More stories


    Google announces Workspace updates, Jira integration, encryption and file classification features

    At Next 21′ this year, Google announced a new Jira integration for Google Chat and Spaces alongside other improvements to Workspace.


    Google said it decided to invest in the underlying platform after seeing 4.8 billion apps installed in Google Workspace and more than 5,300 public apps in the Google Workspace Marketplace. “Developers have been able to build applications that integrate with Gmail, Drive, and Docs for years. And today, we’re announcing significant enhancements to the Google Workspace platform by making it just as easy for developers to build applications and integrate with Google Meet, Chat and Spaces,” Google explained.

    The Jira integration allows users to create new tickets quickly, see actionable previews and monitor issues as they come into the space they’re already using for collaboration. Joff Redfern, chief product officer at Atlassian, explained that modern work requires people to switch contexts and tools faster than ever before. “We believe an open ecosystem and tight integrations among the tools that users rely on every day is vital to their success. Since 2017, our Trello integration with Gmail has been installed by more than 7 million people,” Redfern said. “Today, we are excited to build on the partnership between Atlassian and Google to propel work collaboration further with the integration of Jira with Google Chat and Spaces.”

    Google released AppSheet, a no-code development platform it says is meant to promote “collaboration equity.” The tool allows any team member to access certain documents and collaborate instantly with team members who are not in the field. The tool was built with frontline workers in mind, according to Google. “This new integration allows anyone — regardless of their coding experience — to reclaim time with custom, no-code apps and automations. Budgets and vacation requests can be approved, inventories and asset management systems can be updated, and much more — all with AppSheet and directly from your inbox,” Google explained.

    There will also now be client-side encryption (CSE) available to Google Meet users after the feature was unveiled for Drive, Docs, Sheets, and Slides users in June. Google is also announcing the beta of its Key Access Service Public APIs, which helps organizations manage their encryption keys. Data Loss Prevention (DLP) for Chat is also in beta right now as well.

    Google users will now be able to mark certain files under different classifications depending on their sensitivity level. The labels allow Drive users to classify documents and make it easier for people to manage whether a document can be downloaded, shared or printed. Other protections against abusive content and behavior are also among the announcements released on Tuesday. “If a user opens a file that we think is suspicious or dangerous, we’ll display a warning to the user to help protect them and their organization from malware, phishing, and ransomware. This functionality is now available in Google Docs and will be rolling out soon for Google Sheets and Slides,” Google said.


    Google unveils new security programs, 'Cybersecurity Action Team' and partnerships with CrowdStrike, Palo Alto

    Google announced the creation of a new security program and a group called the Google Cybersecurity Action Team as a way to offer organizations and regular users more robust cybersecurity protection.


    The Work Safer tool was built to provide a secure way for teams to communicate through email, meetings, messages, documents, and more. At Next ’21, the company said it melds Google’s cloud-native, zero-trust tools within Workspace with cybersecurity platforms from CrowdStrike and Palo Alto Networks.

    The Google Cybersecurity Action Team will bring together experts from across Google to help provide assistance to government entities, critical infrastructure and businesses. Phil Venables, CISO at Google Cloud and founder of the Google Cybersecurity Action Team, said their customers need a consistent approach to preparing for and defending against cybersecurity threats. “Our comprehensive suite of security solutions delivered through our platform and amplified by the Google Cybersecurity Action Team will help protect organizations against adverse cyber events with capabilities that address industry frameworks and standards,” Venables said. Google designed both initiatives with the understanding that many small and medium-sized businesses still use legacy hardware and need help securing tools that are often at the end of their life.

    They also acknowledged that most companies are short-staffed and need assistance managing increasingly complicated technology, particularly now that many people work remotely. “For customers who want secure devices, Work Safer includes Pixel phones managed with Android Enterprise, Chrome Enterprise Upgrade, and HP Chromebooks. Customers can also leverage Google’s Titan Security Keys for account protection, reCAPTCHA Enterprise for website fraud prevention, Chronicle for security analytics, and a variety of migration services for a seamless transition,” Google explained. CrowdStrike and Palo Alto Networks will provide endpoint protection and network protection, respectively.

    “As daily headlines attest, threats are increasing, and vulnerabilities in older communication and collaboration systems continue to be exploited,” said Sunil Potti, vice president and general manager of Google Cloud Security. “Legacy productivity tools designed in the PC era were not architected for the new reality of real-time collaboration across a hybrid, highly-distributed and mobile-first workforce. With Work Safer, every small business, enterprise, and public sector institution can have access to the cutting edge security protections to make hybrid work safer.”

    CrowdStrike CEO George Kurtz said businesses are in a cybersecurity arms race against adversaries and noted that the partnership with Google is centered on delivering “defense-in-depth, cloud-first security” that allows users to identify and remediate threats before they turn into attacks. He said pairing the CrowdStrike Falcon platform — which leverages cloud-scale AI for real-time protection and visibility — with Google Workspace’s architecture provides a natural fit for any organization implementing Zero Trust.

    The Google Cybersecurity Action Team will be providing blueprints, customer and engineering solutions, and programs for deploying Google technologies like those offered with Work Safer to help solve organizations’ most pressing security challenges. The team will offer organizations specific security strategies, workshops and educational content to help train their workers on how to stay safe. They will also provide threat briefings, preparedness drills, incident support and rapid response engagements alongside help with regulatory requirements. CISA Director Jen Easterly said it was good to see a large company like Google Cloud orient itself to support all organizations’ cybersecurity through its Cybersecurity Action Team and noted that Google will be part of the recently-created Joint Cyber Defense Collaborative.

    “Cybersecurity is at the top of every C-level and board agenda, given the increasing prominence of software supply chain exploits, ransomware, and other attacks. To address these unprecedented security challenges facing organizations in every industry today, we are announcing the creation of the Google Cybersecurity Action Team,” said Thomas Kurian, CEO of Google Cloud. “The Google Cybersecurity Action Team is part of our ongoing commitment to be the best partner for our enterprise and government customers along their security transformation journey.” Government entities and infrastructure organizations have faced a barrage of attacks in recent years, including incidents involving USAID, Colonial Pipeline and dozens of government agencies through the SolarWinds issue.


    Google Cloud joins forces with Cybereason for XDR platform

    Cybersecurity company Cybereason is partnering with Google Cloud on an effort to provide Extended Detection and Response (XDR) tools to organizations looking for protection of their endpoints, networks, clouds and workspaces.


    The companies explained that Google Cloud’s Chronicle cybersecurity analytics platform “ingests, normalizes, and analyzes petabytes of data from the complete IT environment on planetary-scale infrastructure.” Cybereason claims it examines 23 trillion security-related events per week and said the combination of their work with Google Cloud’s tool “automates prevention for common attacks, guides analysts through security operations and incident response and enables threat hunting with precision at a pace never before achieved.”

    Thomas Kurian, CEO of Google Cloud, said Cybereason “continues to disrupt the market and deliver on their vision for a future-ready extended detection and response defense platform.” “Google Cloud is dedicated to delivering the industry’s most trusted cloud to accelerate customers’ digital transformation efforts with security products that meet them wherever they are,” Kurian said. “We’re excited to partner with Cybereason to help customers quickly secure their hybrid and cloud environments with the combined capabilities of Google Cloud and Cybereason’s XDR services.”

    Yonatan Striem-Amit, Cybereason’s CTO, told ZDNet that Google Cloud and Cybereason connected over an initiative to create a “truly open” XDR set of offerings. He specifically cited Cybereason’s MalOp Engine, which is a patented tool that examines the “full attack story across every device, user identity, application and cloud deployment.”

    Striem-Amit said the first focus of the company is to drive innovation in the XDR space, noting that the ability to transform security data into threat prediction and incident response guidance is necessary. The tool is different from other XDR solutions on the market, according to Striem-Amit, because most XDR solutions “are little more than a single console which displays individual alerts from multiple sources.”

    “Cybereason and Google Cloud relentlessly focus on ending ‘malicious operations.’ By bringing Cybereason’s MalOp Engine with Google Cloud’s log analytics capabilities, we provide customers with a holistic view of the entire attack chain, prevention of the threat regardless of what system it is running on, and single-click response across the entire IT stack on computers, networks, cloud infrastructure, identity, and SaaS solutions. The combined technology becomes easy to deploy within minutes,” Striem-Amit said. “Many organizations are looking at XDR to provide meaningful incident response to fight ransomware, identity, and business email compromise. Most of today’s offerings are siloed, expensive, and fail to catch threats.”

    According to the company, the Cybereason Defense Platform combines AI-powered detection and response (EDR and XDR), next-gen antivirus (NGAV), Anti-Ransomware Protection and other tools.


    Microsoft warns over password attacks against these Office 365 customers

    Microsoft says 250 Office 365 customers in the US and Israeli defense technology sector have been targeted with ‘password-spraying’ attacks, where attackers try to access many accounts with commonly used passwords. The technique relies on people using variations of common passwords. The password attacks focussed on critical infrastructure companies operating in the Persian Gulf and were carried out by a group Microsoft is tracking as DEV-0343 – most likely a new group from Iran.  


    The ‘DEV’ tag indicates that the group is not a confirmed state-sponsored attack group, but it could become one eventually.

    The Microsoft Threat Intelligence Center (MSTIC) said it had observed DEV-0343 “conducting extensive password spraying against more than 250 Office 365 tenants, with a focus on US and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East.” Microsoft said “less than 20” of the targeted tenants were successfully compromised. The risk of compromise from password-spraying attacks is significantly reduced for organizations that roll out multi-factor authentication.

    The hacking group targeted companies that support US, European Union and Israeli organizations producing military radars, drones, satellite systems, and emergency response communication systems, as well as geographic information systems (GIS), spatial analytics, Persian Gulf ports, and maritime and cargo transportation companies in the region. “Microsoft assesses this targeting supports Iranian government tracking of adversary security services and maritime shipping in the Middle East to enhance their contingency plans. Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program,” Microsoft said.

    Microsoft last week raised a red flag over Russian state-sponsored hacking, labelling Russia’s intelligence hackers the most active cyber threat in the world. Not only are Kremlin-backed hackers more prolific, they’re also increasingly effective, according to Microsoft. It also flagged a significant uptick in Iranian hacks against Israeli organizations. “This year marked a near quadrupling in the targeting of Israeli entities, a result exclusively of Iranian actors, who focused on Israel as tensions sharply escalated between the adversaries,” Microsoft noted in its latest Digital Defense Report.

    Its latest warning to US and Israeli organizations operating in the Middle East says they should be on the lookout for suspicious Tor connections to their networks.

    “DEV-0343 conducts extensive password sprays emulating a Firefox browser and using IPs hosted on a Tor proxy network. They are most active between Sunday and Thursday between 7:30 AM and 8:30 PM Iran Time (04:00:00 and 17:00:00 UTC) with significant drop-offs in activity before 7:30 AM and after 8:30 PM Iran Time. They typically target dozens to hundreds of accounts within an organization, depending on the size, and enumerate each account from dozens to thousands of times. On average, between 150 and 1,000+ unique Tor proxy IP addresses are used in attacks against each organization,” Microsoft warned in a blogpost.

    DEV-0343 frequently targets the Exchange endpoints, including Autodiscover and ActiveSync, with password-spraying attacks. This allows DEV-0343 to validate active accounts and passwords, and further refine its password-spray activity, Microsoft said.

    Microsoft’s primary recommended defense is enabling multi-factor authentication since this should block remote access to accounts with compromised credentials. It also recommends admins check and enforce Exchange Online access policies and block all incoming traffic coming from services like the Tor network.
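    A defender-side illustration of the indicators Microsoft describes above (many accounts hit a few times each from one source, Tor exit addresses, a Firefox user agent, the Autodiscover and ActiveSync endpoints, Sunday to Thursday 04:00 to 17:00 UTC), as an added example that is not part of the ZDNet story or of Microsoft's material. The log layout, thresholds, IP addresses, user names and sample lines are all constructed for the demonstration.

```python
"""Flag password-spray patterns in sign-in logs (added example; not Microsoft's
or ZDNet's code). Field layout, IP addresses and log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple

# Constructed stand-in for a Tor exit-node feed (documentation-range IPs only).
TOR_EXIT_NODES = {"198.51.100.7", "198.51.100.23"}

# Exchange endpoints named in the story; failures here are worth grouping separately.
LEGACY_ENDPOINTS = ("/autodiscover/", "/Microsoft-Server-ActiveSync")

# A spray touches many accounts with few guesses each; thresholds are tunable.
MIN_DISTINCT_ACCOUNTS = 5
MAX_ATTEMPTS_PER_ACCOUNT = 3


class Event(NamedTuple):
    ts: datetime
    src_ip: str
    user: str
    endpoint: str
    user_agent: str
    success: bool


def parse_line(line: str) -> Event:
    """Constructed format: utc-time|src_ip|user|endpoint|user_agent|result."""
    ts, ip, user, endpoint, ua, result = line.strip().split("|")
    when = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
    return Event(when, ip, user, endpoint, ua, result == "success")


def in_reported_window(ts: datetime) -> bool:
    """Sunday-Thursday, 04:00-17:00 UTC: the activity window Microsoft described."""
    return ts.weekday() in (6, 0, 1, 2, 3) and 4 <= ts.hour < 17


def detect_spray(lines: List[str]) -> Dict[str, dict]:
    """Return {src_ip: finding} for sources whose failed sign-ins look like a spray."""
    per_ip: Dict[str, List[Event]] = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            per_ip[ev.src_ip].append(ev)

    findings: Dict[str, dict] = {}
    for ip, events in per_ip.items():
        failures = [e for e in events if not e.success]
        tries: Dict[str, int] = defaultdict(int)
        for e in failures:
            tries[e.user] += 1
        if len(tries) < MIN_DISTINCT_ACCOUNTS:
            continue  # one user failing repeatedly is a lockout or brute force, not a spray
        if max(tries.values()) > MAX_ATTEMPTS_PER_ACCOUNT:
            continue
        findings[ip] = {
            "distinct_accounts": len(tries),
            "failures": len(failures),
            # Any success from a spraying source marks an account to review and reset.
            "successes": sorted({e.user for e in events if e.success}),
            "tor_exit": ip in TOR_EXIT_NODES,
            "legacy_endpoint": any(e.endpoint.startswith(LEGACY_ENDPOINTS) for e in failures),
            "firefox_ua": all("Firefox" in e.user_agent for e in failures),
            "in_reported_window": all(in_reported_window(e.ts) for e in failures),
        }
    return findings


# Constructed sample: 2021-10-12 is a Tuesday. Source A tries six accounts once
# each over Autodiscover/ActiveSync from a (fake) Tor exit, then succeeds against
# a seventh; source B is one user mistyping a password from a corporate address.
SAMPLE_LOG = """\
2021-10-12T09:15:02|198.51.100.7|alice@example.com|/autodiscover/autodiscover.xml|Mozilla/5.0 Firefox/92.0|failure
2021-10-12T09:15:09|198.51.100.7|bob@example.com|/autodiscover/autodiscover.xml|Mozilla/5.0 Firefox/92.0|failure
2021-10-12T09:15:17|198.51.100.7|carol@example.com|/autodiscover/autodiscover.xml|Mozilla/5.0 Firefox/92.0|failure
2021-10-12T09:15:24|198.51.100.7|dave@example.com|/Microsoft-Server-ActiveSync|Mozilla/5.0 Firefox/92.0|failure
2021-10-12T09:15:31|198.51.100.7|erin@example.com|/Microsoft-Server-ActiveSync|Mozilla/5.0 Firefox/92.0|failure
2021-10-12T09:15:40|198.51.100.7|frank@example.com|/autodiscover/autodiscover.xml|Mozilla/5.0 Firefox/92.0|failure
2021-10-12T09:16:03|198.51.100.7|grace@example.com|/autodiscover/autodiscover.xml|Mozilla/5.0 Firefox/92.0|success
2021-10-12T10:02:11|192.0.2.50|bob@example.com|/owa/|Microsoft Office/16.0|failure
2021-10-12T10:02:30|192.0.2.50|bob@example.com|/owa/|Microsoft Office/16.0|failure
2021-10-12T10:02:55|192.0.2.50|bob@example.com|/owa/|Microsoft Office/16.0|failure
2021-10-12T10:03:20|192.0.2.50|bob@example.com|/owa/|Microsoft Office/16.0|success
""".splitlines()

if __name__ == "__main__":
    for ip, finding in detect_spray(SAMPLE_LOG).items():
        print(ip, finding)
```

    Only the spraying source is reported; the single user retrying a password from 192.0.2.50 stays below the distinct-account threshold.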


    Calls to ID social media users are just another Morrison government rush job

    Every now and then, someone in power has a sook about a bad experience on social media. Then, as regular as a cuckoo clock, there’s a call for every social media user to be identified, because they reckon anonymity is the problem. Right now the cuckoo is the Australian government, and boy are they ramping up the rhetoric.

    Last Thursday, Prime Minister Scott Morrison and two other senior ministers called on the tech giants to identify their users, telling them that if they didn’t do so then they were no longer platforms, immune from prosecution. They would be publishers, subject to Australia’s tough defamation laws. Social media is a “coward’s palace”, Morrison said.

    First out the little wooden door had been Deputy Prime Minister Barnaby Joyce who was, quite understandably, angry that rumours about his daughter had been published. Joyce told ABC Radio that the government and others around the world now have the motivation to say, “We’ve had enough, you can’t treat us like fools”. “We spend billions of dollars in Australia on mental health issues — Facebook, Twitter and other online platforms make billions of dollars profit from selling a product that I believe in many instances, if it was a food product, it would be taken off the shelf,”

    Then on Sunday, the baton was handed to Communications Minister Paul Fletcher. “We expect a stronger position from the platforms,” Fletcher told ABC TV’s Insiders on Sunday. “For a long time, they’ve been getting away with not taking any responsibility in relation to content that’s posted on the sites,” he said. The attorneys-general around Australia are already leading an “existing process” to look at these issues. “Commonwealth Attorney-General, my colleague Michaelia Cash, just this week wrote to the state attorneys-general wanting to accelerate that process,” Fletcher said.

    “Tell me who you are” is a flexing of power

    Back in March, forcing social media users to identify themselves was one of the 88 recommendations in a report by a parliamentary inquiry into family, domestic and sexual violence. “In order to open or maintain an existing social media account, customers should be required by law to identify themselves to a platform using 100 points of identification, in the same way as a person must provide identification for a mobile phone account, or to buy a mobile SIM card,” it said. The platforms would have to provide those details when requested by the eSafety Commissioner, law enforcement, or as directed by a court.

    But while anonymity is certainly used as a cover for abusive behaviour, at least some of the time, would demanding ID actually solve the problem? According to Elise Thomas, an open-source intelligence analyst at the Institute for Strategic Dialogue, that’s far from clear. After all, Facebook for one already has a real-names policy. “A cursory glance through Facebook comments on any controversial topic will indicate that many people are only too happy to make cruel comments under their own names,” Thomas wrote at The Strategist. “It’s not clear how a requirement to provide a driver’s licence or other ID to open an account would change that behaviour.” Nor would it necessarily be a “proportionate or effective” policy response.

    “A high bar for evidence of necessity, safety and effectiveness should be required before the government asks Australians to accept a measure which almost no other country has imposed,” Thomas said. As she notes, there have been criticisms that real-names policies disproportionately impact marginal communities and endanger victims of domestic violence and stalking. In the US, the Electronic Frontier Foundation has documented a variety of harms that real-names policies can cause.

    It’s sometimes argued that while the platforms could demand ID, the users could still post under a pseudonym. But the platforms would hardly push back against demands from government, or from powerful people with expensive lawyers. Shielding users’ privacy against legal demands costs money and antagonises governments that are already keen for tighter regulation. Moreover, just as in every other aspect of society, the platforms are more likely to respond to complaints from the powerful and the privileged, rather than the marginalised. Just ask any woman who’s been the subject of abuse, or a person of colour, or someone from the LGBTQI+ communities. As always, “I need to know your name” only works to allow the powerful to exert power.

    Thomas also noted the human rights aspects of all this. Concerned about election misinformation, South Korea in 2004 demanded ID before posting on election websites. That was later extended to all sites with more than 300,000 daily visitors. “Studies show that during the time the policy was in operation, there was no significant decrease in online abuse,” she wrote. “What did happen, however, was a massive hack in which 35 million South Koreans’ national identification numbers were stolen.” South Korea’s policy was ruled unconstitutional. Anonymity, or using a pseudonym, allowed people to “voice criticism on majority opinion without giving into external pressure,” the court said. Meanwhile in Europe, a German court ruled Facebook’s policy illegal.

    “In 2021, the only country imposing a requirement for government identification on social media users is China, where privacy rights and the effects on democratic free speech are clearly not a concern,” Thomas wrote. That should tell you something.

    Logical fallacies, and another Morrison government rush job

    Like so much of the government’s internet-related policy, this demand for identification feels like another instance of that old logical fallacy: Something must be done. This is something, therefore this must be done. Joyce said that if social media companies were smart enough to make so much money, then they were smart enough to make their products safer. That’s a bit like saying that if you’re smart enough to design an apartment building then you’re smart enough to perform open-heart surgery. Or turn lead into gold.

    Then there’s the sudden rush, with multiple ministers on the message within days. Fletcher was pushing the message that efforts to regulate Facebook and Twitter would be like the News Media Bargaining Code, where work started back in 2018 and led to a result. Joyce, however, is as usual on a different page. “This time, something’s going to happen,” he said, and legislation would be coming “soon”. Victims of anonymous abuse who have been calling for action might be happy, but they might also wonder “Why now?” That’s easy to explain. The attack on Joyce’s daughter kicked them in the politicals, and there’s an election coming up.


    Quest-owned fertility clinic announces data breach after August ransomware attack

    Quest Diagnostics has informed the SEC about a ransomware attack in August that hit ReproSource, a fertility clinic owned by the company. The ransomware attack led to a data breach, exposing a significant amount of health and financial information for about 350,000 ReproSource patients. In a statement to ZDNet, Quest said ReproSource provided notice that it experienced a data security incident in which an unauthorized party may have accessed or acquired the protected health information and personally identifiable information of some patients.

    “On August 8, 2021, an unauthorized party accessed the ReproSource network. ReproSource discovered ransomware on the morning of August 10, and in less than an hour severed all network connection activity and contained the incident,” a company spokesperson explained. “ReproSource immediately launched a comprehensive investigation to determine the cause and scope of the incident. ReproSource retained leading cybersecurity experts to assist with our investigation, confirmed containment of the ransomware, and quickly and securely recovered operations. Additionally, ReproSource promptly notified law enforcement.”

    Quest added that ReproSource began sending out breach notification letters to victims on September 24. The letters tell victims that the personal information leaked during the ransomware attack includes names, addresses, phone numbers, email addresses, dates of birth and billing information.

    A trove of health information was also leaked during the attack, including CPT codes, diagnosis codes, test requisitions and results, test reports and/or medical history information, health insurance or group plan identification names and numbers and other information provided by individuals or by treating physicians. The company admitted that an undisclosed number of people also had driver’s license numbers, passport numbers, Social Security numbers, financial account numbers, and/or credit card numbers leaked in the attack.

    News of the breach came to light after a regulatory filing by Quest, which said the larger company was not affected by the incident at ReproSource but confirmed that it was a ransomware attack. Quest noted that it has cybersecurity insurance and does not believe it will have a severe effect on the company’s finances as other ransomware attacks have. ReproSource is providing victims with free credit and identity monitoring services from Kroll but did not say how long these services would last.

    ReproSource is the second fertility clinic this year to send out breach notifications after a ransomware attack. Georgia-based Reproductive Biology Associates, and its affiliate My Egg Bank North America, notified about 38,000 patients that their medical information and other data like social security numbers had been accessed by cybercriminals during a ransomware attack in April.

    Healthcare facilities continue to face the brunt of ransomware attacks across the world, specifically because of the sensitive data they are forced to collect on patients, employees and visitors. Hundreds have been attacked this year and the problem has shown no signs of slowing down. “Like with other critical infrastructure, healthcare systems face unique vulnerability from ransomware attacks because the exposed data affects not only patients’ privacy, but also their choices about medical treatment. Fertility treatments are a perfect example of this, as they can require up to tens of thousands of dollars in investments from prospective parents, making this sector a perfect target for bad actors looking for a profit,” said Tim Eades, CEO at cybersecurity company vArmour. “It’s a reality that ransomware will continue to target fertility clinics and other health systems for their valuable data.”


    Ransomware is the biggest cyber threat to business. But most firms still aren't ready for it

    Ransomware is the most significant cybersecurity threat facing organisations ranging from critical national infrastructure providers and large enterprises to schools and local businesses – but it’s a threat which can be countered.

    In a speech at the Chatham House Cyber 2021 Conference, Lindy Cameron, CEO of the UK’s National Cyber Security Centre (NCSC), warned about several cybersecurity threats facing the world today, including supply chain attacks, the threat of cyber espionage and cyber aggression by hostile nation-states and cybersecurity exploits and vulnerabilities being sold to whoever wants to buy them. But it’s ransomware which is “the most immediate danger to UK businesses and most other organisations”, said Cameron, who warned that many businesses are leaving themselves vulnerable because “many have no incident response plans, or ever test their cyber defences”.

    Drawing on examples of high-profile ransomware attacks around the world including the Colonial Pipeline ransomware attack, the ransomware attack against Ireland’s Health Service Executive and those closer to home like the ransomware attack against Hackney Council, Cameron detailed the “real world impact” that these cyber attacks have had over the last year as cyber criminals encrypt networks and attempt to demand ransom payments of millions for the decryption key. And one of the reasons why ransomware is still so successful is because some victims of the attacks will pay the ransom, perceiving it to be the best way to restore the network as quickly as possible – despite warnings not to pay.

    “We expect ransomware will continue to be an attractive route for criminals as long as organisations remain vulnerable and continue to pay. We have been clear that paying ransoms emboldens these criminal groups – and it also does not guarantee your data will be returned intact, or indeed returned at all,” said Cameron, who also detailed how many ransomware groups are now stealing data and threatening to leak it if the ransom isn’t paid.

    “Their intention is clear: to increase pressure on victims to pay,” she said. In recent months, the impact of ransomware has become so great that world leaders have discussed it at international summits. “We should not view ransomware as a risk we have to live with and can’t do anything about. We’ve seen this issue become a leader level G7 topic of conversation this year. Governments have a role, and we are playing our part,” said Cameron. “We are redoubling our efforts to clamp down and deter this pernicious and spreading crime, standing firm with our global counterparts and doing our best to turn this into a crime that does not pay,” she added.

    But while governments, law enforcement and international bodies have a role to play in helping to fight back against ransomware attacks, businesses and other organisations can also examine their own defences and what plans they have in place, should they fall victim to a ransomware attack. “But victims also have agency here too. Do you know what you would do if it happened to you? Have you rehearsed this? Have you taken steps to ensure your systems are the hardest target in your market or sector to compromise? And if you would consider paying a ransom, are you comfortable that you are investing enough to stop that conversation ever happening in the first place,” said Cameron.

    Actions like applying security patches and updates promptly and using multi-factor authentication can help protect networks from cyber attacks – and the NCSC has published much advice on how businesses can help protect their networks, emphasising that cybersecurity must be a board level issue. “One of the key things I have learnt in my time as NCSC CEO is that many – in fact the vast majority – of these high-profile cyber incidents can be prevented by following actionable steps that dramatically improve an organisation’s cyber resilience”, said Cameron. “Responsibility for understanding cyber security risks does not start and end with the IT department. Chief executives and boards also have a crucial role,” she said. “No chief exec would get away with saying they don’t need to understand legal risk because they have a general counsel. The same should be true of cyber risk”.


    Ransomware: Even when the hackers are in your network, it might not be too late

    Ransomware is one of the biggest cybersecurity issues facing the world today with gangs routinely breaking into enterprise networks to encrypt files and networks. Often, victims only realise that they’ve been compromised when files, servers and other systems have been encrypted and they’re presented with a ransom note demanding a payment in cryptocurrency for the decryption key.

    But even if cyber criminals are already inside the network it’s not necessarily too late to prevent a ransomware attack; if an organisation has a good threat hunting strategy, they can detect strange or suspicious activity and counter the threat before ransomware becomes a major problem. That’s because criminals can spend weeks in the network before triggering a ransomware attack – and even if protections designed to prevent them from entering the network have failed, this delay can provide an opportunity for preventing a full-blown ransomware attack.

    The US Department of Commerce’s National Institute of Standards and Technology (NIST) cybersecurity framework (CSF) lists Identify, Protect, Detect, Respond and Recover as the five functions of securing networks. But many organisations are still attempting to rely on the ‘protect’ aspect as the main line of defence, without a clear strategy, if they have one at all, on how to detect and respond to threats which bypass protections. “When you think about the CSF framework, I think we spend so much in the protect bucket and not enough in detect, respond and recover,” said Jason Lewkowicz, Global CISO for Cognizant, speaking during a panel discussion on ransomware at VMware’s VMworld 2021 conference.

    If criminals have already been able to breach the network, it might be difficult to believe that all is not lost, but the way attacks work means it’s still possible to cut them off and prevent a ransomware incident. For example, it’s common for cyber criminals to gain access to networks and install malware to help examine the environment they’ve compromised – then they’ll often follow a standard routine of actions during the days or weeks they’re in the network. It’s possible to identify this activity and if it’s identified, there’s the opportunity to stop the attackers.

    “Detection can actually be part of preventing ransomware. There’s a classic ransomware chain of events and it’s almost gut wrenching because it’s predictable and we see it every day,” said Katie Nickels, director of intelligence at Red Canary. “My team will see an initial malware family like QBot – then the adversaries will look around the environment, do some reconnaissance and then they install a tool called Cobalt Strike, then they move laterally. It’s the same playbook – ransomware is coming”.

    If organisations have a good knowledge of their own network and a threat hunting team which can take knowledge of how these hands-on ransomware attacks work and use it to detect threats, they can be identified, removed and remediated before the problem grows to become a full-scale ransomware attack. “If you can detect these things – these are very detectable predictable behaviors – if you could detect them early you can actually prevent the encryption, the exfiltration or a really bad outcome,” said Nickels. “It’s interesting, because everyone thinks about prevention and protection, but early detection is actually prevention of ransomware,” she added.

    Smaller businesses or those without a significant IT or information security budget could struggle to engage in threat hunting themselves, but it can be useful for helping to prevent a ransomware attack and much less costly than falling victim. “It’s so important to have threat hunting capabilities on the team – if you don’t have that in your organization partner up within the ecosystem – because threat hunting really helps to identify those and profile those activities,” said Amelia Estwick, director of threat research at VMware.

    Being able to find out if cyber criminals have compromised the network can play a major role in actually preventing an incident from taking place, or at least ensuring that the impact is reduced. Keeping a ransomware attack restricted to one part of the network is still better than letting it spread around the entire enterprise environment. It can also help cybersecurity teams learn to prevent additional attacks in future. “We already know they’re in there, so let’s figure out how to batten down the hatches and how are they moving throughout the system, so we can learn to better provide and develop tools to detect and prevent this from occurring again,” said Estwick.