AI-driven cyber threats are not just a fact; they are an ever-evolving issue for many industries. In the span of three years, Artificial Intelligence (AI) has evolved from a budding concept to a monumental force, revolutionizing industries and paving new pathways for innovation. However, with every digital stride we take, the underbelly of the cybersecurity world reveals more complexities. The same AI, which stands as a beacon of progress, is now being weaponized by nefarious minds, leading to the creation of threats more sophisticated than ever before.

ai-driven threats


The AI Threat Landscape:

The digital underworld is abuzz with cybercriminals harnessing the power of AI, amplifying their hacking prowess. Whether it’s the automation of cunning phishing schemes or the deployment of machine learning for relentless password attacks, the malicious use of AI is not just a concern—it’s an alarming reality. These AI-infused threats are not just multiplying; they evolve, learn, and outpace traditional defense mechanisms.

For a deeper understanding of defense against AI-driven threats and to equip your organization with the right tools and knowledge, explore this free Risk Assessment.

The Ripple Effect on Key Industries:

While the digital age offers boundless opportunities, it also brings unprecedented challenges, especially with AI-driven cyber threats. With its treasure troves of sensitive data, the Financial Services sector finds itself in the eye of the storm. The surge of AI in cyber warfare means these institutions are grappling with new threats daily.

Life Sciences entities, guardians of invaluable intellectual property, aren’t spared either. They, too, are prime targets for AI adversaries. Any entity handling confidential data, especially those with deep pockets, is in the line of fire. Life Sciences entities, guardians of invaluable intellectual property, aren’t spared either. They too are prime targets for AI adversaries. Simply, any entity handling confidential data, especially those with deep pockets, is in the line of fire.

Proactive Defense Strategies:

Over the past several years, the world has seen numerous case studies on how these AI-driven cyber threats can impact a business, even Fortune 500 companies. In the face of these threats, businesses must adopt a comprehensive and proactive defense strategy. Here are a few of the most recommended strategies and how companies could have better utilized them.

Continuous Monitoring and Real-time Threat Detection:

Implementing systems that continuously monitor network traffic and user behavior can help in early detection of any anomalies. Real-time threat detection can alert IT teams immediately, allowing them to act before significant damage occurs.

For example, T-Mobile experienced data breaches in May and January 2023. Had a more robust real-time threat detection system existed, the breaches might have been detected and mitigated sooner.

Advanced AI Defense Strategies:

Utilizing AI to counteract AI-driven threats can be an effective strategy, but too few companies are taking the time to implement these tools proactively. AI can predict potential attack vectors and strategies that hackers might use, preparing businesses for the next big attack.

In another case, Latitude Financial experienced a massive breach in March of 2023, compromising over 14 million records. Advanced AI defense strategies could have predicted the attack vectors used against the company.

Employee Training and Awareness:

Regularly training employees to recognize potential AI-driven cyber threats like phishing emails or suspicious links can prevent the most sensitive area of cybersecurity, the human element. While typos and grammatical mistakes were once a clear indicator of phishing, AI can quickly fix these issues and even make the phrasing more compelling to act. That’s why informed and vigilant employees are often the first line of defense.

Case in point: MailChimp faced a data breach in 2023. Hackers obtained employee credentials, allowing them access to Mailchimp’s support and admin platforms. Such breaches often start with a single employee clicking on a malicious link. However, social engineering tactics can be much more effective. Regular training could reduce such risks.

There are two other examples: MGM and Ceasar’s, who faced a similar breach that occurred earlier this year, both of which started with a simple phone call to the support desk.

State-of-the-art Cybersecurity Tools:

Employing the latest cybersecurity tools that offer multi-layered protection, including firewalls, intrusion detection systems, and encrypted/blockchain communication, can form a robust defense against some of the more common threats.

A lesson Verizon learned after having records of over 7 million users posted on a hacker forum in March 2023. Using state-of-the-art tools could have prevented unauthorized access since, according to their year’s report, 74% of breaches began through human error, social engineering or misuse.”

Incident Response Plan:

A well-documented and practiced incident response plan ensures that when a breach occurs, the organization can swiftly mitigate damage, communicate with stakeholders, and recover data.

