I’m sure this will be a Netflix mini-series in a few weeks! Remember the days of having to check the PBX phone bills for employee misuse? “Bitmining” means doing that for the electric bill. But, a good overall reminder that unauthorized use (by employees or intruders) of computing systems needs to be detected.
Cryptocurrency mining requires a lot of electricity to both power and cool the equipment. If you can figure that piece out, then the mining operation can be profitable. I am a bit surprised that in a high energy cost state like Massachusetts, government officials didn’t notice the spike in electricity costs sooner, to bring this crypto mining caper to a close.
Cryptomining uses a lot of power, so in places like New England where power is expensive, it's hard to be profitable unless you find a way to offset that cost. In this case, about $17.5K of power was purloined from the school. If you're not already watching for unexplained spikes in your power bill to detect mining, add that to your list.
Can you imagine you and a friend set up a crypto miner in high school and the US Coast Guard is called? I am sure some 15-year-olds are completely freaked out right now. The question is what happens next? Hopefully, they are guided in the right direction and not treated solely as criminals.
Some good inside information from Microsoft on how malicious behavior can be used to detect attacks beyond relying on simplistic IoCs. I often find that vendors claim to use sophisticated approaches. But the reason they are hiding them as trade secrets is mostly the fact that they in the end rely on simple pattern/IoC matching instead of a good understanding of attack behavior. Microsoft does well by opening up how they are detecting these critical attacks.
Two major comments: (1) I’ve often used the analogy of a water company delivering contaminated water to customers and then selling water filtering services/products. In the early 2000s, during the waning years of Windows XP and the formative years of Windows Vista, Microsoft had a chance to make game-changing security upgrades to Windows but instead it acquired two AV companies (GeCAD and Sybari), and 20 years later critical Windows vulnerabilities are still being exposed and breaches of Windows still require reactive add-on products, from Microsoft and a broad array of security vendors; (2) putting that historical note aside, I think conditions are right for the level of automation Microsoft is showing. False positives are always a worry, but many incidents leave high assurance footprints. Probably more importantly, even CEOs are used to short disruptions when using the Internet and these days would accept that happening a few times per year if it meant they never had to do the perp walk after an incident.
Microsoft is moving from IOCs to AI for detection and response. For BEC detection, users are automatically suspended if you're using Microsoft Defender for Identity, and if using Defender for Endpoint, enrolled devices are not able to communicate with compromised devices. This service is in preview, and requires Defender pre-requisites, including Defender for Cloud Apps, and Defender for Identity.
While MSFT is an IT company, it is increasingly demonstrating its cybersecurity chops. Automation is key to changing the advantage that cybercriminals currently have. Additionally, the Defender capability extends security not only from Azure Cloud but more importantly, to the endpoint.
Microsoft’s automatic attack disruption appears to be very impressive, as they are moving beyond just individual IoCs and leveraging the breadth of information that O365 can collect and correlate. However, what I feel is even more exciting is MS’s push to install Microsoft Defender by default with O365 apps. The easiest security behavior for any individual is the one they don’t think about. This is similar to MS’s push to have MFA enabled by default for Azure accounts.
Microsoft
The Register
ZDNet
Tech Republic
Bleeping Computer
Much interesting detail about what the attacker did but the smoking gun is: “…the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity.” If strong authentication/MFA had been in use, the attack fails. I guess a company that sells password management has DNA that makes it slow to move away from passwords (they did say MFA rollout was in process when the 2nd attack happened) but we expect and deserve better from security product vendors.
LastPass is coming under a lot of criticism regarding this breach, but before we cast any more stones at LastPass, how confident are you that you would have detected a similar type of breach in your own environment? This scenario is similar to the one I often give to clients when they confidently claim they are secure as everything is stored in the cloud, and I respond by asking how they would detect an attack if the device of one of their staff was compromised and used by the attacker to piggyback their access into their environments. Kudos to LastPass for being open in their findings of the breach so that we can all learn how to improve our security postures.
The downside to BYOD is there can be applications and services which, themselves, could lead to compromise of corporate activities performed on those systems. Since you don't own the hardware, prohibiting services such as Plex (the entry point) is problematic. This particular engineer was one of four with access to a highly sensitive password vault, which should have triggered risk-based actions, possibly not allowing that access or storage of those credentials on personal or off-premises systems. Odds are that remediation costs will far exceed the costs of providing managed corporate systems (physical or virtual) for remote work.
