Briefly Briefed: Newsletter #22 (07/02/24)
This is week #22 of the ‘Briefly Briefed:’ newsletter. A big welcome to new subscribers, and many thanks to those who continue to read.
My ‘if you only read two’ recommendations for the week are:
Russian spies impersonating Western researchers in ongoing hacking campaign by Alexander Martin
Have a great week!
Meme of the Week:
Gil Shwed stepping down as Check Point CEO after 30 years by Sophie Shulman (CTech)
Gil Shwed, co-founder of cybersecurity giant Check Point, is stepping down as CEO after 30 years. Under his leadership, Check Point grew significantly, ending 2023 with $2.4 billion in revenue and $840 million in net profit. Shwed plans to transition to Executive Chairman, focusing on the company's future and cybersecurity market evolution. Despite facing competition, Check Point's profitability remains strong, with a market value around $19 billion. The company recently made a significant acquisition, purchasing Perimeter 81 for half a billion dollars.
The end of an era for Check Point. It will be interesting to see the direction the company takes post-handover. Towards the end of last year, there was a step change in the approach to their Partner program, with a focus on supporting MSSPs. My assumption is that they will follow the likes of Palo Alto, Crowdstrike and Symantec in creating broader ecosystems (read SASE/SSE/ZT) from their tech stack, supporting an MSSP-enabled play. Let’s see!
Announcement of a Visa Restriction Policy to Promote Accountability for the Misuse of Commercial Spyware by Antony J. Blinken, US Secretary of State
This article outlines the U.S. State Department's new policy to impose visa restrictions on individuals involved in the misuse of commercial spyware. The policy aims to counter the global misuse of spyware for repression, violating privacy, and enabling human rights abuses. It applies to those using spyware to target or intimidate individuals, including journalists and activists, those benefiting financially from such misuse, and their immediate family members.
This will present challenges for individuals associated with spyware vendors like Candiru, NSO Group, Intellexa, and Cytrox, all of which were added to trade blacklists in 2021 and 2023. Interestingly, this coincided with a conference this week (hosted by the UK and France), launching an initiative called the Pall Mall Process. The Pall Mall Process is aimed at addressing the proliferation of commercial cyber intrusion tools through joint-action commitments by attendees. Key absentees were: Israel, Austria, Egypt and North Macedonia. Israel’s absence is particularly significant. It accounts for two of the four companies that have been sanctioned by the U.S. (Candiru and NSO) for trafficking cyber tools that the U.S. assesses have enabled “transnational repression” by authoritarian governments.
On a side note, it’s very British to select an initiative name that will be ambiguous to pronounce for even native English speakers (outside of international Monopoly enthusiasts). Next up, ‘the Worcestershire-Leicestershire accord.’
How enterprises are using open source LLMs: 16 examples by Matt Marshall (Venture Beat)
The article discusses how enterprises are exploring open source large language models (LLMs) for various applications, offering 16 examples of real-world deployments. Despite initial slow adoption compared to closed models like ChatGPT, open source LLMs are gaining traction due to their flexibility and cost-effectiveness. The examples range from enhancing code efficiency to improving customer support, highlighting the growing interest and diverse applications of open source LLMs in the enterprise sector.
I found this article really interesting, as internal company initiatives are seldom public domain. It’s not surprising that most larger enterprises are either developing or delivering on an ‘AI’ strategy already. This reminds me a lot of the Internet of Things (IoT) boom, where everything became Internet enabled, whether it was a good idea or not. Similarly, I think we’re seeing (and will continue to see) the over-zealous application of AI in situations that don’t call for it. It will likely be a costly mistake for some. However, I do look forward to AI toasters and flipflops.
Disabling Intel ME 11 via undocumented mode by Positive Technologies Team
The article details Positive Technologies researchers' exploration of Intel Management Engine (ME) 11, uncovering an undocumented mode that disables Intel ME after initialisation. This discovery relates to the U.S. government's High Assurance Platform (HAP) program, aiming to reduce security risks. The process involves technical adjustments and poses risks to system functionality, highlighting the complexities and security implications of managing proprietary technology within computing hardware.
