Briefly Briefed: Newsletter #25 (01/03/24)
Happy Friday,
This is week #25 of the ‘Briefly Briefed:’ newsletter. A big welcome to new subscribers, and many thanks to those who continue to read. Apologies for the delayed release, it’s been quite a hectic/dramatic week for me, and today is my Birthday! Normal service will resume next week.
My ‘if you only read two’ recommendations for the week are:
Palo Alto Fires Firewall Shot Heard ‘Round The World by R. Scott Raynovich
Lockbit cybercrime gang says it is back online following global police bust by James Pearson
Have a great weekend!
Lawrence
Meme of the Week:
How to find the AWS Account ID of any S3 Bucket by Sam Cox
This article explains a method to identify the AWS Account ID of any S3 bucket, whether private or public. It builds upon a technique developed by Ben Bridts in 2021, enhancing it to work under more conditions. The approach involves using a VPC Endpoint for S3 and CloudTrail logs to incrementally discover the Account ID. It also details optimising the process to make it faster, reducing the time required to less than 10 minutes, and discusses potential security implications and ethical considerations.
So What?
It’s hotly debated as to whether AWS account IDs are sensitive or not, but this is quite an interesting enumeration technique anyway.
Palo Alto Fires Firewall Shot Heard ‘Round The World by R. Scott Raynovich
The article discusses Palo Alto Networks' strategic pivot towards "platformisation" of its cybersecurity offerings, aimed at integrating its vast product range to offer more cohesive solutions. This shift, intended for long-term market share gains despite short-term revenue sacrifices, signals a significant industry shakeup. Palo Alto's approach reflects a broader trend towards bundled cybersecurity solutions, addressing customer fatigue with managing disparate security products.
So What?
There have been a number of hot takes on this over the last week, mostly by analysts, marketers and product managers with outsized social media followings, who’ve never actually run a security function (shots fired!). In many of the narratives, there is a misapprehension that ‘platformisation’ is exclusively a cost-saving measure, and therefore, inherently bad. While this is a huge driver (often the primary one), ‘best-of-breed’ point solutions for every problem have other important drawbacks. These include: weak operationalisation (poor SOC integration), increased resource requirements, additional technical complexity, poor interoperability, lack of flexible options for hybrid environments and feature overlap (duplication) with other products. I’d argue (anecdotally) that higher operational efficiency and interoperability (in Enterprise environments) produces better security outcomes than higher-efficacy point solutions with disjointed workflows. From a purely sales angle, if you doubt this approach will be successful, see Microsoft security revenues for details. Let’s see how this shapes up!
UK Government Department for Science, Innovation and Technology Areas of Research Interest
The document outlines the main research questions the Department for Science, Innovation, and Technology aims to address, aiming to bridge the gap between academia's scientific research and policy development. It highlights the department's desire to access a diverse range of suppliers, engage with researchers, and enhance policy decisions with strong evidence bases, seeking to address knowledge gaps and strengthen evidence in complex areas.
So What?
UK-specific. I was lucky enough to be involved in reviewing an early draft of the ARIs, therefore, I’m slightly biased as to whether they hit the right areas. I think there’s a good mix. I’m looking forward to seeing what gets picked up and the outcomes. No surprises that AI features heavily!
Microsoft’s AI Access Principles: Our commitments to promote innovation and competition in the new AI economy by Brad Smith
Microsoft announced its AI Access Principles at the Mobile World Congress, outlining commitments to innovation, competition, and responsible AI use. The principles aim to ensure broad technology access, promote public good, and include significant investments in AI infrastructure and partnerships. They build upon lessons from past technology developments and aim to foster a competitive, inclusive AI economy globally, reflecting Microsoft's role as a leading AI innovator and cloud provider.
So What?
This is a really interesting read. Among the overwhelming number of position papers and published principles for ‘AI’, this is one of the more interesting and aggregative. If you’re interested in following the development of AI, this is worth a read.