With this level of targeting it appears that this is more of a Nation State threat actor than some random attack group. The question then is what does LastPass do around this? They have suffered a major reputational hit, but against a well-funded Nation State threat actor, which companies would be able to fully shield themselves? Maybe transparency would have been a better solution for LastPass if they had the information at hand.
It’s one thing to speak to the need for strong security by ICT vendors, another entirely to measure for compliance. The US is a signatory to the International Common Criteria Recognition Arrangement, which sets the requirements for evaluation of ICT products. It’s mostly been a failure: high cost to the product vendor, lengthy evaluation process, lack of demand by consumers, stifled innovation, and inability to maintain state of security. Until we develop and mandate new criteria for implementing “strong security as a standard feature in [vendor] products,” adherence to cybersecurity best practices, such as the CIS Critical Security Controls, is the only defense.
The lack of effective self-regulation and focus by vendors, including cybersecurity vendors, on good cybersecurity is coming home to roost for those vendors. It is interesting to see how governments are now looking at introducing regulations to force vendors to improve their cybersecurity. The EU is already implementing this with its EU Cybersecurity Certification (https://www.enisa.europa.eu/topics/certification/eu-cybersecurity-certification-faq) which requires vendors to meet minimal cybersecurity requirements for at least 5 years for the product or service.
In-depth testing, unit/acceptance testing should be verifying both function and security features in products. With pressure to deliver faster, at all costs, the temptation is to let users find the issues. While I like the analogy of users being "crash test dummies", the reality is in the automotive industry, testing is risk based, life-safety is well vetted, while IT security is less so, as evidenced by car hacking activities. Your risk model has to be modified to include not only cyber security in development and testing, but also consider the impacts and potential liability for customers (internal and external) damaged by security flaws from your product.
We have been saying this for almost as long as many of the readers here have been alive. I am not sure if this is a good or bad thing at this point. What I can tell you is that we will see how much security matters over the next few years as the world is trending into a much larger war footing.
Hear, hear! While the market has demonstrated a clear preference for openness, generality, flexibility, feature rich, and early, the quality of our most popular software is an embarrassment to its authors, not to say a disgrace. Patches are so numerous and frequent as to suggest a reservoir of vulnerabilities both known and unknown. The result is a fragile infrastructure that makes us vulnerable both to criminals, all the time, and to nation state adversaries in times of armed conflict.
Nextgov
Gov Infosecurity
MeriTalk
DUO
SC Magazine
That they can determine that the breach did not impact the database related to the Witness Security Program (aka Witness Protection program) indicates they are aware of which data is where. Keeping an inventory of data collections in a legacy environment, while challenging, is doable. Cloud has made this far more difficult, particularly as cloud services make it nearly trivial to spin up copies without constraints, such as obfuscation and access controls. Technology is emerging to allow you to examine resources created in your cloud and alert on discovery of new collections of data you're concerned about (PII, IP, PHI, payment card, etc.). Use these notifications to not only document where things are but also trigger security reviews to ensure they are protected and only contain appropriate data.
Not much info on this one, but one comment: it appears that the major issue was a breach that enabled sensitive data to be exposed. Seems like “ransomware” is always thrown into reports because it seems to draw more “clicks.” The failure that needs to be rectified was not protecting the data (or critical executables). The ransom part doesn’t happen if that failure doesn’t occur.
Reporting the last few months has been on a wave of ransomware attacks against both the healthcare industry and local government. Here’s an example of what appears to be a successful attack against a well-resourced organization. It would be helpful to understand what defensive measures the USMS had in place; in essence what worked and what didn’t work throughout the attack lifecycle. That knowledge helps build better cybersecurity best practices while we wait for “secure by design.”
Telus is working to determine which data was breached; their information doesn't match the scope of the attackers' claims, which comes back to knowing what data is where as well as having good records of accesses, at both the OS and application level. The increased use of SMS and phone calls for second factor authentication has put telecommunications providers in the crosshairs. Who needs a SIM-swapping attack if I can just view the traffic en route?
Dark Reading
The Register
Bleeping Computer
Global News
Part of the story here is about making sure that your outage notifications are kept current. While the Dish website continued to report down services, updates from management were not included. Make sure that you've got a plan to keep your customers apprised, daily or even hourly depending on the impact your service has when down.
