Briefly Briefed: Newsletter #21 (01/02/24)
"Never hate your enemies. It affects your judgment."
This is week #21 of the ‘Briefly Briefed:’ newsletter. A big welcome to new subscribers, and many thanks to those who continue to read.
My ‘if you only read two’ recommendations for the week are:
Leadership Transitions - 10 Steps for Success by Phil Venables
Notorious Spyware Maker NSO Group Is Quietly Plotting a Comeback by Vas Panagiotopoulos
"Leave the gun. Take the cannoli."
Lawrence
Meme of the Week:
Cybersecurity Incident Tracker by Board Cybersecurity
This webpage provides a tracker for cybersecurity incidents reported in entities' 8-K filings. It lists recent cybersecurity incidents disclosed by various companies, including details such as disclosure dates, the companies involved, and brief descriptions of the incidents. The tracker aims to offer up-to-date information on cybersecurity breaches and incidents, highlighting their impact on the affected companies without delving into detailed analyses of each incident.
So What?
This is a useful resource for tracking breach filings for public listed companies (operating in the US). The traction that the SEC filing changes has gained will hopefully lead to increased awareness and pressure on boards to make significant investment into cybersecurity. Some analysts are already crediting this change for the uptick in predicted cybersecurity spend for 2024.
Rook to XSS: How I Hacked Chess.com with a Rookie Exploit by Jake
This article details how the author discovered and exploited a Cross-Site Scripting (XSS) vulnerability on Chess.com using a clever manipulation of image upload functionality. The exploit involved tricking the site into executing malicious JavaScript through crafted image attributes, demonstrating the potential for security breaches even on well-regarded platforms. The author's methodical approach showcases the importance of thorough security measures in web development, particularly regarding user-generated content and the handling of rich text editors.
So What?
This is a really nice write-up, with a lot of detail. If you’re interested in novel XSS or more broadly in understanding modern web attacks, this is pretty cool. What’s extra interesting, is that Jake is purportedly only 17. If this is accurate, he’s one to watch, this is a really detailed and mature post. I tried to track him down to say ‘good job’ and connect him with some consultancies to help him get an apprenticeship (it says he’s looking in his ‘about’), but the GitHub projects he purports to work on don’t seem to include his contributions. *shrug* probably someone’s attempt at anonymity *shrug*
Special Report: CISOs Report Rising Budgets for 2024 by NightDragon
This report highlights a significant increase in cybersecurity budgets as Chief Information Security Officers (CISOs) globally respond to escalating cyber threats. An anonymous survey conducted by NightDragon Advisors revealed that nearly 80% of CISOs experienced budget increases in 2023, with expectations of continued growth in 2024. This trend underscores the expanding role and responsibility of CISOs in safeguarding digital and physical systems amidst rising cyberattacks and geopolitical tensions. The focus areas for these increased budgets include ransomware resiliency, cloud security, and artificial intelligence, among others.
So What?
The expected increase in budgets is heartwarming reading for the industry. However, I always take these sorts of optimistic views from investors with a pinch of salt, as it’s in their self-interest to predict positive outcomes. That’s not to say I doubt the data or the efficacy of the work done by NightDragon.
There aren’t really any surprises as to how CISOs are reporting to spend their inflated gains.
New Ransomware Reporting Requirements Kick in as Victims Increasingly Avoid Paying by Coveware
The article discusses the introduction of new ransomware reporting requirements as organisations are increasingly opting not to pay ransoms. It explores the potential impacts of these requirements on the behavior of companies and the broader cybersecurity landscape. The discussion includes an analysis of how these changes might influence ransomware attack dynamics, victim response strategies, and the legal and operational challenges of adhering to the new requirements.
So What?
The article takes a strongly negative view on banning ransomware payments and over-reporting. The post argues this on the basis that it’s tantamount to admitting absolute failure by other means, and that bans have either proven ineffectual (in other jurisdictions) or the data are unclear. I’m not surprised by this position, given Coveware specialise in ransomware incident response and negotiation! However, they do make some strong points. I feel that despite strong objections, many nation states are considering banning ransomware payments. However, there don’t appear to be good contingency plans in place to mitigate the initial impact at organisational or economic level. I can’t see government sponsored task forces parachuting in to help every mid-sized Enterprise recover from back-ups they don’t even have. If we push ahead with this approach, greater support (and incentive) is going to be required to prevent an initial wave of chaos.
Justice Department and FTC Update Guidance that Reinforces Parties’ Preservation Obligations for Collaboration Tools and Ephemeral Messaging by US DoJ (Press Release)
The U.S. Department of Justice and the Federal Trade Commission have updated their guidelines to emphasise the importance of document and communication preservation, especially regarding collaboration tools and ephemeral messaging. This revision aims to address the challenges posed by modern communication technologies in legal investigations, ensuring companies retain necessary information for compliance and accountability.
So What?
