Horizon3.ai - Automated Pen Testing as a Service

In the News

Big Tech and Government Agencies Collaborate To Put an End to Ransomware Payments

CPO Magazine: 5/11/21
Anthony Pillitiere, Co-Founder and CTO at Horizon3.AI, sees this as a particularly important component as the ransomware market peaks and transitions to a “shovel seller’s” economy: “While I believe this is a great step, it’s a bit late in the game. Criminals are already seeing that the “don’t pay” message is starting to stick, as only 27% of victims are paying. As the money dries up, a new tactic of “breach-as-a-service” is growing in popularity. Criminals are taking a lesson from the gold rush – once the peak is hit, you can generate a longer term revenue stream from selling pickaxes to the laggards. The 2021 DBIR analysis shows that credential and brute force attacks are the source of 80% of breaches.”

World Password Day: Experts Share Best Practices to Keep Data Protected

AIThority: 5/6/21
Never Ignore The Importance and The Value of Password Variance and Length

Monti Knode, Director of Customer & Partner Success at Horizon3.AI: Attackers don’t hack in…they log in. Annual security reports illustrate this trend across industries, exploding this past year. In more than 500 pentest operations in the last six months, we’ve seen this as well, with weak or default credentials topping our top-10 findings lists for the second quarter in a row, averaging over 90 credentials exploited per operation. This topic is so top-of-mind in cybersecurity that it was the inspiration for our first Tech Talk webinar earlier this year. We can’t understate the value of password variance and length. Credential stuffing and reuse is a real problem; people will use the same password for their streaming service, their bank and their domain admin account. In a recent operation, we found one password was in use by 152 accounts, ~20% of the enterprise. We also saw a steep decline in our ability to crack passwords as the password length increased from the 8-character minimum set by policy. Credentials are the new perimeter, so if celebrating a World Password Day inspires people to reconsider their easily cracked P@$$w0rd, buy me a shiny hat and let’s have a party.

Best Practices During World Password Day

Security Magazine: 5/6/21
Monti Knode, Director of Customer & Partner Success at Horizon3.AI: Attackers don't hack in...they log in. Annual security reports illustrate this trend across industries, exploding this past year. In more than 500 pentest operations in the last six months, we’ve seen this as well, with weak or default credentials topping our top-10 findings lists for the second quarter in a row, averaging over 90 credentials exploited per operation. This topic is so top-of-mind in cybersecurity that it was the inspiration for our first Tech Talk webinar earlier this year. We can’t understate the value of password variance and length. Credential stuffing and reuse is a real problem; people will use the same password for their streaming service, their bank and their domain admin account. In a recent operation, we found one password was in use by 152 accounts, ~20% of the enterprise. We also saw a steep decline in our ability to crack passwords as the password length increased from the 8-character minimum set by policy. Credentials are the new perimeter, so if celebrating a World Password Day inspires people to reconsider their easily cracked P@$$w0rd, buy me a shiny hat and let’s have a party.

Get Expert Advice During World Password Day 2021

VM Blog: 5/6/21
Monti Knode, Director of Customer & Partner Success at Horizon3.AI "Attackers don't hack in...they log in. Annual security reports illustrate this trend across industries, exploding this past year. In more than 500 pentest operations in the last six months, we've seen this as well, with weak or default credentials topping our top-10 findings lists for the second quarter in a row, averaging over 90 credentials exploited per operation. This topic is so top-of-mind in cybersecurity that it was the inspiration for our first Tech Talk webinar earlier this year. We can't understate the value of password variance and length. Credential stuffing and reuse is a real problem; people will use the same password for their streaming service, their bank and their domain admin account. In a recent operation, we found one password was in use by 152 accounts, ~20% of the enterprise. We also saw a steep decline in our ability to crack passwords as the password length increased from the 8-character minimum set by policy. Credentials are the new perimeter, so if celebrating a World Password Day inspires people to reconsider their easily cracked P@$$w0rd, buy me a shiny hat and let's have a party."

#WorldPasswordDay: Five Tips to Make Passwords Secure AND Convenient

Infosecurity Magazine: 5/6/21
Monti Knode, director of customer & partner success at Horizon3.AI, commented: “Attackers don't hack in . . . they log in. Annual security reports illustrate this trend across industries, exploding this past year. In more than 500 pentest operations in the last six months, we’ve seen this as well, with weak or default credentials topping our top-10 findings lists for the second quarter in a row, averaging over 90 credentials exploited per operation.”

