Report: Security teams take an average of 6 days to resolve alerts

Join top executives in San Francisco on July 11-12, to hear how leaders are integrating and optimizing AI investments for success. Learn More

Today, Palo Alto Networks released the Unit 42 Cloud Threat Report Volume 7, which examined over 1,300 organizations and analyzed the workloads in 210,000 cloud accounts, subscriptions and projects across CSPs. The analysis found that security teams take an average of 145 hours — approximately six days — to resolve a single security alert. 

The research indicates that most security teams aren’t able to process alerts at the speed they need to protect their organizations against threat actors. 

“Organizations need to be as fast as the attackers they’re defending against. Typically, Unit 42 sees attackers exploiting newly disclosed vulnerabilities within a few hours — if not minutes. Resolving security alerts with speed and urgency is critical for organizations, and there’s technology that if configured properly, will help cut down the alert noise as well,” said Jay Chen, cloud security researcher, Prisma Cloud and Unit 42 at Palo Alto Networks. 

In any case, the report highlights that many security teams are making the same mistakes, which are leading to alert generation. For instance, 80% of alerts are triggered by just 5% of security rules in most organizations’ cloud environments.


Transform 2023

Join us in San Francisco on July 11-12, where top executives will share how they have integrated and optimized AI investments for success and avoided common pitfalls.

Register Now

Lack of MFA a common security weakness

The report also revealed that most organizations were failing to enforce multifactor authentication (MFA) among cloud users, with 76% of enterprises not implementing MFA for users who can log in to the cloud management web portal on the public internet and 58% not enforcing MFA for root/admin users. 

This is a serious oversight given that if any of these privileged identities were accessed by an attacker, the entire cloud infrastructure would be at risk of compromise.

Above all, the Palo Alto Networks research suggests that organizations need to enhance user access controls in the cloud and find new ways to streamline alert resolution to survive in the current threat landscape.

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.

European Commission Proposes Devoting $1.2 Billion to New Cybersecurity Initiatives

The European Commission has proposed devoting 1.1 billion euros (about $1.2 billion) to new cybersecurity initiatives.

The proposal of the European Union Cyber Solidarity Act comes at a time when cybersecurity incidents pose a growing threat, driven in part by cyberattacks related to Russia’s invasion of Ukraine, the commission said in a Tuesday (April 18) press release.

“The Cyber Solidarity Act establishes EU capabilities to make Europe more resilient and reactive in front of cyber threats, while strengthening existing cooperation mechanism,” the commission said in the release. “It will contribute to ensuring a safe and secure digital landscape for citizens and businesses and to protecting critical entities and essential services, such as hospitals and public utilities.”

The proposed regulation will now be examined by the European Parliament along with the commission, according to the release.

One element of the act is the proposed establishment of a European Cyber Shield composed of national and cross-border entities tasked with detecting cyber threats, sharing warnings about threats and incidents, and enabling authorities to respond more quickly and effectively, the release said.

Security Operations Centres (SOCs) contributing to the European Cyber Shield are to be established across the EU and are expected to be operational by early 2024, per the release.

Another part of the EU Cyber Solidarity Act is the creation of a Cyber Emergency Mechanism that will test the preparedness of entities in highly critical sectors, create a reserve of pre-contracted providers who can respond to large-scale cybersecurity incidents, and enable EU member states to provide financial support to other member states, according to the release.

The proposed regulation also establishes a Cybersecurity Incident Review Mechanism that will help the EU improve its resilience to cyberattacks by reviewing and drawing lessons from past incidents, the release said.

“With the proposed EU Cyber Solidarity Act, the commission responds to the member states’ call to strengthen EU cyber resilience, and delivers on its commitment expressed in the recent Joint Cyber Defence Communication to prepare an EU Cyber Solidarity Initiative,” the commission said in the release.

As PYMNTS reported in September, the EU has developed a string of regulatory instruments to enhance the bloc’s cyber resilience, and these acts may set new global standards.

For all PYMNTS EMEA coverage, subscribe to the daily EMEA Newsletter.

It’s Tax Day… Here’s how to spot fake IRS calls, texts and emails

It’s Tax Day… Here’s how to spot fake IRS calls, texts and emails

It’s Tax Day… which means scammers are out to steal your money. Here’s how to spot fake IRS calls, texts and emails

The deadline for filing your taxes is just hours away – but that is still plenty of time for scammers to pose as the IRS and demand payments from victims. 

Government officials warn Americans that the IRS will never first contact taxpayers by phone or email – the initial communication is always in a written letter.

Fake texts have also become widespread, in which bad actors bombard phones with messages that demand payments or threaten legal action over unpaid taxes.

