Briefly Briefed: Newsletter #5 (05/10/23)
Welcome, program.
This is week #5 of the ‘Briefly Briefed:’ newsletter. Hearty thanks for your continued interest. This week has seen not one, but two, human-centred security programs spun up (or re-launched, by NIST and FIRST, respectively.) Additionally, we’ve seen continued creativity from Lazarus group, in the form of trojanised software challenges. In other news, the University of Exeter in the UK launched a new Cyber Threat Intelligence Masters degree (badum, tsss!) I hope you enjoy this issue, and please do feel free to provide feedback on how I can improve the content.
My two favourite posts of the week were:
ESET’s detailed analysis of Lazarus group’s sneaky new vector. This is really interesting and demonstrates Lazarus’ ability to pivot and be creative.
Malwarebyte’s discovery of Malvertising in Bing Chat. Inevitable, I guess.
End of line.
Lawrence
Funny Cyber Quote || Meme of the Week:
The Security Research Product Function by Zack Allen
The post delves into the crucial role that security research teams play in cybersecurity start-ups. Unlike other industries where product marketing often drives value, cybersecurity relies on staying ahead of ever-evolving threats ("the baddies"). The article argues that security research teams act as navigators, guiding the product's development and marketing. By being attuned to the threat landscape, they help engineering, design, and marketing teams align their strategies. The post applies the Kano Model to explain how a research team could accelerate a product's features from 'must-haves' to 'wow' factors. The post posits that security research teams are not just adjuncts; they are core to the cybersecurity business model, ensuring that products can adapt quickly to new threats. The blog emphasises the growth of such teams, validating their significance in modern cybersecurity ventures.
So What?
I really enjoyed this blog, and having run a product / service innovation function within a large Cybersecurity company, I can definitely see the value of this approach. The key takeaway for me, is the tight linkage between technical research and market positioning. In start-ups, this is often intrinsic and the need for leaders (often founders) in the organisation to wear multiple hats and work interdisciplinarily drives this approach. This is where many larger organisations
get it wrongstruggle, and there is a disconnect between the technical teams, product and marketing. We’re starting to see an acceptance (and sometimes excitement) within technical communities for more commercial hybrid roles. This is mirrored within the application security field also, with a pivot to ‘Product security’. Tanya Janca wrote a great blog on this back in July, illustrating the nuances wonderfully (and was ripped off a couple of months later by CSO Online). I think this is great (although I’m biased, having lived in this niche for a while) and shows a more grown-up side to Cyber, and what we need to do to retain trust and relevance as an industry.
This post requires some maths knowledge, but don’t let that put you off if you’re not numerically inclined.
So What?
This won’t be for everyone, but if you have a good foundation in Mathematics and wonder about how crypto works, you’ll find this article interesting and accessible.
A quick summary of the latest announcement:
- Amazon Bedrock is now generally available to help more customers build and scale generative AI applications. Bedrock is a fully-managed service that offers access to foundation models for various business applications, simplifying integration and ensuring data security.
- Amazon Titan Embeddings is now generally available. Titan Embeddings is a language model that transforms text into numerical embeddings, facilitating advanced search and personalisation, while being particularly useful for Retrieval-Augmented Generation (RAG) applications.
- Meta’s Llama 2 coming in the next few weeks. Amazon Bedrock will soon offer access to Meta's next-generation Llama 2 large language models, which come with significant improvements in data training and context length, optimised for dialogue applications.
- New Amazon CodeWhisperer capability (coming soon) will allow customers to securely customise CodeWhisperer suggestions using their private code base to unlock new levels of developer productivity. CodeWhisperer will enable customised coding suggestions based on an organisation’s private code base, thus enhancing developer productivity while maintaining enterprise-level security.
- New generative BI authoring capabilities in Amazon QuickSight help business analysts easily create and customise visuals using natural-language commands. QuickSight's new generative BI authoring feature will allow business analysts to swiftly create custom visuals and calculations through natural-language queries, thereby improving efficiency.
