SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

Experience SANS training through course previews.
Learn MoreLet us help.
Contact usBecome a member for instant access to our free resources.
Sign UpWe're here to help.
Contact UsThe US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have jointly published guidelines for securing Continuous Integration/Continuous Delivery (CI/CD) environments. The document describes the attack surface, offers three potential threat scenarios, and makes recommendations for threat mitigation and hardening CI/CD cloud deployments.
The threat scenarios in this document are good starting points for tabletop exercises. CI/CD pipelines and DevOps processes are often tightly coupled with business processes and very different between organizations. A really good playbook to protect CI/CD for Business/Agency A might not work at all for Business/Agency B.
The report explains the conditions, threats, and issues in language that is easy to understand, and can help you build understanding of the issues without mentioning Log4-J or SolarWinds. The recommendations, including validation of code signatures, using accounts with limited lifespan, MFA, and keeping systems and services patched/updated are a conversation you can have with your teams to see where you can raise the bar as well as better understand your developers’ needs.
If adversaries gain access to a software developer’s environment, then undoubtably bad things can happen. The same is true if they gain access to any organization’s enterprise. The guidance published by CISA and NSA is useful, but first, adopt and implement an established cybersecurity framework (i.e., NIST CSF, NIST 800-53, CIS) for the entire enterprise.
On June 13, 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a Binding Operations Directive (BOD) compelling federal civilian executive-branch (FCEB) agencies to mitigate the risk from Internet-exposed management interfaces. The BOD required that the agencies either remove the relevant devices from the Internet or implement stringent access controls by June 27. Researchers from Censys recently found “hundreds of publicly exposed devices within the scope outlined in the directive.”
BOD 23-02 had a short timeline, and the deadline went whizzing by on Tuesday. While CISA is circling the wagons to enforce the required change, make sure that you’ve covered this. Those exposed management interfaces are like candy to a baby, and when staff says something along the lines of them not being able to be found, remind them that with tools like Shodan, it’s very easy (trivial) to find them.
The Censys research highlights a gap between security directives issued, and action taken by FCEB agencies. The cause for this gap could be: 1) not knowing one’s environment; 2) mission impact; 3) other priorities; or 4) general indifference to the directive. Several of those causes have merit and a discussion should ensue between the FCEB agency and CISA. For the others, FCEB agency leadership should be held personally accountable for not implementing the BOD.
One "directs" Federal agencies; it is naive to believe that they can be "compelled." In this case, their ability to comply assumes that they know about all such controls. Many of them were installed in the absence of management direction or knowledge. Others are simply orphans.
CISA
Censys
The Record
Dark Reading
Nextgov
Bleeping Computer
SC Magazine
Gov Infosecurity
A vulnerability in a messaging feature of Medtronic’s Paceart Optima System, a cardiac device data workflow system, could be exploited to achieve remote code execution or create denial-of-service conditions. The feature is not enabled by default. The deserialization of untrusted data issue affects Paceart Optima versions 1.11 and older. Organizations are urged to update Paceart Optima to version 1.12 or newer.
The good news is that Medtronic is able to publicly state that “During routine monitoring, Medtronic identified a vulnerability in the optional Paceart Messaging Service…” before any attackers were able to exploit that vulnerability. Even better would have been if that routine monitoring and flaw detection had occurred during the pre-shipment testing of the software.
The best fix is to update to the newer version. An alternate mitigation is to disable the messaging feature both in the server and workstation. Review the business impact before disabling the service; it could be just applying the update will be far less disruptive.
Typically, most users install devices using the default configuration; it’s human nature. In this case, that’s a good thing as this vulnerability is in a feature that is not enabled by default. Given that, the likely number of users of this device that are vulnerable should be quite low. Regardless, they should heed the vendors risk mitigation guidance as an additional precaution.
Users of Microsoft Teams reported being unable to access the platform on Wednesday, June 28. Microsoft investigated the issue and determined that the problem was due to a configuration change. That change has been rolled back and Microsoft reported seeing availability improving around the world.
Regardless of the amount of regression testing you’ve done, you will find yourself needing to roll back changes once in a while. The question is are the rollback plans in the change viable? How about your decision process which results in a rollback? Suggest adding actual rollback testing to your training regimen.
Change control applies as much to configuration as to changed code. If it ran yesterday, it should run today. If not, return to yesterday's state. Of course, this requires plans and procedures that make returning to a previous good state, not only possible, but easy.
SC Magazine
Bleeping Computer
The Homeland Security Systems Engineering and Development Institute managed by MITRE has published a list of the 2023 CWE (Common Weakness Enumeration) 25 most dangerous software weaknesses. Topping the list are out-of-bounds write, improper neutralization of input during web page generation (cross-site scripting), improper neutralization of special elements used in an SQL command (SAQL injection), use after free, and improper neutralization of special elements used in an OS command (OS command injection). The US Cybersecurity and Infrastructure Security Agency (CISA) notes that “the CWE Top 25 is calculated by analyzing public vulnerability data in the National Vulnerability Data (NVD) for root cause mappings to CWE weaknesses for the previous two calendar years.”