Likewise, MOVEit, a File Transfer and Automation Software company faced a significant data breach in June of 2023. The breach impacted over 200 companies that utilized the platform, including the Department of Energy and schools across the US. The result is a security vulnerability in their software. These vulnerabilities can be impossible to predict. However, an effective incident response plan could have minimized the impact and duration of the breach.


The integration of AI in cybersecurity is a double-edged sword. While it offers enhanced protection mechanisms, it also presents new challenges as cybercriminals harness its power for malicious intent. As we navigate this new frontier, the importance of continuous learning, adaptation, and proactive defense cannot be overstated.

Concerned about AI-driven cyber threats? Contact Coretelligent today and fortify your defenses.

What is cyber hygiene and cyber hygiene best practices?

Cyber HygieneWhat is Cyber Hygiene?

The consistent implementation of cybersecurity best practices to ensure the security and handling of your networks and critical data is what is known as cyber hygiene. Coretelligent will be sharing information and resources to help you fortify your cyber hygiene and keep your business safe from  threats.

7 Cyber Hygiene Best Practices

We have put together a list of cybersecurity tips as a quick introduction to persuade your team to assess your firm’s current security readiness from a cyber attack.

  1. Double (or triple) up on login protection.

    Enable multi-factor authentication (MFA) across your organization for all accounts and devices to ensure that only authorized users gain access to your secure data. CISA’s Multi-Factor Authentication (MFA) How-to-Guide is a good resource for more information.

  2. Shake up your password protocol.

    According to the NIST guidance, users should consider using the longest password or passphrase permissible. Encourage end-users to switch up passwords across applications, accounts, and websites. Using unique, strong passwords can make it more difficult for cybercriminals to gain access and protect your organization in the event of a breach.

    A password manager and online password generator can be employed to generate and for remembering different, complex passwords. Another solution is to employ SSO to control passwords centrally and avoid user password sprawl across various platforms, which can lead to poor password choices, reuse, and insecure safekeeping.

  3. If you connect, you must protect.

    Whether it’s a laptop, smartphone, or another networked device, the best defense against viruses and malware attacks is to perform updates on a regular basis to verify that the latest software updates get applied to your software, browser, and operating systems.

    A plan that includes the automatic security update is a critical layer of security and part of a multi-layered defense strategy.

  4. Don’t get hooked.

    Cybercriminals use phishing tactics, hoping to fool their victims. So, if you’re unsure who an email is from—even if the details appear accurate— or if the email looks phishy, do not respond, and do not click on any attachments or suspicious links in emails.

    Instead, report the phishing attempt to help your IT team and email provider block other suspicious fake emails before they arrive in your inbox. In addition, the use of random phishing simulations is a valuable exercise to help end-users spot phishing attempts.

  5. Beware of social engineering traps.

    Many people don’t realize that many of the posts seen on social media asking for seemingly random details are created by criminal networks. They use these posts to gather data that can be mined for potential passwords and other secure information.

    For example, posts like, “What car do you wish you still had?” or “Tag your childhood best friend” can be used to help criminals work out the answers to your security questions.

    Not only can these tactics impact personal data but are used to target employees in order to gain access to corporate networks. Read CISA’s Social Media Cybersecurity Tip Sheet for more information about good social media and cybersecurity practices.

  6. Don’t forget about mobile.

    Most connected Internet of Things devices are supported by mobile applications. Mobile devices are often filled with suspicious apps running in the background, or using default permissions users never realized they approved, which are gathering personal information and login credentials without the user being aware.

    A robust cybersecurity posture should include a plan for protecting data from employees using compromised mobile devices to access to corporate networks.

  7. Stay protected while connected.

    Using Virtual Private Network (VPN) for employees remotely connecting is the best way to protect networks. A VPN creates a secure connection that encrypts information so that it’s hidden as it travels. This connection makes it harder for attackers to see and access data.

    VPNs are essential when accessing sensitive data like personally identifiable information (like social security numbers) or protected health information, especially when using public wi-fi networks. In today’s hybrid workplace, VPNs are a must to protect against suspicious activity.

From a phishing attack to a ransomware attack, cyber threats are constantly evolving. If you are unsure whether your firm employs good cybersecurity hygiene best practices or not, then it may be time for a security check-up.

Remember, cybercriminals will use any security vulnerabilities they can find to gain access and steal data. You can start with these cybersecurity tips and move on to using our free Cybersecurity Checklist to review your security measures.


