Welcome to the first edition of Dellfer Insights, a series curated by our VP of Channels, Shawn Lorenz. The series focuses on highlighting notable industry news, key takeaways and why it matters to combat the next cyberattack.
💡 Dellfer Insight #1: Mind the Gap
News and updates from the Project Zero team at Google in November included research reports concluding that “approximately 50% of the observed 0-days in the first half of 2022 were variants of previously patched (22% are variants of in-the-wild 0-days from 2021).
“This finding is consistent with our understanding of attacker behavior: attackers will take the path of least resistance, and as long as vendors don’t consistently perform thorough root-cause analysis when fixing security vulnerabilities, it will continue to be worth investing time in trying to revive known vulnerabilities before looking for novel ones.”
This conclusion is further validated when you review the team’s 0-day tracking spreadsheet for recording publicly known cases of detected 0-day exploits, showing only 34 exploits in 2022 versus 68 last year. In other words, inventing new attacks is unnecessary when the old ones have not yet been fixed.
Attackers can take the path of least resistance by looking for unfixed exploits because the payoff is high compared to developing a new attack. However, even if root-cause analysis is applied, this will never end.
Why It Matters:
Dellfer evens the playing field by removing all known and unknown threats (with or without the root-cause analysis.). Leave the software engineers to the creative tasks of writing new applications without worrying about security. Let Dellfer protect these applications from inside the source code.
💡Dellfer Insight #2: Whitehouse IOT Labeling Proposal for Consumer IOT Devices
The Whitehouse recently announced a labeling program for IOT devices that would give American consumers the peace of mind that the technology being brought into their homes is safe and incentivize manufacturers to meet higher cybersecurity standards and retailers to market secure devices.
Carnegie Mellon University’s CyLab has developed a prototype security and privacy “nutrition label” based on consumer studies. Curiously, their label looks very similar to Singapore’s Cyber Security Labelling Scheme, which is being used today and assigns almost every Internet-connected consumer device in that country a rating on a four-star scale. The system is recognized by Finland and, as of today, Germany. The U.S. labeling is expecting voluntary use in 2023.
A consumer-focused IOT labeling system does have good intentions, assuring users that they can compare devices in terms of levels of security testing completed when new. However, labels are not security. While the label makes people feel better, the label is outdated if the firmware updates are not applied or discontinued.
Why It Matters:
Dellfer’s team has accumulated over 100 years of practical cyber security. We know that no device should be trusted regardless of what the label says unless you “Dellferize” the device. Is there a zero-day vulnerability in every device? Most likely. Is the label-reading public disciplined enough to keep the device updated? Probably not. Dellfer was purpose-built for these scenarios of securing devices for known and unknown attacks.
💡Dellfer Insight #3: Big Money in Commercial Spyware and the Government-Wide Effort to Counter the Proliferation and Misuse of Such Commercial Spyware
Google’s Threat Analysis Group (TAG) is sharing findings on an exploitation framework with alleged ties to Variston IT, a company in Barcelona, Spain, that claims to be a provider of custom security solutions. Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender and provides all the tools necessary to deploy a payload to a target device. And although the team has not detected active exploitation, researchers added, “it appears likely these were utilized as zero-days in the wild.”
Cyberscoop reported that “the revelations land as the White House prepares to deploy policy initiatives, including an executive order, that would limit the U.S. government’s ability to use commercial spyware, CyberScoop’s Tonya Riley reported on Nov. 18.” This report is based on a letter to Representatives Himes and Speier from the Departments of State and Commerce.
From a best practices perspective, Google, Microsoft, and Mozilla fixed the relevant vulnerabilities in 2021, and early 2022, the Heliconia framework exploited n-day vulnerabilities left unchecked in production systems. From a U.S. security policy perspective, enforcement must be stringent as advanced surveillance capabilities in the hands of governments who use them to spy on journalists, human rights activists, political opposition, and dissidents do not align with our national interests.
Why It Matters:
Commercially available security attacks are too profitable for some otherwise legitimate IT solution companies to not sell to anyone with money; this problem will not disappear overnight. “Zero-trust” is the Groundhog Day moment that industry and governments circle back to when another n-day vulnerability is discovered. Dellfer eliminates this cycle by devices for known and unknown attacks at the source code level.
Stop threat actors who target the execution integrity of cyber-kinetic critical infrastructure with Zero Day Guard.