I’m torn on this issue. On one hand, the preservation of evidence is important and key to serious investigations undertaken by law enforcement. Conversely, frameworks such as the GDPR and California Consumer Privacy Act (CCPA) encourage and mandate minimal data retention, further incentivised by requirement for take-downs, the right to be forgotten and subject access requests. Typically, these types of privacy framework do not define specific data retention periods. However, the inclusion of requirements to retrieve any and all data (which includes chat logs) pertaining to an individual upon request, means organisations want to retain fewer data. The longer and more comprehensively you retain information, the more challenging these tasks become.
Midnight Blizzard: Guidance for Responders on Nation-State Attack by Microsoft Threat Intelligence
This article covers Microsoft's response to a nation-state cyberattack dubbed "Midnight Blizzard," identified as originating from a Russian state-sponsored actor. It details the tactics and techniques used in the attack, including the exploitation of a legacy non-production test tenant without multifactor authentication (MFA) and the creation of malicious OAuth applications. Microsoft provides guidance on protecting against such attacks, highlighting the importance of auditing privileges, defending against password spray attacks, and implementing conditional access controls.
So What?
It’s great to see Microsoft providing increasing amounts of information about this incident. This is an interesting write-up and provides a good level of detail for use in CTI workflows.
Leadership Transitions - 10 Steps for Success by Phil Venables
Phil Venables shares insights on navigating leadership transitions effectively. The article outlines ten steps for success, emphasising patience, listening, promoting new ideas, transparency, and consistent communication. It advises on empowering teams, providing constructive feedback, and the importance of adapting to new roles while letting go of the past. The guide encourages leaders to periodically reassess their strategies, promoting continuous improvement and adaptability in leadership roles.
So What?
This is a great post and demonstrates the need for a growth mindset when stepping up into a leadership position. The stand-out points that resonate for me are ‘be patient and listen’ and the need to over-communicate. One of the first lessons I learnt as a leader, is you can’t say important things too many times (and people don’t read email!). <shamelessplug>I wrote quite a long (some would say too long) blog post on moving into leadership in cybersecurity, covering some similar points to Phil’s. It may (or may not) be interesting.</shamelessplug>
Using Google Search to Find Software Can Be Risky by Brian Krebs
The article highlights the risks associated with using Google search to find software downloads, noting that cybercriminals exploit this method to distribute malware-laden versions of popular applications. It discusses how malicious ads, often appearing above legitimate search results, mislead users into downloading compromised software, emphasising the sophistication of these schemes and Google's efforts to counteract them. The piece further explores the implications for internet safety and the continuous battle against malvertising.
So What?
Malvertising is one of those threat categories that rears its ugly head now and again in the media, when a novel vector appears. This is quite an interesting write-up and worth a few minutes.
AI Rise Will Lead to Increase in Cyberattacks, GCHQ Warns by James Pearson
Britain's GCHQ has issued a warning about the increasing risk of cyberattacks due to the rapid development of Artificial Intelligence (AI) technologies. The agency highlighted that AI lowers the entry barrier for potential hackers, making it easier for less sophisticated cybercriminals to conduct digital harm, including ransomware attacks. The report underlines the uneven impact of AI on cyber threats, with opportunistic hackers gaining the most in terms of capability, and advanced state-backed hackers leveraging AI for more complex cyber operations.
So What?
No surprises here!
Notorious Spyware Maker NSO Group Is Quietly Plotting a Comeback by Vas Panagiotopoulos
NSO Group is ramping up lobbying efforts in Washington and leveraging the Israel-Hamas conflict to position its Pegasus spyware as vital for global security. Despite a troubled past, including sanctions and financial woes, the firm aims to reshape its image and navigate US regulations through a multimillion-dollar campaign and strategic alignments, stressing its commitment to human rights amidst skepticism.
So What?
The thing I find most interesting about NSO is their public-facing strategy and open articulation of what the company does and can do (technically). Is this any different from companies offering offensive security services or C2 frameworks though? Has there been an exceptionalist view created in the media of NSO, unfairly vilifying them due to their clientele being less discrete (and more dictator’y?) I’m definitely not touching the political lens on this one!
SolarWinds Seeks Dismissal of ‘Unfounded’ SEC Cybersecurity Suit by Skye Witley (Bloomberg)
SolarWinds Corp. refutes SEC allegations over its handling of a major cyberattack, asserting it made appropriate disclosures before and after the incident. The company, alongside its CISO, is challenging the SEC's claims of securities fraud and control violations, arguing that the enforcement action unjustly expands the SEC's authority and requirements for cybersecurity disclosures.
So What?
This is certainly something that will be interesting to follow! Hopefully, justice will prevail.