A more technical post, but an interesting read!
A federal jury awarded Centripetal Networks $151.5 million in damages, finding that Palo Alto Networks infringed on Centripetal's patent rights related to network-security technology. Palo Alto plans to appeal, arguing their technology is different and the patents invalid. This case follows Centripetal's previous legal victory over Cisco Systems, showcasing ongoing patent disputes in the cybersecurity sector.
Ouch! Centripetal are on a roll enforcing their patents. It doesn’t seem to have impacted PANW’s share price though.
The post discusses a survey revealing that 81% of cyber insurance underwriters anticipate a slight increase in premiums due to rising cyber risks, particularly from ransomware. Despite this, coverage levels are expected to remain constant. It highlights the importance of enhancing organisational processes and security awareness training to mitigate risks, rather than solely relying on insurance.
Do premiums ever go down? It will be fascinating to see how some of the planned ransomware regulations will impact pricing of Cyber insurance. On one hand, interventions such as banning ransomware payments could reduce the risk of multi-million payouts. However, operating losses due to protracted recovery efforts could offset this (if covered).
Russian spies impersonating Western researchers in ongoing hacking campaign by Alexander Martin
The article reports on a Russian cyber espionage campaign targeting Western researchers and academics. Hackers, believed to be working for Russian intelligence, use spearphishing techniques to impersonate colleagues and gain access to sensitive information. This operation reflects Russia's broader strategy to undermine democratic institutions and discredit critics, illustrating the persistent threat of state-sponsored cyber attacks and the importance of vigilance in digital communications.
Aren’t they just copying North Korea? These types of campaigns have been active for some years, as a fairly typical form of espionage. If you know academics or researchers who may not be aware of these types of attacks, it’s worth sharing and supporting them with your cyber knowledge.
The article provides an analysis of critical vulnerabilities listed in the CISA KEV catalog from January 2023 to January 2024. It highlights that despite efforts to improve security through memory-safe languages like Rust, vulnerabilities due to insecure exposed functions and web routing/path abuses remain prevalent. The study shows that appliances are often targeted due to their network boundary positions and low defender visibility. The author recommends strategies for vendors, developers, defenders, and researchers to mitigate these risks.
It’s axiomatic that there’s almost never a single solution to a complicated problem in cybersecurity. Moreover, the post does miss efforts at the hardware level to address this problem, such as CHERI software stack for ARM Morello boards. Overall, I do agree that it will take a number of solutions in combination to mitigate issues created by insecure coding practices (and issues with languages / OSes themselves).
Your Security Program Is Shit by ciso
The article critically examines the state of security programs, arguing that many are ineffective due to a lack of genuine understanding and commitment from those in charge. It uses a hypothetical scenario to illustrate how organisations often prioritise appearances and compliance over actual security improvements, leading to a cycle of inefficiency and superficiality. The piece is a call to action for more authentic and effective security practices within the industry.
If you like ranty, sweary soapbox posts from a technical people who’ve never had to plan a defence at an organisational level without unlimited budgets, then this post is for you! More seriously though, I don’t disagree with the fundamental point of this post. Broadly speaking, cyber defence is not at the level it needs to be in order to provide appropriate assurance, and we all know it. I’m not sure that there’s a widespread denial of this though, as suggested in the post, as we see the outcomes regularly. I’ll refrain from listing all the challenges, but simply put, we need better tools, better training and better funding.
There Are Too Many Damn Honeypots by Jacob Baines
The article highlights the challenge of distinguishing between real and honeypot Confluence servers on the Internet. With over 235,000 Internet-facing Confluence honeypots identified versus at most 4,000 real servers, the author discusses the difficulty in accurately determining the number of hosts affected by vulnerabilities. The piece emphasises the importance of precise vulnerability impact assessment and the role of honeypots in both complicating and contributing to cybersecurity efforts.