Coretelligent is here to help with advice from our cybersecurity experts. Protect your business and learn more about our enhanced managed cybersecurity services designed specifically for small-to-mid-sized companies. Reduce your risk from security incidents – contact us today for help responding to your cybersecurity gaps.

What is the CIA Triad?

CIA Triad

What is the CIA Triad?

The CIA Triad is a fundamental cybersecurity model that acts as a foundation in the development of security policies designed to protect data. The three letters in CIA Triad stand for Confidentiality, Integrity, and Availability.

In theory, the CIA Triad combines three distinct means of interacting with data to create a model for data security. First, the principle of confidentiality requires that only authorized users have access to data within a system.

The second tenet of integrity imparts the necessity of the trustworthiness and veracity of data. The final component of availability dictates that data must be accessible where and when users need it. The intersection of these three concepts is a guiding framework for protecting digital information.

What Are the Origins of the Triad?

As much as the name implies, the CIA Triad is not related to the Central Intelligence Agency; although, their cyber security program almost assuredly utilizes the model.

The individual principles have existed since even before computer data became a reality in the mid-twentieth century. And they were independently utilized in data security since then, but it is not known when the tenets were first thought of as a triad.

The term is mentioned in the 1998 book Fighting Computer Crime, and it appeared to be the standard among security practices at that time. No matter when the idea of the Triad was first conceptualized, the principles have long been in use by security professionals who understood the need to make information more secure.

Where Does the CIA Triad Fit into Cybersecurity?

Effective protection of digital assets begins with the principles of the CIA Triad. All three tenets are necessary for data protection, and a security incident for one can cause issues for another. Although confidentiality and integrity are often seen as at odds in cybersecurity (i.e., encryption can compromise integrity), they should be balanced against risks when designing a security plan.

The CIA Triad forces system designers and security experts to consider all three principles when developing a security program to protect against modern data loss from cyber threats, human error, natural disasters, and other potential threats. It is a springboard for conceptualizing how information should be protected and for determining the best way to implement that protection within a given environment.

Related Content →  The Future of Analytics is in Data Governance: Are You Prepared?

A Deeper Look at the Three Pillars in Action

Remember that the CIA Triad is made up of the core tenets: confidentiality, integrity, and availability. CIA Triad

  1. Confidentiality refers to protecting information such that only those with authorized access will have it.
  2. Integrity relates to the veracity and reliability of data. Data must be authentic, and any attempts to alter it must be detectable.
  3. Availability is a crucial component because data is only useful if it is accessible. Availability ensures that data can be accessed when needed and will continue to function when required.

That’s the theory behind the Triad. Now, we will take a look at how Triad is put into action cyber security strategy with some real-life examples.

→ Putting Confidentiality into Practice:

  1. Data encryption is one way to ensure confidentiality and that unauthorized users cannot retrieve data for which they do not have access.
  2. Access control is also an integral part of maintaining confidentiality by managing which users have permissions for accessing data.
  3. Life science organizations that utilize patient data must maintain confidentiality or violate HIPAA.

→ Putting Integrity into Practice: 

  1. Event log management within a Security Incident and Event Management system is crucial for practicing data integrity.
  2. Implementing version control and audit trails into your IT program will allow your organization to guarantee that its data is accurate and authentic.
  3. Integrity is an essential component for organizations with compliance requirements. For example, a condition of the SEC compliance requirements for financial services organizations requires providing accurate and complete information to federal regulators.

→ Putting Availability into Practice:

  1. Employing a backup system and a disaster recovery plan is essential for maintaining data availability should a disaster, cyber-attack, or another threat disrupt operations.
  2. Utilizing cloud solutions for data storage is one way in which an organization can increase the availability of data for its users.
  3. As the reliance on data analytics expands, the need for data to be available and accessible grows for sectors like financial services and life sciences.

Is the CIA Triad Limited as a Cyber Security Strategy?

As the amount of data explodes and as the complexity of securing that data has deepened, the CIA Triad may seem to be an oversimplification of the reality of modern-day cyber security strategy. However, it is critical to remember that the Triad is not actually a strategy; but instead, it is a starting place from which a security team can create a strategy.

It is a foundational concept on which to build a full-scale, robust cyber security strategy. It cannot eliminate risk, but it can help prioritize systemic risks to address them better. Additionally, the CIA Triad cannot prevent all forms of compromise, but it helps reduce the likelihood of unnecessary exposure and can help decrease the impact of a cyber attack.