- New free generative AI training for Amazon Bedrock. Amazon has launched a free, self-paced digital course aimed at introducing developers and technical audiences to the features and benefits of Amazon Bedrock.So What?
Amazon have finally entered the race! I’ve not experimented with this, so I can’t really comment or attest to efficacy. AWS tends to be the ‘techies favourite’ so I’m sure they’ll garner a committed following if there’s good feature parity and DX.
Another excellent deep dive on the ‘Software Supply Chain Vendor Landscape’ by Clint Gibler and Francis Odum
The pair provide “an analysis of over 20 supply chain security vendors, from securing source code access and CI/CD pipelines to SCA, malicious dependencies, container security, SBOMs, code provenance, and more.”
The post highlights the complexities and vulnerabilities introduced by the pervasive use of open-source components in modern software development. This second part of the report addresses the burgeoning market of vendors, who are taking diverse approaches to secure the software supply chain. These solutions often leverage frameworks such as SLSA, NIST's SSDF, or the OpenSSF Scorecard. The post underscores the role of regulatory mandates, like President Biden's executive order on cybersecurity, in driving demand for these solutions. It also reveals a significant uptick in interest from enterprises, corroborated by NightDragon's survey indicating that over 96% of CISOs are contemplating the adoption of software supply chain solutions within the next year.So What?
This is a really useful resource for CISOs, CIOs and Heads of Security especially. It’s often really hard to create a ‘long list’ in this area and to understand the market segmentation. I LOVE a good infographic with logos, too.
FIRST form a SIG (special interest group) for ‘Human Factors in Security’
Their mission:
“People have become the main driver for breaches but the human factors remain insufficiently addressed in the IT security sector. The mission of this SIG is to improve the understanding of human factors in security among security professionals worldwide. To achieve this goal we will facilitate a regular exchange on methods, measures and skill sets to effectively address the human factors in security.”
Members of FIRST are automatically approved (on request) to join the group and monthly meetings.So What?
This echoes the recent revamp of NIST’s ‘Human-centred cybersecurity’ program. It’s interesting to see these launch so closely together. One of the key pivots within the human-centred security space, is the shift away from blame and the assumption that people are the weakest link (finally!). While user education and awareness is super important, technical controls should be primary. Humans are as inquisitive as we are fallible, which is often a bad combination with technology. The onus is on creators to work better with human nature. I’m looking forward to see what comes out of these initiatives.
SingTel to sell stake in Trustwave for $205 million from Reuters
Singapore Telecommunications (STEL.SI) on Monday said it entered into an agreement with MC2 Titanium, LLC to sell its stake in cyber security business Trustwave for $205 million. Southeast Asia's largest telecom firm began a strategic review of its 98% interest in Trustwave in 2021 after buying it for $770 million in 2015.
It’s worth noting that they’re actually over-reporting losses in many of the articles, as Trustwave divested its GRC/PCI consulting division (SecureTrust) for $80mil in the interim.
So What?
This is a shame to see, I have lots of fond memories of leading the SpiderLabs team at Trustwave and all the amazing people I met (many I still call friends). I hope this is the change that's needed for the organisation and all the great people in the business are ok.
The Trustwave acquisition journey is a lesson in absent CEOs with no vision beyond cost cutting, focusing more on IPO and courting analysts than clients and taking highly invested staff for granted.
AutoGen: Enabling next-generation large language model applications from the Microsoft Research Blog
AutoGen, has been used as an integrated component of systems like Copilot, but it’s largely slipped under the radar (relative to other developments). However, this is a notable advancement for LLMs and provide some cool functionality.
“AutoGen is a framework for simplifying the orchestration, optimisation, and automation of LLM workflows. It offers customisable and conversable agents that leverage the strongest capabilities of the most advanced LLMs, like GPT-4, while addressing their limitations by integrating with humans and tools and having conversations between multiple agents via automated chat.”
AutoGen is available in public preview as a Python package for anyone to integrate into their apps.
So What?
