on shrinking your attack surface:
So, you’ve implemented all the best practices above and you’re wondering what’s next. As with all things cybersecurity, there’s no time for standing still. Attack surfaces require constant monitoring.
You never know when the next unmanaged BYOD device will connect to your network, the next vulnerability in your CRM software will be exploited or the next employee will forget their iPhone at the bar after a team happy hour.
On top of tracking existing attack vectors, you also need to stay informed about emerging ones. For example, the recent explosion of AI models is driving substantial attack surface growth, and it’s safe to say more technologies that open the door to your IT environment are on the horizon. Stay vigilant.
About Robert Waters
Robert Waters is the Lead Product Marketing Manager for endpoint security at Ivanti. His 15 years of marketing experience in the technology industry include an early stint at a Fortune 1000 telecommunications company and a decade at a network monitoring and managed services firm.
Robert joined Ivanti in November of 2022 and now oversees all things risk-based vulnerability management and patch management.
The old saying goes, “practice what you preach.” When Ivanti started its “Customer Zero” initiative, Bob Grazioli, Chief Information Officer, saw it as a perfect opportunity to test the products and services consumed by customers.
For example, during Ivanti’s move to the cloud, Grazioli and the team experienced the same issues that customers would’ve experienced in their migration process. This first-hand experience allowed them to make improvements along the way. Listen to Grazioli go into detail about other crucial findings in the Customer Zero initiative and how expanding ITSM helps elevate the employee experience.
Key learnings from Ivanti’s “Customer Zero” program
“That’s great to call out our Customer Zero program because we’re really proud of it, actually. We are the first customer in Ivanti. We take every one of our tools that are obviously applicable to IT or SaaS and we implement them first, before the customer,  to provide the feedback to our product managers, our engineering team and make sure that that feedback either makes it into the product or eliminates any potential problems that our customers might experience if something obviously wasn’t discovered during our testing.  
But having said that, we have learned an awful lot about actually moving from on-prem to SaaS. If you look at what we’ve done with Customer Zero, our focus now has been to take a look at the Ivanti on-prem products and move ourself to the cloud. Obviously, I manage SaaS, so I’m very biased towards being in the cloud and that is our focus right now. So, we’ve taken patch, we’ve moved that from on-prem to cloud.
We now have taken our ITSM converged product with workflow management, with all of low-code, no code, we moved that into IT for ITSM. We have our own CMDB that we’re running against Discovery. Going out to our data centers, we have close to what, 40 different geos globally that we manage — thousands and thousands of assets across all of those data centers. Those are all being discovered placed in our own CMBD and managed.  
We’re now deploying GRC for our compliance. We were like a lot of, you know, companies struggle through our SOC 2, SOC 2 type 2, where artifacts are put into certain repositories. We managed those assets. Now we have GRC, where all those artifacts get managed to ITSM. They’re linked to the proper controls. It makes the audit process so much simpler, so much easier for us to get through every year for compliance.   
We’re learning that through the efficiency of moving to cloud from on-prem to SaaS, we’re learning those efficiencies do save us time, have a great ROI in terms of the OpeEx – CapEx equation, if most of you CIOs that go through that, there is a big advantage on the Capex-Opex side.”
“And then, just having all of our data in the cloud in ITSM, as I said earlier, becoming a single source of truth for Patch, Discovery, RiskSense [now known as Risk-Based Vulnerability Mangement] vulnerabilities. And obviously, the main focus, all the tickets that are created on the customer facing side, giving us insight into the customer, into what they’re using or what they’re not using. So really, adoption, big part of obviously what you need in SaaS to manage, the real true user experience.  
It really has been eye opening, moving all of our products from on-prem to SaaS, leveraging those SaaS products in our own cloud, gaining that experience, pushing it back to product managers, pushing it back to engineering to produce a better quality product and a better service for all of our customers as they migrate to the cloud.  
So, we kind of blunt any particular problems that our customers would have experienced when they move from on-prem to cloud. Customer Zero – it’s definitely eliminating a lot of issues that customers would have had if they move on-prem to SaaS. And we’re providing valuable telemetry to help improve our product and improve the quality and service to our customers.”
Important takeaways from Ivanti’s Customer Zero initiative
“Well, so we’ve improved our catalog for service requests and so on. That is the evolution of what ITSM should do. But DEX is the key. Having all of those tickets in ITSM that show customer issues or customer successes or what they’re using in our product, etc.
That is the game changer because now, as I said earlier, having DEX out there, looking at all those tickets, analyzing the tickets and then proactively either anticipating a problem with their device or potentially the way a customer is adopting certain technologies that we pushed out into the environment.
Those tickets are gold for that level of telemetry that allows us to gain the insights we need to provide the customer with a better experience. I think ticket management is really, it’s tough — you don’t want a lot of tickets, obviously, because sometimes that’s not a good thing. But what these tickets represent in terms of knowledge of the customer, it really is instrumental in us making things better, making the service better and having the customer have a better experience.”
“I mean, we use the word culture, but let’s face it, the generation of customers that are out there today growing up with technology and having the ability to control a lot of that technology right at their fingertips, that’s really what you’re trying to accommodate.
You don’t want someone to come into your company as an employee and have them not have that same experience. Not have them engaged with technology the same way they can engage at home or anywhere else out in the market. That’s what we’re trying to get to and be for that customer.  
And we’re doing that because today, with the proactive nature that we’re creating within our products. Proactive nature, that’s DEX.
That’s having all that intelligence to engage the customer with empathy and with a proactive approach to giving them a solution to whatever issue they have. It’s empathy to what they’re going through and then proactively providing them with a fast, reliable solution to whatever experience they’re calling in on.
I think that’s our goal and I think ITSM is evolving to that because again, of the amount of information it’s able to collect and use with all of the AI and ML that we’re applying to it, to really create that more proactive experience with a very intelligent, very tech savvy customer that we have both in and outside our company.  
And that’s happening. That’s the culture, if you will, that I see, that I’m engaged with, and we want to make sure our products can satisfy. ”
Broadening ITSM to support other areas brings with it new levels of proactive troubleshooting and empathy, helping you drive a better digital employee experience.
There are several browsers compatible with DNS over HTTPS (DoH). This protocol lets you encrypt your connection to 1.1.1.1 in order to protect your DNS queries from privacy intrusions and tampering.
Some browsers might already have this setting enabled.
There’s a powerful tool hiding in your browser: Inspect Element.
Right-click on any webpage, click Inspect, and you’ll see the innards of that site: its source code, the images and CSS that form its design, the fonts and icons it uses, the JavaScript code that powers animations, and more. You can see how long the site takes to load, how much bandwidth it used to download, and the exact color in its text.
Or, you could use it to change anything you want on the page.
Inspect Element is a perfect way to learn what makes the web tick, figure out what’s broken on your sites, mock up what a color and font change would look like, and keep yourself from having to Photoshop out private details in screenshots. Here’s how to use Inspect Element—your browser’s secret superpower—to do all the above and more.
Most web browsers include an Inspect Element tool, while Microsoft’s Edge browser includes a similar set of Developer Tools. This tutorial focuses on Inspect Element tools for Google Chrome, Mozilla Firefox, and Apple Safari, but most of the features work the same in other browsers like Brave.
