The US Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: a remote code execution flaw in Plex Media Server and a remote code execution flaw in XStream. Both have remediation due dates of March 31, 2023. Some reports have indicated that the breach of a LastPass engineer’s computer may have been conducted through a Plex vulnerability.
Most organizations will not have Plex, a popular video player, on their radar. But it played an important role in the LastPass breach. A developer's workstation had Plex installed. A vulnerability in Plex was used to compromise the workstation, and that workstation was used in the large breach of encrypted LastPass credential files. Software running on developers’ personal systems is often overlooked. Organizations should provide incentives to developers to keep software on personal workstations up to date by reimbursing patching tools or offering assistance in managing the updates.
Along with making sure that installed copies of these products get fixed, riddle me this: should they be installed on work computers? Part of any hardening exercise is removing unnecessary components. If you’re OK with the risk, make sure it is documented.
Cerebral, a mental health services healthcare platform, has begun notifying more than 3 million people that their personal information was compromised. A Notice of HIPAA (Health Insurance Portability and Accountability Act) Privacy Breach recently posted on the Cerebral website says that the company has been using invisible pixel trackers and other tracking technologies from several third parties since late 2019.
It is critical to understand what information is included when using third party trackers. Do your homework, not stopping at the shiny graphics and dashboards those trackers provide you. Also understand where your data are kept and who controls their disposition.
This will be an interesting case as it makes its way through the court system. Did Cerebral know that invisible pixel trackers were being used by third parties on its online services? Did those third parties properly disclose to Cerebral the use of, and type of data logging captured by the pixel trackers? Did Cerebral have a data management process in place to review data collected by the healthcare platform and its third-party providers? This is also an excellent case study for both boards and the executive leadership team.
The US Cybersecurity and Infrastructure Security Agency (CISA) has announced the creation of its new Ransomware Vulnerability Warning Pilot (RVWP). RVWP was established to comply with the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) and has been in operation since the end of January. RVWP involves “leverage[ing] existing authorities and technology to proactively identify information systems that contain security vulnerabilities commonly associated with ransomware attacks.”
I know using the term “ransomware” is good click bait but I sure hope CISA will also let critical infrastructure providers know if CISA finds vulnerabilities that would enable boring old breaches that expose sensitive information or other incidents that simply disrupt or corrupt critical services without trying to obtain ransom!
These warnings are intended to be one more data point of a potential for compromise. They will come from the local CISA office. If you received a notification, you can verify the identity of the CISA personnel through CISA Central: central@cisa.gov or (888) 282-0870. If you haven’t made contacts in your local CISA office, rectifying that before getting notified would be good. If you have, see what else they are doing that can help with your cyber hygiene.
While waiting to hear from CISA, be sure that you have implemented strong authentication. Passwords continue to be implicated in a majority of breaches. One need not wait for a caution from CISA. The absence of a call from CISA is not evidence of anything.
The US Securities and Exchange Commission announced that Blackbaud has “agreed to pay $3 million to settle charges for making misleading disclosures about a 2020 ransomware attack.” Blackbaud provides donor data management software to non-profit organizations. When Blackbaud disclosed the incident in July 2020, the company said that donor bank data and Social Security numbers (SSNs) had not been compromised. However, a September 2020 SEC filing indicated that the attackers had accessed and stolen those data.
Good one to use to drive a tabletop exercise walking through your breach disclosure processes. Call it “Take an Hour to Help Ourcorp Avoid a $3M Fine.”
Consistency and transparency are crucial in a breach. It is more important to fully disclose customer impacts than to downplay them to avoid negative consequences. Make sure customer and regulatory reporting match. If one is found to be in error take immediate steps to rectify and communicate.
The details of this ransomware attack make for a good case study and should be captured in a tabletop exercise by the Board. Communication to employees, customers, and suppliers is an important component of any incident response plan and should be regularly exercised by the leadership team. The final piece of the case study should capture total costs of the attack as IT and security budgets are reviewed.
