Briefly Briefed: Newsletter #24 (22/02/24)
Greetings,
This is week #24 of the ‘Briefly Briefed:’ newsletter. A big welcome to new subscribers, and many thanks to those who continue to read.
My ‘if you only read two three’ recommendations for the week are:
LLM AI Cybersecurity & Governance Checklist by OWASP Top 10 for LLM Applications Team
A Security Analyst’s Guide to Identity Threats by Ted Kietzman and Jennifer Golden
Developer Roadmaps by Kamran Ahmed (bonus non-cyber recco!)
Enjoy the week ahead!
Lawrence
Meme of the Week:
International investigation disrupts the world’s most harmful cyber crime group by UK National Crime Agency (NCA)
The National Crime Agency (NCA) of the UK has spearheaded a global operation against LockBit, a notorious cyber crime group known for ransomware attacks. This landmark effort has seen the infiltration and takeover of LockBit's operations, leading to the seizure of their infrastructure and the arrest of key members. The operation, conducted in collaboration with the FBI and other international partners, underscores a significant advancement in combating cyber threats, highlighting the effectiveness of international law enforcement cooperation.
So What?
It’s always heartwarming to see larger scale take-downs. LockBit have certainly caused a lot of damage and losses over the years, this is a big win.
Top 10 web hacking techniques of 2023 by James Kettle (Portswigger)
The post presents the annual roundup of the top ten web hacking techniques of 2023, as identified by a community-powered effort. It covers innovative security research across a range of topics, from exploiting server vulnerabilities to novel attack methodologies. The list is a result of community nominations, voting, and expert panel analysis, aiming to spotlight significant contributions to web security research and encourage further exploration in the field.
So What?
This is an excellent contribution from Portswigger, and essential reading for application penetration testers and developers. What I like most about this post, is that it’s showcasing innovation at an individual level. It’s easy to think that appsec is all about scaling, automation and the same old injections attacks we’ve been struggling with since the late 90’s. I highly recommend reading the top 10 posts as well.
LLM AI Cybersecurity & Governance Checklist by OWASP Top 10 for LLM Applications Team
The document outlines a comprehensive checklist aimed at enhancing security and governance in the deployment and use of Large Language Models (LLMs). It provides guidelines and strategies for mitigating risks, ensuring responsible AI use, and integrating LLM security within existing frameworks. The checklist serves as a vital tool for technology and business leaders, aiming to balance the innovative potential of LLMs with the necessity for robust security measures.
So What?
OWASP are creating some really useful collateral for LLMs, and this is no exception. If you’re a CISO or responsible for the governance of Cybersecurity within an organisation, this is an essential resource.
Developer Roadmaps by Kamran Ahmed
This website offers a collection of community-driven roadmaps, guides, and articles aimed at helping developers choose a career path and enhance their skills in various domains such as Frontend, Backend, DevOps, and more. It serves as a platform for learners to find step-by-step paths and resources for different technical roles and technologies.
So What?
I was blown away by how usable and well constructed this resource is. If you’re new to programming or wanting to learn a new language, these ‘mind-map’ style guides and career roadmaps are an excellent place to start.
Dusting off Old Fingerprints: NSO Group's Unknown MMS Hack by Cathal McDaid (ENEA)
The article uncovers a previously unknown mobile network attack, "MMS Fingerprint," attributed to NSO Group. This technique, revealed through legal exhibits, allows attackers to discern a device's type and OS version via MMS without user interaction. The investigation into this method involved technical experimentation, shedding light on vulnerabilities within the MMS protocol and offering insights into the broader implications for mobile security and privacy.
So What?
The debate continues on the availability of advanced OST to nation states and commercial buyers. Many governments have made their position clear in the recent Pall Mall Process, which I covered last week. NSO featured in the news again this week, as Poland’s current government uncovered evidence of their predecessors (illegally) using Pegasus to spy on a large number of individuals.
Google open sources file-identifying Magika AI for malware hunters and others by Katyanna Quach (El Reg)
Google has released Magika, an AI-driven file identifier, as part of its AI Cyber Defense Initiative. Magika is designed to accurately identify file types to aid in cybersecurity, and is used by Gmail, Google Drive, and Chrome's Safe Browsing. This move is aimed at bolstering automated tools for IT network defenders, highlighting Google's commitment to using AI for enhancing security.
So What?
This is a great resource for operational security and networks teams.
CIEM Part 1: How least privilege leads to a false sense of security by Robert de Meyer
This article initiates a series on Cloud Identity Entitlement Management (CIEM), focusing on the challenges of managing Identity and Access Management (IAM) within AWS environments. It critically examines the principle of least privilege, suggesting that while important for security, its strict application may not be practical or beneficial in all cases, potentially leading to a false sense of security. The piece advocates for a balanced approach that protects critical assets without hindering productivity.
So What?