If you’ve never peeked at a website’s code out of curiosity, you might wonder why you should learn how to use Inspect Element. Below are just a few reasons why different roles can benefit from learning this trick of the trade.
Designer: Want to preview how a site design would look on mobile? Or want to see how a different shade of green would look on a sign-up button? You can do both in seconds with Inspect Element.
Marketer: Curious what keywords competitors use in their site headers, or want to see if your site’s loading too slow for Google’s PageSpeed test? Inspect Element can show both.
Writer: Tired of blurring out your name and email in screenshots? With Inspect Element, you can change any text on a webpage in a second.
Support agent: Need a better way to tell developers what needs to be fixed on a site? Inspect Element lets you make a quick example change to show what you’re talking about.
Web developer: Need to look for broken code, compare layouts, or make live edits to a page? Inspect Element does that, too.
For these and dozens of other use cases, Inspect Element is a handy tool to keep around. For now, let’s see how to use the main Elements tab to tweak a webpage on your own.
How to inspect elements with Google Chrome
There are a few ways to access Google Chrome Inspect Element. Just open a website you want to try editing (to follow along with this tutorial, open the Zapier blog post What is AI?), then open the Inspect Element tool in one of these three ways:
Method 1: Right-click anywhere on the webpage, and at the very bottom of the menu that pops up, click Inspect.
Method 2: Click the hamburger menu (the icon with three stacked dots) on the far-right of your Google Chrome toolbar, click More Tools, then select Developer Tools.
Method 3: Prefer keyboard shortcuts? Press command + option + I on a Mac, or Ctrl + Shift + Con a PC to open Inspect Element without clicking anything.
Once you take your preferred route to opening the Developer Tools pane, by default, it will show the Elements tab—that’s the famed Inspect Element tool we’ve been looking for.
If you want to change the orientation of the Inspect Element pane, click the three vertical dots on the top-right side of the Inspect Element pane near the “X” (which you’d click to close the pane). Now, you’ll see options to move the pane to the bottom, left, or right side of your browser or to open the pane in a completely separate window (undock view).
For this tutorial, let’s dock the pane on the right side of our browser window to give us more space to work. You can make the Developer Tools panel wider or narrower by hovering over the left-side border. Once the ↔ cursor appears, drag the pane left to widen it or right to narrow it.
How to inspect elements with Firefox
To get to Inspect Element on Firefox, like Chrome, you have three options.
Method 1: Right-click anywhere on the page and click Inspect at the bottom of the menu.
Method 2: Click the hamburger menu(three horizontal lines at the top-right corner of the window), select More tools, then click Web Developer Tools.
Method 3: The keyboard shortcut on Firefox is command + option + I for Macs and Control + Shift + C for PCs.
The Element pane in Firefox likes to pop up at the bottom of the window, which doesn’t give you much room to work with. To move that pane to the side and free up more room, click the hamburger menu (three horizontal dots, next to the “X” in the top-right corner) and click Dock to Right (or left, if you prefer).
If you like, you can also move the pane into a separate window in this menu. You can also expand the pane further or narrow it by hovering over the edge until your cursor changes, and then drag it to the left or right.
How to inspect elements with Safari
To launch Inspect Element with Safari, you’ll need to activate the developer capabilities in the advanced settings first. Here’s how.
Click the Safari dropdownin the top navigation bar above the Safari window, and then click Preferences.
Navigate to Advanced,and check the box at the bottom of the window by Show Develop menu in the menu bar. Close the window.
Now, you should be able to right-click anywhere on the page and click Inspect Elementto open the Elements pane.
The pane should appear along the bottom of your window. To move it to a side alignment and give yourself a little more space to look at the code, click the Dock to right of window (or left of window) option on the top-left corner of the pane, next to the “X.”
I prefer right, but you can easily switch this to the other side or detach the pane into its own separate window if you prefer. To make the pane wider or narrower, just hover over the edge until the cursor changes to the dragger, then drag to move the edge.
Tools you can access through Inspect Element (+ tutorials)
Now that we’re in Inspect Element, there’s an array of useful tools at our fingertips that we can use to make any site look exactly how we want. For this tutorial, we’ll focus on the Search, Elements, and Emulation tabs. These aren’t the only useful tools Inspect Element opens up—not by a long shot—but they’re extremely helpful ones that beginners can start putting to use right away.
Note that, for simplicity, I’ll be using Chrome to demonstrate, but the instructions should be essentially the same for all three browsers.
Find anything on a site with Inspect Element Search
Wondering what goes into your favorite sites? Search is your best tool for that, aside from reading a site’s entire source code.
You can open the default Elements view, press Ctrl + F or command + F, and search through the source code. But the full Search tool will also let you search through every file on a page, helping you find text inside CSS and JavaScript files or locate an icon image you need for an article.
To get started, open Zapier’s blog article on “What is AI?” in Chrome, then open Inspect Element, click the hamburger menu, and select Search. The Search tab will appear on the bottom half of the Developer Tools pane.
In the search field, you can type anything—anything—that you want to find on this webpage, and it will appear in this pane. Let’s see how we can use this.
Type meta name into the search field, press Enter, and you’ll immediately see every occurrence of “meta name” in the code on this page. Now, you can see this page’s metadata, the SEO keywords it’s targeting, and whether or not it’s configured to let Google index it for search. That’s an easy way to see what your competitors are targeting—and to make sure you didn’t mess anything up on your site.
Search is an effective tool for designers as well since you can search by color, too. Type #ff4a00 into the search field and press Enter (and make sure to check the box beside Ignore case to see all of the results). You should now see every time the color #ff4a00, Zapier’s shade of orange, appears in this site’s CSS and HTML files. Then, just click the line that reads “color: #ff4a00;” to jump to that line in the site’s HTML and tweak it on your own (something we’ll look at in the next section).
This is a handy way for designers to make sure a site is following their brand’s style guide. With the Search tool, designers can easily check the CSS of a webpage to see if a color is applied to the wrong element, if an incorrect font family is used on a webpage, or if you’re still using your old color somewhere on your site.
The Search tool is also the perfect way to communicate with developers better since you can show them exactly where you’ve found a mistake or exactly what needs changing. Just tell them the line number where the problem exists, and you’ll get your fix that much quicker.
Or you can change the webpage yourself with Elements, the core part of Chrome’s Developer Tools.
Change anything with Elements
Front-end developers use the Inspect Element tool every day to modify the appearance of a webpage and experiment with new ideas—and you can, too. Inspect Element lets you tweak the appearance and content of a webpage by adding temporary edits to the site’s CSS and HTML files.
Once you close or reload the page, your changes will be gone; you’ll only see the changes on your computer and aren’t actually editing the real website itself. That way, you can feel free to experiment and change anything—and then copy and save the very best changes to use later.
Let’s see what we can do with it.
Click the Elements tab in the Developer Tools pane—and if you want more room, tap your Esc key to close the search box you had open before. You should see the HTML for this page—now you know how the sausage gets made.
In the top-left corner of the Developer pane, you’ll see an icon of a mouse on top of a square. Click it, then you can select any element on the page you want to change. So let’s change some things!
Change the text on a webpage
Ever wanted to change text on a site? Perhaps to see how a new tagline would look on your homepage or to take your email address off a Gmail screenshot? Now you can.
Click the icon of a mouse cursor on a square in the top-left corner of the pane.
