Last week, the SANS.edu college released the third volume of its annual research journal. The journal summarizes some of the best research papers written by our students over the last year. Download your free copy:
The US Cybersecurity and Infrastructure Security Agency (CISA) is seeking public comment on a draft version of the Secure Software Self-Attestation Form. A September 2022 directive from the Office of Management and Budget (OMB) mandates that “Federal agencies must only use software provided by software producers who can attest to complying with the government-specified secure software development practices, as described in the NIST Guidance.” Comments will be accepted through June 26, 2023.
There will be a lot of grumbling around this, but this has been the critical missing first step after years of talk (new strategies every 4 years) by the US federal government around increasing software security and very little movement forward. Software Bills of Material are not very useful if all the software is packed with vulnerabilities. A positive side effect of this will be more of those government agencies who have been unable to patch data center software will move to FedRAMP cloud services to avoid the attestation effort.
The intent is to move the software industry to use secure design principles in product development – a good thing. That said, the government has to be careful not to ‘blacklist’ vendors as part of government procurement. Additionally, vendors may open themselves to increased liability should software defects be traceable to non-adherence in CISA specified design principles.
If you're a software provider, take the time to review and comment on the proposed form. While it's not clear how one could require a 100% attested software base, it's going to be difficult for providers that currently provide software to federal customers to continue to do so without this attestation.
Poor software quality has left us with an infrastructure that is expensive to use and a risk to our national, not to say global, security. This is a small step toward the minimum representation of quality that one should expect of any and all software vendors.
CISA
CISA
Security Week
MeriTalk
Fedscoop
In the interest of improving security, some software is being rewritten in Rust. Microsoft has begun rewriting core Windows libraries in the memory-safe programming language. Linux-like command line tools sudo and su are also being rewritten in Rust.
Progress/plans towards moving the memory-safe languages is a good question to ask in all software RFPs.
Moving to languages with more built in security protections is a great thing. I, for one, welcome our new Rust overlords!
I’ve been a fledgling Rustacean for a while now. Rust is one of these languages that proves you can have speed and memory safety. In my opinion, every language has its use cases, and Rust is designed to replace some of the more commonly exploited software packages, from JavaScript engines to systems languages. The learning curve, however, is steep.
Something like 70% of the Windows CVEs are memory related. Moving from C++ to a memory safe, newer, programming language, in this case Rust, is good as you're not only using a language that has modern memory protections, but also forces re-evaluation of code, providing the opportunity to not carry forward sins of the past.
This is an exciting announcement and is a small, first step to memory safe code. That said, we’re still at least a decade or more away from seeing the Windows operating system written entirely in Rust.
Rust is a major improvement in our software development tools. By improving object type enforcement, it addresses the source of many of our software problems. Kudos to those who have contributed to it. Amazon, Google, and Microsoft lead a long list of corporate sponsors. Look for your suppliers on that list.
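To make the "memory protections" point above concrete, here is an added example (not code from the page, from Microsoft, or from the Rust project) of the kind of defect memory safety removes: a length-prefixed record parser of the sort that, written in C with an unchecked length field, becomes an out-of-bounds read. In Rust, slicing through `get(..)` turns a lying length field into a recoverable error rather than reading past the buffer. The record format (1-byte tag, 2-byte big-endian length, payload) and the sample bytes are constructed for the example.

```rust
// Added example: bounds-checked parsing of a constructed TLV-style record
// format. The format (tag, u16 big-endian length, payload) is an assumption
// made for this example, not a format from the page.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// The input ended before the bytes a header or length field promised.
    Truncated { needed: usize, available: usize },
}

/// One parsed record borrowing its payload from the input buffer.
#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub tag: u8,
    pub payload: &'a [u8],
}

/// Parse a single record from the front of `input`, returning it and the
/// unconsumed remainder. Every slice is taken with `get`, which yields None
/// instead of reading out of bounds when the length field is larger than
/// the data actually present.
pub fn parse_record(input: &[u8]) -> Result<(Record<'_>, &[u8]), ParseError> {
    let header = input.get(..3).ok_or(ParseError::Truncated {
        needed: 3,
        available: input.len(),
    })?;
    let tag = header[0];
    // Length is attacker-controlled data; it is never trusted as an offset
    // without the bounds check below.
    let len = u16::from_be_bytes([header[1], header[2]]) as usize;
    let end = 3 + len; // cannot overflow: len <= 65535
    let payload = input.get(3..end).ok_or(ParseError::Truncated {
        needed: end,
        available: input.len(),
    })?;
    Ok((Record { tag, payload }, &input[end..]))
}

/// Parse records back to back until the input is exhausted. A truncated
/// record anywhere in the stream aborts parsing with an error instead of
/// producing a record that points outside the buffer.
pub fn parse_all(mut input: &[u8]) -> Result<Vec<Record<'_>>, ParseError> {
    let mut records = Vec::new();
    while !input.is_empty() {
        let (record, rest) = parse_record(input)?;
        records.push(record);
        input = rest;
    }
    Ok(records)
}

fn main() {
    // Constructed inputs: a well-formed stream, and one whose length field
    // claims 65535 bytes while only one byte follows the header.
    let good: &[u8] = &[0x01, 0x00, 0x03, b'a', b'b', b'c', 0x05, 0x00, 0x00];
    let lying_length: &[u8] = &[0x02, 0xFF, 0xFF, 0x00];
    println!("{:?}", parse_all(good));
    println!("{:?}", parse_all(lying_length));
}
```

The design choice worth noting is that the parser never indexes with a value derived from the length field; it asks the slice for the range and treats a refusal as a protocol error. The same discipline is what a C rewrite has to reproduce by hand at every offset calculation, which is where the historical CVEs come from.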
Nearly a year after introducing its Rapid Security Response feature, Apple has released its first updates for iOS and macOS through Rapid Security Response updates. The feature was designed to allow Apple to quickly issue patches more frequently when a vulnerability is being actively exploited or otherwise poses a serious risk. Apple has not yet provided details about the vulnerabilities the updates address. The update will add an (a) to the OS version to indicate that it’s been installed. Users are reporting difficulties installing the patches on iPhones.
I applied this update to my iOS and macOS systems with little issue. The new update process is significantly faster. However, Apple did not release any details as to what vulnerability it exactly patched. I do not like "mystery updates." Some users reported difficulties downloading the update, which may be related to Apple not being able to handle the large number of requests and the rapid deployment. According to code found by researchers, Apple intends to apply this update across its user base in two days.
I am on Apple Beta on several devices, so I have installed some rapid updates while in beta. These are sorely needed. They generally take less than 5 minutes to install. The first time it happens, I think many Apple users will be afraid to hit “install” because it’s never been a quick thing, but after a while, it should be simple for everyone. On a side note, this is not the conversation we would have with Android, as currently, it would revolve around “Are updates even available for my device?”
It’ll be interesting to see how quickly people and organizations deploy this, given the lack of details about the issue and some bumps in the road to installation. I think it’s a worthy experiment by Apple. I do hope they will report numbers and a timeline for how quickly users applied this update.
These updates, which I've seen in the Beta programs for iOS, are really slick: they are small and download and install quickly, which means they have a really low impact on end users, who can even install them over cellular data because of the small size. These rapid security response updates are available for iOS 16 and macOS 13 only. If they could change the trend of bundling new features and security updates, pushing low-impact quick updates to users monthly would go over well with users and facilitate keeping devices updated.
Over the past couple years, we’ve seen an increase in active exploitation of Apple products. The Rapid Security Response feature is Apple’s response. It’s too early to tell if the feature will streamline patch management or create additional user headaches in the form of update fails.
Though I had "automatic updates" on, I had to initiate the update manually. No problems. Very fast update; minutes rather than the usual tens of minutes.
The US Cybersecurity and Infrastructure Security Agency (CISA) has published an ICS Medical Advisory warning of two vulnerabilities in Illumina Universal Copy Service (UCS) v2.x; affected products are used for DNA sequencing. One of the flaws allows remote attackers to bind to an unrestricted IP address, eavesdrop on all IP addresses, and execute arbitrary commands. The second flaw is a privilege misconfiguration vulnerability that could be exploited to execute code with elevated permissions.
Many years ago, I had a chance to look at a DNA sequencing machine (not Illumina). I called it affectionately a "honey net." It consisted of a Windows, a Linux, and a Solaris system, in default configuration, with simple-to-guess passwords. The manual had a note about not connecting it to a public network. But the switch connecting the machines had an unused port to do just that. I always wondered myself if these machines are used for criminal forensics and if these vulnerabilities could affect the reliability of results presented in court.
Clearly, you need to install the provided update. But you also need to look at your network architecture. The flaw is being used to cause the device to listen on other network interfaces. With segmentation in ICS/OT networks, that should really be done with a purpose-built router/firewall, not your endpoint. Additionally, make sure you're restricting access to those systems to only authorized components and users.
I find the intersection of bio-medical/genomic technology and cyber security issues particularly fascinating and scary. This is definitely an area to keep an eye* on! *See what I did there?
Yes, a critical (CVSS Score 10) vulnerability that warrants priority patching. That said, two things are going in favor of the defender: 1) a relatively small number of organizations are involved in DNA sequencing worldwide; and 2) the ability to restrict access via the internet whilst prioritizing the patch.
SC Magazine
Bleeping Computer
The Hacker News
Illumina
CISA
T-Mobile has begun notifying about 850 customers that their personal information was compromised in a data breach. The intruders had access to T-Mobile data from late February through March of this year. The compromised data includes T-Mobile account PINs; T-Mobile has reset the PINs of affected customers. This is the second breach T-Mobile has disclosed since the start of this calendar year; in January, T-Mobile disclosed a November 2022 breach that affected 37 million customers.
I found that the easiest and cheapest way to maintain perpetual free credit monitoring is to maintain a T-Mobile account. That said, based on one of these monitoring services I subscribe to (thanks T-Mobile for paying for it), my information already has been leaked four times so far this year (not just from T-Mobile).
I'm not sure that saying "this breach only impacted 850 customers" will make the 37 million impacted by their last breach feel any better. This is breach number seven since 2018, a little better than one per year. When you find yourself in a scenario such as this, you probably have a different root cause, likely cultural, which needs to be fully addressed before you can stem the tide. If you're a T-Mobile customer, make sure you're enrolled in credit monitoring, update any account PINs and make sure you don't have any nefarious activity associated with the account or payment methods.
How many times has T-Mobile been breached? I can’t even count at this point; it seems to be an almost yearly event, even though it's not. This time it appears to be rather small at under 1000 users. With T-Mobile’s size being so large, you have to wonder if the customers even care at this point.
I suspect after this breach notification T-Mobile will spend a bit more time on securing its infrastructure vice its focus on the magenta color.
Several healthcare sector breaches have been reported to the US Department of Health and Human Services Office for Civil Rights (HHS OCR) and various attorneys general offices. Graceworks Lutheran Services in Dayton, Ohio reported a breach affecting more than 6,700 individuals to HHS OCR. Petaluma Health Center in California disclosed an incident that affected personal information of current and former employees, volunteers, and board members. New York-based Unlimited Care notified an unspecified number of people that their protected health information (PHI) may have been compromised. And NYSARC Columbia County Chapter (COARC) disclosed a ransomware attack that affected its systems last summer.
Take a look at the HHS Breach Portal below for the number of cases under investigation for a hint of what the healthcare industry is working through. If you're in the healthcare industry, you should be talking to your ISAC, CISA or other industry partners not only to obtain tools and resources to measure your security but also to establish relationships you're going to need for incident response when it happens. If you know folks in the sector, reach out to them and see if you can help; they are likely feeling a bit like a punching bag.
Unfortunately evil-doers continue their assault on the healthcare sector. Until we find ways to automate security for the cyber underserved, they will continue to be targeted by ransomware gangs.
Health IT Security
OCR Portal/HHS
In February, the US Marshals Service acknowledged that it suffered a ransomware attack, but no specifics were released about what system or systems within the organization were impacted. Now it has been determined that the affected system is one used by the US Marshals Service Technical Operations Group (TOG), which tracks individuals through their cell phones, emails, and web usage. Ten weeks after the attack, the system is still down.
As a government entity, ransom payment was not an option, nor should it be. That means the organization must have a ‘rock solid’ incident response plan which is regularly exercised. What’s troubling, though, is that ten weeks later the system is still down. One wonders what the last GAO/IG cybersecurity audit found with regard to the US Marshals Service.
As near as I can tell, they are building a new version of the system, from the ground up, with enhanced security. This identifies a challenge you may face in this scenario: do you rebuild (completely), or do you restore, repairing any issues to restore services? Delivering IT projects, with security and functionality in place, at a given release date is challenging on a good day. Develop your risk acceptance criteria in your tabletop or other BC/DR activities so you're not making this decision "flat-footed."
German health insurance system IT service provider Bitmarck experienced a cyberattack against its internal systems. In accordance with their “security protocol, BITMARCK then took customer and internal systems offline and carried out an impact analysis.” Bitmarck suffered another attack in January 2023 that resulted in the theft of 300,000 insurance policy holders’ information.
Note the website below is their temporary site; their main site is also offline at this time. While they don't believe any EHR data was exposed in this breach, and they are rebuilding systems, they are also not convinced the attacks will not continue. Another case where they are following the BC/DR plan to restore services. Another repeat attack scenario, where discovery of what core changes can be made to stop recurrence is going to be a challenge. This is a case for stepping back to the basics: make sure you know what you have, what it is and is not supposed to be doing, that it is updated and configured securely and properly monitored, and then build from there. Yes, use a structured framework such as the Critical Controls to do this analysis; you're already stressed and distracted by the attack, so take advantage of any help you can get to get to the other side.
While our focus is usually on the healthcare and education sector, here’s an example of an apparently well-resourced IT service organization that suffers not one, but two cyber breaches over the course of a few months. One does wonder whether the evil-doer was ever really ‘booted’ from the network after the first breach.
Several UK banks reported outages of their online and mobile services on Friday, April 28. Customers were unable to access account balances and other data. The affected institutions include Lloyds, Halifax, Bank of Scotland, all of which are subsidiaries of Lloyds Banking Group, and TSB, which has been associated with Lloyds Banking Group in the past.
In this case, these banks have the same parent company and are likely using the same service provider for online and mobile banking. In the past we would have called this a service bureau or outsource. In the credit union industry this is called a Credit Union Service Organization. In all cases, these service providers, which lower the barrier to having all the desired functions and services for customers, also represent potential single points of failure, depending on how their services are architected. What a participating FI needs to do is ask how tenants are isolated, what the availability model is, and how they are protected from issues, ranging from DDoS and routing issues to ransomware or other cyber-attacks. Ask about options you have not currently contracted for, or may not have existed when you first started working together, then compare with their competition. It may be simpler to activate new security features than switching, but in some cases, their business/growth model doesn't align with yours and the best answer is to part ways.
Bleeping Computer
Atlanta-based cold storage and logistics company Americold Realty Trust has disclosed that it experienced a cybersecurity incident earlier this year. In a filing with the US Securities and Exchange Commission (SEC), Americold wrote that after learning of the incident, they “implemented containment measures and took operations offline to secure its systems and reduce disruption to its business and customers.” Americold operates 250 temperature-controlled warehouses around the world. The facilities are used by food producers, distributors, and retailers.
Given the connection between their IT systems and what's in those warehouses, taking out their IT systems renders their ability to manage what is in cold storage, as it were, nearly impossible, even though refrigeration systems appear to be operating perfectly. They expect to have workarounds in place this week. Until then, they are asking for no inbound shipments, and to limit outbound shipments to critical, namely driven by product expiration dates. An interesting challenge is building the system with enough centralization to run the business effectively while having enough resiliency and isolation to segment affected areas yet keeping the rest of the business operational.
Passive Analysis of a Phishing Attachment
https://isc.sans.edu/diary/Passive+analysis+of+a+phishing+attachment/29798
Quick IOC Scan With Docker
https://isc.sans.edu/diary/Quick+IOC+Scan+With+Docker/29788
Deobfuscating Scripts When Encodings Help
https://isc.sans.edu/diary/Deobfuscating+Scripts+When+Encodings+Help/29792
Apple Rapid Security Response
https://www.macrumors.com/2023/05/01/rapid-security-response-16-4-1/
Grafana Security Release
Illumina Vulnerability
Hackers Are Breaking Into AT&T Email Accounts To Steal Cryptocurrency
Threat Actor Selling New Atomic MacOS AMOS Stealer on Telegram
https://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/
Zyxel Firewall Vulnerability
Free technical content sponsored by SANS
Day 2 of the ICS Security Summit has begun, and we are so excited to announce that this year's ICS/OT Survey is now live!
Tune in tomorrow, May 3rd at 1:00pm ET as SANS Instructor Pierre Lidome hosts an upcoming webcast - Implementing Attack Surface Management | Register now: https://www.sans.org/info/225930
Join report authors Heather Mahalik and Lee Crognale on Wednesday, May 10th at 1:00pm ET as they dive into the annual 2023 Report: Digital Forensics | Register now: https://www.sans.org/info/225935
Upcoming webcast with Dave Shackleford on Thursday, May 11th at 10:30am ET | Top Code Vulnerabilities to Avoid in 2023 | Register now: https://www.sans.org/info/225940