Incident Response 2024 Report by Palo Alto Networks
The Unit 42 Incident Response Report for 2024 presents insights from cybersecurity incidents, focusing on trends like the rapid pace of attackers, the significance of software vulnerabilities, and the sophistication of threat actors. It emphasises the importance of speed in defense, the role of AI in cybersecurity, and provides recommendations for strengthening security postures. The report aims to guide organisations in proactively managing cyber risks and enhancing their security strategies. The key takeaways are:
Speed Matters. The time between initial compromise and data exfiltration is decreasing. Attackers are sometimes beginning to exfiltrate data in hours, not days. Defenders need to speed up as well.
Software Vulnerabilities Still Matter. They were behind the largest-scale attack campaigns in 2023. They lead the list of ways attackers get in. Measure your threat surface, then fix it quickly and comprehensively.
Threat Actors are Becoming More Sophisticated. They’re more organised, with specialised teams for different parts of the attack. They’re more knowledgeable and able to use IT, cloud, and security tools as weapons of offense. And they’re more efficient, using processes and playbooks to achieve their goals more quickly.
So What?
More reporting, presentation and business case fodder! Kudos to Unit42 for the absence of a marketing wall. It’s interesting to see that the ‘time-to-exfil’ is decreasing. The report suggests this is due to attackers being more focused, and the increase in data exfiltration being a primary goal. I’d add that this is likely supported by improved tooling, especially for automation.
Lockbit cybercrime gang says it is back online following global police bust by James Pearson
The article reports on the Lockbit cybercrime gang's resurgence online after a global police operation targeted them. Despite arrests and their website being compromised, Lockbit claims their backup systems remain operational. The UK's National Crime Agency acknowledges Lockbit's attempts to recover but asserts the group is still compromised, with ongoing efforts to disrupt their activities. The situation underscores the challenges law enforcement faces in permanently dismantling cybercrime networks.
So What?
This is disappointing, but not surprising given the resources the TA group have, and that the sting largely focused on taking down infrastructure. My thoughts mirrored The Grugq’s short write-up on this, arguing that while LockBit's technological infrastructure can be attacked, the group remains resilient due to its business model and social infrastructure. His post suggests that offensive cyber efforts should target the social and organisational aspects of such groups to be effective, highlighting the distinction between attacking technology and impacting the broader system. That said, attribution is hard. Almost as hard as extradition and physically collaring suspects.
Exploring and Modifying a Prison Laptop by Zephray Wenting
The article discusses the author's experience with modifying a prison laptop purchased on eBay. It covers the process of overcoming the laptop's extensive security measures, including bypassing a BIOS password and hardware restrictions. The narrative details the technical steps taken to hack the BIOS, enabling the use of any hard drive, and the installation of a new operating system, showcasing the technical expertise and creativity involved in repurposing secure devices.
So What?
This is just a really interesting technical post and walk-through. I didn’t know prison laptops were a thing.
OpenSSF Securing Software Repositories Working Group Releases Principles for Package Repository Security by Jack Cable and Zach Steindler
The Open Source Security Foundation (OpenSSF) unveiled the "Principles for Package Repository Security," a framework to help package repositories enhance their security. Developed in collaboration with CISA, it aims to guide repositories through assessing and upgrading their security measures. The framework categorises security maturity levels across various capabilities, promoting significant improvements in authentication, authorisation, and more, within the open source ecosystem.
So What?
This is a really useful resource for those working in Application Security. The three-level ‘tiered’ approach reminds me of the OWASP ASVS.
Guidelines for Handling Compromised IAM Credentials by AWS (Samples)
This GitHub document provides a comprehensive framework for identifying and managing compromised AWS Identity and Access Management (IAM) credentials. It outlines steps to detect breaches, mitigate risks, and secure AWS environments against unauthorised access. The playbook emphasises the importance of regular audits, the use of multi-factor authentication, and the implementation of least privilege principles to safeguard against potential security incidents.
So What?
This is a really useful playbook, linking to the AWS Security Incident Response Guide. If you’ve not come across the AWS samples repo on GitHub before (and you work with AWS), it’s worth familiarising yourself with the content.
