Briefly Briefed: Newsletter #14 (07/12/23)
Hello there, shiny people.
This is week #14 of the ‘Briefly Briefed:’ newsletter. A big welcome to new subscribers, and many thanks to those who continue to read. I’m (intentionally) releasing this week’s newsletter later than usual, as I’ve been at Black Hat Europe this week. It’ll be back in its normal Wednesday slot next week.
My ‘if you only read two’ recommendations for the week are:
European Repository of Cyber Incidents by EuRepoC
If you can't do something smart, do something right.
Meme of the Week:
The blog post introduces a series on using the MITRE ATT&CK framework for Incident Response Teams. It emphasises translating incident reports into standardised MITRE ATT&CK terms to improve clarity and consistency in communication. The post details a process in which adversary activities described in a report are identified and translated into specific ATT&CK (sub)techniques. This approach aims to provide a uniform language for describing cyber incidents, aiding better understanding and response. The series intends to demonstrate the benefits of this method in incident reporting and its potential applications in broader contexts such as cyber threat intelligence and security exercises.
It’s good to see Check Point producing this type of content; I’d imagine it’s connected to the MSSP program they launched in October. The post is quite simple, but appears to be the first in a series discussing how to utilise ATT&CK to standardise response. I’ll be keeping an eye out for subsequent posts.
Introducing Secret Code for Chat Lock by WhatsApp
The post introduces a new feature called ‘secret code’ for the Chat Lock function. Chat Lock was previously launched to help users secure sensitive conversations. The secret code adds an extra layer of security, allowing users to set a unique password that differs from their phone's unlock code. This enhances privacy for locked chats. Additionally, users can choose to hide the Locked Chats folder from their chat list, making it accessible only by entering the secret code in the search bar. Users who prefer visibility can still have the folder appear in their chat list.
The process of locking new chats has been simplified; users can now long-press a chat to lock it, rather than adjusting settings within each chat. Secret code started rolling out on 30th November and will be globally available in the coming months; the feature has been well received by the community.
If you need to use WhatsApp due to ‘human-compatibility issues’ (your non-Cyber friends and family won’t download Signal) this is quite a nice feature to add additional privacy and security. Bear in mind what it is, though: a lock inside an app on a phone that is already unlocked. It stops someone you’ve handed your phone to from scrolling through a sensitive chat; it does nothing against a compromised device or a forensic extraction of the handset.
The article provides an update on Palo Alto Networks' (PANW) journey towards becoming a heavyweight cybersecurity company. Originally a company specialising in on-premises firewall security, PANW has developed significantly under the leadership of CEO Nikesh Arora since 2018. The company now delivers a comprehensive cybersecurity platform, broadening its scope to include network security, cloud security, and the Cortex Security Operations Centre (SOC) platform. This growth has led to PANW generating over $3.2 billion in Annual Recurring Revenue (ARR) from next-generation security products, accounting for nearly 40% of its revenue.
PANW's strategy centres on platform consolidation in the fragmented cybersecurity market. Rather than simply consolidating vendors for cost-saving purposes, PANW's approach of ‘platformisation’ integrates products to improve security outcomes and add value. The strategy’s success is reflected in their financial results, demonstrating strong growth and notable market share increases in comparison to their competitors.
The article emphasises PANW's achievements in various market segments, particularly in the SASE market with over $1 billion in ARR, and the Cortex SOC business reaching $1 billion in bookings.
I agree with the assessment in this post; it’s been interesting to watch Palo Alto grow and their strategy develop. As I’ve mentioned in other posts, I think this is undoubtedly due to needing to compete with Microsoft, and the disconnected nature of point solutions and heterogeneous tech ecosystems. The post is extremely well researched, so if you’re interested in the business side of Cybersecurity, this is a must-read, as it unpicks PANW’s strategy really well.
European Repository of Cyber Incidents by EuRepoC
The European Repository of Cyber Incidents (EuRepoC) is an independent research consortium dedicated to better understanding the cyber threat environment in the European Union and beyond. Launched in November 2022, their key objectives are to promote data-driven discussions and policymaking within the field of cyber security and raise awareness of cyber security threats. They seek to achieve this by providing an analytical framework for assessing and comparing the ‘life cycle’ of cyber incidents, focusing on technical, political and legal aspects.
The repository itself is a queryable data source of worldwide cyber incidents.
There are a lot of different ways to explore the data on the site, with a two-minute video on the homepage walking you through it. The table view on the dashboard provides the most accessible view for research. This is really useful if you’re building risk and threat models and want to derive ‘what if’ scenarios from real-world incidents. Building table-top exercises around incidents recorded in the database is also a nice use case.
State of Cloud Security by DataDog
The report analyses the security posture of thousands of organisations using AWS, Azure, or Google Cloud. It focuses on common risks that often lead to cloud security incidents.
The conclusion indicates improvements in security posture across these cloud environments. This progress is attributed to cloud providers offering more secure defaults, the adoption of solutions that scan for insecure configurations, and increased general awareness of cloud security risks. Issues like long-lived credentials, insufficient MFA adoption, and excessive privileges are hard to detect and fix. The report suggests that continuously scanning for misconfigurations and promptly addressing these issues are crucial strategies for enhancing cloud security, thereby preventing breaches and allowing developers to continue producing software efficiently. A summary of the key ‘facts’ is shown below:
Long-Lived Credentials Continue to be a Risk.
MFA for Cloud Access is Not Sufficiently Enforced.
In AWS, IMDSv2 is Still Widely Unenforced, but Adoption is Rising.
Adoption of Public Access Blocks in Cloud Storage Services is Increasing.
A Substantial Portion of Cloud Workloads are Excessively Privileged.
Many Virtual Machines Remain Publicly Exposed to the Internet.
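Three of the findings above (long-lived credentials, missing MFA, IMDSv1 still allowed) can be checked from data you already have without buying a CSPM. The following is an added example of mine, not code from the Datadog report: it runs offline against constructed inputs shaped like the IAM credential report CSV and the EC2 DescribeInstances response. The 90-day key-age threshold, the account ID, user names and instance IDs are all assumptions for the demo.

```python
"""
Offline posture checks for three of the report's findings:
  - active IAM access keys older than a rotation threshold,
  - console-enabled users (and root) without an MFA device,
  - EC2 instances whose metadata endpoint is enabled but does not require IMDSv2.
Inputs are constructed to mirror the real AWS formats; no AWS calls are made.
"""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # assumed policy threshold, not a figure from the report

# Constructed credential-report excerpt. Column names follow the real IAM
# credential report; the account, users and timestamps are made up.
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2019-01-04T10:00:00+00:00,not_supported,2023-11-30T08:12:00+00:00,not_supported,not_supported,false,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-01T09:00:00+00:00,true,2023-12-01T07:30:00+00:00,2023-09-15T09:00:00+00:00,2023-12-14T09:00:00+00:00,true,true,2023-10-20T09:00:00+00:00,2023-12-05T11:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2020-06-10T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-06-10T09:05:00+00:00,2023-12-06T02:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-01-20T09:00:00+00:00,true,2023-12-04T13:00:00+00:00,2023-11-01T09:00:00+00:00,2024-01-30T09:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
"""

# Constructed DescribeInstances excerpt containing only the fields the check reads.
INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa111", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
        {"InstanceId": "i-0bbb222", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
        {"InstanceId": "i-0ccc333", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
    ]}]
}

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) for real runs.
NOW = datetime(2023, 12, 7, 12, 0, tzinfo=timezone.utc)


def _parse_ts(value):
    """Credential report uses N/A / not_supported / no_information for missing dates."""
    if value in ("N/A", "not_supported", "no_information"):
        return None
    return datetime.fromisoformat(value)


def stale_access_keys(report_csv, now=NOW, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, key_slot, age_in_days) for every active key older than the threshold."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age = (now - rotated).days
            if age > max_age_days:
                findings.append((row["user"], slot, age))
    return findings


def console_users_without_mfa(report_csv):
    """Users who can sign in to the console (root is always counted) but have no MFA device."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        console = row["password_enabled"] == "true" or row["user"] == "<root_account>"
        if console and row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings


def imdsv1_allowed(describe_instances):
    """Instances whose metadata endpoint is enabled but does not require IMDSv2 session tokens."""
    bad = []
    for reservation in describe_instances["Reservations"]:
        for inst in reservation["Instances"]:
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                bad.append(inst["InstanceId"])
    return bad


def run_all():
    return {
        "stale_keys": stale_access_keys(CREDENTIAL_REPORT),
        "no_mfa": console_users_without_mfa(CREDENTIAL_REPORT),
        "imdsv1": imdsv1_allowed(INSTANCES),
    }


if __name__ == "__main__":
    for check, hits in run_all().items():
        print(f"{check}: {hits}")
```

For a real account, `aws iam generate-credential-report` followed by `aws iam get-credential-report` gives you the CSV (base64-encoded in the `Content` field), and `aws ec2 describe-instances` the instance JSON. An instance flagged by the IMDS check is fixed in place with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-endpoint enabled`; the ci-deploy style finding is the classic long-lived key and is usually better replaced with a role than rotated.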
Despite the report being quite high-level, it provides good awareness of the most common (and impactful) mistakes organisations are making with cloud platforms. I really like that the researchers share their methodology in some detail at the end of the report.
Security Navigator 2024: Research-driven insights to build a safer digital society by Orange Cyberdefense
The Security Navigator, issued by Orange Cyberdefense, offers insights from their standpoint as a significant player in cyber security and part of a worldwide telecom operator. The report highlights that this year has witnessed crucial changes, with geopolitical unrest affecting the recovery post-COVID and the digital realm turning into a battleground for state-supported groups and political activists. The focus of cyber attacks has shifted from financial gain to destruction, leading to a turbulent threat landscape.
The report also notes an increase in cyber extortion, particularly in the EMEA and Asia Pacific regions, with small and medium enterprises increasingly being targeted.
In particular, I liked the OT section (by Ric Derbyshire) and I appreciated the linkage to his high-quality research presenting ‘Dead Man’s PLC’ (check it out if you’re interested in OT security). Overall, as perennial corporate wrap-ups go, there is a lot of useful content in here and it’s high quality across the board. My only criticisms are that it’s VERY long, and (somewhat ironically) it’s quite difficult to Navigate, because topics you’d expect to find together are scattered across the document.
Virtual Meeting Fatigue: Exploring the Impact of Virtual Meetings on Cognitive Performance and Active Versus Passive Fatigue by Niina Nurmi and Satu Pakerinen
The paper explains how Zoom fatigue is not burnout. It’s ‘boreout’. The new study posits that when meetings are virtual, we’re not overwhelmed—we’re under-stimulated. Cardiac measures show drowsiness, not stress. The antidotes are common sense but not common practice: fewer, shorter, more interactive online meetings.
A useful thing to know. Sometimes we need to hear the obvious to take action on what we already know to be true.
A federal judge in Montana has temporarily blocked a state law that sought to ban TikTok. This law, unique in attempting a complete ban of a specific app within a state, has been criticised for overstepping state power and potentially violating the First Amendment. Judge Donald Molloy highlighted that the law seemed more focused on anti-China sentiment than protecting consumers. He also noted that Montana lacks authority in foreign affairs and found the national security case against TikTok unconvincing. TikTok, owned by Beijing-based ByteDance, has faced scrutiny over concerns of sensitive data being shared with Chinese authorities or being used for propaganda, but there is no public proof of this. TikTok sued Montana, arguing the ban suppresses free speech and lacked solid evidence. The case continues as states and the federal government debate TikTok's future, with national security experts viewing it as part of broader U.S.-China tensions. TikTok has tried to address concerns by storing U.S. data on servers managed by Oracle and limiting China-based employees' access to this data.
I won’t comment on this for work reasons, but it will be interesting to see how this plays out.
The European Commission has hailed a recent political accord on the Cyber Resilience Act, a law aimed at boosting the cybersecurity of all digital products within the EU, from hardware like baby monitors to software such as computer games. The Act requires products to meet cybersecurity standards, with less than 10% needing third-party evaluation.
Key to the Act is the stipulation that every digital product sold in the EU must be cyber secure, evidenced by a CE marking. Manufacturers are now obligated to ensure cybersecurity from product design to post-market, including providing security updates for years after sale. This increases manufacturer transparency and empowers consumers with safer choices.
Pending formal approval by the European Parliament and Council, the Act enters into force 20 days after its publication in the Official Journal. Manufacturers, importers, and distributors then have 36 months to comply with the main obligations, with the reporting duties (for actively exploited vulnerabilities and severe incidents) applying after 21 months.
This is great news, and a significant step forward in enhancing Cybersecurity across the EU (and more broadly). By setting comprehensive standards for digital products, from hardware to software, it raises the baseline level of security in consumer products.
The Act places a very welcome emphasis on manufacturer responsibility, requiring them to consider cybersecurity at every stage of a product's life cycle, including after-sale support.
I’m not a fan of over-legislating, but there comes a point where it’s the only tool left in the box.
The Chaos at OpenAI is a Death Knell for AI Self-Regulation by Eugenia Lostri, Alan Z. Rozenshtein, Chinmayi Sharma (Lawfare)
The article discusses the recent upheaval at OpenAI, highlighting it as a sign that AI self-regulation is unfeasible. Key events include the firing and rehiring of CEO Sam Altman, tensions between OpenAI’s original mission of cautious AI development and its shift towards commercialisation, and conflicts between those advocating rapid deployment of AI technologies and those urging caution due to potential risks. This turmoil, intensified by OpenAI’s complex corporate structure and its partnership with Microsoft, raises concerns about the effectiveness of industry self-governance in AI. The article suggests that government regulation might be necessary to ensure responsible AI development.
The authors of this post may be sensationalising the OpenAI saga somewhat. It was certainly dramatic and impactful, but I believe we’re going to see significant regulatory intervention either way. In fact, it’s mostly underway.
AWS Security controls mappings to MITRE ATT&CK by MITRE Center for Threat Informed Defense
The project empowers organisations with independent data on which native AWS security controls are most useful in defending against the adversary TTPs that they care about. It achieves this by mapping security capabilities of AWS to the ATT&CK techniques that they can protect, detect, or respond to. This will allow organisations to make threat-informed decisions when selecting which native security capabilities to use to protect their workloads.
This is really useful; I didn’t realise that it was somewhat hidden away and that not everyone had come across it. The mapping supports a move toward continuous control monitoring and automated risk and threat modelling. One of the big challenges in the GRC world is the disconnect between policy, standards and technical controls. Being able to standardise the way you represent a TTP and map threats to controls in a consistent way is super important.
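The two ideas sit together neatly: the Check Point series turns a narrative report into ATT&CK IDs, and the CTID mapping tells you which native controls cover those IDs. The following is an added example of mine, not code from either project, that does both end to end: it tags a constructed incident narrative with (sub)technique IDs using keyword rules, checks them against a control-to-technique mapping, and emits an ATT&CK Navigator layer you can load to see the gaps. The technique IDs are real ATT&CK identifiers, but the phrase patterns, the narrative and the control mapping are all constructed for illustration; in practice you would load the Center for Threat-Informed Defense mapping files rather than the toy dictionary here.

```python
"""
Incident narrative -> ATT&CK (sub)technique IDs -> native-control coverage -> Navigator layer.
Everything below is illustrative: the technique IDs are real, the rules and mapping are not
the CTID project's data.
"""
import json
import re

# Constructed phrase -> technique rules. IDs are real ATT&CK identifiers; the
# patterns are an assumption of what a report might say.
RULES = [
    (r"phishing e-?mail.*attachment|malicious attachment", "T1566.001"),  # Spearphishing Attachment
    (r"powershell",                                       "T1059.001"),  # PowerShell
    (r"dump(ed|ing)? (lsass|credentials)",                "T1003.001"),  # LSASS Memory
    (r"\brdp\b|remote desktop",                           "T1021.001"),  # Remote Desktop Protocol
    (r"valid (domain )?(credentials|account)",            "T1078"),      # Valid Accounts
    (r"uploaded\b.*\b(mega|dropbox|cloud storage)\b",     "T1567.002"),  # Exfiltration to Cloud Storage
    (r"encrypt(ed|ing) (files|servers|data)",             "T1486"),      # Data Encrypted for Impact
]

# Constructed control mapping in the spirit of the CTID AWS project: control name ->
# {technique: capability}. The service names are real; the assignments are illustrative only.
CONTROL_MAP = {
    "Amazon GuardDuty": {"T1078": "detect", "T1567.002": "detect"},
    "AWS IAM":          {"T1078": "protect"},
    "AWS Config":       {"T1021.001": "detect"},
}

# Constructed incident narrative in the style of a post-incident report.
REPORT = """
The intrusion began when a finance employee opened a phishing email with a
malicious attachment. The attacker launched PowerShell to stage tooling and
dumped LSASS to obtain credentials. Using valid domain credentials they moved
laterally over RDP to the file servers. Data was uploaded to MEGA before the
actor began encrypting files across the estate.
"""


def extract_techniques(text):
    """Return {sentence: [technique IDs]} for every sentence that matches at least one rule."""
    tagged = {}
    for sentence in re.split(r"(?<=[.!?])\s+", " ".join(text.split())):
        hits = [tid for pattern, tid in RULES if re.search(pattern, sentence, re.I)]
        if hits:
            tagged[sentence] = hits
    return tagged


def observed_ids(tagged):
    """Flatten the per-sentence tags into a sorted, de-duplicated list of technique IDs."""
    return sorted({tid for ids in tagged.values() for tid in ids})


def coverage(technique_ids, control_map):
    """For each observed technique, the controls that protect against or detect it (empty = gap)."""
    cover = {}
    for tid in technique_ids:
        cover[tid] = sorted(
            f"{control} ({capability})"
            for control, techniques in control_map.items()
            for technique, capability in techniques.items()
            if technique == tid
        )
    return cover


def gaps(cover):
    """Observed techniques with no mapped native control: what the IR and CTI teams escalate."""
    return sorted(tid for tid, controls in cover.items() if not controls)


def navigator_layer(cover, name="Incident (constructed example)"):
    """Build an ATT&CK Navigator layer: score 2 = observed and covered, 1 = observed with no control."""
    techniques = [
        {
            "techniqueID": tid,
            "score": 2 if controls else 1,
            "comment": "; ".join(controls) or "no mapped native control",
        }
        for tid, controls in sorted(cover.items())
    ]
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#8ec843"], "minValue": 1, "maxValue": 2},
    }


if __name__ == "__main__":
    tagged = extract_techniques(REPORT)
    cover = coverage(observed_ids(tagged), CONTROL_MAP)
    print("gaps:", gaps(cover))
    print(json.dumps(navigator_layer(cover), indent=2))
```

Keyword rules are the weakest link here; they are fine for a newsletter demo and for a first pass over your own report templates, but a real pipeline needs an analyst to confirm each tag. The payoff is the layer file: drop it into Navigator and the red cells are the techniques you were hit with and had no native control for, which is exactly the conversation the ATT&CK mapping is meant to start.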
The Hidden Opponent: Cyber Threats in Sport by NCC Group
The aim of the report is to help organisations and individuals involved in the world of sport to understand their levels of cyber security vulnerability and exposure against the ever-evolving technology and threat landscape. Moreover, the report guides sports organisations and athletes towards practical advice to reduce cyber security risks, thus protecting their brand reputation, data confidentiality, system integrity, and asset availability. The report is underpinned by qualitative and quantitative research performed by a team of researchers from the University of Oxford’s Researcher Strategy Consultancy, in collaboration with global cyber security and risk mitigation experts NCC Group, and Phoenix Sport & Media Group.
This won’t be relevant to everyone, but it’s an interesting read irrespective of your operating sector. The CTI relating to the most recent attacks is particularly interesting, as some of them weren’t covered in as much detail in the industry press at the time.
Black Hat Europe Talk: Industrialising Cyber Defence in an Asymmetric World by Ollie Whitehouse
Ollie's keynote focused on the increasing complexity and impact of cyber-attacks, emphasising the need for preparedness in an asymmetric cyber world. He highlighted that attackers' brazenness, improving technical skills, and operational sophistication pose significant challenges. The talk stressed the difficulty in coping with sustained attacks, especially when attackers can resort to extreme tactics upon discovery.
Key issues included the ongoing struggle with technology volume, security features being optional rather than standard, and the rapid pace of digital transformation. Ollie highlighted that access to security data is limited, creating knowledge asymmetry. He posited that the problem is compounded by linear scaling limitations and the high level of technical debt in existing systems.
His closing thoughts, in summary, were:
Impose cost (on adversaries)
Build evidenced resilience
Prepare for when
For those who weren’t at Black Hat, I believe they will put this talk online after a short period of time. It’s worth a watch.
In typical Ollie fashion, he hit the key points hard and delivered a good one-two punch to vendors concurrently. I agreed with the majority of the talk, and felt it was well constructed and researched (as you’d expect). However, I did disagree on the approach to applying pressure to vendors to include ‘security features as standard’ (or to paraphrase Ollie, seatbelts at no extra cost) within their products. His (NCSC’s) position is to encourage organisations to band together and refuse to pay, with the example of CNI organisations cited as a credible cohort to attempt this. While I do agree that consumer pressure is an important lever to pull, as we’ve seen countless times, security only happens when there’s a proper incentive. I’m not sure that this is. The approach could trigger an exception for CNI (and that’s not at all a bad thing), but I’m not convinced this will trigger a cascade and suddenly Microsoft will un-grey all the E5 security goodies and Salesforce will trim the extra ~$400k they want to switch on proper logging. Legislative interventions like the EU Cyber Resilience Act could be more reliable vehicles.
Thanks for reading ‘Briefly Briefed:’ - To receive the newsletter on a weekly basis, please subscribe below.