These phony messages will request immediate payment, sometimes with a gift card, or threaten people with arrest, which are actions the IRS says it will never take to collect payments.

Tax Day has come in the US, and that means scammers will pose as the IRS to demand money from victims

Tax Day has come in the US, and that means scammers will pose as the IRS to demand money from victims

IRS Commissioner Danny Werfel said in a statement: ‘Scammers are coming up with new ways all the time to try to steal information from taxpayers.

‘People should be wary and avoid sharing sensitive personal data over the phone, email or social media to avoid getting caught up in these scams. 

‘And people should always remember to be wary if a tax deal sounds too good to be true.’ 

More than 3,000 reported tax scams in 2022 resulted in $6.23 million in losses, according to data from the Federal Trade Commission (FTC).

The agency hopes to minimize these numbers for this year by making the public aware of the types of scams.

Phishing and smishing seem to be the go-to attack among scammers.

The former involves fake emails claiming to come from the IRS or another legitimate organization, including state tax organizations or a financial firm.

These communications can include a phony tax refund to trick people into handing over banking details or false charges for tax fraud.

Some phishing emails may also ask the victim to call a telephone number. In these cases, the scammer will pose as an IRS officer and take the person’s details over the phone. 

Scammers are sending text messages posing as the IRS. These include numbers to call or links that direct users to a fake website that demands payments

Scammers are sending text messages posing as the IRS. These include numbers to call or links that direct users to a fake website that demands payments

Smishing is a text message that uses the same technique as phishing but provides a link for users to click, which is usually a fake website designed to look like an official IRS site.

Scammers often use alarming language like, ‘Your account has now been put on hold,’ or ‘Unusual Activity Report’ with a bogus ‘Solutions’ link to restore the recipient’s account. Unexpected tax refunds are another potential target for scam artists. 

Beware of these scams 

Phishing: Scammers will create fake emails that look like they came from the IRS.

These messages will demand payment through a link or ask people to submit their information.

Phishing schemes may also tell people they need to provide banking details to receive their refund.

Smishing: This is phishing by SMS and text message.

Messages are often threatening and claim a lawsuit has been filed against the target by the IRS. Sometimes they claim a warrant has been issued for the person’s arrest.

The text will then prompt the victim to call a number or click a link.

Phone calls: The caller will say the victim is eligible for a tax refund, then ask for personal information and bank details to make the payment.

If it seems suspicious, or you had no reason to suspect a call, dial the hotline to report a scam.


The crooks set up a fake phone number and then send out text messages en masse to hundreds, and sometimes thousands, of unsuspecting targets. 

There are several ways scammers obtain the cell numbers of their victims – but usually, they’re scraped from huge online databases. 

‘Email and text scams are relentless, and scammers frequently use tax season as a way of tricking people,’ Werfel said.

‘With people anxious to receive the latest information about a refund or other tax issue, scammers will regularly pose as the IRS, a state tax agency or others in the tax industry in emails and texts. 

‘People should be incredibly wary about unexpected messages like this that can be a trap, especially during filing season.’ 

Taxpayers will also start to see scam calls ring in throughout the day and while it seems archaic, this method has been a very successful attack.

A voice on the other end will state they are with the IRS, demanding immediate payment through a specific method such as a credit or gift card.

These fraudsters may even go as far as to threaten arrest, driver’s license revocation and even deportation if victims do not hand over the desired payment or provide personal information.

Christopher Brown, an attorney at the FTC, told NPR that the IRS would never threaten taxpayers with arrest or demand immediate payment over the phone.

This is because citizens can appeal or question how much they owe in taxes, and payments are usually set up through written communications.

‘That newer tactic of luring people with promises of a tax refund or rebate is more often employed over email or text as a phishing or smishing scam,’ said Brown.

And officials warn not to trust Caller ID, which can also be altered to display any name or organization.

‘Individuals should never respond to tax-related phishing or smishing or click on the URL link,’ the IRS shows on its website.

‘Instead, the scams should be reported by sending the email or a copy of the text/SMS as an attachment to [email protected]

‘The report should include the caller ID (email or phone number), date, time and time zone, and the number that received the message.’

This powerful email malware attack uses PDF and WSF files to break your defenses

Cybersecurity researchers have discovered a new hacking campaign that distributes the dreaded Qbot malware.

Qbot is used by some of the world’s biggest ransomware operators, such as BlackBasta, REvil, Egregor, and others. 