Click any text on the page (like the copy on our “What is AI?” blog), which will correspond with a blue highlight over the related code.
Double-click the highlighted text in the Developer Tools pane (not the text on the live page) to turn it into an editable text field.
Type anything you want in this text field (“Auri is a genius” should work just fine), and press Enter.
Voila! You’ve just (temporarily) changed the text on the webpage.
Refresh the page, and everything will go back to normal.
Fun? Let’s try another way to change some things on this page by closing out of the Developer pane altogether. You can then highlight any part of the live webpage you want to edit, then right-click it and hit Inspect.
When your Developer Tools pane opens, it should automatically highlight that sentence. Pretty neat, huh? It’s the little things that count.
Now that we’ve selected a sentence to change on our blog, let’s change how it looks.
Change the color and font of elements
On the lower half of the Developer Tools pane, you’ll see a sub-pane with a few additional tabs that allow you to change how this text looks on the page. Let’s get started on the Styles tab.
You may notice that some things are crossed out. This means that these styles are not active for the element we’ve selected, so changing these values will have no effect.
Let’s try changing something.
Look through the code for the “font-size” field and click into it. Let’s change it from 34px to 42px.
Now scroll down to “color” and change it to Zapier’s signature #ff4a00.
This will look a bit cramped, so let’s finish by changing the “line-height” to 44px.
Now check the blog post to see the difference.
Now let’s try something really cool.
Change element states
Want to see how a button or link will look once someone interacts with it? Inspect Element can show that, too, with force element state tools. You can see how the element will look once a visitor hovers over the element (hover state), selects the element (focus state), and/or has clicked that link (visited state).
As with the other examples, you’ll need to click the mouse cursor/box icon. For this example, we’ll select the “Artificial Intelligence (AI)” tag on the “What is AI” article to try a color change.
In the Developer Tools pane, right-click on that code in the Elements tab, hover over Force state, and click the :active: option. Do this one more time, but click the :hover: option this time.
That will change the button’s background to black, which is what happens when you hover over the button on the live site.
Now, change the “background-color” value to #ff4a00.
You should instantly be able to see what the new hover color will look like.
Try experimenting—change the :hover: color, then uncheck :hover: in the right-click menu and drag your mouse over the button to see the new button color.
Change images
You can easily change images on a webpage with Inspect Element, too. Using the same “What is AI?” blog post as an example, let’s replace the orange solid color background on the “Power your automation with AI” button with a dramatic photo of a solar flare from NASA.
First, copy this link to the image: https://c1.staticflickr.com/9/8314/7931831962_7652860bae_b.jpg
Open Inspect Element on the orange background of the “Power your automation with AI” button and look for the “background-color” code in the pane.
Click “background-color” and replace color with image—this should cause an error. Just replace the color code with url and then paste the URL you copied into the parentheses.
This should automatically replace that boring single-color background with a flashy new image.
Note: You can also change a photo to a GIF or a video—all you need is a link to the file, and you can add it in.
Editing text is handy, swapping out images is fun, and changing colors and styles just might help you quickly mock up the changes you want made to your site. But how will that new tagline and button design look on mobile?
That’s where Emulation comes in—it’s where everything we’ve reviewed so far can be applied even further. Let’s see how.
Test a site on any device with Emulation
Everything has to be responsive today. Websites are no longer only viewed on computers—they’re more likely than ever to be viewed on a phone, tablet, TV, or just about any other type of screen. You should always keep that in mind when creating new content and designs.
Emulation is a great tool to approximate how websites will look to users across various devices, browsers, and even locations. Though this does not replace actual testing on a variety of devices and browsers, it’s a great start.
In the Developer Tools pane, you’ll notice a little phone icon in the top-left corner. Click it. This should change the page into a tiny, phone-styled page with a menu at the top to change the size.
Resize the small browser to see how things look if you were browsing on a tablet, phone, or even smaller screen. Or, click the menu at the top to select default device sizes like Surface Duo or iPhone 12 Pro—let’s go ahead and select the latter.
The webpage screen should shrink down to the device’s size, and you can zoom in a bit by clicking the percentage dropdown next to the dimensions.
If you change the device preset to “Responsive,” you can enlarge the view by dragging the right edge of the webpage emulation right. See what happens? Dragging the screen along the grid allows you to see how the webpage will change as the screen size changes. You can even toggle portrait and landscape views by clicking the little rotation icon at the end of the top menu.
Play around with the other devices to see how the webpage and screen resolution changes. All of the other developer tools we’ve gone over so far will also react to the device view.
Emulate mobile device sensors
When you start interacting with a device preview, you may notice that your mouse now appears as a little circle on the webpage. This allows you to interact with the page as if you’re on your mobile device.
If you click while dragging the page down, it doesn’t highlight text like it normally would in your browser—it drags the screen down like you’re on a touchscreen device. Using this view, you can see how large touch zones are on a webpage. This means you can see which buttons, icons, links, or other elements are easily touchable with the finger.
You can even make your browser act like a phone. Press your Esc key to open the Search pane in Inspect Element again, and this time click the hamburger menu on the top-right. Select More toolsand then Sensors to get four new tools: Location, Orientation, Touch, and Emulate Idle Detector state.
Touch lets you choose whether the circle selector that acts more like a finger than a normal mouse cursor is forced or device-specific.
Orientation lets you interact with motion-sensitive websites, such as online games that let you move things by moving your phone.
Location lets you pretend you’re in a different location.
Emulate Idle Detector state allows you to toggle between different idle user conditions.
Let’s try viewing this site from Berlin. Just click the dropdown and select the city—nothing changes, right?
This is because there isn’t content on this page that changes based on your location. If you change the coordinates on a site like Groupon.com that uses your location to show localized content, though, you would get different results. Go to Google.com in a different location, and you’ll perhaps see a new Google logo for a holiday in another country, or at least will get the results in a different language.
Emulation is a great way to put yourself in your user’s shoes and consider what the user may be seeing on your webpage—and it’s a fun way to explore the international web.
Emulate mobile networks
You can also see what it’s like to browse a site on different networks—perhaps to see if your site will load even if your users are on a slower 3G network.
To give it a try, click the hamburger menu in the top-right corner of the pane, hover over More tools, and select Network conditions.
There, you can choose from fast or slow 3G, or offline to see how the page works without internet. Or, click Add… to include your own testing (perhaps add 56Kbps to test dial-up internet). Now, reload the page, and you’ll see just how long it’d take for the site to load on a slow connection—and how the site looks while it’s loading. That’ll show why you should improve your site to load faster on slow connections.
You can also change your user agent—uncheck Use browser default in the User agent field and select Firefox — Mac perhaps to see if the site changes its rendering for other browsers on different devices. That’s also a handy hack to make webpages load even if they claim they only work in a different browser.
This is by no means a complete list of things you can do with Inspect Element. As you start exploring, you’ll see many more features. My advice: click all the buttons.
By: Peter Girnus, Aliakbar Zahravi June 20, 2023 Read time: 10 min (2790 words)
This is the third installment of a three-part technical analysis of the fully undetectable (FUD) obfuscation engine BatCloak and SeroXen malware. In this entry, we document the techniques used to spread and abuse SeroXen, as well as the security risks, impact, implications of, and insights into highly evasive FUD batch obfuscators.
