BitDam Blog

How to Protect Yourself From The Lumin PDF Data Breach?
Roy Rashti
2 minutes & 3 seconds read · October 17, 2019

If you’re reading this, you’ve probably heard about the recent data breach from Lumin PDF, exposing sensitive information of millions. Keep reading to learn more about this breach and what actions you should take to protect yourself.

What’s Lumin PDF?

Lumin PDF is a cloud-based platform to view, edit and share PDF files. Lumin owes a portion of its success to Google, which offers Lumin as a third-party application for opening PDF files directly from Google Drive.

What happened?

Last month, a hacker published the details of over 24 million Lumin PDF users.

Unlike other breaches that find their way into the headlines, this one involved no zero-day exploit or sophisticated phishing attack. The hacker who published the database claimed that Lumin stored this information in an online MongoDB database that was not password-protected. This allowed any basic crawler to access the information.

The leaked information contained fields such as name, gender, hashed passwords and Google access tokens – a gold mine for hackers.

What exactly is a hashed password?

A hash is a function that uniquely maps a password into a value. Luckily, a well-defined hash function cannot be reversed: it would take an extensive amount of time and compute to get from a hash back to the original password.

What are the risks here? And how to protect?

  • The most sensitive data exposed in this breach were the hashed passwords and the access tokens. Although the leaked passwords were not the originals but rather the hashed values of those passwords, the risk is still high. Why? Attackers can use the hashed Lumin password to authenticate and access other services where the user uses the same password and the service applies the same hashing algorithm. This depends on how the application is implemented.

To protect yourself, it is highly recommended to use different passwords for different services. If you used your Lumin credentials elsewhere, you should change your password.

  • Lumin claims the leaked Google access tokens are expired. To avoid any uncertainty, you can revoke Lumin’s access to your Google account.
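The hashed-password risk described above, as an added example that is not part of the original post: an unsalted hash of a reused password is identical at every service that applies the same algorithm, while a per-user random salt with a slow key-derivation function yields a different stored value each time. The password, the function names and the choice of PBKDF2-HMAC-SHA256 are assumptions made for illustration; the post does not say which algorithm Lumin used.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample value, not taken from any breach data.
PASSWORD = "correct horse battery staple"


def unsalted_sha256(password: str) -> str:
    """Fast, unsalted hash: the same password gives the same digest everywhere."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> dict:
    """Store a password with a per-user random salt and a slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "alg": "pbkdf2_sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(password: str, record: dict) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def compare_services(password: str) -> dict:
    """Hash one password at two hypothetical services under each scheme."""
    unsalted_a, unsalted_b = unsalted_sha256(password), unsalted_sha256(password)
    salted_a, salted_b = hash_password(password), hash_password(password)
    return {
        # A digest leaked from service A equals the one stored at service B.
        "unsalted_identical": unsalted_a == unsalted_b,
        # Independent salts make the two stored values unrelated.
        "salted_identical": salted_a["hash"] == salted_b["hash"],
    }


if __name__ == "__main__":
    print(compare_services(PASSWORD))
    record = hash_password(PASSWORD)
    print("verifies:", verify_password(PASSWORD, record))
```

Salting only removes the cross-service match; a reused password is still exposed once any one service leaks it in recoverable form, which is why the advice to use different passwords stands.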


Keep in mind that most data leaks do not result from an unsecured database but follow a successful cyber attack. This typically involves a trojan or a credential-harvesting phishing website, most commonly delivered via email.

To ensure your data is protected, you should constantly test your security posture. There are some great online tools available. One of them, focusing on email breach and attack simulation, can be launched here.

Rotem Shemesh
4 minutes & 40 seconds read · September 23, 2019

The Ins and Outs of Securing Your Enterprise OneDrive

OneDrive’s 115 million monthly active users agree; the accessibility to all your work-related assets at any time from anywhere is an invaluable productivity boost.

However, with all their benefits, OneDrive and competing platforms are quickly becoming a breeding ground for vulnerabilities and attacks. Businesses tend to mistakenly assume that OneDrive, Box, Google, DropBox, and other enterprise-grade cloud sharing platforms are very safe. And although all those cloud services have top-notch, stringent cybersecurity checks and policies in place, they cannot cover all bases. In other words, their security is not bullet-proof.

The Irresistible Appeal of Cloud-based File-sharing Systems

The ability to work from anywhere, at any time, makes companies more global and connected than ever before. Forty-two percent of organizations believe that providing access to data at any time is the main driver for cloud adoption.

The Pros and Cons of Working from OneDrive

The advantages of using OneDrive in a business environment are pretty well known. To recap:

  • Easy organization: Employees can store any files (including documents, photos, and video) and access them from any device
  • Close collaboration: Multiple people can collaborate in real-time from anywhere in the world, at any given time
  • Synchronization: Files are automatically backed up and synchronized on any device
  • Integration with office tools: OneDrive easily integrates with the entire enterprise technology stack
  • Policy enforcement: Having everything on a single platform enables centralized management and policy enforcement
  • Data governance: Data is stored and managed from a centralized platform
  • Visibility: Storage management is easy, with full visibility into what is going on


Despite the many pros, the ability of enterprises to keep their files safe in a cloud storage platform such as OneDrive is often questioned. According to Cloud Security Alliance, over 50% of IT and security professionals believe cloud storage is the riskiest cloud app category. Most commonly voiced concerns include:

  • External sharing: OneDrive for Business has the built-in functionality of sharing documents, folders, and other content with external users. If sharing with external users is enabled, an organization’s security team loses control over what shared files contain, exposing the enterprise to potential attacks.
  • User error: Cloud sharing platforms remain the number one targeted platform for hackers, and user error in global security settings can easily lead to a breach.
  • Violation of trust: According to Verizon, 28% of security attacks involved individuals with authorized access to company data. Cloud sharing makes insider threat ever more dangerous since the whole point of those platforms is ease of access to enterprise assets and resources.


But there is plenty to be done to make your OneDrive more secure.

How to Secure your OneDrive

Step 1: Cover the Basics

In cybersecurity, the most trivial and “obvious” measures often prove themselves to be the most effective. As a matter of policy, ensure that everyone in your organization:

  1. Creates a unique and robust password.
  2. Enables two-factor authentication (2FA), preferably with the use of a secure factor such as biometrics.
  3. Adds additional security and recovery info to their Microsoft account: users can add password recovery and security information, such as a phone number, an alternate email address, and a security question. That way, if the user’s account ever gets hacked, Microsoft can use the security info to verify the user’s identity and help resolve the issue.

Step 2: Carry out Frequent Breach and Attack Simulations

Breach and attack simulations (BAS) take the saying “if you want to stop a hacker, think like a hacker” to the next level. BAS goes beyond pentesting and threat hunting. By automatically and continuously simulating attacks on an enterprise, IT teams can catch misconfigurations, errors, and security holes that would otherwise be missed.

The new generation of BAS tools makes it possible to continuously test your security posture in a fully automated and systematic way, ensuring that a real hacker doesn’t catch you off guard.

Step 3: Invest in a Content-Centric Cybersecurity Tool

To ensure that anything that is shared through your enterprise’s OneDrive is safe for your users to click, it is imperative to have a security tool built specifically for that purpose.

Most security tools are only capable of catching known exploits and vulnerabilities, and are only able to intercept an attack when it is already well underway. In addition, these tools typically offer a limited ability to guard against Zero Day exploits and unknown threats.

To protect the enterprise in the hyper-connected cloud world, security experts need tools capable of proactively detecting attacks. The approach should be pre-delivery, not post-exploit. Preventing exploits, ransomware, spear-phishing, and Zero Day attacks contained in files and URLs before they reach the end-user is the only way to keep enterprise environments secure.

Stay Safe in the Cloud

As organizations increasingly rely on OneDrive and other cloud sharing platforms, the possible attack surface widens. As content-borne attack vectors proliferate, organizations need a holistic solution capable of guarding their assets in the cloud against advanced cloud-based threats.

BitDam’s solution was built to detect advanced content-borne attacks and therefore provide remarkably higher protection for cloud-based sharing platforms. Based on an advanced application whitelisting technology, and requiring no configuration, BitDam determines whether a given file or web link is safe to click, regardless of the specific malware it may contain. As such, it does not require security updates, feeds, reputation, or intelligence services in order to detect never-seen-before attacks.

Start a free BitDam trial for OneDrive!

How to Set Up a Breach and Attack Simulation
Roy Rashti
4 minutes & 2 seconds read · September 12, 2019

How easy is it for a threat actor to get into your network? Well, many IT security pros will have to reluctantly admit that they don’t really know how well their security is actually working.

Until recently, enterprise security teams had limited tools for assessing the potential damage of a cyberattack. Even with regular pentesting, vulnerability assessments, security audits, red team testing, and threat hunting, it isn’t always possible to get an ongoing and comprehensive picture of your organization’s overall security posture. That’s why the new generation of security tools, incorporating Breach and Attack Simulation (BAS) technology, was developed.

BAS technology tests a network’s cyber defenses by simulating cyber attacks. It deploys hacker breach methods and tactics in a business context, eliminating guesswork from a network’s cybersecurity defenses. BAS solutions are fully automated and ensure that cybersecurity controls are working as expected by continually monitoring networks and systems.

What are the Advantages of BAS?

Modern enterprise networks are complicated. While manual penetration testing and threat assessments have their place, an automated BAS that looks at your network from the hacker perspective is invaluable in assessing the effectiveness of an organization’s security posture.

By simulating a real attack on a network and deploying threat actor tactics to breach an organization’s defenses, BAS technology continually monitors and tests the robustness of security controls. It doesn’t sleep, rest or stop, unlike other security testing methods and threat assessment techniques that typically rely on manual methods, and are deployed to identify vulnerabilities in a specific timeframe. BAS, on the other hand, continuously highlights critical exposures in a network, ensuring zero time-lapses between testing.

Cyber attack simulation can provide actionable and prioritized remediation to address any identified weaknesses. By having a clear set of priorities, your security team can patch the critical vulnerabilities first, before moving on to lower priority maintenance issues.

Enter BitDam’s Email-Centric Breach and Attack Simulation

What if there was a BAS tool that could help you assess how vulnerable your organization is to email cyberattacks and have a centralized dashboard that helps you gain full visibility into your results? Moreover, what if it was capable of identifying the most sophisticated and camouflaged attacks that bypass most other security solutions?

  • BitDam Breach & Attack Simulation identifies the most sophisticated attacks that are out there, including the ones that might show up next
  • BitDam’s dashboard helps users gain visibility into the Breach & Attack Simulation results within a few minutes of signing in
  • View the current level of email protection, the types of cyberattacks to which you are vulnerable, and the type of threats that you are protected from
  • BitDam’s BAS tool is easy and fast to set up; it only needs a single email address to successfully run an attack simulation on an entire organization
  • And the best part? BitDam’s Breach & Attack Simulation is a free tool that offers the most advanced email malware simulation IP across the industry

How to Set Up BitDam’s BAS Tool

BitDam’s BAS tool is easy to set up in just a few simple steps.


  1. Pick an email address that you would like to simulate an attack on.
  2. Configure the forwarding rule in your inbox from the configuration screen.
  3. Hit the ‘Play’ button, and the BAS tool will start working.
  4. The attack simulation tool will send out emails containing malicious attachments from different attack categories and risk levels, including:
      • Sandbox evasion techniques: malware that recognizes when it is running inside a sandbox and does not execute its malicious code until it is outside the controlled environment
      • Formula injection: untrusted input embedded in a CSV file, so that the malicious code executes when the user opens the file
      • Obfuscation techniques: techniques that try to obscure the presence of malware in the system by making binary and textual data unreadable or hard to understand
      • Process launch: attacks that base their initial malicious execution on launching processes outside the application space
  5. Once the simulation is complete, a short overview of your security posture will be given, along with the option to view the dashboard, where you can access a more detailed report.
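Of the attack categories listed above, formula injection can be handled where CSV files are produced and where they are received. The following added example (not BitDam's code and not part of the original post) neutralizes formula-like cells on export and flags them in an inbound file; the trigger characters follow OWASP's CSV injection guidance, while the function names, the sample rows and the conservative handling of leading spaces are assumptions.

```python
import csv
import io
import re

# Characters that make a spreadsheet application treat a cell as a formula
# (per OWASP's CSV injection guidance): = + - @, plus tab and carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Plain signed numbers such as "-5" or "+3.2" are data, not formulas.
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")

# Constructed sample rows with benign formulas standing in for untrusted input.
SAMPLE_ROWS = [
    ["name", "note", "balance"],
    ["alice", "=SUM(1,1)", "-5"],
    ["bob", "@SUM(1,1)", "+1+1"],
    ["carol", "ordinary text", "12.50"],
]


def is_formula_like(text: str) -> bool:
    """True if a spreadsheet could interpret the cell as a formula."""
    # Assumption: ignore leading spaces so a padded trigger is still caught.
    candidate = text.lstrip(" ")
    if not candidate or PLAIN_NUMBER.fullmatch(candidate):
        return False
    return candidate[0] in FORMULA_TRIGGERS


def neutralize_cell(value) -> str:
    """Prefix formula-like cells with a single quote so they render as text."""
    text = "" if value is None else str(value)
    return "'" + text if is_formula_like(text) else text


def write_csv(rows, neutralize: bool = True) -> str:
    """Serialize rows with every field quoted; optionally neutralize cells."""
    buffer = io.StringIO()
    writer = csv.writer(buffer, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        cells = [neutralize_cell(c) if neutralize else str(c) for c in row]
        writer.writerow(cells)
    return buffer.getvalue()


def find_formula_cells(csv_text: str) -> list:
    """Scan an inbound CSV and return (row, column, value) for risky cells."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula_like(cell):
                hits.append((r, c, cell))
    return hits


if __name__ == "__main__":
    raw = write_csv(SAMPLE_ROWS, neutralize=False)
    print("flagged in raw export:", find_formula_cells(raw))
    safe = write_csv(SAMPLE_ROWS)
    print("flagged after neutralizing:", find_formula_cells(safe))
    print(safe)
```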

How BitDam’s Email-Centric BAS Tool Can Help

Malware and attack methods are constantly evolving, and it is extremely difficult for security teams to ensure ongoing protection. That’s why having a BAS tool that simulates attacks automatically and evaluates security gaps quickly and continuously, is invaluable.

BitDam changes the way cybersecurity solutions operate. BitDam’s Email-Centric Breach & Attack Simulation lets you assess your vulnerability to email-based cyber attacks. The tool features easy, fast deployment with no need to modify existing processes, policies, or rules, and provides full visibility and actionable information on a centralized, easy-to-read dashboard.

Try it now for free!

Roy Rashti
6 minutes & 24 seconds read · August 21, 2019

5 Ways to Prevent Ransomware Attacks on Your Enterprise

The notorious WannaCry outbreak that affected over 200,000 endpoints across 150 countries in 2017 was the first time that a ransomware attack made international news. But it wasn’t the last.

Ransomware attacks have increased by over 97% over the past two years alone. New, sophisticated strains of ransomware are released on an ongoing basis.

With the number of new variants increasing by 46% this year, it is safe to say that ransomware attacks are not going to slow down any time soon.

Types of Ransomware

Ransomware remains a top threat for enterprise security. The 2019 Verizon Data Breach Investigations Report (DBIR) ranked ransomware as one of the most prevalent threats of last year with over 24% of malware exhibiting ransomware functionality.

Just like any other form of malicious software, ransomware comes in many shapes and sizes.

  1. Crypto malware: The most popular form of ransomware that encrypts the victim’s data and requires a ransom payment to release the decryption key. WannaCry is an example of this ransomware type.
  2. Crypto Lockers: This type of ransomware works by infecting an endpoint at the operating system level to completely lock the victim out, making it impossible to access any of the files or applications on an infected machine.
  3. Scareware: Software that relies on scare tactics to trick users into payment by pretending to be a legitimate antivirus tool.
  4. Doxware: Commonly referred to as leakware, this is a ransomware version of blackmail that threatens to publish private information online if the victims don’t pay up. Many users panic and pay the ransom when they suspect that their files have been hijacked.
  5. RaaS: Otherwise known as “Ransomware as a Service,” RaaS is a subscription-based model. Under this service, cyber criminals provide a full-service malicious kit capable of launching a ransomware attack to novice hackers in exchange for a fee. RaaS packages are widely available on the dark web and on hacker forums.

The Main Effects Ransom Attacks Can Have on your Enterprise

The severity of ransomware attacks differs; however, these attacks can have wide-ranging and devastating effects, such as:


  • Lost or damaged data: Since data is a key enterprise asset, data loss can have wide-reaching effects; from temporary disruption to permanent business failure. Only 26% of US companies that paid ransomware attackers had their files unlocked, so biting the bullet and paying the ransom is not advised.
  • Downtime: Downtime affects businesses regardless of sector or size, but the cost of restricted system access can be especially severe for an enterprise. According to an IHS study, outages cost enterprises $700 billion a year. With 34% of businesses hit with malware taking over a week to resume operations, downtime caused by ransomware can result in millions of dollars in lost revenue as well as a decrease in consumer trust.
  • Financial loss: According to Sentinel One, the average estimated business cost of a ransomware attack (including ransom, work-loss, and time spent responding) is over $900,000. To add insult to injury, in the aftermath of an attack enterprises are often forced to pay hefty fees for forensic consultants and lawyers to ensure that their networks are now secure and claims against the organization for the loss of private data are properly handled.
  • Reputation: Cyber attacks can severely damage your business’ reputation. And let’s face it, in business, reputation is everything. If your business suffers from a ransomware attack and your customers feel the effects of downtime, or if you lose your customers’ data as a result, your organization is unlikely to escape unscathed.

Preventing Ransomware Attacks

Here are our five tips to prevent ransomware attacks:

1. Have a Backup and Recovery Plan

The importance of regular backups for organizations of all sizes cannot be overestimated, and when it comes to ransom attacks, backups are still the best remedy. With the exponential increase in enterprise data volumes, losing valuable data can easily end up costing millions of dollars in damage. For that reason, enterprise-grade backup and recovery solutions powered by Artificial Intelligence (AI) are becoming increasingly popular, as they help security teams to identify cyberattacks, predict system failure, and automate backup and recovery processes.

An alarming 73% of businesses are not ready to respond to a cyberattack. While backups won’t stop ransomware attacks from happening, they will make the aftermath significantly less painful for your organization. However, the major drawback is that having backups still won’t help you to completely avoid downtime and some data loss is inevitable.

2. Timely Patching and Updates

Patching has become something of a truism in cyber security. And yet, about 3/4 of organizations still dedicate inadequate resources to updating their systems, significantly increasing ransomware risk. To prevent content-borne attacks, such as ransomware, make sure that all your enterprise apps, including email software, are patched and updated frequently.

Crucially, keep your entire IT stack up to date. Timely updates and regular patching can significantly lessen the possibility of ransomware wreaking havoc on your data.

Running old software that is no longer supported by vendors means there are no longer patches available. Despite the fact that we should know better, a tremendous number of enterprise endpoints still run on outdated OS versions, such as Windows 7, Windows 2008 and Windows Mobile. These systems are vulnerable, particularly because they can’t be patched against critical vulnerabilities. And that is one of the reasons why the WannaCry outbreak is still with us; research estimates that 145,000 devices worldwide continue to be infected.

3. Train your Employees

No one is immune to a well-executed social engineering attack. But training your employees to recognize schemes such as phishing emails and fake websites that are filled with malware links, is an important piece of the puzzle in preventing ransomware attacks from succeeding.

As threat actors constantly update their tactics and find new and innovative ways to trick even the savviest of users into clicking on malicious links to initiate content-borne attacks, it is important to stay up to date on the latest developments in the field.

4. Install Threat Detection Tools

Implementing a threat detection tool can significantly decrease the chances of ransom attacks. Ransomware attacks don’t happen in an instant; once threat actors infiltrate an organization, they move laterally through the network or lie in wait and collect data until they are ready to strike. Detecting threats early, preferably before they reach the endpoint, can save a lot of headaches down the road.

Enterprise-grade threat detection tools ensure that your security posture is proactive rather than reactive in protecting your networks. In addition, advanced threat protection technology doesn’t rely on trends or past attacks to detect them but identifies attacks as they continue to evolve.

5. Use Email Security Tools

Phishing remains the main ransomware delivery method, with nearly 60% of these attacks still delivered through email and content-borne attacks. Enterprise ransomware protection is unthinkable without a sophisticated email security tool that is up to the task.

It is important to monitor all emails for content-borne attacks with an advanced security tool, but you should still be wary of any email attachments, especially those that require the user to enable macros.

It is estimated that 2-4% of all emails contain some type of malware, so even with the best security tools in place, it is important to stay vigilant. Spam email campaigns and social engineering through email remain a common method for attackers to use. Do not click on unfamiliar links and emails that might contain malicious links and attachments.

Ransomware is Here to Stay

Ransomware is not going anywhere. If anything, it becomes smarter and more devastating as time goes by. The overall cost can be huge; for example, the cost of the ransomware attack on Norsk Hydro has reached $75m (and counting).

Faced with an evolving threat landscape, businesses need an updated approach instead of doing more of the same.


Best Practices for Detecting and Preventing Email-borne Malware in Your Enterprise
Rotem Shemesh
4 minutes & 7 seconds read · August 15, 2019

Email is ubiquitous. There isn’t a home office or global enterprise that doesn’t use multiple email addresses. For hackers, this deluge of emails is a treasure trove. Each one is a potential (and easy) entry point for mischief, which is why 92% of malware attacks gain entry through email.

Malware attacks can inflict severe damage; from sensitive customer or company data being publicly released and put up for sale, to hackers stealing other valuable proprietary digital assets. Any serious loss of data or interruption of service can stop operations cold.

One calculation has estimated the direct cost of a malware attack is $157 per user, and yet the toll due to loss of goodwill and trust within an organization can be even costlier. Upping your game by understanding current best practices for email-borne malware detection and prevention is key to protecting your organization.

Email-Borne Malware Attacks Come in Many Guises

As the variety of email attack options increase, so does their frequency and sophistication. The challenge for enterprises to defend against these content-borne attacks only grows more difficult. Your defense begins by understanding how to detect what email-borne malware looks like.

Emotive subject lines. If it sounds too Buzzfeed-y (“You’ll Never Guess What Happened Next?!!”) or intimidating (“Invoice Past Due”), it can be a bad actor motivating clicks by raising emotions. Once the email is opened, it unleashes a whole new world of malware risks with the goal of taking your sensitive information.

Unexpected or unknown sender address. Emails from domains you don’t recognize or that don’t make sense (would the IRS really email you?) are red flags.

Suspicious links within emails. Hackers often embed links that download malware or open up a malicious website. These tactics create an opening for the hacker to capture sensitive data or install small programs that can steal information for as long as they remain undetected. If the link has been shortened or is basically gibberish, it’s suspicious.

Malicious attachments. Email attachments function like suspicious links; they’re just a different delivery system. It’s important to remember that it’s not just .exe files you need to be aware of: file extensions can seem innocuous enough, like .docx or .pdf. Malicious attachments are popular because they minimize the steps needed to give the hacker entry to your machine or network. A malware attack using a suspicious link often requires you to take action on the malicious website before the attack succeeds. A malicious attachment cuts out that step.

Information verification requests. As Angel Grant, Director of Identity, Fraud and Risk Intelligence at RSA Security comments, “data has really become the new currency.” There’s a bustling market for stolen personal and corporate data; any email that’s asking readers to confirm, review, or provide information should be treated with suspicion.

Instead of leaving it for the end-user to decide, the goal of your enterprise should be to keep these emails from ever reaching the inbox. That’s where the systems-grade defense comes in.

4 Best Practices for Preventing Email Malware Delivery

The following are best practices your IT department can implement to reduce the risk of email malware getting to the inboxes of employees.

  1. Stay current with all security updates and patches. The flow of OS and software version updates never ends, and neither does the flow of security updates and patches. Set processes to regularly check for updates and install them as soon as they become available.
  2. Implement a breach and attack simulation (BAS) tool on your network. BAS tools go beyond penetration testing and vulnerability assessments. They continuously simulate attacks so you can see what kinds of cyberattacks would be successful and the scope of damage they might do. Here is an example of a BAS tool that you can try.
  3. Set up IP and email address blacklists and whitelists. A blacklist blocks emails from certain domains or IP addresses, while a whitelist holds addresses that your network can trust.
  4. Take advantage of available protection, remediation, and endpoint protocols. Develop a process of protocols that includes regular installation and updates for all of your software, not just antivirus programs. Avivah Litan, Vice President and Distinguished Analyst at Gartner Research sets out a concise checklist of these protocols here. Litan explains, “The bad guys are much less likely to get through multiple layers and their chances of success decrease proportionately to the number of layers that an organization deploys.”

Smooth and Seamless Email Security

When your organization develops formal plans based on best practices to detect and prevent email-borne malware, you’re going a long way to address known, detectable cybersecurity threats. But what about those threats that aren’t yet known?

New Cloud-based Advanced Threat Protection (ATP) tools are available to block both known and unknown threats contained in any type of file or URL, protecting your email, cloud drive, and messaging apps. Platforms such as BitDam integrate with your security infrastructure, delivering robust and advanced protection while running quietly in the background and not disturbing the workflow in an organization.

Risks and Rewards in Breach and Attack Simulations
Maor Hizkiev
3 minutes & 47 seconds read · August 13, 2019

According to the OTA 2018 Cyber Incident and Breach Trends Report, 2018 saw a 126% increase in the amount of sensitive personally identifiable information (PII) exposed by breach attacks. The report specifies that 95% of these attacks could have been prevented.

Nowadays, the question is not if company assets will be attacked, but rather whether, when attacked, the company can maintain its integrity. Therefore, frequent cyber security testing is mandatory for compliance with the internationally recognised ISF standards of good practice. In addition, hackers are constantly improving their attack methods, so you need up-to-date security. By running frequent cyber security tests, you can find and fix vulnerabilities before hackers can exploit them.

What is a Breach and Attack Simulation (BAS)

BAS technology tests a network’s cyber defenses by simulating cyber attacks, thereby continuously exposing vulnerabilities and uncovering misconfigurations. BAS is fully automated, so you can safely assess your cyber defenses continuously, in a real production environment.

BAS technology:

  • Uses real attack methods: It emulates a hacker’s thinking, and uses attack methods used by real hackers.
  • Is continuous: Hackers are tenacious, and run continuous, automated attacks. BAS does the same.
  • Is safe: In order to work, attack simulations run in real production environments, but your data and sensitive information stay safe and unharmed throughout the entire process.

Why BAS?

One significant advantage of BAS is its ability to provide continuous testing at limited risk, without harming your environment, and to do that automatically. Pentesting, on the other hand, involves a high degree of human touch, which needs to be repeated each time.

BAS tools are also cheaper to use and more efficient than training an in-house team or outsourcing one. In addition, BAS can run hundreds of tests a day and simulates attacks from different network segments, and across multiple attack vectors.

BAS software is being constantly improved and upgraded, so it can simulate attacks on new vulnerabilities, new attack patterns, and new malicious files. It exposes vulnerabilities in your IT infrastructure, systems, software and processes, and gives easy to read results so you can see where your defenses are weak, and understand how to make them stronger.

The Risks and Rewards of BAS

BAS has many advantages over traditional pentest methods, but it’s not perfect.

Rewards of BAS:

  • Exposing weak spots: BAS technology simulates attacks on every file, every user, every bit of information on your network, to find and expose vulnerabilities other technologies can’t.
  • Endpoint testing: BAS provides sophisticated endpoint testing, to find known and unknown vulnerabilities and protect against advanced zero-day and N-day attacks.
  • Finding invisible malware: Invisible malware is a new breed of threat, which doesn’t exist in any file on your network. It may be resident in memory or in the BIOS (basic input/output system). BAS software exposes this potential threat to your network.
  • Knowing your enemy: BAS lets you look at your network and apps from the hacker’s point of view, so you can understand your vulnerabilities and strengthen your defenses. It also helps you learn how hackers exploit technologies and find new ways into your network.

Risks of BAS:

  • BAS finds vulnerabilities, but it doesn’t fix them: BAS is designed to expose vulnerabilities, not fix them. If vulnerabilities aren’t fixed or users and security teams aren’t trained to react properly when a breach occurs, your network and apps are still vulnerable.
  • BAS might sometimes be mistaken for a real attack: Since BAS runs in a real-world environment, the network being tested may think it’s really under attack, and react by shutting down all or part of its operations or blocking users. You need to make sure that you’re using reliable BAS software that runs invisibly, without disrupting your network operations.
  • BAS is cheaper than other methods, but it’s not free: BAS costs less, is less risky and more effective than outsourcing to “white hat” hackers or running in-house penetration testing, but you still need to pay for the technology, and have someone to monitor the tests and then prioritize and fix the vulnerabilities.

How BitDam’s Email-Centric BAS Tool Can Help

BitDam changes the way cyber security solutions and BAS operate:

  • Seamless application: Using BitDam’s BAS tool is a matter of a few clicks. It features easy, fast deployment, with no need to modify existing processes, policies, or rules.
  • Visibility and actionable information: BitDam’s Email-Centric Breach & Attack Simulation lets you assess your vulnerability to email-based cyber attacks. Results are displayed on an easy-to-read dashboard within minutes of starting the simulation.


Contact us to schedule a demo or click here to use our free online SOC tools.

G-Suite Security Checklist: Are you Protected?
Maor hizkiev
5 minutes & 17 seconds read · August 5, 2019

G-Suite Security Checklist: Are you Protected?

When it comes to enterprise attack vectors, email is still king.

Your employees are receiving, opening, and forwarding hundreds of emails a day, making emails an attractive vehicle for threat actors of all kinds. According to Verizon, an astounding 96% of attacks are still delivered via email.

Email threats might not be new or exciting, but all organizations, regardless of size, should be shifting email security to their highest priority.

The Era of Perimeter-based Security is Passé

Despite the prevalence of email attacks, enterprises often lack the proper safeguards when it comes to email security. It is not uncommon for organizations to rely on perimeter-based security, focusing on firewalls and intrusion detection to protect them from hackers. Unfortunately, this is not enough; research shows that secure email gateways (SEGs) consistently fail to protect against phishing attacks and 76% of infosec professionals claim their organizations experienced them in 2017.

In some cases, organizations don’t have any protection for their email at all, and only start taking preventative measures post-breach. Even for a large enterprise, the cost of a breach can be fatal. In 2018 alone, there were over 2 million cyber incidents that created a whopping $45 billion in losses, a number high enough to exceed the GDP of several European countries.

Cloud-based Emails Opened up the Floodgates

G-Suite has taken the enterprise world by storm; its convenience, availability and simplicity make it irresistible to businesses and private users. However, despite the significant efforts to raise awareness of cybersecurity threats, employees are often still not savvy enough to check links and attachments before clicking.

The growing sophistication of attacks, combined with the increased use of cloud-based email services, means that enterprises need to step up their email security efforts.

The Three Levels of Cloud-based Email Security

Broadly speaking, there are three layers of cloud-based email security that an organization can opt for to protect their corporate emails.

Level 1: Basic Security

These are the security measures that come built-in with an email platform. G-Suite has some level of security protection out-of-the-box.

Organizations’ email admins can set up custom rules for the appropriate actions based on the type of threat that is detected. For example, they can move all suspicious emails directly to the spam filter (i.e., an email service feature designed to block spam from a user’s inbox) or opt for leaving such emails in the inbox with a warning.

As a result, the organization is aware of every problematic email, but the users will still receive or see potentially harmful emails, ultimately leaving security in the hands of the end-users.

Level 2: Middle-level Security

At this level, the organization can identify unauthenticated emails potentially spoofing their domain and choose to quarantine or delete such messages using the three pillars of email authentication: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC):

  • SPF is an email validation protocol that detects and restricts unauthorized emails sent in the name of your domain.
  • DKIM is used to create a cryptographic signature that ensures the content of emails remains trusted and hasn’t been tampered with.
  • DMARC is an added authentication method that uses both SPF and DKIM to verify whether or not an email was sent by the owner of the domain that the user sees.

Level 3: Highest Level of Security

At this level, organizations are able to approach the cloud email security in a much more comprehensive manner by adding the ability to conduct advanced threat protection, such as:

  • Protection against suspicious attachments: Identify attachments from untrusted senders or uncommon to the domain. Organizations can also identify emails with unusual attachment types and choose to automatically display a warning banner, send them to spam, or quarantine the messages.
  • Scan links and external images: Admins control how warnings work in Gmail when a person clicks on a link to an untrusted domain.
  • Spoofing and authentication: This is an added protection against domain spoofing based on similar domain names.

Why Out-of-the-box Email Protection is Not Enough

As things stand, there are serious issues with even the highest level of protection offered by cloud-based email service providers. These include:

Choosing “rules” in advance: This approach leaves a higher chance of error if there’s an element the admins haven’t considered. As a result, a malicious email will look “legit” to the system, as it is indeed “legit” according to the rules set. This can lead to phishing and malicious emails getting through; if there’s a configuration, there is a chance that mistakes will be made.

Vulnerable to Account Takeover (ATO): Hackers can bypass even the highest levels of security by using an ATO attack. By sending an email from an ostensibly trusted source such as a colleague, a supplier or a client, a hacker can override any rules set. This is a common way of spreading malware that bypasses the mechanisms of SPF/DMARC, since the protections can’t identify such emails as malicious. Usually, after ATO, the attacker replies to an existing thread with a malicious attachment, making the email appear completely legitimate.

Only protect against known or similar threats: Such measures only protect against already encountered and known threats. Since the threat landscape is always evolving, organizations need a system in place that will detect brand-new threats that do not meet pre-set criteria.
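The DMARC check described under Level 2 and the account-takeover limitation described above, as an added Python example that is not part of the original post: it reads the Authentication-Results header a receiving server stamps on a message and applies DMARC's alignment rule. The messages, domains and the two-label organizational-domain shortcut are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain):
    """Approximate the organizational domain as the last two labels.

    Assumption for this example: real DMARC implementations consult the
    Public Suffix List, so this shortcut is wrong for suffixes like co.uk.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(header):
    """Parse an Authentication-Results value into {method: [(result, props)]}."""
    results = {}
    for clause in header.split(";")[1:]:  # element 0 is the authserv-id
        clause = clause.strip()
        method = re.match(r"([\w-]+)=(\w+)", clause)
        if method:
            props = dict(re.findall(r"([\w-]+\.[\w-]+)=(\S+)", clause))
            results.setdefault(method.group(1).lower(), []).append(
                (method.group(2).lower(), props))
    return results


def dmarc_verdict(raw_message):
    """Apply DMARC's rule: SPF or DKIM must pass AND align with the From domain."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2]
    # Only the header stamped by your own receiving server is trustworthy;
    # this example assumes forged copies were stripped at the border.
    auth = parse_auth_results(msg["Authentication-Results"] or "")

    def aligned(method, prop):
        for result, props in auth.get(method, []):
            domain = props.get(prop, "").rpartition("@")[2]
            if (result == "pass" and from_domain and domain
                    and org_domain(domain) == org_domain(from_domain)):
                return True
        return False

    spf_ok = aligned("spf", "smtp.mailfrom")
    dkim_ok = aligned("dkim", "header.d")
    return {"from_domain": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


def make_message(sender, spf, dkim):
    """Build a constructed message with a folded Authentication-Results header."""
    return ("Authentication-Results: mx.example.org;\n"
            f" spf={spf};\n dkim={dkim}\n"
            f"From: {sender}\nSubject: Invoice\n\nPlease see attached.\n")


# Constructed samples (not real traffic).
SAMPLES = {
    # SPF and DKIM pass for the sender's own domain, but the visible From is yours.
    "spoofed": make_message("CEO <ceo@example.com>",
                            "pass smtp.mailfrom=bounce@bulk-sender.test",
                            "pass header.d=bulk-sender.test"),
    # Normal mail sent through the domain's own infrastructure.
    "legitimate": make_message("Billing <billing@example.com>",
                               "pass smtp.mailfrom=bounces.example.com",
                               "pass header.d=example.com"),
    # Forwarding breaks SPF, but the aligned DKIM signature survives.
    "forwarded": make_message("News <news@example.net>",
                              "fail smtp.mailfrom=example.net",
                              "pass header.d=mail.example.net"),
    # Sent from a real supplier mailbox after account takeover: every check
    # passes, because authentication proves the domain, not who is typing.
    "account_takeover": make_message("Alice <alice@supplier.test>",
                                     "pass smtp.mailfrom=supplier.test",
                                     "pass header.d=supplier.test"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:17} {dmarc_verdict(raw)}")
```

The spoofed message fails even though both SPF and DKIM pass, while the account-takeover message is indistinguishable from legitimate mail at this layer, which is why content inspection is needed on top of authentication.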

The Need for Comprehensive Email Security

Methods that were effective yesterday are simply no longer relevant today. For example, detecting attacks based on metadata and external features is something that used to be effective, but can easily be bypassed today.

As the threat landscape continues to evolve, organizations need comprehensive tools to protect against known threats, but even more so against the unknown ones. Rule-based security can be easily bypassed by a novel threat that you didn’t know existed, and therefore didn’t set up rules against. The standard measures deployed by cloud-email providers are not robust enough to withstand the onslaught of sophisticated threat actors. This is where BitDam comes in.

The BitDam cloud-based Advanced Threat Protection (ATP) blocks both known and unknown threats contained in any type of file or URL, protecting your Email, Cloud Drive, and Instant Messaging. The platform offers the highest detection rates of advanced attacks from within the communication stream, with no configuration, updates or patches needed. In addition, BitDam sits on top of your existing systems with no changes necessary to the existing security infrastructure.

Top 14 Cyber Security Influencers to Follow
Rotem Shemesh
7 minutes & 12 seconds read · July 29, 2019

Top 14 Cyber Security Influencers to Follow

When it comes to cyber security, the only constant is change. Both the number and the sophistication of cyberattacks are growing across the board, and the security industry is quickly evolving to address these challenges with innovative solutions.

Email remains a major vector for cyberattacks of all kinds with content-borne attacks being very common, while email security is a fast-moving field. Knowing the right thought leaders to follow is crucial to staying current on the latest trends and developments. Check out our list of top 14 cyber security influencers to follow on Twitter, LinkedIn and conferences and never miss out on an important update again.

1. Jeremiah Grossman 

Followers: 60K

Posting Frequency: 1-2 a day

Favorite topics: Ransomware, Cyber attacks, Ethical Hacking

Jeremiah is the CEO of Bit Discovery and a founder of WhiteHat Security, the biggest ethical hacker collective on the planet. Jeremiah amassed a number of industry awards and recognition from companies like Microsoft, Mozilla, Google and Facebook for uncovering critical vulnerabilities and security flaws in their systems. He is one of the world’s top experts when it comes to ethical hacking, and releases a lot of educational content on hacking and security.

Over the span of his career, Jeremiah has discovered new ways to sidestep corporate firewalls, abuse online advertising networks to take any website offline, hijack email and bank accounts, and many other innovative cyberattack techniques. Thank god, he is one of the good guys!

2. Mikko Hypponen

Followers: 194K

Posting Frequency: 1-2 a day

Favorite topics: IoT, Viruses, Retro Technology

Mikko is a global security expert. He has worked at F-Secure since 1991, and his research and articles have been published in the New York Times, Wired, and Scientific American. A frequent guest on international TV, Mikko has lectured at the universities of Stanford, Oxford and Cambridge. He frequently tweets and talks about old-time technology from decades ago, the latest developments of today, and how the two connect to create the current complex landscape.

3. Andy Ellis

Followers: 19K

Posting Frequency: Daily

Favorite topics: Authentication, Cloud, Crypto, Malware

Andy Ellis is Akamai’s CSO on a mission of “making the internet suck less.”  A heavy Twitter user, Andy tweets about pretty much everything, from personal pet peeves to the latest updates on email security: “The real problem of links is that, for all intents and purposes, email clients are the trusted core of enterprises, and accept unsanitized inputs from just about anyone.”

4. Omar Santos

Followers: 10.5K

Posting Frequency: 1-2 a day

Favorite topics: Vulnerability research, Threat intelligence

Omar is an active member of the ethical hacking community who has amassed over 7,000 references on GitHub related to ethical hacking, penetration testing, digital forensics and incident response (DFIR), vulnerability research, and more. Omar releases a lot of educational content, including online courses on hacking and cybersecurity, and tweets frequently on the latest bugs, malware and vulnerabilities.

5. Troels Oerting 

Followers: 6K

Posting Frequency: 1-2 a day

Favorite topics: Privacy, Security

Troels is Head of the Centre for Cybersecurity at the World Economic Forum, with an extensive background in policy and a long career fighting cybercrime as Head of European Cybercrime Centre and Acting Head of the Counter Terrorist and Financial Intelligence Centre at Europol. His tweets are focused on macro trends and societal impact of technology on everyday life. By following him you will always stay up to date on the latest developments in cyber crime.

6. Joseph Blankenship

Followers: 1.5K

Posting Frequency: Daily

Favorite topics: Trends, Industry Research

Joseph is a leading research analyst at Forrester focusing on security infrastructure and operations, AI for cybersecurity, email security, distributed denial of service (DDoS), and network security. Joseph has over 12 years of hands-on industry experience including product marketing roles at Solutionary (NTT Security), McAfee (Intel Security), Vigilar, and IBM. He frequently tweets about the latest research, findings and developments in cybersecurity.

7. Mike Rothman

Followers: 9.7K

Posting Frequency: 1-2 a week

Favorite topics: Cloud Security, DevSecOps 

Mike specializes in cornerstone aspects of security, such as protecting networks and endpoints, security management, and compliance. He is a sought out speaker and the author of the highly regarded, “The Pragmatic CSO” book that you should definitely add to your reading list. His tweets focus on cloud security and DevSecOps, and he frequently talks about the way enterprises can achieve security maturity in the cloud.

8. Dr. Magda Chelly

Followers: 8K

Posting Frequency: 2-3 a day

Favorite topics: Cybersecurity, Privacy, Risk Management

Magda Lilia Chelly is a “CISO on demand” for a wide array of companies, from medium size enterprises to top Fortune 500 companies. Magda is passionate about human interaction with technology, diversity and cultural impacts on privacy and security controls.

Magda frequently tweets on women in security, diversity and inclusion, as well as the latest developments on the cyberfront and retweets interesting posts by other pros in the field.

9. Shira Rubinoff

Followers: 51K

Posting Frequency: Daily

Favorite topics: Blockchain, Cyber, Social Media, Human Factors of Cybersecurity

Shira is a world-renowned cybersecurity expert specializing in the human factors of information technology and security. A seasoned keynote speaker, influencer and serial entrepreneur, Shira holds several patents in areas related to the application of psychology in cybersecurity. Follow her for the latest updates on how humans fit into the cybersecurity puzzle.

10.  Raj Samani 

Followers: 9.6K

Posting Frequency: Daily

Favorite topics: Cybercrime, Malware

Raj Samani is Chief Scientist at McAfee. He specializes in cybercrime and has assisted multiple law enforcement agencies in a variety of cybercrime cases. Currently, he serves as a special advisor to the European Cybercrime Centre in The Hague. 

Samani has been recognized for his contribution to the computer security industry through numerous awards, including the Infosecurity Europe Hall of Fame. He is also a prolific writer and  co-author of “Applied Cyber Security and the Smart Grid” and the “CSA Guide to Cloud Computing,” as well as technical editor for numerous other publications. Samani tweets on anything that deals with malware and ransomware and common attack vectors, including email and social media.

11. Samy Kamkar

Followers: 9.6K

Posting Frequency: 1-2 a week

Favorite Topics:

Samy Kamkar is an American privacy and security researcher, a celebrity computer hacker, and a famous whistleblower and entrepreneur. He is best known for high-profile hacking exploits, especially as the creator of the fastest spreading virus of all time, the MySpace worm Samy, and SkyJack, a method for hijacking drones. If that’s not enough, he also created Evercookie, a tool that was used by the National Security Agency (NSA) to track anonymous Tor users. 

In addition to Twitter, Samy writes a highly regarded cybersecurity blog where he publishes detailed research about the latest malware and vulnerabilities he discovers.

12. Kevin David Mitnick

Followers: 253K

Posting Frequency: 3-4 a week

Favorite Topics: Hacking, Vulnerabilities, PenTesting

Kevin Mitnick is probably the world’s best known hacker whose career is worthy of a Hollywood Blockbuster. He is a highly controversial figure within the cybersecurity space and notorious for his high-profile 1995 arrest and consequent sentence for various computer-related crimes.

Nowadays, Mitnick is a top paid security consultant, public speaker and author. In addition, Mitnick serves as a security consultant for a wide array of Fortune 500 companies and the FBI. He performs pentesting services for the world’s largest companies, and teaches Social Engineering classes to dozens of enterprises and government agencies all over the world. 

Kevin also created the world-leading cybersecurity awareness training. Follow him for the latest updates on spam, content-borne and email attacks, phishing, spear phishing, malware, ransomware and social engineering.

13. Adam Levin

Followers: 253K

Posting Frequency: 3-4 a day

Favorite Topics: Identity Theft, Phishing, Social Engineering, Hacking

Adam is an expert on identity management and identity theft resolution. He writes a weekly column for the Huffington Post, and frequently contributes to other major media outlets. Adam has over 40 years of experience in security, privacy, personal finance, real estate and government service. Adam speaks and writes on a wide array of subjects, including a broad range of security and personal finance topics, privacy issues and the “Internet of Things,” protecting data in a world of connected devices and identity theft.

14. Chuck Brooks

Followers: 10K

Posting Frequency: 3-4 a day

Favorite Topics: AI, IOT, Homeland security, cyber security

Named a “Top 50 social influencer in risk and compliance” by Thomson Reuters, Chuck is a recognized thought leader, influencer and technology evangelist. His articles are frequently published in Forbes, Huffington Post, InformationWeek, MIT Sloan Blog, and Computerworld. On Twitter, Chuck frequently shares articles from all over the web on cybersecurity topics, as well as his opinions on the latest developments in the field.

Can you think of someone who should be added to our list? Let us know in the comments below!



Rotem Shemesh
1 minute & 37 seconds read · July 23, 2019

The Hits Just Keep on Coming

Just when you thought your endpoints and data were safe, along comes a repeat performance of last year’s exploit.

Everybody understands that talented hackers will continue to create innovative malware that will attempt to exploit new vulnerabilities in our operating systems and third-party software. That’s a given. But isn’t it just a little bit mindboggling to think that well-known attacks from years ago, already included in all the leading threat intelligence and AVs, are still actively piercing our cyber defense armor and pilfering our data?

How is that even possible?

BitDam’s latest research explains the economics behind new types of hacker attacks and shows why yesteryear’s major malware hits continue to plague us. In our latest whitepaper, Still Vulnerable After All These Years, you will learn why hackers often prefer to tweak old and proven attack methods again and again rather than invent new techniques.

In Still Vulnerable, we will show you how observant hackers find the tiniest cracks in the security wall of the most tried and tested software. Even if you QA it a thousand times, hackers can still find a way in.

Which software packages are the most attractive hacker magnets? You might be surprised at what we have discovered.

Is there any connection between the number of attacks and actual data breaches? We present you with the numbers and trends over the last decade. The correlation is critical, and we do the math for you.

Did you ever wonder how attacks are identified, catalogued and distributed globally via public threat intelligence? Here is an opportunity to obtain an easy-to-understand background on the CVE system, how it is used and how it helps you.

But that’s not all.

What is the ultimate defense against recurring attacks against your standard Microsoft, Adobe and other packages? We have the answer and you can have it, too.

Download Still Vulnerable After All These Years to find out how to stop the hits that keep on coming.

Macro Obfuscation in Office Files
Alex Livshiz
5 minutes & 33 seconds read · July 8, 2019

Macro Obfuscation in Office Files

In the world of cyber-security, some patterns never change. However, that doesn’t mean that they’re easy to detect. One of them is code obfuscation.

The typical reasons attackers use code obfuscation include:

  1. Evasion techniques – hiding their code from static analysis solutions
  2. Making their code harder to reverse engineer

At BitDam, we have encountered various types of obfuscated code, ranging from obfuscated strings in a malicious DLL dropped to the machine, all the way to obfuscated JavaScript in a pdf file. In this blog post, I’m going to focus on obfuscated macros in Office files.

Why Office Macros?

To understand why this is one of the most interesting issues, in my opinion, I’ll have to take you back to BitDam’s approach towards detecting malicious files. Generally speaking, there are three steps that take place in the process of malicious file exploitation:

    1. Identifying a vulnerability
    2. Exploiting that vulnerability
    3. Running the malicious code

Today, most security solutions focus on detecting the malicious code / Advanced Persistent Threat (APT). Why is that? Because it’s relatively easy to create static and dynamic signatures that would catch known APTs.

Why isn’t that good enough? Because this method works well for known APTs, but it is useless against zero-day exploits and unknown APTs.

How does BitDam do things differently? Unlike many other solutions, BitDam focuses on the most interesting phase – the exploitation – that leads to code execution.

Now that we have this in mind, we can move on to “why are Office macros interesting?”

Many Office macro attacks do not include the vulnerability and exploitation phases and start straight out running the malicious code. This way, attackers can do pretty much whatever they want. For example, an attacker can simply drop an EXE file to the %TEMP% folder and execute it. This in turn causes current cyber solutions to focus on static analysis to detect malicious macros. To deal with that, attackers obfuscate their macros and make them harder to find using a static scan.

They Get More and More Sophisticated

Macros were first introduced way before the concept of cyber-security existed, and were mainly used for running functions on Excel sheets. That changed when attackers started exploiting macros to their own advantage. According to the Microsoft Defender ATP Research Team, 98% of the Office-targeted threats in 2016 used macros, which is a crazy number! And to be honest, I don’t see a reason for this number to decrease.

The reason hackers use this attack vector is that it allows them to do whatever they want within the scope of a macro. They can achieve code execution and persistence on the attacked machine by using macro features such as:

  • Writing to the file system
  • Writing to the registry
  • Using Windows Management Instrumentation (WMI)

Some of today’s macro attacks are also known as fileless attacks – attacks that do not require the installation of a malicious program or writing a file to the file system. Instead, they inject their code into other processes so that the malware exists only in memory.

Obviously, Microsoft had to deal with this attack vector. As with every problematic feature, the easiest solution is to disable it by default. Today, Office integrates mitigations to prevent macros from running by default. For example:

This may help in some cases, but attackers use social engineering to trick the user to approve the macro (which actually works):

In other cases, organizations with older Office versions are more in danger of being attacked by such files.

Diving into Macro Obfuscation

Let’s start with a basic example, which is also a very popular one. An attacker can simply create a WScript.Shell object and execute a powershell / cmd script. This can be used to fetch a payload from a remote server and execute it.

Have a look at the following macro:

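Sub Document_Open()
    ' Runs automatically when the document is opened
    FileName = Environ("temp") & "\malicious.exe"
    fileNo = FreeFile 'Get first free file number
    textData = "My malicious content"
    ' Write a plain text string to the file; it is not a valid executable
    Open FileName For Output As #fileNo
    Write #fileNo, textData
    Close #fileNo
    ' Try to launch the dropped file through WScript.Shell
    Set WshShell = CreateObject("WScript.Shell")
    Set WshShellExec = WshShell.Exec(FileName)
End Sub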

This code basically creates an EXE file and runs it. Note that the EXE can’t actually run, since its content is a simple text string. And yet, by uploading a .docx file that contains this macro to VirusTotal, half of the vendors marked it as malicious.

If I were an attacker, I would not be happy, as that is a very miserable result. I definitely don’t want my malware to be detected by 50% of the endpoints. Luckily for attackers, there are ways to bypass security solutions and get under their radar. Not surprisingly, this drives attackers to become very creative with their string obfuscations.

Let’s explore another example, this time it’s something that we’ve recently seen in the wild (SHA-256 f5c51cff409b074e9aeb97d999a3e78bbd99a3b3b8ee3821018a4759670e845a). It demonstrates how sneaky attackers can be. Here’s how the file works:

First, there’s a creation of a powershell command. You can see the letters of the “powershell” marked in red.

Then, the macro runs the command line generated using WMI. It uses the winmgmts object to create a process, and does it differently from my sample earlier:

This obfuscated macro got a much lower VirusTotal score:

Obfuscation Detection: Why, Challenges and How

Now that we understand why attackers use obfuscation, and we have seen a real-life example, it’s pretty clear why BitDam, as a cyber-security vendor, would like to automatically detect obfuscated macros:

  • For our customers – by labeling obfuscated macros, we provide our users (SOC teams) with data that would help them further investigate malware blocked by BitDam
  • Internally for product enhancements – our detection engine utilizes this data as part of its file scoring mechanism.

While obfuscated code is quite simple to identify with the human eye (any developer or researcher who sees the code can immediately tell that it’s obfuscated), it isn’t that straightforward for machines to detect. Looking for suspicious keywords in a macro is not an option. As you can see in the example above, even detecting the keyword “powershell” is not simple. And let’s not forget that attackers get more and more creative as time goes on.

To overcome this, and automatically determine if a macro is obfuscated or not, we at BitDam came up with a unique technique that uses dynamic scanning (and a bit of static) of the file. This helps our customers’ SOC teams investigate such attacks, and it helps our solution to detect sneaky attacks.
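Why a plain keyword search misses split strings, and how far a purely static pass can get, as an added Python example (not BitDam's detection technique, which the post does not describe): it folds constant concatenations of string literals and Chr() calls before searching for the keywords named in the post. The two macros are constructed samples with a harmless command; values assembled through variables or at run time are outside what this folding resolves.

```python
import re

# One constant "atom": a VBA string literal, or Chr/ChrW/Chr$ of a numeric literal.
ATOM = r'(?:"(?:[^"\r\n]|"")*"|\bChrW?\$?\(\s*(?:&H[0-9A-Fa-f]+|\d+)\s*\))'
ATOM_RE = re.compile(ATOM, re.I)
# Two or more atoms joined by the VBA concatenation operators & or +.
CHAIN_RE = re.compile(rf"{ATOM}(?:\s*[&+]\s*{ATOM})+", re.I)

# Keywords taken from the techniques named in the post.
KEYWORDS = ("powershell", "wscript.shell", "winmgmts")


def _atom_value(atom):
    """Return the text a single constant atom evaluates to."""
    if atom.startswith('"'):
        return atom[1:-1].replace('""', '"')  # "" is an escaped quote in VBA
    number = re.search(r"\(\s*(&H[0-9A-Fa-f]+|\d+)", atom, re.I).group(1)
    code = int(number[2:], 16) if number[:2].upper() == "&H" else int(number)
    return chr(code) if code <= 0x10FFFF else ""


def fold_constants(source):
    """Fold constant concatenation chains; return (folded_source, chains_folded)."""
    joined = re.sub(r"[ \t]+_\r?\n\s*", " ", source)  # undo VBA line continuations

    def _fold(match):
        text = "".join(_atom_value(a) for a in ATOM_RE.findall(match.group(0)))
        return '"' + text.replace('"', '""') + '"'

    return CHAIN_RE.subn(_fold, joined)


def analyze_macro(source):
    """Compare keyword hits before and after folding, plus simple indicators."""
    folded, chains = fold_constants(source)
    raw_hits = {k for k in KEYWORDS if k in source.lower()}
    folded_hits = {k for k in KEYWORDS if k in folded.lower()}
    hidden = sorted(folded_hits - raw_hits)
    return {
        "raw_hits": sorted(raw_hits),        # visible to a naive keyword scan
        "hidden_hits": hidden,               # visible only after folding
        "folded_chains": chains,
        "chr_calls": len(re.findall(r"\bChrW?\$?\s*\(", source, re.I)),
        "likely_obfuscated": bool(hidden),
    }


# Constructed samples; the command only prints "hello".
PLAIN_MACRO = r'''Sub Document_Open()
    Set sh = CreateObject("WScript.Shell")
    sh.Run "powershell -Command Write-Output hello"
End Sub
'''

SPLIT_MACRO = r'''Sub Document_Open()
    c = "po" & Chr(119) & "er" & ChrW(&H73) & "he" + "ll" & _
        " -Command Write-Output hello"
    Set svc = GetObject("win" & "mgm" & "ts:Win32_Process")
    svc.Create c
End Sub
'''

if __name__ == "__main__":
    for name, macro in (("plain", PLAIN_MACRO), ("split", SPLIT_MACRO)):
        print(name, analyze_macro(macro))
```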

Want to check if we detect your obfuscated macro? Scan it now for free and let us know the result.