Related Content → Is Your Security Posture Negligent? Not with Multi-layered Cybersecurity.

Why the CIA Security Triad is Essential

The Triad is essential because it is a reliable and balanced way to assess data security. It weighs the relationship between confidentiality, integrity, and availability from an overarching perspective. The framework requires that any attempt to secure digital information will not weaken another pillar of defense.

Additionally, the CIA Triad effectively identifies risk factors in IT systems. It is also a gateway for even more advanced risk assessment and management tools, such as the Common Vulnerabilities and Exposures (CVE) list and the National Vulnerability Database.

How Does Coretelligent Utilize the CIA Triad?

Coretelligent incorporates the core tenets of the CIA triad into our cybersecurity, managed IT services, cloud solutions, and more. In addition, we practice defense in depth strategy, which is a system of overlapping layers of protection that range from easy-to-implement controls to complex security measures.

These layers are designed to create an interlocking barrier, not unlike the security system at your home.

We guide our clients on how best to balance making their data secure, available, and reliable. To learn more about our solutions, reach out for a consultation with our team.

Related Content →  Evaluate your security readiness with our  Cybersecurity Checklist.

Russian Cyber Attacks

 Russian Cyber AttacksPresident Biden released a statement Monday warning about “evolving intelligence that the Russian Government is exploring options for potential cyberattacks” on U.S. targets. He is urging the private sector to “harden your cyber defenses immediately by implementing the best practices.”

This warning about Russian cyber attacks comes on the heels of recent alerts about the possibility of increased cyber threats, but this is the first time the U.S. government has mentioned specific intelligence around cyberattacks.

“Today, we are reiterating those warnings, and we’re doing so based on evolving threat intelligence that the Russian government is exploring options for potential cyberattacks on critical infrastructure in the United States,” said Deputy National Security Advisor Anne Neuberger in a press briefing Monday.

Specific details about the cyber threat intelligence were not shared. However, during Monday’s White House briefing, Deputy Advisor Neuberger said that Russia had been conducting “preparatory activity,” which could mean scanning websites and hunting for vulnerabilities. She went on to say, “There’s a range of activity that malicious cyber actors use, whether they’re nation state or criminals.”

The Cybersecurity and Infrastructure Agency (CISA) and other government agencies have been urging private sector organizations to prepare for potential cyber incidents resulting from Russia’s invasion of Ukraine. They issued a Shield’s Up alert earlier this month but mentioned that there had been no specific threats uncovered at that point.

However, with this latest statement from the White House, the threat landscape has changed. As a result, there is no longer time to delay hardening your cyber defenses.

How to Prepare Your Organization for Possible Russian Cyber Attacks?

We have put together this checklist to help your organization evaluate its current level of preparedness considering these latest threats.

Follow Good Cyber Hygiene and Stay extra vigilant

  • Think before you click a link or open an email attachment.
  • Be wary of new social media requests.
  • Encourage employees to report suspicious emails, links, or requests.
  • Review and update passwords to ensure they are unique and complex—including home devices for those working remotely.

Reduce the likelihood of a damaging cyber intrusion

  • Institute Multi-Factor Authentication (MFA).
  • Utilize a Virtual Private Network (VPN).
  • Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities.

Take steps to quickly detect a potential intrusion

  • Utilize antivirus and antimalware software to protect devices and networks.
  • If working with Ukrainian or Russian connections, take extra care to monitor, inspect, and isolate traffic from those organizations.

Ensure that your organization is prepared to respond if an intrusion occurs

  • Assure business continuity by designating a crisis-response team.
  • Review policies and procedures around incident response.
  • Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.

Maximize your resilience to a destructive cyber incident

  • Test backups to ensure data can be restored within acceptable point and time objectives.
  • Identify critical vendors and understand how their services disruptions could impact your business.

To find out how you can further protect your organization, reach out to our security experts to learn more about our multi-layered security solutions.

increased cyberattacks

Shields Up increased cyberattacksThe Cybersecurity & Infrastructure Security Agency (CISA), the U.S. Intelligence Community, law enforcement, and other agencies recently issued a Shields Up alert regarding a potential increase in cyberattacks related to Russia’s military action against Ukraine and subsequent sanctions against the Russian government and related entities.