The US Cybersecurity and Infrastructure Security Agency (CISA) has published a cybersecurity advisory “detailing activity and key findings from a recent CISA red team assessment … of a large critical infrastructure organization with multiple geographically separated sites.” The advisory recommends establishing a baseline of normal network activity; conducting regular assessments; and enforcing phishing-resistant multi-factor authentication.
Not much new here, but I’d reorder the top three recommendations to be: (1) enforcing phishing-resistant multi-factor authentication; (2) establishing a baseline of normal network activity; and (3) conducting regular assessments.
According to the report, there were 13 actions taken that should have resulted in a response from the target and didn’t. I think we all have some reading to do to ensure we’re not in the same boat.
Penetration testing is an important security action and makes up control 18 of the CIS Critical Security Controls. However, it should only be leveraged after doing the work upfront to: 1) know your environment (HW, SW, Data); 2) establish a configuration and patch management process; and 3) actively monitor your enterprise. Otherwise, all you get for the cost of the red team exercise is a reminder that you should… know your environment, have a configuration and patch management process, and monitor your enterprise.
Law enforcement agencies in multiple countries have taken action to hobble operations of the NetWire remote access trojan (RAT). The FBI seized a domain associated with NetWire. In Switzerland, authorities seized a server that hosted NetWire infrastructure. And law enforcement authorities in Croatia have arrested an individual in connection with the alleged operation of NetWire.
This RAT has been available for sale since 2012. It is cheap ($80-100) and multi-platform (Win, Android, Linux, Mac), and distribution is via infected Office docs sent in email. Prevention (essentially don’t click unknown attachments, don’t enable macros) can be aided by newer document scanning options in many email tools. Look to your existing provider, Microsoft, Google, etc., for integrated options before asking about an add-on. If you have a solution that is not enabled, ask why; make sure you don’t have cultural versus technical problems to solve.
Another week, another takedown by international law enforcement. These actions have only come about because of increased information sharing between nations. Over the past two years we’ve seen law enforcement action against the evil-doers themselves, their infrastructure, and the currency exchanges they use. Don’t forget though that the end user has to do their part by enabling basic cyber hygiene on their enterprise.
Krebs on Security
Justice
Security Week
Bleeping Computer
The US Cybersecurity and Infrastructure Security Agency (CISA) and Women in CyberSecurity (WiCyS) have signed a Memorandum of Understanding, “which outlines opportunities for the two organizations to formally partner on bringing awareness to the incredible careers in the industry and building a pipeline for the next generation of women in cybersecurity.”
We all struggle, at times, to find qualified staff in our profession. One of the first tasks they are working on is mentorship programs to pair upcoming women with those already in a cybersecurity career. I’m already thinking of opportunities in my organization. Go to the WiCyS.org website to learn more.
The Housing Authority of the City of Los Angeles (HACLA) has disclosed a data breach that affects personal information, including driver’s license, payment card, passport, and financial account numbers and health insurance data. HACLA detected encrypted files on its network on December 31, 2022. An investigation revealed that intruders had had access to HACLA’s network since mid-January 2022.
Go back and read that again. The attackers were in their network since January 15, 2022. Detection is key to reducing dwell time. Having secure configurations, as well as documentation about what is running where, ideally with controls on running new software, is a good way to keep things in check. At a minimum, make sure you are not only collecting logs from everything but also have alerts configured for anomalies. Make verifying logs and alerts SOP when commissioning any system on premises or cloud. If you can’t get logs forwarded from a given service, develop procedures to cover the gap.
This is an interesting disclosure. HACLA has an annual operating budget of $1B. Surely with a budget of that size, it has established a cybersecurity program. A review of staffing, training, and cybersecurity practices should be part of the after-action report.
The Centre Hospitalier Universitaire (CHU) Saint-Pierre in Brussels, Belgium, was the target of a cyberattack over the weekend. The incident caused the organization to divert ambulances to other hospitals. By Saturday evening, the affected servers were disconnected and restarted; they remain disconnected from the Internet. CHU Saint-Pierre’s chief executive said that the hospital “launched the emergency plan specifically established for this type of situation.”
