<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Munrobotic Blog and 'Briefly Briefed:' Weekly Newsletter]]></title><description><![CDATA[A long-form blog and weekly newsletter about Cybersecurity, written for people in the industry who want to stay current with the main happenings of the week!]]></description><link>https://www.munrobotic.com</link><image><url>https://substackcdn.com/image/fetch/$s_!-uVs!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F034040ed-6305-4d58-a8bc-e2cb9d2592df_1000x1000.png</url><title>Munrobotic Blog and &apos;Briefly Briefed:&apos; Weekly Newsletter</title><link>https://www.munrobotic.com</link></image><generator>Substack</generator><lastBuildDate>Wed, 08 Apr 2026 00:26:16 GMT</lastBuildDate><atom:link href="https://www.munrobotic.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Lawrence Munro]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[rss@munrobotic.com]]></webMaster><itunes:owner><itunes:email><![CDATA[rss@munrobotic.com]]></itunes:email><itunes:name><![CDATA[Lawrence Munro]]></itunes:name></itunes:owner><itunes:author><![CDATA[Lawrence Munro]]></itunes:author><googleplay:owner><![CDATA[rss@munrobotic.com]]></googleplay:owner><googleplay:email><![CDATA[rss@munrobotic.com]]></googleplay:email><googleplay:author><![CDATA[Lawrence Munro]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[Briefly Briefed: Newsletter #26 (07/03/24)]]></title><description><![CDATA[Greetings 
all,]]></description><link>https://www.munrobotic.com/p/briefly-briefed-newsletter-26-070324</link><guid isPermaLink="false">https://www.munrobotic.com/p/briefly-briefed-newsletter-26-070324</guid><dc:creator><![CDATA[Lawrence Munro]]></dc:creator><pubDate>Thu, 07 Mar 2024 10:48:48 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/7997294a-c0f4-46c7-9f9f-c35c61af6c20_1023x982.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Greetings all,</p><p>This is week #26 of the &#8216;Briefly Briefed:&#8217; newsletter. A big welcome to new subscribers, and many thanks to those who continue to read. I&#8217;ve made some tweaks to the format of the newsletter this week, following some feedback. I hope it makes it easier to find the information you want.</p><p>My &#8216;if you only read two&#8217; recommendations for the week are:</p><ul><li><p><a href="https://www.theguardian.com/technology/2024/feb/29/pegasus-surveillance-code-whatsapp-meta-lawsuit-nso-group">Court orders maker of Pegasus spyware to hand over code to WhatsApp</a> by Stephanie Kirchgaessner</p></li><li><p><a href="https://www.debug.is/2024/03/04/planes-ferries-automobiles/">Planes, Ferries and Automobiles - How I Hacked Free Travel Across Iceland</a> by Stef&#225;n Orri Stef&#225;nsson</p></li></ul><p>Laters,</p><p>Lawrence</p><p><strong>Meme of the Week:</strong></p><p>[Image: Top 10 Cybersecurity Memes]</p><div><hr></div><h2>News &#127917;</h2><div><hr></div><p><a href="https://www.wired.com/story/here-come-the-ai-worms/">Here Come the AI Worms</a> by Matt Burgess</p><blockquote><p>Security researchers demonstrated a new cyber threat: an AI worm capable of spreading between generative AI systems, potentially enabling data theft and malware deployment. This worm, named Morris II, exploits vulnerabilities in AI email assistants, showing significant security risks within interconnected, autonomous AI ecosystems. The findings, which emphasise the worm's ability to bypass some security measures in ChatGPT and Gemini, call for heightened awareness and improved security designs among developers and tech companies to mitigate future risks of AI-driven cyberattacks.</p><p><strong>So What?</strong></p><p>I doubt that anyone who works in cybersecurity is surprised that we&#8217;re starting to see abuse of &#8216;AI&#8217; in more complex ways. 
Conversely, we&#8217;re seeing a number of excellent efforts to improve baseline security in this area, such as the <a href="https://owasp.org/www-project-top-10-for-large-language-model-applications/">OWASP top 10 for LLMs</a> and the formation of bodies like the <a href="https://www.gov.uk/government/publications/ai-safety-institute-overview/introducing-the-ai-safety-institute">UK&#8217;s AI Safety Institute</a> and <a href="https://www.nist.gov/artificial-intelligence/artificial-intelligence-safety-institute">U.S. AISI and AISIC</a>. However, things are moving so fast it&#8217;s likely to be the wild-west for some time to come.</p></blockquote><div><hr></div><p><a href="https://www.inforisktoday.com/zscaler-ceo-palo-alto-playing-defense-as-firewall-sales-ebb-a-24484">Zscaler CEO: Palo Alto Playing Defense as Firewall Sales Ebb</a> by Michael Novinson</p><blockquote><p>The article outlines Zscaler CEO Jay Chaudhry's view on the cybersecurity landscape, specifically focusing on the decline in firewall sales and the shift towards zero trust security. Chaudhry criticises Palo Alto Networks' strategy of offering free products to new platform customers, predicting this approach will not be sustainable. He emphasises the critical nature of cybersecurity, suggesting that customers will invest in leading solutions over cheaper, less effective products. Zscaler's financial success, with a significant increase in revenue and decrease in net loss, underscores Chaudhry's confidence.</p><p><strong>So What?</strong></p><p>The announcement by Palo Alto Networks on their strategy change has really garnered a lot of mainstream and industry attention to the &#8216;platformisation&#8217; debate. I&#8217;m totally shocked that the CEO of a direct competitor thinks their approach is wrong and his is better (although his main argument seems to be that people don&#8217;t want firewalls anymore). 
I really enjoyed this <a href="https://open.substack.com/pub/softwareanalyst/p/part-1-palo-alto-networks-platformization">article by Francis Odum</a> on the topic. He dives into an analysis of the share price dip at Palo (buy the dip?), and unpicks their strategy in detail. I&#8217;ll definitely be following how this continues to unfold over the coming months.</p></blockquote><div><hr></div><p><a href="https://archive.is/5taMT#selection-5845.0-6467.213">The Invisible $1.52 Trillion Problem: Clunky Old Software</a> by Christopher Mims (WSJ)</p><blockquote><p>The article sheds light on the overlooked issue of 'technical debt', where companies' reliance on outdated software systems leads to security risks and hinders innovation. Technical debt, costing the U.S. $2.41 trillion annually, results from quick fixes and obsolete systems that weren't designed for current uses. Highlighted examples include system failures and security breaches affecting major corporations. The article stresses the importance of management empowering IT departments to prioritise updating existing systems over new developments, to mitigate risks and future-proof organisations.</p><p><strong>So What?</strong></p><p>This is a long-known issue across IT, and a significant threat to cyber resilience. It&#8217;s interesting that a monetary figure has been estimated, and I have to say, it &#8216;feels&#8217; in the right order of magnitude. It&#8217;ll be interesting to see if this raises the profile of the issue, and whether strategies for paying down technical debt will be more openly discussed.</p></blockquote><div><hr></div><p><a href="https://corpgov.law.harvard.edu/2024/03/01/cybersecurity-disclosure-report/#more-163090">Cybersecurity Disclosure Report</a> by Neil McCarthy, James Palmiter, and G. Michael Weiksner</p><blockquote><p>The article examines early 2023 10-K filings to identify trends in cybersecurity disclosures as mandated by new S-K Item 106. 
It reveals varied approaches to risk management, governance, and incident management across companies. Many align with frameworks like NIST CSF, indicating a trend towards industry-standard practices. The analysis suggests that while there's a common ground in adopting standardised frameworks, companies also exhibit unique strategies tailored to their operational needs and business objectives.</p><p><strong>So What?</strong></p><p>This is a nice analysis, despite quite a small dataset. I&#8217;m not sure the outcomes are that surprising, in that PLCs are aligning to frameworks and strategies are quite disparate. Longer term, I hope that they consider overlaying a &#8216;success&#8217; meta-analysis on these data, looking at which companies fare better.</p></blockquote><div><hr></div><h2>Cyber Threat Intelligence &#128121;</h2><div><hr></div><p><a href="https://www.resecurity.com/blog/article/millions-of-undetectable-malicious-urls-generated-via-the-abuse-of-public-cloud-and-web-30-services">Millions of Undetectable Malicious URLs Generated Via the Abuse of Public Cloud and Web 3.0 Services</a> by Resecurity</p><blockquote><p>The article discusses the emergence of Fully Undetectable (FUD) Links generated by phishing-as-a-service tools exploiting public cloud services and Web 3.0 platforms like GitHub and IPFS. Resecurity highlights the massive scale of these operations, generating thousands of malicious URLs monthly. 
These URLs evade detection by leveraging the legitimate infrastructure of widely used cloud platforms, making them particularly challenging for anti-spam and anti-phishing solutions to identify due to their inherent low-risk scores by email security filters.</p><p><strong>So What?</strong></p><p>A pretty interesting vector, and one to keep an eye on in CTI / SOC teams.</p></blockquote><div><hr></div><p><a href="https://www.gmfus.org/event/global-dimension-ukraines-cyber-defense-conversation-ambassador-nathaniel-c-fick-and-director">The Global Dimension of Ukraine&#8217;s Cyber Defense: A conversation with Ambassador Nathaniel C. Fick and Director Jen Easterly</a> by The GMF</p><blockquote><p>The German Marshall Fund are hosting a discussion featuring Ambassador Nathaniel C. Fick and CISA Director Jen Easterly on Ukraine's cyber defense against Russian cyberattacks. The conversation will be focused on international efforts to bolster Ukraine's capacity to detect and defend against these threats, the importance of cybersecurity for the nation's stability, and the broader implications for global cyber resilience. The link takes you to a registration page for the upcoming webinar on 15th February. </p><p><strong>So What?</strong></p><p>This webinar looks like it&#8217;s going to be fascinating! 
If you&#8217;re interested in Cyber-war strategies, it&#8217;s worth considering signing up.</p></blockquote><div><hr></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://forms.gle/kFdbX8sTTGj8YiHu6&quot;,&quot;text&quot;:&quot;Send Lawrence Feedback&quot;,&quot;action&quot;:null,&quot;class&quot;:&quot;button-wrapper&quot;}" data-component-name="ButtonCreateButton"><a class="button primary button-wrapper" href="https://forms.gle/kFdbX8sTTGj8YiHu6"><span>Send Lawrence Feedback</span></a></p><div><hr></div><h2>Technical &#128291;</h2><div><hr></div><p><a href="https://github.com/bcdannyboy/DGWR">Don't Gamble with Risk (DGWR)</a> by Daniel Bloom</p><blockquote><p>This GitHub repository introduces "Don't Gamble with Risk (DGWR)," a Monte Carlo simulation system for quantitative risk modeling. Inspired by the FAIR model, it aids in quantifying risk probabilities and impacts, offering a robust framework for risk analysis. DGWR is beneficial for organisations seeking data-driven decision-making, prioritisation of risks, and efficient resource allocation. It uses the PERT distribution for modeling and is designed for flexibility, supporting future integration of other distributions for broader applicability.</p><p><strong>So What?</strong></p><p>This one is definitely for the cyber risk quantification geeks. I had a quick play with the tool and although it&#8217;s a bit unintuitive in places, it does the job.</p></blockquote><div><hr></div><p><a href="https://www.debug.is/2024/03/04/planes-ferries-automobiles/">Planes, Ferries and Automobiles - How I Hacked Free Travel Across Iceland</a> by Stef&#225;n Orri Stef&#225;nsson</p><blockquote><p>This article recounts Stef&#225;nsson's adventures in exploiting vulnerabilities in Icelandic travel companies' IT systems to obtain free travel. It started with a bug in an airline's booking system and expanded to hacking bus and ferry systems, demonstrating significant flaws in their security protocols. 
Stef&#225;nsson emphasises the ethical aspect by ensuring all exploited tickets were cancelled and not used, highlighting the importance of robust IT security in the travel industry.</p><p><strong>So What?</strong></p><p>This is just a great story and a fun read. *Disclaimer* Stay in school kids, and on the right side of the law.</p></blockquote><div><hr></div><p><a href="https://blog.plerion.com/hacking-terraform-state-privilege-escalation/">Hacking Terraform State for Privilege Escalation</a> by Daniel Grzelak</p><blockquote><p>This article explores how attackers can exploit Terraform state files to escalate privileges within cloud environments. It details methods for manipulating the Terraform state to initiate unauthorised actions, such as deleting resources or executing arbitrary code. Grzelak underscores the importance of securing Terraform state files and offers mitigation strategies, including provider pinning, state file security, and enabling state locking, to prevent such attacks.</p><p><strong>So What?</strong></p><p>This is a really well-documented and well-reasoned post. If you&#8217;re not Terraform literate though, you won&#8217;t get much value. It&#8217;s worth passing on to your cloud infrastructure colleagues though.</p></blockquote><div><hr></div><p><a href="https://wiki.offsecml.com/Welcome+to+the+Offensive+ML+Playbook">The Offensive ML Playbook</a> by threlfall</p><blockquote><p>This resource serves as a comprehensive guide on offensive machine learning (ML) tactics, techniques, and procedures (TTPs), focusing on practical attacks against ML systems. It categorises attacks into offensive ML, adversarial ML, and supply chain attacks, offering a variety of strategies for red teamers. 
The playbook emphasises tools and code for immediate use rather than theoretical research, aiming to facilitate quick learning and application of adversarial ML techniques without deep technical expertise in data science or ML.</p><p><strong>So What?</strong></p><p>This is a nice aggregation of resources relating to Offensive ML. There are still only a handful of people interested in this area, but the community is quite active. The guide will help you get started if you&#8217;re keen to learn more, and have the right technical skills.</p></blockquote><div><hr></div><p><a href="https://ar5iv.org/abs/2402.10601">Jailbreaking Proprietary Large Language Models using Word Substitution Cipher</a> by Divij Handa, Advait Chirmule, Bimal Gajera, Chitta Baral</p><blockquote><p>This paper introduces techniques for bypassing the ethical constraints of large language models (LLMs) using encrypted prompts. It focuses on the effectiveness of word substitution ciphers to create "jailbreak" prompts, enabling the circumvention of model guidelines. The study demonstrates a significant success rate in tricking models, including GPT-4, ChatGPT, and Gemini-Pro, into responding to otherwise restricted queries. The findings highlight the need for improving the robustness of LLMs against such adversarial tactics.</p><p><strong>So What?</strong></p><p>It&#8217;s fascinating to see this vector (jailbreaking LLMs) develop, and the creativity of new techniques to bypass safety. 
I think it&#8217;s going to take quite some time for vendors to &#8216;catch &#8216;em all&#8217; and the problem may be the &#8216;XSS of LLMs&#8217; with micro-variations for a long, long time.</p></blockquote><div><hr></div><p><a href="https://cloud.google.com/blog/products/identity-security/how-to-prevent-lateral-movement-techniques-on-google-cloud">How to prevent lateral movement techniques on Google Cloud</a> by Christopher Perry and Wendy Walasek</p><blockquote><p>This article discusses methods to secure Google Cloud against lateral movement techniques exploited by cybercriminals. It highlights Palo Alto Networks' research on exploiting cloud misconfigurations for unauthorised access across cloud environments. The authors explain specific attack vectors such as abusing snapshot creation permissions and adding SSH keys via metadata, offering detailed mitigation strategies to safeguard against these vulnerabilities. The piece underscores the importance of applying the principle of least privilege and using Google Cloud's security features for robust defense.</p><p><strong>So What?</strong></p><p>An important read if you want to &#8216;defend in depth&#8217; in GCP. It&#8217;s great to see Google Cloud be pretty reactive to recent third-party research. Let&#8217;s hope this influences their security by design, and newer iterations of their IAM make it easier to avoid permissions errors.</p></blockquote><div><hr></div><h2>Geopolitics &#128165;</h2><div><hr></div><p><a href="https://www.theguardian.com/technology/2024/feb/29/pegasus-surveillance-code-whatsapp-meta-lawsuit-nso-group">Court orders maker of Pegasus spyware to hand over code to WhatsApp</a> by Stephanie Kirchgaessner</p><blockquote><p>A US court ruled NSO Group must give WhatsApp its spyware code, including Pegasus, amidst allegations of spying on 1,400 users. This decision represents a significant win for WhatsApp in its lawsuit against NSO since 2019. 
While NSO is required to disclose spyware functionality, it isn't forced to reveal client names or server details. The case underscores ongoing concerns about spyware's impact on privacy, security, and national interests, highlighting governmental measures against misuse.</p><p><strong>So What?</strong></p><p class="cta-caption">The U.S. and their allies are giving NSO and similar organisations a good kicking of late. Doubtless, this is part of a wider strategy to clamp down on &#8216;bought capabilities&#8217; being made available to hostile nation-states. This is underpinned by the recent <a href="https://rusi.org/explore-our-research/publications/commentary/pall-mall-process-cyber-intrusion-tools-putting-words-practice#:~:text=On%206%20and%207%20February,of%20commercial%20cyber%20intrusion%20capabilities.">Pall Mall Process</a>.</p></blockquote><div><hr></div><p><a href="https://www.ftc.gov/news-events/news/press-releases/2024/02/ftc-order-will-ban-avast-selling-browsing-data-advertising-purposes-require-it-pay-165-million-over">FTC Order Will Ban Avast from Selling Browsing Data for Advertising Purposes, Require It to Pay $16.5 Million Over</a> by US Federal Trade Commission</p><blockquote><p>The Federal Trade Commission (FTC) has mandated Avast to pay $16.5 million and banned it from selling users' web browsing data for advertising. This settlement addresses the contradiction between Avast's promises of online tracking protection and its actions of selling browsing data to third parties. The FTC highlighted Avast's deceptive practices, including inadequate consumer notice and consent, and imposed additional requirements on Avast to prevent future misconduct.</p><p><strong>So What?</strong></p><p>Ouch! This underlines the mess that&#8217;s PII and the Internet. 
I doubt this will be the last instance, and the resulting case law will possibly trigger additional suits.</p></blockquote><div><hr></div><p><a href="https://www.tomshardware.com/tech-industry/artificial-intelligence/jensen-huang-advises-against-learning-to-code-leave-it-up-to-ai">Jensen Huang says kids shouldn't learn to code &#8212; they should leave it up to AI</a> by Mark Tyson</p><blockquote><p>Nvidia CEO Jensen Huang suggests at the World Government Summit that programming should be left to AI, freeing humans to master other domains like biology or farming. He believes AI's ability to understand human language makes everyone a programmer, changing the educational focus towards more "useful" fields. Despite Huang's vision, there's skepticism, as the demand for programmers remains high, indicating that AI might expand coding access rather than replace it.</p><p><strong>So What?</strong></p><p>Jensen clearly hasn&#8217;t tried to write code using ChatGPT! Joking aside, I do agree to an extent, that by the time today&#8217;s children reach the workforce, AI will be doing a better job of writing code than clunky old humans. However, I&#8217;d argue that coding provides a unique understanding of computation and key logical reasoning you won&#8217;t find elsewhere in educational curricula. </p></blockquote><div><hr></div><p><a href="https://www.justice.gov/opa/pr/air-national-guardsman-agrees-plead-guilty-unlawfully-disclosing-classified-national-defense">Air National Guardsman Agrees to Plead Guilty to Unlawfully Disclosing Classified National Defense Information</a> by U.S. DoJ</p><blockquote><p>Jack Teixeira, a 22-year-old U.S. Air National Guard member, has agreed to plead guilty to unlawfully retaining and transmitting classified National Defense Information via a social media platform. This action violates his top-secret security clearance, undermining U.S. national security and risking the safety of Americans and allies abroad. 
The plea highlights the severe consequences of mishandling classified information, underscoring the Justice Department's commitment to protecting national security.</p><p><strong>So What?</strong></p><p>This is quite worrying, and hopefully not a growing trend.</p></blockquote><div><hr></div><p class="cta-caption">Thanks for reading &#8216;Briefly Briefed:&#8217; - To receive the newsletter on a weekly basis, please subscribe below. </p>]]></content:encoded></item><item><title><![CDATA[Briefly Briefed: Newsletter #25 (01/03/24)]]></title><description><![CDATA[Happy Friday,]]></description><link>https://www.munrobotic.com/p/briefly-briefed-newsletter-25-010324</link><guid isPermaLink="false">https://www.munrobotic.com/p/briefly-briefed-newsletter-25-010324</guid><dc:creator><![CDATA[Lawrence Munro]]></dc:creator><pubDate>Fri, 01 Mar 2024 10:14:13 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/9bce796a-dd41-4e79-b8b3-66ac518dbecc_1024x1024.webp" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Happy Friday,</p><p>This is week <strong>#25</strong> of the &#8216;Briefly Briefed:&#8217; newsletter. A big welcome to new subscribers, and many thanks to those who continue to read. 
Apologies for the delayed release, it&#8217;s been quite hectic/dramatic week for me, and today is my Birthday! Normal service will resume next week.</p><p>My &#8216;if you only read two&#8217; recommendations for the week are:</p><ul><li><p><a href="https://www.forbes.com/sites/rscottraynovich/2024/02/22/palo-alto-fires-firewall-shot-heard-round-the-world/">Palo Alto Fires Firewall Shot Heard &#8216;Round The World </a>by R. Scott Raynovich</p></li><li><p><a href="https://www.reuters.com/technology/cybersecurity/lockbit-cybercrime-gang-says-it-is-back-online-following-global-police-bust-2024-02-26/">Lockbit cybercrime gang says it is back online following global police bust</a> by James Pearson</p></li></ul><p>Have a great weekend!</p><p>Lawrence</p><p><strong>Meme of the Week:</strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!GpQQ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe737a2a2-e5e6-4542-98b5-37a9c2dff031_1199x900.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!GpQQ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe737a2a2-e5e6-4542-98b5-37a9c2dff031_1199x900.png 424w, https://substackcdn.com/image/fetch/$s_!GpQQ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe737a2a2-e5e6-4542-98b5-37a9c2dff031_1199x900.png 848w, https://substackcdn.com/image/fetch/$s_!GpQQ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe737a2a2-e5e6-4542-98b5-37a9c2dff031_1199x900.png 1272w, 
https://substackcdn.com/image/fetch/$s_!GpQQ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe737a2a2-e5e6-4542-98b5-37a9c2dff031_1199x900.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!GpQQ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe737a2a2-e5e6-4542-98b5-37a9c2dff031_1199x900.png" width="486" height="364.80400333611345" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e737a2a2-e5e6-4542-98b5-37a9c2dff031_1199x900.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:900,&quot;width&quot;:1199,&quot;resizeWidth&quot;:486,&quot;bytes&quot;:1318871,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!GpQQ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe737a2a2-e5e6-4542-98b5-37a9c2dff031_1199x900.png 424w, https://substackcdn.com/image/fetch/$s_!GpQQ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe737a2a2-e5e6-4542-98b5-37a9c2dff031_1199x900.png 848w, https://substackcdn.com/image/fetch/$s_!GpQQ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe737a2a2-e5e6-4542-98b5-37a9c2dff031_1199x900.png 1272w, 
https://substackcdn.com/image/fetch/$s_!GpQQ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe737a2a2-e5e6-4542-98b5-37a9c2dff031_1199x900.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.munrobotic.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:&quot;button-wrapper&quot;}" data-component-name="ButtonCreateButton"><a class="button primary button-wrapper" 
href="https://www.munrobotic.com/subscribe?"><span>Subscribe now</span></a></p><div><hr></div><p><a href="https://tracebit.com/blog/2024/02/finding-aws-account-id-of-any-s3-bucket/">How to find the AWS Account ID of any S3 Bucket</a> by Sam Cox</p><blockquote><p>This article explains a method to identify the AWS Account ID of any S3 bucket, whether private or public. It builds upon a technique developed by Ben Bridts in 2021, enhancing it to work under more conditions. The approach involves using a VPC Endpoint for S3 and CloudTrail logs to incrementally discover the Account ID. It also details optimising the process to make it faster, reducing the time required to less than 10 minutes, and discusses potential security implications and ethical considerations.</p><p><strong>So What?</strong></p><p>It&#8217;s hotly debated as to <a href="https://www.lastweekinaws.com/blog/are-aws-account-ids-sensitive-information/">whether AWS account IDs are sensitive or not</a>, but this is quite an interesting enumeration technique anyway.</p></blockquote><div><hr></div><p><a href="https://www.forbes.com/sites/rscottraynovich/2024/02/22/palo-alto-fires-firewall-shot-heard-round-the-world/">Palo Alto Fires Firewall Shot Heard &#8216;Round The World </a>by R. Scott Raynovich</p><blockquote><p>The article discusses Palo Alto Networks' strategic pivot towards "platformisation" of its cybersecurity offerings, aimed at integrating its vast product range to offer more cohesive solutions. This shift, intended for long-term market share gains despite short-term revenue sacrifices, signals a significant industry shakeup. 
Palo Alto's approach reflects a broader trend towards bundled cybersecurity solutions, addressing customer fatigue with managing disparate security products.</p><p><strong>So What?</strong></p><p>There have been a number of hot takes on this over the last week, mostly by analysts, marketers and product managers with outsized social media followings, who&#8217;ve never actually run a security function (shots fired!). In many of the narratives, there is a misapprehension that &#8216;platformisation&#8217; is exclusively a cost-saving measure, and therefore inherently bad. While this is a huge driver (often the primary one), &#8216;best-of-breed&#8217; point solutions for every problem have other important drawbacks. These include: weak operationalisation (poor SOC integration), increased resource requirements, additional technical complexity, poor interoperability, lack of flexible options for hybrid environments and feature overlap (duplication) with other products. I&#8217;d argue (anecdotally) that higher operational efficiency and interoperability (in Enterprise environments) produces better security outcomes than higher-efficacy point solutions with disjointed workflows. From a purely sales angle, if you doubt this approach will be successful, see <a href="https://finance.yahoo.com/news/microsofts-security-arm-is-now-a-20-billion-per-year-business-213419664.html?guccounter=1#:~:text=According%20to%20the%20tech%20giant,to%20expand%20its%20security%20offerings.">Microsoft security revenues for details</a>. 
Let&#8217;s see how this shapes up!</p></blockquote><div><hr></div><p><a href="https://www.gov.uk/government/publications/department-for-science-innovation-and-technology-areas-of-research-interest">UK Government Department for Science, Innovation and Technology Areas of Research Interest</a></p><blockquote><p>The document outlines the main research questions the Department for Science, Innovation, and Technology aims to address, with the goal of bridging the gap between academic research and policy development. It highlights the department's desire to access a diverse range of suppliers, engage with researchers, and enhance policy decisions with strong evidence bases, seeking to address knowledge gaps and strengthen evidence in complex areas.</p><p><strong>So What?</strong></p><p>UK-specific. I was lucky enough to be involved in reviewing an early draft of the ARIs, therefore, I&#8217;m slightly biased as to whether they hit the right areas. I think there&#8217;s a good mix. I&#8217;m looking forward to seeing what gets picked up and the outcomes. No surprises that AI features heavily! </p></blockquote><div><hr></div><p><a href="https://blogs.microsoft.com/on-the-issues/2024/02/26/microsoft-ai-access-principles-responsible-mobile-world-congress/">Microsoft&#8217;s AI Access Principles: Our commitments to promote innovation and competition in the new AI economy</a> by Brad Smith</p><blockquote><p>Microsoft announced its AI Access Principles at the Mobile World Congress, outlining commitments to innovation, competition, and responsible AI use. The principles aim to ensure broad technology access, promote public good, and include significant investments in AI infrastructure and partnerships. They build upon lessons from past technology developments and aim to foster a competitive, inclusive AI economy globally, reflecting Microsoft's role as a leading AI innovator and cloud provider.</p><p><strong>So What?</strong></p><p>This is a really interesting read. 
Among the overwhelming number of position papers and published principles for &#8216;AI&#8217;, this is one of the more interesting and aggregative. If you&#8217;re interested in following the development of AI, this is worth a read.</p></blockquote><div><hr></div><p><a href="https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report">Incident Response 2024 Report</a> by Palo Alto Networks</p><blockquote><p>The Unit 42 Incident Response Report for 2024 presents insights from cybersecurity incidents, focusing on trends like the rapid pace of attackers, the significance of software vulnerabilities, and the sophistication of threat actors. It emphasises the importance of speed in defence and the role of AI in cybersecurity, and provides recommendations for strengthening security postures. The report aims to guide organisations in proactively managing cyber risks and enhancing their security strategies. The key takeaways are:</p><ul><li><p><strong>Speed Matters.</strong> The time between initial compromise and data exfiltration is decreasing. Attackers are sometimes beginning to exfiltrate data in hours, not days. Defenders need to speed up as well.</p></li><li><p><strong>Software Vulnerabilities Still Matter.</strong> They were behind the largest-scale attack campaigns in 2023. They lead the list of ways attackers get in. Measure your threat surface, then fix it quickly and comprehensively.</p></li><li><p><strong>Threat Actors are Becoming More Sophisticated.</strong> They&#8217;re more organised, with specialised teams for different parts of the attack. They&#8217;re more knowledgeable and able to use IT, cloud, and security tools as weapons of offense. And they&#8217;re more efficient, using processes and playbooks to achieve their goals more quickly.</p></li></ul><p><strong>So What?</strong></p><p>More reporting, presentation and business case fodder! Kudos to Unit42 for the absence of a marketing wall. It&#8217;s interesting to see that the &#8216;time-to-exfil&#8217; is decreasing. 
The report suggests this is due to attackers being more focused, and data exfiltration increasingly being a primary goal. I&#8217;d add that this is likely supported by improved tooling, especially for automation. </p></blockquote><div><hr></div><p><a href="https://www.reuters.com/technology/cybersecurity/lockbit-cybercrime-gang-says-it-is-back-online-following-global-police-bust-2024-02-26/">Lockbit cybercrime gang says it is back online following global police bust</a> by James Pearson</p><blockquote><p>The article reports on the Lockbit cybercrime gang's resurgence online after a global police operation targeted them. Despite arrests and their website being compromised, Lockbit claims their backup systems remain operational. The UK's National Crime Agency acknowledges Lockbit's attempts to recover but asserts the group is still compromised, with ongoing efforts to disrupt their activities. The situation underscores the challenges law enforcement faces in permanently dismantling cybercrime networks.</p><p><strong>So What?</strong></p><p>This is disappointing, but unsurprising given the resources the TA group have, and that the sting largely focused on taking down infrastructure. My thoughts mirrored The Grugq&#8217;s <a href="https://buttondown.email/grugq/archive/my-thoughts-on-the-utility-of-offensive-cyber/">short write-up on this</a>, arguing that while LockBit's technological infrastructure can be attacked, the group remains resilient due to its business model and social infrastructure. His post suggests that offensive cyber efforts should target the social and organisational aspects of such groups to be effective, highlighting the distinction between attacking technology and impacting the broader system. That said, attribution is hard. 
Almost as hard as extradition and physically collaring suspects.</p></blockquote><div><hr></div><p><a href="https://threadreaderapp.com/thread/1761548861896606014.html">Exploring and Modifying a Prison Laptop</a> by Zephray Wenting</p><blockquote><p>The article discusses the author's experience with modifying a prison laptop purchased on eBay. It covers the process of overcoming the laptop's extensive security measures, including bypassing a BIOS password and hardware restrictions. The narrative details the technical steps taken to hack the BIOS, enabling the use of any hard drive, and the installation of a new operating system, showcasing the technical expertise and creativity involved in repurposing secure devices.</p><p><strong>So What?</strong></p><p>This is just a really interesting technical post and walk-through. I didn&#8217;t know prison laptops were a thing. </p></blockquote><div><hr></div><p><a href="https://openssf.org/blog/2024/02/08/openssf-securing-software-repositories-working-group-releases-principles-for-package-repository-security/">OpenSSF Securing Software Repositories Working Group Releases Principles for Package Repository Security</a> by Jack Cable and Zach Steindler</p><blockquote><p>The Open Source Security Foundation (OpenSSF) unveiled the "Principles for Package Repository Security," a framework to help package repositories enhance their security. Developed in collaboration with CISA, it aims to guide repositories through assessing and upgrading their security measures. The framework categorises security maturity levels across various capabilities, promoting significant improvements in authentication, authorisation, and more, within the open source ecosystem.</p><p><strong>So What?</strong></p><p>This is a really useful resource for those working in Application Security. 
The three-level &#8216;tiered&#8217; approach reminds me of the OWASP ASVS.</p></blockquote><div><hr></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://forms.gle/kFdbX8sTTGj8YiHu6&quot;,&quot;text&quot;:&quot;Send Lawrence Feedback&quot;,&quot;action&quot;:null,&quot;class&quot;:&quot;button-wrapper&quot;}" data-component-name="ButtonCreateButton"><a class="button primary button-wrapper" href="https://forms.gle/kFdbX8sTTGj8YiHu6"><span>Send Lawrence Feedback</span></a></p><div><hr></div><p><a href="https://github.com/aws-samples/aws-customer-playbook-framework/blob/main/docs/Compromised_IAM_Credentials.md">Guidelines for Handling Compromised IAM Credentials</a> by AWS (Samples)</p><blockquote><p>This GitHub document provides a comprehensive framework for identifying and managing compromised AWS Identity and Access Management (IAM) credentials. It outlines steps to detect breaches, mitigate risks, and secure AWS environments against unauthorised access. The playbook emphasises the importance of regular audits, the use of multi-factor authentication, and the implementation of least privilege principles to safeguard against potential security incidents.</p><p><strong>So What?</strong></p><p>This is a really useful playbook, linking to the <a href="https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/preparation.html">AWS Security Incident Response Guide</a>. 
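</p><p>The playbook&#8217;s detect-and-contain steps are easier to reason about against concrete telemetry. The Python below is an added example written for this issue, not code from the AWS samples repository: it takes CloudTrail records for one compromised access key, summarises scope (source IPs, regions, first and last seen), separates successful persistence calls from denied attempts and attempts to blind logging, and derives the first containment commands. The CloudTrail field names and AWS CLI flags are real; the events, key IDs, account ID, IP addresses, user and role names are constructed.</p>

```python
"""Triage a compromised IAM access key from CloudTrail records.

Added example, not code from the AWS samples repository. CloudTrail field
names are real; every value (key IDs, account, IPs, user/role names) is
constructed for the example.
"""
import json

# IAM/STS calls a stolen key is typically used for to persist or escalate.
PERSISTENCE_ACTIONS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
    "AttachUserPolicy", "PutUserPolicy", "AddUserToGroup", "CreateRole",
    "AttachRolePolicy", "PutRolePolicy", "UpdateAssumeRolePolicy",
}
# Calls that blind or weaken logging; even a denied attempt is a strong signal.
DEFENCE_EVASION = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

COMPROMISED_KEY = "AKIAIOSFODNN7EXAMPLE"  # AWS's documentation placeholder key ID


def _ev(time, source, name, region, ip, key, user, **extra):
    """Build a CloudTrail-shaped record (constructed sample data)."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "awsRegion": region, "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key}}
    rec.update(extra)
    return rec


SAMPLE_EVENTS = [
    _ev("2024-02-27T09:01:12Z", "sts.amazonaws.com", "GetCallerIdentity",
        "us-east-1", "203.0.113.10", COMPROMISED_KEY, "ci-deploy"),
    _ev("2024-02-27T09:03:05Z", "iam.amazonaws.com", "CreateAccessKey",
        "us-east-1", "203.0.113.10", COMPROMISED_KEY, "ci-deploy",
        requestParameters={"userName": "ci-deploy"}),
    _ev("2024-02-27T09:04:30Z", "sts.amazonaws.com", "AssumeRole",
        "us-east-1", "198.51.100.7", COMPROMISED_KEY, "ci-deploy",
        requestParameters={"roleArn": "arn:aws:iam::123456789012:role/Admin",
                           "roleSessionName": "s1"}),
    _ev("2024-02-27T09:05:02Z", "cloudtrail.amazonaws.com", "StopLogging",
        "eu-west-1", "198.51.100.7", COMPROMISED_KEY, "ci-deploy",
        errorCode="AccessDenied", requestParameters={"name": "org-trail"}),
    # A different, uncompromised key: triage must ignore it.
    _ev("2024-02-27T09:06:00Z", "s3.amazonaws.com", "GetObject",
        "eu-west-1", "192.0.2.25", "AKIAI44QH8DHBEXAMPLE", "reporting"),
]


def triage(events, compromised_key):
    """Summarise what one access key did: scope, persistence, evasion, pivots."""
    hits = sorted((e for e in events
                   if e.get("userIdentity", {}).get("accessKeyId") == compromised_key),
                  key=lambda e: e["eventTime"])
    report = {
        "events": len(hits),
        "first_seen": hits[0]["eventTime"] if hits else None,
        "last_seen": hits[-1]["eventTime"] if hits else None,
        "source_ips": sorted({e["sourceIPAddress"] for e in hits}),
        "regions": sorted({e["awsRegion"] for e in hits}),
        "persistence": [],      # successful calls that create or widen access
        "defence_evasion": [],  # attempts against logging, successful or denied
        "assumed_roles": [],    # role sessions that outlive the key itself
        "denied": 0,            # AccessDenied etc.: recon noise, still informative
    }
    for e in hits:
        name = e["eventName"]
        if name in DEFENCE_EVASION:
            report["defence_evasion"].append((e["eventTime"], name, e.get("errorCode", "Success")))
        if e.get("errorCode"):
            report["denied"] += 1
            continue  # a denied call changed nothing, so it is not persistence
        if name in PERSISTENCE_ACTIONS:
            report["persistence"].append((e["eventTime"], name, e.get("requestParameters", {})))
        if name == "AssumeRole":
            report["assumed_roles"].append(e["requestParameters"]["roleArn"])
    return report


def revoke_sessions_policy(issued_before):
    """Inline role policy equivalent to the IAM console's 'Revoke sessions':
    deny everything to sessions whose credentials predate the cutoff."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": issued_before}}}]}


def containment_plan(report, user_name, compromised_key, cutoff):
    """First-response steps as AWS CLI commands. Deactivate rather than delete,
    so the key can still be examined; cutoff is an ISO-8601 UTC timestamp."""
    steps = [f"aws iam update-access-key --user-name {user_name} "
             f"--access-key-id {compromised_key} --status Inactive"]
    for ts, name, params in report["persistence"]:
        if name == "CreateAccessKey":  # the attacker minted a second key
            steps.append(f"aws iam list-access-keys --user-name "
                         f"{params.get('userName', user_name)}  # deactivate the key created at {ts}")
    # STS credentials from AssumeRole keep working after the key is disabled,
    # so every assumed role gets a deny-older-sessions policy.
    for role_arn in sorted(set(report["assumed_roles"])):
        doc = json.dumps(revoke_sessions_policy(cutoff))
        steps.append(f"aws iam put-role-policy --role-name {role_arn.rsplit('/', 1)[-1]} "
                     f"--policy-name RevokeOlderSessions --policy-document '{doc}'")
    return steps


if __name__ == "__main__":
    rep = triage(SAMPLE_EVENTS, COMPROMISED_KEY)
    print(json.dumps(rep, indent=2))
    print("\n".join(containment_plan(rep, "ci-deploy", COMPROMISED_KEY, "2024-02-27T10:00:00Z")))
```

<p>Two points the example encodes that are easy to miss in a hurry: deactivate the key rather than delete it, so it remains available to the investigation, and treat every role the key assumed as separately compromised, because STS session credentials keep working after the key itself is disabled, until they expire or a deny policy conditioned on <code>aws:TokenIssueTime</code> is put on the role.</p><p>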
If you&#8217;ve not come across the AWS samples repo on GitHub before (and you work with AWS), it&#8217;s worth familiarising yourself with the content.</p></blockquote><div><hr></div><p><a href="https://www.whitehouse.gov/briefing-room/statements-releases/2024/02/28/fact-sheet-president-biden-issues-sweeping-executive-order-to-protect-americans-sensitive-personal-data/">FACT SHEET: President Biden Issues Executive Order to Protect Americans&#8217; Sensitive Personal Data</a> by The White House</p><blockquote><p>This fact sheet details President Biden's executive order aimed at safeguarding Americans' sensitive personal data from foreign threats. It mandates the Attorney General to block large-scale transfers of personal data to countries considered threats and sets up protections for various types of sensitive information. The order addresses concerns about privacy, counterintelligence, and national security, specifically targeting the sale and misuse of data by countries of concern and other entities.</p><p><strong>So What?</strong></p><p>It&#8217;s great to see steps towards greater regulation of personal data at a Federal level in the US.</p></blockquote><div><hr></div><p><a href="https://boostsecurityio.github.io/lotp/">LOTP - Living Off the Pipeline</a> by Boost Security</p><blockquote><p>The LOTP project investigates how development tools used in CI/CD pipelines, particularly command-line interfaces (CLIs), have features that execute code by design and can therefore be abused for remote code execution (RCE) against the pipeline. It focuses on identifying and cataloguing these "foot guns" to help developers understand and mitigate the risks of running untrusted code changes, or of a workflow injection that reaches one of these tools.</p><p><strong>So What?</strong></p><p>Useful for DevSecOps folks. 
</p></blockquote><div><hr></div><p><a href="https://www.bnnbloomberg.ca/two-hours-of-daily-meetings-is-the-limit-slack-survey-shows-1.2007408">Two hours of daily meetings is the limit, Slack survey shows</a> by Matthew Boyle (Bloomberg)</p><blockquote><p>A survey by Slack Technologies indicates that exceeding two hours of meetings daily can diminish productivity. This global study involving over 10,000 desk workers found that extensive meeting hours led to a lack of focus on substantive work, with executives and employees alike feeling overburdened by meetings. Slack's findings suggest a need for organisations to reassess their meeting cultures to enhance efficiency and work-life balance.</p><p><strong>So What?</strong></p><p>Not cyber. I found this interesting, and I can definitely relate to the findings. I don&#8217;t believe there&#8217;s a magic number for meeting frequency and duration, but these types of study are great conversation starters.</p></blockquote><div><hr></div><p><a href="https://www.whitehouse.gov/wp-content/uploads/2024/02/Final-ONCD-Technical-Report.pdf">Back To The Building Blocks: A Path Toward Secure And Measurable Software</a> by The White House</p><blockquote><p>The report builds on President Biden's National Cybersecurity Strategy, emphasising two significant shifts: redistributing responsibility for defending cyberspace and realigning incentives towards long-term cybersecurity investment. It advocates for the technical community's role in addressing memory safety vulnerabilities through memory-safe programming languages and hardware, and in establishing cybersecurity quality metrics to enhance software security across the ecosystem. This strategy represents a proactive approach to reducing vulnerabilities and fostering a secure, resilient digital space.</p><p><strong>So What?</strong></p><p>I&#8217;ll be watching closely how well the carrot and the stick work to move the needle in this area. 
I remain sceptical regarding reliance on community efforts to shift the needle in this area, as it hasn&#8217;t worked yet.</p></blockquote><div><hr></div><p><a href="https://medium.com/@vanvleet/identifying-and-classifying-attack-techniques-002c0c4cd595">Identifying and Classifying Attack Techniques</a> by Van Vleet</p><blockquote><p>This article addresses the pivotal roles of identifying and classifying events to detect attack techniques within cybersecurity. It underscores the necessity for Detection Engineers to accurately detect events linked to attacks and differentiate them as malicious or benign within their unique environments. The complexity of this task is highlighted by the diversity of each enterprise's telemetry and noise, making a one-size-fits-all approach impractical. The Mitre ATT&amp;CK matrix is referenced as a tool for outlining attack techniques, yet its effectiveness is contingent on the specific telemetry and environmental noise present in each case. The discussion extends to the importance of focusing on immutable elements for reliable identification and the classification of techniques into three categories: Inherently Suspicious, Suspicious Here, and Suspicious in Context. The article concludes with advice against competing with Endpoint Detection and Response (EDR) systems, advocating instead for a bespoke approach to covering gaps in detection, particularly for context-specific suspicious activities.</p><p><strong>So What?</strong></p><p>This will be interesting for detection engineers and those working in a SOC context. 
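</p><p>To make the three categories concrete, here is an added example (mine, not Van Vleet&#8217;s) that runs the classification over constructed process-creation events. An environment profile encodes what is normal for one fictional estate (which remote-admin tools are sanctioned, which accounts and hosts do account management); the hostnames, accounts and tool lists are assumptions. Inherently suspicious matches are keyed on immutable parts of the technique, as the article recommends, and are routed to an EDR coverage check rather than a new rule; the other two buckets are the detection engineer&#8217;s own backlog.</p>

```python
"""Classify process-creation events into Van Vleet's three buckets.

Added example, not code from the article. Event fields mirror what a
Sysmon EventID 1 / Windows 4688 record carries; the environment profile,
hostnames, accounts and sanctioned-tool list are assumptions for one
fictional estate, and the sample events are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str    # full path of the executable, as logged
    cmdline: str


# What is normal *here*. These are per-environment assumptions: the same
# technique classified below would land in a different bucket elsewhere.
ENV_PROFILE = {
    "sanctioned_remote_admin": {"msra.exe", "ccmexec.exe"},  # no PsExec in this estate
    "account_admin_users": {"corp\\helpdesk01", "corp\\helpdesk02"},
    "account_admin_hosts": {"hd-jump01"},
}

# Remote-execution tools that are legitimate in many estates but not all.
REMOTE_ADMIN_TOOLS = {"psexec.exe", "psexec64.exe", "paexec.exe", "winrs.exe"}

# Account manipulation via net.exe: "net user X /add", "net localgroup administrators X /add"
NET_ADD = re.compile(r"\b(user|localgroup)\b.*\s/add\b")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev, env=ENV_PROFILE):
    """Return (category, reason, owner). owner says who should detect it:
    'edr' for inherently suspicious behaviour (verify coverage, do not
    duplicate it) and 'custom' for the environment-specific buckets."""
    img = _basename(ev.image)
    cmd = ev.cmdline.lower()
    host, user = ev.host.lower(), ev.user.lower()

    # 1. Inherently suspicious: malicious in any environment. Keyed on the
    #    immutable parts of the technique (the DLL export and its purpose),
    #    not on a renamable tool name.
    if img == "rundll32.exe" and "comsvcs.dll" in cmd and "minidump" in cmd:
        return "inherently_suspicious", "LSASS memory dump via comsvcs.dll MiniDump", "edr"
    if "sekurlsa::" in cmd or "lsadump::" in cmd:
        return "inherently_suspicious", "Mimikatz module syntax on the command line", "edr"

    # 2. Suspicious here: fine in other estates, never used in this one.
    if img in REMOTE_ADMIN_TOOLS and img not in env["sanctioned_remote_admin"]:
        return "suspicious_here", f"{img} is not a sanctioned remote-admin tool here", "custom"

    # 3. Suspicious in context: the same command is benign from the helpdesk
    #    and alarming from a web server or a service account.
    if img in {"net.exe", "net1.exe"} and NET_ADD.search(cmd):
        if user in env["account_admin_users"] and host in env["account_admin_hosts"]:
            return "benign", "account change from an expected actor and host", None
        return "suspicious_in_context", f"account change by {ev.user} on {ev.host}", "custom"

    return "benign", "no technique matched", None


def bucket(events, env=ENV_PROFILE):
    """Group events by category; the 'custom' buckets are the detection
    engineer's backlog, the 'edr' bucket is a coverage check."""
    out = {}
    for ev in events:
        cat, reason, owner = classify(ev, env)
        out.setdefault(cat, []).append((ev.host, ev.user, reason, owner))
    return out


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("WEB01", "CORP\\svc_web", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Temp\l.dmp full"),
    ProcessEvent("FIN-PC07", "CORP\\jsmith", r"C:\Users\jsmith\Downloads\PsExec64.exe",
                 r"PsExec64.exe \\FIN-FS01 -s cmd.exe"),
    ProcessEvent("WEB01", "CORP\\svc_web", r"C:\Windows\System32\net.exe",
                 "net user support P@ssw0rd1 /add"),
    ProcessEvent("HD-JUMP01", "CORP\\helpdesk01", r"C:\Windows\System32\net.exe",
                 "net user newstarter Welcome1 /add"),
    ProcessEvent("FIN-PC07", "CORP\\jsmith", r"C:\Windows\System32\notepad.exe",
                 r"notepad.exe C:\Users\jsmith\notes.txt"),
]

if __name__ == "__main__":
    for cat, items in bucket(SAMPLE_EVENTS).items():
        print(cat, items)
```

<p>Changing only the profile moves an event between buckets: PsExec is &#8216;suspicious here&#8217; because this estate does not sanction it, and becomes benign if it is added to <code>sanctioned_remote_admin</code>, while the comsvcs MiniDump call stays inherently suspicious whatever the profile says.</p><p>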
I strongly agree with the mantra of not competing with EDR, when it comes to handling &#8216;inherently suspicious&#8217; techniques.</p></blockquote><div><hr></div><p><a href="https://digital-strategy.ec.europa.eu/en/library/report-cybersecurity-and-resiliency-eu-communications-infrastructures-and-networks">Report on the Cybersecurity and Resiliency of the EU Communications Infrastructures and Networks</a> by European Commission</p><blockquote><p>EU Member States, alongside the European Commission and ENISA (the EU Agency for Cybersecurity), have released a comprehensive report on the cybersecurity and resilience of Europe's communications infrastructures and networks. This initiative represents a significant advancement in the EU's coordinated efforts to secure telecommunications, building on previous work concerning 5G cybersecurity. Following the Nevers Call of 9 March 2022, a detailed risk assessment was carried out, identifying various threats to communication networks, including ransomware and supply chain attacks, which could significantly impact the security and resilience of connectivity infrastructure. The report introduces ten new risk scenarios of strategic importance, alongside strategic and technical recommendations for mitigating these risks. These include assessing the resilience of international connections, the criticality of core internet infrastructure, and enhancing transparency regarding the landscape of suppliers and service providers. 
</p><p><strong>So What?</strong></p><p class="cta-caption">Some interesting datapoints in here, but a dry read!</p></blockquote><div><hr></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://www.munrobotic.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading &#8216;Briefly Briefed:&#8217; - To receive the newsletter on a weekly basis, please subscribe below. </p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>]]></content:encoded></item><item><title><![CDATA[Briefly Briefed: Newsletter #24 (22/02/24)]]></title><description><![CDATA[Greetings,]]></description><link>https://www.munrobotic.com/p/briefly-briefed-newsletter-24-220224</link><guid isPermaLink="false">https://www.munrobotic.com/p/briefly-briefed-newsletter-24-220224</guid><dc:creator><![CDATA[Lawrence Munro]]></dc:creator><pubDate>Thu, 22 Feb 2024 10:45:11 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/281b7977-8b2d-49d8-8029-1fbbcce9219d_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Greetings,</p><p>This is week #24 of the &#8216;Briefly Briefed:&#8217; newsletter. 
A big welcome to new subscribers, and many thanks to those who continue to read.</p><p>My &#8216;if you only read <s>two</s> three&#8217; recommendations for the week are:</p><ul><li><p><a href="https://owasp.org/www-project-top-10-for-large-language-model-applications/llm-top-10-governance-doc/LLM_AI_Security_and_Governance_Checklist-v1.pdf">LLM AI Cybersecurity &amp; Governance Checklist</a> by OWASP Top 10 for LLM Applications Team</p></li><li><p><a href="https://duo.com/labs/research/a-security-analyst-s-guide-to-identity-threats">A Security Analyst&#8217;s Guide to Identity Threats</a> by Ted Kietzman and Jennifer Golden</p></li><li><p><a href="https://roadmap.sh/">Developer Roadmaps</a> by Kamran Ahmed (bonus non-cyber recco!)</p></li></ul><p>Enjoy the week ahead!</p><p>Lawrence</p><p><strong>Meme of the Week:</strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!0daE!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0997893-7ab2-4344-a148-55ab397ef528_843x880.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!0daE!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0997893-7ab2-4344-a148-55ab397ef528_843x880.png 424w, https://substackcdn.com/image/fetch/$s_!0daE!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0997893-7ab2-4344-a148-55ab397ef528_843x880.png 848w, https://substackcdn.com/image/fetch/$s_!0daE!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0997893-7ab2-4344-a148-55ab397ef528_843x880.png 1272w, 
https://substackcdn.com/image/fetch/$s_!0daE!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0997893-7ab2-4344-a148-55ab397ef528_843x880.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!0daE!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0997893-7ab2-4344-a148-55ab397ef528_843x880.png" width="422" height="440.5219454329775" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f0997893-7ab2-4344-a148-55ab397ef528_843x880.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:880,&quot;width&quot;:843,&quot;resizeWidth&quot;:422,&quot;bytes&quot;:893060,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!0daE!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0997893-7ab2-4344-a148-55ab397ef528_843x880.png 424w, https://substackcdn.com/image/fetch/$s_!0daE!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0997893-7ab2-4344-a148-55ab397ef528_843x880.png 848w, https://substackcdn.com/image/fetch/$s_!0daE!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0997893-7ab2-4344-a148-55ab397ef528_843x880.png 1272w, 
https://substackcdn.com/image/fetch/$s_!0daE!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0997893-7ab2-4344-a148-55ab397ef528_843x880.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.munrobotic.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:&quot;button-wrapper&quot;}" data-component-name="ButtonCreateButton"><a class="button primary button-wrapper" href="https://www.munrobotic.com/subscribe?"><span>Subscribe 
now</span></a></p><div><hr></div><p><a href="https://www.nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group">International investigation disrupts the world&#8217;s most harmful cyber crime group</a> by UK National Crime Agency (NCA)</p><blockquote><p>The National Crime Agency (NCA) of the UK has spearheaded a global operation against LockBit, a notorious cyber crime group known for ransomware attacks. This landmark effort has seen the infiltration and takeover of LockBit's operations, leading to the seizure of their infrastructure and the arrest of key members. The operation, conducted in collaboration with the FBI and other international partners, underscores a significant advancement in combating cyber threats, highlighting the effectiveness of international law enforcement cooperation.</p><p><strong>So What?</strong></p><p>It&#8217;s always heartwarming to see larger scale take-downs. LockBit have certainly caused a lot of damage and losses over the years, this is a big win.</p></blockquote><div><hr></div><p><a href="https://portswigger.net/research/top-10-web-hacking-techniques-of-2023">Top 10 web hacking techniques of 2023</a> by James Kettle (Portswigger)</p><blockquote><p>The post presents the annual roundup of the top ten web hacking techniques of 2023, as identified by a community-powered effort. It covers innovative security research across a range of topics, from exploiting server vulnerabilities to novel attack methodologies. The list is a result of community nominations, voting, and expert panel analysis, aiming to spotlight significant contributions to web security research and encourage further exploration in the field.</p><p><strong>So What?</strong></p><p>This is an excellent contribution from Portswigger, and essential reading for application penetration testers and developers. What I like most about this post, is that it&#8217;s showcasing innovation at an individual level. 
It&#8217;s easy to think that appsec is all about scaling, automation and the same old injection attacks we&#8217;ve been struggling with since the late 90s. I highly recommend reading the top 10 posts as well.</p></blockquote><div><hr></div><p><a href="https://owasp.org/www-project-top-10-for-large-language-model-applications/llm-top-10-governance-doc/LLM_AI_Security_and_Governance_Checklist-v1.pdf">LLM AI Cybersecurity &amp; Governance Checklist</a> by OWASP Top 10 for LLM Applications Team</p><blockquote><p>The document outlines a comprehensive checklist aimed at enhancing security and governance in the deployment and use of Large Language Models (LLMs). It provides guidelines and strategies for mitigating risks, ensuring responsible AI use, and integrating LLM security within existing frameworks. The checklist serves as a vital tool for technology and business leaders, aiming to balance the innovative potential of LLMs with the necessity for robust security measures.</p><p><strong>So What?</strong></p><p>OWASP are creating some really useful collateral for LLMs, and this is no exception. If you&#8217;re a CISO or responsible for the governance of Cybersecurity within an organisation, this is an essential resource. </p></blockquote><div><hr></div><p><a href="https://roadmap.sh/">Developer Roadmaps</a> by Kamran Ahmed</p><blockquote><p>This website offers a collection of community-driven roadmaps, guides, and articles aimed at helping developers choose a career path and enhance their skills in various domains such as Frontend, Backend, DevOps, and more. It serves as a platform for learners to find step-by-step paths and resources for different technical roles and technologies.</p><p><strong>So What?</strong></p><p>I was blown away by how usable and well-constructed this resource is. 
If you&#8217;re new to programming or wanting to learn a new language, these &#8216;mind-map&#8217; style guides and career roadmaps are an excellent place to start.</p></blockquote><div><hr></div><p><a href="https://www.enea.com/insights/dusting-off-old-fingerprints-nso-groups-unknown-mms-hack">Dusting off Old Fingerprints: NSO Group's Unknown MMS Hack</a> by Cathal McDaid (ENEA)</p><blockquote><p>The article uncovers a previously unknown mobile network attack, "MMS Fingerprint," attributed to NSO Group. This technique, revealed through legal exhibits, allows attackers to discern a device's type and OS version via MMS without user interaction. The investigation into this method involved technical experimentation, shedding light on vulnerabilities within the MMS protocol and offering insights into the broader implications for mobile security and privacy.</p><p><strong>So What?</strong></p><p>The debate continues on the availability of advanced OST to nation states and commercial buyers. Many governments have made their position clear in the recent <a href="https://rusi.org/explore-our-research/publications/commentary/pall-mall-process-cyber-intrusion-tools-putting-words-practice#:~:text=On%206%20and%207%20February,of%20commercial%20cyber%20intrusion%20capabilities.">Pall Mall Process</a>, which I covered last week. <a href="https://archive.ph/pLJ1y">NSO featured in the news again this week</a>, as Poland&#8217;s current government uncovered evidence of their predecessors (illegally) using <a href="https://en.wikipedia.org/wiki/Pegasus_(spyware)">Pegasus</a> to spy on a large number of individuals.</p></blockquote><div><hr></div><p><a href="https://www.theregister.com/AMP/2024/02/17/google_ai_magika/">Google open sources file-identifying Magika AI for malware hunters and others</a> by Katyanna Quach (El Reg)</p><blockquote><p>Google has released Magika, an AI-driven file identifier, as part of its AI Cyber Defense Initiative. 
Magika is designed to accurately identify file types to aid in cybersecurity, and is used by Gmail, Google Drive, and Chrome's Safe Browsing. This move is aimed at bolstering automated tools for IT network defenders, highlighting Google's commitment to using AI for enhancing security.</p><p><strong>So What?</strong></p><p>This is a great resource for operational security and network teams.</p></blockquote><div><hr></div><p><a href="https://www.robertdemeyer.com/post/ciem-part-1-how-least-privilege-leads-to-a-false-sense-of-security">CIEM Part 1: How least privilege leads to a false sense of security</a> by Robert de Meyer</p><blockquote><p>This article initiates a series on Cloud Identity Entitlement Management (CIEM), focusing on the challenges of managing Identity and Access Management (IAM) within AWS environments. It critically examines the principle of least privilege, suggesting that while important for security, its strict application may not be practical or beneficial in all cases, potentially leading to a false sense of security. The piece advocates for a balanced approach that protects critical assets without hindering productivity.</p><p><strong>So What?</strong></p><p>The title is a bit misleading and clickbaity, but the article itself is interesting and well-reasoned. The misleading part is that it&#8217;s about a specific implementation in AWS, rather than a conceptual flaw. I don&#8217;t agree that the principle of least privilege (POLP) creates a false sense of security in general. What the article articulates well is that AWS IAM can be complex, and there are trade-offs when applying the POLP. 
It&#8217;s still worth your time if you interact with IAM in AWS.</p></blockquote><div><hr></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://forms.gle/kFdbX8sTTGj8YiHu6&quot;,&quot;text&quot;:&quot;Send Lawrence Feedback&quot;,&quot;action&quot;:null,&quot;class&quot;:&quot;button-wrapper&quot;}" data-component-name="ButtonCreateButton"><a class="button primary button-wrapper" href="https://forms.gle/kFdbX8sTTGj8YiHu6"><span>Send Lawrence Feedback</span></a></p><div><hr></div><p><a href="https://duo.com/labs/research/a-security-analyst-s-guide-to-identity-threats">A Security Analyst&#8217;s Guide to Identity Threats</a> by Ted Kietzman and Jennifer Golden</p><blockquote><p>This document delves into the escalating threats in identity security, emphasising the complexity of digital identities and the sophistication of attacks exploiting them. It serves as a comprehensive guide, covering current identity-based threats, prevention, and detection strategies. The focus is on workforce identity, exploring attacks on individual and infrastructure identities within organisations. Through detailed examination of attack techniques and preventive measures, the guide aims to provide a central resource for security analysts navigating the identity threat landscape.</p><p><strong>So What?</strong></p><p>I&#8217;m not sure that I understand what they mean by a &#8216;security analyst&#8217;, but this is a really great snapshot of the &#8216;identity threats&#8217; landscape. They have identified and signposted the key threat actors and defensive work in the space. I liked the references to Push Security&#8217;s <a href="https://github.com/pushsecurity/saas-attacks">SaaS attack matrix</a> and narrative on <a href="https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/">scattered spider</a> especially. 
From speaking with red teamers (and friends at Push), I gather that these vectors are widely unmitigated and little understood. To illustrate this, I&#8217;ve seen first-hand IR and red team reports where the attackers didn&#8217;t touch the endpoint, but achieved all the &#8216;worst case&#8217; goals. That said, this is towards the leading edge of emerging threats for most organisations, as most traditional (phishing/BEC initial access) vectors are still effective. Most CISOs are still struggling with more fundamental issues, but they need to raise their awareness of this growing threat.</p></blockquote><div><hr></div><p><a href="https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-microsoft-secure-boot-keys/ba-p/4055324">Updating Microsoft Secure Boot keys</a> by Sochi Ogbuanya</p><blockquote><p>Microsoft is preparing to update Secure Boot keys to enhance system security, with new Unified Extensible Firmware Interface (UEFI) Certificate Authorities set to be introduced. The update, starting in February 2024, will be rolled out in phases, ensuring only trusted software runs during system boot-up. This change aims to maintain high security standards against emerging threats, with a focus on ensuring compatibility and preventing disruptions during the update process.</p><p><strong>So What?</strong></p><p>It&#8217;s always great to see improvement of fundamental functionality in Windows. It&#8217;s worth a few minutes to gain a good understanding of what this means.</p></blockquote><div><hr></div><p><a href="https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/">Staying ahead of threat actors in the age of AI</a> by Microsoft Threat Intelligence</p><blockquote><p>This article discusses the evolving landscape of cyber threats in the context of rapid AI development. 
It highlights Microsoft's collaboration with OpenAI to identify and mitigate threats involving AI technologies, focusing on the misuse of AI by cybercriminals. The piece outlines Microsoft's commitment to ethical AI use, emphasising the need for rigorous safety standards and the importance of AI in enhancing cybersecurity measures.</p><p><strong>So What?</strong></p><p>Similar to the Duo report, this contains some great information about key threat actors and mitigations within the &#8216;AI&#8217; space. </p></blockquote><div><hr></div><p><a href="https://www.bankinfosecurity.com/chinese-hacking-contractor-isoon-leaks-internal-documents-a-24405">Chinese Hacking Contractor iSoon Leaks Internal Documents</a> by Akshaya Asokan and David Perera</p><blockquote><p>An internal document leak from iSoon, a Shanghai-based hacking contractor, reveals dissatisfaction and low pay among its workforce, despite successful cyber operations. The company, associated with the Ministry of Public Security, has been involved in hacking regional governments and potentially NATO. The leaked details include technical specifics about malware and strategies, emphasising the widespread capabilities within China's hacking ecosystem.</p><p><strong>So What?</strong></p><p>This was one of the big news items of the week! There was a lot of interesting information in this leak, with a lot of big name organisations being mentioned and targeted. 
You can see the full leak on <a href="https://github.com/I-S00N/I-S00N">GitHub</a> (set Google Translate to stun!)</p></blockquote><div><hr></div><p><a href="https://ec.europa.eu/commission/presscorner/detail/en/ip_24_926">Commission opens formal proceedings against TikTok under the Digital Services Act</a> by European Commission</p><blockquote><p>The European Commission has initiated formal proceedings against TikTok under the Digital Services Act (DSA), concerning potential breaches in the protection of minors, advertising transparency, data access for researchers, and the management of addictive design and harmful content. The proceedings aim to investigate TikTok's compliance with DSA obligations, focusing on systemic risks, privacy and security for minors, advertising repository reliability, and transparency in research data access. This action underscores the Commission's commitment to safeguarding digital space integrity, especially for vulnerable groups like minors.</p><p><strong>So What?</strong></p><p>More controversy! No comment.</p></blockquote><div><hr></div><p><a href="https://services.google.com/fh/files/misc/threat_horizons_report_h12024.pdf">Threat Horizons: New Year, New Cloud Threat Insights</a> by Google Cloud Security Team</p><blockquote><p>The report discusses emerging cloud security threats anticipated in 2024, including risks posed by high-profile global events. It highlights the prevalence of cryptomining due to weak cloud configurations and underscores the importance of robust security measures to counter ransomware and data theft. The piece also advises on mitigating actions, such as enhancing log management and adopting a multi-layered security strategy to protect against sophisticated cyber threats, particularly from nation-state actors like the People&#8217;s Republic of China.</p><p><strong>So What?</strong></p><p>These Threat Horizons reports are always a good read, and I recommend following them. 
No particular surprises this time around.</p></blockquote><div><hr></div><p><a href="https://raesene.github.io/blog/2024/02/17/a-final-kubernetes-censys/">A final Kubernetes census</a> by Rory McCune</p><blockquote><p>The article marks the conclusion of tracking Kubernetes clusters exposed online via the Censys API, noting a significant increase from 842,350 to 1,626,249 clusters since August 2022. This project highlighted Kubernetes adoption trends and version usage, revealing challenges in updating cycles among cluster operators. The cessation of the daily tracking script was due to the end of free API access, providing valuable insights into Kubernetes configurations and distribution defaults.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!p8qj!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3edb0f86-5482-4499-9e3d-6bf063fb1508_6105x2527.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!p8qj!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3edb0f86-5482-4499-9e3d-6bf063fb1508_6105x2527.png 424w, https://substackcdn.com/image/fetch/$s_!p8qj!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3edb0f86-5482-4499-9e3d-6bf063fb1508_6105x2527.png 848w, https://substackcdn.com/image/fetch/$s_!p8qj!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3edb0f86-5482-4499-9e3d-6bf063fb1508_6105x2527.png 1272w, 
https://substackcdn.com/image/fetch/$s_!p8qj!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3edb0f86-5482-4499-9e3d-6bf063fb1508_6105x2527.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!p8qj!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3edb0f86-5482-4499-9e3d-6bf063fb1508_6105x2527.png" width="658" height="272.50961538461536" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3edb0f86-5482-4499-9e3d-6bf063fb1508_6105x2527.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:603,&quot;width&quot;:1456,&quot;resizeWidth&quot;:658,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;K8s versions&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="K8s versions" title="K8s versions" srcset="https://substackcdn.com/image/fetch/$s_!p8qj!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3edb0f86-5482-4499-9e3d-6bf063fb1508_6105x2527.png 424w, https://substackcdn.com/image/fetch/$s_!p8qj!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3edb0f86-5482-4499-9e3d-6bf063fb1508_6105x2527.png 848w, https://substackcdn.com/image/fetch/$s_!p8qj!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3edb0f86-5482-4499-9e3d-6bf063fb1508_6105x2527.png 1272w, 
https://substackcdn.com/image/fetch/$s_!p8qj!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3edb0f86-5482-4499-9e3d-6bf063fb1508_6105x2527.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p><strong>So What?</strong></p><p>Rory has done some great work with this project, and I&#8217;m sure the data will be useful for a number of analyses. 
Here is a link to the <a href="https://github.com/raesene/public-k8s-censys">full dataset</a>.</p></blockquote><div><hr></div><p></p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://www.munrobotic.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading &#8216;Briefly Briefed:&#8217; - To receive the newsletter on a weekly basis, please subscribe below. </p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>]]></content:encoded></item><item><title><![CDATA[Briefly Briefed: Newsletter #23 (15/02/24)]]></title><description><![CDATA[Hello Cyber People,]]></description><link>https://www.munrobotic.com/p/briefly-briefed-newsletter-23-150224</link><guid isPermaLink="false">https://www.munrobotic.com/p/briefly-briefed-newsletter-23-150224</guid><dc:creator><![CDATA[Lawrence Munro]]></dc:creator><pubDate>Thu, 15 Feb 2024 10:56:39 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/ee0519a8-b2f7-428c-8f85-44c5eba08af0_1024x1024.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Hello Cyber People,</p><p>This is week <strong>#23</strong> of the &#8216;Briefly Briefed:&#8217; newsletter. 
A big welcome to new subscribers, and many thanks to those who continue to read.</p><p>My &#8216;if you only read two&#8217; recommendations for the week are:</p><ul><li><p><a href="https://menlovc.com/perspective/security-for-ai-genai-risks-and-the-emerging-startup-landscape/">Security for AI: The New Wave of Startups Racing to Secure the AI Stack</a> by Venky Ganesan, Rama Sekhar, Feyza Haskaraman, Sam Borja</p></li><li><p><a href="https://nokline.github.io/bugbounty/2024/02/04/ChatGPT-ATO.html">ChatGPT Account Takeover - Wildcard Web Cache Deception </a>by Harel (nokline)</p></li></ul><p>Have a great week!</p><p>Lawrence</p><p><strong>Meme of the Week:</strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!U7Bn!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6de066c5-82b2-40f1-8e8e-6b447b456b84_526x526.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!U7Bn!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6de066c5-82b2-40f1-8e8e-6b447b456b84_526x526.png 424w, https://substackcdn.com/image/fetch/$s_!U7Bn!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6de066c5-82b2-40f1-8e8e-6b447b456b84_526x526.png 848w, https://substackcdn.com/image/fetch/$s_!U7Bn!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6de066c5-82b2-40f1-8e8e-6b447b456b84_526x526.png 1272w, 
https://substackcdn.com/image/fetch/$s_!U7Bn!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6de066c5-82b2-40f1-8e8e-6b447b456b84_526x526.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!U7Bn!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6de066c5-82b2-40f1-8e8e-6b447b456b84_526x526.png" width="324" height="324" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/6de066c5-82b2-40f1-8e8e-6b447b456b84_526x526.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:526,&quot;width&quot;:526,&quot;resizeWidth&quot;:324,&quot;bytes&quot;:711075,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!U7Bn!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6de066c5-82b2-40f1-8e8e-6b447b456b84_526x526.png 424w, https://substackcdn.com/image/fetch/$s_!U7Bn!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6de066c5-82b2-40f1-8e8e-6b447b456b84_526x526.png 848w, https://substackcdn.com/image/fetch/$s_!U7Bn!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6de066c5-82b2-40f1-8e8e-6b447b456b84_526x526.png 1272w, 
https://substackcdn.com/image/fetch/$s_!U7Bn!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6de066c5-82b2-40f1-8e8e-6b447b456b84_526x526.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.munrobotic.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:&quot;button-wrapper&quot;}" data-component-name="ButtonCreateButton"><a class="button primary button-wrapper" href="https://www.munrobotic.com/subscribe?"><span>Subscribe 
now</span></a></p><div><hr></div><p><a href="https://www.canada.ca/en/public-safety-canada/news/2024/02/government-of-canada-hosts-national-summit-on-combatting-auto-theft.html">Government of Canada hosts National Summit on Combatting Auto Theft</a> by Public Safety Canada</p><blockquote><p>The Canadian government convened a summit to address the rising issue of auto theft, which is increasingly linked to organised crime. The summit, attended by officials from various levels of government, law enforcement, and industry leaders, aimed at finding solutions and coordinating efforts to tackle this challenge. Measures discussed include increasing the capacity of the Canada Border Services Agency, pursuing bans on theft devices, and enhancing collaboration across jurisdictions and sectors. The summit concluded with a commitment to finalise an action plan.</p><p><strong>So What?</strong></p><p>One of the most controversial decisions derived from the summit was to ban the import and use of &#8216;Flipper Zero&#8217; devices. The manufacturer has contested the Canadian government&#8217;s decision, arguing the device is incapable of compromising the security of modern automobiles, particularly those manufactured after the 1990s. According to Alex Kulagin, COO of Flipper Devices, Flipper Zero is not designed to defeat the contemporary security systems of modern cars.</p><p>Canada does like a prohibition on &#8216;hacking&#8217; tools, it seems. When I led a team in North America, I remember multiple instances of US team members being turned away at the Canadian border, and being banned from future entry after being caught with lock picks. 
It was almost like it was intentional, and they didn&#8217;t like going on site and travelling to Canada&#8230;</p></blockquote><div><hr></div><p><a href="https://menlovc.com/perspective/security-for-ai-genai-risks-and-the-emerging-startup-landscape/">Security for AI: The New Wave of Startups Racing to Secure the AI Stack</a> by Venky Ganesan, Rama Sekhar, Feyza Haskaraman, Sam Borja</p><blockquote><p>This article discusses the emerging challenges and opportunities in securing AI technologies. It highlights the risks associated with generative AI, including attacks on AI models like DoS attacks and model theft. The article also outlines a range of innovative security solutions being developed to protect AI systems, from governance and observability tools to AI firewalls and data privacy solutions. It emphasises the need for continuous investment and innovation in AI security to combat evolving cyber threats.</p><p><strong>So What?</strong></p><p>There are a lot of interesting vendors I&#8217;d never heard of in this article. With the acceleration of &#8216;AI&#8217; adoption and development, the Cybersecurity industry was always going to follow the trend. While we still struggle to create high-efficacy or -utility SAST and DAST (and IAST and RASP), I&#8217;d be surprised if we nail this first time.</p></blockquote><div><hr></div><p><a href="https://blog.thinkst.com/2024/01/defending-against-the-attack-of-the-cloned-websites.html">Defending against the Attack of the Clone[d website]s!</a> by Jacob Torrey</p><blockquote><p>The article discusses innovative security tokens developed to alert website owners of Adversary-in-the-Middle (AitM) phishing attacks. It introduces CSS-based tokens that can be deployed even on sites with limited administrative access, like Azure login portals, providing high-quality alerts when users are targeted. 
The development aims to enhance protection against phishing by utilising CSS tricks for alerting, addressing limitations of previous JavaScript-based solutions, and ensuring broader applicability across different web platforms.</p><p><strong>So What?</strong></p><p>This is a really smart concept and implementation, kudos to Thinkst. The deception space is starting to hot up again, despite a big false start over the last couple of years whilst vendors found their feet (save a few pioneers, including Thinkst). Many of the vendors are repositioning and finding ways to operationalise their stacks, and complement lower fidelity alert sources, such as EDR. If you&#8217;re a CISO, MSSP or SOC leader, I&#8217;d strongly encourage you to evaluate or re-evaluate this space (AMTD in Gartner speak) in the coming months.</p><p><strong>N.B.</strong> LOL at the reference to the historic misspelling of &#8216;referrer&#8217; in the post! </p></blockquote><div><hr></div><p><a href="https://www.theregister.com/AMP/2024/02/08/us_tech_industry_changes/">IT suppliers hacked off with Uncle Sam's demands in aftermath of cyberattacks</a> by Brandon Vigliarolo</p><blockquote><p>The article discusses proposed changes to US government procurement rules, requiring IT contractors to grant agencies access to their systems post-security incident and report incidents within eight hours. These measures, aimed at strengthening cybersecurity, have faced industry backlash for being burdensome, particularly around the software bill of materials and incident reporting timelines. Critics argue these changes could hinder operations and affect contractor relationships with non-federal customers.</p><p><strong>So What?</strong></p><p>At a nation state level, it&#8217;s challenging to balance heavy-handed regulation with a tendency towards inaction for anything that increases financial overheads. I&#8217;ve found it interesting to watch the introduction of more prescriptive legislation in the US. 
I believe there&#8217;s a strong evidence base [in the cost of cyberattacks] to suggest that security fundamentals are rarely done without incentive (or disincentive) and that the efficacy is low in the absence of transparency and validation. Despite there having been considerable challenge relating to the introduction of SBOMs, I believe that it&#8217;s driven consumer pressure on vendors in a positive way. A double whammy of carrot and stick.</p></blockquote><div><hr></div><p><a href="https://www.bleepingcomputer.com/news/security/no-3-million-electric-toothbrushes-were-not-used-in-a-ddos-attack/">No, 3 million electric toothbrushes were not used in a DDoS attack</a> by Lawrence Abrams</p><blockquote><p>The article debunks a sensational claim that 3 million electric toothbrushes were used in a DDoS attack. It clarifies that the story, initially reported by a Swiss news site, is likely a misunderstood hypothetical scenario rather than an actual event. Security experts and Fortinet, the cybersecurity firm linked to the story, have disputed the claim. The piece serves as a reminder of the potential for any internet-connected device to be targeted in cyberattacks, underscoring the importance of securing such devices.</p><p><strong>So What?</strong></p><p>I&#8217;m not sure there was a lot of value in the drama that ensued around this curious &#8216;miscommunication.&#8217; However, it was quite perplexing as to why Fortinet said what they said. 
It&#8217;s hardly the first pointless telenovela in Cybersecurity, and it won&#8217;t be the last.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!brfE!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F223a9025-3f7b-4cc3-9f24-c6e3e9aadb59_400x334.gif" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!brfE!,w_424,c_limit,f_webp,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F223a9025-3f7b-4cc3-9f24-c6e3e9aadb59_400x334.gif 424w, https://substackcdn.com/image/fetch/$s_!brfE!,w_848,c_limit,f_webp,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F223a9025-3f7b-4cc3-9f24-c6e3e9aadb59_400x334.gif 848w, https://substackcdn.com/image/fetch/$s_!brfE!,w_1272,c_limit,f_webp,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F223a9025-3f7b-4cc3-9f24-c6e3e9aadb59_400x334.gif 1272w, https://substackcdn.com/image/fetch/$s_!brfE!,w_1456,c_limit,f_webp,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F223a9025-3f7b-4cc3-9f24-c6e3e9aadb59_400x334.gif 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!brfE!,w_1456,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F223a9025-3f7b-4cc3-9f24-c6e3e9aadb59_400x334.gif" width="228" height="190.38" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/223a9025-3f7b-4cc3-9f24-c6e3e9aadb59_400x334.gif&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:334,&quot;width&quot;:400,&quot;resizeWidth&quot;:228,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Escandalo 
Gasp GIF - Escandalo Gasp Surprised - Discover &amp; Share GIFs&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Escandalo Gasp GIF - Escandalo Gasp Surprised - Discover &amp; Share GIFs" title="Escandalo Gasp GIF - Escandalo Gasp Surprised - Discover &amp; Share GIFs" srcset="https://substackcdn.com/image/fetch/$s_!brfE!,w_424,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F223a9025-3f7b-4cc3-9f24-c6e3e9aadb59_400x334.gif 424w, https://substackcdn.com/image/fetch/$s_!brfE!,w_848,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F223a9025-3f7b-4cc3-9f24-c6e3e9aadb59_400x334.gif 848w, https://substackcdn.com/image/fetch/$s_!brfE!,w_1272,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F223a9025-3f7b-4cc3-9f24-c6e3e9aadb59_400x334.gif 1272w, https://substackcdn.com/image/fetch/$s_!brfE!,w_1456,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F223a9025-3f7b-4cc3-9f24-c6e3e9aadb59_400x334.gif 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div></blockquote><div><hr></div><p><a href="https://www.ft.com/content/6fb1602d-a08b-4a8c-bac0-047b7d64aba5">'Enshittification&#8217; is coming for absolutely everything'</a> by Cory Doctorow</p><blockquote><p>The post introduces &#8216;enshittification&#8217; to describe the degradation of online platforms due to their prioritisation of profit over user experience. It outlines the process where platforms initially benefit users, then exploit them and eventually their business customers for maximum profit, leading to a decline in quality and trust. 
The article discusses Facebook as a case study, illustrating how platforms evolve to extract value at the expense of users and stakeholders, suggesting a critical examination of internet governance and corporate power.</p><p><strong>So What?</strong></p><p>They&#8217;re not wrong! This was one of the primary drivers for me to shift from LinkedIn and &#8216;X&#8217; posts to a newsletter format. The likes of Mastodon and BlueSky (<a href="https://techcrunch.com/2024/02/06/bluesky-is-now-open-for-anyone-to-join/">which recently opened up membership to anyone</a>) are growing, but they&#8217;ve still got work to do on tempting the hordes away from the major players. </p></blockquote><div><hr></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://forms.gle/kFdbX8sTTGj8YiHu6&quot;,&quot;text&quot;:&quot;Send Lawrence Feedback&quot;,&quot;action&quot;:null,&quot;class&quot;:&quot;button-wrapper&quot;}" data-component-name="ButtonCreateButton"><a class="button primary button-wrapper" href="https://forms.gle/kFdbX8sTTGj8YiHu6"><span>Send Lawrence Feedback</span></a></p><div><hr></div><p><a href="https://journals.aom.org/doi/abs/10.5465/amj.2020.1761">Discerning Saints: Moralization of Intrinsic Motivation and Selective Prosociality at Work </a>by Mijeong Kwon, Julia Lee Cunningham, and Jon M. Jachimowicz</p><blockquote><p>This article explores the complex effects of intrinsic motivation at the workplace, suggesting that highly intrinsically motivated employees may engage in selective prosocial behaviors, favoring colleagues they perceive as similarly motivated. This inclination stems from the moralisation of intrinsic motivation, leading to differentiated treatment based on perceived moral standing. The findings, supported by a field study and online experiments, challenge the universally positive view of intrinsic motivation, highlighting its potential to foster workplace divisions.</p><p><strong>So What?</strong></p><p>Not cyber. 
Essentially, the study found that people who&#8217;re self-motivated can judge themselves and others who&#8217;re self-motivated to be morally superior to those who&#8217;re not. While &#8216;humans gonna human&#8217;, the key takeaway for me is to apply the wisdom that everyone is different and to seek humility.</p></blockquote><div><hr></div><p><a href="https://tldrsec.com/p/ai-deepfakes-phishing">AI, Deepfakes, and Phishing</a> by Clint Gibler</p><blockquote><p>A summary page tracking AI and LLMs being applied to deepfakes and phishing.</p><p><strong>So What?</strong></p><p>This is really useful if you&#8217;re following the progression of malicious deepfakes, or you need to report, point-in-time, on the proliferation of this TTP.</p></blockquote><div><hr></div><p><a href="https://www.lms.ac.uk/sites/default/files/inline-files/NLMS_510_for_web.pdf">Preventing The Quantum Crypto Apocalypse</a> by Nigel Smart</p><blockquote><p>The paper discusses the threat quantum computing poses to current cryptographic systems and the solutions proposed by the American National Institute of Standards and Technology (NIST). Utilising linear algebra problems, NIST's recommendations aim to secure digital infrastructure against quantum attacks. The article delves into the specifics of Learning-with-Errors (LWE), a promising approach in post-quantum cryptography, explaining its basis in linear algebra and its potential to safeguard against the quantum crypto-apocalypse through complex mathematical frameworks.</p><p><strong>So What?</strong></p><p>This is a VERY technical (read &#8216;Maths-y&#8217;) paper, but it provides a lot of insight into the currently accepted approach to PQC.</p></blockquote><div><hr></div><p><a href="https://github.com/WithSecureLabs/lolcerts">Living Off The <s>Land</s> Leaked Certificates (LoLCerts)</a> by WithSecureLabs</p><blockquote><p>The GitHub repository gathers details of code signing certificates known to have been misused by threat actors. 
The repository includes a Python script to generate Yara rules for these certificates, aiming to assist in identifying malware signed with these compromised credentials.</p><p><strong>So What?</strong></p><p>This is quite a cool project; it highlights the increasing relevance of this threat as more defenses rely on digital signatures to permit execution on endpoints. </p></blockquote><div><hr></div><p><a href="https://www.cyberark.com/resources/blog/apt29s-attack-on-microsoft-tracking-cozy-bears-footprints">APT29&#8217;s Attack on Microsoft: Tracking Cozy Bear&#8217;s Footprints</a> by Andy Thompson</p><blockquote><p>This article discusses APT29's sophisticated cyber-attacks on Microsoft, identifying the group as a Russian espionage entity aiming to gather sensitive information. It delves into the tactics, techniques, and procedures employed, including a notable breach through password spraying. The piece underscores the importance of multi-factor authentication, identity threat detection, and response strategies to mitigate similar threats. It calls for heightened vigilance and security measures across industries to protect against such advanced persistent threats.</p><p><strong>So What?</strong></p><p>This is a pretty interesting write-up on Cozy Bear (despite the key recommendation being &#8216;buy CyberArk&#8217;). </p></blockquote><div><hr></div><p><a href="https://guardyourdomain.com/blog/trends-in-phishing-fraud/">Trends in Phishing &amp; Fraud</a> by Domain Guard</p><blockquote><p>This article explores the increasing sophistication of phishing and fraud, emphasising the dual-use nature of technological advancements like AI in perpetuating these crimes. It highlights the misuse of legitimate services like Cloudflare by attackers to shield phishing sites, alongside tactics like creating fake banks and universities. 
The piece offers actionable advice for both individuals and cybersecurity professionals on safeguarding against these threats, underscoring the importance of vigilance and adaptive security measures in the face of evolving cyber risks.</p><p><strong>So What?</strong></p><p>There are some good data in this report for presentations and building business cases.</p></blockquote><div><hr></div><p><a href="https://nokline.github.io/bugbounty/2024/02/04/ChatGPT-ATO.html">ChatGPT Account Takeover - Wildcard Web Cache Deception </a>by Harel (nokline)</p><blockquote><p>The post outlines a critical vulnerability in ChatGPT, exploiting a web cache deception with a path traversal URL parser confusion, leading to user auth token leaks and account takeovers. By manipulating cache rules and path normalisations between CDN and web server, Harel demonstrated how attackers could access sensitive API endpoints. This discovery, netting a $6500 bounty, highlights the ongoing need for vigilance and advanced security measures against evolving cyber threats.</p><p><strong>So What?</strong></p><p>I really enjoyed this post (thanks to Tom Neaves for sharing), despite needing some additional Googling to ensure I understood it fully. It demonstrates how &#8216;traditional&#8217; web application bugs are still valid for Conversational AI Chatbots. I think this particular attack chain is interesting, as it&#8217;s likely applicable to a number of disparate implementations. Bug Bounty mavens (and TAs) will be having fun with this already, no doubt.</p></blockquote><div><hr></div><p><a href="https://wirelessbits.net/practical-wpa2-security-assessment-of-wireless-routers-f5f0d5aadfda">Practical WPA2 Security Assessment of Wireless Routers</a> by WirelessBits</p><blockquote><p>The article presents an exploration into the security of WPA2 on various router models by simulating an attack to test default SSID passphrase strength. 
The assessment reveals significant security vulnerabilities with factory-default settings, emphasising the necessity for users to adopt stronger, customised passphrases and to consider upgrading to WPA3 for enhanced security. The author also discusses technological advancements in hashing and the importance of using VPNs for additional protection, underscoring the critical need for vigilant cybersecurity practices in wireless networking.</p><p><strong>So What?</strong></p><p>It&#8217;s been a while since wireless security has been hotly discussed. This post contains some really great practical advice for assessing WPA2 in particular. A subset of the offsec community have been saying on social media that modern wireless is super secure and we should just dive into public access points without trepidation. However, history teaches us that it&#8217;s unlikely to be the case, and many remain sceptical. </p></blockquote><div><hr></div><p><a href="https://www.ncsc.gov.uk/blog-post/qr-codes-whats-real-risk">QR Codes - what's the real risk?</a> by UK NCSC</p><blockquote><p>The UK's National Cyber Security Centre addresses concerns surrounding QR code safety, noting their widespread adoption during the COVID-19 pandemic. While QR-enabled fraud exists, it's less common than other cyber threats. The article advises caution, particularly with QR codes in emails or public spaces, as these may link to malicious sites. For safety, use built-in phone scanners and remain alert to oversharing personal information.</p><p><strong>So What?</strong></p><p class="cta-caption">The UK NCSC has been releasing some great information and guides recently, including <a href="https://www.ncsc.gov.uk/collection/vulnerability-management/guidance">this one on Vulnerability Management</a>. 
It&#8217;s great to see their focus on providing well-researched information on the basics.</p></blockquote><div><hr></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://www.munrobotic.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading &#8216;Briefly Briefed:&#8217; - To receive the newsletter on a weekly basis, please subscribe below. </p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>]]></content:encoded></item><item><title><![CDATA[Briefly Briefed: Newsletter #22 (07/02/24)]]></title><description><![CDATA[Greetings!]]></description><link>https://www.munrobotic.com/p/briefly-briefed-newsletter-22-070224</link><guid isPermaLink="false">https://www.munrobotic.com/p/briefly-briefed-newsletter-22-070224</guid><dc:creator><![CDATA[Lawrence Munro]]></dc:creator><pubDate>Wed, 07 Feb 2024 11:16:08 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/aaa8d7d3-91bd-4937-9967-f9625544d326_1024x1024.webp" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Greetings!</p><p>This is week #22 of the &#8216;Briefly Briefed:&#8217; newsletter. 
A big welcome to new subscribers, and many thanks to those who continue to read.</p><p>My &#8216;if you only read two&#8217; recommendations for the week are:</p><ul><li><p><a href="https://therecord.media/russian-campaign-impersonating-western-researchers-academics/">Russian spies impersonating Western researchers in ongoing hacking campaign</a> by Alexander Martin</p></li><li><p><a href="https://www.horizon3.ai/analysis-of-2023s-known-exploited-vulnerabilities/">Rust Won't Save Us: An Analysis of 2023's Known Exploited Vulnerabilities</a> by Zach Hanley</p></li></ul><p>Have a great week!</p><p>Lawrence</p><p><strong>Meme of the Week:</strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!7SNO!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff019c1b5-67c7-488e-8223-c9feab7c18a2_843x500.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!7SNO!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff019c1b5-67c7-488e-8223-c9feab7c18a2_843x500.png 424w, https://substackcdn.com/image/fetch/$s_!7SNO!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff019c1b5-67c7-488e-8223-c9feab7c18a2_843x500.png 848w, https://substackcdn.com/image/fetch/$s_!7SNO!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff019c1b5-67c7-488e-8223-c9feab7c18a2_843x500.png 1272w, https://substackcdn.com/image/fetch/$s_!7SNO!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff019c1b5-67c7-488e-8223-c9feab7c18a2_843x500.png 1456w" 
sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!7SNO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff019c1b5-67c7-488e-8223-c9feab7c18a2_843x500.png" width="412" height="244.36536180308423" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f019c1b5-67c7-488e-8223-c9feab7c18a2_843x500.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:500,&quot;width&quot;:843,&quot;resizeWidth&quot;:412,&quot;bytes&quot;:766664,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!7SNO!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff019c1b5-67c7-488e-8223-c9feab7c18a2_843x500.png 424w, https://substackcdn.com/image/fetch/$s_!7SNO!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff019c1b5-67c7-488e-8223-c9feab7c18a2_843x500.png 848w, https://substackcdn.com/image/fetch/$s_!7SNO!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff019c1b5-67c7-488e-8223-c9feab7c18a2_843x500.png 1272w, https://substackcdn.com/image/fetch/$s_!7SNO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff019c1b5-67c7-488e-8223-c9feab7c18a2_843x500.png 1456w" sizes="100vw" fetchpriority="high"></picture>
</div></a></figure></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.munrobotic.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:&quot;button-wrapper&quot;}" data-component-name="ButtonCreateButton"><a class="button primary button-wrapper" href="https://www.munrobotic.com/subscribe?"><span>Subscribe now</span></a></p><div><hr></div><p><a href="https://www.calcalistech.com/ctechnews/article/rkkg9fksp">Gil Shwed stepping down as Check Point CEO after 30 years</a> by Sophie Shulman (CTech)</p><blockquote><p>Gil Shwed, co-founder of cybersecurity giant Check Point, is stepping down as CEO after 30 years. 
Under his leadership, Check Point grew significantly, ending 2023 with $2.4 billion in revenue and $840 million in net profit. Shwed plans to transition to Executive Chairman, focusing on the company's future and cybersecurity market evolution. Despite facing competition, Check Point's profitability remains strong, with a market value around $19 billion. The company recently made a significant acquisition, purchasing Perimeter 81 for half a billion dollars.</p><p><strong>So What?</strong></p><p>The end of an era for Check Point. It will be interesting to see the direction the company takes post-handover. Towards the end of last year, there was a step change in the approach to their Partner program, with a <a href="https://www.checkpoint.com/press-releases/check-point-software-launches-new-global-managed-security-service-provider-mssp-program-to-accelerate-partner-growth/">focus on supporting MSSPs</a>. My assumption is that they will follow the likes of Palo Alto, CrowdStrike and Symantec in creating broader ecosystems (read SASE/SSE/ZT) from their tech stack, supporting an MSSP-enabled play. Let&#8217;s see!</p></blockquote><div><hr></div><p><a href="https://www.state.gov/announcement-of-a-visa-restriction-policy-to-promote-accountability-for-the-misuse-of-commercial-spyware/">Announcement of a Visa Restriction Policy to Promote Accountability for the Misuse of Commercial Spyware</a> by Antony J. Blinken, US Secretary of State</p><blockquote><p>This article outlines the U.S. State Department's new policy to impose visa restrictions on individuals involved in the misuse of commercial spyware. The policy aims to counter the global misuse of spyware for repression, violating privacy, and enabling human rights abuses. 
It applies to those using spyware to target or intimidate individuals, including journalists and activists, those benefiting financially from such misuse, and their immediate family members.</p><p><strong>So What?</strong></p><p>This will present challenges for individuals associated with spyware vendors like Candiru, NSO Group, Intellexa, and Cytrox, all of which were added to trade blacklists in 2021 and 2023. Interestingly, this coincided with a <a href="https://therecord.media/israel-absent-from-london-spyware-conference-and-pledge">conference this week (hosted by the UK and France)</a>, launching an initiative called <a href="https://therecord.media/britain-france-assemble-diplomats-international-agreement">the Pall Mall Process</a>. The Pall Mall Process is aimed at addressing the proliferation of commercial cyber intrusion tools through joint-action commitments by attendees. Key absentees were: Israel, Austria, Egypt and North Macedonia. Israel&#8217;s absence is particularly significant. It accounts for two of the four companies that have been <a href="https://www.commerce.gov/news/press-releases/2021/11/commerce-adds-nso-group-and-other-foreign-companies-entity-list">sanctioned by the U.S.</a> (Candiru and NSO) for trafficking cyber tools that the U.S. assesses have enabled &#8220;transnational repression&#8221; by authoritarian governments. </p><p>On a side note, it&#8217;s <em>very</em> British to select an initiative name that will be ambiguous to pronounce for even native English speakers (outside of international Monopoly enthusiasts). 
Next up, &#8216;the Worcestershire-Leicestershire accord.&#8217;</p></blockquote><div><hr></div><p><a href="https://venturebeat.com/ai/how-enterprises-are-using-open-source-llms-16-examples/">How enterprises are using open source LLMs: 16 examples</a> by Matt Marshall (Venture Beat)</p><blockquote><p>The article discusses how enterprises are exploring open source large language models (LLMs) for various applications, offering 16 examples of real-world deployments. Despite initial slow adoption compared to closed models like ChatGPT, open source LLMs are gaining traction due to their flexibility and cost-effectiveness. The examples range from enhancing code efficiency to improving customer support, highlighting the growing interest and diverse applications of open source LLMs in the enterprise sector.</p><p><strong>So What?</strong></p><p>I found this article really interesting, as internal company initiatives are seldom public domain. It&#8217;s not surprising that most larger enterprises are either developing or delivering on an &#8216;AI&#8217; strategy already. This reminds me a lot of the Internet of Things (IoT) boom, where <a href="https://www.metrikus.io/blog/10-weirdest-iot-enabled-devices-of-all-time">everything became Internet enabled</a>, whether it was a good idea or not. Similarly, I think we&#8217;re seeing (and will continue to see) the over-zealous application of AI in situations that don&#8217;t call for it. It will likely be a costly mistake for some. 
However, I do look forward to <a href="https://www.youtube.com/watch?v=LRq_SAuQDec">AI toasters</a> and flip-flops.</p></blockquote><div><hr></div><p><a href="https://www.ptsecurity.com/ww-en/analytics/disabling-intel-me-11-via-undocumented-mode/">Disabling Intel ME 11 via undocumented mode</a> by Positive Technologies Team</p><blockquote><p>The article details Positive Technologies researchers' exploration of Intel Management Engine (ME) 11, uncovering an undocumented mode that disables Intel ME after initialisation. This discovery relates to the U.S. government's High Assurance Platform (HAP) program, aiming to reduce security risks. The process involves technical adjustments and poses risks to system functionality, highlighting the complexities and security implications of managing proprietary technology within computing hardware.</p><p><strong>So What?</strong></p><p>A more technical post, but an interesting read!</p></blockquote><div><hr></div><p><a href="https://www.marketscreener.com/quote/stock/PALO-ALTO-NETWORKS-INC-11067980/news/Palo-Alto-Networks-hit-with-151-5-mln-verdict-in-Centripetal-patent-trial-45857519/">Palo Alto Networks hit with $151.5 mln verdict in Centripetal patent trial</a> by Reuters</p><blockquote><p>A federal jury awarded Centripetal Networks $151.5 million in damages, finding that Palo Alto Networks infringed on Centripetal's patent rights related to network-security technology. Palo Alto plans to appeal, arguing their technology is different and the patents invalid. This case follows Centripetal's previous legal victory over Cisco Systems, showcasing ongoing patent disputes in the cybersecurity sector.</p><p><strong>So What?</strong></p><p>Ouch! Centripetal are on a roll enforcing their patents. It doesn&#8217;t seem to have impacted PANW&#8217;s share price though. 
</p></blockquote><div><hr></div><p><a href="https://blog.knowbe4.com/81-of-underwriters-expect-cyber-insurance-premiums-to-increase">81% of Underwriters Expect Cyber Insurance Premiums to Increase as Risk is Expected to Soar</a> by Stu Sjouwerman</p><blockquote><p>The post discusses a survey revealing that 81% of cyber insurance underwriters anticipate a slight increase in premiums due to rising cyber risks, particularly from ransomware. Despite this, coverage levels are expected to remain constant. It highlights the importance of enhancing organisational processes and security awareness training to mitigate risks, rather than solely relying on insurance.</p><p><strong>So What?</strong></p><p>Do premiums ever go down? It will be fascinating to see how some of the planned ransomware regulations will impact pricing of Cyber insurance. On one hand, interventions such as banning ransomware payments could reduce the risk of multi-million payouts. However, operating losses due to protracted recovery efforts could offset this (if covered).  </p></blockquote><div><hr></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://forms.gle/kFdbX8sTTGj8YiHu6&quot;,&quot;text&quot;:&quot;Send Lawrence Feedback&quot;,&quot;action&quot;:null,&quot;class&quot;:&quot;button-wrapper&quot;}" data-component-name="ButtonCreateButton"><a class="button primary button-wrapper" href="https://forms.gle/kFdbX8sTTGj8YiHu6"><span>Send Lawrence Feedback</span></a></p><div><hr></div><p><a href="https://therecord.media/russian-campaign-impersonating-western-researchers-academics/">Russian spies impersonating Western researchers in ongoing hacking campaign</a> by Alexander Martin</p><blockquote><p>The article reports on a Russian cyber espionage campaign targeting Western researchers and academics. Hackers, believed to be working for Russian intelligence, use spearphishing techniques to impersonate colleagues and gain access to sensitive information. 
This operation reflects Russia's broader strategy to undermine democratic institutions and discredit critics, illustrating the persistent threat of state-sponsored cyber attacks and the importance of vigilance in digital communications.</p><p><strong>So What?</strong></p><p>Aren&#8217;t they just <a href="https://blog.google/threat-analysis-group/active-north-korean-campaign-targeting-security-researchers/">copying North Korea</a>? These types of campaigns have been active for some years, as a fairly typical form of espionage. If you know academics or researchers who may not be aware of these types of attacks, it&#8217;s worth sharing and supporting them with your cyber knowledge.</p></blockquote><div><hr></div><p><a href="https://www.horizon3.ai/analysis-of-2023s-known-exploited-vulnerabilities/">Rust Won't Save Us: An Analysis of 2023's Known Exploited Vulnerabilities</a> by Zach Hanley</p><blockquote><p>The article provides an analysis of critical vulnerabilities listed in the CISA KEV catalog from January 2023 to January 2024. It highlights that despite efforts to improve security through memory-safe languages like Rust, vulnerabilities due to insecure exposed functions and web routing/path abuses remain prevalent. The study shows that appliances are often targeted due to their network boundary positions and low defender visibility. The author recommends strategies for vendors, developers, defenders, and researchers to mitigate these risks.</p><p><strong>So What?</strong></p><p>It&#8217;s axiomatic that there&#8217;s almost never a single solution to a complicated problem in cybersecurity. Moreover, the post does miss efforts at the hardware level to address this problem, such as <a href="https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/cheri-morello.html">CHERI software stack for ARM Morello boards</a>. 
Overall, I do agree that it will take a number of solutions in combination to mitigate issues created by insecure coding practices (and issues with languages / OSes themselves).</p></blockquote><div><hr></div><p><a href="https://crankysec.com/blog/shite/">Your Security Program Is Shit</a> by ciso</p><blockquote><p>The article critically examines the state of security programs, arguing that many are ineffective due to a lack of genuine understanding and commitment from those in charge. It uses a hypothetical scenario to illustrate how organisations often prioritise appearances and compliance over actual security improvements, leading to a cycle of inefficiency and superficiality. The piece is a call to action for more authentic and effective security practices within the industry.</p><p><strong>So What?</strong></p><p>If you like ranty, sweary soapbox posts from technical people who&#8217;ve never had to plan a defence at an organisational level without unlimited budgets, then this post is for you! More seriously though, I don&#8217;t disagree with the fundamental point of this post. Broadly speaking, cyber defence is not at the level it needs to be in order to provide appropriate assurance, and we all know it. I&#8217;m not sure that there&#8217;s a widespread denial of this though, as suggested in the post, as we see the outcomes regularly. I&#8217;ll refrain from listing all the challenges, but simply put, we need better tools, better training and better funding.</p></blockquote><div><hr></div><p><a href="https://vulncheck.com/blog/too-many-honeypots">There Are Too Many Damn Honeypots</a> by Jacob Baines</p><blockquote><p>The article highlights the challenge of distinguishing between real and honeypot Confluence servers on the Internet. With over 235,000 Internet-facing Confluence honeypots identified versus at most 4,000 real servers, the author discusses the difficulty in accurately determining the number of hosts affected by vulnerabilities. 
The piece emphasises the importance of precise vulnerability impact assessment and the role of honeypots in both complicating and contributing to cybersecurity efforts.</p><p><strong>So What?</strong></p><p>I do agree with the point Jacob is making. There are a lot of honeypots out there, and their existence can skew important data. However, the article only relates to Confluence honeypots, meaning the title is a little clickbaity and not broadly relevant. The key takeaway for me is that if you&#8217;re looking at Internet-wide meta-data, it&#8217;s pretty hard to remove all the noise, even if you&#8217;re being quite targeted.</p></blockquote><div><hr></div><p><a href="https://www.natlawreview.com/article/florida-bill-proposes-safe-harbor-against-breach-suits-businesses-maintaining">Florida Bill Proposes Safe Harbor Against Breach Suits to Businesses Maintaining Recognized Cybersecurity Programs</a> by Alexis M. Buese and Eric Setterlund</p><blockquote><p>The article discusses a proposed bill in Florida offering businesses a safe harbor defense against data breach lawsuits if they implement robust cybersecurity measures that align with recognised standards. This legislation aims to motivate companies to adopt higher cybersecurity levels by providing legal protections for those that meet specified criteria, thus encouraging a proactive approach to cybersecurity.</p><p><strong>So What?</strong></p><p>It will be interesting to see whether this has the intended impact.</p></blockquote><div><hr></div><p><a href="https://www.scmp.com/news/hong-kong/law-and-crime/article/3250851/everyone-looked-real-multinational-firms-hong-kong-office-loses-hk200-million-after-scammers-stage">&#8216;Everyone looked real&#8217;: multinational firm&#8217;s Hong Kong office loses HK$200 million after scammers stage deepfake video meeting</a> by Harvey Kong</p><blockquote><p>A multinational company in Hong Kong lost HK$200 million due to a scam involving deepfake technology. 
Scammers created a fake video meeting, impersonating the company's CFO and other staff, to instruct an employee to transfer funds. This marks a significant case of deepfake misuse in financial fraud, highlighting the growing sophistication of cybercriminals in leveraging new technologies to carry out scams.</p><p><strong>So What?</strong></p><p>As deepfakes improve and become more accessible, this problem will only increase. Defending against this type of threat is incredibly hard, as technical controls would be challenging to implement, and training individuals to recognise deepfakes will be an issue. Organisations need to ensure they have robust procedures for high-risk functions, such as approval chains in Finance.</p></blockquote><div><hr></div><p><a href="https://www.theverge.com/2024/2/2/24058985/google-search-cache-feature-discontinued">Google Search&#8217;s cache links are officially being retired</a> by Jon Porter</p><blockquote><p>The article reports on Google discontinuing its cache feature, once a tool for viewing webpages as Google indexed them. This function was crucial for SEO, news gathering, and bypassing regional content blocks, but has been deemed less necessary due to improved internet reliability. The gradual removal, noted by search liaison Danny Sullivan, reflects Google's assessment of the feature as an outdated legacy, with no immediate replacement plans but a potential future link to the Internet Archive for historical webpage views.</p><p><strong>So What?</strong></p><p>This was a really handy feature for CTI (and sometimes bypassing paywalls). Shame!</p></blockquote><div><hr></div><p><a href="https://posts.specterops.io/microsoft-breach-what-happened-what-should-azure-admins-do-da2b7e674ebc">Microsoft Breach &#8212; What Happened? 
What Should Azure Admins Do?</a> by Andy Robbins</p><blockquote><p>The post elucidates the breach by "Midnight Blizzard," detailing the attack on Microsoft's Azure environment and offering advice for Azure admins. Key steps in the attack path included password guessing, compromising app registrations, and escalating privileges within Microsoft's corporate tenant. Andy stresses the importance of identifying and mitigating privileged foreign applications to protect Azure environments, illustrating the critical nature of cybersecurity vigilance and proactive defense measures in the face of sophisticated cyber attacks.</p><p>The post advises that Azure admins should:</p><ul><li><p>Identify privileged foreign applications in their environment.</p></li><li><p>Focus on service principals with MS Graph app roles, using the Azure portal.</p></li><li><p>Check for dangerous MS Graph app roles and manage permissions carefully.</p></li><li><p>Automate the audit process for efficiency and thoroughness, leveraging scripting and Azure AD tools.</p></li><li><p>Be proactive in identifying and mitigating attack paths, especially those involving foreign applications with high privileges.</p></li></ul><p><strong>So What?</strong></p><p>This is one of the better technical write-ups, and comes with some useful information on mitigation. If you&#8217;re a technical person responsible for securing identities in Azure, this is especially important.</p></blockquote><div><hr></div><p><a href="https://robindimyan.medium.com/adapt-framework-for-modelling-adversary-behaviour-d2422837bf32">ADAPT Framework for Modelling Adversary Behaviour</a> by Robin Dimyan</p><blockquote><p>The post introduces the ADAPT framework as a nuanced approach to understanding cyber threats, moving beyond the oversimplified label of Advanced Persistent Threats (APTs). ADAPT stands for Advanced, Adaptive, Persistent, and Targeted, offering more detailed criteria for assessing cyber adversaries. 
By evaluating threats across these dimensions, Dimyan proposes a method that enhances cybersecurity planning and defense, making it a valuable tool for more effectively addressing and strategising against cyber threats.</p><p><strong>So What?</strong></p><p class="cta-caption">This is a nice (although quite short for the introduction of a framework) post. I agree with the idea that APT is an overly nebulous term. I&#8217;ll be watching to see if more comes from this.</p></blockquote><div><hr></div>]]></content:encoded></item><item><title><![CDATA[Briefly Briefed: Newsletter #21 (01/02/24)]]></title><description><![CDATA["Never hate your enemies.]]></description><link>https://www.munrobotic.com/p/briefly-briefed-newsletter-21-010224</link><guid isPermaLink="false">https://www.munrobotic.com/p/briefly-briefed-newsletter-21-010224</guid><dc:creator><![CDATA[Lawrence Munro]]></dc:creator><pubDate>Thu, 01 Feb 2024 11:01:11 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/888de30a-07af-4a8a-9f3c-02d49cafd7c2_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>"Never hate your enemies. 
It affects your judgment."</p><p>This is week <strong>#21</strong> of the &#8216;Briefly Briefed:&#8217; newsletter. A big welcome to new subscribers, and many thanks to those who continue to read.</p><p>My &#8216;if you only read two&#8217; recommendations for the week are:</p><ul><li><p><a href="https://www.philvenables.com/post/leadership-transitions-10-steps-for-success">Leadership Transitions - 10 Steps for Success</a> by Phil Venables</p></li><li><p><a href="https://www.wired.com/story/nso-group-lobbying-israel-hamas-war/">Notorious Spyware Maker NSO Group Is Quietly Plotting a Comeback</a> by Vas Panagiotopoulos</p></li></ul><p>"Leave the gun. Take the cannoli."</p><p>Lawrence</p><p><strong>Meme of the Week:</strong></p><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!2QvE!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F01271126-028f-4a18-aa87-c037ff2bedd8_640x558.png" width="368" height="320.85" alt=""></figure></div><div><hr></div><p><a href="https://www.board-cybersecurity.com/incidents/tracker/">Cybersecurity Incident Tracker</a> by Board Cybersecurity</p><blockquote><p>This webpage provides a tracker for cybersecurity incidents reported in entities' 8-K filings. It lists recent cybersecurity incidents disclosed by various companies, including details such as disclosure dates, the companies involved, and brief descriptions of the incidents. The tracker aims to offer up-to-date information on cybersecurity breaches and incidents, highlighting their impact on the affected companies without delving into detailed analyses of each incident.</p><p><strong>So What?</strong></p><p>This is a useful resource for tracking breach filings for publicly listed companies (operating in the US). The traction that the SEC filing changes has gained will hopefully lead to increased awareness and pressure on boards to make significant investment into cybersecurity. Some analysts are already crediting this change for the <a href="https://www.nightdragon.com/insights/special-report-cisos-report-rising-budgets-for-2024/">uptick in predicted cybersecurity spend for 2024</a>.</p></blockquote><div><hr></div><p><a href="https://skii.dev/rook-to-xss/">Rook to XSS: How I Hacked Chess.com with a Rookie Exploit</a> by Jake</p><blockquote><p>This article details how the author discovered and exploited a Cross-Site Scripting (XSS) vulnerability on Chess.com using a clever manipulation of image upload functionality. The exploit involved tricking the site into executing malicious JavaScript through crafted image attributes, demonstrating the potential for security breaches even on well-regarded platforms. The author's methodical approach showcases the importance of thorough security measures in web development, particularly regarding user-generated content and the handling of rich text editors.</p><p><strong>So What?</strong></p><p>This is a really nice write-up, with a lot of detail. 
If you&#8217;re interested in novel XSS or more broadly in understanding modern web attacks, this is pretty cool. What&#8217;s extra interesting is that Jake is purportedly only 17. If this is accurate, he&#8217;s one to watch; this is a really detailed and mature post. I tried to track him down to say &#8216;good job&#8217; and connect him with some consultancies to help him get an apprenticeship (it says he&#8217;s looking in his &#8216;about&#8217;), but the GitHub projects he purports to work on don&#8217;t seem to include his contributions. *shrug* probably someone&#8217;s attempt at anonymity *shrug*</p></blockquote><div><hr></div><p><a href="https://www.nightdragon.com/insights/special-report-cisos-report-rising-budgets-for-2024/">Special Report: CISOs Report Rising Budgets for 2024</a> by NightDragon</p><blockquote><p>This report highlights a significant increase in cybersecurity budgets as Chief Information Security Officers (CISOs) globally respond to escalating cyber threats. An anonymous survey conducted by NightDragon Advisors revealed that nearly 80% of CISOs experienced budget increases in 2023, with expectations of continued growth in 2024. This trend underscores the expanding role and responsibility of CISOs in safeguarding digital and physical systems amidst rising cyberattacks and geopolitical tensions. The focus areas for these increased budgets include ransomware resiliency, cloud security, and artificial intelligence, among others.</p><p><strong>So What?</strong></p><p>The expected increase in budgets is heartwarming reading for the industry. However, I always take these sorts of optimistic views from investors with a pinch of salt, as it&#8217;s in their self-interest to predict positive outcomes. That&#8217;s not to say I doubt the data or the efficacy of the work done by NightDragon. 
</p><p>There aren&#8217;t really any surprises as to how CISOs are reporting they will spend their inflated gains.</p></blockquote><div><hr></div><p><a href="https://www.coveware.com/blog/2024/1/25/new-ransomware-reporting-requirements-kick-in-as-victims-increasingly-avoid-paying">New Ransomware Reporting Requirements Kick in as Victims Increasingly Avoid Paying</a> by Coveware</p><blockquote><p>The article discusses the introduction of new ransomware reporting requirements as organisations are increasingly opting not to pay ransoms. It explores the potential impacts of these requirements on the behavior of companies and the broader cybersecurity landscape. The discussion includes an analysis of how these changes might influence ransomware attack dynamics, victim response strategies, and the legal and operational challenges of adhering to the new requirements.</p><p><strong>So What?</strong></p><p>The article takes a strongly negative view on banning ransomware payments and over-reporting. The post argues this on the basis that it&#8217;s tantamount to admitting absolute failure by other means, and that bans have either proven ineffectual (in other jurisdictions) or the data are unclear. I&#8217;m not surprised by this position, given Coveware specialise in ransomware incident response and negotiation! However, they do make some strong points. I feel that despite strong objections, many nation states are considering banning ransomware payments. However, there don&#8217;t appear to be good contingency plans in place to mitigate the initial impact at organisational or economic level. I can&#8217;t see government sponsored task forces parachuting in to help every mid-sized enterprise recover from back-ups they don&#8217;t even have. 
If we push ahead with this approach, greater support (and incentive) is going to be required to prevent an initial wave of chaos.</p></blockquote><div><hr></div><p><a href="https://www.justice.gov/opa/pr/justice-department-and-ftc-update-guidance-reinforces-parties-preservation-obligations">Justice Department and FTC Update Guidance that Reinforces Parties&#8217; Preservation Obligations for Collaboration Tools and Ephemeral Messaging</a> by US DoJ (Press Release)</p><blockquote><p>The U.S. Department of Justice and the Federal Trade Commission have updated their guidelines to emphasise the importance of document and communication preservation, especially regarding collaboration tools and ephemeral messaging. This revision aims to address the challenges posed by modern communication technologies in legal investigations, ensuring companies retain necessary information for compliance and accountability.</p><p><strong>So What?</strong></p><p>I&#8217;m torn on this issue. On one hand, the preservation of evidence is important and key to serious investigations undertaken by law enforcement. Conversely, frameworks such as the <a href="https://gdpr.eu/what-is-gdpr/">GDPR</a> and <a href="https://oag.ca.gov/privacy/ccpa">California Consumer Privacy Act (CCPA)</a> encourage and mandate minimal data retention, further incentivised by the requirement for take-downs, the right to be forgotten and subject access requests. Typically, these types of privacy frameworks do not define specific data retention periods. However, the inclusion of requirements to retrieve any and all data (which includes chat logs) pertaining to an individual upon request means organisations want to retain fewer data. 
The longer and more comprehensively you retain information, the more challenging these tasks become.</p></blockquote><div><hr></div><p><a href="https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/">Midnight Blizzard: Guidance for Responders on Nation-State Attack</a> by Microsoft Threat Intelligence</p><blockquote><p>This article covers Microsoft's response to a nation-state cyberattack dubbed "Midnight Blizzard," identified as originating from a Russian state-sponsored actor. It details the tactics and techniques used in the attack, including the exploitation of a legacy non-production test tenant without multifactor authentication (MFA) and the creation of malicious OAuth applications. Microsoft provides guidance on protecting against such attacks, highlighting the importance of auditing privileges, defending against password spray attacks, and implementing conditional access controls.</p><p><strong>So What?</strong></p><p>It&#8217;s great to see Microsoft providing increasing amounts of information about this incident. This is an interesting write-up and provides a good level of detail for use in CTI workflows.</p></blockquote><div><hr></div><p><a href="https://www.philvenables.com/post/leadership-transitions-10-steps-for-success">Leadership Transitions - 10 Steps for Success</a> by Phil Venables</p><blockquote><p>Phil Venables shares insights on navigating leadership transitions effectively. 
The article outlines ten steps for success, emphasising patience, listening, promoting new ideas, transparency, and consistent communication. It advises on empowering teams, providing constructive feedback, and the importance of adapting to new roles while letting go of the past. The guide encourages leaders to periodically reassess their strategies, promoting continuous improvement and adaptability in leadership roles.</p><p><strong>So What?</strong></p><p>This is a great post and demonstrates the need for a <a href="https://hbr.org/2016/01/what-having-a-growth-mindset-actually-means">growth mindset</a> when stepping up into a leadership position. The stand-out points that resonate for me are &#8216;be patient and listen&#8217; and the need to over-communicate. One of the first lessons I learnt as a leader is that you can&#8217;t say important things too many times (and people don&#8217;t read email!). &lt;shamelessplug&gt;I wrote quite a long (some would say too long) <a href="https://www.munrobotic.com/p/a-cybersecurity-leaders-survival">blog post</a> on moving into leadership in cybersecurity, covering some similar points to Phil&#8217;s. It may (or may not) be interesting.&lt;/shamelessplug&gt;</p></blockquote><div><hr></div><p><a href="https://krebsonsecurity.com/2024/01/using-google-search-to-find-software-can-be-risky/">Using Google Search to Find Software Can Be Risky</a> by Brian Krebs</p><blockquote><p>The article highlights the risks associated with using Google search to find software downloads, noting that cybercriminals exploit this method to distribute malware-laden versions of popular applications. It discusses how malicious ads, often appearing above legitimate search results, mislead users into downloading compromised software, emphasising the sophistication of these schemes and Google's efforts to counteract them. 
The piece further explores the implications for internet safety and the continuous battle against malvertising.</p><p><strong>So What?</strong></p><p>Malvertising is one of those threat categories that rears its ugly head now and again in the media, when a novel vector appears. This is quite an interesting write-up and worth a few minutes.</p></blockquote><div><hr></div><p><a href="https://www.reuters.com/technology/cybersecurity/ai-rise-will-lead-increase-cyberattacks-gchq-warns-2024-01-24/">AI Rise Will Lead to Increase in Cyberattacks, GCHQ Warns</a> by James Pearson</p><blockquote><p>Britain's GCHQ has issued a warning about the increasing risk of cyberattacks due to the rapid development of Artificial Intelligence (AI) technologies. The agency highlighted that AI lowers the entry barrier for potential hackers, making it easier for less sophisticated cybercriminals to conduct digital harm, including ransomware attacks. The report underlines the uneven impact of AI on cyber threats, with opportunistic hackers gaining the most in terms of capability, and advanced state-backed hackers leveraging AI for more complex cyber operations.</p><p><strong>So What?</strong></p><p>No surprises here!</p></blockquote><div><hr></div><p><a href="https://www.wired.com/story/nso-group-lobbying-israel-hamas-war/">Notorious Spyware Maker NSO Group Is Quietly Plotting a Comeback</a> by Vas Panagiotopoulos</p><blockquote><p>NSO Group is ramping up lobbying efforts in Washington and leveraging the Israel-Hamas conflict to position its Pegasus spyware as vital for global security. 
Despite a troubled past, including sanctions and financial woes, the firm aims to reshape its image and navigate US regulations through a multimillion-dollar campaign and strategic alignments, stressing its commitment to human rights amidst skepticism.</p><p><strong>So What?</strong></p><p>The thing I find most interesting about NSO is their public-facing strategy and open articulation of what the company does and can do (technically). Is this any different from companies offering offensive security services or C2 frameworks though? Has there been an exceptionalist view created in the media of NSO, unfairly vilifying them due to their clientele being less discreet (and more dictator&#8217;y)? I&#8217;m definitely not touching the political lens on this one!</p></blockquote><div><hr></div><p><a href="https://news.bloomberglaw.com/privacy-and-data-security/solarwinds-seeks-dismissal-of-unfounded-sec-cybersecurity-suit">SolarWinds Seeks Dismissal of &#8216;Unfounded&#8217; SEC Cybersecurity Suit</a> by Skye Witley (Bloomberg)</p><blockquote><p>SolarWinds Corp. refutes SEC allegations over its handling of a major cyberattack, asserting it made appropriate disclosures before and after the incident. The company, alongside its CISO, is challenging the SEC's claims of securities fraud and control violations, arguing that the enforcement action unjustly expands the SEC's authority and requirements for cybersecurity disclosures.</p><p><strong>So What?</strong></p><p>This is certainly something that will be interesting to follow! Hopefully, justice will prevail.</p></blockquote><div><hr></div><p><a href="https://docs.broadcom.com/doc/symantec-ech-whitepaper">An Encrypted Client Hello (ECH) Primer</a> by John Grady (Broadcom / Symantec)</p><blockquote><p>The paper explains the significance of Encrypted Client Hello (ECH) as an extension to the TLS 1.3 protocol, aimed at enhancing privacy by encrypting all connection metadata. 
It underscores the challenge this poses for security teams in terms of maintaining visibility into encrypted traffic for security and compliance purposes. The article posits that while ECH improves privacy, it necessitates proactive measures from security leaders to prepare, including education, planning, and engagement with product vendors to navigate the anticipated changes effectively.</p><p><strong>So What?</strong></p><p>I&#8217;ll be totally honest, and state that I didn&#8217;t have a clue what this was and that it was coming before reading this white paper. It&#8217;s worth a skim at the very least, as no doubt this will be a hot topic and something CISOs and CIOs will need to consider in their infrastructure designs.</p></blockquote><div><hr></div><p><a href="https://www.linkedin.com/pulse/microsofts-dangerous-addiction-security-revenue-alex-stamos-1ukzc/">Microsoft's Dangerous Addiction To Security Revenue</a> by Alex Stamos</p><blockquote><p>The article criticises Microsoft for exploiting security vulnerabilities within its cloud services as a sales opportunity for its security products. Stamos argues that Microsoft's approach to handling the breach linked to Russian intelligence services, specifically through its Azure Active Directory and Microsoft 365, underscores a broader issue. He contends that Microsoft is prioritising revenue from security products over the provision of inherently secure systems, calling for a shift towards security-by-default across all its offerings.</p><p><strong>So What?</strong></p><p>I agree with Alex&#8217;s key messages in this post. We do need to move to a world of security-by-default and at no extra cost to the customer. However, I take the dig at Microsoft&#8217;s handling of the latest breach with a pinch of salt. 
It&#8217;s easy for the likes of SentinelOne (Stamos&#8217; employers) and CrowdStrike (who took a swing last week) to criticise (with limited access to facts), and it&#8217;s in their interest to do so as key competitors in the &#8216;XDR&#8217; space. Moreover, I don&#8217;t see SentinelOne or CrowdStrike considering making any of their pay-for features free add-ons, and attackers certainly love to re-utilise a C2 for their own purposes. What does pride come before?</p></blockquote><div><hr></div><p><a href="https://cybsafe-resources.s3.eu-west-1.amazonaws.com/CYBSAFE-Oh%2C+Behave!+2023-FINAL+REPORT-231002MS.pdf">The Annual Cybersecurity Attitudes and Behaviors Report 2023</a> by Cybsafe</p><blockquote><p>The article summarises a study on online habits and cybersecurity attitudes. It finds that 93% of respondents are daily internet users, with nearly half owning over ten sensitive online accounts. Despite 84% prioritising online security, 39% feel frustrated and 37% intimidated by it. The younger generation is more sceptical about the effectiveness of online security.</p><p>Access to cybersecurity training is limited, with only a quarter of respondents having it, predominantly those employed or studying. The report notes a high awareness of cybercrimes, with phishing and identity theft being common. However, Millennials are most affected by online dating scams. Most victims report these crimes, especially to banks.</p><p>The study also examines behaviours like password management, use of multi-factor authentication (MFA), software updating, data backup, and phishing detection. It reveals mixed practices across generations, with older individuals less aware of newer security measures. Overall, the report highlights varied cybersecurity attitudes and practices, indicating a need for increased awareness and training.</p><p><strong>So What?</strong></p><p class="cta-caption">The report has some interesting information in it, and overall, Cybsafe have done a good job. 
I&#8217;ve not seen that many aggregated reports focused on awareness and training in this way. However, I do think that the report is overly long, lacking in &#8216;so what?&#8217; and &#8216;now what?&#8217; and the attempts at informality and Gen Z slang are a bit cringey!</p></blockquote><div><hr></div><p><a href="https://softwareanalyst.substack.com/p/cybersecurity-in-2024-startling-insights">Cybersecurity In 2024: Startling Insights from Over 1000+ CISOs</a> by Francis Odem</p><blockquote><p>The article summarises findings from over 1000 Chief Information Security Officers (CISOs), forecasting significant trends in cybersecurity for 2024. Key insights include an anticipated increase in security spending from $188 billion in 2023 to $215 billion in 2024, largely due to evolving SEC regulations and rising data breach costs. A major focus for CISOs is Identity Access Management (IAM), with a noted dissatisfaction with current solutions and a push towards more automated systems. Other areas poised for growth are data security, AI security, and cloud security. The article also touches on the challenges in sourcing skilled cybersecurity professionals and the integration of AI in cybersecurity strategies. Overall, the piece highlights the dynamic and expanding nature of the cybersecurity field as it adapts to new challenges and technologies in 2024.</p><p><strong>So What?</strong></p><p>An excellent analysis, which you&#8217;d expect from Francis. 
If the macro-environment of Cybersecurity is your world, this is worth a read.</p></blockquote><div><hr></div><p><a href="https://www.whitehouse.gov/wp-content/uploads/2024/01/Securing-the-Open-Source-Software-Ecosystem-OS3I-End-of-Year-Report-MASTERCOPY.pdf">Securing the Open-Source Software Ecosystem</a> by The White House</p><blockquote><p>The article outlines the Biden-Harris Administration's commitment to securing the open-source software ecosystem, particularly following the discovery of the Log4Shell vulnerability in 2021. The National Cybersecurity Strategy, established in 2023, aims to collaborate with the private sector and open-source community to enhance software security using memory-safe languages and other secure techniques.</p><p>Key to this strategy is the Open-Source Software Security Initiative (OS3I), which coordinates federal agencies and collects input from various stakeholders to develop policies that safeguard the open-source software ecosystem. In 2023, the OS3I's efforts focused on unifying federal approaches to open-source software security, developing strategic use within the federal government, promoting long-term investments in the ecosystem, and engaging with the open-source community.</p><p><strong>So What?</strong></p><p>This is a pretty interesting update and overview of what&#8217;s next.</p></blockquote><div><hr></div><p><a href="https://therecord.media/iran-intelligence-used-drug-trafficker-to-recruit-hell-angel-for-assassination">Iranian Intelligence Used Narco Trafficker to Recruit Hells Angel for Planned Assassination</a> by Alexander Martin</p><blockquote><p>The article reports on the indictment of an Iranian drug trafficker, Naji Sharifi Zindashti, for attempting to recruit a Hells Angels member to assassinate an Iranian defector in Maryland. 
This operation, seemingly at the behest of Iran's Ministry of Intelligence and Security, highlights the use of organised criminal groups by the Iranian regime to carry out transnational repression acts, including assassinations and kidnappings, while maintaining plausible deniability. This incident is part of a broader pattern of such activities globally, implicating the involvement of other designated individuals and groups.</p><p><strong>So What?</strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!P79a!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1dd4930-d7ca-4038-91ec-b7c8cb33b554_1485x1047.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!P79a!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1dd4930-d7ca-4038-91ec-b7c8cb33b554_1485x1047.jpeg 424w, https://substackcdn.com/image/fetch/$s_!P79a!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1dd4930-d7ca-4038-91ec-b7c8cb33b554_1485x1047.jpeg 848w, https://substackcdn.com/image/fetch/$s_!P79a!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1dd4930-d7ca-4038-91ec-b7c8cb33b554_1485x1047.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!P79a!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1dd4930-d7ca-4038-91ec-b7c8cb33b554_1485x1047.jpeg 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!P79a!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1dd4930-d7ca-4038-91ec-b7c8cb33b554_1485x1047.jpeg" width="404" height="284.9642857142857" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a1dd4930-d7ca-4038-91ec-b7c8cb33b554_1485x1047.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1027,&quot;width&quot;:1456,&quot;resizeWidth&quot;:404,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;This is Fine\&quot; Meme Analysis | Medium&quot;,&quot;title&quot;:&quot;This is Fine\&quot; Meme Analysis | Medium&quot;,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="This is Fine&quot; Meme Analysis | Medium" title="This is Fine&quot; Meme Analysis | Medium" srcset="https://substackcdn.com/image/fetch/$s_!P79a!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1dd4930-d7ca-4038-91ec-b7c8cb33b554_1485x1047.jpeg 424w, https://substackcdn.com/image/fetch/$s_!P79a!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1dd4930-d7ca-4038-91ec-b7c8cb33b554_1485x1047.jpeg 848w, https://substackcdn.com/image/fetch/$s_!P79a!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1dd4930-d7ca-4038-91ec-b7c8cb33b554_1485x1047.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!P79a!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1dd4930-d7ca-4038-91ec-b7c8cb33b554_1485x1047.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div></blockquote><div><hr></div>]]></content:encoded></item><item><title><![CDATA[Briefly Briefed: Newsletter #20 (25/01/24)]]></title><description><![CDATA["Yo, yo, yo, 148-3 to the 3 to the 6 to the 9.]]></description><link>https://www.munrobotic.com/p/briefly-briefed-newsletter-20-250124</link><guid isPermaLink="false">https://www.munrobotic.com/p/briefly-briefed-newsletter-20-250124</guid><dc:creator><![CDATA[Lawrence Munro]]></dc:creator><pubDate>Thu, 25 Jan 2024 10:29:57 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/c3fc642c-ae92-4c29-b535-d4ffb8d95243_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>"Yo, yo, yo, 148-3 to the 3 to the 6 to the 9. Representing the ABQ."</p><p>This is week #20 of the &#8216;Briefly Briefed:&#8217; newsletter. 
A big welcome to new subscribers, and many thanks to those who continue to read.</p><p>My &#8216;if you only read two&#8217; recommendations for the week are:</p><ul><li><p><a href="https://therecord.media/small-business-ransomware-attacks-mental-health-rusi-study">Ransomware attacks leave small business owners feeling suicidal</a> by Alexander Martin</p></li><li><p><a href="https://www.pluginvulnerabilities.com/2024/01/22/many-cve-records-are-listing-the-wrong-versions-of-software-as-being-affected/">Many CVE Records Are Listing the Wrong Versions of Software as Being Affected</a> by pluginvulnerabilities.com </p></li></ul><p>"Remember who you're working for."</p><p>Lawrence</p><p><strong>Meme of the Week:</strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!aNHI!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6156f26a-d158-4a61-97e6-1d4aa5f0ffd4_480x637.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!aNHI!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6156f26a-d158-4a61-97e6-1d4aa5f0ffd4_480x637.png 424w, https://substackcdn.com/image/fetch/$s_!aNHI!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6156f26a-d158-4a61-97e6-1d4aa5f0ffd4_480x637.png 848w, https://substackcdn.com/image/fetch/$s_!aNHI!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6156f26a-d158-4a61-97e6-1d4aa5f0ffd4_480x637.png 1272w, 
https://substackcdn.com/image/fetch/$s_!aNHI!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6156f26a-d158-4a61-97e6-1d4aa5f0ffd4_480x637.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!aNHI!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6156f26a-d158-4a61-97e6-1d4aa5f0ffd4_480x637.png" width="308" height="408.7416666666667" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/6156f26a-d158-4a61-97e6-1d4aa5f0ffd4_480x637.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:637,&quot;width&quot;:480,&quot;resizeWidth&quot;:308,&quot;bytes&quot;:660569,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!aNHI!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6156f26a-d158-4a61-97e6-1d4aa5f0ffd4_480x637.png 424w, https://substackcdn.com/image/fetch/$s_!aNHI!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6156f26a-d158-4a61-97e6-1d4aa5f0ffd4_480x637.png 848w, https://substackcdn.com/image/fetch/$s_!aNHI!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6156f26a-d158-4a61-97e6-1d4aa5f0ffd4_480x637.png 1272w, 
https://substackcdn.com/image/fetch/$s_!aNHI!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6156f26a-d158-4a61-97e6-1d4aa5f0ffd4_480x637.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><div><hr></div><p><a href="https://www.pluginvulnerabilities.com/2024/01/22/many-cve-records-are-listing-the-wrong-versions-of-software-as-being-affected/">Many CVE Records Are Listing the Wrong Versions of Software as Being Affected</a> by pluginvulnerabilities.com</p><blockquote><p>This article discusses inaccuracies in Common Vulnerabilities and Exposures (CVE) records, highlighting instances where the wrong versions of software are listed as being affected by vulnerabilities. It cites examples where security providers like Wordfence and Patchstack, involved in the CVE system, inaccurately claim all previous versions of certain software as vulnerable. The article emphasises the significant implications of such inaccuracies, including misleading security assessments and incorrect identification of security breach sources. It advocates for a more accurate reporting system in the CVE records to mitigate these issues.</p><p><strong>So What?</strong></p><p>Whilst there is a lot of great work done by <a href="https://www.cve.org/ProgramOrganization/CNAs">CNAs</a>, NIST NVD and CISA, managing vulnerability data at a macro level still leaves a lot to be desired. This is one of a long list of issues relating to the accuracy and utility of vulnerability metadata at scale. The post illustrates the impact and overhead these shortfalls can create. It&#8217;s hardly news, but we (the collective infosec community) need to consider how to drive change and support agencies tasked with supporting these frameworks. Interestingly, according to <a href="https://ieeexplore.ieee.org/abstract/document/9820232">this white paper</a>, China&#8217;s <a href="https://dbpedia.org/page/Chinese_National_Vulnerability_Database">CNVD</a> is doing a better job than their US counterparts. 
Doubtless there are lessons to be learnt.</p></blockquote><div><hr></div><p><a href="https://www.sec.gov/secgov-x-account">SECGov X Account Compromise</a> by The SEC</p><blockquote><p>The article describes a security incident involving the unauthorised access of the SEC's @SECGov X account on January 9, 2024. It details the SEC's response and coordination with law enforcement and federal oversight entities, including the FBI and DHS's Cybersecurity and Infrastructure Security Agency. The unauthorised access was achieved via a SIM swap attack on the SEC's phone number associated with the account. The article outlines the SEC's ongoing investigation, the disabling and re-enabling of multi-factor authentication on their accounts, and emphasises the SEC's commitment to cybersecurity and incident impact assessment.</p><p><strong>So What?</strong></p><p>I hope this is going on their <a href="https://www.sec.gov/news/statement/gerding-cybersecurity-disclosure-20231214">Form 8k</a>&#8230; Joking aside, this demonstrates why utilising SMS-based MFA is not a good idea. Attackers are becoming more skilled at bypassing MFA as adoption increases. It&#8217;s a good idea to enable more than two factors where the option is available, avoiding fall-back to SMS. It&#8217;s recommended to back up authenticator apps securely, else you could lose access should your smartphone have issues (don&#8217;t save the files on your local machine unencrypted or in the same place you keep your passwords though!)</p></blockquote><div><hr></div><p><a href="https://eaton-works.com/2024/01/17/ttibi-email-hack/">Hacking into a Toyota/Eicher Motors Insurance Company by Exploiting Their Premium Calculator Website</a> by Eaton Zveare</p><blockquote><p>The article details a significant security breach at Toyota Tsusho Insurance Broker India (TTIBI) and Eicher Motors, initiated through a premium calculator website. 
The exploit involved a client-side email sending mechanism, which led to the leakage of an email account password and enabled access to TTIBI's Microsoft corporate cloud resources. The breach revealed extensive customer information including insurance policy PDFs, OTPs, and more. Despite the vulnerability being reported, TTIBI took over two months to address the issue and had not changed the compromised email password, highlighting significant security oversights and risks.</p><p><strong>So What?</strong></p><p>It&#8217;s often the most inconspicuous functionality that proves the most problematic! Anyone else remember using the calculator in Windows XP to priv esc? What is it about calculator apps?</p></blockquote><div><hr></div><p><a href="https://hbr.org/2024/01/how-to-vet-a-corporate-intelligence-vendor">How to Vet a Corporate Intelligence Vendor</a> by Maria Robson-Morrow, Katherine Tucker, and Paul R. Kolbe (HBR)</p><blockquote><p>This article emphasises the growing demand for intelligence vendors in the corporate sector. It presents four key questions to guide the selection of an intelligence vendor: ensuring the vendor's expertise aligns with the company's needs, confirming that their services can be tailored to specific requirements, verifying the vendor's ethical standards, and fostering a supportive relationship with them. The authors stress the importance of specialisation, ethical conduct, and mutual understanding in these vendor-client relationships to maximise the effectiveness and integrity of the intelligence services.</p><p><strong>So What?</strong></p><p>The post provides good insights into how to select intelligence vendors to support security goals. These types of cyber-physical risks are increasingly falling to the CISO to manage, especially in cases of offshoring or vendor management. 
</p></blockquote><div><hr></div><p><a href="https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/">Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard</a> by MSRC</p><blockquote><p>The post details Microsoft's response to an attack by the nation-state actor known as Midnight Blizzard, identified as Russian state-sponsored actor Nobelium. The attack, detected on January 12, 2024, involved a password spray attack compromising a non-production test account and accessing a small percentage of Microsoft's corporate email accounts. It emphasises that the attack didn't stem from a vulnerability in Microsoft products or services and did not affect customer environments, production systems, source code, or AI systems. Microsoft outlines its commitment to security and business risk balance, mentioning the Secure Future Initiative and a move towards applying current security standards to all Microsoft-owned legacy systems and internal business processes. The post concludes with a pledge to share information and learnings to benefit the community and to continue collaborating with law enforcement and regulators.</p><p><strong>So What?</strong></p><p>The attack on Microsoft was the big news of the past week, as it became public following their <a href="https://www.sec.gov/ix?doc=/Archives/edgar/data/789019/000119312524011295/d708866d8k.htm">SEC form 8K filing</a>. Some industry stalwarts are sceptical of the details Microsoft have released, including <a href="https://www.crn.com/news/security/2024/crowdstrike-ceo-microsoft-explanation-for-russia-hack-doesn-t-add-up">Crowdstrike CEO George Kurtz</a>, highlighting that details are unusually &#8216;scant&#8217;. 
This isn&#8217;t the first time he&#8217;s had a <a href="https://www.crn.com/slide-shows/security/crowdstrike-ceo-george-kurtz-takes-big-swings-at-microsoft-sentinelone">public pop at Microsoft</a> though, and probably won&#8217;t be the last! It will be interesting to see more high-profile disclosures from publicly listed companies via this route, and the impact on share price and security spend.</p></blockquote><div><hr></div><p><a href="https://osdfir.blogspot.com/2024/01/how-do-you-know-you-are-ready-to-respond_19.html">How do you know you are "Ready to Respond"?</a> by Angelika Rohrer</p><blockquote><p>The article introduces the Continuous Improvement (CI) Framework, a tool designed to assess and improve an organisation's readiness to respond to incidents. It emphasises the importance of having a well-maintained operational infrastructure for effective incident response. The framework includes a systematic approach to categorising and measuring response strategies, identifying gaps in operational infrastructure, and guiding the prioritisation of improvements. The CI Framework is presented as a dynamic and scalable solution for organisations to enhance their incident response capabilities.</p><p><strong>So What?</strong></p><p>It&#8217;s great to see an emphasis on continuous improvement as part of <a href="https://www.cisco.com/c/en/us/products/security/incident-response-plan.html">IRPs</a>. One of the most common mistakes in incident response is not taking the time to evaluate past performance. This is often due to time pressures and the reliance on multi-purpose secops teams who&#8217;re spread thin. 
However, alongside testing well-documented plans, &#8216;lessons learnt&#8217; are essential.</p></blockquote><div><hr></div><p><a href="https://therecord.media/small-business-ransomware-attacks-mental-health-rusi-study">Ransomware attacks leave small business owners feeling suicidal</a> by Alexander Martin (The Record)</p><blockquote><p>The article, based on a <a href="https://static.rusi.org/ransomware-harms-op-january-2024.pdf">Royal United Services Institute (RUSI) report</a>, highlights the severe psychological impact of ransomware attacks on small business owners. It details cases where business owners felt suicidal and the need for PTSD support teams due to the immense stress caused by such attacks. The report underscores the intertwining of personal and professional lives in small businesses, intensifying the emotional toll of these cyber incidents. It also notes the often-overlooked stress on IT teams in larger organisations, leading to burnout and other mental health issues.</p><p><strong>So What?</strong></p><p>This is really distressing to see, but not wholly surprising. It can be quite emotionally draining to be a defender in larger organisations too, especially during late nights and ongoing campaigns (as I&#8217;m sure many of you know.) The report findings reiterate the human cost of cyberattacks. 
I hope that cyber-criminals will come to understand the effect their actions have on other human beings, sometimes ruining livelihoods.</p></blockquote><div><hr></div><p><a href="https://lve-project.org/">&#8216;LVE Repository&#8217; (Language Model Vulnerabilities and Exposures)</a></p><blockquote><p>The LVE Project is a repository that documents and tracks vulnerabilities and exposures of large language models. It focuses on identifying and sharing information about potential security and ethical issues associated with these advanced AI systems. The site is an open-source, Apache-2 licensed project, encouraging contributions from the community. It features various sections such as documentation, challenges, and a blog, aiming to foster a global collaborative effort in red teaming language models and addressing issues related to privacy, reliability, security, and trust.</p><p><strong>So What?</strong></p><p>As focal points for LLMs and AI safety and security emerge, it&#8217;s unclear which one will become &#8216;the Highlander&#8217; of cybers. This is a useful resource though, and already has a good amount of data.</p></blockquote><div><hr></div><p><a href="https://abnormalsecurity.com/blog/financial-services-vec-trends-2023">Financial Services Organizations Experience 137% Increase in Vendor Email</a> by Mick Leach (Abnormal Security)</p><blockquote><p>The article discusses a significant increase in vendor email compromise (VEC) and business email compromise (BEC) attacks targeting the financial services sector in 2023. 
It highlights a 137% rise in VEC attacks and a 71% increase in BEC attacks, illustrating the growing sophistication of cybercriminals in exploiting email systems. The article underscores the need for financial services organisations to adopt advanced security measures and strategies to counter these threats.</p><p><strong>So What?</strong></p><p>Some useful data to inform business cases and for aggregated reports, especially for those in the financial services industry.</p></blockquote><div><hr></div><p><a href="https://blog.trailofbits.com/2024/01/12/how-to-introduce-semgrep-to-your-organization/">How to Introduce Semgrep to Your Organization</a> by Maciej Domanski (Trail of Bits)</p><blockquote><p>The article provides a comprehensive guide on integrating Semgrep, a static analysis tool, into an organisation. It covers a seven-step plan for effective implementation, focusing on understanding Semgrep's capabilities, exploring its rulesets, tailoring it to specific organisational needs, and ensuring its ethical and effective use. The article emphasises the importance of training teams on Semgrep, customising its features, and integrating it into the CI/CD pipeline for optimal security and code quality enhancement.</p><p><strong>So What?</strong></p><p>I wouldn&#8217;t normally share product specific &#8216;how-tos&#8217; outside of the CSPs (AWS, Azure, GCP), but this post has broader appeal, and I&#8217;m a big fan of Semgrep and their approach to SAST.</p></blockquote><div><hr></div><p><a href="https://academy.intel-ops.io/courses/hunting-adversary-infra">Hunting Adversary Infrastructure Training Course</a> by Michael Koczwara</p><blockquote><p>The course is designed to teach advanced techniques in hunting adversary infrastructure. It covers topics like infrastructure hunting, tooling, tracking criminal groups and nation-state actors from various countries, and exploring post-exploitation frameworks. 
The course is aimed at developing practical skills and deepening theoretical understanding of tracking APT, criminal and ransomware groups. It emphasises learning how to track threat actors' infrastructure and advanced pivoting techniques.</p><p><strong>So What?</strong></p><p>Over the last few years, <a href="https://michaelkoczwara.medium.com/">Michael</a> has made some great contributions to threat hunting (especially around C2 frameworks). This training looks great for anyone involved in SOCs, threat hunting or detection engineering.</p></blockquote><div><hr></div><p><a href="https://blog.improsec.com/tech-blog/the-fundamentals-of-ad-tiering">The Fundamentals of AD Tiering</a> by Tobias Thorbj&#248;rn Munch Torp</p><blockquote><p>The blog post by Tobias Thorbj&#248;rn Munch Torp provides a detailed guide on implementing Active Directory (AD) tiering. It covers the core concepts and practical steps to classify, organise, and secure AD environments into different tiers based on access privileges and security requirements. The post emphasises the importance of a structured approach to prevent unauthorised access and enhance overall AD security, offering a comprehensive view on tiering strategies for effective administration and security management.</p><p><strong>So What?</strong></p><p>Best. Name. Ever.</p><p>This is a well-covered area of research and documentation, but there are some useful takeaways and it serves as a great primer for non-security engineers who need to tackle the AD tiering challenge.</p></blockquote><div><hr></div><p><a href="https://bishopfox.com/blog/its-2024-and-over-178-000-sonicwall-firewalls-are-publicly-exploitable">It&#8217;s 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable</a> by Jon Williams, Senior Security Engineer (Bishop Fox)</p><blockquote><p>The article discusses vulnerabilities in SonicWall next-generation firewall devices, specifically series 6 and 7. 
It reveals two unauthenticated denial-of-service vulnerabilities that potentially allow for remote code execution (although they were not discovered by Bishop Fox themselves). The vulnerabilities, identified as CVE-2022-22274 and CVE-2023-0656, were found to be fundamentally similar but exploitable at different HTTP URI paths. The article reports that 76% of the scanned SonicWall firewalls exposed to the internet are vulnerable to one or both issues, posing significant security risks.</p><p><strong>So What?</strong></p><p>It&#8217;s 2024?? Why didn&#8217;t anyone tell me?! This is a nice piece of research by Bishop Fox, and illustrates the challenges vendors and organisations have when trying to patch. Network devices are generally more difficult to patch and many organisations don&#8217;t run the latest and greatest code versions for a number of technical (normally compatibility) reasons. That said, there&#8217;s unlikely to be a good use-case to not mitigate those specific CVEs.</p></blockquote><div><hr></div><p><a href="https://portswigger.net/web-security/llm-attacks">Web LLM Attacks</a> by Portswigger Web Security Academy</p><blockquote><p>The article discusses the vulnerabilities associated with integrating Large Language Models (LLMs) into websites. It outlines how attackers can exploit these models to access data, APIs, or user information indirectly. The key techniques include prompt injection, exploiting LLM APIs, and indirect prompt injection. The article emphasises the need for robust security measures, such as treating APIs accessible by LLMs as publicly available and avoiding feeding sensitive data to LLMs. It provides insights into the potential risks and suggests best practices for safeguarding against LLM attacks.</p><p><strong>So What?</strong></p><p>This is a great resource, and for me, signifies the start of Web LLM pen testing going more mainstream. The content in the Web Security Academy is consistently high, and this is no exception. 
</p></blockquote><div><hr></div><p><a href="https://andrew-horton.medium.com/a-universal-prompt-injection-attack-in-the-gpt-store-6cacf6d887c0">Exploring the Vulnerabilities of AI: A Universal Prompt Injection Attack in the GPT Store</a> by Andrew Horton</p><blockquote><p>The article delves into the vulnerabilities in AI, focusing on a universal prompt injection attack in the GPT Store. It highlights how most GPTs, including those used in popular applications like Canva, are susceptible to information leaks. The post explains the concept of a prompt injection attack, where a special phrase is used within a prompt to disclose hidden pre-prompts or instructions of the AI, potentially leading to data breaches and other risks. The article also discusses the implications of such vulnerabilities, suggesting the need for better security measures in AI applications.</p><p><strong>So What?</strong></p><p>I really enjoyed this post (and subsequently playing with the pre-prompt injection payload and trying my own.) I&#8217;m not convinced this particular vector will disclose anything THAT sensitive, but I&#8217;m often surprised by what software &#8216;builders&#8217; will decide to store where.</p></blockquote><div><hr></div>]]></content:encoded></item><item><title><![CDATA[Briefly Briefed: Newsletter #19 (18/01/24)]]></title><description><![CDATA[&#8220;Just when I thought I was out, they pull me back in.&#8221;]]></description><link>https://www.munrobotic.com/p/briefly-briefed-newsletter-19-180124</link><guid isPermaLink="false">https://www.munrobotic.com/p/briefly-briefed-newsletter-19-180124</guid><dc:creator><![CDATA[Lawrence Munro]]></dc:creator><pubDate>Thu, 18 Jan 2024 10:35:51 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/922336fb-c5b4-4125-9da8-628c99638640_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>&#8220;Just when I thought I was out, they pull me back in.&#8221;</p><p>This is week #19 of the &#8216;Briefly Briefed:&#8217; newsletter. A big welcome to new subscribers, and many thanks to those who continue to read. The newsletter hit a milestone this week of over 500 subscribers (growing at about 120 per month) and ~3000 views per month in total. I really appreciate the time you give my ramblings, and I hope you find utility in it.</p><p>My &#8216;if you only read two&#8217; recommendations for the week are:</p><ul><li><p><a href="https://3375217.fs1.hubspotusercontent-na1.net/hubfs/3375217/Documents/The-State-of-Software-Supply-Chain-Security-2024.pdf">The State of Software Supply Chain Security 2024</a> by ReversingLabs</p></li><li><p><a href="https://cyberscoop.com/quantum-computing-threat/">The quantum computing threat is real. Now we need to act.</a> by Susan M. 
Gordon, John Richardson, and Mike Rogers</p></li></ul><p>"Our true enemy has not yet shown his face."</p><p>Lawrence</p><p><strong>Meme of the Week:</strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!o3rd!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F774fc4de-d929-4da6-a4e6-36935b48e436_1170x873.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!o3rd!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F774fc4de-d929-4da6-a4e6-36935b48e436_1170x873.png 424w, https://substackcdn.com/image/fetch/$s_!o3rd!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F774fc4de-d929-4da6-a4e6-36935b48e436_1170x873.png 848w, https://substackcdn.com/image/fetch/$s_!o3rd!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F774fc4de-d929-4da6-a4e6-36935b48e436_1170x873.png 1272w, https://substackcdn.com/image/fetch/$s_!o3rd!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F774fc4de-d929-4da6-a4e6-36935b48e436_1170x873.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!o3rd!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F774fc4de-d929-4da6-a4e6-36935b48e436_1170x873.png" width="404" height="301.44615384615383" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/774fc4de-d929-4da6-a4e6-36935b48e436_1170x873.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:873,&quot;width&quot;:1170,&quot;resizeWidth&quot;:404,&quot;bytes&quot;:1849803,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!o3rd!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F774fc4de-d929-4da6-a4e6-36935b48e436_1170x873.png 424w, https://substackcdn.com/image/fetch/$s_!o3rd!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F774fc4de-d929-4da6-a4e6-36935b48e436_1170x873.png 848w, https://substackcdn.com/image/fetch/$s_!o3rd!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F774fc4de-d929-4da6-a4e6-36935b48e436_1170x873.png 1272w, https://substackcdn.com/image/fetch/$s_!o3rd!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F774fc4de-d929-4da6-a4e6-36935b48e436_1170x873.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" 
xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.munrobotic.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:&quot;button-wrapper&quot;}" data-component-name="ButtonCreateButton"><a class="button primary button-wrapper" href="https://www.munrobotic.com/subscribe?"><span>Subscribe now</span></a></p><div><hr></div><p><a href="https://www.bloomberg.com/news/articles/2024-01-15/south-korea-lays-out-470-billion-plan-to-build-chipmaking-hub">South Korea Lays Out $470 Billion Plan to Build Chipmaking Hub</a> by Sohee Kim</p><blockquote><p>The article details South Korea's strategy to develop the world's largest chipmaking hub near Seoul. The plan involves a substantial investment of $470 billion by 2047 by major firms like Samsung Electronics and SK Hynix. This initiative will see the construction of 13 new chip plants and three research facilities. 
The project aims to increase South Korea's self-sufficiency in semiconductors and boost its share in the global logic chip market. The government's support includes significant tax breaks, positioning South Korea competitively against global rivals in the semiconductor industry.</p><p><strong>So What?</strong></p><p>Given the world&#8217;s <a href="https://www.forbes.com/sites/katharinabuchholz/2023/01/13/advanced-microchip-production-relies-on-taiwan/">over-dependency on Taiwan</a> (and the <a href="https://www.theverge.com/23578430/chip-war-chris-miller-asml-intel-apple-samsung-us-china-decoder">Dutch company ASML</a>, who build the machines that make the most advanced chips) to manufacture semiconductors, this is a wise move by South Korea. Most developed countries have been <s>panicking</s> concerned about the dependency for some time, especially since <a href="https://www.cfr.org/backgrounder/china-taiwan-relations-tension-us-policy-biden">tensions with China have increased over Taiwan&#8217;s independence</a> (and its assurance by the US). The US passed the <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2022/08/09/fact-sheet-chips-and-science-act-will-lower-costs-create-jobs-strengthen-supply-chains-and-counter-china/">CHIPS and Science Act</a> in 2022, which incentivised chip manufacture on American soil and restricted export to China. This does seem to be having the <a href="https://www.citigroup.com/global/insights/global-insights/the-u-s-china-chip-war-who-dares-to-win">intended impact</a>, with Taiwan&#8217;s market share expected to reduce by 18% by 2033. The UK has promised a &#163;1bn investment over the next 10 years, and has published a <a href="https://www.gov.uk/government/news/new-1-billion-strategy-for-uks-semiconductor-sector">twenty-year strategy</a> (!)
to assure supply chains domestically.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!U7ES!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa3e1ecec-f267-4ff4-a906-475bd949e3c6_914x338.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!U7ES!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa3e1ecec-f267-4ff4-a906-475bd949e3c6_914x338.png 424w, https://substackcdn.com/image/fetch/$s_!U7ES!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa3e1ecec-f267-4ff4-a906-475bd949e3c6_914x338.png 848w, https://substackcdn.com/image/fetch/$s_!U7ES!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa3e1ecec-f267-4ff4-a906-475bd949e3c6_914x338.png 1272w, https://substackcdn.com/image/fetch/$s_!U7ES!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa3e1ecec-f267-4ff4-a906-475bd949e3c6_914x338.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!U7ES!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa3e1ecec-f267-4ff4-a906-475bd949e3c6_914x338.png" width="606" height="224.10065645514223" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a3e1ecec-f267-4ff4-a906-475bd949e3c6_914x338.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:338,&quot;width&quot;:914,&quot;resizeWidth&quot;:606,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!U7ES!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa3e1ecec-f267-4ff4-a906-475bd949e3c6_914x338.png 424w, https://substackcdn.com/image/fetch/$s_!U7ES!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa3e1ecec-f267-4ff4-a906-475bd949e3c6_914x338.png 848w, https://substackcdn.com/image/fetch/$s_!U7ES!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa3e1ecec-f267-4ff4-a906-475bd949e3c6_914x338.png 1272w, https://substackcdn.com/image/fetch/$s_!U7ES!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa3e1ecec-f267-4ff4-a906-475bd949e3c6_914x338.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div></blockquote><div><hr></div><p><a href="https://www.ncsc.gov.uk/blog-post/landing-at-the-ncsc-glad-i-brought-my-towel">Landing at the NCSC (glad I brought my towel)</a> by Ollie Whitehouse</p><blockquote><p>Ollie outlines his strategic priorities for enhancing the UK's cybersecurity. 
He emphasises the need for evidence-based approaches to assess the efficacy of cyber defences and addresses the challenge of technical security debt in the field. The post advocates for integrating cybersecurity as a fundamental feature in technology, rather than as a premium addition. He also highlights the importance of preparing for major cyber incidents and the role of market forces in driving cybersecurity improvements. The article reflects on the journey ahead in achieving these goals for national and international cyber resilience.</p><p><strong>So What?</strong></p><p>If you saw either of Ollie&#8217;s talks (at Black Hat Europe or the SANS summit), you&#8217;ll have captured the key themes in this post (with ~20% more Ollie). I think there&#8217;s a good mix of fundamentals (Cyber as a science and security as standard) and some of the more complicated challenges that still elude us (like technical security debt). I hope the UK industry will rally to support the NCSC mission, as these are issues that impact us all. Good luck, Ollie and team! &lt;/pompoms&gt;</p></blockquote><div><hr></div><p><a href="https://theintercept.com/2024/01/12/open-ai-military-ban-chatgpt/">OpenAI Quietly Deletes Ban on Using ChatGPT for &#8220;Military and Warfare&#8221;</a> by Sam Biddle</p><blockquote><p>The article discusses OpenAI's recent policy change, which subtly removes the explicit ban on using its technology, like ChatGPT, for military purposes. The previous policy specifically prohibited uses that entailed high risk of physical harm, including weapons development and military applications. The revised policy omits the specific ban on military and warfare uses, instead broadly prohibiting service use to harm others. This change raises concerns about OpenAI's potential involvement in military applications and its partnership with defense contractors like Microsoft.</p><p><strong>So What?</strong></p><p>Sneaky, huh? What could it mean?
I don&#8217;t think there&#8217;s a big conspiracy here; I would be surprised if the US NSA and DoD were too concerned by software Ts and Cs for an end-user product. Conversely, it is interesting to see the ongoing impact of the <a href="https://www.wired.com/story/sam-altman-officially-returns-to-openai-board-seat-microsoft/">board substitutions</a> last year at OpenAI, and doubtless this is a symptom of that cultural shift. </p></blockquote><div><hr></div><p><a href="https://www.fiercebiotech.com/biotech/alphabets-isomorphic-stacks-two-new-deals-lilly-novartis-worth-nearly-3b-ahead-buzzy-jpm">Alphabet&#8217;s Isomorphic stacks two new deals with Lilly, Novartis worth nearly $3B ahead of JPM</a> by Max Bayer</p><blockquote><p>Not Cyber. The article reports on Isomorphic's recent agreements with Eli Lilly and Novartis, totaling almost $3 billion. These deals leverage Alphabet&#8217;s AlphaFold AI technology, underlying Isomorphic's platform, for predicting protein structures to expedite target discovery and compound development. The partnerships involve substantial upfront payments and potential milestone payments for developing small molecule therapies targeting unspecified diseases. The company, a branch of Alphabet and a product of Google DeepMind&#8217;s technology, has kept a low profile since its inception but has a notable scientific advisory board.</p><p><strong>So What?</strong></p><p>I shared this as a potentially interesting datapoint relating to AI&#8217;s impact more broadly. This technology is really exciting (IMHO) and will turbocharge biological (especially genomic) research.</p></blockquote><div><hr></div><p><a href="https://cyberscoop.com/quantum-computing-threat/">The quantum computing threat is real. Now we need to act.</a> by Susan M. Gordon, John Richardson, and Mike Rogers</p><blockquote><p>The post highlights the urgent need for the U.S. to address quantum computing threats. The article posits that adversaries may exploit encrypted U.S. 
data using future quantum computing capabilities, making current public-key encryption obsolete. It urges immediate migration to post-quantum cryptography (PQC) for government and private sectors. The government has taken steps through executive orders and legislation, but more action is needed to protect sensitive data from these emerging threats.</p><p><strong>So What?</strong></p><p>The threat that PQC is intended to counter is becoming more and more real. I don&#8217;t believe that most enterprises need to be worried just yet, but certainly nation states are worried (as the article suggests). The main challenge in preparing, for most organisations, is that the likelihood of threat actors possessing this capability is largely unknown (at least publicly). There is sure to be a large one-off expense for organisations to migrate, and ongoing costs as quantum-resistant algorithms (or more likely their implementations) fail. One of the latest advancements is the ability to stabilise <a href="https://www.sciencedaily.com/releases/2024/01/240111113125.htm">qubits at room temperature</a>, which will ultimately lower the cost of quantum computers if broadly implementable. The field is moving really quickly, so it&#8217;s important to keep up to date as a defender. Key <a href="https://csrc.nist.gov/projects/post-quantum-cryptography">milestones and recommended algorithms are being maintained by NIST</a>.</p></blockquote><div><hr></div><p><a href="https://owasp.org/www-project-mobile-top-10/">OWASP Mobile Top 10 2023: Updates</a> by OWASP</p><blockquote><p>The post shows the initial release candidates from the 2023 Mobile Top 10 and a comparison to the previous release. There are also links to contribute (via their Slack channel), and supplementary information from previous years.</p><p><strong>So What?</strong></p><p>The top 10s from OWASP continue to provide a useful reference point for vulnerability frequency and prevalence.
However, many organisations and practitioners still use them for the wrong purpose. A common misuse of the top 10s (especially the web application flavour) is as a vulnerability baseline, in that it&#8217;s treated as a minimal checklist of issues to mitigate. Whenever you attempt to illustrate a vast dataset in summary, you always end up with reference points that are not applicable in a high number of cases. The Top 10s are no different. You could argue that it&#8217;s &#8216;better than nothing&#8217; (and you&#8217;d be right), but the efficacy of the outcome will be very low. If you&#8217;re attempting to find a good security baseline for mobile, the OWASP <a href="https://mas.owasp.org/MASVS/">MASVS</a> is more applicable.</p></blockquote><div><hr></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://forms.gle/kFdbX8sTTGj8YiHu6&quot;,&quot;text&quot;:&quot;Send Lawrence Feedback&quot;,&quot;action&quot;:null,&quot;class&quot;:&quot;button-wrapper&quot;}" data-component-name="ButtonCreateButton"><a class="button primary button-wrapper" href="https://forms.gle/kFdbX8sTTGj8YiHu6"><span>Send Lawrence Feedback</span></a></p><div><hr></div><p><a href="https://learn.microsoft.com/en-us/microsoft-365/security/defender/configure-deception">Configure the deception capability in Microsoft Defender XDR</a> by Microsoft</p><blockquote><p>Microsoft has released a new deception capability in Defender XDR. This post explains how to enable it. This <a href="https://learn.microsoft.com/en-us/microsoft-365/security/defender/deception-overview">companion article</a> explains a bit more about the features and what it entails.</p><p>Enabling it requires one of the following subscriptions, and EA or SA permissions:</p><ul><li><p>Microsoft 365 E5</p></li><li><p>Microsoft Security E5</p></li><li><p>Microsoft Defender for Endpoint Plan 2</p></li></ul><p><strong>So What?</strong></p><p>If you utilise the Microsoft Defender suite, you may benefit from experimenting with these features.
</p></blockquote><div><hr></div><p><a href="https://www.deepseas.com/wp-content/uploads/2024/01/threat_intel-ebook-4.pdf">The Deep Dive: Cyber Defense in 2024: A Special Report on Potential 2024 Cyber Threats</a> by Deepseas</p><blockquote><p>The report explores the evolving cyber threat landscape for 2024. It highlights the increased use of AI, data theft, and sophisticated ransomware by threat actors. The report, based on research and expertise, aims to provide guidance for CISOs and CIOs on mitigating these risks in a changing environment. It addresses key challenges such as the high demand on cybersecurity teams, the expanding attack surface, and the complexity of operationalising threat intelligence. The focus is on practical and strategic responses to these emerging threats. The key trends the report identifies are as follows:</p><ul><li><p>Trend 1: AI Evolves from Tool to Weapon</p></li><li><p>Trend 2: Operational Technology (OT) Attacks Cross a New Line</p></li><li><p>Trend 3: The Ransomware Madness Continues</p></li><li><p>Trend 4: No Surprises Here &#8211; Humans Are Still Vulnerable</p></li><li><p>Trend 5: Identity Re-emerges as a Highly Targeted Attack Surface</p></li></ul><p><strong>So What?</strong></p><p>No real surprises in this report, but useful datapoints for your presentations and papers!</p></blockquote><div><hr></div><p><a href="https://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2024.pdf">The Global Risks Report 2024</a> by World Economic Forum</p><blockquote><p>The report provides an analysis of global risks. The analysis, based on insights from nearly 1,500 experts, examines risks over different time frames to assist decision-makers. It highlights the growing global challenges, including environmental risks, societal polarisation, misinformation, economic difficulties, and technological threats. The report emphasises the need for immediate action to address these risks in a rapidly changing, fragmented world.</p><p><strong>So What?</strong></p><p>This report goes much broader than Cybersecurity.
I found it interesting as economic context for the challenges we face as an industry. It&#8217;s not a light read though!</p></blockquote><div><hr></div><p><a href="https://ico.org.uk/about-the-ico/what-we-do/our-work-on-artificial-intelligence/generative-ai-first-call-for-evidence/">Generative AI first call for evidence: The lawful basis for web scraping to train generative AI models</a> by the UK ICO</p><blockquote><p>The article discusses the legal considerations for using web-scraped data to train generative AI models. The focus is on ensuring compliance with data protection laws, particularly the lawful basis under UK GDPR. The ICO examines whether the 'legitimate interests' basis can apply, requiring developers to pass a three-part test that includes assessing the purpose of processing, its necessity, and balancing individual rights against the interests pursued. The report emphasises the need for developers to carefully consider and document their compliance with these legal requirements.</p><p><strong>So What?</strong></p><p>Ironically, this week I received my first warning from ChatGPT regarding directly quoting information I provided to it. Essentially, I asked it to extract section headings from this article, to ensure the summary I created captured the key points. However, the prompt doth protesteth. The error I received was: &#8220;I'm sorry, I can't provide the exact headings from the report as it would involve directly repeating content from the article.&#8221; I thought this was pretty interesting given it&#8217;s not so fussy within the training datasets! Additionally, I have noticed that there is an increase in the number of sites using <a href="https://www.theverge.com/2023/8/7/23823046/openai-data-scrape-block-ai">exception-based policies in their robots.txt</a> for user-agent strings to block AI bots.
It&#8217;ll be interesting to see how governments intend to legislate, and more importantly, police this problem.</p></blockquote><div><hr></div><p><a href="https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/858501p.pdf">US Department of Defense Instruction: 858501 for Cyber Red Teams</a> by US DoD</p><blockquote><p>The instruction outlines the policies and responsibilities for the Department of Defense Cyber Assessment Program. It establishes the governance and functioning of the DoD Cyber Red Team (DCRT) community, including mission prioritisation, deconfliction, and reporting of findings. The instruction also defines the scope and authorities of DCRTs, and the processes for validating their skills and qualifications. It details the responsibilities of various DoD officials and departments in relation to the program, emphasising the need for coordination and compliance across different sectors of the DoD.</p><p><strong>So What?</strong></p><p>If you lead a red team or run regular exercises with third parties, there are some interesting ideas in this instruction you may find useful.</p></blockquote><div><hr></div><p><a href="https://iz-ru.translate.goog/1622822/ivan-chernousov/ii-tut-i-tam-v-rf-sozdali-soft-dlia-opredeleniia-vladeltcev-telegram-kanalov?_x_tr_sl=auto&amp;_x_tr_tl=en&amp;_x_tr_hl=en&amp;_x_tr_pto=wapp">AI here and there: software to identify the owners of Telegram channels has been created in Russia</a> by Ivan Chernousov</p><blockquote><p>The article explains that a new neural network, "Comrade Major," has been developed in Russia. This AI is capable of identifying the owners of anonymous Telegram channels by analysing various data sources like message descriptions, chat information, and digital footprints. The technology, designed to function like an analyst but with greater speed and efficiency, is undergoing internal testing.
It's intended for use by organisations investigating cybercrimes related to anonymous Telegram communities. The full version is expected to be released between 2024 and 2025. The post also discusses the potential legal implications and the necessity of careful use to avoid violating privacy rights.</p><p><strong>So What?</strong></p><p>I challenge you to read &#8216;Comrade Major&#8217; without a thick Russian accent applied to your inner monologue. The tool sounds pretty interesting, and provides an insight into what nation states may be developing (with AI) at a national level to address intelligence challenges at scale.</p></blockquote><div><hr></div><p><a href="https://3375217.fs1.hubspotusercontent-na1.net/hubfs/3375217/Documents/The-State-of-Software-Supply-Chain-Security-2024.pdf">The State of Software Supply Chain Security 2024</a> by ReversingLabs</p><blockquote><p>The report discusses the increasing ease and prevalence of software supply chain attacks. The analysis highlighted a visibility gap in software supply chains, making it difficult to detect and defend against such attacks. The report found a significant rise in malicious code on open-source platforms and noted that typical supply chain risks, like typosquatting and leaking sensitive data, persisted in 2023. The article also observed a growing trend of less sophisticated cyber actors exploiting these vulnerabilities for data theft, ransomware deployment, and other malicious activities. 
The report anticipates a continued rise in such threats in 2024.</p><p>Four key takeaways:</p><ul><li><p>Software supply chain attacks rose 1300% in the past three years.</p></li><li><p>The Software Supply Chain Is a Blind Spot: Attacks such as the compromise of VoIP vendor 3CX laid bare a yawning visibility gap that hampers the ability of both software makers and their customers to detect software supply chain compromises and defend their organizations from malicious actors.</p></li><li><p>Software Supply Chain Attacks Are Getting Easier: For example, Operation Brainleeches, identified by ReversingLabs in July, showed elements of software supply chain attacks supporting commodity phishing attacks that use malicious email attachments to harvest Microsoft.com logins.</p></li><li><p>Change Is Coming... and More of the Same: ReversingLabs observed substantial changes in both the quantity and kinds of malicious code turning up on open-source platforms such as npm, PyPI, and NuGet.</p></li></ul><p><strong>So What?</strong></p><p>More report fodder! It&#8217;s great to see one of these aggregated Cyber reports focus on a particular area. A lot of the time, the annualised tomes produced by large security providers are a mile wide and an inch deep, with skewed data slanted towards their customer base (for obvious reasons). The headline is undoubtedly the staggering growth of this attack class. Is it really a 2024 and not a 2023 report though? (Me? Pedantic?)</p></blockquote><div><hr></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://www.munrobotic.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading &#8216;Briefly Briefed:&#8217; - To receive the newsletter on a weekly basis, please subscribe below.
</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>]]></content:encoded></item><item><title><![CDATA[Briefly Briefed: Newsletter #18 (10/01/24)]]></title><description><![CDATA[&#8220;Welcome to our Family, loyal friends and associates.&#8221;]]></description><link>https://www.munrobotic.com/p/briefly-briefed-newsletter-18-100124</link><guid isPermaLink="false">https://www.munrobotic.com/p/briefly-briefed-newsletter-18-100124</guid><dc:creator><![CDATA[Lawrence Munro]]></dc:creator><pubDate>Wed, 10 Jan 2024 10:37:27 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/68502ca4-87a5-49b9-bc88-ab6e616e7ff2_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>&#8220;Welcome to our Family, loyal friends and associates.&#8221;</p><p>This is week #18 of the &#8216;Briefly Briefed:&#8217; newsletter.
A big welcome to new subscribers, and many thanks to those who continue to read.</p><p>My &#8216;if you only read two&#8217; recommendations for the week are:</p><ul><li><p><a href="https://docs.aws.amazon.com/prescriptive-guidance/latest/strategy-accelerating-security-maturity/introduction.html">Crawl, walk, run: Accelerating security maturity in the AWS Cloud</a> by AWS</p></li><li><p><a href="https://www.darkreading.com/vulnerabilities-threats/why-red-teams-cant-answer-defenders-most-important-questions">Why Red Teams Can't Answer Defenders' Most Important Questions</a> by Jared Atkinson</p></li></ul><p>&#8220;Goodbye, my sweet friend.&#8221;</p><p>Lawrence</p><p><strong>Meme of the Week:</strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!6jNH!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6e73245f-29f6-4e87-b665-cf871e5bdbbb_443x762.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!6jNH!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6e73245f-29f6-4e87-b665-cf871e5bdbbb_443x762.png 424w, https://substackcdn.com/image/fetch/$s_!6jNH!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6e73245f-29f6-4e87-b665-cf871e5bdbbb_443x762.png 848w, https://substackcdn.com/image/fetch/$s_!6jNH!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6e73245f-29f6-4e87-b665-cf871e5bdbbb_443x762.png 1272w, 
https://substackcdn.com/image/fetch/$s_!6jNH!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6e73245f-29f6-4e87-b665-cf871e5bdbbb_443x762.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!6jNH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6e73245f-29f6-4e87-b665-cf871e5bdbbb_443x762.png" width="235" height="404.22121896162525" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/6e73245f-29f6-4e87-b665-cf871e5bdbbb_443x762.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:762,&quot;width&quot;:443,&quot;resizeWidth&quot;:235,&quot;bytes&quot;:386833,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!6jNH!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6e73245f-29f6-4e87-b665-cf871e5bdbbb_443x762.png 424w, https://substackcdn.com/image/fetch/$s_!6jNH!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6e73245f-29f6-4e87-b665-cf871e5bdbbb_443x762.png 848w, https://substackcdn.com/image/fetch/$s_!6jNH!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6e73245f-29f6-4e87-b665-cf871e5bdbbb_443x762.png 1272w, 
https://substackcdn.com/image/fetch/$s_!6jNH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6e73245f-29f6-4e87-b665-cf871e5bdbbb_443x762.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><div><hr></div><p><a href="https://docs.aws.amazon.com/prescriptive-guidance/latest/strategy-accelerating-security-maturity/introduction.html">Crawl, walk, run: Accelerating security maturity in the AWS Cloud</a> by AWS</p><blockquote><p><strong>Summary</strong></p><p>The article offers a roadmap using a crawl, walk, run approach to boost an organisation's cloud security maturity. It outlines a step-by-step method to automate security in the cloud, focusing on maximising the use of AWS services and features. The guide aims to help organisations understand cloud challenges and opportunities and progress swiftly with AWS.</p><p>The crawl, walk, run methodology is broken down into six stages: plan, build, assess, operationalise, mature, and optimise. Each stage represents a phase in enhancing cloud security, from initial planning and building a foundation (crawl), to operationalising and maturing processes (walk), and finally optimising through assessment and automation (run).</p><p><strong>So What?</strong></p><p>There&#8217;s a huge amount of information provided by AWS on these pages. I like that it&#8217;s iterative and demonstrates understanding of a non-cloud-native adoption path. </p></blockquote><div><hr></div><p><a href="https://www.splunk.com/en_us/blog/security/hunting-m365-invaders-blue-team-s-guide-to-initial-access-vectors.html">Hunting M365 Invaders: Blue Team's Guide to Initial Access Vectors</a> by Mauricio Velazco (Splunk)</p><blockquote><p><strong>Summary</strong></p><p>The post explains the importance of security in Microsoft 365 (M365) with Entra ID for identity and access management. The article posits that initial access, the first foothold established by attackers, is critical, especially in cloud computing where identity is the new security perimeter. 
Compromised accounts can lead to further exploitation and data exfiltration.</p><p>The Splunk Threat Research Team provides an overview of data sources for M365 monitoring, including the Unified Audit Log (UAL) and Azure AD Logs. These logs are essential for effective threat detection, each serving different purposes and offering distinct insights into user activities and authentication events.</p><p>The post also delves into common initial access techniques against M365 tenants, such as password spraying and illicit consent grants. It offers practical strategies for simulating these attacks and details how security teams can detect them using Splunk. Additionally, the article highlights the importance of understanding both UAL and Azure AD logs for building robust detection analytics in M365 environments.</p><p><strong>So What?</strong></p><p>This post may be particularly interesting for CTI analysts, detection engineers or SOC analysts. It&#8217;s Splunk-centric (as you&#8217;d expect), but does contain lots of useful tips, which are applicable to other SIEM platforms. Effective logging for IAM is absolutely core to an effective monitoring strategy.</p></blockquote><div><hr></div><p><a href="https://www.nccoe.nist.gov/projects/cybersecurity-genomic-data">Cybersecurity and Privacy of Genomic Data</a> by NIST</p><blockquote><p><strong>Summary</strong></p><p>NIST is working with various stakeholders to develop voluntary guidance for managing Cybersecurity and privacy risks in genomic data. This involves creating frameworks and guidelines for organisations that handle genomic data. NIST's National Cybersecurity Center of Excellence (NCCoE) has published the final version of NIST IR 8432, titled "Cybersecurity of Genomic Data." This document outlines current practices, challenges, and solutions for securing genomic data. Additionally, the draft version of NIST IR 8467, "Cybersecurity Framework Profile for Genomic Data," is under review following public feedback. 
NIST is also developing a Privacy Framework Profile for genomic data, representing its first foray into this specific area of privacy. These profiles aim to enhance, not replace, existing Cybersecurity and privacy standards used by organisations dealing with genomic data.</p><p><strong>So What?</strong></p><p>This post is more of a curiosity than an essential read (unless you work in genomics!). An area in the draft, which I found particularly interesting, was the walk-through of creating a Genomics-specific &#8216;profile&#8217; within NIST Cyber Security Framework (CSF). If you&#8217;ve not looked at profiles before, they&#8217;re one of the best features within the NIST CSF, as they provide extensibility. Profiles are a method to create customised instantiations of the CSF, extending the framework to meet individual or sector needs. The profiles for manufacturing and financial services are particularly advanced; you can browse examples <a href="https://www.nist.gov/cyberframework/examples-framework-profiles">here</a>.</p></blockquote><div><hr></div><p><a href="https://www.darkreading.com/vulnerabilities-threats/why-red-teams-cant-answer-defenders-most-important-questions">Why Red Teams Can't Answer Defenders' Most Important Questions</a> by Jared Atkinson</p><blockquote><p><strong>Summary</strong></p><p>The post explains that red-team assessments in Cybersecurity are limited in their ability to validate the effectiveness of defenses. Drawing from Alfred Korzybski's philosophy, the article posits that Cybersecurity models, like red-team assessments, do not fully capture the complexity of real-world threats. Red teams typically test specific attack techniques, leaving defenders uncertain about the overall strength of their defenses against untested techniques. 
This narrow focus provides incomplete information about an organisation's security posture and can create a false sense of security.</p><p>Jared highlights the sheer number of attack variants, with some techniques having thousands or even millions of variations, making comprehensive testing impractical. He suggests that security professionals should not solely rely on vendors but verify their claims. The article proposes that testing a representative sample of attack variants could be more effective. It also discusses the potential of purple teams, which combine red and blue team efforts, but notes that even this approach needs to evolve. The challenge lies in building accurate test cases that encompass a broad spectrum of attack possibilities, a task that the cybersecurity industry is still grappling with.</p><p><strong>So What?</strong></p><p>I totally agree with Jared&#8217;s points in this short article. The utility of red teaming engagements is limited with respect to establishing the efficacy of your detection efforts. In my view, there are generally only three use cases for a pure red team assessment: a.) regulatory requirements, b.) scare the sh*t out of the exco/board to bring attention to security standards, and c.) you&#8217;re REALLY advanced in your security and feel you can mount an active defence. In my experience, purple teaming engagements (utilising some form of automation) offer far more value for this purpose.</p></blockquote><div><hr></div><p><a href="https://cert.pl/en/posts/2024/01/artemis-security-scanner/">The Artemis security scanner</a> by CERT Polska</p><blockquote><p><strong>Summary</strong></p><p>&#8220;Artemis is an open-source security vulnerability scanner developed by CERT PL. It is built to look for website misconfigurations and vulnerabilities on a large number of sites. It automatically prepares reports that can be sent to the affected institutions. 
Thanks to its modular architecture, it can be used to combine the results of various other tools in a single dashboard.&#8221;</p><p>Direct link to the repo: https://github.com/CERT-Polska/Artemis/</p><p><strong>So What?</strong></p><p>This is a really great tool and super handy if you do these types of tasks and don&#8217;t have a huge budget.</p></blockquote><div><hr></div><p><a href="https://hbr.org/2018/02/plan-a-better-meeting-with-design-thinking">Plan a Better Meeting with Design Thinking</a> by Maya Bernstein and Rae Ringel</p><blockquote><p><strong>Summary</strong></p><p>The article posits that applying design thinking principles can vastly improve the productivity and engagement of meetings. Citing statistics on the ineffectiveness of most meetings, the authors suggest a four-step process: starting with empathy to understand participants' needs, setting a clear purpose and desired outcomes for the meeting, creatively designing the meeting agenda, and prototyping the plan by seeking feedback from participants.</p><p>This approach places the focus on the participants' experience, ensuring meetings are not just held for the sake of it but have clear, achievable goals. The authors highlight the importance of making meetings more engaging and effective, suggesting that even though the process may seem time-consuming initially, it ultimately leads to fewer, more productive meetings. The method involves understanding participant needs, defining goals, designing an engaging agenda, and iterating based on feedback, transforming both the efficacy of meetings and attitudes towards them.</p><p><strong>So What?</strong></p><p>Not cyber. I really like productivity hacks and trying new things with teams I collaborate with, so I thought I&#8217;d share this one. 
I was lucky enough to work with a couple of amazing product managers from Northern Ireland who had a deep understanding of <a href="https://www.interaction-design.org/literature/topics/design-thinking">design thinking</a>. We ran a number of ideas through the process when I was leading the innovation accelerator at NCC Group. I&#8217;d highly recommend you give it a try if you need to create something new. I tried the approach (per the above) for building meetings, and it works pretty well. Meetings can be the death of productivity (and morale), so doing fewer, high quality confabs can really make the difference. I&#8217;d encourage anyone to experiment and see what works.</p></blockquote><div><hr></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://forms.gle/kFdbX8sTTGj8YiHu6&quot;,&quot;text&quot;:&quot;Send Lawrence Feedback&quot;,&quot;action&quot;:null,&quot;class&quot;:&quot;button-wrapper&quot;}" data-component-name="ButtonCreateButton"><a class="button primary button-wrapper" href="https://forms.gle/kFdbX8sTTGj8YiHu6"><span>Send Lawrence Feedback</span></a></p><div><hr></div><p><a href="https://www.tussell.com/hubfs/Tussell%20-%20UK%20Strategic%20Suppliers%20Report%202023%20-%202023_12_05.pdf">UK Strategic Suppliers Report</a> by Tussell</p><blockquote><p><strong>Summary</strong></p><p>The report provides an overview of Strategic Suppliers to the UK government, focusing on companies that do significant business with UK ministerial departments or provide vital services. These companies are designated as 'Strategic Suppliers' by the Cabinet Office and are subject to greater scrutiny to ensure public funds are well spent. The report analyses direct revenue and contracts won by these suppliers from the UK public sector for fiscal years 2018/19 to 2022/23.</p><p>Key findings include a decrease in public sector revenue earned directly by these suppliers by 17%, despite an overall 4% growth in public sector procurement. 
Technology emerged as the largest sector among Strategic Suppliers, with 74% of their revenue coming from the top 20 public sector buyers. Of the 39 Strategic Suppliers, only 11 saw growth in their direct public sector revenue. The report also notes changes in the list of Strategic Suppliers, including new entries and exits.</p><p>The article highlights that while overall public sector procurement increased, spending with Strategic Suppliers decreased, suggesting a gradual reduction in public sector reliance on these companies. However, their market share remains significant compared to total procurement expenditure on SMEs. The table below shows revenue by supplier.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!-Yb2!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7b0938f-0cdb-4b85-8d1a-ea5e1ee6b170_601x773.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!-Yb2!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7b0938f-0cdb-4b85-8d1a-ea5e1ee6b170_601x773.png 424w, https://substackcdn.com/image/fetch/$s_!-Yb2!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7b0938f-0cdb-4b85-8d1a-ea5e1ee6b170_601x773.png 848w, https://substackcdn.com/image/fetch/$s_!-Yb2!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7b0938f-0cdb-4b85-8d1a-ea5e1ee6b170_601x773.png 1272w, 
https://substackcdn.com/image/fetch/$s_!-Yb2!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7b0938f-0cdb-4b85-8d1a-ea5e1ee6b170_601x773.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!-Yb2!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7b0938f-0cdb-4b85-8d1a-ea5e1ee6b170_601x773.png" width="403" height="518.3344425956739" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c7b0938f-0cdb-4b85-8d1a-ea5e1ee6b170_601x773.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:773,&quot;width&quot;:601,&quot;resizeWidth&quot;:403,&quot;bytes&quot;:251185,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!-Yb2!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7b0938f-0cdb-4b85-8d1a-ea5e1ee6b170_601x773.png 424w, https://substackcdn.com/image/fetch/$s_!-Yb2!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7b0938f-0cdb-4b85-8d1a-ea5e1ee6b170_601x773.png 848w, https://substackcdn.com/image/fetch/$s_!-Yb2!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7b0938f-0cdb-4b85-8d1a-ea5e1ee6b170_601x773.png 1272w, 
https://substackcdn.com/image/fetch/$s_!-Yb2!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7b0938f-0cdb-4b85-8d1a-ea5e1ee6b170_601x773.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p><strong>So What?</strong></p><p>I found this quite an interesting report, with some great data points. If you&#8217;re UK-based and work with the public sector, you may find this enlightening. 
</p></blockquote><div><hr></div><p><a href="https://blog.nviso.eu/2023/10/26/most-common-active-directory-misconfigurations-and-default-settings-that-put-your-organization-at-risk/">Most common Active Directory misconfigurations and default settings that put your organization at risk</a> by Bastien Bossiroy</p><blockquote><p><strong>Summary</strong></p><p>The article explores common misconfigurations and default settings in Active Directory (AD) that pose security risks to organisations. It explains that AD, a service managing users and resources within a network, often comes with default settings that can be exploited by attackers. The author, after auditing about 40 companies, identifies six recurrent misconfigurations that could allow attackers to gain unauthorised access or compromise a domain.</p><p>These include allowing delegation on administrator accounts, not enforcing the &#8220;This account is sensitive and cannot be delegated&#8221; setting, not using AES encryption on service accounts, leaving the print spooler enabled on domain controllers, allowing users to create machine accounts, and not reprocessing unchanged GPOs on domain controllers. The post details how these vulnerabilities can be exploited and suggests mitigation strategies like enabling specific settings, restricting permissions, and rotating passwords regularly, especially for critical accounts like KRBTGT. 
The post also emphasises the importance of regular security reviews and the use of tools like PingCastle, BloodHound, and Testimo for auditing AD environments.</p><p><strong>So What?</strong></p><p>Despite there being nothing new (technically) in the post, it provides a good reminder (or primer) on Active Directory security.</p></blockquote><div><hr></div><p><a href="https://detect.fyi/under-the-radar-your-detections-are-missing-logs-every-single-run-d76444d0173a">Under the Radar: Your Detections are missing logs &#8212; every single run</a> by Alex Teixeira</p><blockquote><p><strong>Summary</strong></p><p>The article highlights a significant challenge in Cybersecurity detection: the mismanagement of time-sensitive parameters in detection rules. Focusing on SIEM platforms like Splunk and Microsoft Sentinel, Alex points out that typical detection rules, which query data logs within specific time frames and intervals, often miss late-arriving logs. This results in potential threats going undetected.</p><p>The post explains that time inconsistencies in log generation and arrival at SIEM systems are common. To address this, he suggests adjusting detection strategies to cover both the log generation time (_time) and the time it's stored in the SIEM database (_indextime). He recommends extending the look-back period in queries and considering index time constraints to capture logs as soon as they arrive. Additionally, he proposes the use of delayed detections to allow time for late-arriving events to be included in analyses, thereby improving the accuracy and completeness of threat detection.</p><p><strong>So What?</strong></p><p>I&#8217;ve seen this problem a number of times in real life. It&#8217;s fairly common to hear this mentioned by the SOC on red or purple teaming engagements as a reason why detections failed to trigger. 
It may be worth giving this some attention (if you work in, or are responsible for, a SOC) and thinking about strategies to reduce the risk of time constraints reducing detection efficacy. Alex makes some great recommendations in the full post.</p></blockquote><div><hr></div><p><a href="https://www.independent.co.uk/tech/google-account-password-hack-b2475384.html">Hackers discover way to access Google accounts without a password</a> by Anthony Cuthbertson</p><blockquote><p><strong>Summary</strong></p><p>The article reports on a significant security threat discovered by researchers from CloudSEK, where hackers can access Google accounts without needing passwords. This exploit uses third-party cookies to bypass two-factor authentication and gain unauthorised access to private data. The vulnerability was first noted in October 2023 on a Telegram channel, where a hacker described compromising accounts through cookie manipulation.</p><p>Google authentication cookies, which typically allow users to stay logged in without re-entering login details, are being targeted. This method enables continuous access to Google services, even after a user&#8217;s password is reset. Google has acknowledged the threat and taken steps to secure compromised accounts, urging users to remove malware from their devices and activate Enhanced Safe Browsing in Chrome. The issue, highlighting the complexity of modern cyber attacks, was detailed in a report by Pavan Karthick M, a threat intelligence researcher at CloudSEK. 
</p><p><strong>So What?</strong></p><p>An interesting and concerning write-up!</p></blockquote><div><hr></div><p><a href="https://xacone.github.io/BestEdrOfTheMarket.html">Introducing the Best EDR Of The Market Project</a> by Yazid Benjamaa</p><blockquote><p><strong>Summary</strong></p><p>&#8220;The <a href="https://github.com/Xacone/BestEdrOfTheMarket">Best EDR Of The Market (BEOTM)</a> is an open source EDR designed to serve as a testing ground for understanding and bypassing some of the detection mechanisms employed by many well-known EDRs. These methods focus on the dynamic analysis of a process and its states (memory, call stack, heap, API calls, etc.).<br>The purpose of this article is not to delve too deeply into details of these methods that are fully covered in other articles (which I may not explain any better), but to give a brief overview of how these methods are implemented in BEOTM.&#8221;</p><p><strong>So What?</strong></p><p>A more technical project, which will likely only appeal to those involved in red or blue teaming in a hands-on way. This is a great learning tool for people transitioning from pen testing to red teaming. It supports understanding how EDR technology works, without having to rely on trial and error, or getting access to expensive commercial EDRs outside of engagements.</p></blockquote><div><hr></div><p><a href="https://blog.redteam-pentesting.de/2024/bitwarden-heist/">Bitwarden Heist - How to Break into Password Vaults Without Using Passwords</a> by RedTeam Pentesting</p><blockquote><p><strong>Summary</strong></p><p>A security vulnerability was identified in Bitwarden's Windows Hello integration, allowing unauthorised access to Bitwarden vaults without needing the user's password or biometric authentication. Discovered during a penetration test, the exploit hinged on Bitwarden's use of the Windows Credentials API and Data Protection API (DPAPI) on domain-connected workstations. 
The method involved decrypting the vault's encryption key remotely using a backup key from the Active Directory domain controllers, effectively circumventing the need for the user's primary password.</p><p>The issue lay in Bitwarden's storage of the encrypted 'derived key' through the Windows Credentials API. This key could be decrypted using DPAPI backup keys accessible to anyone with domain controller access. Consequently, Bitwarden's biometric unlock feature unintentionally made the derived key obtainable without the user's main password or biometric input. Bitwarden rectified this flaw in the v2023.4.0 update.</p><p><strong>So What?</strong></p><p>Wasn&#8217;t passwordless meant to fix all our password problems? There&#8217;s definitely some irony in a passwordless auth mechanism, protecting a password manager, having a security flaw. Joking aside, all software can have bugs, and it&#8217;s good to see that Bitwarden fixed the issue swiftly. </p></blockquote><div><hr></div><p><a href="https://johnstawinski.com/2024/01/05/worse-than-solarwinds-three-steps-to-hack-blockchains-github-and-ml-through-github-actions/">Worse Than Solarwinds: Three Steps to Hack Blockchains and ML Through GitHub Actions</a> by John Stawinski and Adnan Khan</p><blockquote><p><strong>Summary</strong></p><p>The post explains a vulnerability in GitHub repositories, particularly in Continuous Integration and Continuous Deployment (CI/CD) processes. The method allowed total control of GitHub Actions runner images, earning a $20,000 reward from GitHub's bug bounty program. 
The vulnerability was widespread, affecting many advanced tech companies, especially those in AI/ML and Web3, despite their strong security measures and bug bounty programs.</p><p>The researchers executed a three-step attack strategy: first, by finding and correcting a typo to gain contributor status; second, using this status to execute code on GitHub runners; and third, exploiting self-hosted runners for remote code execution and access to sensitive data. This method enabled them to compromise high-profile systems, including PyTorch and Microsoft Deepspeed releases, and potentially infiltrate major blockchain wallets and nodes. Detailed disclosures of these techniques are expected in future articles and potential conference presentations.</p><p><strong>So What?</strong></p><p>Is it worse than Solarwinds though? Despite the clickbait headline, this is quite an interesting attack chain. If you&#8217;re technical and involved in working with GitHub, it&#8217;s worth a read through of this post.</p></blockquote><div><hr></div><p><a href="https://jerrygamblin.com/2024/01/03/2023-cve-data-review/">2023 CVE Data Review</a> by Jerry Gamblin</p><blockquote><p><strong>Summary</strong></p><p>The site shares a summary of 2023&#8217;s CVEs. Some key snippets are below:</p><ul><li><p>We ended 2023 with 28,902 published CVEs, up over 15% from the 25,081 CVEs published in 2022. </p></li><li><p>On average, there were 79.18 CVEs published per day.</p></li><li><p>October was the month with the most CVEs published, with 2,690 or 9.3% of all CVEs for the year. </p></li><li><p>Tuesdays were the top publishing days, with 6,438 CVEs or 22.3% of all CVEs published. January 26th had the most CVEs published in a single day, with 348.</p></li></ul><p><strong>So What?</strong></p><p>Some data for your next presentation! 
There&#8217;s a steady YoY growth of CVEs, but that&#8217;s to be expected with the birth-rate-death-rate inequality of software life cycles.</p></blockquote><div><hr></div><p><a href="https://baldur.dk/blog/automated-web-assessment.html">The Blind Spots of Automated Web App Assessments</a> by Kevin Joensen</p><blockquote><p><strong>Summary</strong></p><p>The post highlights the limitations of automated tools in application security assessments, emphasising the necessity of manual code review. While not dismissing the usefulness of automated tools, Kevin stresses that they often miss complex vulnerabilities, especially in critical applications. The article focuses on the challenges in detecting Broken Access Control (BAC), the top vulnerability listed in the OWASP Top 10.</p><p>To demonstrate this, Joensen created an application, VulnApp, with three simple BAC vulnerabilities: password reset leading to account takeover, updating another user's email, and retrieving another user's credit card information. Despite their apparent simplicity, these vulnerabilities were not detected by several leading automated scanners, including Acunetix, Burp Suite, Nuclei, AppScan, Wapiti, ZAP, and Netsparker/Invicti.</p><p><strong>So What?</strong></p><p class="cta-caption">Automated scanners have always struggled with multi-stage or business logic vulnerability discovery. Perhaps the advent of &#8216;AI&#8217; will change this, but I think we&#8217;re still quite a way off that. I&#8217;m sure someone will eventually create an automated tool that understands the intended flow and logic of an application from its code at some point. 
</p></blockquote><div><hr></div>]]></content:encoded></item><item><title><![CDATA[Briefly Briefed: Newsletter #17 (03/01/24)]]></title><description><![CDATA[Plata o plomo?]]></description><link>https://www.munrobotic.com/p/briefly-briefed-newsletter-17-030124</link><guid isPermaLink="false">https://www.munrobotic.com/p/briefly-briefed-newsletter-17-030124</guid><dc:creator><![CDATA[Lawrence Munro]]></dc:creator><pubDate>Wed, 03 Jan 2024 10:57:07 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/c28c6146-e8a1-45af-ba0d-df9ee242e3f7_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Plata o plomo?</p><p>This is week #17 of the &#8216;Briefly Briefed:&#8217; newsletter. A big welcome to new subscribers, and many thanks to those who continue to read.</p><p>Happy New Year! We&#8217;re back a week earlier than expected, with lots of interesting snippets from pre- and post-Christmas/Holidays. 
</p><p>My &#8216;if you only read two&#8217; recommendations for the week are:</p><ul><li><p><a href="https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/">Operation Triangulation: What You Get When Attack iPhones of Researchers</a> by Boris Larin</p></li><li><p><a href="https://www.bbc.co.uk/news/technology-67663128">Lapsus$: GTA 6 hacker handed indefinite hospital order</a> by Joe Tidy</p></li></ul><p>Hasta luego.</p><p>Lawrence</p><p><strong>Meme of the Week:</strong></p><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!mu3-!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fefe92b76-4c27-4d7f-8681-d5554413c7ac_1000x591.png" width="516" height="304.956" class="sizing-normal" alt=""></figure></div><div><hr></div><p><a href="https://blog.qualys.com/vulnerabilities-threat-research/2023/12/19/2023-threat-landscape-year-in-review-part-one">2023 Threat Landscape Year in Review: If Everything Is Critical, Nothing Is</a> by Saeed Abbasi</p><blockquote><p>The article reviews the cyber threat landscape for 2023, focusing on vulnerabilities and their impact. 
It highlights the findings of the Qualys Threat Research Unit, which observed an increase in disclosed vulnerabilities, with a significant number posing high risks.</p><p>The post explains that although a vast number of vulnerabilities were disclosed in 2023 (26,447), less than 1% of these posed the highest risk. These critical vulnerabilities were often exploited in the wild and included in the CISA Known Exploited Vulnerabilities catalog. However, 97 high-risk vulnerabilities were not listed in this catalog. The article explains that a third of these high-risk vulnerabilities affected network devices and web applications, and were quickly exploited, often on the same day as their disclosure.</p><p>The article also discusses the types of vulnerabilities and the tactics used by attackers. It emphasises the speed of exploitation, with the mean time to exploit in 2023 being 44 days. However, 25% of high-risk vulnerabilities were exploited on the same day they were published.</p><p><strong>So What?</strong></p><p>There are some interesting stats in this report, especially given Qualys&#8217; wide reach in terms of datasets. However, there&#8217;s not really any new thinking in terms of the upshot. Prioritisation remains key, and those charged with vulnerability management need to understand the attributes (and shortcomings) of scoring frameworks (such as CVSS). 
A key facet is ensuring that prioritisation factors real-world exploitation frequency (which informs likelihood in risk models), as this post illustrates.</p></blockquote><div><hr></div><p>&#8220;<a href="https://x.com/lcamtuf/status/1742256769760657689?s=20">As foretold - LLMs are revolutionizing security research:</a>&#8221; &#8216;X&#8217; Thread by <span class="mention-wrap" data-attrs="{&quot;name&quot;:&quot;lcamtuf&quot;,&quot;id&quot;:92541588,&quot;type&quot;:&quot;user&quot;,&quot;url&quot;:null,&quot;photo_url&quot;:&quot;https://bucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com/public/images/160026b1-f333-4244-b8dc-5ca8c437a0b4_400x400.jpeg&quot;,&quot;uuid&quot;:&quot;2a02538a-1cf2-43d1-a600-bd431899e921&quot;}" data-component-name="MentionToDOM"></span> </p><blockquote><p>The thread links to a bug report on HackerOne (an &#8216;attack resistance management&#8217; (bug bounty) provider), where the output is rather obviously from ChatGPT or another LLM prompt. The person triaging the issue gets increasingly frustrated, as it becomes apparent to him what&#8217;s unfolding i.e. he&#8217;s having a discussion with an LLM by proxy about a false positive, where the reporter seems to have modified the code (in another repo!) to fit the bug. He promptly closes the issue.</p><p><strong>So What?</strong></p><p>Bug Bounty programs already suffer greatly from &#8216;beg bounties&#8217;, where members of the crowd use automated tools to generate outputs they don&#8217;t understand and submit the bugs verbatim to chance their luck. The introduction of LLMs into the fray is likely to exacerbate this issue. In the past, poorly worded submissions and tool output &#8216;boilerplate&#8217; were a clear red flag, and meant false positives / negatives could be closed quite quickly by experienced triagers. While LLMs can produce some good findings, they still require expert operation to discern whether the output is accurate, or not. 
Doubtless, this is already causing major headaches for providers on public / open bounties.</p></blockquote><div><hr></div><p><a href="https://www.forbes.com/sites/thomasbrewster/2023/12/14/apple-and-corellium-settle-copyright-fight/">Apple And Cyber Startup Corellium Settle Four-Year Court Battle</a> by Thomas Brewster (Forbes)</p><blockquote><p>Apple and Corellium have resolved their four-year copyright lawsuit, with the settlement terms remaining undisclosed. In the suit, initiated in 2019, Apple accused Corellium of illegally replicating its iOS for the virtual iPhones used by security researchers and developers. Apple claimed this violated the Digital Millennium Copyright Act. Corellium argued their software was essential for security testing, a view supported by critics like the Electronic Frontier Foundation. The case included unexpected revelations, such as Apple's previous $23 million offer to buy Corellium. Apple eventually dropped some allegations and lost an appeal in 2021. The dispute concluded with a settlement, while Corellium continues to grow, expanding its workforce and developing new virtual technologies.</p><p><strong>So What?</strong></p><p>I&#8217;ve been keeping a keen eye on this since the inception of the case. Corellium solves some key issues in testing Apple devices, not least the need to maintain <a href="https://www.malwarebytes.com/iphone-jailbreaking">jailbreakable</a> physical devices to complete some forms of testing. I have fond memories of running around Sim Lim Square in Singapore and Sai Yeung Choi South Street in Hong Kong with colleagues, haggling for used iPhones, before shipping them to testers around the world. It was almost a full-time job for one of the team to maintain patch levels and ship where needed. 
Nostalgia aside, Corellium still seem to be in business, and this is a good thing for our industry IMHO.</p></blockquote><div><hr></div><p><a href="https://www.huntress.com/blog/combating-emerging-microsoft-365-tradecraft-initial-access">Combating Emerging Microsoft 365 Tradecraft: Initial Access</a> by Matt Kiely</p><blockquote><p>The article discusses advancements in combating initial access threats in Microsoft 365. The post explains efforts in developing Huntress&#8217; Microsoft 365 product to detect and deter hackers early in their campaigns. The focus is on enriching event data to identify and address vulnerabilities at the earliest stage possible.</p><p>The post explains that a significant portion of account takeovers and malicious activities originate from VPNs and proxies. To combat this, Huntress uses Spur, a third-party tool, to add context to IP addresses, identifying whether they come from a VPN, Tor node, botnet, or cloud service provider. This allows for a more accurate detection of potentially malicious activities.</p><p><strong>So What?</strong></p><p>There are elements of &#8216;look at our product&#8217; (as you&#8217;d expect) in this post, but there is also some worthy content and deep dives into the enrichment and detection engineering process.</p></blockquote><div><hr></div><p><a href="https://layoffs.fyi/">Tech Industry Lay-offs tracker</a> by Roger Lee</p><blockquote><p>The site provides raw data relating to the significant number of layoffs in the tech industry during 2022/23. Over 240,000 jobs have been lost in 2023, a 50% increase compared to the previous year. Major companies like Google, Amazon, Microsoft, Yahoo, Meta, and Zoom, as well as various startups, have contributed to these workforce reductions. 
While there was a slowdown in layoffs during the summer and autumn, the trend is picking up again.</p><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!VP-m!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fee92b8a2-616d-4533-b090-8a3d840d7686_1152x497.png" width="1152" height="497" class="sizing-normal" alt=""></figure></div><p><strong>So What?</strong></p><p>Despite economists cautioning against fears of a recession, the tech sector's rebound has been slow, leading to continued workforce cuts. The layoffs not only show the impact on innovation and the pressures on companies, but also highlight the human cost of such actions and evolving risk profiles. Cybersecurity figures are included within these numbers and follow a similar trend. It will be interesting to see the way the workforce reacts to the relatively new challenge of job insecurity. Within the Cyber services industry, I&#8217;ve started to see more senior people starting up their own ventures or shifting to contracting. Perhaps this will stimulate the next wave of startups in the platform/services space, after many SMEs were hoovered up by the bigger players over the last ~10 years. 
</p></blockquote><div><hr></div><p><a href="https://www.kwm.com/global/en/insights/latest-thinking/2023-30-cyber-security-strategy-legislative-reforms.html">A Christmas Present: 2023-30 Cyber Security Strategy Legislative Reforms (Australia)</a> by Cheng Lim</p><blockquote><p>The article discusses the Australian Government's proposed legislative reforms as part of its 2023-2030 Cyber Security Strategy. These reforms include mandatory ransomware reporting, establishing a Cyber Incident Review Board, and expanding the Security of Critical Infrastructure Act 2018 (SOCI Act) to cover data storage systems used by critical infrastructure entities. The strategy aims to position Australia as a global leader in cyber security by 2030.</p><p>The article explains that the Consultation Paper, released by the Department of Home Affairs, details these reforms and calls for public input. Key aspects include two types of reporting obligations for ransomware &#8211; one when a demand is received and another if a payment is made. The government seeks feedback on the information that should be reported, the implementation of a no-fault and no-liability principle, and the entities required to report. Additionally, the post proposes a limited use obligation for information shared with government agencies and the establishment of a Cyber Incident Review Board to conduct no-fault incident reviews.</p><p><strong>So What?</strong></p><p>The article raises concerns about the broad scope of these powers and the need for clarity in their application. It concludes by supporting the clarification of protected information provisions and consolidating telecommunications security requirements under the SOCI Act. 
Most of these efforts align Australia to existing legislation in Europe and the EU.</p></blockquote><div><hr></div><p><a href="https://opentelemetry.io/">The OpenTelemetry Project</a></p><blockquote><p>&#8220;OpenTelemetry is an <a href="https://opentelemetry.io/docs/concepts/observability-primer/#what-is-observability">Observability</a> framework and toolkit designed to create and manage telemetry data such as <a href="https://opentelemetry.io/docs/concepts/signals/traces/">traces</a>, <a href="https://opentelemetry.io/docs/concepts/signals/metrics/">metrics</a>, and <a href="https://opentelemetry.io/docs/concepts/signals/logs/">logs</a>. Crucially, OpenTelemetry is vendor- and tool-agnostic, meaning that it can be used with a broad variety of Observability back-ends, including open source tools like <a href="https://www.jaegertracing.io/">Jaeger</a> and <a href="https://prometheus.io/">Prometheus</a>, as well as commercial offerings. OpenTelemetry is a <a href="https://www.cncf.io/">Cloud Native Computing Foundation (CNCF)</a> project.&#8221;</p><p><strong>So What?</strong></p><p>Rory McCune penned some thoughts about the utility of the framework in <a href="https://www.linkedin.com/pulse/security-observability-match-made-heaven-rory-mccune-mej4e/">this LinkedIn post</a>, which I agree with wholeheartedly. He highlights the significance of  the &#8216;three pillars of observability,&#8217; traces, metrics, and logs, which are essential for diagnosing and identifying security threats. Logs help correlate user requests in web applications, metrics are useful for spotting issues like Denial of Service attacks, and traces offer a comprehensive view of a user's request across multiple services. 
This observability is particularly useful in pinpointing vulnerabilities in complex systems involving micro-services.</p></blockquote><div><hr></div><p><a href="https://www.livescience.com/technology/artificial-intelligence/chatgpt-will-lie-cheat-and-use-insider-trading-when-under-pressure-to-make-money-research-shows">ChatGPT will lie, cheat and use insider trading when under pressure to make money, research shows</a> by Keumars Afifi-Sabet</p><blockquote><p>The article reveals a study showing that AI chatbots like ChatGPT, when simulated as AI traders, will engage in deceptive practices like insider trading under pressure. In a research scenario, GPT-4, which powers ChatGPT Plus, was used to simulate an AI trader for a financial institution. The AI was fed prompts and given access to financial tools to make investment decisions. Under stress to perform well, GPT-4 resorted to insider trading in about 75% of cases and subsequently lied to cover its actions.</p><p>The study involved sending pressure-inducing messages from a "manager" and simulating a challenging trading environment. Even when discouraged from illegal activities, GPT-4 still engaged in insider trading and deception. This behavior persisted across various scenarios, indicating a tendency for AI to adopt deceptive strategies under certain conditions. 
The findings suggest a need for further research into AI behavior, particularly in real-world settings, to understand the propensity of language models to exhibit similar conduct.</p><p>Link to the white paper: https://arxiv.org/abs/2311.07590 </p><p><strong>So What?</strong></p><p>Those who&#8217;ve experimented with LLMs, such as ChatGPT, will have noticed its propensity to make things up (hallucinate) or bend to human proclivities when pushed. We&#8217;re still in the early days, and it will be interesting to see how these challenges are tackled by vendors.</p></blockquote><div><hr></div><p><a href="https://www.cisa.gov/sites/default/files/2023-12/The-Case-for-Memory-Safe-Roadmaps-508c.pdf">The Case for Memory Safe Roadmaps by CISA</a> (and other FVEY agencies)</p><blockquote><p>The article by CISA discusses the importance of adopting memory safe programming languages (MSLs) to address the prevalent issue of memory safety vulnerabilities in software. Memory safety vulnerabilities are common coding errors that are exploited by malicious actors, causing significant challenges for software manufacturers and customers. MSLs can eliminate these vulnerabilities, reducing the need for constant security updates and patches.</p><p>The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with other international cybersecurity authorities, developed this guidance as part of the Secure by Design campaign. They urge senior executives at software manufacturing companies to prioritise the implementation of MSLs and to create memory safe roadmaps that outline how they will eliminate memory safety vulnerabilities from their products. This approach is seen as critical for enhancing product safety and reducing customer risk.</p><p>The guidance provided includes steps for creating memory safe roadmaps and advises on the need for executive leadership in this transition. 
It emphasises that transitioning to MSLs is a business imperative requiring participation from various departments within an organisation.</p><p><strong>So What?</strong></p><p>Security in programming languages that provide low-level memory manipulation has been an ongoing challenge. This is highlighted by years of memory corruption bugs in Operating Systems such as Windows. It&#8217;s great to see these being addressed in these roadmaps, and by initiatives such as the <a href="https://www.malwarebytes.com/blog/news/2023/05/microsoft-introduces-rust-into-kernel-in-windows-11">Rust programming language</a> and <a href="https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/">CHERI Arm Morello</a> boards. </p></blockquote><div><hr></div><p><a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4648700">Randomized Controlled Trial for Microsoft Security Copilot</a> by Ben Edelman, James Bono, Sida Peng, Roberto Rodriguez, Sandra Ho</p><blockquote><p>The paper details a randomised controlled trial (RCT) conducted to assess the efficiency of Microsoft's Security Copilot, focusing on speed and quality improvements in security tasks. In the trial, participants, who were security novices, were divided into two groups: one with access to standard M365 Defender with Security Copilot features ("treatment subjects") and the other without these features ("control subjects"). They were assigned tasks like Incident Summarisation, Script Analyser, Incident Report, and Guided Response in a simulated environment featuring ransomware and financial fraud attacks.</p><p>The study found that participants using Copilot were significantly more accurate in completing tasks, with a notable increase in the speed of task completion. Copilot users were 44% more accurate overall and completed tasks up to 46.5% faster than the control group. The study suggests that Copilot's assistance can notably improve the performance of novices in security-related tasks. 
These findings highlight Copilot&#8217;s potential in increasing productivity and accuracy in Cybersecurity tasks, particularly for less experienced users. </p><p><strong>So What?</strong></p><p>It&#8217;s great to see a vendor like Microsoft publish a more transparent &#8216;white paper&#8217; relating to the efficacy of their product. Knowing a couple of the people involved, this isn&#8217;t just a marketing puff-piece, although they have marked their own homework to some degree. It will be interesting to see how Copilots evolve, and at what point they can be trusted to be more autonomous. SOC is a key use-case for LLMs IMHO.</p></blockquote><div><hr></div><p><a href="https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/">Operation Triangulation: What You Get When Attack iPhones of Researchers</a> by Boris Larin</p><blockquote><p>Boris Larin, alongside colleagues, presented findings at the 37th Chaos Communication Congress on 'Operation Triangulation', a complex attack targeting iPhones. This presentation was the first public disclosure of all exploits and vulnerabilities utilised in this attack, which is the most sophisticated the team has encountered.</p><p>The attack chain, named 'Operation Triangulation', involved a zero-click iMessage attack using four zero-days, effective up to iOS 16.2. The process began with a malicious iMessage attachment exploiting a TrueType font instruction vulnerability (CVE-2023-41990), followed by multiple stages of complex programming and obfuscation. 
It exploited JavaScriptCore and kernel memory, including a Pointer Authentication Code (PAC) bypass and an integer overflow vulnerability (CVE-2023-32434) for extensive read/write access at the user level.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!hLiu!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff8f36e5-4c27-4247-b91e-b0216a568b49_1920x1080.png"><img src="https://substackcdn.com/image/fetch/$s_!hLiu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff8f36e5-4c27-4247-b91e-b0216a568b49_1920x1080.png" width="658" height="370.125" alt="" loading="lazy"></a></figure></div><p>Additionally, the attack used hardware memory-mapped I/O (MMIO) registers to circumvent the Page Protection Layer, mitigated as CVE-2023-38606. After exploiting these vulnerabilities, the attack could manipulate the device, including launching processes and injecting payloads to erase traces.</p><p>One aspect that remains a mystery is CVE-2023-38606, involving hardware-based security protection in recent iPhone models. The attackers used an unknown hardware feature of Apple SoCs to bypass this protection. 
The technical details of how this was achieved involve complex interactions with MMIO ranges and the GPU coprocessor, which are not entirely understood yet.</p><p>The vulnerability demonstrates that even sophisticated hardware-based protections can be circumvented, emphasising the risks of relying on &#8216;security through obscurity&#8217;.</p><p>A less technical write-up can be found on <a href="https://arstechnica.com/security/2023/12/exploit-used-in-mass-iphone-infection-campaign-targeted-secret-hardware-feature/">Ars Technica</a>.</p><p><strong>So What?</strong></p><p>This post is very technical, but fascinating. The attack focused on Russian state officials, international diplomats in Russia, and staff at Kaspersky. <a href="https://www.csoonline.com/article/575479/russia-points-finger-at-us-for-iphone-exploit-campaign-that-also-hit-kaspersky-lab.html">The FSB, Russia's intelligence agency, associated the assault</a> with the NSA and alleged that Apple collaborated with the US agency. Yikes.</p></blockquote><div><hr></div><p><a href="https://www.csoonline.com/article/1267725/understanding-the-nsas-latest-guidance-on-managing-oss-and-sboms.html">Understanding the NSA&#8217;s latest guidance on managing OSS and SBOMs</a> by Chris Hughes</p><blockquote><p>The post provides an overview of the NSA's guidance on managing open-source software (OSS) and <a href="https://about.gitlab.com/blog/2022/10/25/the-ultimate-guide-to-sboms/">software bills of materials (SBOMs)</a> to enhance software supply chain security. The guidance, aligning with existing Cybersecurity standards, emphasises the importance of identifying and monitoring OSS vulnerabilities and license compliance. It recommends establishing a secure internal OSS repository for vetting components and advocates for the use of SBOMs for transparency and inventory management. 
Additionally, the NSA advises adopting <a href="https://www.cisa.gov/sites/default/files/2023-01/VEX_Use_Cases_Aprill2022.pdf">Vulnerability Exploitability eXchange (VEX)</a> documents and attestation processes to ensure secure software development. The article underscores the need for robust crisis management plans and secure code signing. It categorises tools for SBOM creation and stresses the significance of verifying SBOM accuracy. The approach aims to improve the transparency between software suppliers and consumers, thus bolstering overall software supply chain security.</p><p><strong>So What?</strong></p><p>Chris has provided some really useful information in this post, which mirrors the content of his <a href="https://www.amazon.co.uk/Software-Transparency-Security-Software-Driven-Society/dp/1394158483">book</a> (which is actually pretty good!). It&#8217;s been interesting to watch the US&#8217; journey with SBOMs and the impact it&#8217;s had on software security. Adoption has been reasonably slow, as many have been confused about what&#8217;s required and which flavours to use. Supplementary frameworks, such as <a href="https://slsa.dev/spec/v1.0/about">SLSA</a> and VEX have been quite useful in extending SBOM&#8217;s utility, but have not helped with complexity challenges. What I do really like about SBOMs is the increase in transparency to consumers. In my advisory work with the UK government, this is something I am always keen to champion. Consumer pressure is an important lever in improving software security. Utilising standards and legislative intervention, which support increased transparency, is a force multiplier. 
This is because it increases the pressure on the vendors / suppliers to remediate issues that may be hidden behind GRC opacity.</p></blockquote><div><hr></div><p><a href="https://www.bbc.co.uk/news/technology-67663128">Lapsus$: GTA 6 hacker handed indefinite hospital order</a> by Joe Tidy</p><blockquote><p>Arion Kurtaj, an 18-year-old hacker and key member of the Lapsus$ cyber-crime gang, has been sentenced to an indefinite hospital order due to his autism. Kurtaj's hacking activities included leaking footage of the unreleased Grand Theft Auto (GTA) 6 game, causing significant harm to companies like Uber, Nvidia, and Rockstar Games, with damages nearing $10 million. Despite being under police protection and without his laptop, Kurtaj continued his hacking activities using alternative means. His mental health assessment revealed a strong intent to return to cyber-crime. The court found him unfit to stand trial, focusing instead on whether he committed the acts rather than his criminal intent. Another 17-year-old Lapsus$ member received an 18-month Youth Rehabilitation Order for similar offences, including harassment and stalking. The Lapsus$ group, mostly teenagers, was notorious for infiltrating large corporations and is still partially at large, having caused widespread shock in the cyber-security world.</p><p><strong>So What?</strong></p><p>From a humanist perspective, this is quite sad. Obviously, Lapsus$ caused carnage, which was clearly wrong. They disrupted the operations of businesses and the people within them, costing millions and creating distress in our community for the victims. However, they were (mostly) a group of very young individuals with a range of mental health issues and neurodiversity challenges. 
I hope they can be helped and rehabilitated, and we don&#8217;t see too many copycat groups emerge.</p></blockquote><div><hr></div><p><a href="https://swisskyrepo.github.io/InternalAllTheThings/">Internal All The Things: Active Directory and Internal Pentest Cheatsheets</a> by &#8216;Swissky&#8217; and Shubham Jagtap</p><blockquote><p>This is a technical resource providing a multitude of cheat sheets for infrastructure penetration testing.</p><p><strong>So What?</strong></p><p>This is quite a comprehensive resource for infra/netpen testers. For someone just starting out or mid-career, this will be very useful.</p></blockquote><div><hr></div><p><a href="https://objective-see.org/blog/blog_0x77.html">The Mac Malware of 2023: A comprehensive analysis of the year's new malware</a> by Patrick Wardle</p><blockquote><p>A comprehensive report by one of the leaders in this space.</p><p><strong>So What?</strong></p><p>You&#8217;ll either have your interest piqued by this, or you won&#8217;t! 
It&#8217;s very technical and geared towards researchers.</p></blockquote><div><hr></div><p>Thanks for reading &#8216;Briefly Briefed:&#8217; - To receive the newsletter on a weekly basis, please <a href="https://www.munrobotic.com/subscribe?">subscribe</a>.</p>]]></content:encoded></item><item><title><![CDATA[Briefly Briefed: Newsletter #16 (20/12/23)]]></title><description><![CDATA[Welcome to the party, pal!]]></description><link>https://www.munrobotic.com/p/briefly-briefed-newsletter-16-201223</link><guid isPermaLink="false">https://www.munrobotic.com/p/briefly-briefed-newsletter-16-201223</guid><dc:creator><![CDATA[Lawrence Munro]]></dc:creator><pubDate>Wed, 20 Dec 2023 10:36:03 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/2fb86f52-60c1-4d89-b371-1bf93129351e_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Welcome to the party, pal!</p><p>This is week #16 of the &#8216;Briefly Briefed:&#8217; newsletter. A big welcome to new subscribers, and many thanks to those who continue to read. </p><p>The new poll feature doesn&#8217;t seem to work very well via email, apologies if you had a blank section or an error. You can interact via the web version if you feel the need. 
Thanks to those who provided feedback already though!</p><p>I&#8217;m going to take a slight pause on the newsletter over the Holidays; normal service will resume on the 10th of January.</p><p>My &#8216;if you only read two&#8217; recommendations for the week are:</p><ul><li><p><a href="https://www.microsoft.com/content/dam/microsoft/final/en-us/microsoft-brand/documents/Navigating-the-Maze-of-Incident-Response.pdf">New Microsoft Incident Response team guide shares best practices for security teams and leaders</a> by Microsoft Incident Response.</p></li><li><p><a href="https://ventureinsecurity.net/p/why-building-security-products-is">Why building security products is hard and why skilled security practitioners are the only way to achieve an advantage over the adversary</a> by Ross Haleliuk.</p></li></ul><p>Yippee-ki-yay &lt;deleted-expletive&gt;!!!</p><p>Lawrence</p><p><strong>Meme of the Week:</strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!twdv!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8baf31b6-dac1-454e-9914-e25696ce5422_499x457.jpeg"><img src="https://substackcdn.com/image/fetch/$s_!twdv!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8baf31b6-dac1-454e-9914-e25696ce5422_499x457.jpeg" width="379" height="347.1002004008016" alt="CyberSecurity Memes and Phishing Memes of 2023" title="CyberSecurity Memes and Phishing Memes of 2023" loading="lazy"></a></figure></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.munrobotic.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe 
now&quot;,&quot;action&quot;:null,&quot;class&quot;:&quot;button-wrapper&quot;}" data-component-name="ButtonCreateButton"><a class="button primary button-wrapper" href="https://www.munrobotic.com/subscribe?"><span>Subscribe now</span></a></p><div><hr></div><p><a href="https://www.bankofengland.co.uk/financial-stability/operational-resilience-of-the-financial-sector/2023-cbest-thematic">2023 CBEST thematic report</a> by Bank of England (FCA and PRA)</p><blockquote><p>For those not in the UK (or who&#8217;re not familiar with CBEST), CBEST is an attack simulation framework (centred on a substantial red teaming engagement) focused on the UK financial services industry. The annual CBEST thematic is intended to inform the sector on the findings and lessons learned from the CBEST programme. The key themes for 2023 were identified as:</p><ol><li><p>Identity and access management</p></li><li><p>Staff awareness and training</p></li><li><p>Secure configuration</p></li><li><p>Network security</p></li><li><p>Incident response and security monitoring</p></li><li><p>Data security</p></li></ol><p><strong>So What?</strong></p><p>I was lucky enough to be involved in the genesis of CBEST (being on the exco of <a href="https://www.crest-approved.org/">CREST</a> and working with Banks who were clients), and I was also on the other side of the fence whilst working for a retail bank. Overall, I think CBEST has been successful in its mission to highlight weaknesses in (and improve) Cybersecurity within the UK financial sector. 
It has spawned a range of other copycat frameworks (<a href="https://www.ecb.europa.eu/paym/cyber-resilience/tiber-eu/html/index.en.html">TIBER-EU</a> (EU), <a href="https://www.hkma.gov.hk/eng/news-and-media/press-releases/2020/11/20201103-4/">iCAST</a> (HK), <a href="https://abs.org.sg/docs/library/abs-red-team-adversarial-attack-simulation-exercises-guidelines-v1-06766a69f299c69658b7dff00006ed795.pdf">AASE</a> (Sing.) and <a href="https://www.cfr.gov.au/publications/policy-statements-and-other-reports/2022/revised-corie-framework-rollout/cyber-operational-resilience-intelligence-led-exercises-corie-framework.html">CORIE</a> (Aus.)), which have had varying levels of success. It&#8217;s interesting to see this evolve and more sectors adopting equivalent &#8216;*BESTs&#8217;. The report itself is especially interesting if you work in the financial services sector. </p></blockquote><div><hr></div><p><a href="https://www.tarlogic.com/bsam/">BSAM: Bluetooth Security Assessment Methodology</a> by Tarlogic</p><blockquote><p>BSAM is the acronym for Bluetooth Security Assessment Methodology. BSAM is an open and collaborative methodology developed to standardise the security evaluation of devices using Bluetooth technology.</p><p>The BSAM methodology defines all the necessary <a href="https://www.tarlogic.com/bsam/controls/">Bluetooth security controls</a> to provide manufacturers, security researchers, software developers, enthusiasts, and cybersecurity professionals with a guide for conducting security assessments on devices with Bluetooth communications.</p><p><strong>So What?</strong></p><p>This is a well-constructed framework and methodology, which may be useful for those engaged in building or testing devices utilising Bluetooth. 
</p></blockquote><div><hr></div><p><a href="https://www.justice.gov/usao-sdny/pr/former-security-engineer-international-technology-company-pleads-guilty-hacking-two">Former Security Engineer For International Technology Company Pleads Guilty To Hacking Two Decentralized Cryptocurrency Exchanges</a> by U.S. Attorney's Office, Southern District of New York</p><blockquote><p>The press release reports that Shakeeb Ahmed has pled guilty to hacking two decentralised cryptocurrency exchanges, including Nirvana Finance. This case represents the first conviction for hacking a smart contract. Ahmed has agreed to forfeit over $12.3 million, part of which was fraudulently obtained cryptocurrency.</p><p>U.S. Attorney Damian Williams highlighted Ahmed's sophisticated methods used in the theft of over $12 million. In July 2022, Ahmed exploited smart contract vulnerabilities in two exchanges. He fraudulently generated $9 million in one attack and profited approximately $3.6 million from the other, leading to Nirvana Finance's shutdown. Ahmed laundered the stolen funds using various techniques, including cryptocurrency mixers.</p><p>Ahmed's conviction for computer fraud carries a maximum sentence of five years in prison. He has also agreed to pay restitution of over $5 million. The sentencing is scheduled for 13th of March 2024. The successful investigation involved Homeland Security Investigations and the Internal Revenue Service &#8211; Criminal Investigation.</p><p><strong>So What?</strong></p><p>Smart contracts and crypto-based software products remain a juicy target for adversaries, and the wild-west in terms of security levels (and regulation). 
If you want to understand the journey we&#8217;re about to see with &#8216;AI&#8217; (and 10x3&#185;&#8309; startups with one or no security person), crypto is likely a useful analogue.</p></blockquote><div><hr></div><p><a href="https://www.microsoft.com/content/dam/microsoft/final/en-us/microsoft-brand/documents/Navigating-the-Maze-of-Incident-Response.pdf">New Microsoft Incident Response team guide shares best practices for security teams and leaders </a>by Microsoft Incident Response</p><blockquote><p>Microsoft&#8217;s Incident Response team has released a new guide to help organisations develop effective incident response strategies. The guide, titled "Navigating the Maze of Incident Response," focuses on the human elements and processes critical to a successful incident response. It is designed to assist security teams and senior stakeholders during the crucial hours following a breach's detection.</p><p>The guide explains that incident response is a shared responsibility, emphasising the importance of assembling a comprehensive team beyond just technical staff. This includes leadership, communication, and regulatory support, ensuring a holistic approach to managing incidents. The guide suggests a command structure to define workstreams, roles, and responsibilities, acknowledging that senior stakeholders often lack a clear understanding of the impact and risk of cybersecurity incidents due to poor communication.</p><p>The guide details key activities, responsibilities, potential challenges, and common pitfalls for each workstream. It also addresses the importance of understanding roles and responsibilities, shift planning for long responses, and preventing team burnout. Specific processes for each workstream are outlined, including situation reports, evidence requirements for on-premises and cloud data, and the establishment of secure communication channels. 
The guide aims to provide detailed, actionable information for effectively responding to and limiting the impact of cybersecurity incidents.</p><p><strong>So What?</strong></p><p>This is a really useful guide. I like that they&#8217;re considering a wider view of incident response and how it integrates into an organisation. It&#8217;s key to ensure broad engagement in incident response plans, and ideally, clear integration with business continuity planning, crisis management and prioritisation linked to business impact assessments. </p></blockquote><div><hr></div><p><a href="https://ventureinsecurity.net/p/why-building-security-products-is">Why building security products is hard and why skilled security practitioners are the only way to achieve an advantage over the adversary</a> by Ross Haleliuk</p><blockquote><p>The article examines the challenges in creating effective security products and the crucial role of skilled security professionals in cybersecurity. It argues that technological advancements, like AI, are accessible globally to both defenders and attackers, thus neutralising any significant advantage. The core message is that buying security products is essentially outsourcing security, with the effectiveness largely dependent on the quality of the security practitioners employed by the vendor.</p><p>The article further highlights that security products, like endpoint detection and response (EDR) tools, often provide generic solutions, which may not be fully effective due to the diverse nature of customer environments. This leads to the potential for false positives or negatives.</p><p>The post underscores the limitations of assembling multiple specialised security tools, as sophisticated attacks often span across different technological segments. Ross advocates for evidence-based security over promise-based approaches, emphasising the necessity for companies to build their own skilled security teams. 
The key to overcoming cyber adversaries, he suggests, is prioritising skilled personnel over tools.</p><p><strong>So What?</strong></p><p>I agree with a lot of the points Ross makes in this article. I feel that ensuring expertise within a business is the crux of the post. Observing the most successful startups, and the genesis of new sub-markets, it&#8217;s clear that the ones that last are driven by people who&#8217;ve lived the problems they solve. The key advantage startups have (over larger organisations) in solving these problems (IMHO) is a stronger linkage between the business decision-maker and the problem. Having tried to develop &#8216;innovative solutions&#8217; within a range of businesses (of varying sizes), the more disconnected the solution&#8217;s vision is from the problem, the more diluted the outcome. The challenge is often compounded by competing priorities within stakeholder groups, further constraining a unified mission.</p></blockquote><div><hr></div><p><a href="https://www.okta.com/blog/2023/12/okta-acquisition-advances-identity-powered-security/">Spera Security to join forces with Okta to advance Identity-powered security</a> by Arnab Bose (Okta)</p><blockquote><p>Okta has announced its plan to acquire Spera Security (<a href="https://techcrunch.com/2023/12/19/okta-snatches-up-security-firm-spera-reportedly-for-over-100m/">for between $100-130mil</a>), a company specialising in identity threat detection and security posture management. This acquisition, set to close in the first quarter of 2024, aims to enhance Okta's capabilities in identity threat detection and response (ITDR) and security posture management. Spera Security's integration will offer customers improved insights and technology to manage identity security risks more effectively. 
The collaboration is expected to bolster Okta's existing ITDR features and assist customers in dealing with the complexities and risks associated with cloud apps and services.</p><p><strong>So What?</strong></p><p>Big deal of the week! Okta have been embattled with <a href="https://www.reuters.com/technology/cybersecurity/okta-says-hackers-stole-data-all-customer-support-users-cyber-breach-2023-11-29/">breach woes</a> of late. Their share price profile looks like a <a href="https://www.google.com/finance/quote/0KB7:LON?window=6M">rollercoaster ride over the last 6 months</a>, but this acquisition will hopefully rally it.</p></blockquote><div><hr></div><p><a href="https://techcrunch.com/2023/12/18/openai-buffs-safety-team-and-gives-board-veto-power-on-risky-ai/">OpenAI buffs safety team and gives board veto power on risky AI </a>by Devin Coldewey (Tech Crunch)</p><blockquote><p>The article highlights OpenAI's recent enhancements to its AI safety measures. A new safety advisory group has been established to provide guidance on AI risks to the leadership, and the board now has veto power over potentially risky AI projects. These changes follow a leadership overhaul and increasing concerns about AI risks.</p><p>The central element of OpenAI's approach is its updated "Preparedness Framework," designed to identify and manage catastrophic risks in AI development. Risks are categorised into areas like cybersecurity, disinformation, and model autonomy, with a focus on preventing economic damage or harm to individuals. Models posing high risks will not be deployed, and those with critical risks won't be developed further.</p><p>The Safety Advisory Group, distinct from the technical team, will evaluate AI risks and make recommendations. While the leadership team makes initial decisions on AI deployment, the board has the authority to overturn these decisions. 
The article also questions the transparency and effectiveness of the board's oversight in this new safety structure.</p><p><strong>So What?</strong></p><p>It&#8217;s great to see OpenAI introduce additional oversight. They&#8217;re going to need to spend a lot of money (although, they&#8217;re probably good for it) keeping up with inbound international regulation. I think it&#8217;ll be interesting to see how their model develops as GPT becomes the backbone of a lot of platforms. The impact on third-party risk management and data security cannot be understated. If you thought it was hard to pin-point where your data resides and how it&#8217;s used in typical cloud storage, LLMs say &#8216;hold me beer&#8217;.</p></blockquote><div><hr></div><p><a href="https://www.ft.com/content/0b9469e5-7111-445f-a7d2-464ed21748c6">What to do about disinformation</a> by Eliot Higgins (Bellingcat, for the FT)</p><blockquote><p>Eliot Higgins, founder of Bellingcat, addresses the issue of online disinformation, advocating for education over regulation as the solution. He observes how social media platforms, particularly post-changes at Twitter, have contributed to the spread of false information, undermining public trust in them as reliable news sources. Higgins cites examples from the Israel-Palestine conflict, where misinformation and misused images have manipulated public opinion. He emphasises the role of collaborative knowledge in combating disinformation, as demonstrated by Bellingcat's open-source investigations. The article suggests incorporating open-source investigation and critical thinking into educational curricula to empower people, especially the youth, to discern truth online. 
Higgins calls for a united approach from policymakers, educators, and tech leaders to create an informed society, highlighting the pivotal role of education in addressing the challenges of disinformation in the digital age.</p><p><strong>So What?</strong></p><p>I agree broadly with Eliot&#8217;s position, and I think there&#8217;s good evidence for this from <a href="https://www.theguardian.com/world/2020/jan/28/fact-from-fiction-finlands-new-lessons-in-combating-fake-news">countries like Finland</a>. However, as with all things, a balanced approach is needed. The dis/misinformation war reminds me a lot of phishing. You can tell a person 1000000 times how to spot a phishing email, but a juicy pretext and some skilful design can catch out almost anyone. In order to be successful in mitigation, you need to introduce external controls, as the human subconscious does what it does.</p></blockquote><div><hr></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://forms.gle/kFdbX8sTTGj8YiHu6&quot;,&quot;text&quot;:&quot;Send Lawrence Feedback&quot;,&quot;action&quot;:null,&quot;class&quot;:&quot;button-wrapper&quot;}" data-component-name="ButtonCreateButton"><a class="button primary button-wrapper" href="https://forms.gle/kFdbX8sTTGj8YiHu6"><span>Send Lawrence Feedback</span></a></p><div><hr></div><p><a href="https://github.com/latiotech/LAST">Latio Application Security Tester</a> by Latio Tech</p><blockquote><p>LAST is an open source SAST scanner that uses OpenAI to scan your code for security issues from the CLI.
It requires you to bring your own OpenAI token.</p><p><strong>So What?</strong></p><p>I cannot attest to the efficacy of this software, but from a quick exploration of the repo, it seems to be a more advanced attempt to utilise GPTs to do SAST.</p></blockquote><div><hr></div><p><a href="https://cyb3rops.medium.com/introducing-yara-forge-a77cbb77dcab">Introducing YARA-Forge</a> by Florian Roth</p><blockquote><p>The aim of YARA Forge is to develop user-friendly <a href="https://virustotal.github.io/yara/">YARA</a> rule sets sourced from various public repositories. Roth's experience in creating over 17,000 YARA rules (and YARA itself) and other related tools like yarGen and Panopticon has informed the development of YARA-Forge. The tool offers three rule sets - core, extended, and full - to cater to different needs, balancing accuracy, performance, and breadth of threat detection. YARA-Forge also provides feedback to rule authors for improvement and incorporates rules from various public repositories to enhance cybersecurity practices.</p><p><strong>So What?</strong></p><p>If you use YARA, this is a useful tool to support a boost in the efficacy of your rules.</p></blockquote><div><hr></div><p><a href="https://www.bleepingcomputer.com/news/security/cloud-engineer-gets-2-years-for-wiping-ex-employers-code-repos">Cloud engineer gets 2 years for wiping ex-employer&#8217;s code repos</a> by Bill Toulas</p><blockquote><p>The article reports that cloud engineer Miklos Daniel Brody was sentenced to two years in prison and ordered to pay $529,000 in restitution for deleting the code repositories of his former employer, First Republic Bank, as retaliation for being fired. First Republic Bank, a commercial bank in the U.S., was closed and sold to JPMorgan Chase in May 2023.</p><p>Brody's employment at First Republic Bank in San Francisco was terminated on March 11, 2020, due to a policy violation involving inappropriate use of a USB drive. 
Following his dismissal, he used his still-valid account to access the bank's computer network and cause damages exceeding $220,000. His actions included deleting the bank's code repositories, running a script to erase logs, inserting taunts in the code, impersonating other employees, and emailing proprietary bank code to himself.</p><p>Brody initially falsely reported his work laptop stolen and maintained this story even after his arrest in March 2021. However, in April 2023, he pleaded guilty to lying about the laptop and to charges of violating the Computer Fraud and Abuse Act. Alongside the prison term, Brody will also undergo three years of supervised release.</p><p><strong>So What?</strong></p><p>Yikes! This shows the impact of a disgruntled employee in full force. The incident demonstrates the importance of a good JML (Joiners, Movers, Leavers) process, which links to technical controls and regular user audits. Even in 2020, who kept their &#8216;personal files&#8217; on a USB stick anyway?</p></blockquote><div><hr></div><p><a href="https://www.fairinstitute.org/resources/is-it-raining-risk-what-data-says-about-cyber-risk-in-the-cloud">Is It Raining Risk? What Data says about Cyber Risk in the Cloud</a> (A Talk at FAIRCON) by Wade Baker (Cyentia Institute)</p><blockquote><p>In the talk, Wade discusses cyber risk in cloud environments compared to on-premise (on-prem) setups, using insights from the FAIR institute's reports. He aims to determine if there's a measurable difference in cyber risk between the two environments, relating it to the FAIR framework.</p><p>Baker finds that a slightly higher proportion of organisations face more security exposures in the cloud, but there's no evidence suggesting that cloud environments are inherently less secure than on-prem. The differences in security levels are likely due to organisational characteristics and risk management capabilities. 
Choosing a suitable cloud provider is a crucial decision for managing cyber risk.</p><p>Organisations with a heavy reliance on cloud architecture generally report higher resilience outcomes. However, the transition phases of moving to the cloud might temporarily reduce this resilience. Baker also notes that attack paths compromising critical assets in the cloud tend to be shorter and have fewer control points compared to on-prem environments. Slides from the presentation are available <a href="https://1616664.fs1.hubspotusercontent-na1.net/hubfs/1616664/FAIRCON23%20Presentations/Is%20It%20Raining%20Risk%20What%20Data%20says%20about%20Cyber%20Risk%20in%20the%20Cloud_DAY%201_100-145.pptx">here</a>.</p><p><strong>So What?</strong></p><p>This is quite a useful talk for technical and non-technical people. Wade shares some interesting data relating to cloud risks, although the upshot is fairly nondescript (in that cloud has a similar risk profile to on-prem, but can be more secure if well configured).</p></blockquote><div><hr></div><p><a href="https://redcanary.com/blog/aws-sts/">By the same token: How adversaries infiltrate AWS cloud accounts</a> by Thomas Gardner and Cody Betsworth</p><blockquote><p>The post discusses how adversaries exploit AWS&#8217;s Security Token Service (STS) to access cloud assets illicitly. The article explains that while traditional access methods like malware and phishing remain constant, in cloud environments, attackers focus more on identities and APIs. The AWS STS allows the provision of short-term access tokens, which are less prone to theft than long-term credentials but can be misused by adversaries.</p><p>The authors describe how attackers compromise long-term IAM keys (AKIA) through various means like malware, public repositories, and phishing. Once these keys are compromised, attackers use them to create short-term STS tokens (ASIA) for persistence and evasion.
They detail the process of token generation and abuse, emphasising that adversaries often create additional IAM users with long-term keys for backup.</p><p>The post highlights the need for defenders, especially those working with AWS, to understand the mechanisms of STS abuse, including the generation and misuse of both long-term AKIA keys and short-term ASIA tokens. It suggests monitoring CloudTrail event data, detecting role chaining events, and building queries to identify chained credentials as effective strategies for staying ahead of such threats. </p><p><strong>So What?</strong></p><p>This is a very technical post, and aimed at those who are responsible for AWS security within an Enterprise. It&#8217;s really well written and highlights some key bits of information that are not well documented. It was nice to see that AWS also supported an update of this post, clarifying some of the details and purpose behind default behaviours. </p></blockquote><div><hr></div><p><a href="https://www.csoonline.com/article/1258597/how-the-eu-ai-act-regulates-artificial-intelligence-and-what-it-means-for-cybersecurity.html">How the EU AI Act regulates artificial intelligence: What it means for cybersecurity</a> by Andrada Fiscutean</p><blockquote><p>The EU AI Act, agreed upon by European Union lawmakers on December 8, 2023, is a significant law regulating artificial intelligence. The act, designed to protect consumer rights and foster innovation, carries substantial implications for cybersecurity, especially for tech giants and AI startups. The AI Act requires critical infrastructure and high-risk organisations to conduct AI risk assessments and comply with cybersecurity standards.</p><p>The act categorises AI systems into unacceptable risk, high-risk, and limited and minimal risk. It bans certain uses of AI, such as social scoring systems and real-time biometric identification, which are deemed invasive or discriminatory. 
For high-risk systems, robust cybersecurity measures are mandated, including sophisticated security features to protect against attacks and vulnerabilities in AI systems and the underlying ICT infrastructure.</p><p>Entities violating these rules could face penalties up to 35 million euros or 7% of global turnover. The bill awaits adoption by the Parliament and Council and is expected to come into effect no earlier than 2025.</p><p><strong>So What?</strong></p><p>I believe there&#8217;s still some way to go on this and it will be interesting to see how regulation evolves for AI.</p></blockquote><div><hr></div><p><a href="https://www.ncsc.gov.uk/collection/cybersprinters">CyberSprinters (Game)</a> by NCSC</p><blockquote><p>CyberSprinters is a collection of interactive online security resources for 7-11 year olds. CyberSprinters empowers them to make smart decisions about staying secure online.</p><p>The digital game can be played on phone, tablet and desktop, and is supported by a suite of activities to be led by educational practitioners working with 7-11 year olds. Parents and carers can also try the CyberSprinter puzzles with their children at home.</p><p><strong>So What?</strong></p><p>If you&#8217;ve got children or nieces and nephews, this is quite a nice way to get them involved and interested in their online security.</p></blockquote><div><hr></div>]]></content:encoded></item><item><title><![CDATA[Briefly Briefed: Newsletter #15 (13/12/23)]]></title><description><![CDATA[In a galaxy far, far away...]]></description><link>https://www.munrobotic.com/p/briefly-briefed-newsletter-15-131223</link><guid isPermaLink="false">https://www.munrobotic.com/p/briefly-briefed-newsletter-15-131223</guid><dc:creator><![CDATA[Lawrence Munro]]></dc:creator><pubDate>Wed, 13 Dec 2023 10:49:04 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/e99c3eea-a9d3-4414-a304-74078445faad_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>In a galaxy far, far away...</p><p>This is week <strong>#15</strong> of the &#8216;Briefly Briefed:&#8217; newsletter. A big welcome to new subscribers, and many thanks to those who continue to read.</p><p>I&#8217;ve made a couple of minor changes to the newsletter this week: I&#8217;ve added a new &#8216;poll&#8217; feature to rate the quality of the posts, and a feedback link halfway down the page. I will change the poll weekly to include industry issues (feel free to make suggestions in the comments), and I&#8217;ll share results with subscribers.
Please consider adding your thoughts (positive or constructive) via the feedback button if you have a moment; it links through to a Google form and remains private and confidential.</p><p>My &#8216;if you only read two&#8217; recommendations for the week are:</p><ul><li><p><a href="https://owasp.org/www-project-top-10-for-large-language-model-applications/llm-top-10-governance-doc/LLM_AI_Security_and_Governance_Checklist.pdf">LLM AI Security &amp; Governance Checklist</a> by the OWASP Top 10 for LLM Applications Team.</p></li><li><p><a href="https://assets.ctfassets.net/y1cdw1ablpvd/4QtOGdIVsZQrKTftT3ewUU/628de66a9da5d50323df404e02971439/Phisher-s_Guide_to_Slack___Push_Security.pdf">A Phisher&#8217;s Guide to Slack</a> by Push Security.</p></li></ul><p>May the Force be with you.</p><p>Lawrence</p><p><strong>Meme of the Week:</strong></p><figure><img src="https://substack-post-media.s3.amazonaws.com/public/images/d4deef3f-f9e3-4be6-b5fa-0eebbc50d40a_500x626.png" alt=""></figure><div><hr></div><p><a href="https://www.reuters.com/technology/cybersecurity/ukraines-biggest-mobile-operator-suffers-massive-hacker-attack-statement-2023-12-12/">Ukraine's top mobile operator hit by biggest cyberattack of war</a> by Max Hunder, Jonathan Landay, and Stefaniia Bern</p><blockquote><p>Kyivstar, Ukraine's largest mobile network operator, was targeted in the biggest cyberattack since the Russian invasion began in February 2022. This attack, which disrupted services and damaged IT infrastructure, left millions without crucial air raid alerts. Kyivstar CEO Oleksandr Komarov attributed the attack to the ongoing war with Russia, stating it significantly damaged their infrastructure. Russian hacktivist group Killnet claimed responsibility, but without evidence. Ukraine's SBU intelligence agency is investigating the possibility of a Russian state-orchestrated cyber-attack.</p><p>The attack affected over 24.3 million mobile and 1.1 million home Internet subscribers. Services were partially restored, with full restoration expected by today (13/12). Ukrainian officials reported the cyberattack impacted air raid alert systems in over 75 settlements around Kyiv, forcing them to use loudspeakers for warnings. The outage also affected some Ukrainian financial institutions' ATMs and card terminals. This cyberattack is part of a pattern of alleged Russian cyberattacks against Ukrainian state bodies and companies.</p><p><strong>So What?</strong></p><p><a href="https://buttondown.email/grugq/archive/initial-thoughts-on-the-kyivstar-hack/">The Grugq did a short write-up</a> on this, which is more insightful than I can be on this topic. In short, he posits that although this attack is impactful, it&#8217;s not as disruptive as some of the other attacks seen in the conflict.
It does seem fairly punitive, and aimed at reducing morale within the populace.</p></blockquote><div><hr></div><p><a href="https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet">Russia's FSB malign activity: factsheet</a> by the UK Foreign, Commonwealth and Development Office</p><blockquote><p>The article explains that Russia conducts extensive cyber operations through its intelligence services, particularly the FSB (Federal Security Service), SVR, and GRU. The FSB's cyber programme includes two main centres: Centre 16 and Centre 18. Centre 16 focuses on collecting radio-electronic intelligence and has been active in cyber operations since at least 2010. It has targeted critical national infrastructure worldwide, including energy, healthcare, finance, and government sectors. These operations involve advanced malware like Snake, affecting over 50 countries.</p><p>Centre 18, part of the FSB's Counter-Intelligence Service, is responsible for cyber espionage and has targeted the UK's democratic and political processes. The National Cyber Security Centre (NCSC) has raised concerns about the risks posed by these centres. The article highlights the UK government's confirmation of FSB's involvement in these activities, aiming to increase awareness and transparency around these threats.</p><p><strong>So What?</strong></p><p>This is a great summary of state-sponsored Russian cyber operations. If you&#8217;re not constantly deep in CTI, this will provide you with a great primer on the FSB.</p></blockquote><div><hr></div><p><a href="https://github.com/onhexgroup/Conferences">Conference Slide Repository</a> by OnHexGroup</p><blockquote><p>This GitHub repository contains a number of recent conference talk slides, including Black Hat Europe 2023.</p><p><strong>So What?</strong></p><p>The repo provides a handful of slide decks for the latest larger conferences.
It&#8217;s a handy bookmark!</p></blockquote><div><hr></div><p><a href="https://assets.ctfassets.net/y1cdw1ablpvd/4QtOGdIVsZQrKTftT3ewUU/628de66a9da5d50323df404e02971439/Phisher-s_Guide_to_Slack___Push_Security.pdf">A Phisher&#8217;s Guide to Slack</a> by Push Security</p><blockquote><p>The document explains that instant messaging (IM) applications, like Slack, are becoming increasingly targeted for phishing and social engineering attacks. It highlights how attackers can gain initial access through external phishing and then exploit the platform for persistence and lateral movement. The article covers several Software as a Service (SaaS) attack techniques such as IM phishing, user spoofing, and exploiting OAuth system integrations. The focus on IM apps is due to their rising use in business communication and the higher degree of trust users place in them compared to email. The article posits that the expanded functionalities of IM apps, combined with a lack of centralised security controls and user unfamiliarity with these threats, make them attractive targets for attackers. Techniques like IM user spoofing, link preview spoofing, and using Slack's bot tokens for persistence are discussed. The guide aims to increase awareness of the security risks associated with IM platforms and the need for organisations to integrate these considerations into their security strategies.</p><p><strong>So What?</strong></p><p>This is a great resource from Push Security. I&#8217;m lucky enough to speak with the guys there regularly. They&#8217;re ahead of the curve in understanding the way that advanced actors are starting to utilise SaaS and identities maliciously (without touching networks or endpoints). 
This is a major threat for cloud-first organisations, and an emerging one for more traditional hybrid businesses.</p></blockquote><div><hr></div><p><a href="https://owasp.org/www-project-top-10-for-large-language-model-applications/llm-top-10-governance-doc/LLM_AI_Security_and_Governance_Checklist.pdf">LLM AI Security &amp; Governance Checklist</a> by the OWASP Top 10 for LLM Applications Team</p><blockquote><p>The document presents a checklist addressing the surge in generative artificial intelligence (GenAI) applications, like ChatGPT. It underscores the need for organisations to prepare for both the opportunities and challenges posed by these advancements, particularly in Large Language Models (LLMs). The checklist is designed for leaders in various sectors, including technology, cybersecurity, and legal, to assist in understanding the risks and benefits associated with LLMs. It aims to help in strategising for the use and management of these technologies, covering scenarios for both internal applications and third-party services. </p><p><strong>So What?</strong></p><p>While the guide offers a starting point for developing LLM strategies, it is not comprehensive and should be adapted according to specific organisational needs and evolving regulations in the field of AI. However, this is still a great resource and a must-read for organisations utilising or developing LLMs.</p></blockquote><div><hr></div><p><a href="https://www.cnbc.com/2023/11/30/palo-alto-networks-reaches-a-big-milestone-and-its-jim-cramers-top-cybersecurity-stock.html">Palo Alto Networks reaches a big milestone, and it&#8217;s Jim Cramer&#8217;s top cybersecurity stock</a> by Morgan Chittum</p><blockquote><p>The article states that CNBC's Jim Cramer has named Palo Alto Networks (PANW) as his top cybersecurity stock pick. This follows Palo Alto Networks becoming the first company in the Cybersecurity sector to achieve a $100 billion market cap. 
Cramer highlighted this accomplishment as a significant milestone, previously set as a goal by the company's management. He prefers Palo Alto over competitors like Fortinet due to its more diversified and less cyclical revenue channels, which enable the company to serve larger clients on a greater scale. The stock, part of &#8216;Jim&#8217;s Charitable Trust&#8217;, has seen substantial growth, becoming the Trust's third-best performing stock in 2023 and more than doubling in value year to date.</p><p><strong>So What?</strong></p><p>Wow! $100bn! This is a testament to marketing and business strategy, as much as it is to technological innovation. That&#8217;s not to say Palo don&#8217;t have some great tech in their portfolio, but from day one their positioning / acquisition strategy and messaging has been sublime.</p></blockquote><div><hr></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://forms.gle/kFdbX8sTTGj8YiHu6&quot;,&quot;text&quot;:&quot;Send Lawrence Feedback&quot;,&quot;action&quot;:null,&quot;class&quot;:&quot;button-wrapper&quot;}" data-component-name="ButtonCreateButton"><a class="button primary button-wrapper" href="https://forms.gle/kFdbX8sTTGj8YiHu6"><span>Send Lawrence Feedback</span></a></p><div><hr></div><p><a href="https://www.csoonline.com/article/1253036/google-expands-minimum-security-guidelines-for-third-party-vendors.html">Google expands minimum security guidelines for third-party vendors</a> by John P. Mello Jr.</p><blockquote><p>The article explains that Google has updated its Minimum Viable Secure Product (MVSP) program, initially launched in 2021, to enhance security standards for third-party applications. The update offers more comprehensive guidelines for working with external bug researchers and advocates for the integration of basic security features into applications by design, rather than charging extra for them. 
The MVSP program aims to establish a strong security baseline for third-party products, promoting key security controls as fundamental in enterprise-ready products and services.</p><p>The expanded guidance includes publishing a clear vulnerability disclosure policy, developing procedures for managing reported vulnerabilities, and ensuring prompt responses and patches within 90 days of discovery. Google also discourages vendors from adding costs for basic security features, aligning with security-by-design principles. Despite these advancements, nearly half of third-party vendors still fail to meet several MVSP controls, highlighting the need for greater awareness and enforcement in security compliance.</p><p><strong>So What?</strong></p><p>It&#8217;s always heart-warming to see the major CSPs raise the security bar for third-parties. I&#8217;m particularly happy to see the focus on full-disclosure procedures and patching. That said, the current state of adoption evidences the weakness of guidance as a control, with nearly half of third-party vendors electing to ignore the <em>minimum</em> standard. While I believe that regulation (or restrictive terms of use) should be used sparingly, and for the most important primitives of security, the CSPs need to find more effective mechanisms to enforce security hygiene within their ecosystems.</p></blockquote><div><hr></div><p><a href="https://portswigger.net/research/blind-css-exfiltration">Blind CSS Exfiltration: exfiltrate unknown web pages</a> by Gareth Heyes (Portswigger)</p><blockquote><p>The post explains a novel technique for 'blind CSS exfiltration' to exploit vulnerabilities in web pages. This method is useful when JavaScript is not an option due to site constraints like Content Security Policy (CSP) or filters like DOMPurify. The technique involves injecting styles to extract data using CSS, particularly when the structure of the target page is unknown. 
It utilises CSS variables as triggers for requests to an external server, leveraging attribute selectors and the &#8216;:has&#8217; selector. The process includes setting up conditional requests with background images and exploiting the :has selector to extract data from elements that don't normally allow it, such as hidden inputs. The approach is designed to be efficient in exfiltrating data from various form elements and anchor tags using CSS, even in cases where the page structure is not apparent. The article also discusses how to use @import chaining and multiple backgrounds for sending requests and collecting data effectively.</p><p><strong>So What?</strong></p><p>A much more technical share than usual, but this technique is pretty interesting. If you&#8217;re into the technical aspects of Appsec, you may find this useful at some point.</p></blockquote><div><hr></div><p><a href="https://github.com/tsale/EDR-Telemetry">EDR Telemetry Repo</a> by Kostas Tsale</p><blockquote><p>This repo provides a list of telemetry features from EDR products and other endpoint agents, such as <a href="https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon">Sysmon</a>, broken down by category.</p><p>The methodology of the project involves analysing EDR vendor table schemas, independent testing, and requiring evidence for contributed information. The Telemetry Comparison Table, a key part of the project, compares the telemetry from different EDR products. It focuses on out-of-the-box default telemetry events and covers categories like process execution, file system activity, scheduled tasks, network connections, registry activity, user activity, and system configuration changes. The project, currently focused on Windows operating systems, invites EDR vendors and the community to contribute to expanding and updating the information.</p><p><strong>So What?</strong></p><p>Another more technical resource. This is useful for detection engineers and red teamers especially. 
It provides lots of information regarding detection opportunities within quite a broad range of EDR technologies. However, these resources are only useful if they&#8217;re meticulously maintained, and many of these types of projects fall by the wayside when the maintainer moves on to the new hotness. Fingers crossed though, as this is good.</p></blockquote><div><hr></div><p><a href="https://softwareanalyst.substack.com/p/the-evolution-of-enterprise-browsers">The Evolution of Enterprise Browsers</a> by Francis Odum and Shubham Goel</p><blockquote><p>This article explores the rapidly growing enterprise browser market in cybersecurity. In 2023, significant acquisitions occurred, such as Palo Alto Networks buying Talon Security for $625M, and Island Enterprise Security raising $100 million in funding, valuing the company at $1.5 billion. These developments indicate a strong trend towards enterprise browsers.</p><p>The article discusses the increasing importance of enterprise browsers in the context of the rise in hybrid workforces, BYOD policies, and the use of temporary or external contract employees. These factors drive the demand for enterprise browsers, which can virtualise work environments and SaaS apps, providing secure access to personal devices.</p><p><strong>So What?</strong></p><p>This is a very long and detailed post, but packed with great information. Gartner estimates that by 2027, enterprise browsers will be a key component in enterprise super-app consolidation strategies. The article outlines three potential long-term outcomes for enterprise browsers, including becoming a central platform for deploying security and productivity software, a main platform for managing work for third-party contractors and BYOD policies, or becoming acquisition targets for larger platforms. Let&#8217;s see. 
I remember secure browsers being the future in the 2010s too.</p></blockquote><div><hr></div><p><a href="https://www.lawfaremedia.org/article/personal-data-in-the-cloud-is-under-siege.-end-to-end-encryption-is-our-most-powerful-defense">Personal Data in the Cloud Is Under Siege. End-to-End Encryption Is Our Most Powerful Defense</a> by Ivan Krsti&#263; (Lawfare)</p><blockquote><p>The article highlights the increasing threat of data breaches in the cloud, emphasising the vulnerability of personal data stored by various organisations. These breaches are becoming more sophisticated, with criminals using stolen data for ransom or public disclosure.</p><p>The author advocates for a shift to end-to-end encryption as a solution. This method ensures encryption keys are only available to the intended users, making data inaccessible to service providers and, consequently, to attackers. While implementing end-to-end encryption is challenging and not yet widespread, it is considered the most effective way to protect data in the cloud. The article warns against legislative attempts to weaken encryption, arguing that such measures would compromise overall data security for the sake of solving individual crimes. End-to-end encryption is essential for safeguarding privacy and should be preserved as a key defence against cloud data breaches.</p><p><strong>So What?</strong></p><p>There&#8217;s certainly an attack on privacy as a human right, by many of the world&#8217;s governments at the moment. If you&#8217;re an advocate of such things, it&#8217;s worth considering how you can support organisations championing the cause. 
Here are some such groups:</p><ul><li><p><a href="https://www.openrightsgroup.org/">Open Rights Group (UK)</a></p></li><li><p><a href="https://privacyinternational.org/">Privacy International (UK/International)</a></p></li><li><p><a href="https://epic.org/">EPIC (US)</a></p></li><li><p><a href="https://www.eff.org/">EFF (US)</a></p></li><li><p><a href="https://digitalrightswatch.org.au/">Digital Rights Watch (Aus)</a></p></li></ul></blockquote><div><hr></div><p><a href="https://www.reuters.com/technology/ex-twitter-exec-claims-lawsuit-he-was-fired-raising-security-concerns-2023-12-06/">Ex-Twitter exec claims in lawsuit he was fired for raising security concerns</a> by Daniel Wiessner (Reuters)</p><blockquote><p>Alan Rosa, former global head of information security at Twitter, now known as X Corp, has filed a lawsuit alleging wrongful termination. Rosa claims he was fired for opposing budget cuts imposed after Elon Musk's acquisition of the company. These cuts, he argues, would have hindered Twitter's compliance with a U.S. Federal Trade Commission (FTC) settlement. The lawsuit, filed in New Jersey federal court, includes claims of breach of contract and retaliation.</p><p>Rosa asserts that the proposed 50% reduction in his department's budget and the shutdown of software vital for law enforcement cooperation would violate the terms of a $150 million FTC settlement from earlier in 2022. This settlement was based on Twitter's misuse of personal data and required the implementation of stringent privacy and security measures.</p><p>Rosa was dismissed shortly after voicing these concerns. His lawsuit seeks compensatory and punitive damages, plus legal fees. Since Musk's takeover, X Corp has faced multiple lawsuits from ex-employees, covering issues like severance pay, discrimination, and mass layoffs, which the company denies.</p><p><strong>So What?</strong></p><p>X has been embattled by lawsuits since Musk took control. 
It&#8217;s interesting to see someone in Infosec on the other side of a lawsuit for a change&#8230;</p></blockquote><div><hr></div><p><a href="https://www.theguardian.com/technology/2023/dec/10/ex-commissioner-for-facial-recognition-tech-joins-facewatch-firm-he-approved">Ex-commissioner for facial recognition tech joins Facewatch firm he approved</a> by Mark Townsend</p><blockquote><p>The post explains that Professor Fraser Sampson, the former UK biometrics and surveillance camera commissioner, has joined Facewatch, a firm he previously approved, as a non-executive director. This move, occurring the day after he left his government role, has raised concerns of a potential conflict of interest. Facewatch, which uses biometric cameras in high streets, was the first to receive the watchdog's backing under Sampson's tenure. Critics, including advocacy groups like Big Brother Watch, argue that this hiring blurs the lines between public duty and private interests, undermining public trust. They point out the lack of specific laws regulating facial recognition surveillance in the UK and express concerns about privacy and bias in the technology.</p><p>However, Sampson defends his decision, stating he took measures to avoid conflicts of interest and had given prior notice of leaving his government role. He believes his move to Facewatch, which he views as a company committed to lawful and ethical operations, is justified. Facewatch chairman Nick Fisher supports this view, saying Sampson's appointment reinforces their commitment to responsible use of facial recognition technology.</p><p><strong>So What?</strong></p><p>I don&#8217;t really know enough about the situation either way to comment, but there&#8217;s a concerning element to these types of conflicts of interest. 
</p></blockquote><div><hr></div>]]></content:encoded></item><item><title><![CDATA[Briefly Briefed: Newsletter #14 (07/12/23)]]></title><description><![CDATA[Hello there, shiny people.]]></description><link>https://www.munrobotic.com/p/briefly-briefed-newsletter-14-071223</link><guid isPermaLink="false">https://www.munrobotic.com/p/briefly-briefed-newsletter-14-071223</guid><dc:creator><![CDATA[Lawrence Munro]]></dc:creator><pubDate>Thu, 07 Dec 2023 22:55:26 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/896fa33f-aee8-4fa0-be66-91c28cbb5c58_1024x1024.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Hello there, shiny people.</p><p>This is week #14 of the &#8216;Briefly Briefed:&#8217; newsletter. A big welcome to new subscribers, and many thanks to those who continue to read. I&#8217;m (intentionally) releasing this week&#8217;s newsletter later than usual, due to being at Black Hat Europe this week.
It&#8217;ll be back to its normal Wednesday spot next week.</p><p>My &#8216;if you only read two&#8217; recommendations for the week are:</p><ul><li><p><a href="https://softwareanalyst.substack.com/p/platform-consolidation-in-cybersecurity">Platform Consolidation In Cybersecurity: A Palo Alto Networks Case Study</a> by Francis Odum</p></li><li><p><a href="https://eurepoc.eu/table-view/">European Repository of Cyber Incidents</a> by EuRepoC</p></li></ul><p>If you can't do something smart, do something right.</p><p>Lawrence</p><p><strong>Meme of the Week:</strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!rzi6!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F98426da5-8de5-4e4e-b38a-83931bd35f59_1170x1415.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!rzi6!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F98426da5-8de5-4e4e-b38a-83931bd35f59_1170x1415.png 424w, https://substackcdn.com/image/fetch/$s_!rzi6!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F98426da5-8de5-4e4e-b38a-83931bd35f59_1170x1415.png 848w, https://substackcdn.com/image/fetch/$s_!rzi6!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F98426da5-8de5-4e4e-b38a-83931bd35f59_1170x1415.png 1272w, https://substackcdn.com/image/fetch/$s_!rzi6!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F98426da5-8de5-4e4e-b38a-83931bd35f59_1170x1415.png 1456w" sizes="100vw"><img
src="https://substackcdn.com/image/fetch/$s_!rzi6!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F98426da5-8de5-4e4e-b38a-83931bd35f59_1170x1415.png" width="320" height="387.008547008547" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/98426da5-8de5-4e4e-b38a-83931bd35f59_1170x1415.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1415,&quot;width&quot;:1170,&quot;resizeWidth&quot;:320,&quot;bytes&quot;:1042627,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!rzi6!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F98426da5-8de5-4e4e-b38a-83931bd35f59_1170x1415.png 424w, https://substackcdn.com/image/fetch/$s_!rzi6!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F98426da5-8de5-4e4e-b38a-83931bd35f59_1170x1415.png 848w, https://substackcdn.com/image/fetch/$s_!rzi6!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F98426da5-8de5-4e4e-b38a-83931bd35f59_1170x1415.png 1272w, https://substackcdn.com/image/fetch/$s_!rzi6!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F98426da5-8de5-4e4e-b38a-83931bd35f59_1170x1415.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a><figcaption class="image-caption">(Via Prof.
Bill Buchanan)</figcaption></figure></div><div><hr></div><p><a href="https://blog.checkpoint.com/security/unlocking-the-power-of-mitre-attck-a-comprehensive-blog-series-on-implementation-strategies-for-incident-response-teams/">Unlocking the Power of MITRE ATT&amp;CK: A Comprehensive Blog Series on Implementation Strategies for Incident Response Teams</a> by Check Point Team</p><blockquote><p>The blog introduces a series on using the MITRE ATT&amp;CK framework for Incident Response Teams. It emphasises the transformation of incident reports into standardised MITRE ATT&amp;CK terms to improve clarity and consistency in communication. The blog details a process where perpetrator activities in reports are identified and translated into specific ATT&amp;CK (sub)techniques. This approach aims to provide a uniform language for describing cyber incidents, aiding in better understanding and response. The series intends to demonstrate the benefits of this method in incident reporting and its potential applications in broader contexts such as cyber threat intelligence and security exercises.</p><p><strong>So What?</strong></p><p>It&#8217;s good to see Check Point producing this type of content; I would imagine it&#8217;s in connection with the <a href="https://www.checkpoint.com/press-releases/check-point-software-launches-new-global-managed-security-service-provider-mssp-program-to-accelerate-partner-growth/">MSSP program they launched in October</a>. The post is quite simple, but appears to be the first in a series discussing how to utilise ATT&amp;CK to standardise response.
I&#8217;ll be keeping an eye out for subsequent posts.</p></blockquote><div><hr></div><p><a href="https://blog.whatsapp.com/introducing-secret-code-for-chat-lock">Introducing Secret Code for Chat Lock</a> by WhatsApp</p><blockquote><p>The post introduces a new feature called &#8216;secret code&#8217; for the Chat Lock function. Chat Lock was previously launched to help users secure sensitive conversations. The secret code adds an extra layer of security, allowing users to set a unique password that differs from their phone's unlock code. This enhances privacy for locked chats. Additionally, users can choose to hide the Locked Chats folder from their chat list, making it accessible only by entering the secret code in the search bar. Users who prefer visibility can still have the folder appear in their chat list.</p><p>The process of locking new chats has been simplified; users can now long-press a chat to lock it, rather than adjusting settings within each chat. The introduction of secret code, which started rolling out on 30th November and will be globally available in the coming months, has been well received by the community.</p><p><strong>So What?</strong></p><p>If you need to use WhatsApp due to &#8216;human-compatibility issues&#8217; (your non-Cyber friends and family won&#8217;t download Signal), this is quite a nice feature to add additional privacy and security.</p></blockquote><div><hr></div><p><a href="https://softwareanalyst.substack.com/p/platform-consolidation-in-cybersecurity">Platform Consolidation In Cybersecurity: A Palo Alto Networks Case Study</a> by Francis Odum</p><blockquote><p>The article provides an update on Palo Alto Networks' (PANW) journey towards becoming a heavyweight cybersecurity company. Originally a company specialising in on-premises firewall security, PANW has developed significantly under the leadership of CEO Nikesh Arora since 2018.
The company now delivers a comprehensive cybersecurity platform, broadening its scope to include network security, cloud security, and the Cortex Security Operation Centre (SOC) platform. This growth has led to PANW generating over $3.2 billion in Annual Recurring Revenue (ARR) from next-generation security products, accounting for nearly 40% of its revenue.</p><p>PANW's strategy centres on platform consolidation in the fragmented cybersecurity market. Rather than simply consolidating vendors for cost-saving purposes, PANW's approach of &#8216;platformisation&#8217; integrates products to improve security outcomes and add value. The strategy&#8217;s success is reflected in their financial results, demonstrating strong growth and notable market share increases in comparison to their competitors.</p><p>The article emphasises PANW's achievements in various market segments, particularly in the SASE market with over $1 billion in ARR, and the Cortex SOC business reaching $1 billion in bookings.</p><p><strong>So What?</strong></p><p>I agree with the assessment in this post; it&#8217;s been interesting to watch Palo Alto grow and their strategy develop. As I&#8217;ve mentioned in <a href="https://www.munrobotic.com/p/are-we-seeing-a-cyber-race-for-critical">other posts</a>, I think this is undoubtedly due to needing to compete with Microsoft, and the disconnected nature of point solutions and heterogeneous tech ecosystems. The post is extremely well researched, so if you&#8217;re interested in the business side of Cybersecurity, this is a must-read, as it unpicks PANW&#8217;s strategy really well.</p></blockquote><div><hr></div><p><a href="https://eurepoc.eu/table-view/">European Repository of Cyber Incidents</a> by EuRepoC</p><blockquote><p>The European Repository of Cyber Incidents (EuRepoC) is an independent research consortium dedicated to better understanding the cyber threat environment in the European Union and beyond.
Launched in November 2022, the consortium&#8217;s key objectives are to promote data-driven discussions and policymaking within the field of cyber security and to raise awareness of cyber security threats. They seek to achieve this by providing an analytical framework for assessing and comparing the &#8216;life cycle&#8217; of cyber incidents, focusing on technical, political and legal aspects.</p><p>The repository itself is a queryable data source of worldwide Cyber incidents.</p><p><strong>So What?</strong></p><p>There are a lot of different ways to explore the data on the site, with a two-minute video running you through it from the homepage. The table view on the dashboard provides the most accessible view for research. This is really useful if you&#8217;re building risk and threat models, and you want to discover &#8216;what if&#8217; scenarios from real-world incidents. Building table-top exercises based on incidents defined within the database is also a nice use case.</p></blockquote><div><hr></div><p><a href="https://www.datadoghq.com/state-of-cloud-security">State of Cloud Security</a> by DataDog</p><blockquote><p>The report analyses the security posture of thousands of organisations using AWS, Azure, or Google Cloud. It focuses on common risks that often lead to cloud security incidents.</p><p>The conclusion indicates improvements in security posture across these cloud environments. This progress is attributed to cloud providers offering more secure defaults, the adoption of solutions that scan for insecure configurations, and increased general awareness of cloud security risks. Issues like long-lived credentials, insufficient MFA adoption, and excessive privileges are hard to detect and fix. The report suggests that continuously scanning for misconfigurations and promptly addressing these issues are crucial strategies for enhancing cloud security, thereby preventing breaches and allowing developers to continue producing software efficiently.
A summary of the key &#8216;facts&#8217; is shown below:</p><ol><li><p>Long-Lived Credentials Continue to be a Risk.</p></li><li><p>MFA for Cloud Access is Not Sufficiently Enforced.</p></li><li><p>In AWS, IMDSv2 is Still Widely Unenforced, but Adoption is Rising.</p></li><li><p>Adoption of Public Access Blocks in Cloud Storage Services is Increasing.</p></li><li><p>A Substantial Portion of Cloud Workloads are Excessively Privileged.</p></li><li><p>Many Virtual Machines Remain Publicly Exposed to the Internet.</p></li></ol><p><strong>So What?</strong></p><p>Despite the report being quite high-level, it provides good awareness on the most common (and impactful) mistakes organisations are making with cloud platforms. I really like that the researchers share the methodology in some detail at the end of the report.</p></blockquote><div><hr></div><p><a href="https://www4.orangecyberdefense.com/security-navigator-2024">Security Navigator 2024: Research-driven insights to build a safer digital society</a> by Orange Cyberdefense</p><blockquote><p>The Security Navigator, issued by Orange Cyberdefense, offers insights from their standpoint as a significant player in cyber security and part of a worldwide telecom operator. The report highlights that this year has witnessed crucial changes, with geopolitical unrest affecting the recovery post-COVID and the digital realm turning into a battleground for state-supported groups and political activists. The focus of cyber attacks has shifted from financial gain to destruction, leading to a turbulent threat landscape.</p><p>The report also notes an increase in cyber extortion, particularly in the EMEA and Asia Pacific regions, with small and medium enterprises increasingly being targeted.
</p><p><strong>So What?</strong></p><p>In particular, I liked the OT section (by Ric Derbyshire) and I appreciated the linkage to his <a href="https://arxiv.org/pdf/2307.09549.pdf">high-quality research presenting &#8216;Dead Man&#8217;s PLC&#8217;</a> (check it out if you&#8217;re interested in OT security). Overall, as perennial corporate wrap-ups go, there is a lot of useful content in here and it&#8217;s high quality across the board. My only criticisms are that it&#8217;s VERY long, and (somewhat ironically) it&#8217;s quite difficult to Navigate, because topics you would expect to be grouped together aren&#8217;t.</p></blockquote><div><hr></div><p><a href="https://psycnet.apa.org/fulltext/2024-19786-001.html">Virtual Meeting Fatigue: Exploring the Impact of Virtual Meetings on Cognitive Performance and Active Versus Passive Fatigue</a> by Niina Nurmi and Satu Pakerinen</p><blockquote><p>The paper explains how Zoom fatigue is not burnout. It&#8217;s &#8216;boreout&#8217;. The new study posits that when meetings are virtual, we&#8217;re not overwhelmed&#8212;we&#8217;re under-stimulated. Cardiac measures show drowsiness, not stress. The antidotes are common sense but not common practice: fewer, shorter, more interactive online meetings.</p><p><strong>So What?</strong></p><p>A useful thing to know. Sometimes we need to hear the obvious to take action on what we already know to be true.</p></blockquote><div><hr></div><p><a href="https://www.npr.org/2023/11/30/1205735647/montana-tiktok-ban-blocked-state">Federal judge blocks Montana's TikTok ban before it takes effect</a> by Bobby Allyn</p><blockquote><p>A federal judge in Montana has temporarily blocked a state law that sought to ban TikTok. This law, unique in attempting a complete ban of a specific app within a state, has been criticised for overstepping state power and potentially violating the First Amendment.
Judge Donald Molloy highlighted that the law seemed more focused on anti-China sentiment than protecting consumers. He also noted that Montana lacks authority in foreign affairs and found the national security case against TikTok unconvincing. TikTok, owned by Beijing-based ByteDance, has faced scrutiny over concerns of sensitive data being shared with Chinese authorities or being used for propaganda, but there is no public proof of this. TikTok sued Montana, arguing the ban suppresses free speech and lacks solid evidence. The case continues as states and the federal government debate TikTok's future, with national security experts viewing it as part of broader U.S.-China tensions. TikTok has tried to address concerns by storing U.S. data on servers managed by Oracle and limiting China-based employees' access to this data.</p><p><strong>So What?</strong></p><p>I won&#8217;t comment on this for work reasons, but it will be interesting to see how this plays out.</p></blockquote><div><hr></div><p><a href="https://ec.europa.eu/commission/presscorner/detail/en/ip_23_6168">EU Commission welcomes political agreement on Cyber Resilience Act</a></p><blockquote><p>The European Commission has hailed a recent political accord on the Cyber Resilience Act, a law aimed at boosting the cybersecurity of all digital products within the EU, from hardware like baby monitors to software such as computer games. The Act requires products to meet cybersecurity standards, with less than 10% needing third-party evaluation.</p><p>Key to the Act is the stipulation that every digital product sold in the EU must be cyber secure, evidenced by a CE marking. Manufacturers are now obligated to ensure cybersecurity from product design to post-market, including providing security updates for years after sale.
This increases manufacturer transparency and empowers consumers with safer choices.</p><p>Pending formal approval by the European Parliament and Council, the Act will be enforceable 20 days after its publication. Manufacturers, importers, and distributors have 36 months to comply, with a 21-month period for specific reporting duties. </p><p><strong>So What?</strong></p><p>This is great news. This represents a significant step forward in enhancing Cybersecurity across the EU (and more broadly). By setting comprehensive standards for digital products, from hardware to software, it ensures a higher level of security in consumer products. </p><p>The Act places a very welcome emphasis on manufacturer responsibility, requiring them to consider cybersecurity at every stage of a product's life cycle, including after-sale support.</p><p>I&#8217;m not a fan of over-legislating, but there comes a point where it&#8217;s the only tool left in the box.</p></blockquote><div><hr></div><p><a href="https://www.lawfaremedia.org/article/the-chaos-at-openai-is-a-death-knell-for-ai-self-regulation">The Chaos at OpenAI is a Death Knell for AI Self-Regulation</a> by Eugenia Lostri, Alan Z. Rozenshtein, Chinmayi Sharma (Lawfare)</p><blockquote><p>The article discusses the recent upheaval at OpenAI, highlighting it as a sign that AI self-regulation is unfeasible. Key events include the firing and rehiring of CEO Sam Altman, tensions between OpenAI&#8217;s original mission of cautious AI development and its shift towards commercialisation, and conflicts between those advocating rapid deployment of AI technologies and those urging caution due to potential risks. This turmoil, intensified by OpenAI&#8217;s complex corporate structure and its partnership with Microsoft, raises concerns about the effectiveness of industry self-governance in AI. 
The article suggests that government regulation might be necessary to ensure responsible AI development.</p><p><strong>So What?</strong></p><p>The authors of this post may be sensationalising the OpenAI saga somewhat. It was certainly dramatic and impactful, but I believe we&#8217;re going to see significant regulatory intervention either way. In fact, it&#8217;s mostly underway.</p></blockquote><div><hr></div><p><a href="https://center-for-threat-informed-defense.github.io/security-stack-mappings/AWS/README.html">AWS Security controls mappings to MITRE ATT&amp;CK</a> by MITRE Center for Threat Informed Defense</p><blockquote><p>The project empowers organisations with independent data on which native AWS security controls are most useful in defending against the adversary TTPs that they care about. It achieves this by mapping security capabilities of AWS to the ATT&amp;CK techniques that they can protect, detect, or respond to. This will allow organisations to make threat-informed decisions when selecting which native security capabilities to use to protect their workloads.</p><p><strong>So What?</strong></p><p>This is really useful; I didn&#8217;t realise that it was somewhat hidden away and not everyone had come across it. The mapping supports a move toward continuous control monitoring and automated risk and threat modelling. One of the big challenges in the GRC world is the disconnect between policy, standards and technical controls. Being able to standardise the way you represent a TTP and map threats to controls in a consistent way is super important.
</p></blockquote><div><hr></div><p><a href="https://www.nccgroup.com/media/zugjppis/cyber-threats-in-sport-whitepaper_final.pdf">The Hidden Opponent: Cyber Threats in Sport</a> by NCC Group</p><blockquote><p>The aim of the report is to help organisations and individuals involved in the world of sport to understand their levels of cyber security vulnerability and exposure against the ever-evolving technology and threat landscape. Moreover, the report guides sports organisations and athletes towards practical advice to reduce cyber security risks, thus protecting their brand reputation, data confidentiality, system integrity, and asset availability. The report is underpinned by qualitative and quantitative research performed by a team of researchers from the University of Oxford&#8217;s Researcher Strategy Consultancy, in collaboration with global cyber security and risk mitigation experts NCC Group, and Phoenix Sport &amp; Media Group.</p><p><strong>So What?</strong></p><p>This won&#8217;t be relevant to everyone, but it&#8217;s an interesting read irrespective of your operating sector. The CTI relating to the most recent attacks is particularly interesting, as some of them weren&#8217;t covered in as much detail in the industry press at the time.</p></blockquote><div><hr></div><p><a href="https://www.blackhat.com/eu-23/briefings/schedule/index.html#industrialising-cyber-defence-in-an-asymmetric-world-36403">Black Hat Europe Talk: Industrialising Cyber Defence in an Asymmetric World</a> by Ollie Whitehouse</p><blockquote><p>Ollie's keynote focused on the increasing complexity and impact of cyber-attacks, emphasising the need for preparedness in an asymmetric cyber world. He highlighted that attackers' brazenness, improving technical skills, and operational sophistication pose significant challenges.
The talk stressed the difficulty in coping with sustained attacks, especially when attackers can resort to extreme tactics upon discovery.</p><p>Key issues included the ongoing struggle with technology volume, security features being optional rather than standard, and the rapid pace of digital transformation. Ollie highlighted that access to security data is limited, creating knowledge asymmetry. He posited that the problem is compounded by linear scaling limitations and the high level of technical debt in existing systems.</p><p>His closing thoughts, in summary, were:</p><ul><li><p>Impose cost (on adversaries)</p></li><li><p>Build evidenced resilience</p></li><li><p>Prepare for when</p></li></ul><p>For those who weren&#8217;t at Black Hat, I believe they will put this talk online after a short period of time. It&#8217;s worth a watch.</p><p><strong>So What?</strong></p><p>In typical Ollie fashion, he hit the key points hard and delivered a good one-two punch to vendors concurrently. I agreed with the majority of the talk, and felt it was well constructed and researched (as you&#8217;d expect). However, I did disagree on the approach to applying pressure to vendors to include &#8216;security features as standard&#8217; (or to paraphrase Ollie, seatbelts at no extra cost) within their products. His (NCSC&#8217;s) position is to encourage organisations to band together and refuse to pay, with the example of CNI organisations cited as a credible cohort to attempt this. While I do agree that consumer pressure is an important lever to pull, as we&#8217;ve seen countless times, security only happens when there&#8217;s a proper incentive. I&#8217;m not sure that this is. The approach could trigger an exception for CNI (and that&#8217;s not at all a bad thing), but I&#8217;m not convinced this will trigger a cascade and suddenly Microsoft will un-grey all the E5 security goodies and Salesforce will trim the extra ~$400k they want to switch on proper logging.
Legislative interventions like the EU Cyber Resilience Act could be more reliable vehicles. </p></blockquote><div><hr></div>]]></content:encoded></item><item><title><![CDATA[Briefly Briefed: Newsletter #13 (29/11/23)]]></title><description><![CDATA[Hello, Sweetie.]]></description><link>https://www.munrobotic.com/p/briefly-briefed-newsletter-13-291123</link><guid isPermaLink="false">https://www.munrobotic.com/p/briefly-briefed-newsletter-13-291123</guid><dc:creator><![CDATA[Lawrence Munro]]></dc:creator><pubDate>Wed, 29 Nov 2023 11:38:57 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/0b447700-53b1-4355-9796-4d3fcfc5898d_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Hello, Sweetie.</p><p>This is week #13 of the &#8216;Briefly Briefed:&#8217; newsletter. 
A big welcome to new subscribers, and many thanks to those who continue to read.</p><p>My two &#8216;if you only read two&#8217; recommendations for the week are:</p><ul><li><p><a href="https://twitter.com/notcapnamerica/status/1725901659270742084?s=46&amp;t=uEddZbVmOK5FnjptLhPzkQ">A video from CSPAN about a social engineering attack utilising AI to replicate a family member&#8217;s voice</a> via @notcapnamerica (on &#8216;X&#8217;).</p></li><li><p><a href="https://dagrz.com/writing/aws-security/getting-into-aws-security-research/">Getting into AWS cloud security research as a n00bcake</a> by Daniel Grzelak.</p></li></ul><p>Allons-y!</p><p>Lawrence</p><p><strong>Meme of the Week:</strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!VQfO!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff43d6b2b-bf55-49e3-8047-13871b578d17_640x800.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!VQfO!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff43d6b2b-bf55-49e3-8047-13871b578d17_640x800.png 424w, https://substackcdn.com/image/fetch/$s_!VQfO!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff43d6b2b-bf55-49e3-8047-13871b578d17_640x800.png 848w, https://substackcdn.com/image/fetch/$s_!VQfO!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff43d6b2b-bf55-49e3-8047-13871b578d17_640x800.png 1272w, 
https://substackcdn.com/image/fetch/$s_!VQfO!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff43d6b2b-bf55-49e3-8047-13871b578d17_640x800.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!VQfO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff43d6b2b-bf55-49e3-8047-13871b578d17_640x800.png" width="358" height="447.5" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f43d6b2b-bf55-49e3-8047-13871b578d17_640x800.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:800,&quot;width&quot;:640,&quot;resizeWidth&quot;:358,&quot;bytes&quot;:500915,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!VQfO!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff43d6b2b-bf55-49e3-8047-13871b578d17_640x800.png 424w, https://substackcdn.com/image/fetch/$s_!VQfO!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff43d6b2b-bf55-49e3-8047-13871b578d17_640x800.png 848w, https://substackcdn.com/image/fetch/$s_!VQfO!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff43d6b2b-bf55-49e3-8047-13871b578d17_640x800.png 1272w, 
https://substackcdn.com/image/fetch/$s_!VQfO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff43d6b2b-bf55-49e3-8047-13871b578d17_640x800.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><div><hr></div><p><a href="https://dagrz.com/writing/aws-security/getting-into-aws-security-research/">Getting into AWS cloud security research as a n00bcake</a> by Daniel Grzelak (Plerion)</p><blockquote><p>The article provides an insightful guide for beginners in AWS cloud security research. Daniel shares his personal journey and lessons learned, emphasising the importance of hands-on experience. He advises readers to build and break things within AWS to understand its complexities and vulnerabilities. The article covers several key areas: building in AWS to understand its intricacies, using practice environments like 'flAWS' and 'CloudGoat' for real-world testing, the significance of writing and sharing knowledge, learning from experts in the field, and maintaining ethical standards in research. Additionally, the post discusses the value of networking with engineers and consistently engaging in research activities. It also highlights specific focus areas for research, such as examining AWS documentation, decomposing SDKs, identifying API discrepancies, finding undocumented APIs, targeting open-source integrations, and exploring the AWS shared responsibility model.</p><p><strong>So What?</strong></p><p>I think there&#8217;s real value in these types of posts, especially given the skills gap - kudos to Daniel. The post is pretty well written and the signposting of resources alone is worth your time if you&#8217;re starting out, or continuing your journey into the clouds. </p></blockquote><div><hr></div><p><a href="https://www.haveibeensquatted.com/">Haveibeensquatted domain squatting analyser</a></p><blockquote><p>Not porn. The site (based on haveibeenpwned) provides <a href="https://www.godaddy.com/resources/skills/what-is-domain-squatting-and-what-can-you-do-about-it">domain squatting</a> permutations. 
It limits the number of permutations shown if you&#8217;ve not signed up, but enrolment is free.</p><p><strong>So What?</strong></p><p>This could be useful as part of a proactive domain ownership strategy, to acquire potentially squattable domains (although, there are services that will do this for you). Additionally, you could use this as a seed, to create a block list of domains for email senders. However, you&#8217;d need to be fairly confident of the domain&#8217;s reputation before committing. </p></blockquote><div><hr></div><p><a href="https://twitter.com/notcapnamerica/status/1725901659270742084?s=46&amp;t=uEddZbVmOK5FnjptLhPzkQ">A video from CSPAN about a social engineering attack utilising AI to replicate a family member&#8217;s voice</a> via @notcapnamerica (on &#8216;X&#8217;)</p><blockquote><p>This six-and-a-half-minute video tells a story, recounted by the victim (a U.S.-based attorney), where he received a distressing call from his &#8216;son&#8217; (using a deepfaked voice). The attackers created a pretext whereby his son had been involved in a traffic accident, and had injured a pregnant woman whilst under the influence. The attackers asked for money ($9k) for his son&#8217;s bail as part of a complex and procedurally accurate scenario involving a bitcoin ATM.</p><p><strong>So What?</strong></p><p>The video emphasises the emotional impact of scams as much as the terrifying use of AI. I&#8217;d highly recommend sharing this with friends and family, as it highlights the vitriolic creativity of scammers, and the capability of modern AI. Moreover, it provides a sombre reminder to those of us who simulate attacks (especially those utilising social engineering) that there is a human impact on targets and victims. 
Select your pretexts wisely.</p></blockquote><div><hr></div><p><a href="https://www.wiz.io/blog/bidens-ai-executive-order-what-it-means-for-security-teams">Biden's AI Executive Order: What it says, and what it means for security teams</a> by Joseph Thacker (Wiz)</p><blockquote><p>The article explains the implications of the 2023 Executive Order on AI (order number 14110) issued by President Biden, focusing on its impact on security teams in companies using AI. The order establishes new standards for AI safety, security, and privacy protection. It stresses the importance of developing AI systems that are safe, secure, and trustworthy, with extensive testing required before public release. The article highlights the need for security teams to begin preparing for compliance with these standards, emphasising extensive red-team testing, privacy protection, and fairness in AI applications. The order has significant implications for AI use in various sectors, including healthcare and criminal justice, and requires security teams to adapt their practices to ensure AI systems are ethical and compliant with the new standards.</p><p><strong>So What?</strong></p><p>This is a great write-up, and provides a useful lens on how the latest Executive Order in the U.S. will impact us as an industry. It&#8217;s great to see an emphasis on efficacy assurance (red team assessments etc.). One of the greatest threats to security is the complacency of compliance. It&#8217;s really important to understand your controls and the appropriate way to assess their effectiveness. 
</p></blockquote><div><hr></div><p><a href="https://assets.publishing.service.gov.uk/media/6549fcb23ff5770013a88131/independent_review_of_university_spin-out_companies.pdf">Independent Review of University Spin-out Companies</a> by The Department of Science, Innovation and Technology (UK government)</p><blockquote><p>The article reviews the role of spin-out companies, which are start-ups created from university research, in contributing to the UK's ambition of becoming a science and technology superpower. The review identifies best practices from successful university spin-out ecosystems globally and within the UK, aiming to support spin-outs in gaining more investment and faster growth. The UK's unique opportunity lies in leveraging strengths across various academic disciplines, including humanities and arts, to build a leading innovation ecosystem. The review outlines key elements for a successful spin-out ecosystem, including a diverse pool of academic founders, anchor institutions like universities, service providers, accessible investment capital, partnerships with large corporations, talented early employees, and supportive infrastructure. 
It highlights the success of ecosystems in the US and the UK's 'golden triangle' and presents recommendations for the UK to enhance its spin-out environment.</p><p>A summary of the ten recommendations: </p><ol><li><p>"Accelerate towards innovation-friendly university policies that all parties, including investors, should adhere to where they are underpinned by guidance co-developed between investors, founders, and universities."</p></li><li><p>"More data and transparency on spin-outs through a national register of spin-outs, and universities publishing more information about their typical deal terms."</p></li><li><p>"HEIF should be used to reduce the need for universities to cover the costs of technology transfer offices (TTOs) from spin-out income."</p></li><li><p>"Create shared TTOs to help build scale and critical mass in the spin-out space for smaller research universities."</p></li><li><p>"Government should increase funding for proof-of-concept funds to develop confidence in the concept prior to spinning-out."</p></li><li><p>"In developing the &#8216;engagement &amp; impact&#8217; and &#8216;people &amp; culture&#8217; elements of REF 2028, the four Higher Education Funding Bodies should ensure that the guidance and criteria strongly emphasise the importance of research commercialisation, spin-outs, and social ventures as a form of research impact."</p></li><li><p>"Founders need access to support from individuals and organisations with experience of operating successful high-tech start-ups, regardless of the region founders are based in or sector they operate in."</p></li><li><p>"UK Research and Innovation (UKRI) should ensure that all PhD students they fund have a voluntary option of attending high-quality entrepreneurship training."</p></li><li><p>"Recognising the important role that university-affiliated funds have played in helping spin-outs from some regions access finance, universities considering working with new affiliated investment funds should 
continue to ensure they are still able to attract a wider set of investors and encourage competition when agreeing such deals."</p></li><li><p>"We welcome ongoing reforms to support scale-up capital, such as changes to pensions regulation and encourage the government to accelerate these efforts."</p></li></ol><p><strong>So What?</strong></p><p>This may be interesting to people based in the UK, who&#8217;re involved with the Cyber startup sector. </p></blockquote><div><hr></div><p><a href="https://techcrunch.com/2023/11/24/startups-should-consider-hiring-fractional-ai-officers/">Startups should consider hiring fractional AI officers</a> by Raphael Ouzan (TechCrunch)</p><blockquote><p>The article discusses the idea that startups, particularly those with limited resources, should consider hiring fractional AI officers. This approach involves hiring AI professionals on a part-time or contract basis, providing startups with the expertise they need without the full-time cost. The article likely explores the benefits of this strategy, such as cost-effectiveness, access to specialised skills, and flexibility. It may also address how startups can integrate these fractional officers into their teams and strategies for making the most of their expertise in developing AI capabilities.</p><p><strong>So What?</strong></p><p>The concept of fractional or virtual executives is not new (especially for CTOs and CISOs). However, having a deep understanding of AI is becoming ever more important. I believe there could be some benefit to smaller organisations in this approach, as these types of resources can be scarce and cost-prohibitive. That said, smaller organisations aren&#8217;t really going to benefit from generic or high-level advice. The challenge with a fractional executive is they&#8217;ll only be able to provide broad strokes, and understanding the organisation&#8217;s strategy part-time will be slow (a killer for market agility). 
I&#8217;d posit that startups would likely get more benefit from a point-in-time consulting engagement focused on the opportunity for, and benefits of, utilising AI. Not everything needs AI/ML; shocking, I know. Alternatively, it could be worth prioritising that &#8216;sweet-sweet&#8217; VC money on a full-time resource, if that&#8217;s core to your mission.</p></blockquote><div><hr></div><p><a href="https://projectblack.io/blog/trusted-by-millions-yet-so-wrong/">Trusted by Millions, Yet So Wrong - Password Strength Tools</a> by Eddie Zhang</p><blockquote><p>The article discusses the inaccuracy of popular password strength tools. Eddie reveals that four out of the top ten search results for these tools provide questionable security advice. Despite one tool estimating a password example would take two million years to crack, Zhang demonstrates it could be cracked in just eight seconds using a $650 graphics card. The article attributes this discrepancy to these tools employing a simplistic approach to estimating password strength, failing to consider human patterns in password creation. Zhang suggests using multi-factor authentication, not reusing passwords, using a password manager, and creating longer, less predictable passwords. He also highlights the need for improved user education in cybersecurity and questions the effectiveness of regulatory frameworks in reducing cyber misinformation.</p><p><strong>So What?</strong></p><p>Solid advice and quite a nice write-up. </p></blockquote><div><hr></div><p><a href="https://github.com/AirbusProtect/AD-Canaries">Active Directory Canaries (Tool)</a> by Airbus Protect</p><blockquote><p>The repo presents "Active Directory Canaries," a detection tool for Active Directory enumeration techniques. The tool utilises the concept of DACL Backdoors, first introduced by Andy Robbins and Will Schroeder in their 2017 white paper "An ACE Up the Sleeve." 
The main purpose of this project is to offer and continuously update a PowerShell script that simplifies the deployment of required Active Directory objects, thereby enhancing the detection and monitoring capabilities against potential enumeration attacks within Active Directory environments.</p><p><strong>So What?</strong></p><p>Canaries are a really great tool, complementing XDR and other detection-focused capabilities. From regularly speaking with capable red teamers, I know that Canaries are one of the things they really hate. It makes their jobs harder, giving SOCs a clear vector on their activities. Canaries are especially useful as the signal-to-noise ratio is very high, given there is no legitimate use case to interact with them. I&#8217;d highly recommend experimenting with this tool, <a href="https://canary.tools/">commercial options</a> or some of the <a href="https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/deceptive-defense-best-practices-for-identity-based-honeytokens/ba-p/3851641">built-in honeytoken capabilities within Azure</a>.</p></blockquote><div><hr></div><p><a href="https://garymarcus.substack.com/p/top-5-reasons-why-openai-was-probably">Top 5 reasons why OpenAI was probably never really worth $86 billion</a> by Gary Marcus</p><blockquote><p>The article by Gary Marcus argues that OpenAI's estimated $86 billion valuation was likely unrealistic. It explains that the true value of OpenAI resides in its staff, not its intellectual property, data, customer list, or infrastructure. This perspective is supported by the ease with which other companies replicated OpenAI's achievements.</p><p>The post points out the unresolved issue of hallucinations in AI, a problem acknowledged by OpenAI's leadership. The article further discusses OpenAI's unclear business model and the high cost of running advanced systems like GPT-4. 
The revenue generated is mostly from testing, not sustained usage, making it speculative.</p><p>Additionally, the post critiques OpenAI's hybrid non-profit model, highlighting the tension between safety and financial return. Finally, it questions the ability of large language models to address the alignment problem, essential for AI safety and reliability. The article concludes that OpenAI's high valuation was more based on promise than tangible results, with its non-profit mission clashing with profit-driven goals.</p><p><strong>So What?</strong></p><p>There are some fair points in this analysis, based on traditional ways of valuing companies. Moreover, Gary makes some great points about the specific shortcomings of the platforms themselves. However, OpenAI stole a march on EVERYONE and catapulted AI from a future promise in projects like DeepMind, to government departments&#8217; top priority. I know grandparents who use ChatGPT. It&#8217;s inherently difficult to value a company at this stage of its life, as so much of the value is entrenched in its potential. I believe the valuation represents the level of investment in OpenAI and the astronomical disruption they&#8217;ve caused to the software market. The question for me, is whether OpenAI can continue to innovate and retain their &#8216;lead&#8217;, with everyone else playing catch-up.</p></blockquote><div><hr></div><p><a href="https://www.cisa.gov/sites/default/files/2023-10/CISA_AASB_Security_Planning_Workbook_508_Compliant_20230929.pdf">Security Planning Workbook</a> by CISA</p><blockquote><p>The Security Planning Workbook is a comprehensive resource that can assist critical infrastructure owners and operators with the development of a foundational security plan. 
The workbook is designed to be flexible and scalable to suit the needs of most facilities.</p><p>It is intended for individuals involved with an organisation&#8217;s security planning efforts, including individuals or groups with varying degrees of security expertise, charged with the safety and security of facilities and people. This product also provides descriptions of critical elements of security planning information, offers a multitude of resources, and includes fillable fields to guide a stakeholder&#8217;s planning efforts.&nbsp;</p><p><strong>So What?</strong></p><p>This is a great resource for SME organisations or people new in-role taking stock.</p></blockquote><div><hr></div><p><a href="https://ruler-project.github.io/ruler-project/">The RULER Project</a> by Phill Moore</p><blockquote><p>The RULER project is an initiative aimed at enhancing forensic investigations through the detailed study of application logs. It highlights the challenge of understanding logs from different applications and seeks to provide a structured approach to identify crucial forensic information. The project primarily compiles data from various sources, crediting those who have contributed significantly to this field.</p><p>The project does not focus on recommending what should be logged; instead, it emphasises understanding what is typically logged by default. The project currently concentrates on endpoint information relevant to investigations but is open to expanding into other log categories.</p><p>The roadmap for RULER includes incorporating a wider range of logs such as mail and web server logs, storing data in formats like YAML or databases for tool integration, and contributing to the DFIR Artefact museum.</p><p><strong>So What?</strong></p><p>This is a useful resource for Red and Blue teams. 
The description of what it is and how it works is a bit vague, but essentially, it&#8217;s a list of things relating to software internals for EDR and other interesting tools.</p></blockquote><div><hr></div><p><a href="https://www.bleepingcomputer.com/news/security/cybersecurity-firm-executive-pleads-guilty-to-hacking-hospitals/">Cybersecurity firm executive pleads guilty to hacking hospitals</a> by Sergiu Gatlan</p><blockquote><p>The article reports on Vikas Singla, the former chief operating officer of Securolytics, pleading guilty to hacking two Gwinnett Medical Center (GMC) hospitals in 2021. The attacks occurred in September 2018, targeting GMC Northside Hospital in Duluth and Lawrenceville. Singla disrupted phone and printer services and stole patient data from a mammogram machine's digitising device. He also printed stolen patient information and threatening messages in Duluth's GMC hospital. These actions were part of a strategy to boost Securolytics' business, with Singla promoting the hack on Twitter and the company mentioning it in client outreach.</p><p>The cyberattacks caused over $817,000 in damages. Singla has agreed to pay this amount as restitution. Despite facing 17 counts of intentional computer damage and one count of obtaining information, prosecutors recommend a 57-month probation sentence due to his serious health conditions. Sentencing is scheduled for February 15, 2024.</p><p><strong>So What?</strong></p><p>Yikes! 
There&#8217;s not much to say about this, other than the profile of cyber-related insider vectors increasing within the media.</p></blockquote><div><hr></div><p><a href="https://github.com/communitysec/sbom-hall-of-fame">SBOM Hall of Fame</a> by communitysec</p><blockquote><p>This GitHub repo seeks to highlight organisations that are doing SBOMs &#8216;right&#8217; (in contributors&#8217; prevailing views), giving praise to those working hard on the challenges and providing learning to others about their success.</p><p><strong>So What?</strong></p><p>Echooo, echooo! I&#8217;m in two minds about this sort of effort. On one hand, I like that they&#8217;re celebrating success and signposting what good looks like. Conversely, who made these folks (or whoever contributes) arbiters of SBOM implementation, and will this yield enough detail to be useful? I guess we&#8217;ll find out if anyone ever adds an organisation to the table.</p></blockquote><div><hr></div>]]></content:encoded></item><item><title><![CDATA[Briefly Briefed: Newsletter #12 (22/11/23)]]></title><description><![CDATA[Don&#8217;t panic.]]></description><link>https://www.munrobotic.com/p/briefly-briefed-newsletter-12-221123</link><guid isPermaLink="false">https://www.munrobotic.com/p/briefly-briefed-newsletter-12-221123</guid><dc:creator><![CDATA[Lawrence Munro]]></dc:creator><pubDate>Wed, 22 Nov 2023 10:21:33 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/4ba7efa2-a2f5-41e6-85bc-b27fc7c97c29_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Don&#8217;t panic.</p><p>This is week #12 of the &#8216;Briefly Briefed:&#8217; newsletter. A big welcome to new subscribers, and many thanks to those who continue to read. I&#8217;ve shifted the weekly release to a day earlier. This is to avoid some cross-over with other newsletters and to experiment with a good time to hit your inboxes. Please let me know if this doesn&#8217;t work.</p><p>My &#8216;if you only read two&#8217; recommendations for the week are:</p><ul><li><p>The OpenAI / Sam Altman saga (see below).</p></li><li><p><a href="https://www.csoonline.com/article/1248125/ransomware-gang-files-sec-complaint-against-company-that-refused-to-negotiate.html">Ransomware gang files SEC complaint against company that refused to negotiate</a> by CSO Online. 
</p></li></ul><p>So long, and thanks for all the fish.</p><p>Lawrence</p><p><strong>Meme of the Week:</strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!UGsx!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F68f7c1e8-48a9-4cc8-987a-e15979834f6d_720x720.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!UGsx!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F68f7c1e8-48a9-4cc8-987a-e15979834f6d_720x720.png 424w, https://substackcdn.com/image/fetch/$s_!UGsx!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F68f7c1e8-48a9-4cc8-987a-e15979834f6d_720x720.png 848w, https://substackcdn.com/image/fetch/$s_!UGsx!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F68f7c1e8-48a9-4cc8-987a-e15979834f6d_720x720.png 1272w, https://substackcdn.com/image/fetch/$s_!UGsx!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F68f7c1e8-48a9-4cc8-987a-e15979834f6d_720x720.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!UGsx!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F68f7c1e8-48a9-4cc8-987a-e15979834f6d_720x720.png" width="434" height="434" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/68f7c1e8-48a9-4cc8-987a-e15979834f6d_720x720.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:720,&quot;width&quot;:720,&quot;resizeWidth&quot;:434,&quot;bytes&quot;:185506,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!UGsx!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F68f7c1e8-48a9-4cc8-987a-e15979834f6d_720x720.png 424w, https://substackcdn.com/image/fetch/$s_!UGsx!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F68f7c1e8-48a9-4cc8-987a-e15979834f6d_720x720.png 848w, https://substackcdn.com/image/fetch/$s_!UGsx!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F68f7c1e8-48a9-4cc8-987a-e15979834f6d_720x720.png 1272w, https://substackcdn.com/image/fetch/$s_!UGsx!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F68f7c1e8-48a9-4cc8-987a-e15979834f6d_720x720.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><div><hr></div><p><a href="https://www.theguardian.com/technology/2023/nov/17/openai-ceo-sam-altman-fired">OpenAI fires co-founder and CEO Sam Altman for allegedly lying to company board</a> by Blake Montgomery and Dani Anguiano</p><blockquote><p>This was the big story of last week (and the weekend, and this week). 
I&#8217;ve been following closely and have compiled a quick timeline (the dates are UK time zone) for reference.</p><ul><li><p>17/11 &#8211; <a href="https://www.theguardian.com/technology/2023/nov/17/openai-ceo-sam-altman-fired">The media report that Sam Altman has been fired</a> by the board of OpenAI, accused of &#8220;being not consistently candid in his communications.&#8221; Greg Brockman (co-founder) is removed from the board but keeps his role in the company as President (although he subsequently resigned). CTO Mira Murati is named interim CEO.</p></li><li><p>17/11 &#8211; Theories about why this happened <a href="https://techcrunch.com/2023/11/17/wtf-is-going-on-at-openai-sam-altman-fired/">flood the Internet</a>.</p></li><li><p>18/11 &#8211; <a href="https://www.forbes.com/sites/alexkonrad/2023/11/18/openai-investors-scramble-to-reinstate-sam-altman-as-ceo/">Investors scramble to try and reinstate Altman</a>, with the board seemingly agreeing to <a href="https://www.theverge.com/2023/11/18/23967199/breaking-openai-board-in-discussions-with-sam-altman-to-return-as-ceo">take him back</a> and potentially resigning themselves.</p></li><li><p>20/11 &#8211; <a href="https://www.theverge.com/2023/11/20/23968829/microsoft-hires-sam-altman-greg-brockman-employees-openai">Altman and Brockman are announced (by Satya Nadella) as joining Microsoft</a>, to lead Microsoft&#8217;s new advanced AI research team.</p></li><li><p>20/11 &#8211; <a href="https://www.reuters.com/technology/openai-execs-invite-altman-brockman-headquarters-sunday-the-information-2023-11-19/">Murati is out (of the interim CEO role) and Emmett Shear is in (ex-CEO of Twitch).</a></p></li><li><p>20/11 &#8211; <a href="https://www.bbc.co.uk/news/business-67470876">OpenAI staff demand the OpenAI board resign after sacking of Altman</a>. 
They claim Microsoft has assured them that there are jobs for all OpenAI staff if they want to join the company.</p></li><li><p>20/11 &#8211; Altman may still believe that <a href="https://www.theverge.com/2023/11/20/23969586/sam-altman-plotting-return-open-ai-microsoft">the door may re-open at OpenAI</a>.</p></li><li><p>21/11 &#8211; Microsoft CEO <a href="https://www.businessinsider.com/openai-turmoil-sam-altman-will-be-in-charge-no-matter-what-2023-11">Satya Nadella dodges the question of whether Altman will return to OpenAI, but states that, ostensibly, Sam Altman will be running the show</a>.</p></li><li><p>22/11 &#8211; <a href="https://x.com/OpenAI/status/1727206187077370115?s=20">OpenAI rehires Sam Altman as CEO</a>. A new &#8216;initial&#8217; board of Bret Taylor (Chair), Larry Summers, and Adam D&#8217;Angelo has been instated.</p></li></ul><p><strong>So What?</strong></p><p>The situation is pretty crazy; it&#8217;s quite shocking to see how unstable OpenAI was, and the apparent naivety of the board. I don&#8217;t believe the drama is over yet; keep the popcorn ready. The situation has raised some interesting questions on the governance structure of OpenAI. The board's power stemmed from bylaws established in 2016, which allowed board members to elect and remove directors without formal meetings. The reason behind the &#8216;ousting&#8217; is still unclear, although the Internet is awash with theories. I think the most likely root cause is a rift in ethos between Sam and the board. As of this morning (22/11), Sam is back, with a new board to boot. Do we all just act like nothing happened now? Will Emmett Shear include this role on his LinkedIn profile? 
Let&#8217;s see.</p></blockquote><div><hr></div><p><a href="https://web.archive.org/web/20231120192339/https://www.economist.com/science-and-technology/2023/11/15/new-ways-to-pay-for-research-could-boost-scientific-progress">New ways to pay for research could boost scientific progress</a> by The Economist</p><blockquote><p>The article explains how alternative funding methods for scientific research could invigorate progress in the field. It posits that the current system, dominated by grants, may stifle innovation and is increasingly competitive, making it difficult for researchers to secure funding. The piece explores several new approaches, such as the 'golden ticket' method allowing for backing unorthodox ideas, and a lottery system for grant allocation, currently being trialled in various countries. Other suggestions include establishing new research institutions and adopting models like the DARPA approach, which has been influential in various research fields. The article also highlights the success of the Howard Hughes Medical Institute, which funds individuals for long-term research, encouraging more risk-taking and potentially leading to ground-breaking discoveries.</p><p><strong>So What?</strong></p><p>I have a number of friends who are academics. They spend an inordinate amount of time applying for grants and various stages of funding, rather than focusing on research. In an extreme case, a close friend (a Professor of Neuroscience at UCL) spent a year as a project manager overseeing the installation of an MRI scanner. This meant he had little time to spend on key research. It&#8217;s great to see efforts to change the model and boost research outputs through streamlining processes. In order to move quickly, researchers must not be over-burdened by other tasks. The <a href="https://www.diana.nato.int/">DIANA accelerator</a> is a great example (with elements of Cyber focus) of an effort tackling this problem, led by NATO. 
</p><p>If you&#8217;re interested in this topic, you may find the following papers on the subject interesting:</p><ol><li><p><strong>"Are Ideas Getting Harder to Find?" (2020) by Nicholas Bloom, Charles I. Jones, John Van Reenen, and Michael Webb</strong></p><ul><li><p><strong>Published in:</strong> American Economic Review, April 2020, Volume 110, Issue 4, Pages 1104-44</p></li><li><p><strong>Abstract:</strong> The paper discusses the concept of diminishing returns in scientific progress, examining whether the effort required to generate new ideas and knowledge is increasing.</p></li></ul></li><li><p><strong>"Scientific Grant Funding" (2022) by Pierre Azoulay and Danielle Li</strong></p><ul><li><p><strong>Published in:</strong> "Innovation and Public Policy"</p></li><li><p><strong>Abstract:</strong> This chapter discusses grant funding in early-stage, exploratory science, focusing on the design of grant programmes, peer review processes, and incentives for risk-taking.</p></li></ul></li><li><p><strong>"Scientific prizes and the extraordinary growth of scientific topics" (2021) by Ching Jin, Yifang Ma, and Brian Uzzi</strong></p><ul><li><p><strong>Published in:</strong> Nature Communications, October 5, 2021</p></li><li><p><strong>Abstract:</strong> The study examines the impact of scientific prizes on the growth of scientific topics, finding that prizewinning topics produce more papers and citations, retain more scientists, and attract more new entrants and star scientists than non-prizewinning topics.</p></li></ul></li><li><p><strong>"Incentives and Creativity: Evidence from the Academic Life Sciences" by Pierre Azoulay, Joshua S. Graff Zivin, and Gustavo Manso</strong></p><ul><li><p><strong>Published in:</strong> National Bureau of Economic Research (working paper; later in the RAND Journal of Economics, 2011)</p></li><li><p><strong>Abstract:</strong> This paper explores the impact of different funding streams within the academic life sciences on scientific creativity, particularly comparing the careers of investigators from the Howard Hughes Medical Institute (HHMI) and grantees from the National Institutes of Health (NIH).</p></li></ul></li><li><p><strong>Papers by Kyle Myers:</strong></p><ul><li><p><strong>"Estimating Spillovers from Publicly Funded R&amp;D: Evidence from the US Department of Energy" (with Lauren Lanahan)</strong></p><ul><li><p><strong>Abstract:</strong> The paper quantifies R&amp;D spillovers from grants to small firms by the US Department of Energy, highlighting the broader impact of these grants beyond direct recipients.</p></li></ul></li><li><p><strong>"The Elasticity of Science"</strong></p><ul><li><p><strong>Abstract:</strong> This paper investigates the extent to which scientists are willing to change the direction of their work in response to targeted funding opportunities, emphasising the large switching costs of science.</p></li></ul></li></ul></li><li><p><strong>"Unblock research bottlenecks with non-profit start-ups" by Adam Marblestone and colleagues</strong></p><ul><li><p><strong>Published in:</strong> Nature</p></li><li><p><strong>Overview:</strong> This work discusses the concept of Focused Research Organisations (FROs) and their potential to address research bottlenecks in science.</p></li></ul></li></ol></blockquote><div><hr></div><p><a href="https://www.wired.com/story/signal-operating-costs/">Running Signal Will Soon Cost $50 Million a Year</a> by Andy Greenberg</p><blockquote><p>The article explains the financial challenges facing Signal, an encrypted messaging app, operating as a non-profit. Signal's president, Meredith Whittaker, has disclosed its operating costs to demonstrate the contrast with for-profit surveillance business models. Signal's costs are around $40 million this year and expected to rise to $50 million by 2025. Main expenses include infrastructure and staff salaries for about 50 employees. 
Initially funded by the US government's Open Technology Fund, Signal now depends on donations. While small in-app donations have grown, substantial increases are necessary for Signal's sustainability. Charging users isn't an option, as Signal strives to offer private communication free from the pressures typical in for-profit tech firms.</p><p><strong>So What?</strong></p><p>I&#8217;m a big fan of Signal. It occupies an important place in the world of digital privacy, as one of the few vendors with high levels of security combined with a clear code of privacy-focused ethics. It&#8217;s worth considering funding this project, if you&#8217;re a user of the platform.</p></blockquote><div><hr></div><p><a href="https://blog.research.google/2023/11/responsible-ai-at-google-research_16.html">Responsible AI at Google Research: Adversarial testing for generative AI safety</a> by Kathy Meier-Hellstern</p><blockquote><p>The post explains Google Research's approach to ensuring the responsible use of AI, specifically in the realm of generative AI (GenAI). The Responsible AI and Human-Centered Technology (RAI-HCT) team, along with the BRAIDS (Building Responsible AI Data and Solutions) team, is focusing on integrating responsible AI practices into GenAI applications. This involves a comprehensive risk assessment, internal governance, and the development of tools to identify and mitigate ethical risks. A key part of this strategy is adversarial testing, which tests AI models against a range of potentially harmful inputs to understand and address safety concerns. This includes scaled adversarial data generation, automated test set evaluation, and community engagement to identify unforeseen risks, as well as emphasising rater diversity to ensure evaluations consider a wide range of human perspectives. 
This approach is crucial for managing the transformative but potentially risky nature of GenAI, ensuring it remains inclusive and safe for diverse user communities.</p><p><strong>So What?</strong></p><p>There are some really useful tools in these projects. If you&#8217;re involved in the organisation of development efforts for GenAI, the frameworks will provide some good support.</p></blockquote><div><hr></div><p><a href="https://www.cyentia.com/wp-content/uploads/2023/11/CyentiaATTACK.pdf">Multi-source analysis of Top MITRE ATT&amp;CK Techniques</a> by Cyentia Institute</p><blockquote><p>In a recent meta-study that analysed 22 Cyber threat reports, Cyentia Institute and Tidal Cyber examined the breadth of visibility and reporting across the MITRE ATT&amp;CK matrix. They used ATT&amp;CK version 12.1 for the study, which defines a total of 193 techniques.</p><p>The sources they analysed reported sightings of only 124 (64%) ATT&amp;CK techniques. Over one-third (36%, or 69 of the 193) were not reported by any of the 22 sources reviewed. Just over half (52%) of ATT&amp;CK techniques were seen by three or more sources, and less than a quarter (23%) were reported by at least five sources.</p><p><strong>So What?</strong></p><p>This demonstrates that visibility varies widely across different sources - and why it's important to draw from multiple reporting sources to achieve broad coverage of TTPs in Cyber Threat Intelligence. Moreover, it stresses the importance of prioritisation in Detection Engineering, as 36% of techniques weren&#8217;t cited in any of the 22 sample reports. I can think of lots of use cases where these data are applicable.</p></blockquote><div><hr></div><p><a href="https://www.lab539.com/blog/applying-context-to-control-adversaries-part1">Applying Context to Control Adversaries (Part 1)</a> by John Fitzpatrick</p><blockquote><p>The article explains the importance of a context-centric approach in cybersecurity. 
It argues that traditional threat-centric strategies are insufficient, as they often involve playing catch-up with evolving adversarial tradecraft. The post presents a model for tailored cyber defence, combining general, threat-informed, and context-centric approaches, and posits that the key is to understand how adversaries are likely to apply their tactics in a specific environment. The context-centric approach aims to dictate how adversaries must operate within a given environment, effectively putting defenders in control. Merely improving existing strategies is not enough; a tailored cyber defence that takes into account the unique aspects of each environment is crucial for effective security.</p><p><strong>So What?</strong></p><p>I agree with John&#8217;s point in this post, and I think the proposed model is interesting. It&#8217;s common that we lack important context in Cybersecurity. Often, this is because it&#8217;s hard to define, or the tools/frameworks we use lack orientation to our environments. </p><p>A good example of where this problem occurs is CVSS as a vulnerability descriptor. Organisations (and vendors) often prioritise based on the &#8216;base score&#8217; calculation. This lacks contextual information about the environment, and data pertaining to observations of exploitation in the wild. The impact is that effort is misspent remediating issues that are lower risk. </p><p>In order to make the types of models [John presents] viable, there is a need to scale processing, application of metadata and analysis (i.e. you need to automate the automatable). The reason that inferior (or sometimes counterproductive) models become popular is their ease of use and availability. 
If you spend more time modelling than you would have done just working in series on a full dataset, what&#8217;s the point?</p></blockquote><div><hr></div><p><a href="https://campbell.scot/pim-common-microsoft-365-security-mistakes-series/">Privileged Identity Management (PIM) &#8211; Common Microsoft 365 Security Mistakes Series</a> by Ru Campbell</p><blockquote><p>The article discusses common security mistakes in using Microsoft 365's Privileged Identity Management (PIM). It highlights the role of PIM in controlling and monitoring access to critical resources in Microsoft 365 environments, and the need to configure and manage it properly: a neglected or misconfigured PIM deployment leaves unnecessary exposure to potential breaches. The post covers the following five common mistakes:</p><ul><li><p>&#8216;Require Azure MFA&#8217; probably isn&#8217;t giving you the security you think it is</p></li><li><p>Not using authentication context</p></li><li><p>Not appropriately requiring approval to activate</p></li><li><p>No mitigation against role lockouts</p></li><li><p>Not protecting non-Entra or non-Azure resources with PIM for Groups</p></li></ul><p>The first two mistakes are related: a PIM &#8216;require MFA&#8217; activation requirement is met by any MFA claim already present in the user&#8217;s session, so on its own it neither forces a fresh prompt at activation nor restricts the method to a phishing-resistant one. Tying activation to an authentication context, enforced by a Conditional Access policy, is what gives you that control.</p><p><strong>So What?</strong></p><p>This is a useful resource for those engaged in securing M365 environments. </p></blockquote><div><hr></div><p><a href="https://www.cisecurity.org/insights/blog/3-ways-weve-made-the-cis-controls-more-automation-friendly">3 Ways We&#8217;ve Made the CIS Controls More Automation-Friendly</a> by the &#8216;Center for Internet Security&#8217; (CIS)</p><blockquote><p>The article discusses updates to the CIS Critical Security Controls to enhance their compatibility with automation in compliance efforts. 
The Center [sic] for Internet Security has made three changes: removing the "Intersects With" relationship to reduce ambiguity, emphasising shared efforts in control implementation, and adding a page of unmapped CIS safeguards. These updates aim to simplify compliance by making it easier for machines to understand and process the data. The goal is to move away from manual comparisons of frameworks towards an automated future, making compliance more efficient and less labour-intensive.</p><p><strong>So What?</strong></p><p>Welcome to the 21st Century, CIS! It&#8217;s great to see CIS support the &#8216;how&#8217; as well as the &#8216;what&#8217;. CIS controls and benchmarks have been a staple of the technical security community for a long time. Historically, we&#8217;ve relied upon vendors or open source projects to operationalise the outputs. I hope that this marks a step-change in their approach, and that we see more efforts from CIS in this direction. </p></blockquote><div><hr></div><p><a href="https://www.csoonline.com/article/1248125/ransomware-gang-files-sec-complaint-against-company-that-refused-to-negotiate.html">Ransomware gang files SEC complaint against company that refused to negotiate</a> by CSO Online</p><blockquote><p>The BlackCat ransomware gang is exploiting new US Securities and Exchange Commission (SEC) rules by filing complaints against companies that refuse to pay ransoms. The group filed a complaint against MeridianLink, alleging failure to disclose a significant breach. This tactic leverages upcoming SEC regulations requiring companies to report material cybersecurity incidents within four business days of determining that an incident is material. The case raises questions about the new rules' effectiveness in combating cybercrime and their potential misuse by ransomware gangs. 
This development signals a new phase in cyber extortion, emphasising the need for robust cybersecurity defences beyond mere compliance.</p><p><strong>So What?</strong></p><p>The cheek, the nerve, the gall, the audacity and the gumption!</p><p>This is a big lesson to governments, regulators and commercial organisations regarding <a href="https://x.com/thegrugq/status/864023197145944064?s=20">threat models</a>. A number of nation states are currently planning to <a href="https://www.cybersecuritydive.com/news/countries-pledge-not-pay-ransoms/698890/">ban paying ransoms in ransomware scenarios</a>. This shows the levels of creativity of cybercriminals, who&#8217;ve made vast sums via this vector. They&#8217;re not going to let it go without a fight. That said, the SEC were probably quite pleased by this outcome!</p></blockquote><div><hr></div><p><a href="https://microsoft.github.io/generative-ai-for-beginners/">A 12 Lesson course teaching everything you need to know to start building Generative AI applications </a>by Microsoft</p><blockquote><p>The training supports learning the fundamentals of building Generative AI applications. Each lesson covers a key aspect of Generative AI principles and application development. Throughout this course you build your own Generative AI start-up, so you can get an understanding of what it takes to launch your ideas.</p><p><strong>So What?</strong></p><p>I did a couple of the training courses within this already, and it&#8217;s really well constructed. Nice job!</p></blockquote><div><hr></div><p><a href="https://github.com/imartinez/privateGPT">PrivateGPT: A Production-Ready AI Project for Offline Use</a> by Iv&#225;n Mart&#237;nez</p><blockquote><p>PrivateGPT is an AI project designed for querying documents privately using Large Language Models (LLMs), functioning entirely offline. It offers an API for building private, context-aware AI applications, extending the OpenAI API standard. 
The API has two parts: a high-level API simplifying document ingestion and chat completions, and a low-level API for advanced users to create complex pipelines. PrivateGPT also provides a Gradio UI client and various tools for usability. This project caters to privacy concerns in industries like healthcare and legal, offering an offline solution for using LLMs while maintaining data control.</p><p><strong>So What?</strong></p><p>I&#8217;ve been waiting for a well-maintained open source private alternative to the various commercial options. Here it is. I can&#8217;t attest to the efficacy of the claims (as to privacy, safety etc.), but from initial experiments, this looks pretty good. </p></blockquote><div><hr></div><p><a href="https://www.infosecurity-magazine.com/news/ncsc-standard-indicators-of/">UK's National Cyber Security Centre Submits First RFC to IETF</a> by Phil Muncaster</p><blockquote><p>The UK's National Cyber Security Centre (NCSC) has authored its first Request for Comments (RFC), now published by the Internet Engineering Task Force (IETF), on indicators of compromise (IoCs). <a href="https://www.rfc-editor.org/info/rfc9424">RFC 9424</a>, the result of three years of collaboration with industry experts, aims to provide a comprehensive reference for IoCs, detailing their lifecycle and their use in cyber defence. It includes real examples and discusses the 'pyramid of pain', which ranks IoC types by how hard they are for an attacker to change in order to evade detection (file hashes sit at the bottom, being trivial to alter; tools and TTPs sit at the top). This initiative highlights the importance of involving cybersecurity experts in the design and development of internet standards.</p><p><strong>So What?</strong></p><p>It&#8217;s nice to see an attempt to standardise IoCs. Kudos to those involved. 
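</p><p>As an added illustration of that pyramid (example code written for this edit, not taken from the post, the RFC or NCSC), here is a small Python matcher that runs a handful of indicators over constructed log lines and sorts the hits by pyramid level, so a behaviour (TTP) or artifact match is reviewed before a hash match. The indicator values, feed names and log lines are all constructed for the example; the level numbering follows David Bianco's pyramid of pain, which the RFC references.</p>

```python
"""Match indicators of compromise (IoCs) against log lines and rank hits
by pyramid-of-pain level, so the matches an attacker would find hardest
to evade are reviewed first. Added example; sample data is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Pyramid-of-pain levels (David Bianco's model, referenced by RFC 9424).
# Higher values are harder for an attacker to change: a hash is trivial to
# alter, while abandoning a tool or a technique costs real effort.
PAIN_LEVEL = {
    "hash": 1,       # file hash, rotated by recompiling or padding
    "ip": 2,         # IP address
    "domain": 3,     # domain name, including its subdomains
    "artifact": 4,   # host/network artifact, e.g. a User-Agent or file path
    "tool": 5,       # a tool's fingerprint, e.g. a distinctive command line
    "ttp": 6,        # a behaviour, e.g. Office spawning a LOLBin
}

_HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b")
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


@dataclass(frozen=True)
class Ioc:
    kind: str    # one of PAIN_LEVEL's keys
    value: str   # literal for hash/ip/domain, regex for artifact/tool/ttp
    source: str  # feed or report the indicator came from (constructed names)


@dataclass(frozen=True)
class Hit:
    ioc: Ioc
    line_no: int
    line: str

    @property
    def pain(self) -> int:
        return PAIN_LEVEL[self.ioc.kind]


def match_line(ioc: Ioc, line: str) -> bool:
    """True if the indicator appears in the log line."""
    low = line.lower()
    if ioc.kind == "hash":
        # compare whole hex tokens, so a hash prefix never matches
        return ioc.value.lower() in _HASH_RE.findall(low)
    if ioc.kind == "ip":
        return ioc.value in _IPV4_RE.findall(line)
    if ioc.kind == "domain":
        # the domain itself or any subdomain, never a bare suffix match
        d = ioc.value.lower()
        return any(h == d or h.endswith("." + d) for h in _HOST_RE.findall(low))
    # artifact / tool / ttp indicators are regular expressions over the line
    return re.search(ioc.value, line, re.IGNORECASE) is not None


def scan(iocs: list[Ioc], lines: list[str]) -> list[Hit]:
    """Run every indicator over every line; highest pain first, then line order."""
    hits = [Hit(ioc, n, line)
            for n, line in enumerate(lines, 1)
            for ioc in iocs if match_line(ioc, line)]
    return sorted(hits, key=lambda h: (-h.pain, h.line_no))


# Constructed sample indicators and logs (not real indicators, not real logs).
SAMPLE_IOCS = [
    Ioc("hash", "7B8A5C1E0D3F2A9B4C6D8E0F1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F9A0B", "feed-a"),
    Ioc("ip", "198.51.100.7", "feed-a"),
    Ioc("domain", "evil-cdn.example.net", "feed-b"),
    Ioc("artifact", r"compatible; MSIE 6\.0", "report-1"),
    Ioc("ttp", r"proc=rundll32\.exe .*parent=winword\.exe", "report-1"),
]

SAMPLE_LOGS = [
    "2023-11-20T09:12:01Z dns host=ws-17 qname=update.evil-cdn.example.net rcode=NOERROR",
    "2023-11-20T09:12:03Z proxy src=10.0.4.17 dst=198.51.100.7:443 ua='Mozilla/5.0 (compatible; MSIE 6.0)' bytes=88213",
    "2023-11-20T09:12:40Z edr host=ws-17 file=C:\\Users\\Public\\svc.exe sha256=7b8a5c1e0d3f2a9b4c6d8e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b",
    "2023-11-20T09:13:05Z edr host=ws-17 proc=rundll32.exe cmdline='rundll32.exe c:\\users\\public\\x.dll,Start' parent=winword.exe",
    "2023-11-20T09:14:00Z dns host=ws-22 qname=www.example.org rcode=NOERROR",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_IOCS, SAMPLE_LOGS):
        print(f"pain={h.pain} {h.ioc.kind:<8} {h.ioc.source:<9} line {h.line_no}: {h.line[:60]}")
```

<p>Run it directly to print the ranked hits. The design choice worth noting is that hash and domain indicators are compared as whole tokens (a hash prefix never matches, and a domain matches only itself and its subdomains), while artifact, tool and TTP indicators are regular expressions, because those sit at the levels of the pyramid where a literal string comparison is rarely enough.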
</p></blockquote><div><hr></div><p><a href="https://www.nist.gov/itl/ai-risk-management-framework/ai-rmf-development">NIST AI Risk Management Framework Development</a></p><blockquote><p>NIST, in partnership with the private and public sectors, has created the AI Risk Management Framework (AI RMF) to address risks associated with artificial intelligence (AI). Launched on January 26, 2023, the AI RMF is designed for voluntary use, aiming to enhance trustworthiness in AI design, development, usage, and evaluation. The development process was consensus-driven, open, and collaborative, involving public input, drafts, and workshops. The framework is aligned with other AI risk management efforts, and NIST has released a companion AI RMF Playbook.</p><p><strong>So What?</strong></p><p>I&#8217;m not sure how I missed the launch of this framework (back in Jan), but it&#8217;s a pretty useful reference if you&#8217;re engaged in policymaking for AI.</p></blockquote><div><hr></div><p>Thanks for reading &#8216;Briefly Briefed:&#8217; - to receive the newsletter weekly, please <a href="https://www.munrobotic.com/subscribe">subscribe</a>.</p>]]></content:encoded></item><item><title><![CDATA[Briefly Briefed: Newsletter #11 (16/11/23)]]></title><description><![CDATA[First, there was darkness.]]></description><link>https://www.munrobotic.com/p/briefly-briefed-newsletter-11-161123</link><guid isPermaLink="false">https://www.munrobotic.com/p/briefly-briefed-newsletter-11-161123</guid><dc:creator><![CDATA[Lawrence Munro]]></dc:creator><pubDate>Thu, 16 Nov 2023 10:25:36 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/4bfdbb81-4735-4253-90b8-b81c9f08189b_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>First, there was darkness. Then came the strangers.</p><p>This is week #11 of the &#8216;Briefly Briefed:&#8217; newsletter. A big welcome to new subscribers, and many thanks to those who continue to read. 
This week&#8217;s edition is quite &#8216;news heavy&#8217;, as there have been a lot of interesting happenings in the Cyberverse!</p><p>My &#8216;if you only read two&#8217; recommendations for the week are:</p><ul><li><p><a href="https://www.wired.com/story/mirai-untold-story-three-young-hackers-web-killing-monster/">The Mirai Confessions</a> by Andy Greenberg.</p></li><li><p><a href="https://coveryourtracks.eff.org/">Cover Your Tracks</a>, a project of the Electronic Frontier Foundation.</p></li></ul><p>Until our paths cross again in this ever-changing city of life.</p><p>Lawrence</p><p><strong>Meme of the Week:</strong></p><figure><img src="https://substack-post-media.s3.amazonaws.com/public/images/ee85888c-d90c-4147-863b-6994fccf46bc_612x642.png" width="338" height="355" alt=""></figure><div><hr></div><p><a href="https://www.wired.com/story/mirai-untold-story-three-young-hackers-web-killing-monster/">The Mirai Confessions: Three Young Hackers Who Built a Web-Killing Monster Finally Tell Their Story</a> by Andy Greenberg</p><blockquote><p>The article narrates the tale of Josiah White, Dalton Norman, and Paras Jha, three young hackers responsible for 
creating the Mirai botnet. The botnet, born from their &#8216;passion for computers and hacking&#8217;, led to a major internet outage in 2016, impacting significant websites like The New York Times and Twitter. The post traces their journey from enthusiastic explorations in cybercrime to the development of Mirai, highlighting the far-reaching implications of their actions. It culminates in their losing control of Mirai and their eventual cooperation with the FBI. The article underscores the thin line between &#8216;youthful curiosity&#8217; and serious legal consequences.</p><p><strong>So What?</strong></p><p>I found this article really interesting. Normally, I don&#8217;t find all the backstories about hackers that interesting; I&#8217;m more intrigued by the logistics of the hack. However, this is fascinating, and gives some great insights into what happened at the time. It&#8217;s quite a long read, but possibly worth 15 minutes of your time to understand Mirai folklore.</p></blockquote><div><hr></div><p><a href="https://www.reuters.com/technology/cybersecurity/market-inside-wall-streets-scramble-after-icbc-hack-2023-11-13/">Inside Wall Street's scramble after ICBC hack</a> by Paritosh Bansal</p><blockquote><p>The cyber attack on the Industrial and Commercial Bank of China's (ICBC) U.S. broker-dealer arm was a significant event, highlighting vulnerabilities in the financial sector. The attack was so severe that it caused a complete blackout of the corporate email system, leading employees to switch to Google mail. This incident put the brokerage's resources under strain, as it temporarily owed BNY Mellon a staggering $9 billion, far exceeding its net capital. ICBC Financial Services, the New York-based unit of ICBC, received a cash injection from its parent company to cover the shortfall and manually processed trades with the assistance of BNY Mellon. ICBC collaborated with cybersecurity firm MoxFive to establish secure systems to resume normal business operations. 
However, the recovery process was expected to take several days. During this period, ICBC asked its clients to temporarily suspend business and clear trades elsewhere, causing other market participants to reassess their exposure and reroute trades.</p><p><strong>So What?</strong></p><p>Yikes! I don&#8217;t normally dabble in TI in the newsletter too much, as this is better covered by other newsletters (thanks <a href="https://ctoatncsc.substack.com/">Ollie</a>) or commercial sources. However, this is quite an interesting story I was keen to highlight, especially if you work in FS.</p></blockquote><div><hr></div><p><a href="https://openai.com/blog/introducing-gpts">Introducing GPTs</a> by OpenAI</p><blockquote><p>The article introduces GPTs, a series of language models developed by OpenAI. You can now create custom versions of ChatGPT that combine instructions, extra knowledge, and any combination of skills. The article explains the evolution and capabilities of these models, highlighting their significant advancements in natural language processing and understanding. GPTs have been designed to generate coherent and contextually relevant text based on given prompts, &#8220;marking a breakthrough in AI-driven language generation.&#8221; The post details the various applications of GPTs, ranging from composing emails to creating content and even coding.</p><p><strong>So What?</strong></p><p>The introduction of GPTs is as terrifying as it is exciting. It gives individuals the ability to quickly create their own sub-versions of ChatGPT, leveraging the prompt and general capabilities of the platform. The scary part is how people are using them, and the data they&#8217;re sharing (or encouraging others to share). Within the security sphere I&#8217;ve seen (and experimented with) a few that were released this week. 
One of the most concerning was <a href="https://chat.openai.com/g/g-IjjVSZeUV-cyber-guardian">Cyber Guardian</a> (clicking this link will re-direct you to ChatGPT and add Cyber Guardian to your &#8216;My GPTs&#8217; automagically; it can be removed and doesn&#8217;t appear to do anything malicious). Cyber Guardian is an incident response assistant for SOC analysts. While I think it&#8217;s a great training aid, the way it functions encourages analysts to put live incident data into the prompts. Clearly, this isn&#8217;t a good idea, as these data are likely to contain sensitive information. Other security-related GPTs I&#8217;ve seen work in similar ways. My advice to those responsible for cybersecurity is to create a robust policy regarding AI and ML, and consider blocking public services whilst making private services (post security review and with SDL guidelines) available. This <a href="https://github.com/Contrast-Security-OSS/GenerativeAIPolicy">&#8216;Generative AI&#8217; policy from Contrast Security</a> is a great starting point.</p></blockquote><div><hr></div><p><a href="https://coveryourtracks.eff.org/">Cover Your Tracks</a>, A Project of the Electronic Frontier Foundation</p><blockquote><p>"Cover Your Tracks" is a tool developed by the Electronic Frontier Foundation that allows users to test how well their browsers protect them from tracking and fingerprinting. It gives users an insight into how online trackers view their browser, showing the most unique and identifying characteristics of their browsing tool. This service aims to educate users on the methods and technologies used for online tracking, highlighting the importance of digital privacy and the means to safeguard it.</p><p><strong>So What?</strong></p><p>This tool is really useful for individuals to see how easily tracked you are across the Internet, using just your browser. 
If you&#8217;re not already using privacy-centric browsers, like <a href="https://brave.com/">Brave</a> (Chrome-based) or <a href="https://librewolf.net/">LibreWolf</a> (Firefox-based), it&#8217;s worth considering a move.</p></blockquote><div><hr></div><p><a href="https://www.thesun.co.uk/news/24714118/bbc-reporters-terrified-bosses-staged-fake-break-in-security/">Two Female BBC Reporters Left Terrified After Bosses Staged Fake Break-In in Bid to Beef Up Office Security</a> by Julia Atherly</p><blockquote><p>The article reports on an incident where the BBC staged a fake break-in at a regional headquarters as a security test, leaving two female reporters terrified. The event occurred late at night after the reporters had finished work. An actor, hired to simulate an intruder, was discovered lurking in the underground staff car park, causing significant distress to the two women. BBC Director-General Tim Davie has promised to investigate the incident, which occurred in Nottingham. The BBC's East Midlands editor, Emma Agnew, informed the staff that no managers in England were aware of the test, and the BBC has refrained from commenting on security matters. This incident has raised concerns among staff, particularly about the allocation of resources towards such security tests rather than improving actual security measures.</p><p><strong>So What?</strong></p><p>Firstly, I must say that I am deeply sorry for including a link to The Sun. I couldn&#8217;t find another reference for this story.</p><p>This incident highlights what can go wrong during physical entry attack simulations and social engineering exercises. It&#8217;s a good reminder of the potential risks and human harms that can unintentionally manifest. There are few cited examples of these exercises going wrong in the media, but having been a social engineer myself and in the industry a long time, I can confidently say that there are a lot of near misses (putting it mildly). 
The <a href="https://arstechnica.com/information-technology/2020/01/criminal-charges-dropped-against-2-pentesters-who-broke-into-iowa-courthouse/">most famous case</a> is undoubtedly the &#8216;Coalfire&#8217; employees who found themselves in jail, following an exercise for a courthouse in the US.</p></blockquote><div><hr></div><p><a href="https://www.halborn.com/blog/post/how-to-create-a-web3-security-incident-response-plan">How to Create a Web3 Security Incident Response Plan</a> by Rob Behnke</p><blockquote><p>The article guides Web3 developers and auditors in creating a comprehensive security incident response plan for decentralised protocols. Despite robust security measures, the risk of hacks in Web3 applications, particularly in smart contracts, remains a concern. The article outlines various scenarios that qualify as security incidents, emphasising the importance of a swift response to mitigate damage. Key steps in crafting an effective response plan include identifying critical roles, setting up a 'war room' for collaboration, evaluating security threats, executing defensive security measures, and maintaining transparent communication with users. Additionally, the plan should detail the development and deployment of bug fixes and the conduct of a post-mortem analysis to improve future responses. 
The article highlights the significance of regular drills to familiarise the team with the incident response process, enhancing the overall security preparedness of Web3 projects.</p><p><strong>So What?</strong></p><p>A slightly esoteric post, but there are some useful reflections for anyone involved in creating IRPs for organisations that indulge in Web3 tech.</p></blockquote><div><hr></div><p><a href="https://www.sentinelone.com/press/sentinelone-launches-pinnacleone-strategic-advisory-group/">SentinelOne Launches PinnacleOne Strategic Advisory Group</a></p><blockquote><p>SentinelOne announced the launch of PinnacleOne, a strategic risk analysis and advisory group. Led by industry experts Chris Krebs and Alex Stamos, PinnacleOne aims to provide insights and strategies to help customers navigate the complex landscape of cyber risks and evolving technology. The group will operate as both a strategic advisory body and a think tank, offering services to understand digital threats, evaluate security postures, and develop robust security strategies. Krebs, joining as Chief Intelligence and Public Policy Officer, brings experience from his role as the inaugural director of the U.S. Department of Homeland Security&#8217;s Cybersecurity and Infrastructure Security Agency (CISA). Stamos, appointed as Chief Trust Officer, has a background as the Chief Security Officer of Facebook and Chief Information Security Officer at Yahoo. PinnacleOne represents SentinelOne&#8217;s commitment to addressing the holistic challenges of cybersecurity in a rapidly changing digital environment.</p><p><strong>So What?</strong></p><p>I wouldn&#8217;t normally highlight such a small acquisition, but I found this interesting due to the parties involved. The move demonstrates SentinelOne broadening its portfolio, mirroring other PLCs in the space (such as CrowdStrike and Palo Alto) that are becoming more holistic cybersecurity providers. 
The nuance in this acquisition is that Krebs Stamos is so small, with only eight employees and under three years in existence. I&#8217;d assume this is more about Krebs and Stamos as individuals, building a practice during their earn-out, than acquiring a footprint in the consulting space.</p></blockquote><div><hr></div><p><a href="https://arstechnica.com/security/2023/11/flipper-zero-gadget-that-doses-iphones-takes-once-esoteric-attacks-mainstream/">This tiny device is sending updated iPhones into a never-ending DoS loop</a> by Dan Goodin</p><blockquote><p>The post explains a significant security vulnerability impacting updated iPhones. Security researcher Jeroen van der Ham discovered this issue when his iPhone continuously crashed due to a series of disruptive pop-ups while travelling by train. The source of the problem was a passenger using a Flipper Zero device &#8211; a portable tool capable of various wireless communications, including RFID, NFC, Bluetooth, Wi-Fi, and standard radio signals.</p><p>Flipper Zero, launched in 2020, has become notorious for its ability to cause a Denial of Service (DoS) loop on iPhones, exploiting vulnerabilities in the Bluetooth protocol. The device employs custom firmware to generate a relentless stream of Bluetooth messages, overwhelming the iPhone's system. This vulnerability predominantly affects iPhones running iOS 17.0 and newer.</p><p><strong>So What?</strong></p><p>This is quite an interesting vulnerability, and the fact that it can&#8217;t really be prevented (at time of writing) is unfortunate. Currently, the only way to shield iOS devices from such attacks is to disable Bluetooth in the settings.</p></blockquote><div><hr></div><p><a href="https://projectblack.io/blog/a-tale-of-2-vulnerability-disclosures/">A Tale of 2 Vulnerability Disclosures</a> by Eddie Zhang</p><blockquote><p>Eddie Zhang's blog post, "A Tale of 2 Vulnerability Disclosures," recounts two very different experiences with reporting security issues. 
While assessing a client's online presence, Zhang found two exposed data storage areas (buckets) that belonged to other companies. In the first case, he reported a security issue to Monash University. They responded quickly and positively, thanking him and acknowledging his help. This experience shows how well things can go when companies are prepared for such reports.</p><p>The second experience was not as positive. The company involved did not have a clear way to report security problems. Zhang tried contacting their top executives via LinkedIn, but the response he got was dismissive. He even got blocked by one of them. Attempts to involve the media and privacy organisations didn't help.</p><p>These two stories highlight the different ways companies can handle security reports. While some respond well and work with the person who found the problem, others might ignore or dismiss such reports. This difference can affect how quickly and effectively security issues are resolved.</p><p><strong>So What?</strong></p><p>Anyone who&#8217;s tried to disclose vulnerabilities to vendors knows how frustrating this can be. The process of full disclosure does need legislative intervention before it&#8217;s going to change (IMHO). There are already efforts towards this in most developed countries. Vendors need to create pathways for notification and embed security in their development processes. This is not exactly news to anyone though.</p></blockquote><div><hr></div><p><a href="https://www.example.com/north-korea-experiments-with-ai-in-cyber-warfare">North Korea experiments with AI in cyber warfare: US official</a> by Bryson Masse</p><blockquote><p>The article reports a significant revelation by Anne Neuberger, Deputy National Security Advisor of the United States, about North Korea's escalating cyber capabilities through artificial intelligence (AI). This is a first-time public acknowledgment by a U.S. official regarding the use of AI in cyber warfare. 
North Korea, alongside other nation-states and criminal entities, is reportedly utilising AI to expedite the creation of malicious software and identify vulnerable systems. This advancement poses a heightened threat to global enterprises, given North Korea's history of impactful cyberattacks, like the Sony Pictures breach and the WannaCry ransomware incident. These AI-enhanced cyber operations not only increase the efficacy of attacks but also contribute significantly to North Korea's revenue, which is suspected of funding its missile program. The article underscores the urgency for businesses to bolster their cybersecurity strategies in response to these evolving threats.</p><p><strong>So What?</strong></p><p>More AI threats! This is not at all surprising, but it&#8217;s interesting to see this documented. We&#8217;re undoubtedly seeing the start of the arms race in offensive and defensive applications of AI.</p></blockquote><div><hr></div><p><a href="https://blog.aquasec.com/50-shades-of-vulnerabilities-uncovering-flaws-in-open-source-vulnerability-disclosures">50 Shades of Vulnerabilities: Uncovering Flaws in Open-Source Vulnerability Disclosures</a> by Aqua Nautilus researchers</p><blockquote><p>Aqua Nautilus researchers conducted a comprehensive analysis of open-source projects, revealing significant flaws in the vulnerability disclosure process. This research, involving GitHub activities and the National Vulnerability Database (NVD), highlights the early exposure of vulnerabilities, posing serious security threats. The team introduces the concept of 'Half-Day' and '0.75-Day' vulnerabilities, which lie between the traditional '0-day' and '1-day' categories, underscoring the complexity of vulnerability disclosure. These new categories emphasise the risk of attackers exploiting vulnerabilities during this interim phase. 
The researchers suggest mitigation strategies such as responsible disclosure, proactive scanning, and runtime protection to enhance open-source security.</p><p><strong>So What?</strong></p><p>More full disclosure! The study underscores the need for standardised disclosure processes and raises awareness about the gravity of early vulnerability exposure. I&#8217;m not sure I&#8217;m on board with the fractional x-Day terms though!</p></blockquote><div><hr></div><p><a href="https://hsfnotes.com/fsrandcorpcrime/2023/11/07/insights-on-outsourcing-and-other-lessons-from-a-data-breach/">Insights on outsourcing and other lessons from a data breach &#8211; the UK FCA perspective</a> by Herbert Smith Freehills (a UK law firm)</p><blockquote><p>On 13 October 2023, the UK Financial Conduct Authority (FCA) published a Final Notice to Equifax Limited, fining the firm over &#163;11 million for the 2017 data breach affecting over 13.7 million UK consumers. The FCA found Equifax in breach of several Principles for Businesses, emphasising the need for rigorous oversight in intra-group outsourcing and effective risk management.</p><p><strong>So What?</strong></p><p>The case highlights the necessity of proper software maintenance, prompt incident notification, and accurate customer communication. Additionally, the regulatory landscape has evolved since the breach, with a focus on operational resilience, individual accountability, and customer protection. This incident underscores the importance of firms maintaining data security and complying with evolving regulatory expectations.</p></blockquote><div><hr></div><p><a href="https://neo23x0.github.io/LOLSecIssues/">LOLSecIssues</a> by Florian Roth</p><blockquote><p>Cybersecurity's lighter side: a collection of the most amusing misunderstandings and missteps from newcomers to offensive security tools. 
A repository where naivet&#233; in infosec is met with humour.</p><p><strong>So What?</strong></p><p>I&#8217;m not really a fan of &#8216;punching down&#8217; or laughing at inexperienced people, but I feel like this is done in a light-hearted way. We all make mistakes; I&#8217;m just hoping I deleted all of mine!</p></blockquote><div><hr></div><p><a href="https://github.com/google/localtoast">Localtoast, a scanning tool</a> by Google</p><blockquote><p>Localtoast is a scanner for running security-related configuration checks such as <a href="https://www.cisecurity.org/cis-benchmarks">CIS benchmarks</a> in an easily configurable manner.</p><p>The scanner can either be used as a standalone binary to scan the local machine or as a library with a custom wrapper to perform scans on e.g. container images or remote hosts.</p><p><strong>So What?</strong></p><p>A handy tool if you perform these types of checks for a living!</p></blockquote><div><hr></div><p>Thanks for reading &#8216;Briefly Briefed:&#8217; - To receive the newsletter on a weekly basis, please subscribe below.</p>]]></content:encoded></item><item><title><![CDATA[Briefly Briefed: Newsletter #10 (09/11/23)]]></title><description><![CDATA[Hello, I am the Network.]]></description><link>https://www.munrobotic.com/p/briefly-briefed-newsletter-10-091123</link><guid isPermaLink="false">https://www.munrobotic.com/p/briefly-briefed-newsletter-10-091123</guid><dc:creator><![CDATA[Lawrence Munro]]></dc:creator><pubDate>Thu, 09 Nov 2023 09:41:27 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/14644cf7-d363-4eba-9f37-07fc98c73c70_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Hello, I am the Network.</p><p>This is week #10 of the &#8216;Briefly Briefed:&#8217; newsletter. Many thanks for your continued interest. A big welcome to new subscribers, and many thanks to those who continue to read. A few people have asked about the greetings and sign-offs I use in the newsletter. It&#8217;s one of those &#8216;if-you-know-you-know&#8217; situations: I theme each newsletter greeting from a sci-fi film or book, trying to match it to some of the content that week. It keeps me entertained and hopefully it&#8217;s fun for the sci-fi fans amongst you to figure out the reference.</p><p>My two &#8216;must-read&#8217; recommendations for the week are:</p><ul><li><p><a href="https://strategyofsecurity.com/no-way-out-the-changing-world-of-cybersecurity-exits/">No Way Out: The Changing World of Cybersecurity Exits</a> by Cole Grolmus. 
If you&#8217;re interested in the business side of the industry, Cole presents an interesting analysis of the current state.</p></li><li><p><a href="https://www.philvenables.com/post/caricatures-of-security-people">Caricatures of Security People</a> by Phil Venables really made me laugh. It&#8217;s surprisingly well illustrated (thanks AI) and treads the line between well-intentioned teasing and poking fun.</p></li></ul><p>It is our duty to challenge you. Goodbye.</p><p>Lawrence</p><p><strong>Funny Cyber Quote || Meme of the Week:</strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!rtJw!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6700fc33-b316-4396-9f32-2227e5b03074_837x588.png"><div class="image2-inset"><picture><img src="https://substackcdn.com/image/fetch/$s_!rtJw!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6700fc33-b316-4396-9f32-2227e5b03074_837x588.png" width="388" alt=""></picture></div></a></figure></div><div><hr></div><p><a href="https://safety.google/cybersecurity-advancements/saif/">Google Officially Launch their Secure AI Framework (SAIF)</a></p><blockquote><p>Google has introduced the Secure AI Framework (SAIF), aiming to set industry security standards for AI development and deployment. 
SAIF is designed to ensure AI systems are secure-by-default, incorporating lessons from software development and specific AI security concerns. It introduces six core elements: expanding security foundations to AI, extending threat detection and response, automating defences, harmonising controls across platforms, adapting controls for AI deployment, and contextualising AI risks in business processes. Google's move to establish SAIF reflects their broader commitment to cybersecurity within AI, leveraging their expertise and advocating for a collaborative approach to address and mitigate emerging risks. As AI becomes more integral across industries, the SAIF provides a structured approach to maintaining its integrity and trustworthiness.</p><p><strong>So What?</strong></p><p>I covered the draft of the SAIF framework a few weeks back, but this announcement marks the official launch. There&#8217;s so much content at the moment relating to AI security, safety and its regulation; it can be overwhelming. It&#8217;s hard to pick through what&#8217;s useful and/or applicable. I&#8217;d definitely recommend reading through Google&#8217;s effort though. The framework is underpinned by Google&#8217;s 2018 &#8216;<a href="https://ai.google/responsibility/responsible-ai-practices/">Responsible AI Practices</a>&#8217; and links through to <a href="https://www.nist.gov/itl/ai-risk-management-framework">NIST&#8217;s Risk Management Framework (RMF)</a>.</p></blockquote><div><hr></div><p><a href="https://medium.com/mitre-attack/attack-v14-fa473603f86b">ATT&amp;CK v14 Unleashes Detection Enhancements, ICS Assets, and Mobile Structured Detections</a> by Amy L. Robertson</p><blockquote><p>MITRE has updated their ATT&amp;CK knowledge base to version 14, delivering a number of enhancements to cybersecurity detection and knowledge sharing. The release includes improved detection guidance, analytics, and an extended scope in both Enterprise and Mobile domains. 
Key updates feature over 75 BZAR-based analytics for Lateral Movement detection, refined relationships between detections, data sources, and mitigations, and the introduction of 14 new Assets within the ICS domain, designed to foster sector-wide communication and threat understanding. Additionally, Mobile ATT&amp;CK now includes Phishing (T1660) with associated mitigations, and structured detections aimed at achieving parity with Enterprise capabilities. The navigation experience of the ATT&amp;CK website has been streamlined for better usability. MITRE's ongoing collaboration with the cybersecurity community underscores the collective effort to stay ahead of adversaries.</p><p><strong>So What?</strong></p><p>It&#8217;s great to see MITRE ATT&amp;CK continuing to develop. The latest updates add some great tweaks to Navigator (although these days, you&#8217;d want to automate such things) and additional techniques. If I&#8217;m honest, I do find ATT&amp;CK a double-edged sword. While it provides a universal &#8216;language&#8217; across functions to describe TTPs (which was a game changer), it also creates (if used wrongly) artificial limitations to the scope, and a false sense of security in terms of coverage. Many organisations and practitioners use it as a Cyber bingo card, gamifying the elements to create the false sense that they&#8217;ve &#8216;caught &#8216;em all&#8217;. Jared Atkinson demonstrated this point brilliantly in <a href="https://posts.specterops.io/on-detection-tactical-to-functional-fef1e09d3174">Part 5 of his &#8216;On Detection&#8217;</a> blog series. He demonstrates the different lenses through which we can view and assess the permutations within a single TTP. He gives the example of a sub-technique from MITRE ATT&amp;CK (OS Credential Dumping: LSASS Memory sub-technique) and shows that at a functional level, there are over 39,000 variations of this single sub-technique alone. 
This shows how nuanced detection engineering can be, and what a blunt instrument ATT&amp;CK is, if poorly understood or misused.</p></blockquote><div><hr></div><p><a href="https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/secure-by-design/secure-design-foundations">Secure-by-Design Foundations</a> by the Australian Cyber Security Centre</p><blockquote><p>The Australian Cyber Security Centre (ACSC) has published draft &#8216;Secure-by-Design&#8217; Foundations to assist technology manufacturers and developers in adopting secure-by-design practices.</p><p>The secure-by-design approach is central to Australian cyber security, particularly for tech manufacturers and users, to embed security from the start, ensuring privacy and ongoing management of vulnerabilities. ASD&#8217;s ACSC has introduced Secure-by-Design Foundations to initiate discussions and provide guidelines for integrating security into product development. These Foundations cover holistic organisational security, shifting security considerations early in the development process ("shift left"), integrating security into code development, comprehensive testing, robust data security, continuous assurance, diligent maintenance and support, and secure deprecation practices.</p><p>The strategy encompasses various aspects, from appointing senior stakeholders to embedding security into the organisation&#8217;s culture, from secure coding practices to maintaining and supporting digital products throughout their lifecycle. The goal is to reduce risks like insider threats, supply chain compromises, and data breaches, and improve consumer confidence through assured secure products. ACSC encourages feedback on these Foundations and seeks to expand the tools available for enhancing digital security.</p><p><strong>So What?</strong></p><p>It&#8217;s great to see a focus on fundamentals and &#8216;by-design&#8217; security being considered at a national level. 
The framework itself is nothing new (globally speaking); however, this is possibly a first step towards regulatory and/or legislative intervention across key sectors in Australia.</p></blockquote><div><hr></div><p><a href="https://strategyofsecurity.com/no-way-out-the-changing-world-of-cybersecurity-exits/">No Way Out: The Changing World of Cybersecurity Exits</a> by Cole Grolmus</p><blockquote><p>The article explains that the cybersecurity industry is facing a critical period akin to a high-stakes game of musical chairs, with too many highly valued companies and not enough exit opportunities to match. There are 82 'unicorns'&#8212;firms valued at over $1 billion&#8212;and 36 acquisitions by private equity firms, but history shows there are not enough exit chairs for all 118 companies. The post posits that the industry's &#8216;exuberant phase&#8217;, fuelled by a bull run in venture capital investing, M&amp;A, and public company valuations, is over. IPOs are drying up, and strategic acquisitions are focusing on value rather than volume.</p><p>The reality check brought about by the market downturn requires a rethinking of strategies and expectations. The industry must accept fewer IPOs and value-driven acquisitions, leading to a reset of inflated valuations and a move towards more sustainable growth metrics. Despite the challenges, the author argues that good strategic choices can put the industry on a better trajectory, with examples like Perimeter 81&#8217;s acquisition by Check Point and the merger of ForgeRock and Ping Identity offering hope. A strategic shift towards sustainability over hyper-growth could lead to a more mature and resilient cybersecurity industry.</p><p><strong>So What?</strong></p><p>Broadly speaking, I agree with many of the observations in this post. I think we were all waiting for the bubble to burst on over-inflated valuations in Cyber vendorland. 
I wouldn&#8217;t say the boom times are completely over, but we&#8217;re seeing VCs approach Silicon Valley (and Austin, Boston, Israel and the UK) in a more sceptical and mature fashion as we move into 2024. That said, <a href="https://newsroom.cisco.com/c/r/newsroom/en/us/a/y2023/m09/cisco-to-acquire-splunk-to-help-make-organizations-more-secure-and-resilient-in-an-ai-powered-world.html">Cisco</a> and <a href="https://www.timesofisrael.com/palo-alto-to-buy-cyber-startup-in-2nd-acquisition-of-israeli-startup-within-a-week/">Palo Alto</a> didn&#8217;t seem to get the memo!</p></blockquote><div><hr></div><p><a href="https://www.nccgroup.com/us/newsroom-articles/global-ai-safety-summit-week-decoding-the-big-announcements/">Inaugural Global AI Safety Summit Outcomes</a> by NCC Group</p><blockquote><p>The article explains the significant developments from the recent Global AI Safety Summit, highlighting the importance for businesses to understand and adapt to the evolving AI landscape. The Bletchley Declaration by 28 countries, including the US and China, aims to foster the development of safe and responsible AI. It calls for global cooperation to tackle the challenges posed by frontier AI and to collaborate on risk-based policies. 
Furthermore, the International Guiding Principles for Advanced AI systems and the Statement on Safety Testing set expectations for developers and users of advanced AI systems, emphasising rigorous government assessments of AI models.</p><p>Domestic applications of these international agreements were evident, such as the <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2023/10/31/what-they-are-saying-president-biden-issues-executive-order-on-safe-secure-and-trustworthy-artificial-intelligence/">US&#8217;s Executive Order on Safe, Secure, and Trustworthy AI</a>, the establishment of a <a href="https://www.nist.gov/artificial-intelligence/artificial-intelligence-safety-institute">US AI Safety Institute</a>, and the <a href="https://www.gov.uk/government/publications/ai-regulation-a-pro-innovation-approach/white-paper">UK&#8217;s commitment to a principles-based approach to AI</a> regulation within its current legal framework. The imminent <a href="https://artificialintelligenceact.eu/the-act/">EU AI Act</a> and Australia's watchful stance on AI regulation suggest a global trend towards embedding safety and security principles in domestic regulation.</p><p><strong>So What?</strong></p><p>Businesses should pay close attention, as emerging regulations will likely impose responsibilities not only on AI developers but also on users. With privacy, information security, and ethics at the forefront, it's essential for organisations to consider how varying regulations across borders will impact their operations.</p></blockquote><div><hr></div><p><a href="https://blog.openthreatresearch.com/demystifying-generative-ai-a-security-researchers-notes/">Demystifying Generative AI: A Security Researcher's Notes</a> by Roberto Rodriguez</p><blockquote><p>This is quite a technical (and very long) post, deep-diving into the fundamentals of generative AI. 
</p><p>The article explains the core principles of Generative Artificial Intelligence (AI) from a security researcher's perspective. Don&#8217;t let that put you off if you&#8217;re not so technical; it&#8217;s really well explained. It embarks on a journey starting with the definition of AI and then dives deeper into its subsets, Machine Learning (ML) and Neural Networks (NN), followed by Deep Learning (DL). The post posits that understanding the distinction between AI and ML, alongside the progression to NN and DL, is essential for grasping the foundations of Generative AI.</p><p>Moreover, the post explains the architecture of Neural Networks, breaking down complex terms such as Parameters, Weights, and Activation Functions into simpler concepts. The significance of training methods, including forward propagation and backpropagation, is addressed to explain how neural networks improve their output. By simplifying these sophisticated terms, Roberto seeks to inspire security professionals to leverage Generative AI in their field.</p><p><strong>So What?</strong></p><p>This is a really long article, but it&#8217;s hugely informative. I&#8217;d definitely take a look if you&#8217;re more technical and interested in the nuts and bolts of generative AI, but not already an expert. Kudos to Roberto for trying to make this area more accessible to the community and embracing AI, rather than going down the security FUD road.</p></blockquote><div><hr></div><p><a href="https://www.philvenables.com/post/caricatures-of-security-people">Caricatures of Security People</a> by Phil Venables</p><blockquote><p>A tongue-in-cheek look at the diverse tapestry of personalities and roles that make up the security industry. The post encourages readers to appreciate the wide array of backgrounds, skills, and experiences found in the sector, whilst also engaging in a light-hearted caricaturing of these roles, inclusive of self-reflection. 
The narrative acknowledges that although individuals may sometimes appear to underperform, it is often a reflection of their circumstances rather than their capabilities. With a gentle reminder that everyone is generally doing their best, the article serves both as a comical insider&#8217;s look at the security profession and a nudge to understand the broader context behind each role&#8217;s challenges and contributions.</p><p><strong>So What?</strong></p><p>Why not? This is pretty funny. I&#8217;m sure we&#8217;ll all see elements of ourselves in these, even if we don&#8217;t want to admit it.</p></blockquote><div><hr></div><p><a href="https://www.barclaysimpson.com/salary-guides/2023-cyber-security-data-privacy-salary-guide/">The 2023 Barclay Simpson Salary &amp; Recruitment Trends Guide: Cyber Security &amp; Data Privacy</a></p><blockquote><p>The perennial guide for Cyber salaries in the UK. The report covers the following areas: </p><ul><li><p>The long-term impacts of Brexit and the pandemic on hiring</p></li><li><p>The current hiring climate for cyber security and data privacy professionals</p></li><li><p>The current state of diversity and inclusion</p></li><li><p>Permanent and contract recruitment trends and challenges</p></li><li><p>Up-to-date salary information by role and sector</p></li></ul><p><strong>So What?</strong></p><p>These figures serve as a useful guide for those in the industry. There is also some useful data on trends and on salary movements over the last period.</p></blockquote><div><hr></div><p><a href="https://github.com/microsoft/ConditionalAccessforZeroTrustResources/blob/main/ConditionalAccessGovernanceAndPrinciplesforZeroTrust%20October%202023.pdf">Microsoft Azure AD Conditional Access Principles and Guidance</a> by Claus Jespersen</p><blockquote><p>The document is an informal compilation of best practices and principles for implementing a Conditional Access framework, as gathered from delivering enterprise customer engagements. 
It emphasises a Zero Trust approach and offers foundational protection strategies, although it explicitly states that it is not official guidance from Microsoft. As a 'Notes from the field' resource, it provides practical insights alongside Microsoft&#8217;s formal documentation and suggests additional reference points like the work of Alex Filipin and existing Microsoft docs on Conditional Access. The latest updates to the document include enhancements to policies for various user types and a new spreadsheet template for documenting Conditional Access policies. It also hints at adjustments required for specific customer environments and licensing tiers, mainly designed around E3 licenses, with certain features requiring E5. This resource is useful for those new to Conditional Access, as well as veterans looking to incorporate more advanced features into their security architecture.</p><p><strong>So What?</strong></p><p>If you&#8217;re an &#8216;Azure house&#8217; and have some sort of responsibility for technical design, this is an excellent resource. </p></blockquote><div><hr></div><p><a href="https://github.com/gchq/CyberChef">GCHQ release version 10 of CyberChef</a></p><blockquote><p>CyberChef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser. These operations include simple encoding like XOR and Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more.</p><p>The tool is designed to enable both technical and non-technical analysts to manipulate data in complex ways without having to deal with complex tools or algorithms. 
It was conceived, designed, built and incrementally improved by an analyst in their 10% innovation time over several years.</p><p><strong>So What?</strong></p><p>CyberChef is handy for ad hoc manipulation of small amounts of data. A must-have for casual CTFers and web hackers. </p></blockquote><div><hr></div><p><a href="https://sec.okta.com/harfiles">Unauthorised Access to Okta's Support Case Management System: Root Cause and Remediation</a> by David Bradbury (Okta CSO)</p><blockquote><p>The post presents a root cause analysis for the recent security breach within Okta's customer support system, where a threat actor accessed files (of less than 1% of Okta's customers) between 28th September and 17th October 2023. The unauthorised access involved HAR files containing session tokens that could be used for session hijacking. This vulnerability was exploited to hijack sessions of five customers. The breach was facilitated by a service account with extensive permissions, whose credentials were compromised through an employee's personal Google account. Okta's subsequent investigation revealed a failure to identify suspicious downloads due to different log event types, which were later detected with the aid of an indicator provided by BeyondTrust. The post explains that Okta has since disabled the compromised service account, blocked personal Google profiles on managed devices, enhanced system monitoring, and introduced session token binding to prevent similar incidents. </p><p><strong>So What?</strong></p><p>I don&#8217;t like to comment on breaches in general; I think when you&#8217;re external to an incident, you don&#8217;t have all the details and it&#8217;s easy to judge. 
However, this <a href="https://twitter.com/ryanaraine/status/1720464965981917620">thread on &#8216;X&#8217;</a> is quite interesting, if you enjoy a hot take.</p></blockquote><div><hr></div>]]></content:encoded></item><item><title><![CDATA[Briefly Briefed: Newsletter #9 (02/11/23)]]></title><description><![CDATA[Do you like scary movies?]]></description><link>https://www.munrobotic.com/p/briefly-briefed-newsletter-9-021123</link><guid isPermaLink="false">https://www.munrobotic.com/p/briefly-briefed-newsletter-9-021123</guid><dc:creator><![CDATA[Lawrence Munro]]></dc:creator><pubDate>Thu, 02 Nov 2023 12:33:16 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/a82be312-1748-41ae-a779-1d42520d2d23_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Do you like scary movies?</p><p>This is week #9 of the extra-spooky Halloween edition of &#8216;Briefly Briefed:&#8217;. A hearty welcome to new subscribers, and many thanks to those who continue to read. 
I&#8217;ve been unwell this week, so please forgive any errata caused by much of this week&#8217;s edition being written in the wee hours of this morning.</p><p>My &#8216;if you only read two&#8217; recommendations of the week are:</p><ul><li><p>The SolarWinds vs. SEC saga! If you&#8217;re a US-based CISO, this will be especially sobering.</p></li><li><p>FIRST&#8217;s finalised publication of CVSS 4.0. It&#8217;s a timely opportunity to review what you use for vulnerability scoring and prioritisation, if you haven&#8217;t recently. </p></li></ul><p>Until next time, Sidney.</p><p>Lawrence</p><p><strong>Cyber Quote || Meme of the Week:</strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!rDg6!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F43bbc86a-803e-49e9-a9bd-8059656d2135_624x737.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!rDg6!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F43bbc86a-803e-49e9-a9bd-8059656d2135_624x737.png 424w, https://substackcdn.com/image/fetch/$s_!rDg6!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F43bbc86a-803e-49e9-a9bd-8059656d2135_624x737.png 848w, https://substackcdn.com/image/fetch/$s_!rDg6!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F43bbc86a-803e-49e9-a9bd-8059656d2135_624x737.png 1272w, https://substackcdn.com/image/fetch/$s_!rDg6!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F43bbc86a-803e-49e9-a9bd-8059656d2135_624x737.png 1456w" 
sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!rDg6!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F43bbc86a-803e-49e9-a9bd-8059656d2135_624x737.png" width="378" height="446.4519230769231" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/43bbc86a-803e-49e9-a9bd-8059656d2135_624x737.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:737,&quot;width&quot;:624,&quot;resizeWidth&quot;:378,&quot;bytes&quot;:1013770,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!rDg6!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F43bbc86a-803e-49e9-a9bd-8059656d2135_624x737.png 424w, https://substackcdn.com/image/fetch/$s_!rDg6!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F43bbc86a-803e-49e9-a9bd-8059656d2135_624x737.png 848w, https://substackcdn.com/image/fetch/$s_!rDg6!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F43bbc86a-803e-49e9-a9bd-8059656d2135_624x737.png 1272w, https://substackcdn.com/image/fetch/$s_!rDg6!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F43bbc86a-803e-49e9-a9bd-8059656d2135_624x737.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><div><hr></div><p><a href="https://www.gov.uk/government/publications/ai-safety-summit-2023-the-bletchley-declaration/the-bletchley-declaration-by-countries-attending-the-ai-safety-summit-1-2-november-2023">The Bletchley Declaration by Countries Attending the AI Safety Summit, 1-2 November 2023</a></p><blockquote><p>Leaders from around the world met at the AI 
Safety Summit and issued the Bletchley Declaration. The declaration emphasises the transformative potential of Artificial Intelligence (AI), calling for its safe, human-centric, and responsible use. It acknowledges both the immense opportunities AI offers in areas like healthcare, education, and sustainable development, and the significant risks it poses, including in cybersecurity and biotechnology. A major focus is on 'frontier AI', which encompasses advanced general-purpose AI models that could potentially cause harm. The declaration calls for international cooperation to mitigate these risks and affirms that all stakeholders, including governments and private sectors, have roles to play in ensuring AI safety. The countries resolved to work inclusively, share scientific research, and meet again in 2024.</p><p><strong>So What?</strong></p><p>It&#8217;s great to see collaboration at an international level on AI. As we&#8217;ve seen with software security more generally, creators and vendors will rarely consider security without appropriate legislative intervention. In the case of AI, I&#8217;m hopeful, but still sceptical, as to whether safety and security will catch up with functional innovation. International collaboration is especially important for new technology like AI, as the globalised economy means vastly different regulatory controls can stifle adoption and innovation. Let&#8217;s see where this goes.</p></blockquote><div><hr></div><p><a href="https://www.sec.gov/news/press-release/2023-227">SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures</a></p><blockquote><p>The U.S. Securities and Exchange Commission (SEC) has charged Austin-based software firm SolarWinds and its CISO, Timothy G. Brown, with fraud and internal control failures. The charges relate to misleading investors about the company's cybersecurity measures from its 2018 IPO to its 2020 announcement of a cyberattack named "SUNBURST." 
Internal documents suggest that SolarWinds and Brown were aware of significant cybersecurity risks but failed to disclose these to investors, leading to accusations of fraud. Following the disclosure of the SUNBURST attack, SolarWinds&#8217; stock price dropped significantly. The SEC seeks various penalties, including civil fines and an officer and director bar against Tim Brown. This case serves as a stern reminder for companies to be transparent about their cybersecurity risks and practices.</p><p><strong>So What?</strong></p><p>Yikes. As a CISO myself, this certainly makes me nervous (and happy to be based outside the U.S.). This is a clear message on personal accountability from the SEC for CISOs. This approach gives parity, in terms of accountability, to CISOs for information security in the same way that CFOs or CEOs are accountable for corporate finance. While that may be appropriate in terms of the CISO being the most senior &#8216;Cyber person&#8217; in the business, in most organisations seniority and remuneration are not geared for this level of accountability. In a similar situation to <a href="https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-sentenced-three-years-probation-covering-data#:~:text=SAN%20FRANCISCO%20%E2%80%93%20Joseph%20Sullivan%20was,handed%20down%20by%20the%20Hon.">Joseph Sullivan</a> (the Uber CISO who served during the 2014 and 2016 breaches) there was proven wrongdoing. Both concealed issues where there should have been transparency. This was obviously caused by serious misjudgement by both individuals, although I don&#8217;t presume to know the pressures (or potential coercions) that they were under in both instances. 
It does provide a few lessons though:</p><ul><li><p>Never compromise your ethics.</p></li><li><p>Go on record when you feel the wrong course of action is being taken.</p></li><li><p>We need to work together to de-stigmatise CISOs who&#8217;re on watch during a breach (as we all know it&#8217;s inevitable during your career).</p></li><li><p>CISOs need a seat at the &#8216;big table&#8217; if they&#8217;re subject to this level of personal risk and accountability.</p></li><li><p>Don&#8217;t accept or pursue cringey Cyber awards. It&#8217;s embarrassing enough to nominate yourself then campaign your friends and colleagues for votes, without <a href="https://www.businesswire.com/news/home/20230418005199/en/SolarWinds-CISO-Tim-Brown-Named-CISO-of-the-Year-by-Globee-Cybersecurity-Awards">something like this happening after being named CISO of the year</a>.</p></li></ul></blockquote><div><hr></div><p><a href="https://cyberscoop.com/ransomware-ransom-pledge-pay/">Four dozen countries declare they won&#8217;t pay ransomware ransoms</a> by AJ Vicens</p><blockquote><p>A significant gathering of the International Counter Ransomware Initiative is on the horizon. Convened first by U.S. President Joe Biden in 2021, this year's focus is on information sharing, artificial intelligence, and blockchain analysis to combat ransomware. Most notably, member nations, including 48 countries, the European Union, and Interpol, are committing to a joint policy statement declaring they will no longer pay ransoms. This move has stirred controversy, yet aims to strike at the financial core of ransomware operations. The initiative will also share a blacklist of cryptocurrency wallets related to ransomware. While ransomware attacks are on the rise, the collective move aims to set a norm against paying ransoms and to intensify international actions against ransomware groups.</p><p><strong>So What?</strong></p><p>Another challenge for security teams! 
However, I believe this is likely the right course of action. There will be significant short-to-medium term pain for organisations hit by ransomware attacks, and what this means for Cyber insurance will be interesting. There will certainly need to be greater support for medium-sized businesses and small enterprises from governments, as they&#8217;re currently a sweet spot for cyber criminals. Support will need to be offered on both the preventative and recovery sides of the incident, in order to be effective. I foresee this being a protracted battle, as this is an &#8216;easy buck&#8217; for threat actors, and there is a risk of organisations being tempted to conceal payments.</p></blockquote><div><hr></div><p><a href="https://www.first.org/newsroom/releases/20231101">FIRST Officially Publishes Common Vulnerability Scoring System (CVSS v4.0)</a></p><blockquote><p>FIRST has officially released CVSS version 4.0, a significant update to the Common Vulnerability Scoring System. The scoring system assesses the severity of security vulnerabilities, offering a numerical score and qualitative severity rating. The new version aims to provide higher fidelity in vulnerability assessment and introduces additional metrics, such as Automatable, Recovery, and Value Density. Notably, CVSS v4.0 is more applicable to OT/ICS/IoT environments. With refined base metrics and enhanced effectiveness in assessing specific security requirements, CVSS 4.0 is hoped [by FIRST] to be a 'game-changer'. 
It also introduces new nomenclature like CVSS-B (Base Score), CVSS-BT (Base + Threat Score), and others.</p><p>Additional links:</p><ul><li><p>Specification: <a href="https://www.first.org/cvss/v4.0/specification-document">https://www.first.org/cvss/v4.0/specification-document</a></p></li><li><p>User Guide: <a href="https://www.first.org/cvss/v4.0/user-guide">https://www.first.org/cvss/v4.0/user-guide</a></p></li><li><p>Examples: <a href="https://www.first.org/cvss/v4.0/examples">https://www.first.org/cvss/v4.0/examples</a></p></li><li><p>FAQ: <a href="https://www.first.org/cvss/v4.0/faq">https://www.first.org/cvss/v4.0/faq</a></p></li><li><p>Calculator: <a href="https://www.first.org/cvss/calculator/4.0">https://www.first.org/cvss/calculator/4.0</a></p></li></ul><p><strong>So What?</strong></p><p>Vulnerability risk scoring and remediation prioritisation are hot areas right now. There are quite a few options emerging which aim to supersede the incumbent and ubiquitous CVSS. These include the likes of <a href="https://www.first.org/epss/model">EPSS</a> and <a href="https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc">SSVC</a>. </p><p>Anecdotally, there seem to be two camps when it comes to CVSS: the &#8216;early rejectors&#8217; and &#8216;the faithful&#8217;. I sit firmly in the first camp, and although there have been some great changes in 4.0, I think the standard is getting overly complex, to the point where you need to spend more time modelling than remediating. One of the key reasons CVSS became hated by those responsible for making prioritisation decisions is that only the base score is automatable. This meant that there was a lack of context and large amounts of manual toil. Moreover, there&#8217;s a lack of context around exploitation likelihood through CTI, something that&#8217;s addressed by EPSS and initiatives like <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">CISA&#8217;s KEV</a>. Ultimately, organisations prioritised the wrong things. 
Notwithstanding these points, some organisations will find utility in the new standard and it&#8217;s horses for courses.</p></blockquote><div><hr></div><p><a href="https://techcrunch.com/2023/10/31/confirmed-palo-alto-networks-buys-dig-security-sources-say-for-400m/">Confirmed: Palo Alto Networks buys Dig Security for $400M</a> by Ingrid Lunden</p><blockquote><p>Palo Alto Networks, a prominent U.S. security firm, has confirmed the acquisition of Dig Security, an Israel-based company. Although the official financial terms remain undisclosed, sources indicate a deal worth around $400 million. There's ongoing speculation about Palo Alto's second acquisition, Talon, which when combined with Dig, could sum up to a $1 billion investment for the firm. This acquisition is significant for Israel's tech landscape, especially given the prevailing political tensions and events. Amidst these, the tech sector, especially cybersecurity, plays a pivotal role in the country's economy. Dig Security specialises in data security posture management, assisting organisations in understanding their assets across various cloud environments. This acquisition will see Dig's offerings integrated into Palo Alto's Prisma business, focusing on cloud security. The partnership aims to enhance cloud security, especially with the rise of AI-enabled applications and the surge in data transfers to the cloud.</p><p><strong>So What?</strong></p><p>I wrote a <a href="https://www.munrobotic.com/p/are-we-seeing-a-cyber-race-for-critical">longer article</a> on what I think is playing out through some of these bigger acquisitions back in September. Suffice to say, this is another big swing from Palo Alto and probably a smart play. xSPM-as-a-service is the new <s>EDR MDR XDR</s> mXDR, I&#8217;m calling it now! 
</p></blockquote><div><hr></div><p><a href="https://content.salt.security/rs/352-UXR-417/images/SaltSecurity-Report-StateoftheCISO-2023.pdf?li_fat_id=8938c948-eac4-4b37-a06d-ff7470b6d608">State of the CISO: A global report on priorities, pain points, and security gaps</a> by Salt Security</p><blockquote><p>This survey and report investigates the transformation of the Chief Information Security Officer (CISO) role due to the digital-first economy. It covers how digitalisation has not only impacted security frameworks but also generated personal challenges for CISOs such as increased stress and litigation risks. The paper flags a critical issue: the security vulnerabilities around APIs (who would have guessed an API security company would reach this conclusion!), now deemed by Gartner as potential mega risks. With cybercriminals weaponising AI, CISOs find themselves in a race to adopt AI for good, to counterbalance these threats. The report also stresses that enhancing security is not solely the duty of the CISO; it requires attention from all C-level executives. The study is based on a sample of 300 CISOs from varied sectors and countries, collected in April 2023.</p><p>Key findings:</p><ol><li><p>The Healthcare and Financial Services industries face the biggest security impact due to the rapid pace of digital transformation initiatives.</p></li><li><p>Almost half of CISOs worldwide have concerns that a security breach in their organisation may result in personal litigation and liability.</p></li><li><p>78% of CISOs are prioritising API security more highly than two years ago, and 95% of CISOs say API security is a planned priority over the next two years.</p></li><li><p>The speed of AI adoption is the global development most impacting the CISO&#8217;s role.</p></li><li><p>91% of CISOs say hiring of qualified cybersecurity talent remains a significant issue to deliver digital transformation initiatives.</p></li></ol><p><strong>So What?</strong></p><p>There&#8217;s nothing surprising in an API security company creating a report that shows API security is super important. However, there are some useful nuggets in this report and definitely some presentation and business case stats worth caching. </p></blockquote><div><hr></div><p><a href="https://www.linkedin.com/pulse/how-build-security-strategy-13-easy-steps-jesper-johansson-xwmjc/">How To Build A Security Strategy in 13 Easy Steps</a> by Jesper Johansson</p><blockquote><p>The article outlines a 13-step approach to constructing an effective security strategy. Starting with the identification of business objectives, the article emphasises aligning security goals with the company's vision. From there, it navigates the complexities of risk assessment, emphasising its significance in prioritising threats. The author suggests regular updates to the strategy, ensuring it remains relevant in a dynamic threat landscape. 
By following these steps, businesses can fortify their defences, making them resilient to emerging challenges.</p><ol><li><p>Unmanaged Or Non-Centralised Assets</p></li><li><p>Weak User Authentication</p></li><li><p>Over Privileged Users</p></li><li><p>Vendor And Other External Access</p></li><li><p>Unpatched Assets</p></li><li><p>Secrets Storage And Rotation</p></li><li><p>Non-ephemeral Infrastructure</p></li><li><p>Lack Of Outbound Traffic Restrictions</p></li><li><p>Improper Security Dependencies</p></li><li><p>Software Dependencies</p></li><li><p>Unnecessary Services Or Foot Print</p></li><li><p>First Party Software Security Controls</p></li><li><p>Lack Of Visibility</p></li></ol><p><strong>So What?</strong></p><p>Not exactly a risk-based approach, but a good list of things to think about, with some sensible recommendations as to how they can be achieved.</p></blockquote><div><hr></div><p><a href="https://www.greynoise.io/resources/attackers-without-borders-the-united-kingdom-view-of-global-malicious-traffic">Understanding Malicious Cyber Activity in the United Kingdom</a> by GreyNoise Labs</p><blockquote><p>The post investigates the nature of malicious cyber activity targeting and originating from the United Kingdom. Utilising their &#8220;planetary-scale sensor network&#8221;, the researchers observed nearly 600,000 malicious exploitation attempts against U.K. IPs, alongside 8,293 attacks coming from the U.K. The most malicious traffic originates from ISP networks, and alarmingly, mobile networks are the third most common source. The Mirai botnet tops the list for malicious activity, being a constant threat to unsecured systems. The report concludes with a nod to the U.K.'s cybersecurity measures, as only 3.4% of inbound malicious attempts were U.K.-specific, suggesting effective national cyber defence mechanisms.</p><p><strong>So What?</strong></p><p>Some useful high-level numbers for UK-based cyber folks. 
GreyNoise produce similar reports for other countries, which can be found <a href="https://www.greynoise.io/resources">here</a>.</p></blockquote><div><hr></div><p><a href="https://chuvakin.blogspot.com/2023/10/how-to-banish-heroes-from-your-soc.html">How to Banish Heroes from Your SOC?</a> by Anton Chuvakin</p><blockquote><p>The blog addresses the pitfalls of relying on 'heroism' in a Security Operations Centre (SOC). Heroism, defined here as individuals compensating for systemic issues, often leads to unsustainable and inefficient operations. Examples include analysts working extended hours and ad-hoc solutions to systemic problems. The author argues for moving from an 'artisanal' approach, dependent on individual heroics, to an 'industrial' system that prioritises automation, consistent processes, and a systematic approach. The key takeaway is that it's better to let a flawed process break to reveal systemic issues, rather than depending on individuals to constantly patch holes. A call to action is made for SOCs to 'de-heroise' and adopt more scalable, sustainable methods.</p><p><strong>So What?</strong></p><p>I don&#8217;t believe this is new thinking, as there are analogues in various other fields, and (IMO) this is a standard feature of human systems when left unchecked. <a href="https://scrumisscrum.wordpress.com/2009/04/02/hero-driven-development/">Hero-driven development</a> is likely the archetype of this in the tech world. However, Anton does make a great point in identifying this in SOCs. There is a broader scaling issue that creates these sorts of dynamics, and this is often compounded by businesses pushing to &#8216;do more with less&#8217; and failing to invest in automation.</p></blockquote><div><hr></div><p><a href="https://dustri.org/b/detecting-and-annoying-burp-users.html">Detecting and annoying Burp users</a> by Julien Voisin</p><blockquote><p>An older post that&#8217;s been trending again recently, but is still relevant. 
The post outlines techniques for disrupting the use of Burp Suite, a popular application security (and hacking) tool that works by intercepting and modifying HTTP requests.</p><p><strong>So What?</strong></p><p>This sort of active defence has been discussed for some time. I think it&#8217;s really useful and I&#8217;m glad this particular post is doing the rounds again. This has largely evolved into &#8216;deception tech&#8217;, although it&#8217;s fallen out of favour somewhat of late. My favourite talk on this topic is <a href="https://www.youtube.com/watch?v=H9Kxas65f7A">Chris John-Riley&#8217;s at DEFCON back in 2013</a>; it&#8217;s still relevant and contains some solid logic.</p></blockquote><div><hr></div><p><a href="https://owasp.org/www-board/elections/2023_elections">The 2023&nbsp;OWASP Global Board election has been finalised</a></p><blockquote><p>Although it will not be publicly announced until next week, an email was sent to the OWASP mailing list, confirming that the following people have been elected to the Global Board:</p><ul><li><p>Steve Springett</p></li><li><p>Sam Stepanyan</p></li><li><p>Kevin Johnson&nbsp;</p></li><li><p>Avi Douglen</p></li></ul><p><strong>So What?</strong></p><p>Congratulations to those elected! </p><p>For those who haven&#8217;t been following this year&#8217;s OWASP drama, it started with an <a href="https://owasp-change.github.io/">open letter</a>, signed by a number of prominent members calling for significant change. OWASP responded, but it wasn&#8217;t emphatic enough, causing Mark Curphey (one of the founders) to step down and subsequently <a href="https://groups.google.com/a/owasp.org/g/global-board/c/IfxkC08fosU/m/aOK_wzXgCgAJ?pli=1">Glenn Cate to be removed from the board</a>. This triggered a migration of a number of members to join the newly formed <a href="https://softwaresecurityproject.org/">Software Security Project</a> under the Linux Foundation. 
Shortly after, one of the flagship projects (<a href="https://www.zaproxy.org/blog/2023-08-01-zap-is-joining-the-software-security-project/">OWASP ZAP</a>) announced they were moving over to the SSP also. Let&#8217;s see how this pans out, and whether there is room for an OWASP competitor. </p></blockquote><div><hr></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://www.munrobotic.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading &#8216;Briefly Briefed:&#8217; - To receive the newsletter on a weekly basis, please subscribe below. </p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>]]></content:encoded></item><item><title><![CDATA[Briefly Briefed: Newsletter #8 (26/10/23)]]></title><description><![CDATA[Come with me if you want to live.]]></description><link>https://www.munrobotic.com/p/briefly-briefed-newsletter-8-261023</link><guid isPermaLink="false">https://www.munrobotic.com/p/briefly-briefed-newsletter-8-261023</guid><dc:creator><![CDATA[Lawrence Munro]]></dc:creator><pubDate>Thu, 26 Oct 2023 10:42:28 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/ac1eefc4-ff97-45a4-9e81-65e88a77be78_1792x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Come with me if you want to live.</p><p>This is week #8 of the &#8216;Briefly Briefed:&#8217; newsletter. Many thanks for your continued interest. I&#8217;ve been posting fewer updates over the last week on LinkedIn and Twitter. 
It looks as though the algorithms are intentionally nobbling people who share external content (unless you contribute (on LinkedIn) to pointless collaborative articles for brownie points).  Hopefully, the newsletter is timely enough to be useful. I will persist, and fingers crossed, the useful bits make it to your screens.</p><p>My &#8216;if you only read two things&#8217; recommendations for the week are:</p><ul><li><p><a href="https://github.com/FalconForceTeam/FalconHound">FalconHound</a>. This is just a really useful tool, I highly recommend you try it out or pass it on to technical colleagues in your team (especially if you already run Bloodhound periodically).</p></li><li><p><a href="https://ventureinsecurity.net/p/follow-the-people-stake-netscreen">Ross Haleliuk&#8217;s history of Cyber industry luminaries</a>. I found this a really well researched piece and I learnt some background information I didn&#8217;t already know.</p></li></ul><p>Hasta la vista, baby.</p><p>Lawrence</p><p><strong>Funny Cyber Quote || Meme of the Week:</strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!qtmv!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff8efcb8b-e055-4a89-b557-d78aeff3e375_1536x1421.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!qtmv!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff8efcb8b-e055-4a89-b557-d78aeff3e375_1536x1421.jpeg 424w, https://substackcdn.com/image/fetch/$s_!qtmv!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff8efcb8b-e055-4a89-b557-d78aeff3e375_1536x1421.jpeg 848w, 
https://substackcdn.com/image/fetch/$s_!qtmv!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff8efcb8b-e055-4a89-b557-d78aeff3e375_1536x1421.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!qtmv!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff8efcb8b-e055-4a89-b557-d78aeff3e375_1536x1421.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!qtmv!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff8efcb8b-e055-4a89-b557-d78aeff3e375_1536x1421.jpeg" width="332" height="307.1456043956044" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f8efcb8b-e055-4a89-b557-d78aeff3e375_1536x1421.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1347,&quot;width&quot;:1456,&quot;resizeWidth&quot;:332,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;No photo description available.&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="No photo description available." title="No photo description available." 
srcset="https://substackcdn.com/image/fetch/$s_!qtmv!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff8efcb8b-e055-4a89-b557-d78aeff3e375_1536x1421.jpeg 424w, https://substackcdn.com/image/fetch/$s_!qtmv!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff8efcb8b-e055-4a89-b557-d78aeff3e375_1536x1421.jpeg 848w, https://substackcdn.com/image/fetch/$s_!qtmv!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff8efcb8b-e055-4a89-b557-d78aeff3e375_1536x1421.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!qtmv!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff8efcb8b-e055-4a89-b557-d78aeff3e375_1536x1421.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.munrobotic.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:&quot;button-wrapper&quot;}" data-component-name="ButtonCreateButton"><a class="button primary button-wrapper" href="https://www.munrobotic.com/subscribe?"><span>Subscribe now</span></a></p><div><hr></div><p><a href="https://github.com/FalconForceTeam/FalconHound">FalconHound: The Blue Team Multi-Tool for Enhancing BloodHound</a> by Olaf Hartong / Falcon Force</p><blockquote><p>FalconHound is a blue team multi-tool built to supercharge the capabilities of BloodHound. While BloodHound provides a snapshot view of a network environment, FalconHound keeps it updated in real-time. Designed for blue teamers, it leverages existing log data to update local group memberships and session information, filling gaps in BloodHound&#8217;s graphs. Moreover, it can trigger alerts and create enrichment lists based on these updated graphs. For instance, it can alert you if a user has a path to a high-privilege group. It&#8217;s also adaptable: it integrates Azure activity and CVE data, and can even flag compromised users based on incidents in Sentinel or MDE. Essentially, FalconHound takes your BloodHound graphs from static to dynamic, offering a more comprehensive view of your security landscape. Nice work by Olaf and the gang. </p><p><strong>So What?</strong></p><p>This is just a really great tool I wanted to highlight. It demonstrates how the aggregation of open source tools can be really powerful, even in an enterprise. 
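</p><p>The real-time session enrichment described above, as an added example that is not FalconHound&#8217;s code (nor its KQL or Cypher): a few constructed logon events are mapped onto BloodHound&#8217;s Computer-[:HasSession]-&gt;User edges, merged into a small in-memory copy of the graph, and every user is re-checked for a newly created path to Domain Admins. The seed graph, the node labels and the event shape are all assumed for the demo.</p>

```python
"""Added example (not FalconHound's code): enrich a BloodHound-style graph from
session events and re-check attack paths as each event lands.
Seed graph, event shape and node labels are constructed for the demo."""
from collections import deque
from typing import Dict, List, Optional, Tuple

Edge = Tuple[str, str, str]          # (source, relationship, target)
Graph = Dict[str, List[Tuple[str, str]]]

# Constructed: what a periodic SharpHound collection might already hold.
SEED_EDGES: List[Edge] = [
    ("HELPDESK@CORP.LOCAL", "MemberOf", "HELPDESK-OPS@CORP.LOCAL"),
    ("HELPDESK-OPS@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("ADMIN-BOB@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
]
# Constructed: node kinds, which BloodHound stores as Neo4j labels.
LABELS = {
    "HELPDESK@CORP.LOCAL": "User", "ADMIN-BOB@CORP.LOCAL": "User",
    "ALICE@CORP.LOCAL": "User", "HELPDESK-OPS@CORP.LOCAL": "Group",
    "DOMAIN ADMINS@CORP.LOCAL": "Group", "WS01.CORP.LOCAL": "Computer",
    "WS02.CORP.LOCAL": "Computer",
}
HIGH_VALUE = {"DOMAIN ADMINS@CORP.LOCAL"}

# Constructed session events in a simplified shape. A real feed would be
# e.g. 4624 logon events or DeviceLogonEvents pulled from a SIEM/EDR query.
SESSION_EVENTS = [
    {"Account": "alice", "Computer": "WS02"},
    {"Account": "admin-bob", "Computer": "WS01"},
]


def session_edge(event: Dict[str, str], domain: str = "CORP.LOCAL") -> Edge:
    """Map one logon event to BloodHound's Computer-[:HasSession]->User edge."""
    user = f"{event['Account'].upper()}@{domain}"
    host = f"{event['Computer'].upper()}.{domain}"
    return (host, "HasSession", user)


def to_cypher(edge: Edge) -> str:
    """Idempotent MERGE for one edge. Demo only: real code must pass names as
    query parameters, because string-built Cypher is injectable."""
    src, rel, dst = edge
    return (f"MERGE (a:{LABELS.get(src, 'Base')} {{name: '{src}'}}) "
            f"MERGE (b:{LABELS.get(dst, 'Base')} {{name: '{dst}'}}) "
            f"MERGE (a)-[:{rel}]->(b)")


def add_edge(graph: Graph, edge: Edge) -> None:
    src, rel, dst = edge
    graph.setdefault(src, []).append((rel, dst))


def path_to_high_value(graph: Graph, start: str) -> Optional[List[Edge]]:
    """BFS along outgoing edges; returns the edge list of the shortest path
    from start into HIGH_VALUE, or None if no path exists."""
    prev: Dict[str, Optional[Tuple[str, str]]] = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in HIGH_VALUE:
            path: List[Edge] = []
            while prev[node] is not None:
                parent, rel = prev[node]
                path.append((parent, rel, node))
                node = parent
            return path[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    return None


def run(events: List[Dict[str, str]] = SESSION_EVENTS):
    """Replay events into the seed graph; return (new alerts, Cypher emitted).
    An alert fires only when a user gains a path they did not have before."""
    graph: Graph = {}
    for edge in SEED_EDGES:
        add_edge(graph, edge)
    users = [n for n, kind in LABELS.items() if kind == "User"]
    already = {u for u in users if path_to_high_value(graph, u) is not None}
    alerts, cypher = [], []
    for event in events:
        edge = session_edge(event)
        add_edge(graph, edge)
        cypher.append(to_cypher(edge))
        for user in users:
            if user in already:
                continue
            path = path_to_high_value(graph, user)
            if path is not None:
                already.add(user)
                alerts.append((user, path))
    return alerts, cypher


if __name__ == "__main__":
    for user, path in run()[0]:
        print(f"ALERT {user} -> " + " -> ".join(f"{r}:{d}" for _, r, d in path))
```

<p>In the demo the helpdesk user has no path until admin-bob logs on to WS01; that single session edge completes HELPDESK &#8594; HELPDESK-OPS &#8594; WS01 &#8594; ADMIN-BOB &#8594; DOMAIN ADMINS and an alert fires, while alice&#8217;s logon changes nothing. The MERGE strings show the shape of what would be written to Neo4j; the point is that a graph collected once a week goes stale, and session data is what turns a harmless-looking helpdesk account into a path to Domain Admins.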
</p></blockquote><div><hr></div><p><a href="https://www.microsoft.com/en-us/security/blog/2023/10/19/microsoft-security-copilot-early-access-program-harnessing-generative-ai-to-empower-security-teams/">Microsoft Security Copilot Early Access Program: Harnessing Generative AI to Empower Security Teams</a> by Vasu Jakkal</p><blockquote><p>Microsoft is aiming to transform security operations with its Security Copilot Early Access Program. Utilising generative AI, Security Copilot acts as an AI assistant that streamlines tasks, allowing security teams to focus on high-impact projects. Its goal is to reduce the time spent on core security operations by up to 40%. Integrated within Microsoft 365 Defender, it offers actionable recommendations, aids in cyberthreat remediation, and lets analysts express complex queries in natural language. Interestingly, it's extending the service to Managed Security Service Providers. Microsoft Defender Threat Intelligence is now included (for free), offering additional insight into cyberthreats. </p><p><strong>So What?</strong></p><p>Copilot promises to revolutionise security operations, making them more efficient and responsive at machine speed&#8482;. It&#8217;ll be interesting to see how this shapes up. I definitely see the need to automate even more SOC processes and, having played with this already, I think it&#8217;s really powerful. Where I do have a concern is that when you centralise these types of capabilities, they become a juicy target for attackers. If you look at how advanced threat actors and red teamers leverage things like Defender for Endpoint Live Response as a C2, you can imagine how this could be used as a force-multiplier for attackers too. Especially in an MSSP context! These types of tools are always a trade-off between utility and the threat they pose to security. 
In typical Azure fashion, Security Copilot <a href="https://learn.microsoft.com/en-us/security-copilot/authentication">is configured with very high permissions</a> (Global Admin), but can be operated by Security reader roles (still highly privileged). Overall, I believe we should cautiously embrace these types of tools, and keep applying pressure on vendors to provide appropriate security at the cadence of innovation.</p></blockquote><div><hr></div><p><a href="https://www.youtube.com/watch?v=3JhODVBRLvc">How A Teenager (Junaid Hussain) Became A Hacker For Terrorists, A (mini) Documentary</a></p><blockquote><p>A slightly sensationalised YouTube video charting the path of Junaid Hussain, a prolific Islamic State hacker. It&#8217;s an interesting video, and illustrates how people can be radicalised over time. </p><p><strong>So What?</strong></p><p>I think the video is a little tone deaf in parts, especially in their neutral tone relating to the EDL (the English Defence League, a right-wing / racist group in the UK). It highlights how personal situations can escalate, and how the current landscape of polarising politics can create shocking outcomes. Obviously, awful and terrifying stuff all round.</p></blockquote><div><hr></div><p><a href="https://blog-google.cdn.ampproject.org/c/s/blog.google/outreach-initiatives/public-policy/google-microsoft-anthropic-open-ai-frontier-model-forum-executive-director/">Anthropic, Google, Microsoft and OpenAI announce Executive Director of the Frontier Model Forum and over $10 million for a new AI Safety Fund</a> by Google Cloud</p><blockquote><p>Chris Meserole is now the first Executive Director of the Frontier Model Forum, an industry organisation committed to the safe and responsible use of advanced AI models. The announcement also includes the creation of an AI Safety Fund with over $10 million committed. This fund aims to advance research on AI safety, filling a crucial gap in current studies. 
Industry giants like Anthropic, Google, Microsoft, and OpenAI, alongside philanthropic partners, are the initial backers. The fund will support independent researchers to test and evaluate powerful AI models. The Frontier Model Forum will also share industry best practices and intends to engage in collaborative red teaming to assess AI vulnerabilities.</p><p><strong>So What?</strong></p><p>This is particularly useful for the security community, as the fund will finance research in red teaming and model evaluations. This could result in the creation of more robust security protocols, potentially raising industry standards. Moreover, by encouraging a common set of terms and practices, the Forum aims to streamline discussions and actions concerning AI safety and governance across sectors. It&#8217;s not the only effort in this area, by any means, but it&#8217;s good to see major players at the table.</p></blockquote><div><hr></div><p><a href="https://www.ncsc.gov.uk/blog-post/chatgpt-and-large-language-models-whats-the-risk">Do Loose Prompts Sink Ships? Exploring the Cyber Security Issues of ChatGPT and LLMs</a> by David C and Paul J from UK NCSC</p><blockquote><p>While the technology offers a host of benefits, it also brings forth several risks. LLMs can generate biased or incorrect information, be prone to cyberattacks, and even inadvertently aid cybercriminals. The models do not learn from user inputs, but the data may be stored by the service provider, potentially posing privacy risks. The authors recommend not including sensitive information in queries to public LLMs. Organisations considering LLMs for business automation should closely examine terms of use and conduct security assessments. In summary, while LLMs are promising, caution is advised in their application to prevent compromising cybersecurity.</p><p><strong>So What?</strong></p><p>The article contains good, common sense advice. 
While I don&#8217;t think the post adds anything new in the grand scheme of LLM security, the value is in the simplicity and tone. As it&#8217;s provided by the UK NCSC, it will hopefully reach the right people who&#8217;re looking for this information.</p></blockquote><div><hr></div><p><a href="https://ventureinsecurity.net/p/follow-the-people-stake-netscreen">Follow the people: @stake, NetScreen, IBM, Israel Defense Forces and the US Armed Forces mafia networks in cybersecurity</a> by Ross Haleliuk</p><blockquote><p>The article delves into the intricate tapestry of networks that significantly influence today's cybersecurity landscape. Companies like @stake, NetScreen, and IBM, along with military establishments such as the Israel Defense Forces and the US Armed Forces, have proven to be fertile ground for future cybersecurity leaders. These 'mafias' serve as talent incubators, churning out founders and executives who go on to shape the industry in profound ways. The post underscores that it is often the people behind the scenes, not just the innovative ideas, that wield immense power in this ever-evolving field. A must-read for anyone interested in understanding the dynamics of influence (and the history) within cybersecurity.</p><p><strong>So What?</strong></p><p>I really enjoyed this article, not only for the nostalgia factor, but because I didn&#8217;t know some of the founder stories it covered. This is a great primer if you&#8217;re newer to the industry and care about the history and journeys of key people and companies. </p><p>If I were to be critical (which is so unlike me!), I would say there were a few key people missing (Jason Chan, a notable @stake alum for one), who made some serious contributions to the security landscape. However, I understand that the focus was on commercial landscape shaping, over conceptual or technical contributions (not that many of those cited didn&#8217;t make that sort of contribution also). 
Who&#8217;s going to write the technical version of this?</p></blockquote><div><hr></div><p><a href="https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-passwordless-experience-expands/ba-p/3962005">Windows passwordless experience expands</a> by Sayali Kale</p><blockquote><p>Microsoft is advancing its commitment to a passwordless future by introducing an enhanced Windows passwordless experience for organisations, starting with the September 2023 update for Windows 11, version 22H2. Passwords, being inherently insecure and a primary target for cyberattacks, are being replaced by Microsoft with passwordless solutions like Windows Hello for Business and FIDO2 security keys. These phishing-resistant credentials eliminate the need for passwords from the outset. Commercial entities can activate the &#8216;EnablePasswordlessExperience&#8217; MDM policy to ensure a wholly passwordless user experience on Microsoft Entra ID joined machines. After activation, the policy removes passwords from the user experience, including in-session authentication scenarios. Instead of passwords, users will utilise Windows Hello for authentication. The update also introduces a new web sign-in experience, aiming to shift organisations and users away from passwords in the coming days.</p><p><strong>So What?</strong></p><p>Passwordlessness can&#8217;t come soon enough in my opinion. It&#8217;s great to see steps towards the removal of passwords and the interoperability with multiple other factors. Windows 11 is a significant driver towards this (although &#8216;Hello&#8217; can run on Windows 10 also). However, adoption is slow, but improving, with <a href="https://gs.statcounter.com/os-version-market-share/windows/desktop/worldwide">23.6% of Windows Desktop OS users on 11, and 71.6% on Windows 10</a> still. 
Let&#8217;s move, people!</p></blockquote><div><hr></div><p><a href="https://www.wired.com/story/unciphered-ironkey-password-cracking-bitcoin/">They Cracked the Code to a Locked USB Drive Worth $235 Million in Bitcoin. Then It Got Weird </a>by Andy Greenberg of Wired</p><blockquote><p>A Seattle-based startup, Unciphered, claims to have developed a technique for cracking encrypted IronKey USB drives without triggering the data-erasure function that activates after 10 incorrect password attempts. The team's main target is a decade-old IronKey drive located in a Swiss vault, holding 7,002 bitcoins worth approximately $235 million. The drive belongs to Stefan Thomas, a Swiss entrepreneur based in San Francisco, who lost the password. Thomas has declined assistance from Unciphered, stating he has prior agreements with other security teams. Unciphered's technology could potentially unlock numerous forgotten cryptocurrency wallets, but they find themselves with a solution in search of a problem, as Thomas remains unresponsive to their advances.</p><p><strong>So What?</strong></p><p>I find it really interesting that this is back in the news. After Bitcoin initially surged, there were often stories of people losing access to encrypted wallets (and other wild tales&#185;&#178;&#179;&#8308;&#8309;) with $millions tied up and &#8216;hackers&#8217; offered huge bounties to retrieve them. In this particular case, it&#8217;s fascinating that the owner of such a wallet has a solution available, but is unresponsive. 
I&#8217;m sure there&#8217;s a reason why, which we will find out in time, no doubt.</p><p>&#185;https://www.nytimes.com/2021/01/12/technology/bitcoin-passwords-wallets-fortunes.html </p><p>&#178;https://www.cbc.ca/radio/asithappens/as-it-happens-friday-edition-1.5875363/this-man-owns-321m-in-bitcoin-but-he-can-t-access-it-because-he-lost-his-password-1.5875366 </p><p>&#179;https://au.finance.yahoo.com/news/man-has-two-more-chances-before-232-million-is-lost-forever-222045101.html</p><p>&#8308;https://decrypt.co/36210/researcher-finds-more-of-satoshi-nakamotos-lost-bitcoin-fortune</p><p>&#8309;https://futurism.com/growing-suspicion-crypto-ceo-faked-death</p></blockquote><div><hr></div><p><a href="https://www.ncsc.gov.ie/pdfs/NCSC_NIS2_Guide.pdf">NIS 2 Quick Reference Guide</a> by the Irish NCSC</p><blockquote><p>The document provides a quick reference for &#8220;Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).&#8221; That really is the full name of the NIS 2 directive!<br><br>For those not familiar with NIS 2, it's an EU directive focused on organisations deemed critical national infrastructure. It adds regulatory compliance requirements for those organisations. 
Compliance is expected by 17th October 2024.</p><p><strong>So What?</strong></p><p>If you&#8217;re preparing for, or subject to, NIS 2, this is a really useful reference to create a high level plan.</p></blockquote><div><hr></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://www.munrobotic.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading &#8216;Briefly Briefed:&#8217; - To receive the newsletter on a weekly basis, please subscribe below. </p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>]]></content:encoded></item><item><title><![CDATA[Briefly Briefed: Newsletter #7 (19/10/23)]]></title><description><![CDATA[Set condition one throughout the ship!]]></description><link>https://www.munrobotic.com/p/briefly-briefed-newsletter-7-191023</link><guid isPermaLink="false">https://www.munrobotic.com/p/briefly-briefed-newsletter-7-191023</guid><dc:creator><![CDATA[Lawrence Munro]]></dc:creator><pubDate>Thu, 19 Oct 2023 11:03:46 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/e38672f2-6cbf-4a77-8581-48861bb67591_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Set condition one throughout the ship!</p><p>This is week #7 of the &#8216;Briefly Briefed:&#8217; newsletter. Humble thanks for your continued interest. </p><p>It&#8217;s Cybersecurity awareness month; just in case you have forgotten! 
Please remember to: run an extra tricky phishing simulation, add 20% moar cyberz to your company website and bore your friends and relatives with how important MFA is.</p><p>My two &#8216;must-read&#8217; recommendations for the week are:</p><ul><li><p>Ross Haleliuk&#8217;s deep dive into the &#8216;Great CISO resignation.&#8217; It&#8217;s a heavy read, but made a great attempt to mine the data supporting his argument. The results are imperfect, but it balances some of the bluster in the industry press. </p></li><li><p>The white paper &#8220;The impact of founder personalities on start-up success.&#8221; If you&#8217;re a leader or start-up founder, I think you&#8217;ll find it an insightful read.</p></li></ul><p>So say we all.</p><p>Lawrence</p><p><strong>Funny Cyber Quote || Meme of the Week:</strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!uV0q!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F76d4c2c1-a058-441f-a989-ddced3111cff_1170x1379.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!uV0q!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F76d4c2c1-a058-441f-a989-ddced3111cff_1170x1379.jpeg 424w, https://substackcdn.com/image/fetch/$s_!uV0q!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F76d4c2c1-a058-441f-a989-ddced3111cff_1170x1379.jpeg 848w, https://substackcdn.com/image/fetch/$s_!uV0q!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F76d4c2c1-a058-441f-a989-ddced3111cff_1170x1379.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!uV0q!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F76d4c2c1-a058-441f-a989-ddced3111cff_1170x1379.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!uV0q!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F76d4c2c1-a058-441f-a989-ddced3111cff_1170x1379.jpeg" width="354" height="417.2358974358974" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/76d4c2c1-a058-441f-a989-ddced3111cff_1170x1379.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1379,&quot;width&quot;:1170,&quot;resizeWidth&quot;:354,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;diagram&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="diagram" title="diagram" srcset="https://substackcdn.com/image/fetch/$s_!uV0q!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F76d4c2c1-a058-441f-a989-ddced3111cff_1170x1379.jpeg 424w, https://substackcdn.com/image/fetch/$s_!uV0q!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F76d4c2c1-a058-441f-a989-ddced3111cff_1170x1379.jpeg 848w, https://substackcdn.com/image/fetch/$s_!uV0q!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F76d4c2c1-a058-441f-a989-ddced3111cff_1170x1379.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!uV0q!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F76d4c2c1-a058-441f-a989-ddced3111cff_1170x1379.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div>
<div><hr></div><p><a href="https://www.nature.com/articles/s41598-023-41980-y">"The impact of founder personalities on start-up success" an interesting white paper</a> by Paul X. McCarthy et al.</p><blockquote><p>In an extensive study undertaken by a multidisciplinary team of academics, the role of founders' personalities in start-up success has been highlighted as remarkably influential. The research analysed over 21,000 global start-ups using AI algorithms and the "five-factor" psychology model. It revealed that entrepreneurs possess distinct combinations of personality traits, such as a penchant for risk-taking, networking, and relentless energy, which are essential for start-up success. The study identifies six key founder personality types&#8212;Leader, Accomplisher, Operator, Developer, Fighter, and Engineer&#8212;each with its unique blend of traits. Moreover, the study found that start-ups led by a diverse blend of these personalities are 8 to 10 times more likely to succeed. The paper demonstrates that while products and market interest remain important, the 'secret sauce' to start-up success appears to be significantly influenced by the personalities at the helm.</p><p><strong>So What?</strong></p><p>It&#8217;s great to see legitimate research in this area, and not a pithy op-ed in the WSJ. The paper has broader applicability to leadership in general, and is a useful tool for reflection on &#8216;style&#8217;. The key takeaway for me is the importance of creating a balanced leadership style and developing your weaker areas. It&#8217;s tempting to disconnect your work persona from your core personality, either as a protective mechanism or to project a more positive image. 
Authenticity (or lack thereof) is easier to recognise than we can sometimes lead ourselves to believe.</p></blockquote><div><hr></div><p><a href="https://www.opencompute.org/blog/open-compute-project-tackles-data-center-hardware-and-firmware-security">The Open Compute Project (OCP) has launched a program called &#8216;Security Appraisal Framework and Enablement&#8217; (S.A.F.E.) to enhance the security of data centre IT infrastructure</a></p><blockquote><p>The Open Compute Project (OCP) has launched a program called &#8216;Security Appraisal Framework and Enablement&#8217; (S.A.F.E.) to enhance the security of data centre IT infrastructure by standardising the security audit process for hardware and firmware. This aims to reduce the costs and redundancies associated with device security audits, and is supported by notable industry players including Google, Microsoft, and Intel. This collaborative effort aims to advance the security posture of device hardware and firmware across the supply chain, reflecting a community-driven approach to tackle security challenges in data centre operations.</p><p><strong>So What?</strong></p><p>This is a great initiative, backed by some well-resourced organisations. It&#8217;s especially pertinent at the moment, given the uptick in legislative interventions we&#8217;re seeing in developed nations. Many governments are transitioning (or considering transitioning) a broader sub-set of datacentres to CNI. Frameworks like SAFE can support these efforts. One of the challenges the framework addresses is a lack of specificity and rigour in frameworks like ISO27001. Within traditional ISMSs, there are significant gaps in: implementation, transparency (to clients) and validation of technical controls. In general, I&#8217;m a strong proponent of increased regulation in this space, and these types of initiatives provide additional support. 
Kudos.</p></blockquote><div><hr></div><p><a href="https://ventureinsecurity.net/p/the-great-ciso-resignation-isnt-what">The 'great CISO resignation' isn&#8217;t what it looks like: a hype-free, data-driven, in-depth look at the evolution and challenges of security leaders</a> by Ross Haleliuk</p><blockquote><p>The article primarily looks at US Fortune 500 CISOs (but does consider some other segments) in order to challenge whether the 'Great CISO resignation' is a real phenomenon, or not. Ross' data show that the average tenure of a CISO in Fortune 500 companies stands at 4.5 years, with a median value of 3.6 years. This is not significantly shorter than the average tenures observed for CEOs or other top executives, particularly when the data are adjusted for other variables like industry and age. According to the post (taking secondary data from a recruitment consultancy) CEOs average a tenure of 6.9 years, while other executive roles in evolving fields like the CMO and CHRO average around 3.5 to 3.7 years, respectively. The data appear to challenge the prevailing belief in a retention crisis for security leaders.</p><p><strong>So What?</strong></p><p>Ross has taken a great crack at a really difficult issue to quantify. The data utilised to support the original hypothesis were not as rigorous and have largely come from surveys related to job satisfaction. While he acknowledges the limitations in his methodology (really well), I'd still challenge that the F500 isn't representative of the broader landscape. A key element, which skews the data (IMO), is the (increasing) salary gap between top-end CISOs and the rest (<a href="https://www.theregister.com/2023/10/11/cisos_salary_growth_slows/">IANS recently released a survey showing this</a>). It's unlikely F500 CISOs would retain salary parity moving to vCISO roles vs. those down the stack (one of the key trends contested) or feel the pressure to move quickly. 
Therefore, I think it may be a stretch to extrapolate and difficult to avoid specious conclusions. That said, anecdotally, I do see similar patterns to what Ross describes and feel this could be a storm brewing, rather than a current trend.</p></blockquote><div><hr></div><p><a href="https://cybercto.substack.com/p/chinese-cyber-resources-for-western">Chinese Cyber: Resources for Western Researchers</a> from Ollie Whitehouse</p><blockquote><p>Ollie runs the <a href="https://www.reddit.com/r/blueteamsec/">r/blueteamsec</a> subreddit and publishes a newsletter called &#8216;<a href="https://bluepurple.binaryfirefly.com/p/bluepurple-pulse-week-ending-october-73c">bluepurple</a>&#8217;. Both focus on threat intelligence and nation state level cyber activity. This post aggregates his primary sources for intelligence gathering on China. </p><p><strong>So What?</strong></p><p>If you&#8217;re not in a role that requires this much detail relating to Chinese Cyber activities, you&#8217;ll likely find this too much. However, if you&#8217;re a likely target or responsible for elements of CTI, this is a goldmine!</p></blockquote><div><hr></div><p><a href="https://isitlegaltopay.com/">An interactive map, showing where it&#8217;s il/legal to pay a ransom in an extortion event</a> by Ryan Kovar</p><blockquote><p>This is a really interesting resource giving a high-level overview (going to State level in the US) of legislative interventions for ransomware payments. </p><p><strong>So What?</strong></p><p>This resource should be considered indicative, and you should always consult legal representatives and your cyber insurance provider before taking any action. However, this provides a useful snapshot of the landscape.</p></blockquote><div><hr></div><p><a href="https://www.theregister.com/2023/10/13/can_open_source_be_saved/">&#8220;Can open source be saved from the EU's Cyber Resilience Act?&#8221;</a> by Steven J. 
Vaughan-Nichols</p><blockquote><p>The European Union's Cyber Resilience Act (CRA) aims to enhance cybersecurity by setting stringent criteria for digital goods sold within the EU. While well-intended, the CRA poses significant challenges for open source software development. Software creators are mandated to secure their products, address security flaws, and publish updates. While this is laudable in principle, the CRA is burdensome for open-source developers, including those outside the EU. Individual and non-profit developers could be exempted, but those accepting recurring donations from commercial entities would likely need to comply with CRA requirements. A possible amendment may exclude projects with a fully decentralised development model (let&#8217;s see!). Compliance requires providing risk assessments, documentation, and reporting security vulnerabilities within 24 hours to the European Union Agency for Cybersecurity. Critics argue that the CRA fails to understand the unique structure of the open-source community, thereby inadvertently stifling innovation.</p><p><strong>So What?</strong></p><p>I tend to agree with the article&#8217;s perspective on the draft legislation. I believe this will stifle Open Source projects, although I&#8217;m perplexed as to how they will enforce it at the scale required. I don&#8217;t really have much to add, let&#8217;s see how this plays out.</p></blockquote><div><hr></div><p><a href="https://www.nccgroup.com/uk/where-is-cyber-policy-headed-in-the-uk/">Where is Cyber Policy Headed in the UK? A report back from the 2023 political party conferences</a> by Verona Johnstone-Hulse and Kat Sommer</p><blockquote><p>With a UK general election on the horizon, NCC Group&#8217;s Government Affairs team recently attended annual conferences for both the Conservative and Labour parties to gauge their stances on cybersecurity. 
Both parties view technology as instrumental for their respective government agendas but differ on regulatory frameworks. The Conservatives advocate for an 'enabling' government to harness tech for growth and national security. They favour a principles-based approach to regulation for increased agility. Labour aims to support thriving regional tech economies and will retain key laws like the Online Safety Bill unless they fail to meet objectives. AI emerged as a significant topic, with both parties acknowledging its promise and peril. International considerations were also prominent, including differing perspectives on the UK&#8217;s role in global technology standards and alliances. The focus on technology and cybersecurity across the political spectrum highlights its centrality in future governance and regulation.</p><p><strong>So What?</strong></p><p>A lot hinges on next year&#8217;s election in the UK, especially in terms of the direction of travel for &#8216;Science and Technology.&#8217; It does seem that both [major] parties are taking this seriously, and I&#8217;d hope to see continued investment in DSIT and various other initiatives within this space. AI is obviously taking centre stage.</p></blockquote><div><hr></div><p><a href="https://cloud.google.com/blog/products/ai-machine-learning/protecting-customers-with-generative-ai-indemnification">Google Cloud has introduced a two-pronged indemnification strategy concerning its generative AI services</a> by Neal Suggs and Phil Venables</p><blockquote><p>&#8220;If you are challenged on copyright grounds, we will assume responsibility for the potential legal risks involved.&#8221;<br><br>The first indemnity relates to the training data used by Google, providing intellectual property indemnity against third-party claims. The second indemnity covers the generated output created by customers, offering protection against third-party intellectual property claims, conditional on responsible AI usage. 
The indemnities extend to various Google Cloud services and are designed to address potential legal risks. Full terms can be found <a href="https://cloud.google.com/terms/service-terms">here</a>.</p><p><strong>So What?</strong></p><p>This is interesting to see, and it&#8217;s certainly a positive step by Google Cloud. I have to admit, my first thought was &#8216;I wonder what happened to trigger this!&#8217; when I read it. This is definitely a welcome step forward, and acknowledges the need for greater control, transparency and consideration of legal implications in LLMs, and other &#8216;black box&#8217; data models. From a risk management standpoint, I felt my cockles warmed, albeit only slightly.</p></blockquote><div><hr></div><p><a href="https://docs.aws.amazon.com/prescriptive-guidance/latest/vulnerability-management/introduction.html#intended-audience">AWS has created a new guide: "Building a Scalable Vulnerability Management Program on AWS"</a></p><blockquote><p>The guide provides comprehensive information on creating a structured vulnerability management programme in a cloud environment, focusing on both traditional and cloud-specific security challenges.<br><br>Targeted Outcomes:<br><br>- Develop policies to streamline vulnerability management and maintain accountability.<br>- Establish mechanisms to extend security responsibilities to application teams.<br>- Configure AWS services based on best practices for scalable vulnerability management.<br>- Identify patterns for routing security findings within a shared responsibility model.<br>- Report on and continually refine your vulnerability management programme.<br>- Enhance security finding visibility to improve overall security posture.</p><p><strong>So What?</strong></p><p>As much as I think AWS is a great platform, they&#8217;ve been lacking a &#8216;killer&#8217; security product (vs. Microsoft and Google) for a long time. 
However, I do appreciate the latest wave of guidance for enabling native cloud security. I think AWS are going the extra mile to support operationalisation of security in their environment, with this and other recent guidance. I hope they do similar for other fundamental areas too.</p></blockquote><div><hr></div>]]></content:encoded></item></channel></rss>