The remote access trojan (RAT) SeroXen tool can be purchased on the clearnet. During our investigation, we uncovered multiple domains selling not only this nefarious tool but also a cracked version of it hosted on a popular crack forum. We also uncovered individuals on popular video sites such as YouTube and TikTok acting as distributors for this piece of fully undetectable (FUD) malicious software. At the time of writing, many of these videos remain available for viewing.
Distribution methods: SeroXen’s online platforms
In this section, we break down the different platforms that SeroXen uses to spread malware.
Website
Figure 1. SeroXen website
The tool SeroXen sports a sleek website with pages that users might expect from any number of websites selling software on the internet. However, sometime between the last week of May and the first week of June, a new shutdown notice has surfaced on its website due to SeroXen’s popularity and cybercriminal efficacy. Considering the content of the notice, there are strong indications that this shutdown is merely for show and that distribution is still ongoing through other platforms and channels.
Figure 2. SeroXen’s website shutdown notice
Prior to the shutdown notice, we observed the main SeroXen website offering a comprehensive list of features to prospective consumers. Examining some of the core features advertised by SeroXen shows a rich feature selection, including:
A Windows Defender-guaranteed bypass for both scan time and runtime.
FUD scan time and runtime evasion against most antivirus engines.
Hidden Virtual Network Computing (hVNC).
Full modern Windows support.
Figure 3. SeroXen’s features list
In addition to the sophisticated evasion and FUD component, the inclusion of hVNC is concerning as it is often deployed by highly sophisticated types of malware and advanced persistent threat (APT) groups. The hVNC component allows threat actors to operate a hidden or “virtual” desktop rather than the main desktop to keep the malicious sessions in the background running uninterrupted.
Meanwhile, the SeroXen web application provides users with the option to acquire either a monthly license key or a lifetime key using cryptocurrency.
Figure 4. SeroXen monthly subscription (top) and lifetime (bottom) price optionsFigure 5. SeroXen is currently unavailable for purchase at the website
The SeroXen web application also boasts a product support team available from Monday to Friday following a location for a time zone reference in the US. The Telegram account of the developer is also available for messaging, and the relevant channels are still active. At one point, a Discord account might also have been available for contact, although it was already unavailable at the time of this writing.
Figure 6. SeroXen’s product support offers
During our investigation, we encountered the disclosure of the developers and contributors associated with SeroXen’s development. Notably, the list includes the individual who also contributed to the creation of batch obfuscators such as Jlaive, BatCrypt, CryBat, Exe2Bat, and ScrubCrypt. This direct linkage therefore establishes a clear association between these historical FUD batch obfuscators and the SeroXen malware. In June, we also noticed that the website’s acknowledgments included the social media handle of the distributor.
Figure 7. The developers of Jlaive, BatCloak, CryBat, Exe2Bat, ScrubCrypt, and social media distributor’s username acknowledged on the SeroXen website
Social media accounts
While investigating SeroXen’s website, we uncovered a link to a review video hosted on YouTube.
Figure 8. Link to SeroXen review hosted on YouTube
The content is presented as a “review” and facilitated by a reseller. More importantly, it functions not only as an evaluation but also as a promotional advertisement coupled with a tutorial showcasing the capabilities of SeroXen. We found a collection of videos that was also attributed to a reseller of the malware. These videos function to endorse and market SeroXen, reinforcing its presence and appeal within the designated market. Details such as knowledge, discounts offered, and claims of being a distributor indicate the increased likelihood of this user being connected to the owner of the web app.
Figure 9. SeroXen YouTube advertisementsFigure 10. SeroXen distributor selling the malware on YouTube
Certain prospective customers of SeroXen have demonstrated an inclination toward exploring specific aspects associated with illicit activities. Their expressed interest encompasses the use of SeroXen in the context of engaging in potentially unlawful endeavors within the Roblox community.
Figure 11. Prospective customer interested in Roblox cookie theft
For context, Roblox is a widely popular video game with a user base of over 214 million active monthly users across the globe, predominantly comprised of minors, with approximately 67% of the player demographic aged below 16 years. In the US, over half of Roblox players are minors. In Figure 10, the significance of the inquiry lies in the potential risks and impact associated with the theft of the .ROBLOSECURITY cookie from an unsuspecting victim. If successfully stolen, this cookie would grant a threat actor the ability to compromise the targeted Roblox account by overriding two-factor authentication (2FA).
This exchange also highlights the risk associated with highly evasive and modular types of malware — namely, a modular design with the ability to load additional components to create a bigger impact on targeted and unwitting victims. In this instance, the reseller mentions the ability to use SeroXen with Hazard, a stealer with many features, including the capability to steal Discord webhooks.
At one point, the distributor sold SeroXen on Discord, but their accounts have a history of being terminated. In an exchange with a prospective customer on YouTube, a YouTube channel owner shows a clear understanding of how this tool will be used for criminal activity, after which they encourage a prospective customer to get in touch with them since they are a reseller. We also uncovered the reseller’s Twitter profile, which hosted more promotional content for SeroXen.
Figure 12. A reseller’s conversation with a prospective buyer on YouTube (top) and the reseller’s YouTube and Twitter profiles (middle and bottom)
As of this blog entry’s week of publishing, we noted that the social media distributor confirmed that SeroXen’s “sale” (referred to only as “offsale” on the website) is now offline. Still, this mainstream availability and exchange raise substantial concerns, given its occurrence outside the boundaries of underground hacking forums. While researchers and ordinary users alike might expect this kind of complacence and leeway on the darknet, they do not expect the same on a popular mainstream platform such as YouTube. This underscores the potential implications of the exchange, as it indicates that cybercriminals have become bolder in infiltrating mainstream platforms online. In turn, malicious activities and discussions related to illicit cybersecurity practices are now able to infiltrate mainstream online platforms.
Figure 13. SeroXen’s social media distributor confirms the RAT as unavailable for interested buyers/users
Additionally, during the investigation of this reseller’s YouTube profile we uncovered a batch-to-dropper file uploaded to Virus Total around the time of the latest SeroXen promotional video. The name of the batch file matches the username of this reseller’s YouTube profile. This batch attempts to download an infected batch file from Discord and run the infected file that leads to a SeroXen infection.
Figure 14. YouTube reseller includes SeroXen developer’s Telegram handleFigure 15. Reseller names file after uploading to a public repository, matching it with their YouTube profile name
SeroXen’s forum presence
We also discovered that the author of SeroXen actively engages with prominent hacking enthusiast forums to promote and distribute the malware. This strategic use of established forums catering to the hacking community serves as an additional avenue for the author to market and sell SeroXen, expanding its reach.
Figure 16. SeroXen advertisement on a popular hacking forum
Upon investigating the post of SeroXen’s developer, we saw that the author of Jlaive, BatCrypt, CryBat, Exe2Bat, and ScrubCrypt was once again acknowledged as playing a part in the development of SeroXen’s FUD capabilities. Additionally, on another forum, we found a cracked version of SeroXen that allows cybercriminals to bypass the payment requirement set up by the malware’s original developers.
Figure 17. Acknowledgement of developers and contributors in a forum postFigure 18. A cracked version of SeroXen
Examining the prevalence and impact of SeroXen
Throughout our investigation of the scope of infections, we discovered a substantial collection of forum posts containing reports from victims who fell prey to the SeroXen infection. This particular strain of malware showed a notable increase in users reporting their infections, with well-meaning individuals advising victims to implement security and antivirus solutions, which all failed to detect any malicious activity. This then perpetuates a distressing cycle of infections driven by the malware’s FUD capabilities.
