On Thursday, March 2, the White House released its National Cybersecurity Strategy, which rests on five pillars: defending critical infrastructure; disrupting and dismantling threat actors to blunt their threat to national security and public safety; shaping market forces to boost security and resilience; investing in a resilient future through “strategic investments and coordinated, collaborative action;” and forging international partnerships to achieve common goals. The strategy’s initiatives include seeking to place responsibility for cybersecurity on manufacturers rather than end-users, imposing minimum security standards for critical infrastructure operators, and directing the Office of Management and Budget (OMB) to oversee technology modernization at federal civilian agencies.
Two key points in this strategy: (1) Much more talk about regulation, but the US has a very poor record of ever actually passing meaningful federal cybersecurity regulation – witness 20 years of draft national privacy laws that never see daylight; (2) We have seen in the past that the government’s best leverage is through its buying power. To me, the most important thing this strategy says is “We will use Federal purchasing power and grant-making to incentivize security.” But, to be a nattering nabob of negativism: Here’s what President Clinton’s strategy said in 1998: “The Federal Government shall, through its research, development and procurement, encourage the introduction of increasingly capable methods of infrastructure protection.” Changing government procurement rules to require higher levels of security and testing of all products and services the government procures should be easier than getting politicians to agree – we have examples like FIPS 140-1 and FedRAMP of that being true, but need many more.
The much-anticipated National Cybersecurity Strategy has dropped. In many respects it’s a continuation of the 2018 Strategy. The primary differences are regulating critical infrastructure sectors and [potentially] shifting the liability burden from consumers to software vendors. On regulation, you can only do so much via executive order. If the strategy is to be fully implemented, the legislative branch will have to be involved. On shifting software liability, defining and measuring ‘secure by design’ is very complicated. Additionally, any liability changes will require action by Congress.
This strategy intends to level the playing field through more specific regulatory requirements to ensure consistent implementation. So long as a risk-based approach remains, this will get us where we need to be. These regulations, and corresponding guidance from NIST and CISA, should be tools the private sector can leverage in planning their cyber strategy. The biggest challenge is going to be how solutions and deployment teams are funded. While mention is made of federal buying power, consideration has to be given to implementation, process engineering, and mortgage costs.
We have to start somewhere, but this strategy suggests the difficulty of this problem. We are in far worse shape, heavier reliance on technology, and more vulnerable than we were in the Clinton Administration. One might well like to see a strategy that stressed measurement. To paraphrase Thompson, "If one cannot measure it, one cannot recognize its presence or its absence," and Deming, "If you do not measure it, you cannot improve it."
White House
Cyberscoop
Nextgov
Fedscoop
Ars Technica
SC Magazine
Security Week
Gov Infosecurity
GitHub secret scanning is now available for all public repositories. GitHub opened the public beta for secret scanning in December. Secrets are sensitive data that are inadvertently added to repositories; they include authentication tokens, API keys, and passwords.
Thanks, GitHub, for making this tool available for free. GitHub continues to lead in protecting open source developers by offering tools like this to free accounts.
Practitioner's note: Secret scanning will not turn on by itself. Per their blog post, "You can do this by going to the ‘Settings’ tab and clicking on ‘Code security and analysis’ under ‘Security’. Find ‘Secret scanning’ and click ‘Enable’."
Well done GitHub, choosing not to monetize security but rather, providing a security service for free to your users. Although a poor software development practice, developers often embed credentials (tokens, private keys) in their code. This service helps identify those credentials within the GitHub repository.
Uploading secrets to the repository can happen to anyone; I'll take any help I can get to make sure I don't mess up. This feature went beta back in December; it's now in production. That the service is free for all public facing repositories makes this a no-brainer - enable the scanning under Settings -> Code security and analysis (in the security section) click enable under Secret scanning. Discovered secrets trigger an alert to the contributor, repository admin and organization owners.
Salt Labs researchers found that misconfigurations in Booking.com’s implementation of the OAuth open authorization standard could have been exploited to take over user accounts. The attack involves chaining together three security issues. Booking.com has fixed the problem.
The article by Salt Labs is a good read for anybody implementing OAuth. The Booking.com use case is a bit different than what is usually done with OAuth, but still close enough that it is possible for others to fall into the same trap. It is nice to have the detailed walk through to learn from.
