Twitter has many years of “puzzling” behavior around security. In 2022 Twitter paid a $150M civil penalty because of “misrepresentation” of actions it was required to take because of privacy violations as far back as 2011. Also in 2022, former Twitter CISO Peiter “Mudge” Zatko testified to the US Senate Judiciary Committee about Twitter management’s refusal to deal with essential security hygiene issues and personnel issues. Under new ownership, Twitter has made moves that are only “puzzling” if you are looking for increases in security vs. increases in Twitter revenue and reduction of losses. Any business use of Twitter needs to be accompanied by dedicated brand awareness/security efforts to quickly detect misuse or compromise.
This is more about finding additional ways to monetize Twitter as opposed to security. Yes, SIM swapping is a thing, but its successful use is incredibly small given the large-scale use of SMS as a second factor of authentication. The inconvenience [if one can call it that] of moving to a different second factor for authentication will likely drive users to Twitter Blue.
When was the last time you looked at your accounts and made sure you had enabled any MFA options? Have you gone back to the ones using SMS to see if there is an alternative? Lastly, make sure you understand the recovery process, both for your account and your authentication app or device. Then test this when you have time for it to go wrong.
Non-paying Twitter users are still able to use the arguably more secure authenticator app or token as a second factor.
There are better 2FA solutions available than SMS. However, to many users SMS 2FA is simple and easy to use. Removing SMS 2FA is very much a retrograde step which will leave many accounts more vulnerable as they either won’t pay for Twitter Blue or won’t adopt alternative MFA solutions such as apps due to their poor user experience and cumbersomeness. It will also be interesting to see how European data protection regulators will view this move by Twitter and if they will be of the opinion that this is weakening security for many accounts.
Given the implication of passwords in breaches, we should be encouraging the use of strong authentication, not pricing it. One infers that this decision is not about security.
I hope GoDaddy will share more details. Wrongly assuming an adversary is evicted from your network is a dangerous and common problem. For GoDaddy, this also resulted in unsuspecting users being redirected to malicious sites when visiting websites hosted with GoDaddy.
GoDaddy states that law enforcement has confirmed the same attackers have been “targeting hosting services like GoDaddy.” So, if you are using low-cost hosting providers that compete with GoDaddy, like A2, BlueHost, Host Gator, Network Solutions, etc., you should get assurances from them about security status.
One has to wonder, given that the cyber actor has been entrenched on GoDaddy networks for several years, if the company is putting profit over security. You can have both but only if you lead with security; else, you give customers a reason to leave.
At this point GoDaddy claims to have things under control and has not only taken steps to monitor but also block recurrence. While I have had friends tell me GoDaddy was compromised, having that confirmed in their 10K filing was not the announcement I was looking for. If you see anomalous behavior on a service provider proactively open a ticket and report it. Don’t assume they “know about it.”
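The GoDaddy incident manifested to end users as intermittent redirects from legitimately hosted sites to attacker-controlled ones, which a site owner can only notice by looking. The script below is an added example (not from the NewsBites editors, GoDaddy or any of the sources above) of the kind of check a site owner can run against their own hosted pages: it walks the redirect chain one hop at a time, never following redirects blindly, and flags any 3xx whose Location leaves the domains you own. The domain names, the `attacker.example` target and the canned responses are constructed for the demonstration; `live_fetch` is the optional real-world fetcher using the standard library only.

```python
"""Redirect audit for pages hosted with a third party (added example).

Assumed scenario: a hosting-provider compromise causes some requests to a
site you own to be answered with a redirect to an off-domain site. Ordinary
HTTP clients follow redirects silently, so the audit walks the chain by
hand and reports any hop that leaves your own domains.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from urllib.parse import urljoin, urlparse


@dataclass
class Response:
    status: int
    headers: dict  # header names are normalised to lowercase on construction

    def __post_init__(self):
        self.headers = {k.lower(): v for k, v in self.headers.items()}


def _host(url):
    return (urlparse(url).hostname or "").lower()


def same_org(host, allowed):
    """True when host is one of the allowed domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


def audit_redirects(url, fetch, allowed, max_hops=5):
    """Follow redirects manually; return a list of findings (empty = clean).

    fetch(url) must return a Response WITHOUT having followed redirects.
    """
    findings = []
    current = url
    for hop in range(max_hops):
        resp = fetch(current)
        if resp.status // 100 != 3:
            break  # a final, non-redirect answer: chain ended cleanly
        location = resp.headers.get("location")
        if location is None:
            findings.append({"hop": hop, "url": current, "issue": "3xx without Location"})
            break
        target = urljoin(current, location)  # resolves relative Locations too
        if not same_org(_host(target), allowed):
            findings.append({"hop": hop, "url": current,
                             "issue": "off-domain redirect", "target": target})
            break
        current = target
    else:
        findings.append({"hop": max_hops, "url": current, "issue": "too many redirects"})
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the caller sees each 3xx hop."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=10):
    """Real fetcher for use against your own sites (no redirect following)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as r:
            return Response(r.status, dict(r.headers))
    except urllib.error.HTTPError as e:
        return Response(e.code, dict(e.headers))  # 3xx and 4xx/5xx land here


# Constructed responses standing in for a live server (not real traffic):
# a normal http->https hop, then a hijacked hop to an off-domain site.
CONSTRUCTED = {
    "http://example.com/": Response(301, {"Location": "https://example.com/"}),
    "https://example.com/": Response(302, {"Location": "https://attacker.example/landing"}),
    "https://example.com/about": Response(200, {}),
}


def fake_fetch(url):
    return CONSTRUCTED.get(url, Response(404, {}))


if __name__ == "__main__":
    for page in ("http://example.com/", "https://example.com/about"):
        print(page, audit_redirects(page, fake_fetch, ["example.com"]))
```

Run it periodically from a host outside the provider's network and from more than one network vantage point, since the GoDaddy redirects were reported as intermittent rather than constant; a clean result from one check is not proof the site is untouched.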
Fortinet provides no workarounds here. The fix is to update your NAC/WAF devices. While you’re at it make sure that you’re restricting access, particularly to administrative interfaces to trusted devices and networks. Also make sure you’re monitoring for unexpected activity.
Many have high CVE scores, so it is important to prioritize patching using lessons learned from the SUNBURST SolarWinds compromise. In June 2022 SolarWinds announced an effort to move to a secure development process; maybe it is now bearing fruit – we will know if we see less high-CVE “fruit” in the future.
If you still have SolarWinds Orion deployed in your environment make sure you have plans to deploy the update in a timely fashion. Double check access is restricted and monitored actively. Expect guidance from regulators still wary from the prior SolarWinds incident. You’ll need your strategy ready when you need to respond.
Nobody is immune from compromise. This incident is restricted/contained, depending on the root cause, recurrence may be prevented. You should verify your exercises include containment scenarios for multiple incident types, as well as disclosure requirements. While pertinent information must be included in your SEC filing, delaying disclosure until then is not consistent with current transparency expectations customers now demand.
Computer forensics are most often done on a stand-alone network with no connectivity to other enterprise networks. If this turns out to be the source of the incident, then it is easily contained and remediated. We should know more in the coming days.
It will be interesting to see how the revised act will deal with the criminalization of “possession of stolen data” as this could have adverse effects for security researchers, cybersecurity companies, and breach notification sites such as Have I Been Pwned. https://haveibeenpwned.com/
A lot has changed since this became law in 1990. One area that stands out is the emerging science of cybersecurity. Any update has to take into consideration that cybersecurity researchers often test commercial IT and security products for weaknesses and publish those findings. There have to be protections for this research in the update to this law.
This is a necessary, politically visible step. When planning big system improvements like this understanding dependencies and integrations is critical. Allow enough time to develop replacement or new mechanisms, particularly with new technologies - no matter how easy it looks on paper. Make sure management understands this part of the process and its critical nature.
One hopes that EHR systems are isolated from other systems to reduce their attack surface.
Having messages filtered to the Junk mailbox is only one part of the plan. Train users to be suspicious of messages regardless of mailbox, considering options where suspicious email never gets to end user mailboxes. Microsoft claims this is resolved.
These successful recoveries continue to point out that these virtual “currencies” have near zero business use without being converted to real currencies. That money laundering step gives law enforcement the opportunity to seize the assets.
This doesn’t mean the money will go back to the initial wallets it was purloined from. It means that law enforcement is getting better at unwinding the techniques used by the Lazarus group which includes data hiding, obfuscation of the trail and wiping of artifacts. The motivation to recover these funds appears to be blocking their use in the North Korean nuclear weapons program.
A continuation of nations banding together and focusing law enforcement activities in pursuit of cybercriminals. Law enforcement collectively is getting better at following the money trail and seizing ill-gotten gains. Don’t forget though, if we’re to be successful against ransomware attacks, more work still needs to be done to build resiliency in enterprise networks.
OneNote Suricata Rules
https://isc.sans.edu/diary/OneNote%20Suricata%20Rules/29564
Phishing Emails to our Handlers' Inbox
https://isc.sans.edu/diary/Spear+Phishing+Handlers+for+UsernamePassword/29560
New IIS Backdoor
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/frebniis-malware-iis
Fortinet Updates
https://www.fortiguard.com/psirt-monthly-advisory/february-2023-vulnerability-advisories
https://twitter.com/Horizon3Attack/status/1626692778062237713
Outlook Spam
GoDaddy Breach and Website Redirects
Twitter Alters 2FA
Cisco ClamAV Patches
Tune in for our upcoming webcast, Rise of the Infostealers, on February 28th at 1:00pm ET.
Join Matt Bromiley on February 28th at 3:30pm ET for our upcoming webcast, Foiling Modern Attacks: Map MITRE ATT&CK Tactics to Falco Rules | Register now: https://www.sans.org/info/225330
Upcoming webcast on March 2nd at 1:00pm ET | The State of DDoS Attacks: A Look Back at 2022 - Join us as we uncover attack trends from the last year, and discuss what to expect in 2023.