Understanding SeroXen infections through an analysis of community discussions
We conducted an analysis on Reddit by analyzing reports of SeroXen infections. Many of these posts reported that the users noticed suspicious actions but were powerless to remediate the ongoing infection.
We went through different forum threads and observed a common theme among the scores of individuals whose systems were infected: they were downloading and executing highly suspect pieces of software hosted on Discord and other file-hosting services related to special interests. We also noticed reports of deceptive batch installers (downloaded from GitHub) claiming to be legitimate software installers or tools for highly sought-after applications and interests like Photoshop, image loggers, TikTok, quality-of-life tools, and Tor, among others. The primary intention behind this fraudulent activity is to lure unsuspecting individuals into unintentionally installing malicious programs that lead to compromise.
Figure 19. A user’s system is infected after they download the game Counter Strike: Global Offensive (CSGO).Figure 20. Samples of users reporting infections
Based on our analysis of the collected samples, one of the largest target communities are gamers playing popular titles such as Roblox, Valorant, Counter Strike, Call of Duty, and Fortnite. These multiplayer online games contain a rich ecosystem of desirable, high-value, and in-game items that make a rich in-game economy, making them a viable target of malicious actors using SeroXen. In particular, theft appears to be the primary motive driving these infections. Over the years, a thriving underground ecosystem has been established for the illicit resale of stolen in-game items, with a particular emphasis on the popular game Roblox via beaming.
What is Roblox beaming?
Within the Roblox community, the unauthorized sale of items, referred to as “beaming” in the community, has proven itself to be an immensely profitable venture for nefarious actors. It is worth noting that certain rare items within Roblox, known as “limiteds,” can command significant prices that reach thousands of dollars in real-world commercial values. Discord has served as fertile ground for buying and selling these items, allowing cybercriminals to exploit and profit from unsuspecting children who fall victim to their schemes.
During our investigation, we uncovered a thriving underground community using Discord to post stolen cookies to beam victims. Frequently, the practice of beaming is employed to generate content specifically intended for popular online platforms like YouTube and TikTok. Numerous individuals, often including minors, are subjected to beaming for the purpose of entertainment. Over the course of our investigation, we also uncovered many instances of beaming tutorials and how-to videos on both TikTok and YouTube.
Figure 21. A .ROBLOSECURITY cookie posted on Discord for beamingFigure 22. Roblox beaming videos on YouTube (top and middle) and TikTok (bottom)Figure 23. Roblox beaming tutorials on TikTok
Furthermore, our findings have revealed that these video platforms frequently function as recruitment platforms, funneling individuals into beaming Discord channels to engage in unethical and detrimental activities.
Figure 24. A Roblox beamer recruitment video on TikTok
FUD batch obfuscation techniques coupled with hVNC-capable toolkits provide actors powerful tools not only for stealing content but also for creating significant psychological distress in communities with a significant number of minors.
Examining SeroXen infections with insights from the Microsoft Support community
During our investigation of the prevalence and impact of SeroXen infections, we also examined posts within the Microsoft Support community. We observed striking similarities between the infection chain reported in this community and the discussions in Reddit. Moreover, a deeper understanding of the actions perpetrated revealed two distinct and concerning patterns. The first pattern involved direct extortion tactics, while the second involved the issuance of threats to victims’ lives through swatting.
Figure 25. Samples of reports seeking help against an extortion attempt (top) and a threat of swatting (bottom) after hackers gain control of users’ infected systems through SeroXen
Conclusion
Considering the capabilities and potential damage resulting from this tool, the costs for entry are low to null (given the cracked versions available online). This means that both cybercriminals and script kiddies experimenting with malware deployments can avail of SeroXen. Depending on the goals of cybercriminals — whether they care for arrests and notoriety or simply want to spread the tool — the sophistication of the infection routines does not appear to match with the chosen methods for distribution. The almost-amateur approach of using social media for aggressive promotion, considering how it can be easily traced, makes these developers seem like novices by advanced threat actors’ standards. That being said, the real-life consequences of abusing highly evasive malware as a tool to threaten other users via swatting and other threats to personal safety remain highly concerning especially as these developers might interact with online communities populated by minors.
The addition of SeroXen and BatCloak to the malware arsenal of malicious actors highlights the evolution of FUD obfuscators with a low barrier to entry. This can be considered an upcoming trend for a range of cybercriminals who can use a wide range of distribution mechanisms like Discord and social media platforms and their features (such as YouTube and short-from videos in TikTok) to push their preferred types of destructive software for abuse. Additionally, this trend also highlights the potential of highly evasive malware to proliferate in communities that host a significant number of minors who might be ill-equipped to confront destructive pieces of malware. Considering the low-to-nil detections in public repositories once a piece of malware is armed with these tools, this evolution presents new challenges to security teams and organizations alike, especially since FUD obfuscation can be used to deliver any kind of imaginable threat, including those that are not yet known.
Parents and guardians are encouraged to proactively familiarize themselves with the contemporary digital dynamics their children use regularly. This includes gaining an understanding of the various online communities that their children participate in, as well as communicating essential safe online practices and skills to their children. Adults are also encouraged to familiarize themselves with the colloquialisms minors use online and the platforms they frequent. By becoming familiar with these areas and simultaneously equipping children with such knowledge, guardians can play a pivotal role in ensuring everyone’s online safety and well-being.
Trend Vision One™️ enables security teams to continuously identify the attack surface, including known, unknown, managed, and unmanaged cyber assets. It automatically prioritizes risks, including vulnerabilities, for remediation, taking into account critical factors such as the likelihood and impact of potential attacks. Vision One offers comprehensive prevention, detection, and response capabilities backed by AI, advanced threat research, and intelligence. This leads to faster mean time to detect, respond, and remediate, improving the overall security posture and effectiveness.
When uncertain of intrusions, behaviors, and routines, assume compromise or breach immediately to isolate affected artifacts or tool chains. With a broader perspective and rapid response, an organization can address these and keep the rest of its systems protected. Organizations should consider a cutting-edge multilayered defensive strategy and comprehensive security solutions such as Trend Micro™ XDR that can detect, scan, and block malicious content across the modern threat landscape.
Our commitment to online safety
Trend Micro is committed to digital safety through our Trend Micro Initiative for Education , our outreach program that aims to improve internet safety awareness, digital literacy, and malware defense capabilities for a safer digital world. Our initiatives and participation for security and safety include but are not limited to:
If you receive a swatting threat or information that an individual is planning to engage in swatting activities, please report it to local law enforcement and/or the Federal Bureau of Investigation (FBI) at 1-800-CALL-FBI immediately.
By: Peter Girnus, Aliakbar Zahravi June 15, 2023 Read time: 7 min (2020 words)
We looked into the documented behavior of SeroXen malware and noted the inclusion of the latest iteration of the batch obfuscation engine BatCloak to generate a fully undetectable (FUD) .bat loader. This is the second part of a three-part series documenting the abuse of BatCloak’s evasion capabilities and interoperability with other malware.