OAuth is an authentication standard that reduces credential theft by limiting application access to login credentials. It has seen increased usage over the past five years by website operators. As such, we’re seeing more and more attacks that take advantage of application misconfiguration to steal OAuth tokens. In this case, Salt Labs responsibly reported the misconfiguration, but next time it may be a cybercriminal looking for a quick payout.
Note the response to the vulnerability disclosure, not only taking the input seriously but also quickly confirming they had not been compromised, then quickly resolving the issue, while acknowledging Salt Security for their report. I am sure we would prefer our own teams discover flaws; external discovery as a partnership rather than an adversarial action is a thing. If you don't already have a VDP policy, with supporting practices and possibly rewards, now is the time.
Salt
Infosecurity Magazine
CSO Online
Dark Reading
This article examines the good and the bad in the ways five organizations – Cash App, International Committee of the Red Cross (ICRC), LastPass, Rackspace, and Zacks Investment Research – responded to data breaches.
Good reading to base a desktop exercise around to make sure your breach responses will be more like the “Do-be’s” than the “Don’t be’s.”
This 8 minute read would be excellent homework before you gather to work your business continuity plan and exercise. Not only does this give you ideas about what sort of actions did or did not work, it's also food for thought when creating that tabletop exercise.
A good summary of incident response [in]action by several companies that suffered a cyber breach. The key takeaways from the article: 1) be responsible, bad news doesn’t get better over time; 2) be transparent to both employees and users; and 3) provide a post mortem on the attack to include where defenses failed.
In a Form 8-K filing with the US Securities and Exchange Commission (SEC), satellite television provider Dish Network said that the network outage initially reported on February 23 resulted in some data being exfiltrated. As of Thursday morning, the Dish Network website indicates that it is still “experiencing a system issue.”
Dish so far has made some of the common mistakes in handling a highly public incident like this: not communicating with customers, and allowing rumors based on insider leaks and incomplete releases as part of financial filings to shape the story will hurt Dish's reputation more than the actual incident. I know people are likely busy dealing with the incident, but I also doubt that the PR team is helping remediate ransomware.
Note the statement from Dish below; it's not a bad starting point. Two things to note: First, there appear to be no updates since the 27th. Consider updates, with timestamps, to show you're not only working the problem but also aware of customer impact. Second, don't be afraid to be more transparent as to what the issue is. Indicators are that Dish had a data exfiltration/ransomware type of attack; most folks are aware of these attacks and what's involved to recover.
Cisco has released updates to fix two vulnerabilities in the web-based user interface of several models of its IP phones. The first vulnerability (CVE-2023-20078) is an insufficient validation of user-supplied input issue that could be exploited to execute arbitrary commands. The second vulnerability (CVE-2023-20079) is an insufficient validation of user-supplied input issue that could be exploited to cause a denial-of-service (DoS) condition. There are no workarounds.
If you're running firmware version 12.0.1, you're not affected; if you're running a version older than 11.3.7SR1, you need to push the update. You may want to let your users know how to have their devices manually update, rather than rebooting their phone at an inopportune moment.
In any case, prefer purpose-built apps for sensitive applications, specifically to include finance, travel, and health.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added one bug to its Known Exploited Vulnerabilities catalog. The unspecified flaw in ZK Framework’s AuUploader could allow an attacker to retrieve the content of a file located in the web context. The vulnerability was patched in May 2022; CISA notes that it is being actively exploited to target unpatched systems.
[Neely] ZK is an open-source Ajax Web app framework. Yes, this is Java, it facilitates creating a GUI for web apps. Check for applications, like ConnectWise backup and recover which have ZK embedded. The exploit leverages an internal forward, allowing access to hidden content in the WEB-INF folder. Check the ZK alert (https://tracker.zkoss.org/browse/ZK-5150) for details and remediation information. You have until March 20th to update packages using this framework.
The US Cybersecurity and Infrastructure Security Agency (CISA) has released the Decider web application, a tool that “helps network defenders, analysts, and researchers quickly and accurately map adversary tactics, techniques, and procedures (TTPs) to the ATT&CK knowledge base.” Decider was created in partnership with Homeland Security Systems Engineering and Development Institute™ (HSSEDI) and the MITRE ATT&CK team.