New Ransomware Task Force Seeks to Disrupt Ransom Payments

Security Magazine: 4/30/21
Anthony Pillitiere, Co-Founder and CTO at Horizon3.AI: This hits at the heart of the matter in cybersecurity...the economics of an attack. While I believe this is a great step, it's a bit late in the game. Criminals are already seeing that the "don't pay" message is starting to stick, as only 27% of victims are paying. As the money dries up, a new tactic of "breach-as-a-service" is growing in popularity. Criminals are taking a lesson from the gold rush - once the peak is hit, you can generate a longer term revenue stream from selling pickaxes to the laggards. The 2021 DBIR analysis shows that credential and brute force attacks are the source of 80% of breaches. Organizations need to focus on the fundamentals of security, which includes good IDAM hygiene, continuous assessment, and the adoption of a purple culture - using offensive actions to inform defensive actions and focus efforts on the issues most likely to impact business first.

Top Security Vendors Join DOJ, Europol and U.K. National Crime Agency to Fight Ransomware

Enterprise Security Tech: 4/29/21
Anthony Pillitiere, Co-Founder and CTO at Horizon3.AI: "This hits at the heart of the matter in cybersecurity...the economics of an attack. While I believe this is a great step, it's a bit late in the game. Criminals are already seeing that the "don't pay" message is starting to stick, as only 27% of victims are paying. As the money dries up, a new tactic of "breach-as-a-service" is growing in popularity. Criminals are taking a lesson from the gold rush - once the peak is hit, you can generate a longer term revenue stream from selling pickaxes to the laggards. The 2021 DBIR analysis shows that credential and brute force attacks are the source of 80% of breaches. Organizations need to focus on the fundamentals of security, which includes good IDAM hygiene, continuous assessment, and the adoption of a purple culture - using offensive actions to inform defensive actions and focus efforts on the issues most likely to impact business first."

DoD Study Shows Why WFH and Hybrid Work Remains Difficult

DICE Insights: 4/28/21
Monti Knode, director of customer and partner success at security firm Horizon3.AI, notes the Defense Department and its workers experienced many of the same issues as its private sector counterparts, with the added burden of remaining combat-ready. “At a massive scale, the DoD is struggling with the same aspects of work-from-home as the rest of the country, but in addition to being productive, the DoD must ask: ‘How can we continue to be combat effective?’ Being combat effective is a binary answer; either you are, or you aren’t,” Knode told Dice.

Use of Defensive AI Against Cyberattacks Grows

Security Boulevard: 4/22/21
Snehal Antani, co-founder and CEO at Horizon3.AI, said thanks to open source attack tools, stolen compute resources and automation, the cost to attack is far cheaper than the cost to defend. “We must assume that every cyberattack over the past 10 years has generated training data from which attack algorithms can be developed and tested,” he said. “These attack algorithms, which employ machine learning and AI, enable ransomware, APTs and other threat actors to efficiently discover, evade and succeed at attacking their targets.” In short – never before has the economics of cybersecurity been so imbalanced in favor of bad actors.

Shifting the Balance of Power With AI

Antani noted there has been “moderate success” in the application of machine learning and AI for user behavior analytics and other emerging defensive techniques. “As an industry, we need to accept that humans are the inefficiency in cyber defense and double down on algorithmic cyber warfare,” he said. “We must quickly shift from ‘humans-in-the-loop’ to ‘humans-on-the-loop’, with a vision for ‘humans-out-of-the-loop’,” he said. He explained that human-based penetration testing, human-powered security operations centers, and human-based threat hunting must be the exception in order to keep pace with adversaries.

FBI Clears ProxyLogon Web Shells from Hundreds of Orgs

Threat Post: 4/14/21
Monti Knode, director of customer and partner success at Horizon3.AI, noted that the action illuminates just how dangerous the bugs are. “Government action is always predicated by an authority to act,” he said via email. “By specifically calling out ‘protected computers’ and declaring them ‘damaged’, that appears to have been enough to give the FBI a signed warrant to execute such an operation without notifying victims ahead of the operation execution. While the scale of the operation is unknown (redacted in court order), the fact that the FBI was able to execute in less than four days, and then publicly release this effort, demonstrates the potential national security risk posed by these exploited systems and the prioritized planning involved. This isn’t a knee-jerk reaction.”