The recent rise of highly sophisticated malware’s ability to evade detection through fully undetectable (FUD) capabilities, low-cost financial accessibility, and minimal skill barriers have created a pervasive threat targeting online communities and organizations. One particular malware known as SeroXen has deployed an advanced, fully undetectable (FUD) technique via highly obfuscated batch files to infect victims with hVNC-(Hidden Virtual Network Computing) capable malware.
This entry is the second installment of a three-part series featuring BatCloak engine, its iterations, and inclusion in SeroXen malware as the main loading mechanism. The first entry, titled “The Dark Evolution: Advanced Malicious Actors Unveil Malware Modification Progression,” looked into the beginnings and evolution of the BatCloak obfuscation engine. The third part of this series, “SeroXen Mechanisms: Exploring Distribution, Risks, and Impact,” analyzes the distribution mechanism of SeroXen and BatCloak, including the security impact and insights of FUD batch obfuscation. As of this writing, a quick online search for SeroXen will show top results for an official website and social media and sharing pages with videos on how to use the remote access trojan (RAT) as if it were a legitimate tool. We will go over these dissemination strategies in the subsequent entry.
SeroXen’s FUD batch patterns
To attain FUD status, the obfuscation patterns employed in SeroXen have shown multilayered tiers in its evolution, evolving from notable predecessors such as Jlaive, BatCloak, CryBat, Exe2Bat, and ScrubCrypt. Notably, the author of these FUD tools is acknowledged as a contributor in various instances, including attributions present on the main SeroXen website and forum posts authored by the individual behind SeroXen.
Examining the SeroXen infection chain
Figure 1. SeroXen infection chain
To successfully initiate the infection process, the targeted user is lured into executing a batch file. These lures are often presented as software-specific to enthusiast groups such as gaming communities. The infection process’ efficiency is enhanced because of the batch file’s FUD capability.
We found a compilation of compromised archives associated with cheats pertaining to prominent game titles. Each of these archives harbors a highly obfuscated batch file that serves as the infection vector initiating a SeroXen infection. Alarmingly, none of the archives exhibited any form of security solution detection. In most instances, these malicious archives are hosted on the Discord CDN (content delivery network) catering to specific interested communities, but they could also be hosted on any number of cloud storage options as well as special interest forums.
Taking a visual representation of a SeroXen sample submitted to a public repository under the false pretense of being a popular online video game cheat, the sample showcases the comprehensive concealment capabilities inherent. Through investigative analysis, we found a consistent pattern in the dimensions of SeroXen’s obfuscated batch files, which commonly exhibit sizes ranging from approximately 10MB to 15MB.
Figure 2. Gaming lures with no detections
Analyzing the obfuscation patterns deployed by SeroXen
To develop a comprehensive understanding of the obfuscation algorithm utilized within SeroXen, we conducted an in-depth examination on a multitude of heavily obfuscated batch files. The figure sample exhibits an obfuscated SeroXen batch payload camouflaged under the guise of a Fortnite hack.
Figure 3. SeroXen obfuscated batch payload
The batch obfuscation patterns implemented by the SeroXen FUD algorithm can be summarized as follows:
Suppression of console output through the inclusion of the directive “@echo off”
Utilization of sophisticated string manipulation techniques to obfuscate the initial “set” command
Assignment of the “set” command to a user-defined variable
Assignment of equal operations (“=”) to a user-defined variable
Utilization of steps 3 and 4 to assign values to the additional user-defined variables
Concatenation of variables at the conclusion of the obfuscation process to construct a command, which is subsequently executed
Furthermore, our investigation showed that the implementation of layered obfuscation techniques alongside the incorporation of superfluous code fragments or “junk code” were employed to impede the analysis of the batch file hindering detections.
Summary of commands executed during the SeroXen infection process
We break down the core commands concatenated and executed in order to infect the victim as follows:
Ensure all batch commands run are suppressed with “@echo off”
Copy the PowerShell executable from System32 to the current directory
Set the current directory
Name this copied PowerShell after the batch filename with an appended .exe, such as <mal_bat>.exe
Use the PowerShell command to decrypt and execute the encrypted payload
Build the final PowerShell command used to decrypt the final payload
Use the static operator to decrypt the final payload
Analyzing the deobfuscated SeroXen batch files
During our technical analysis of FUD-enabled SeroXen batch payloads, we were able to deobfuscate the commands associated with its execution and patch key points in its operation to dump the deobfuscated version.
Figure 4. Deobfuscated SeroXen batch payload
If we compare the deobfuscated sample presented with the highly obfuscated sample (Figure 3), we can demonstrate the core function of the batch script: to generate a series of set commands in an obfuscated manner to evade detection. We see the result of the numerous obfuscated set commands in its deobfuscated equivalent. Throughout the obfuscated batch file, numerous variables are concatenated together to be executed.
The PowerShell command to be executed in the FUD obfuscated batch file is a series of hidden PowerShell commands used to decrypt and deliver the .Net loader.
Figure 6 . Final PowerShell command executed in the SeroXen batch file
The deobfuscated sequence of PowerShell commands decrypt the payload and employ an assembly reflection mechanism to reflectively load it. The essential characteristics of the final sequence of PowerShell commands include:
Decode payload using Base64
Decrypt payload using AES OR XOR algorithm. In the case of AES:
Instantiate an AES decryption object with the cipher block chaining (CBC) mode
Use a Base64 blob for the key and IV
Unzip the payload
Reflectively load the payload
From the next figure, we demonstrate how the C# loader is decrypted from the deobfuscated batch files, after which we unzip the decrypted archive to drop the .Net binary.
We decoded the payload using Base64, which is then AES-decrypted using the deobfuscated Key and IV and finally gunzipped to reveal the .Net loader. This payload is then loaded into memory using reflection.
Figure 7. Using Python to decrypt the .Net loader
Deep dive into SeroXen builder
Figure 8. Obfuscated builder
The SeroXen builder binary file is protected by the Agile .NET. After unpacking the functions and builder resources, this section shows that SeroXen is a modified version of Quasar RAT with a rootkit and other modifications, such as adopting the loader builder Jlaive and BatCloak obfuscation engine to generate a FUD .bat loader. The evolution and technical analysis of Jlaive and BatCloak was discussed in part 1 of this series.
Figure 9 . Unpacked builder resources (left) and builder function names (right) a modified version of Quasar RAT in its arsenalFigure 10. SeroXen builder adopting Jlaive and BatCloak source codes
As of this writing, SeroXen offers monthly and lifetime key options for purchase online, as well as instructions for using the RAT. We go over this in detail in the third installment of this series as part of the cybercriminals’ distribution strategies.
Figure 11. SeroXen builder usage instruction
SeroXen payload generation process
Upon pressing the “build” button, the builder writes the user-given configuration to the pre-compiled file called “client.bin,” and this produces the Quasar RAT payload and passes it to a function called “Crypt.”
Figure 12. SeroXen vs Quasar RAT payload generation
The Crypt function employs the Jlaive crypter multi-stage loader generator and BatCloack obfuscator source code to produce undetectable loaders. This function first reads the Quasar RAT payload content and verifies if it is a valid .NET assembly. Crypt then patches some string and opcode within the binary and encrypts it using the AES algorithm with CBC cipher mode, and saves it as “payload.exe.”