While no specific cyber threats against U.S. targets have been identified, U.S. agencies and security experts recommend that all public and private sector organizations adopt a heightened cyber security posture.

They are warning about increased data breaches and ransomware attacks, and other types of attacks, not unlike what was seen in 2017 with the NotPeyta malware. Recent weeks saw distributed denial-of-service attacks (DDoS) on government websites and the discovery of HermeticWiper malware in Ukraine. In the past, Homeland Security and the FBI have accused what they called “Russian government cyber actors” of targeting energy, healthcare, and other critical infrastructure sectors in the U.S.

“From this point forward, military conflicts will extend into cyberspace,” shares Gregory H. Winger, assistant professor of political science, School of Public and International Affairs, and faculty fellow at the Center for Cyber Strategy and Policy at the University of Cincinnati in a recent article in CSO. He goes on to say about Wiper malware, “I have not seen any indications yet that this current campaign or malware has spread much beyond Ukraine. However, there are elements that appear to be patterned on NotPetya, which did go global.”

Guidance for Organizations

CISA is recommending U.S. businesses take a variety of actions considering the current situation, including, but not limited to:

Reduce the likelihood of a damaging cyber intrusion

Take steps to quickly detect a potential intrusion

    • Utilize antivirus/antimalware software to protect your entire network.
    • If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations.

Ensure that the organization is prepared to respond if an intrusion occurs

    • Assure business continuity by designating a crisis-response team.
    • Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.

Maximize the organization’s resilience to a destructive cyber incident

    • Test backup procedures to ensure rapid restoration of critical data.
    • Test manual controls industrial control systems and operational technology to ensure that essential functions remain operable.

Additional recommendations from Coretelligent’s security experts include:

Stay extra vigilant

    • Think before you click a link or open an email attachment.
    • Be wary of new social media requests.

Prepare for further equipment delays

    • An already stressed global supply chain is vulnerable to the U.S. chip industry’s reliance on Ukrainian-sourced neon and other exports.

Ensure readiness to respond to a cyber incident

    • Review policies and procedures around incident response.

How to Protect Your Organization?

If you are concerned that your organization’s current cybersecurity posture is not robust enough to sufficiently handle the intensified conditions, reach out to learn more about Coretelligent’s multi-layered cybersecurity solutions.

CoreArmor is a customizable cybersecurity platform that provides a solid foundation of cybersecurity protections and can resolve specific security concerns and issues based on your business needs. Powered by AlienVault’s enterprise-class Unified Security Management® (USM) platform, CoreArmor delivers the following:

  • Managed Detection and Response (MDR) – End-to-end, round-the-clock expert monitoring and threat response.
  • 24x7x365 US-based Security Operations Center (SOC) – Intrusion detection monitoring and response in real-time.
  • Security Automation and Orchestration – Provides accelerated reaction time and extended protection.
  • Cloud Protection – Real-time monitoring of cloud infrastructure.
  • Geolocation – Identity suspicious login activity.
  • Behavioral Monitoring and Endpoint Detection & Response (EDR) – Monitor, collect, respond, and analyze endpoint data to identify threats and threat patterns.
  • SIEM and log management – Allows for expert human analysis and remediation.
CISA alert

Critical Cyber Threats - CISAYesterday, the Cybersecurity Infrastructure & Security Agency (CISA), the federal agency charged with protecting the nation’s cyber infrastructure, released a notice from the National Cyber Awareness System. Based on recent malicious cyber incidents in Ukraine, CISA urges organizations across all sectors and of any size to be on alert for malicious cyber activity. The agency also provided a checklist of actions to take immediately.

To reduce the likelihood of destructive cyber intrusions, CISA recommends that business leaders immediately:

  1. Institute multi-factor authentication
  2. Ensure that software is up to date
  3. Disable all ports and protocols that are not essential for business purposes
  4. Review and implement strong controls for cloud services
  5. Conduct vulnerability scanning

CISA also advises that organizations take the following steps to detect potential intrusions:

  1. Identify and assess unusual network behavior. Enable logging to investigate issues better.
  2. Protect networks with antivirus and antimalware software and that these tools are up to date.
  3. Closely monitor traffic and review access controls if dealing with Ukrainian organizations

Additional recommendations can be found at CISA Insights: Implement Cybersecurity Measures Now to Protect Against Potential Critical Threats.