I do agree with the point Jacob is making. There are a lot of honeypots out there, and their existence can skew important data. However, the article only relates to Confluence honeypots, meaning the title is a little clickbaity and not broadly relevant. The key takeaway for me, is that if you’re looking at Internet-wide meta-data, it’s pretty hard to remove all the noise, even if you’re being quite targeted.
Florida Bill Proposes Safe Harbor Against Breach Suits to Businesses Maintaining Recognized Cybersecurity Programs by Alexis M. Buese and Eric Setterlund
The article discusses a proposed bill in Florida offering businesses a safe harbor defense against data breach lawsuits if they implement robust cybersecurity measures that align with recognised standards. This legislation aims to motivate companies to adopt higher cybersecurity levels by providing legal protections for those that meet specified criteria, thus encouraging a proactive approach to cybersecurity.
It will be interesting to see whether this has the intended impact.
A multinational company in Hong Kong lost HK$200 million due to a scam involving deepfake technology. Scammers created a fake video meeting, impersonating the company's CFO and other staff, to instruct an employee to transfer funds. This marks a significant case of deepfake misuse in financial fraud, highlighting the growing sophistication of cybercriminals in leveraging new technologies to carry out scams.
As deepfakes improve and become more accessible, this problem will only increase. Defending against this type of threat is incredibly hard, as technical controls would be challenging to implement, and training individuals to recognise deepfakes will be an issue. Organisations need to ensure they have robust procedures for high risk functions, such as approval chains in Finance.
Google Search’s cache links are officially being retired by Jon Porter
The article reports on Google discontinuing its cache feature, once a tool for viewing webpages as Google indexed them. This function was crucial for SEO, news gathering, and bypassing regional content blocks, but has been deemed less necessary due to improved internet reliability. The gradual removal, noted by search liaison Danny Sullivan, reflects Google's assessment of the feature as an outdated legacy, with no immediate replacement plans but a potential future link to the Internet Archive for historical webpage views.
This was a really handy feature for CTI (and sometimes bypassing paywalls). Shame!
Microsoft Breach — What Happened? What Should Azure Admins Do? by Andy Robbins
The post elucidates the breach by "Midnight Blizzard," detailing the attack on Microsoft's Azure environment and offering advice for Azure admins. Key steps in the attack path included password guessing, compromising app registrations, and escalating privileges within Microsoft's corporate tenant. Andy stresses the importance of identifying and mitigating privileged foreign applications to protect Azure environments, illustrating the critical nature of cybersecurity vigilance and proactive defense measures in the face of sophisticated cyber attacks.
The post advises that Azure admins should:
Identify privileged foreign applications in their environment.
Focus on service principals with MS Graph app roles, using the Azure portal.
Check for dangerous MS Graph app roles and manage permissions carefully.
Automate the audit process for efficiency and thoroughness, leveraging scripting and Azure AD tools.
Be proactive in identifying and mitigating attack paths, especially those involving foreign applications with high privileges.
This is one of the better technical write-ups, and comes with some useful information on mitigation. If you’re a technical person responsible for securing identities in Azure, this is especially important.
ADAPT Framework for Modelling Adversary Behaviour by Robin Dimyan
The post introduces the ADAPT framework as a nuanced approach to understanding cyber threats, moving beyond the oversimplified label of Advanced Persistent Threats (APTs). ADAPT stands for Advanced, Adaptive, Persistent, and Targeted, offering a more detailed criteria for assessing cyber adversaries. By evaluating threats across these dimensions, Dimyan proposes a method that enhances cybersecurity planning and defense, making it a valuable tool for more effectively addressing and strategising against cyber threats.
Thanks for reading ‘Briefly Briefed:’ - To receive the newsletter on a weekly basis, please subscribe below.