FACT SHEET: President Biden Issues Executive Order to Protect Americans’ Sensitive Personal Data by The White House
This fact sheet details President Biden's executive order aimed at safeguarding Americans' sensitive personal data from foreign threats. It mandates the Attorney General to block large-scale transfers of personal data to countries considered threats and sets up protections for various types of sensitive information. The order addresses concerns about privacy, counterintelligence, and national security, specifically targeting the sale and misuse of data by countries of concern and other entities.
So What?
It’s great to see steps towards greater regulation of personal data at a Federal level in the US.
LOTP - Living Off the Pipeline by Boost Security
The LOTP project investigates how development tools used in CI/CD pipelines, particularly command-line interfaces (CLIs), have features that could be exploited for remote code execution (RCE) by design. It focuses on identifying and cataloging these "foot guns" to help developers understand and mitigate potential security risks associated with running untrusted code changes or following a workflow injection.
So What?
Useful for DevSecOps folks.
Two hours of daily meetings is the limit, Slack survey shows by Matthew Boyle (Bloomberg)
A survey by Slack Technologies indicates that exceeding two hours of meetings daily can diminish productivity. This global study involving over 10,000 desk workers found that extensive meeting hours led to a lack of focus on substantive work, with executives and employees alike feeling overburdened by meetings. Slack's findings suggest a need for organisations to reassess their meeting cultures to enhance efficiency and work-life balance.
So What?
Not cyber. I found this interesting, and I can definitely relate to the findings. I don’t believe there’s a magic number for meeting frequency and duration, but these types of study are great conversation starters.
Back To The Building Blocks: A Path Toward Secure And Measurable Software by The White House
The article outlines President Biden's National Cybersecurity Strategy, emphasising two significant shifts: redistributing cyberspace defense responsibility and realigning incentives for long-term cybersecurity investment. It advocates for the technical community's role in addressing memory safety vulnerabilities through programming and hardware, and establishing cybersecurity quality metrics to enhance software security across the ecosystem. This strategy represents a proactive approach to reducing vulnerabilities and fostering a secure, resilient digital space.
So What?
I’ll be watching closely how well the carrot and the stick work to move the needle in this area. I remain sceptical regarding reliance on community efforts to shift the needle in this area, as it hasn’t worked yet.
Identifying and Classifying Attack Techniques by Van Vleet
This article addresses the pivotal roles of identifying and classifying events to detect attack techniques within cybersecurity. It underscores the necessity for Detection Engineers to accurately detect events linked to attacks and differentiate them as malicious or benign within their unique environments. The complexity of this task is highlighted by the diversity of each enterprise's telemetry and noise, making a one-size-fits-all approach impractical. The MITRE ATT&CK matrix is referenced as a tool for outlining attack techniques, yet its effectiveness is contingent on the specific telemetry and environmental noise present in each case. The discussion extends to the importance of focusing on immutable elements for reliable identification and the classification of techniques into three categories: Inherently Suspicious, Suspicious Here, and Suspicious in Context. The article concludes with advice against competing with Endpoint Detection and Response (EDR) systems, advocating instead for a bespoke approach to covering gaps in detection, particularly for context-specific suspicious activities.
So What?
This will be interesting for detection engineers and those working in a SOC context. I strongly agree with the mantra of not competing with EDR, when it comes to handling ‘inherently suspicious’ techniques.
Report on the Cybersecurity and Resiliency of the EU Communications Infrastructures and Networks by European Commission
EU Member States, alongside the European Commission and ENISA (the EU Agency for Cybersecurity), have released a comprehensive report on the cybersecurity and resilience of Europe's communications infrastructures and networks. This initiative represents a significant advancement in the EU's coordinated efforts to secure telecommunications, building on previous work concerning 5G cybersecurity. Following the Nevers Call of 9 March 2022, a detailed risk assessment was carried out, identifying various threats to communication networks, including ransomware and supply chain attacks, which could significantly impact the security and resilience of connectivity infrastructure. The report introduces ten new risk scenarios of strategic importance, alongside strategic and technical recommendations for mitigating these risks. These include assessing the resilience of international connections, the criticality of core internet infrastructure, and enhancing transparency regarding the landscape of suppliers and service providers.
So What?
Some interesting datapoints in here, but a dry read!