If your organization requires assistance with implementing these and other cybersecurity initiatives, reach out to our security experts.


Why are Phishing Emails so Dangerous and How Can You

Though it’s been around for a while, phishing attacks continue to be one the most common attacks and a favorite among hackers for their effectiveness and simplicity. These types of malicious attacks account for 90% of all data breaches.

Phishing schemes target the weakest link in the security chain–individual users. Phishing messages usually look like legitimate emails and include suspicious links or a malicious attachment made to look like legitimate links or a document from a trusted source. Use these resources to educate yourself and your end-users on better recognizing fraudulent emails.

7 Ways to Combat Phishing Emails

  1. Humans play a critical role in data breaches. Phishing scammers look for human errors to exploit and use social engineering tactics to obtain sensitive information and login details. Learn more by reading Cybersecurity and the Human Element.
  2. With email being the primary communication tool of business, it’s no surprise that it remains a top security risk. Attackers favor email messages because they can go around technical security measures by focusing their efforts on end-users. Discover more about how scammers use the phishing technique in Email Security Threats: You’ve Got Malware.
  3. Ransomware attacks are on the rise for financial services, according to the SEC’s OCIE. Attackers use phishing scams to gain access to your organization’s systems or data. Once they have access, they lock you out by encrypting your data, demand a ransom for the return of control, and may threaten to publish sensitive data if payment is not made. Read more in Ransomware on the Rise for Financial Services.
  4. Read Top 10 Cybersecurity Recommendations for a list of ten recommendations and best practices that can help better protect your business from fraudulent activities and evolving cyber threats.
  5. Does your organization know how to identify a spear phishing attempt? 6 Steps to Take to Reduce Phishing describes potential scammers’ strategies and the tell-tale signs of email phishing.
  6. In Most Common Types of Cyber Attacks & How to Prevent Them, we share cybersecurity tips to prevent some of the most common types of cyberattacks by proactively managing your risk profile.
  7. The End-User Awareness Training guide makes a case for end-user awareness training to mitigate human error and help users recognize suspicious activity. In addition, you will learn how to spot types of phishing attacks and other social engineering attacks.

Cybersecurity Awareness Month is a great time to reevaluate your security risk profile, reinforce your posture with additional security measures, and educate your team on. We hope these resources will help increase awareness and prevent future data breaches. Reach out to learn how Coretelligent can help protect your business with our robust cybersecurity solutions.

Kaseya Ransomware Attack

Kaseya Ransomware Attack A breakdown of the Kaseya ransomware attack and how Coretelligent successfully evaded any impacts.

The July 4th weekend Kaseya ransomware attack should be a warning to all organizations from small- and mid-sized businesses to multinational corporations. Not only did the attack compromise and exploit the Kaseya VSA product itself, but the hackers’ true focus and intention were to access as many downstream customers through the platform as possible to maximize the potential earnings from their ransomware attack. This kind of attack is referred to as a supply chain ransomware attack. In the Kaseya/REvilware ransomware incident, the hackers responsible for the attack hoped to magnify their results by targeting a service provider and gaining access to client’s systems. Unfortunately, in the eyes of cybercriminals, many ransomware victims are better than just one victim. More victims increase their chances of collecting on a significant cryptocurrency ransom demand, particularly within the realm of managed service providers and their downstream customers.

Shots Fired

While this is the most massive ransomware attack on record, it could have been much worse. Considering that the company is one of the largest in the remote monitoring landscape, the thousands of victims affected could have been tens of thousands. Today, Kaseya VSA users were the targets, but tomorrow it could be the customers of an even more popular vendor or Software-as-a-service (SaaS) provider. There is no enterprise in the world that does not utilize service providers as a regular part of their business—not to implicate any specific company, but think about the prevalence of Microsoft, Adobe, Amazon Web Services, Salesforce, Zoom, and many others. This incident indicates an escalation by cybercriminals, and we should all be paying attention. Sorry to say, but this is the proverbial shot fired across our bow, and now is the time is now to batten down the hatches for the next potential attack.

What Made Coretelligent Different?