An Encrypted Client Hello (ECH) Primer by John Grady (Broadcom / Symantec)
The paper explains the significance of Encrypted Client Hello (ECH) as an extension to the TLS 1.3 protocol, aimed at enhancing privacy by encrypting all connection metadata. It underscores the challenge this poses for security teams in terms of maintaining visibility into encrypted traffic for security and compliance purposes. The article posits that while ECH improves privacy, it necessitates proactive measures from security leaders to prepare, including education, planning, and engagement with product vendors to navigate the anticipated changes effectively.
So What?
I’ll be totally honest, and state that I didn’t have a clue what this was and that it was coming before reading this white paper. It’s worth a skim at the very least, as no doubt this will be a hot topic and something CISOs and CIOs will need to consider in their infrastructure designs.
Microsoft's Dangerous Addiction To Security Revenue by Alex Stamos
The article criticises Microsoft for exploiting security vulnerabilities within its cloud services as a sales opportunity for its security products. Stamos argues that Microsoft's approach to handling the breach linked to Russian intelligence services, specifically through its Azure Active Directory and Microsoft 365, underscores a broader issue. He contends that Microsoft is prioritising revenue from security products over the provision of inherently secure systems, calling for a shift towards security-by-default across all its offerings.
So What?
I agree with Alex’s key messages in this post. We do need to move to a world of security-by-default and at no extra cost to the customer. However, I take the dig at Microsoft’s handling of the latest breach with a pinch of salt. It’s easy for the likes of SentinelOne (Stamos’ employers) and Crowdstrike (who took a swing last week) to criticise (with limited access to facts), and it’s in their interest to do so as key competitors in the ‘XDR’ space. Moreover, I don’t see SentinelOne or Crowdstrike considering any of their pay-for features free add-ons and attackers certainly love to re-utilise a C2 for their own purposes. What does pride come before?
The Annual Cybersecurity Attitudes and Behaviors Report 2023 by Cybsafe
The article summarises a study on online habits and cybersecurity attitudes. It finds that 93% of respondents are daily internet users, with nearly half owning over ten sensitive online accounts. Despite 84% prioritising online security, 39% feel frustrated and 37% intimidated by it. The younger generation is more sceptical about the effectiveness of online security.
Access to cybersecurity training is limited, with only a quarter of respondents having it, predominantly those employed or studying. The report notes a high awareness of cybercrimes, with phishing and identity theft being common. However, Millennials are most affected by online dating scams. Most victims report these crimes, especially to banks.
The study also examines behaviours like password management, use of multi-factor authentication (MFA), software updating, data backup, and phishing detection. It reveals mixed practices across generations, with older individuals less aware of newer security measures. Overall, the report highlights varied cybersecurity attitudes and practices, indicating a need for increased awareness and training.
So What?
Cybersecurity In 2024: Startling Insights from Over 1000+ CISOs by Francis Odem
The article summarises findings from over 1000 Chief Information Security Officers (CISOs), forecasting significant trends in cybersecurity for 2024. Key insights include an anticipated increase in security spending from $188 billion in 2023 to $215 billion in 2024, largely due to evolving SEC regulations and rising data breach costs. A major focus for CISOs is Identity Access Management (IAM), with a noted dissatisfaction with current solutions and a push towards more automated systems. Other areas poised for growth are data security, AI security, and cloud security. The article also touches on the challenges in sourcing skilled cybersecurity professionals and the integration of AI in cybersecurity strategies. Overall, the piece highlights the dynamic and expanding nature of the cybersecurity field as it adapts to new challenges and technologies in 2024.
So What?
An excellent analysis, which you’d expect from Francis. If the macro-environment of Cybersecurity is your world, this is worth a read.
Securing the Open-Source Software Ecosystem by The White House
The article outlines the Biden-Harris Administration's commitment to securing the open-source software ecosystem, particularly following the discovery of the Log4Shell vulnerability in 2021. The National Cybersecurity Strategy, established in 2023, aims to collaborate with the private sector and open-source community to enhance software security using memory-safe languages and other secure techniques.
Key to this strategy is the Open-Source Software Security Initiative (OS3I), which coordinates federal agencies and collects input from various stakeholders to develop policies that safeguard the open-source software ecosystem. In 2023, the OS3I's efforts focused on unifying federal approaches to open-source software security, developing strategic use within the federal government, promoting long-term investments in the ecosystem, and engaging with the open-source community.
So What?
This is a pretty interesting update and overview of what’s next.
Iranian Intelligence Used Narco Trafficker to Recruit Hells Angel for Planned Assassination by Alexander Martin
The article reports on the indictment of an Iranian drug trafficker, Naji Sharifi Zindashti, for attempting to recruit a Hells Angels member to assassinate an Iranian defector in Maryland. This operation, seemingly at the behest of Iran's Ministry of Intelligence and Security, highlights the use of organised criminal groups by the Iranian regime to carry out transnational repression acts, including assassinations and kidnappings, while maintaining plausible deniability. This incident is part of a broader pattern of such activities globally, implicating the involvement of other designated individuals and groups.
So What?