Figure 13. Payload encryption and obfuscation process
Much like a Jlaive crypter, the builder takes in user configuration and produces the first loader. This is achieved using a C# template file, “Quasar.Server.Stub.cs,” found embedded within its resources. The author has integrated an extra functionality in this adapted version of the Jlaive CreateCS function such as API unhooking.
Figure 14. Create C# loader
Apiunhooker.dll is an open-source project called “SharpUnhooker,” which is a C#-based universal API unhooker that automatically Unhooks API Hives (i.e., ntdll.dll, kernel32.dll, advapi32.dll, and kernelbase.dll). This technique is used to attempt evading user-land monitoring done by antivirus technologies and/or endpoint detection and response (EDR) solutions by cleansing or refreshing API DLLs that loaded during the process.
The builder subsequently compiles the C# loader stub, adding necessary files and dependencies such as encrypted Quasart RAT (payload.exe) and SharpUnhooker (Apiunhooker.dll) to its resources.
Figure 15. C# loader compilation
Next, the builder compresses the C# loader, encrypts it using AES/XOR (depending on the configuration), and encodes it in Base64. Finally, it creates a batch file and includes the encoded C# loader binary into it. It also manages the compression, decoding, and decryption processes using an obfuscated PowerShell script, which is also appended to the batch file.
The batch file’s role is to deobfuscate the PowerShell script and execute it. This PowerShell script scans the content of the batch file for the value following “::“, extracts this value, decodes it, decompresses it, decrypts it, and finally executes it in memory.
Figure 16. Creating and writing encrypted data to a batch file, and deleting temporary filesFigure 17. Generating an obfuscated batch loader (top) and PowerShell loader (bottom)
Two PowerShell templates, “Qusar.Server.AESStub.ps1” and “Quasar.Server.XORStub.ps1,” exist in the resource section of the builder. Depending on the configuration, one of these will be loaded and utilized.
Figure 18. PowerShell stub
Conclusion
In this entry, we include a Yara rule that organizations and security teams can use to detect SeroXen obfuscated batch files. Additionally, here’s a PowerShell script that can reveal the final deobfuscated batch file and commands to be run.It is critically important that this PowerShell script be run in an isolated malware sandbox.This script can be used to deobfuscate the SeroXen batch file where security teams can inspect its output file for the PowerShell command to be executed in the deobfuscation routine. By inspecting this deobfuscated payload, the analyst can grab the Key and IV from the PowerShell command to decrypt the final payload.
Overall, SeroXen is a full-feature remote administration tool (RAT) coded in C# and built using a combination of various open-source projects that work together to generate a FUD payload. Reportshaveemerged of SeroXen being abused for several infections and attacks. We foresee the evolved BatCloak engine at the core of SeroXen’s FUD capabilities as the BatCloak obfuscation engine continues to evolve and be used as a FUD tool for future malware attacks.
Individuals are strongly advised to adopt a skeptical stance when encountering links and software packages associated with terms such as “cheats,” “hacks,” “cracks,” and other pieces of software related to gaining a competitive edge. Users, developers, gamers, and enthusiasts are also advised to exercise caution when executing batch files obtained from the internet. Additionally, organizations are encouraged to stay vigilant against phishing attacks that might attempt to entice users to download and run batch installers (e.g., scripting and automation of repetitive tasks).
Organizations should consider employing a cutting edge multilayered defensive strategy and comprehensive security solutions, such as Trend Micro™ XDR, that can detect, scan, and block malicious content such as SeroXen and BatCloak across the modern threat landscape. An extended detection and response capability across endpoint, servers, workloads, email, network, cloud, and identity observed from a single platform like Trend Vision One™️ can mitigate these risks by considering adversarial tactics, techniques, and procedures (TTPs) to profile the entirety of a routine. Learn more about how the Zero Day Initiative (ZDI) bug bounty program rewards researchers for responsible vulnerability disclosure as well as protects organizations globally and stay up to date on the latest news regarding mission critical security patches.
By: Peter Girnus, Aliakbar Zahravi June 09, 2023 Read time: 3 min (681 words)
We look into BatCloak engine, its modular integration into modern malware, proliferation mechanisms, and interoperability implications as malicious actors take advantage of its fully undetectable (FUD) capabilities.
UPDATE as of 6/15/2023 7:30PM (PHT): We’ve updated this entry to include indicators of compromise (IOCs) for BatCloak.
In our recent investigation, we discovered the use of heavily obfuscated batch files utilizing the advanced BatCloak engine to deploy various malware families at different instances. Running analysis and sample collection from September 2022 to June 2023, we found that these batch files are designed to be fully undetectable (FUD) and have demonstrated a remarkable ability to persistently evade security solutions. As a result, threat actors can load various malware families and exploits by leveraging highly obfuscated batch files seamlessly. Our initial research titled “The Dark Evolution: Advanced Malicious Actors Unveil Malware Modification Progression” delves into the continuing evolution of BatCloak, uncovering the modifications that have propelled modern malware to new levels of security evasion.
This is the first entry in a three-part technical research series taking an in-depth look at the continuing evolution of the highly evasive batch obfuscation engine BatCloak. The second part of this series, “SeroXen Incorporates Latest BatCloak Engine Iteration,” will look into the remote access trojan (RAT) SeroXen, a piece of malware gaining popularity for its stealth and, in its latest iterations, targets gamers, enthusiast communities, and organizations. Aside from the RAT’s own tools, we will look into the updated BatCloak engine included as SeroXen’s loading mechanism. The third and last part of this series, “SeroXen Mechanisms: Exploring Distribution, Risks, and Impact,” will detail the distribution mechanisms of SeroXen and BatCloak. We also include our security insights on the community and demographic impact of this level of sophistication when it comes to batch FUD obfuscation.
Defying detection: A preview of BatCloak engine’s efficacy
We analyzed hundreds of batch samples sourced from a public repository. The results showed a staggering 80% of the retrieved samples exhibiting zero detections from security solutions. This finding underscores the ability of BatCloak to evade traditional detection mechanisms employed by security providers. Moreover, when considering the overall sample set of 784, the average detection rate was less than one, emphasizing the challenging nature of identifying and mitigating threats associated with BatCloak-protected pieces of malware.
Figure 1. BatCloak detection counts from a public repository; samples and detection results collected from September 2022 to June 2023
Understanding the evolving landscape of advanced malware techniques such as FUD obfuscator BatCloak enables us to develop more effective strategies for combating the ever-evolving threats posed by these sophisticated adversaries. These findings highlight the pressing need for enhanced approaches to malware detection and prevention, such as a cutting-edge multilayered defensive strategy and comprehensive security solutions.
Security teams and organizations are advised to exercise a zero-trust approach. Teams should implement solutions capable of combining multiple rules, filters, and analysis techniques, including data stacking and machine learning to address the need for precise detection, as these tools can analyze individual and dynamic file signatures and observe patterns via heuristics and behavioral analysis. When uncertain of intrusions, behaviors, and routines, assume compromise or breach immediately to isolate affected artifacts or tool chains. With a broader perspective and rapid response, an organization can address these and keep the rest of its systems protected. Multilayered technologies and solutions, such as Trend Micro XDR™️, efficiently monitor, detect, and block tiered threats and attacks, as well as their clones and modified versions.