The title is a bit misleading and clickbaity, but the article itself is interesting and well-reasoned. The misleading part is that it’s about a specific implementation in AWS, rather than a conceptual flaw. I don’t agree that the principle of least privilege (POLP) creates a false sense of security in general. What the article articulates well is that AWS IAM can be complex, and there are trade-offs when applying the POLP. It’s still worth your time if you interact with IAM in AWS.
A Security Analyst’s Guide to Identity Threats by Ted Kietzman and Jennifer Golden
This document delves into the escalating threats in identity security, emphasising the complexity of digital identities and the sophistication of attacks exploiting them. It serves as a comprehensive guide, covering current identity-based threats, prevention, and detection strategies. The focus is on workforce identity, exploring attacks on individual and infrastructure identities within organisations. Through detailed examination of attack techniques and preventive measures, the guide aims to provide a central resource for security analysts navigating the identity threat landscape.
So What?
I’m not sure that I understand what they mean by a ‘security analyst’, but this is a really great snapshot of the ‘identity threats’ landscape. They have identified and signposted the key threat actors and defensive work in the space. I liked the references to Push Security’s SaaS attack matrix and narrative on scattered spider especially. From speaking with red teamers (and friends at Push), these vectors are widely unmitigated and little understood. To illustrate this, I’ve seen first-hand IR and red team reports where the attackers didn’t touch the endpoint, but achieved all the ‘worst case’ goals. That said, this is towards the leading edge of emerging threats for most organisations, as most traditional (phishing/BEC initial access) vectors are still effective. Most CISO are still struggling with more fundamental issues, but they need to raise their awareness of this growing threat.
Updating Microsoft Secure Boot keys by Sochi Ogbuanya
Microsoft is preparing to update Secure Boot keys to enhance system security, with new Unified Extensible Firmware Interface (UEFI) Certificate Authorities set to be introduced. The update, starting in February 2024, will be rolled out in phases, ensuring only trusted software runs during system boot-up. This change aims to maintain high security standards against emerging threats, with a focus on ensuring compatibility and preventing disruptions during the update process.
So What?
It’s always great to see improvement of fundamental functionality in Windows. It’s worth a few minutes to gain a good understanding of what this means.
Staying ahead of threat actors in the age of AI by Microsoft Threat Intelligence
This article discusses the evolving landscape of cyber threats in the context of rapid AI development. It highlights Microsoft's collaboration with OpenAI to identify and mitigate threats involving AI technologies, focusing on the misuse of AI by cybercriminals. The piece outlines Microsoft's commitment to ethical AI use, emphasising the need for rigorous safety standards and the importance of AI in enhancing cybersecurity measures.
So What?
Similar to the Duo report, this contains some great information about key threat actors and mitigations within the ‘AI’ space.
Chinese Hacking Contractor iSoon Leaks Internal Documents by Akshaya Asokan and David Perera
An internal document leak from iSoon, a Shanghai-based hacking contractor, reveals dissatisfaction and low pay among its workforce, despite successful cyber operations. The company, associated with the Ministry of Public Security, has been involved in hacking regional governments and potentially NATO. The leaked details include technical specifics about malware and strategies, emphasising the widespread capabilities within China's hacking ecosystem.
So What?
This was one of the big news items of the week! There was a lot of interesting information in this leak, with a lot of big name organisations being mentioned and targeted. You can see the full leak on GitHub (set Google Translate to stun!)
Commission opens formal proceedings against TikTok under the Digital Services Act by European Commission
The European Commission has initiated formal proceedings against TikTok under the Digital Services Act (DSA), concerning potential breaches in the protection of minors, advertising transparency, data access for researchers, and the management of addictive design and harmful content. The proceedings aim to investigate TikTok's compliance with DSA obligations, focusing on systemic risks, privacy and security for minors, advertising repository reliability, and transparency in research data access. This action underscores the Commission's commitment to safeguarding digital space integrity, especially for vulnerable groups like minors.
So What?
More controversy! No comment.
Threat Horizons: New Year, New Cloud Threat Insights by Google Cloud Security Team
The report discusses emerging cloud security threats anticipated in 2024, including risks posed by high-profile global events. It highlights the prevalence of cryptomining due to weak cloud configurations and underscores the importance of robust security measures to counter ransomware and data theft. The piece also advises on mitigating actions, such as enhancing log management and adopting a multi-layered security strategy to protect against sophisticated cyber threats, particularly from nation-state actors like the People’s Republic of China.
So What?
These threat Horizon reports are always a good read, and I recommend following them. No particular surprises this time around.
A final Kubernetes census by Rory McCune
The article marks the conclusion of tracking Kubernetes clusters exposed online via the Censys API, noting a significant increase from 842,350 to 1,626,249 clusters since August 2022. This project highlighted Kubernetes adoption trends and version usage, revealing challenges in updating cycles among cluster operators. The cessation of the daily tracking script was due to the end of free API access, providing valuable insights into Kubernetes configurations and distribution defaults.
So What?
Rory has done some great work with this project, I’m sure the data will be useful for a number of analyses. Here is a link to the full dataset.