Not all of Kaseya’s customers were impacted, however. Neither Coretelligent nor any of our clients were affected. At the same time, other MSPs and their customers were caught up in the Kaseya ransomware attack and locked out of their systems, awaiting backup restoration efforts or a decryption key. We credit this outcome to the fact that we do not rely on any single tool to provide our only means of security, and we have robust incident response planning and workflows to handle such an event. We have multiple layers of protection in place to protect our critical systems and data. Additionally, we were able to mobilize our team immediately upon news breaking of this event to take swift action to mitigate and protect until further information was available.

While not directly impacted, Coretelligent immediately enacted our Incident Response Plan out of an abundance of caution upon learning of the attack in progress on July 2nd. Doing so allowed us to eliminate any potential issues and keep all customers protected until further information on the attack became available. As leaders in the MSP space, we must follow the very same incident response guidance that we offer as recommendations to our clients.

Coretelligent’s robust, multi-layered approach to cybersecurity, also referred to as defense-in-depth, protected us—and, more importantly, our clients.

Here are some of the key provisions that make up this layered defense model:

  • Perimeter Security – Strong firewall policies to allow only necessary services access, security scanning (antimalware, antivirus), DNS/web filtering, Intrusion Detection and Prevention (IDS/IPS), and geo-blocking all help reduce the ability of malicious actors to access services such as Kaseya that were public-facing.
  • Multi-Factor Authentication – All critical services are secured with multi-factor authentication to reduce the possibility of unauthorized access due to compromised credentials.
  • Role-Based Access Controls (RBAC) – Coretelligent operates a tiered and segmented permission structure within our environment. Employees are granted the appropriate level of access to systems based on their role, responsibility, and seniority. This process helps to govern and restrict full administrative access to key systems and infrastructure to a select group of senior internal resources; as such, there are fewer accounts and avenues for attackers to gain access and do damage.
  • Endpoint Protection – Coretelligent leverages SentinelOne Endpoint Protection for all our corporate servers and workstations. This platform, along with others, can detect/block these types of exploit attacks.
  • Security Logging and Monitoring – All critical infrastructure is monitored in real-time via our CoreArmor platform. Logs and data are aggregated from all our critical systems to look for anomalous or suspicious behavior and immediately alert our team.

As Coretelligent’s infrastructure was protected with the provisions noted above, our customers were also still protected via endpoint security software from our other partner providers, SentinelOne and Webroot.  In addition, subscribers to our CoreArmor service benefitted from additional real-time alerting and protections against this attack as the indicators of compromise (IOC) used in this attack were discovered and reported. This coverage allowed for security products to better detect and protect against this attack from further spreading or infection of new targets. All our key security vendors provided security updates and tracking information throughout this event to help block the ransomware and additional infected files to reduce further spread and infections.

The Plan You Hope You Never Have to Use

An Incident Response Plan is a set of guidelines and procedures put into effect during a security incident. Generally, this type of plan includes guidelines for the initial response, escalation, containment, and recovery or post-incident activities.

As our Incident Response Plan recommends, we quickly shut down all activity from the Kaseya compromised servers. In addition, we followed the additional steps outlined in our plan to safeguard our resources and those of our clients. As a result, neither Coretelligent nor any of our customers experienced any impacts—excluding inconvenience—as we proceeded through our Incident Response Plan. Additionally, to honor Coretelligent’s commitment to transparency, our team provided twice-daily email updates to our customers, which are also available in this blog post.

As the attack unfolded, Kaseya shared that the hackers were able to gain access through a zero-day. A zero-day is a previously unknown vulnerability discovered in software or system design that cyber criminals can exploit to gain entry to networks. A patch was released on July 13th to address the vulnerabilities, and after careful review of the fix, our Coretelligent engineers begin implementing the patch on July 14th.

Future Plans

Moving forward, Coretelligent will address any concerns we may have with Kaseya and provide an update and recommendation to our clients.

Kaseya Ransomware AttackFrequently Asked Questions About the Kaseya Ransomware Attack

What is Kaseya?

Kaseya is a leading provider of cloud-based IT management and security solutions for small, medium, and large businesses. The Kaseya VSA platform is just one tool that Coretelligent uses to help manage, access, and maintain customer servers and workstations.

How does Coretelligent use Kaseya?

Coretelligent uses Kaseya to remotely access, troubleshoot, monitor, and manage servers and endpoints of our customers and perform automation and maintenance activities for customers who subscribe to that service. Additionally, Coretelligent uses a combination of tools (Kaseya and LogicMonitor) to monitor customers who have signed up for proactive monitoring services.