Faltering against Ukraine, Russian hackers resort to ransomware: Researchers

Faltering against Ukraine, Russian hackers resort to ransomware: Researchers


A Russian flag in computer code. (Graphic by Breaking Defense, original images via Pexels)

UPDATE 4/18/23 at 6:45pm ET: This article has been updated to reflect clarifications from Mandiant regarding Russia’s purported use of ransomware.

WASHINGTON — Moscow’s military hackers may be spread thin, new research suggests. Russian cyberattacks on Ukraine and its allies surged last fall only to decline again in early 2023, said experts at cybersecurity shop Mandiant, part of Google Cloud.

What’s more, not only was the fall campaign smaller than the initial cyber onslaught before and after the ground invasion in January-April 2022, Mandiant said, it used different software, relying more on criminal-style ransomware and less on the specialized “wipers” that had characterized earlier attacks.

The research shows that the time period from October to December 2022 “was characterized by a resurgence in disruptive cyber attacks in Ukraine,” says the report.

“Though some of the attacks appeared similar to disruptive attacks seen in previous phases, this new wave of disruptive attacks appeared to deviate from the historical norm. Earlier attempts relied on quick turnaround operations using CADDYWIPER variants, but the attacks undertaken in October to December saw GRU clusters deploying ransomware variants on targeted networks,” says a Mandiant report published today, referring to Russian military intelligence. Specifically, Russian-backed hacker group IRIDIUM deployed a form of ransomware called Prestige in a series of attacks on Ukrainian and Polish networks, focusing on the transportation and logistics sectors crucial to shipping Western arms to the front line.

“GRU’s shift to using ransomware may be a sign they are undergoing tooling shifts and don’t have the resources to rely on writing or modifying custom malware,” the report says.

Mandiant Intelligence VP Sandra Joyce, however, emphasized that the appearance of ransomware could also have been an unsuccessful, one-off attempt to make the attacks look like they were coming from a criminal group rather than Russia intelligence.

RELATED: State Dept wants ‘cyber assistance fund’ to aid allies and partners against hackers

Overall, Mandiant Intelligence senior manager Nick Richard was cautiously optimistic about the current threat picture.

“While ongoing and new investigations continue to be analyzed through the first quarter of 2023, to date Mandiant has not observed tracked threat actors mustering the same level of disruptive activity that was observed in the last quarter of 2022,” he said in an email to Breaking Defense. In other words, the Russian surge has subsided since the timeframe covered in the report.

Ironically, Russia’s resort to ransomware occurs as the tidal wave of ransom hacks may finally be falling back worldwide. Now, Mandiant doesn’t claim to track every attack, just those that came up in the company’s own investigations, which have increasingly focused on supporting Ukraine. But with that caveat, the report says, “Mandiant experts note a decrease in the percentage of global intrusions involving ransomware between 2021 and 2022,” from 23 percent in down to 18.

There’s probably no single cause, Richard told Breaking Defense, but rather multiple factors working together. Government agencies have systematically targeted ransomware hackers; the conflict in Ukraine has disrupted Eastern Europe-based cybercrime and consumed the energy of many Russian and Ukrainian hackers; and potential victims are getting better at preventive measures, such as disabling the mini-algorithms known as macros as a shortcut in many software programs.

In fact, the global cybersecurity picture is looking brighter overall. “Attacks are being detected faster than ever before,” the report says. The “dwell time” between a breach occurring and it being detected now averages 16 days. While that’s still plenty of time for an attacker to do damage, it’s still almost 25 percent better than the 21-day median in 2021 and almost 85 percent better than the 101-day median just five years before.

Mandiant breaks its dwell-time figures down to look separately at “internal” detections, when the victim finds the breach itself, and “external,” when the victim is notified by an outside organization, such as law enforcement or an intelligence agency. The number of external notifications is rising faster than internal discoveries, the report finds, and victims’ response time to those external warnings is getting dramatically faster. (Internal discovery timelines are improving too, but the improvement there isn’t as marked, so it’s not driving most of the overall trend.) This improvement in external notifications is especially pronounced in Europe. Richard acknowledges some of that uptick might be a fluke rather than a trend, driven in part by Mandiant and other cybersecurity companies rallying to the defense of Ukraine.

“A noted increase in external notifications for the EMEA [Europe/Middle East/Africa] region has some correlation to Mandiant’s investigative support to and significant cybersecurity industry interest in threat activity in Ukraine,” he acknowledged. “Some metrics may revert next year based on the current reporting period distinctions.”

Overall, however, the improvement suggests “improved collaboration across the public and private sectors,” Richard said. “As this cooperation and the notification framework evolves and refines, providing victim organizations timely and critical information, organizations are able to ingest information more rapidly to respond effectively to a diverse array of cyber threats.”