Industry Reactions to FBI Cleaning Up Hacked Exchange Servers: Feedback Friday

Security Week: 4/16/21
Monti Knode, Director of Customer & Partner Success, Horizon3.AI: “Government action is always established by an authority to act. By explicitly calling out 'protected computers' and declaring them 'damaged', that appears to have been enough to give the FBI a signed warrant to execute such an operation without notifying victims ahead of the operation execution. While the scale of the operation is unknown (redacted in court order), the fact that the FBI was able to execute in less than four days, and then publicly release this effort, demonstrates the potential national security risk posed by these exploited systems and the prioritized planning involved. Ultimately we are digitally interconnected, and given the risk for supply chain attacks, it’s in each of our best interest to know our own cyber risk and act on them, hopefully before our government must.”

Hackers Leak Hacker Data in Swarmshop Breach

Security Boulevard: 4/12/21
Naveen Sunkavally, chief architect at Horizon3.ai, is more concerned about the proliferation of user credit card information, as well as online banking credentials, than hackers turning on their own. “Attackers can use these credentials against a variety of systems, rarely triggering any security events, because they look like legitimate users,” Sunkavally said. “In the end, regular users are the ones who lose the most.”

FBI Hacks Compromised Exchange Servers as More Stories of Companies Being Targeted Emerge

SiliconANGLE: 4/14/21
“While the scale of the operation is unknown (redacted in court order), the fact that the FBI was able to execute in less than four days and then publicly release this effort, demonstrates the potential national security risk posed by these exploited systems and the prioritized planning involved,” Monti Knode, director of customer & partner success at pentesting company Horizon3.AI Inc. told SiliconANGLE. “This isn’t a knee-jerk reaction.”

Biden Seeks to Boost CISA's Budget by $110 Million

Info Risk Today: 4/12/21
"The cost to attack is far cheaper than the cost to defend, and organizations are struggling to protect themselves," says Monti Knode, director of customer and partner success at the security firm Horizon3.ai, who's the former commander of the Cyberspace Operations Group at the U.S. Air Force. "Agencies like CISA must play a critical role in helping secure not only our federal government, but U.S. businesses and people - all part of a vital public-private supply chain - from cyberthreats. $110 million is a nominal down payment for what will be a long and expensive endeavor."

Swarmshop Breach: 600K+ Payment Card Records Leaked

Security Magazine: 4/9/21
Naveen Sunkavally, Chief Architect at Horizon3.AI, agrees this is nothing new. "This breach continues to show that no one is immune from cyberattacks, including cybercriminals themselves. What's most concerning is the proliferation of user credit card information and online banking credentials. Attackers don't need to hack in using zero days like in the movies; often they can just log in with credentials they've stolen from efforts like this. Now, factor in that many people reuse their credentials across different systems and all the open source information attackers have at their disposal. Attackers can use these credentials against a variety of systems, rarely triggering any security events, because they look like legitimate users. In the end, regular users are the ones who lose the most."

User and Credit Card Data Stolen from Darknet Marketplace Swarmshop

SiliconANGLE: 4/8/21
Naveen Sunkavally, chief architect at pentesting firm Horizon3.AI Inc., noted that the breach show that no one is immune from cyberattacks, including cybercriminals themselves. “What’s most concerning is the proliferation of user credit card information and online banking credentials,” Sunkavally added. “Attackers don’t need to hack in using zero-days like in the movies; often they can just log in with credentials they’ve stolen from efforts like this.”

Hackers Hit Nine Countries, Expose 623,036 Payment Card Records

SC Magazine: 4/8/21
This breach shows that no one is immune from a cyberattack, including the cybercriminals themselves, said Naveen Sunkavally, chief architect at Horizon3.AI. “What’s most concerning is the proliferation of user credit card information and online banking credentials,” Sunkavally said. “Attackers don’t need to hack in using zero days like in the movies. They often can just log in with credentials they’ve stolen from efforts like this. Now, factor in that so many people reuse their credentials across different systems and all the open source information attackers have at their disposal. Attackers can use these credentials against a variety of systems, rarely triggering any security events, because they look like legitimate users. In the end, regular users are the ones who lose the most.”

Probing Restrictions May Stilt Pentagon’s Vulnerability Disclosure Program for Contractors

SC Magazine: 4/6/21
“What is going to be interesting with this formal process is how fast industry partners and government can and are willing to fix a reported finding,” said Monti Knode, director of customer and partner success at penetration testing company Horizon3.AI.