Who is behind the ransomware attack?

This attack was perpetrated by the cybercriminal group known as the REvil Ransomware Gang. The threat actors were implicated in the June 2021 hack of the meat-processor JBS. After the JBS attack, the group warned that they would next target U.S. companies. As a result, the White House called for President Vladimir V. Putin to shut down the Russia-linked gang and other ransomware groups targeting the U.S.

How did Kaseya get hacked?

The attackers exploited four vulnerabilities in Kaseya’s VSA product to bypass authentication, upload ransomware, and other payloads, and then execute the malicious code/files. This vulnerability allowed the hackers to upload the malicious software, create Kaseya procedures (scripts) to copy files and execute the ransomware. They then executed these procedures against all customer agents tied to each Kaseya VSA server to start the ransomware attack and deliver a ransom note to downstream customers. They then removed logs and other forensic evidence to cover their tracks.

A more detailed technical breakdown is available at TrueSec.

Why were some Kaseya customers infected and others were not?

This question is not yet fully answered at this point, and more forensic details may still need to be shared from the impacted MSPs with Kaseya, law enforcement, and various security firms that are involved in this incident.

From what we can tell, customers utilizing multiple layers of protection were better protected against this attack. For example, Coretelligent uses perimeter firewalls, DNS filtering, geo-blocking, multi-factor authentication, and other security controls to protect our VSA servers. This practice, commonly referred to as defense in depth, provides multiple hurdles for an attacker to bypass, making for a more challenging target to crack.  This approach may encourage the attacker to move on and works to protect Coretelligent and its customers.

Additionally, it should be noted that only premises customers, meaning those with on-premise VSA servers, were impacted.

Is it safe to use Kaseya now that it has been patched?

YES—our Kaseya VSA environment is safe and secured for use. Coretelligent successfully applied version 9.5.7.a patch, which resolved multiple security vulnerabilities in the product and has made all the necessary configuration adjustments and security recommendations to our Kaseya VSA servers as of July 13th.

Kaseya Help Desk Resources:

Our VSA servers continue to be protected by multiple security layers and restrictions, along with comprehensive security monitoring and alerting, which we believe will continue to keep our environment protected and secure.

Will Coretelligent continue to use Kaseya for Remote Monitoring and Management (RMM)?

Coretelligent will undergo a careful forensic review of this experience and decide whether to continue with Kaseya for remote monitoring and management or switch to a different vendor platform. In the interest of full transparency, we will communicate our decision with you, our customers, and provide background and justification about our decision.

How can we reduce the risk of this kind of supply chain attack?

Partnering with a tested, transparent, and expert managed service provider like Coretelligent is your best defense against ransomware and other cyberattacks. We offer best-in-class services covering a full range of technology needs with specialized expertise in cybersecurity.

What is the official response and guidance from the U.S. government?

The Deputy National Security Advisor Anne Neuberger has provided regular updates about the Kaseya ransomware attack and law enforcement is continuing its investigations to safeguard critical infrastructure and prevent future incidents. In an early statement about the attack, she remarked that President Joe Biden had “directed the full resources of the government to investigate this incident.”

Additionally, the Cybersecurity Infrastructure Security Agency, one of the federal agencies tasked with protecting U.S. assets, released a CISA guidance advisory which included a multitude of recommendations for hardening IT systems, including:

  • Using authentication process controls, like multi-factor authentication, the use of which might have saved the Colonial Pipeline from getting hacked.
  • Adhere to best practices for password and permission management
  • Regularly update software and operating systems
  • Employ a backup solution to automatically and continuously back up critical data and systems. Store backups in an easily retrievable location that is air-gapped from the organizational network.

Comprehensive Cybersecurity Protection

For more recommendations and information about how Coretelligent’s cybersecurity practices and solutions can protect your organization from incidents like the Kaseya ransomware attack, reach out to schedule your complimentary initial consultation. Coretelligent also offers expertise working with specific industries that have cybersecurity compliance requirements like financial services, life sciences, real estate investment, and others.

Think About It with Chris Messer, CTO

Chris Messer, Chief Technology Officer at CoretelligentAs Chief Technology Officer, Chris Messer is a transformational and strategic IT leader who establishes and leads Coretelligent’s technical vision and technological development. Chris shares a post each month called Think About It.

Click here to learn more about Chris.