This appears to be very bad. If you're a Boost Mobile or DishTV user, how long before you're out of service, or if you are out of service, how long before you are back in service? Could you imagine if this was AT&T or Verizon? This one is not the top news article because it's "only DishTV."
Practitioner's note: Tools like WPScan are great for hunting down those outdated plugins that the auto-update process misses.
This is a premium theme sold through ThemeForest. It runs about $70 + support, and is targeted to the Real Estate market. There are two CVEs - CVE-2023-26540 and CVE-2023-260009 with raw CVSS 3 scores of 9.8. This is one to make sure that you've applied the update, even if you've got automatic updates configured, as it is being actively exploited in the wild. I mean, like check before you finish that cup of coffee, OK?
Bleeping Computer
Patchstack
Patchstack
Patchstack
Obviously, a two-year time-to-detect is a serious failure of essential security hygiene, regardless of who launched the attack. News Corp’s SEC filing points to attacks against “… third-party providers for certain technology and “cloud-based” systems and services that support a variety of business operations.” Another example of (1) needing to assure that security visibility and control extends into any cloud services that will store or process sensitive information; and (2) skilled attackers are going after high leverage targets – cloud services and software products with high market shares. The reason to highlight (2) is that (1) is required even if you are using the AWS, Azure, GCP, Salesforce, etc. of the world: are you administering those services securely enough?
Dwell time is always a challenge. Make sure you are using every trick available to detect anomalous activities. If you've migrated to the cloud, look at capabilities from your CSP; you may have to (steel yourself) talk to your account/sales rep to discover tools you may not be aware of. Interestingly, while News Corp claims the attack was not focused on exploiting personal information, names, dates of birth, medical/health insurance information, social security, passports, financial accounts and driver’s license numbers were exfiltrated and appear to be being used for identity theft.
Ars Technica
Bleeping Computer
Infosecurity Magazine
Document Cloud
In this case the suspects appeared to sell the information exfiltrated, despite the victims paying to "get it back." While many ransomware operators do delete the data after you've paid to get it back, you are dealing with cyber criminals and should not assume this is actually done. Make sure that your ransomware recovery strategy revolves around actions you can take not involving paying for data or decryption keys. Then make sure that you can actually do those things.
Two observations: 1) Law enforcement is getting better, much better in ferreting out cybercriminals; 2) Unfortunately, ransomware payouts are still lucrative and because of that, will continue to attract cybercriminals.
A good reminder that a ransomware attack can be deemed to be a breach of the EU General Data Protection Regulation, and if the regulation applies to you then you may be required to report it. Note that the fine partly relates to how Centric Healthcare managed their response, which resulted in 2,000 patient records being permanently lost. So a key lesson is how well rehearsed and practised are your incident response processes and procedures, and can you with confidence say those processes and procedures won’t do more harm than good? Practise makes perfect and perfect takes practise.
This outcome by the DPC will have an interesting effect on organizations that fall under their oversight. Centric Healthcare is applauded for quickly notifying DPC of the cyber breach but admonished for not adequately protecting data for forensics. Incident response plans will now need to be updated to address human error, if possible.
Make sure that your recovery process includes forensic imaging where possible, or your investigating team may not be happy with you. While there will be exquisite pressure to return systems online instantaneously, having these images to reconstruct system state may actually help move things along without crippling your investigation. If you're not certain, talk to incident responders about what they need to properly forensicate an incident, then modify your plans accordingly.
The Irish Times
Phishing Again and Again
https://isc.sans.edu/diary/Phishing+Again+and+Again/29588
URL Files and WebDAV used for IcedID Bokbot Infection
https://isc.sans.edu/diary/URL+files+and+WebDAV+used+for+IcedID+Bokbot+infection/29578
oledump MSI File Plugin
https://isc.sans.edu/diary/oledump+MSI+Files/29584
Unlocked Phone Stealing
More Fake Authenticator Apps
Zoneminder Vulnerability
https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-72rg-h4vf-29gr
WebLogic Exploit (not verified) CVE-2023-21839
https://github.com/4ra1n/CVE-2023-21839/blob/master/cmd/main.go
Automatic Disruption of Ransomware and BEC attacks with Microsoft 365 Defender
Cisco Vulnerabilities