I’ve not played with AutoGen outside of its implementations, but I’ve heard it’s a game changer from AI experts I know. These are not particularly useful insights from me, but watch this space I guess!
Too Many Vulnerability Prioritisation Standards: Use This One Instead by Jake Kouns and Ben Haynes
This is an interesting talk from the recent Mandiant (now part of Google Cloud) WISE conference. The talk discusses various common frameworks for prioritising vulnerability remediation.
So What?
Vulnerability remediation prioritisation (say that 3 times quickly) is a hot area right now. There are quite a few options emerging, which aim to supersede the incumbent and ubiquitous, CVSS. These include the likes of EPSS and SSVC. This video (although slightly vendor tinged) provides some interesting thoughts in this area.
Lazarus luring employees with trojanised coding challenges: The case of a Spanish aerospace company by Peter Kálnai
ESET report that employees at a targeted company were recently duped by a counterfeit recruiter on LinkedIn into executing a malicious file disguised as a coding challenge.
Their investigation revealed four distinct execution chains delivering three types of payloads via DLL side-loading. The most significant payload was the ‘LightlessCan’ backdoor, designed to elude real-time security monitoring and professional analysis, representing a substantial shift from its predecessor, ‘BlindingCan’, Lazarus group's primary HTTP(S) RAT. With ‘high confidence’, they attribute this cyber-activity to Lazarus group, specifically linking it to their ‘Operation DreamJob’ campaigns. The ultimate objective of this sophisticated attack was cyberespionage, indicating a marked escalation in Lazarus' capabilities and tactics.
So What?
We’re starting to see Lazarus be more creative in their vectors. As a defender, these types of attacks are particularly concerning, as they’re challenging to mitigate. They continue to be an important threat actor to watch if you’re in their sights.
National Security Agency is starting an Artificial Intelligence security centre
The U.S. National Security Agency (NSA) is inaugurating an Artificial Intelligence Security Centre to bolster U.S. defence and intelligence systems. Announced by the outgoing director, Army Gen. Paul Nakasone, the centre will function within the NSA’s existing Cybersecurity Collaboration Centre. It aims to collaborate with private industry and international partners to secure the U.S. defence-industrial base against threats, predominantly from China and Russia. The centre will focus on securing AI models from theft and sabotage and will work closely with U.S. industry, national labs, academia, and the Department of Defence.
So What?
Most nation states are gearing up for AI (and how they regulate and legislate it). There’s way too much activity to summarise, but it’s obviously an area we should all be watching and concerned about. NCC Group (full disclosure, my employer) have created a really comprehensive snapshot of where we are at the moment, which also signposts some great research that’s been done by the team.
NIST unveils their ‘Human-Centered Cybersecurity’ program
This is essentially a re-vamp of their ‘Usable Cybersecurity’ program, founded back in 2008.
The new title aims to eliminate misconceptions and articulate the program's broader mission of considering the human element in cybersecurity. Operating at the intersection of cybersecurity, cognitive science, and psychology, the multi-disciplinary team conducts research ranging from authentication protocols to how social influences affect cybersecurity among young people. To amplify the reach of their work, NIST has also revamped its website, optimising it for searchability and ease of navigation.
So What?
See above!
Malwarebytes have discovered intentional malware distribution through Bing Chat (powered by OpenAI's GPT-4) by Jérôme Segura
Microsoft's introduction of ads into Bing Chat has inadvertently exposed users to malvertising risks. Users seeking to download software like 'Advanced IP Scanner' can be misled into clicking malicious ads, which are positioned above organic search results. The ads are typically hosted via compromised ad accounts and direct victims to websites that differentiate between genuine users and security mechanisms. Once entangled, victims download malware-ridden MSI installers. The post from Malwarebytes also stresses the continued need for robust security measures, both at the organisational and user levels.
So What?
Yikes! This was inevitable, but it’s interesting to see how implementations can be abused and what the end game is in this particular case. While the OWASP top 10 for LLMs is going to be a useful guide, tracking the TI for this nascent threat is essential for defenders.