Fortinet FortiOS VPN Likely Exploited by Hackers, Feds Say

Channel Futures: 4/5/21
Zach Hanley is senior red team engineer at Horizon3.AI. “Attackers are increasingly targeting critical external applications,” he said. “VPNs have been targeted even more this last year. These three vulnerabilities targeting the Fortinet VPN allow an attacker to obtain valid credentials, bypass multifactor authentication (MFA), and man-in-the-middle (MITM) authentication traffic to intercept credentials. The common theme here is once they are successful, they will look just like your normal users.”

Hackers are Actively Targeting FortiOS Vulnerabilities, Warn FBI and CISA

Silicon Angle: 4/5/21
“Attackers are increasingly targeting critical external applications, and VPNs have been targeted even more this last year,” Zach Hanley, senior Red Team engineer at pentesting company Horizon3.AI Inc., told SiliconANGLE. “These three vulnerabilities targeting the Fortinet VPN allow an attacker to obtain valid credentials, bypass MFA and man-in-the-middle authentication traffic to intercept credentials. The common theme here is: Once they are successful, they will look just like your normal users.”

FBI and CISA: APT Groups Targeting Government Agencies

Gov Info Security: 4/3/21
Zach Hanley, senior red team engineer at security firm Horizon3.ai, adds that the attackers can use the vulnerabilities to obtain valid credentials to perform man-in-the-middle attacks, which will then help them to intercept authentication traffic. "The common theme here is: Once they are successful, they will look just like your normal users."

FBI and CISA Warn About APTs Targeting FortiOS VPN Vulnerabilities

Tech Nadu: 4/3/21
Zach Hanley, senior red team engineer at Horizon3.AI, told us: “Attackers are increasingly targeting critical external applications – VPNs have been targeted even more this last year. These three vulnerabilities targeting the Fortinet VPN allow an attacker to obtain valid credentials, bypass multi-factor authentication (MFA), and man-in-the-middle (MITM) authentication traffic to intercept credentials. The common theme here is: once they are successful, they will look just like your normal users.”

FBI: APTs Actively Exploiting Fortinet VPN Security Holes

Threat Post: 4/2/21
“Attackers are increasingly targeting critical external applications – VPNs have been targeted even more this last year,” said Zach Hanley, senior red team engineer at Horizon3.AI, via email. “These three vulnerabilities targeting the Fortinet VPN allow an attacker to obtain valid credentials, bypass multifactor authentication (MFA), and man-in-the-middle (MITM) authentication traffic to intercept credentials.” Hanley added, “The common theme here is: once they are successful, they will look just like your normal users.”

Agency Issues 2nd Alert for Instant Quote Website Schemes

Data Breach Today: 4/2/21
Anthony Pillitiere, co-founder and CTO of security firm Horizon3.AI, notes that instant quote websites for financial services companies and auto insurers fail to offer basic security for information that can easily be gleaned by fraudsters with rudimentary skills. "People already give up enough information on their own through social media and the rest of their digital footprint," Pillitiere says. "The last thing they need is someone giving it away without them knowing about it. Criminals use any and all data available to them, from social media to receipts in their trash. … The relationships between that data create a picture that enables attackers to reach their goal."

CISA Orders Action Against Exchange Vulnerabilities

Security Boulevard: 4/2/21
There will be “a significant increase in serious cyberattacks throughout 2021 using ubiquitous software like Exchange and SolarWinds as the attack vector,” warned Anthony Pillitiere, co-founder and CTO at Horizon3. Pillitiere stressed that “organizations that lack a strong cybersecurity foundation will suffer, but organizations that have invested in the right talent, tools, processes and partners will weather the storm.” In special operations, he said, “we learned to master the fundamentals” and the same holds “true in cybersecurity – focus on getting the fundamentals right.” That way, organizations “can assess, detect, and respond to security threats faster.”

CISA Releases Supplemental Direction On Emergency Directive for Microsoft Exchange Server

Security Magazine: 4/2/21
According to Anthony Pillitiere, Co-Founder and CTO at Horizon3.AI, “We will continue to see a significant increase in serious cyber attacks throughout 2021 using ubiquitous software like Exchange and SolarWinds as the attack vector. Organizations that lack a strong cyber security foundation will suffer, but organizations that have invested in the right talent, tools, processes, and partners will weather the storm.”