Experts have highlighted better cooperation between cybersecurity firms, potential targets, and government agencies as one of the biggest lessons-learned from the cyber war in Ukraine.

Cybersecurity: Why The C-Suite Should Care

More From Forbes

Spyware Company NSO Exploits Find My iPhone Flaw In Zero-Click Hack“,”scope”:{“topStory”:{“index”:1,”title”:”Spyware Company NSO Exploits Find My iPhone Flaw In Zero-Click Hack”,”image”:”×0.jpg”,”isHappeningNowArticle”:false,”date”:{“monthDayYear”:”Apr 18, 2023″,”hourMinute”:”07:00″,”amPm”:”am”,”isEDT”:true,”unformattedDate”:1681815656000},”uri”:””}},”id”:”8hc2egegb6og00″},{“textContent”:”

Platforms Issue ‘Urgent’ Warning Against UK Online Safety Bill“,”scope”:{“topStory”:{“index”:2,”title”:”Platforms Issue ‘Urgent’ Warning Against UK Online Safety Bill”,”image”:”×0.jpg”,”isHappeningNowArticle”:false,”date”:{“monthDayYear”:”Apr 18, 2023″,”hourMinute”:”05:08″,”amPm”:”am”,”isEDT”:true,”unformattedDate”:1681808903197},”uri”:””}},”id”:”7328g824oamg00″},{“textContent”:”

Why Your Tech Stack Isn’t Enough To Ensure Cyber Resilience“,”scope”:{“topStory”:{“index”:3,”title”:”Why Your Tech Stack Isn’t Enough To Ensure Cyber Resilience”,”image”:”×0.jpg”,”isHappeningNowArticle”:false,”date”:{“monthDayYear”:”Apr 17, 2023″,”hourMinute”:”09:53″,”amPm”:”am”,”isEDT”:true,”unformattedDate”:1681739594607},”uri”:””}},”id”:”2f8d2rrch8kk00″},{“textContent”:”

New iPhone Threat—What Is Reign Spyware?“,”scope”:{“topStory”:{“index”:4,”title”:”New iPhone Threat—What Is Reign Spyware?”,”image”:”×0.jpg”,”isHappeningNowArticle”:false,”date”:{“monthDayYear”:”Apr 14, 2023″,”hourMinute”:”11:07″,”amPm”:”am”,”isEDT”:true,”unformattedDate”:1681484843421},”uri”:””}},”id”:”8rnhlhfcf56o00″},{“textContent”:”

Almost Human: The Threat Of AI-Powered Phishing Attacks“,”scope”:{“topStory”:{“index”:5,”title”:”Almost Human: The Threat Of AI-Powered Phishing Attacks”,”image”:”×0.jpg”,”isHappeningNowArticle”:false,”date”:{“monthDayYear”:”Apr 11, 2023″,”hourMinute”:”01:16″,”amPm”:”pm”,”isEDT”:true,”unformattedDate”:1681233408438},”uri”:””}},”id”:”3n64e8j0dl0o00″},{“textContent”:”

Indian Government Starts ‘Fact Checking’ Social Media; Twitter Accused Of Caving In“,”scope”:{“topStory”:{“index”:6,”title”:”Indian Government Starts ‘Fact Checking’ Social Media; Twitter Accused Of Caving In”,”image”:”×0.jpg”,”isHappeningNowArticle”:false,”date”:{“monthDayYear”:”Apr 11, 2023″,”hourMinute”:”05:47″,”amPm”:”am”,”isEDT”:true,”unformattedDate”:1681206473050},”uri”:””}},”id”:”d36qp0rmf6dk00″},{“textContent”:”

iOS 16.4.1—Update Now Warning Issued To All iPhone Users“,”scope”:{“topStory”:{“index”:7,”title”:”iOS 16.4.1—Update Now Warning Issued To All iPhone Users”,”image”:”×0.jpg?cropX1=0&cropX2=1116&cropY1=2&cropY2=630″,”isHappeningNowArticle”:false,”date”:{“monthDayYear”:”Apr 8, 2023″,”hourMinute”:”02:03″,”amPm”:”pm”,”isEDT”:true,”unformattedDate”:1680977005977},”uri”:””}},”id”:”4n6of0i41o2c00″}],”breakpoints”:[{“breakpoint”:”@media all and (max-width: 767px)”,”config”:{“enabled”:false}},{“breakpoint”:”@media all and (max-width: 768px)”,”config”:{“inView”:2,”slidesToScroll”:1}},{“breakpoint”:”@media all and (min-width: 1681px)”,”config”:{“inView”:6}}]};