If you’re in this position, can you execute an emergency plan that you have confidence in? If you’re saying anything but a confident yes, you know what needs to be done. Even if you are confident, make sure your backup and their backup are also as confident.
While it has not yet been determined if this was a ransomware attack, the outcome is the same: severe impact to business operations. Having to revert to staff-intensive processes is both inefficient and poses some risk to patient care. The hospital has largely recovered from this attack and will most certainly revisit its patch and configuration management processes.
More than a dozen vulnerabilities have been detected in Akuvox E11 smart intercoms. The flaws were reported to the US Cybersecurity and Infrastructure Security Agency (CISA) by researchers from Claroty’s Team 82. Both Claroty and CISA have attempted to notify the Chinese vendor and coordinate the vulnerabilities’ disclosure since January 2022. The vulnerabilities remain unfixed; CISA recommends disconnecting Akuvox E11 devices from the Internet until fixes are made available.
These vulnerabilities include remote code execution flaws, remote activation of microphone and camera, and access to downloaded images and files stored on the device. As of March 13th, Akuvox acknowledges the flaws and promises updated firmware by March 20th. While it is great to see they are addressing the flaws, 90 days to acknowledge a vulnerability report is unacceptable in 2023, particularly when more than one source reaches out. If you have one of these devices, seriously look at keeping it offline until patches are out or maybe replacing it given the response to vulnerability disclosures. Make sure that your own organization not only has a vulnerability disclosure policy that includes timely response, but also that it is published on your web pages, preferably under a link like domain/security. Take a look at DHS BOD 20-01 for more ideas and sample language.
A reminder that there are always workarounds. As in this case, most are not welcomed by users or suppliers.
The failure of Silicon Valley Bank (SVB) and Signature Bank this weekend left many of the bank's customers with questions as to how to communicate with the bank, or how to access their money. Scams often take advantage of these uncertainties, and some indications of scammers becoming ready to act have been sighted. The Internet Storm Center already spotted some suspicious domain registrations, and observed companies using simple emails to update account information with partners.
If nothing else, scammers are opportunistic, with perhaps more agile development processes than defenders. Expect this to continue to play out over the next couple of months. That said, phishing, smishing, or vishing is the primary attack technique used. Integrate awareness of this attack technique as part of your enterprise security program.
The primary issue with these banks was liquidity risk. They didn’t have the capital to back up withdrawals and sold investments at a loss, heading down a slippery slope. My point is there is an opportunity to learn from these events if you’re in the financial sector. It is worth noting these banks largely had a very specific customer base, e.g., VCs, who operate differently from traditional depositors. If you (or your friends) have funds in SVB or Signature Bank, you’re still covered by the insurance fund. IT and cyber staff were offered 150% of their salaries to operate the banks for the next 45 days while this all gets sorted out. Be extra careful of any requests to change payment accounts (think BEC) or of offers from third parties offering to help you recover your funds. Double check all such offers.
SVB Scams and New Domain Registrations
https://isc.sans.edu/diary/Incoming+Silicon+Valley+Bank+Related+Scams/29630
AsynRAT Trojan - Bill Payment (Pago de la factura)
https://isc.sans.edu/diary/AsynRAT+Trojan+Bill+Payment+Pago+de+la+factura/29626
Mirai Payload Generator
https://isc.sans.edu/diary/Overview+of+a+Mirai+Payload+Generator/29624
Multi-Technology Script Leading to Browser Hijacking
https://isc.sans.edu/diary/MultiTechnology+Script+Leading+to+Browser+Hijacking/29620
CISA Adds Older PLEX and VMWare Vulnerabilities to Known-Exploited List
FortiOS Vulnerability Exploited
https://www.fortiguard.com/psirt/FG-IR-22-369
OneNote will warn users of embedded content
Google Removing Chrome Cleanup Tool
https://security.googleblog.com/2023/03/thank-you-and-goodbye-to-chrome-cleanup.html