Briefly Briefed: Newsletter #8 (26/10/23)
Come with me if you want to live.
This is week #8 of the ‘Briefly Briefed:’ newsletter. Many thanks for your continued interest. I’ve been posting fewer updates over the last week on LinkedIn and Twitter. It looks as though the algorithms are intentionally nobbling people who share external content (unless you contribute (on LinkedIn) to pointless collaborative articles for brownie points). Hopefully, the newsletter is timely enough to be useful. I will persist, and fingers crossed, the useful bits make it to your screens.
My ‘if you only read two things’ recommendations for the week are:
FalconHound. This is just a really useful tool, I highly recommend you try it out or pass it on to technical colleagues in your team (especially if you already run Bloodhound periodically).
Ross Haleliuk’s history of Cyber industry luminaries. I found this a really well researched piece and I learnt some background information I didn’t already know.
Hasta la vista, baby.
Lawrence
Funny Cyber Quote || Meme of the Week:
FalconHound: The Blue Team Multi-Tool for Enhancing BloodHound by Olaf Hartong / Falcon Force
FalconHound is a blue team multi-tool built to supercharge the capabilities of BloodHound. While BloodHound provides a snapshot view of a network environment, FalconHound keeps it updated in real-time. Designed for blue teamers, it leverages existing log data to update local group memberships and session information, filling gaps in BloodHound’s graphs. Moreover, it can trigger alerts and create enrichment lists based on these updated graphs. For instance, it can alert you if a user has a path to a high-privilege group. It's also adaptable, integrating activities from Azure, CVE data, and can even flag compromised users based on incidents in Sentinel or MDE. Essentially, FalconHound takes your BloodHound graphs from static to dynamic, offering a more comprehensive view of your security landscape. Nice work by Olaf and the gang.
So What?
This is just a really great tool I wanted to highlight. It demonstrates how the aggregation of open source tools can be really powerful, even in an Enterprise.
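As an added illustration of the kind of check the passage describes (alerting when a user has a path to a high-privilege group as log events update the graph), here is a small Python example. It is not FalconHound's or BloodHound's code: the event format, the node names and the relationship labels (borrowed from BloodHound's edge vocabulary) are all constructed for this example.

```python
from collections import deque

# Constructed sample events (not real FalconHound or BloodHound data). Each is
# (relationship, source, target) using BloodHound-style edge names; node names
# carry a kind prefix so users can be told apart from groups and hosts.
EVENTS = [
    ("MemberOf", "user:alice", "group:Helpdesk"),
    ("MemberOf", "group:Helpdesk", "group:Workstation Admins"),
    ("AdminTo", "group:Workstation Admins", "host:WS01"),
    ("HasSession", "host:WS01", "user:bob"),  # bob is logged on to WS01
    ("MemberOf", "user:bob", "group:Domain Admins"),
    ("MemberOf", "user:carol", "group:Finance"),
]

HIGH_PRIVILEGE = {"group:Domain Admins"}


def build_graph(events):
    """Replay events in order into an adjacency map. Removal events delete
    edges, which is how a session ending or a membership change is reflected
    without rebuilding the whole graph from a fresh collection run."""
    graph = {}
    for rel, src, dst in events:
        graph.setdefault(src, set())
        graph.setdefault(dst, set())
        if rel in ("MemberOf", "AdminTo", "HasSession"):
            graph[src].add(dst)
        elif rel in ("MemberRemoved", "SessionEnded"):
            graph[src].discard(dst)
        else:
            raise ValueError(f"unknown relationship {rel!r}")
    return graph


def find_path(graph, start, targets):
    """Breadth-first search from start; returns a shortest path ending in any
    node from targets, or None if no such path exists."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in targets:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for nxt in sorted(graph.get(node, ())):
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    return None


def alert_on_paths(events, targets=HIGH_PRIVILEGE):
    """Return {user: path} for every user node that can reach a target group.
    A defender would raise an alert (or add the user to a watch list) for each."""
    graph = build_graph(events)
    alerts = {}
    for node in sorted(graph):
        if node.startswith("user:"):
            path = find_path(graph, node, targets)
            if path:
                alerts[node] = path
    return alerts


if __name__ == "__main__":
    for user, path in alert_on_paths(EVENTS).items():
        print(f"ALERT {user}: " + " -> ".join(path))
    # A later event removes alice from Helpdesk; her path should disappear.
    updated = EVENTS + [("MemberRemoved", "user:alice", "group:Helpdesk")]
    print(sorted(alert_on_paths(updated)))
```

The interesting case is alice: she is not in any privileged group directly, but nested membership gives her admin rights on WS01, where a Domain Admin has a session. Replaying the later removal event drops the edge and the alert clears, which is the "static to dynamic" point the passage makes.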
Microsoft Security Copilot Early Access Program: Harnessing Generative AI to Empower Security Teams by Vasu Jakkal
Microsoft is aiming to transform security operations with its Security Copilot Early Access Program. Utilising generative AI, Security Copilot acts as an AI assistant that streamlines tasks, allowing security teams to focus on high-impact projects. Its goal is to reduce the time spent on core security operations by up to 40%. Integrated within Microsoft 365 Defender, it offers actionable recommendations, aids in cyberthreat remediation, and lets analysts express complex queries in natural language. Interestingly, it's extending the service to Managed Security Service Providers. Microsoft Defender Threat Intelligence is now included (for free), offering additional insight into cyberthreats.
So What?
Copilot promises to revolutionise security operations, making them more efficient and responsive at machine speed™. It’ll be interesting to see how this shapes up. I definitely see the need to automate even more SOC processes and, having played with this already, I think it’s really powerful. Where I do have concern is that when you centralise these types of capabilities, they become a juicy target for attackers. If you look at how advanced threat actors and red teamers leverage things like Defender for Endpoint Live Response as a C2, you can imagine how this could be used as a force-multiplier for attackers too. Especially in an MSSP context! These types of tools are always a trade-off between utility and the threat they pose to security. In typical Azure fashion, Security Copilot is configured with very high permissions (Global Admin), but can be operated by Security Reader roles (still highly privileged). Overall, I believe we should cautiously embrace these types of tools, and keep applying pressure on vendors to provide appropriate security at the cadence of innovation.
How A Teenager (Junaid Hussain) Became A Hacker For Terrorists, A (mini) Documentary
A slightly sensationalised YouTube video charting the path of Junaid Hussain, a prolific Islamic State hacker. It’s an interesting video, and illustrates how people can be radicalised over time.
So What?
I think the video is a little tone deaf in parts, especially in their neutral tone relating to the EDL (the English Defence League, a right-wing / racist group in the UK). It highlights how personal situations can escalate, and how the current landscape of polarising politics can create shocking outcomes. Obviously, awful and terrifying stuff all round.
Anthropic, Google, Microsoft and OpenAI announce Executive Director of the Frontier Model Forum and over $10 million for a new AI Safety Fund by Google Cloud
Chris Meserole is now the first Executive Director of the Frontier Model Forum, an industry organisation committed to the safe and responsible use of advanced AI models. The announcement also includes the creation of an AI Safety Fund with over $10 million committed. This fund aims to advance research on AI safety, filling a crucial gap in current studies. Industry giants like Anthropic, Google, Microsoft, and OpenAI, alongside philanthropic partners, are the initial backers. The fund will support independent researchers to test and evaluate powerful AI models. The Frontier Model Forum will also share industry best practices and intends to engage in collaborative red teaming to assess AI vulnerabilities.
So What?
This is particularly useful for the security community, as the fund will finance research in red teaming and model evaluations. This could result in the creation of more robust security protocols, potentially raising industry standards. Moreover, by encouraging a common set of terms and practices, the Forum aims to streamline discussions and actions concerning AI safety and governance across sectors. It’s not the only effort in this area, by any means, but it’s good to see major players at the table.
Do Loose Prompts Sink Ships? Exploring the Cyber Security Issues of ChatGPT and LLMs by David C and Paul J from UK NCSC
While the technology offers a host of benefits, it also brings forth several risks. LLMs can generate biased or incorrect information, be prone to cyberattacks, and even inadvertently aid cybercriminals. The models do not learn from user inputs, but the data may be stored by the service provider, potentially posing privacy risks. The authors recommend not including sensitive information in queries to public LLMs. Organisations considering LLMs for business automation should closely examine terms of use and conduct security assessments. In summary, while LLMs are promising, caution is advised in their application to prevent compromising cybersecurity.
So What?
The article contains good, common sense advice. While I don’t think the post adds anything new in the grand scheme of LLM security, the value is in the simplicity and tone. As it’s provided by the UK NCSC, it will hopefully reach the right people who are looking for this information.
Follow the people: @stake, NetScreen, IBM, Israel Defense Forces and the US Armed Forces mafia networks in cybersecurity by Ross Haleliuk
The article delves into the intricate tapestry of networks that significantly influence today's cybersecurity landscape. Companies like @stake, NetScreen, and IBM, along with military establishments such as the Israel Defense Forces and the US Armed Forces, have proven to be fertile ground for future cybersecurity leaders. These 'mafias' serve as talent incubators, churning out founders and executives who go on to shape the industry in profound ways. The post underscores that it is often the people behind the scenes, not just the innovative ideas, that wield immense power in this ever-evolving field. A must-read for anyone interested in understanding the dynamics of influence (and the history) within cybersecurity.
So What?
I really enjoyed this article, not only for the nostalgia factor, but also because I didn’t know some of the founder stories it covered. This is a great primer if you’re newer to the industry and care about the history and journeys of key people and companies.
If I were to be critical (which is so unlike me!), I would say there were a few key people missing (Jason Chan, a notable @stake alum for one), who made some serious contributions to the security landscape. However, I understand that the focus was on commercial landscape shaping, over conceptual or technical contributions (not that many of those cited didn’t make that sort of contribution also). Who’s going to write the technical version of this?
Windows passwordless experience expands by Sayali Kale
Microsoft is advancing its commitment to a passwordless future by introducing an enhanced Windows passwordless experience for organisations, starting with the September 2023 update for Windows 11, version 22H2. Passwords, being inherently insecure and a primary target for cyberattacks, are being replaced by Microsoft with passwordless solutions like Windows Hello for Business and FIDO2 security keys. These phish-resistant credentials eliminate the need for passwords from the outset. Commercial entities can activate the ‘EnablePasswordlessExperience’ MDM policy to ensure a wholly passwordless user experience on Microsoft Entra ID integrated machines. After activation, the policy removes passwords from the user experience, including in-session authentication scenarios. Instead of passwords, users will utilise Windows Hello for authentication. The update also introduces a new web sign-in experience, aiming to shift organisations and users away from passwords going forward.
So What?
Passwordlessness can’t come soon enough in my opinion. It’s great to see steps towards the removal of passwords and interoperability with multiple other factors. Windows 11 is a significant driver towards this (although ‘Hello’ can run on Windows 10 also). Adoption is slow, but improving, with 23.6% of Windows desktop OS users on 11 and 71.6% still on Windows 10. Let’s move, people!
They Cracked the Code to a Locked USB Drive Worth $235 Million in Bitcoin. Then It Got Weird by Andy Greenberg of Wired
A Seattle-based startup, Unciphered, claims to have developed a technique for cracking encrypted IronKey USB drives without triggering the data-erasure function that activates after 10 incorrect password attempts. The team's main target is a decade-old IronKey drive located in a Swiss vault, holding 7,002 bitcoins worth approximately $235 million. The drive belongs to Stefan Thomas, a Swiss entrepreneur based in San Francisco, who lost the password. Thomas has declined assistance from Unciphered, stating he has prior agreements with other security teams. Unciphered's technology could potentially unlock numerous forgotten cryptocurrency wallets, but they find themselves with a solution in search of a problem, as Thomas remains unresponsive to their advances.
So What?
I find it really interesting that this is back in the news. After Bitcoin initially surged, there were often stories of people losing access to encrypted wallets (and other wild tales¹²³⁴⁵) with millions of dollars tied up, and ‘hackers’ were offered huge bounties to retrieve them. In this particular case, it’s fascinating that the owner of such a wallet has a solution available but is unresponsive. I’m sure there’s a reason why, which we will find out in time, no doubt.
¹https://www.nytimes.com/2021/01/12/technology/bitcoin-passwords-wallets-fortunes.html
²https://www.cbc.ca/radio/asithappens/as-it-happens-friday-edition-1.5875363/this-man-owns-321m-in-bitcoin-but-he-can-t-access-it-because-he-lost-his-password-1.5875366
³https://au.finance.yahoo.com/news/man-has-two-more-chances-before-232-million-is-lost-forever-222045101.html
⁴https://decrypt.co/36210/researcher-finds-more-of-satoshi-nakamotos-lost-bitcoin-fortune
⁵https://futurism.com/growing-suspicion-crypto-ceo-faked-death
NIS 2 Quick Reference Guide by the Irish NCSC
The document provides a quick reference for “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).” That really is the full name of the NIS 2 directive!
For those not familiar with NIS 2, it's an EU directive focused on organisations deemed critical national infrastructure. It adds regulatory compliance requirements for those organisations. Compliance is expected by 17th October 2024.
So What?
If you’re preparing for, or subject to, NIS 2, this is a really useful reference to create a high level plan.