Instead of marking the end of an infection or an attack prior to the target because of siloed solutions, an extended detection and response capability across endpoint, servers, workloads, email, network, cloud, and identity observed from a single platform like Trend Vision One™️ can mitigate these risks by considering adversarial tactics, techniques, and procedures (TTPs) to profile the entirety of a routine. Trend Vision One also correlates with a connected threat intelligence system and rapidly prioritizes and responds with the necessary security and defensive actions as far left of the routine as possible.
Download the first part of our analysis on BatCloak engine here, and the indicators of compromise (IOCs) here and below :
By: Trend Micro June 29, 2023 Read time: 5 min (1290 words)
Risk Management of Human and Machine Identity in a Zero Trust Security Context
In today’s business world’s dynamic and ever-changing digital landscape, organizations encounter escalating security challenges that demand a more business-friendly and pertinent approach. Conventional security measures frequently lead to adverse effects on business operations.
However, the advent of Zero Trust security offers organizations the opportunity to embrace a risk-based response strategy that effectively mitigates these risks. The concept of identity is central to the effectiveness of security functions, which serves as a critical factor in guaranteeing the precision and security of transactions and data storage.
Identity and the Evolving Role of Humans and Machines
All security functions are fundamentally centered around identity. The statement, “Who did what to what, when,” encapsulates the core significance of identity in security. The accuracy and integrity of this statement rely on the accuracy and integrity of each identity clause. By ensuring the integrity of these identity clauses, organizations can automate the risk management process with high confidence in the outcomes.
Traditionally, security systems were designed assuming that human operators were solely responsible for all decisions made by machines. However, with the advent of computers and the increasing reliance on automated processes, this operator-centric model has become increasingly inadequate.
While humans and their associated accounts are often the primary targets of security measures, they merely represent the activity of the machines they interact with. In a Zero Trust deployment, embracing the concept of “machine as proxy human” becomes crucial. This approach allows organizations to apply security rules and surveillance to all devices, treating them like a malicious human is operating behind them.
By considering machines as proxy humans within the context of Zero Trust, organizations can extend security measures to encompass all devices and systems within their environment. This includes user devices, servers, IoT devices, and other interconnected components. Organizations can enforce strict access controls by treating machines as potential threat actors, applying behavioral analytics, and continuously monitoring for suspicious activities or deviations from expected behavior.
This shift in mindset enables organizations to proactively detect and respond to potential security threats, regardless of whether they originate from human actors or compromised machines. It allows for a more comprehensive and robust security posture, as security measures are applied at the device level, reducing the risk of unauthorized access, data breaches, and other security incidents.
Recognizing the centrality of identity in security and embracing the concept of “machine as proxy human” in a Zero Trust deployment enhances the effectiveness and comprehensiveness of security measures. By treating all devices as potential threat actors and applying security rules and surveillance accordingly, organizations can strengthen their risk management process, automate security controls, and mitigate the risks associated with human and machine-based security threats.
Applying Zero Trust to Machine-Human Approach
Treating all accounts, human or not, as machine/service accounts offer architectural flexibility in a Zero Trust environment. This approach allows organizations to apply consistent security measures to unknown devices, users, networks, and known entities, regardless of how frequently they change.
However, harmonized identity telemetry is crucial for this machine-human approach to be effective. Subscriber Identity Modules (SIM cards) and additional credentials facilitate Zero Trust management in 4G and 5G environments.
Organizations can incorporate a Software Bill of Materials (SBOM) into their Zero Trust solution to address the risks associated with the software. A SBOM is a comprehensive inventory that identifies the software components within an organization’s infrastructure, including internally developed and third-party/vendor-provided software.
By implementing a SBOM in a Zero Trust environment, organizations can establish a baseline for expected software behavior. This baseline includes the software’s version, dependencies, and associated digital signatures. Any deviations from this baseline can be identified as potential security threats or indicators of compromise.
One of the significant advantages of incorporating SBOM into a Zero Trust solution is the ability to monitor unexpected behaviors. Organizations can detect any suspicious activities or unauthorized modifications by continuously monitoring the software components and comparing their actual behavior against the established baseline. This proactive monitoring helps incident responders and risk management teams identify potential threats early and respond effectively to mitigate the risks.
Furthermore, SBOM facilitates supply chain component mapping, crucial for incident response and risk management. With a detailed inventory of software components, organizations can trace the origin of each component and identify potential vulnerabilities or compromised elements within their supply chain. This mapping capability enhances incident response capabilities by providing visibility into the interconnectedness of various software components and their potential impact on the organization’s overall security.
Ultimately incorporating SBOM into a Zero Trust solution helps organizations address software-related risks more effectively. By establishing baselines for expected software behavior and monitoring for any deviations, organizations can detect and respond to potential threats promptly. SBOM also facilitates supply chain component mapping, enabling organizations to enhance their incident response capabilities and mitigate the risks associated with software vulnerabilities and compromises.
Recommendations
Zero Trust security offers a surveillance-based approach that continuously checks and cross-references identity, assesses behavioral risk, and compares it to potential losses and revenue. This approach brings several recommendations for organizations looking to enhance their security posture:
Changes to executive responsibility and board governance require the adoption of Zero Trust security With the increasing importance of cybersecurity in today’s digital landscape, executive leadership, and board members need to prioritize and understand the significance of Zero Trust security. This includes making it a strategic focus and allocating resources for its implementation. By recognizing the value of Zero Trust and incorporating it into governance structures, organizations can ensure a top-down commitment to robust security practices.
Zero Trust can help organizations meet government and customer requirements for supply chain resiliency Supply chains have become more vulnerable to cyber threats, and government regulations and customer expectations emphasize supply chain resiliency. Zero Trust security measures can provide transparency, control, and trust within the supply chain ecosystem. Organizations can demonstrate their commitment to supply chain security and meet compliance requirements by establishing rigorous authentication, continuous monitoring, and granular access controls.
Operational risk management automation tools in Zero Trust can streamline security management and reduce enterprise risk and total cost of ownership Zero Trust security frameworks offer automation tools that streamline security management processes. Organizations can reduce human error and enhance operational efficiency by automating tasks such as identity verification, access controls, and threat detection. This automation minimizes security risks and reduces the total cost of ownership associated with managing complex security infrastructures.
Simplification of security management in Zero Trust can address the security skills gap by enabling reliance on junior or offshore staff for incident diagnoses The shortage of skilled cybersecurity professionals is a significant challenge for many organizations. Zero Trust can alleviate this skills gap by simplifying security management and enabling the reliance on junior or offshore staff for incident diagnoses. With streamlined processes, intuitive security controls, and automated monitoring, organizations can empower less experienced staff to effectively handle security incidents, optimizing resources and addressing the skills shortage.
By prioritizing identity integrity and leveraging the benefits of Zero Trust, organizations can establish a robust security framework that maximizes enterprise functionality while minimizing risk. In an increasingly unstable world where cyber threats continue to evolve, adopting a sophisticated, nuanced, and cost-effective security approach such as Zero Trust becomes essential for organizations to thrive and maintain resilience in the face of emerging challenges.
Ready to take your organization’s security to the next level? Download our comprehensive report on “Zero Trust: Enforcing Business Risk Reduction Through Security Risk Reduction” to gain valuable insights and practical strategies for implementing a business-friendly security approach. Discover how Zero Trust can minimize negative impacts, enhance risk management, and safeguard digital assets. Click here to download the report now!