You're going to need to download Decider and host it on your own server. The idea of the framework is by mapping the attackers’ behavior and progress, you're going to be better prepared to anticipate their next move, shutting down the attack. The problem is ATT&CK is complex, involved and tricky to use. Decider is positioned to simplify this using plain language that analysts at any level can understand. When things are going south, any help I can give my team is a win. Check this out before you're responding to an incident.
Kudos to CISA for simplifying the tedious task of mapping adversary attack behavior. It will be a handy aid for threat intelligence analysts to document attack patterns used by adversaries. Unfortunately, as we well know, many adversaries change their tactics and techniques given the target.
Security Week
Dark Reading
SC Magazine
Bleeping Computer
CISA
GitHub
According to a report from ESET researchers, the BlackLotus UEFI bootkit malware can now bypass Secure Boot on fully patched Windows 11 machines. The bootkit exploits a known vulnerability that Microsoft fixed in January 2022, although "exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list."
The We Live Security blog below provides supporting evidence to this bootkit being used in the wild. Hat tip to Paul Asadoorian for the following: We thought this might just be a hoax, but it is not. The BlackLotus bootkit being sold on the underground is real, and folks have found it in the wild. Turns out it uses Baton Drop (https://github.com/Wack0/CVE-2022-21894) to bypass Secure Boot. The attackers introduce signed, but vulnerable, boot loaders which allow them to remove the Secure Boot policy and infect the system.
We Live Security
The Register
Security Week
The Hacker News
Recently disclosed data breaches affecting the healthcare sector include a network server breach at Evergreen Treatment Services in Washington State; a network server breach at Sentara Healthcare in Virginia; a network server breach at the Health Benefit Plan of Bridgewater-Raritan Regional School District (BRRSD) in New Jersey; and patient data exposure at Hutchinson Clinic in Kansas.
The healthcare sector continues to be a prime target for attack. Why is that? One reason is lack of resources (human, technology) available to properly secure its infrastructure. Another is security awareness training. Often security is an ‘additional duty as assigned’ for employees of small facilities that make up the bulk of the healthcare sector. We’ve got to simplify the secure implementation of IT applications for all.
The healthcare sector needs a little love here. They remain a popular target and regrettably they are a living example of life safety versus security; let alone costs. The last time I was in a hospital I was looking at all the equipment they have to deploy to remain current/viable, then consider the cost of the equipment, it was striking that they were as hard of a target as they are. The good news is organizations like Health-ISAC, CISA and others have resources they can leverage. I have contemplated asking my doctor, the next time I see him, if he needs help keeping his office secure. That may not be a bad opportunity for a little give-back.
These breaches suggest a flat network. We have been arguing here for structured and layered networks. More specifically, in healthcare we have suggested that clinical systems be isolated from the porous public network facing apps like e-mail and browsing. Similarly, servers should be isolated from the public networks. If it cannot be seen, it cannot be exploited.
Health IT Security
Evergreen Treatment
Sentara
BRRSD
Hutch Clinic
OCR Portal
YARA: Detect the Unexpected
https://isc.sans.edu/diary/YARA+Detect+The+Unexpected/29598
Python Infostealer Targeting Gamers
https://isc.sans.edu/diary/Python+Infostealer+Targeting+Gamers/29596
BB11 Distribution Qakbot (Qbot) activity
https://isc.sans.edu/diary/BB17+distribution+Qakbot+Qbot+activity/29592
SANS.edu Student Marco Gfeller: Lightweight Python-Based Malware Analysis Pipeline
https://www.sans.org/white-papers/lightweight-python-based-malware-analysis-pipeline/
Drone Security and the Mysterious Case of DJI's DroneID
https://github.com/RUB-SysSec/DroneSecurity
Booking.com OAuth Flaw
https://salt.security/blog/traveling-with-oauth-account-takeover-on-booking-com
DNS Abuse Techniques Matrix
https://www.first.org/global/sigs/dns/DNS-Abuse-Techniques-Matrix_v1.1.pdf
BlackLotus UEFI Bootkit
https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
TCG TPM2.0 implementations vulnerable to memory corruption
https://kb.cert.org/vuls/id/782720
Aruba Vulnerability
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt
Cisco VoIP Phone WebUI RCE
LastPass Incident Details
https://support.lastpass.com/help/incident-1-additional-details-of-the-attack
https://support.lastpass.com/help/incident-2-additional-details-of-the-attack
CISA Red Team Shares Key Findings
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-059a
Jailbreak Chat