The Homeland Security Systems Engineering and Development Institute is a Federally Funded R&D Center formed in 2009. Fourteen years later I’d like to see less focusing on enumerating well known weaknesses and more use of funding on reducing the frequency of them appearing in software bought by the US government.
Not really anything new here. Which means our approach is known, just hard to make SOP. For real, if you’re not actively doing dynamic and static analysis of code, that has to be done continuously. Make sure that your developers know they need to sanitize all input fields, regardless of how they are filled, not trusting the endpoint provided data without both guardrails and validation. Take a hard look at WAFs and get them into blocking mode rather than learning mode. Make sure that your scanning and testing of the app is done without the WAF inline so as not to obfuscate issues.
A useful compilation and prioritization of software bugs found in vulnerable products. That said, did much really change from 2022 to 2023? From 2021 to 2022 to 2023? Where’s the connection between this sort of list and teaching secure software development best practices to reduce or eliminate these sorts of bugs from being coded in the first place? Organizations like the non-profit SAFECode are a resource to understand and implement secure software development best practices as well as provide training. Use them.
These weaknesses are common, at least in part, because coders and programmers have not been trained to avoid them. The CERT at Carnegie-Mellon told us years ago that the number of instances is not going down.
Microsoft has released Sysmon 15, which includes two new features. First, Sysmon is now a protected process, which means that “Windows uses code integrity to only allow trusted code to load into the protected service… and also protects these processes from code injection and other attacks from admin processes.” Second, Sysmon 15 is capable of detecting new executables.
Having system running as a protected service makes it harder for adversaries to disable it, which is a strong argument to update to version 15 by itself. The new executable detection (which checks under C:\Users and C:\ProgramData) gives visibility to locations where an executable could more easily be installed. Running sysmon -s will dump the schema - if you haven’t looked recently, it’d be a good time to see if there is anything else you’re not adequately leveraging.
Bleeping Computer
Microsoft
The US Cybersecurity and Infrastructure Security Agency (CISA) plans to launch an initiative later this year that will help federal agencies understand and implement cyber supply chain risk management (C-SCRM). Speaking at FCW’s Supply Chain Workshop earlier this week, CISA’s C-SCRM Project Management Office Lead Shon Lyublanovits said that the initiative will include a hub for resources as well as a training program.
If you’re trying to figure out where to find training material to support increased supply chain security, which is part of EO 14028, or even to find ways to improve after reading the MITRE 25 top software weaknesses, the resources on this site will be of value, regardless of being in the public or private sector.
The US Cybersecurity and Infrastructure Security Agency (CISA) has published two updated documents through its Secure Cloud Business Applications (SCuBA) project. The SCuBA Technical Reference Architecture is designed for agencies to “use to adopt technology for cloud deployment, adaptable solutions, secure architecture and zero trust frameworks.” The extensible Visibility Reference Framework “enables organizations to identify visibility data that can be used to mitigate threats, understand the extent to which specific products and services provide that visibility data, and identify potential visibility gaps.”
SCuBA is providing information to better secure SaaS environments. The reference architecture is worth a read as it highlights all the areas you should be considering for cloud-based applications, especially for a SaaS where there may be less visibility to what’s “under the covers.” This may also provide some insight as to things your SOC is worried about when it comes to your cloud-based applications.
According to a study published in the Journal of the American Medical Association (JAMA), ransomware attacks targeting health care facilities could have indirect effects on other health care facilities in the area. The study found that hospitals near those suffering a ransomware attack may experience an increase in the number of patients seen as well as insufficient resource es to care for time-sensitive emergency conditions. The “study suggests that health care cyberattacks such as ransomware are associated with greater disruptions to regional hospitals and should be treated as disasters, necessitating coordinated planning and response efforts.”
Ransomware third-party impacts is not something we’ve thought about much, but if I have to shift a lot of my patients to your facility, and you’re already maxed out, this could end badly. If possible, sit-down with peer businesses where you would send customers during a ransomware attack and see what their capacity is to handle that. Include conversations about what happens if more than one of you are impacted.
The results of the study are not surprising. Healthcare is a delicate ecosystem where an impact in one area will affect other areas. Unfortunately, cyberattacks in this critical sector have only served to highlight this fact. Local, state, and federal government should pull together to support development of incident planning and response efforts for both cyber and natural disaster scenarios.
The number of organizations affected by MOVE-it-related cyberattacks keeps growing; one estimate puts the figure at more than 130. Among the more recently confirmed victims are the University of California Los Angeles (UCLA) and Siemens Energy. Schneider Electric is investigating reports that they were the victim of a MOVEit-related cyberattack.
If you’ve got MOVEit, assume compromise, forensicate the heck out of that environment. You really don’t want to discover you’re a member of this group from a third-party. Have frank conversations about which patches were applied when as well as alternatives to that service. If you migrate off, make sure that it is not just turned off but also fully decommissioned (as in uninstall/deprovisioned, etc.)
If your enterprise uses this product, it is time to assume that you are compromised and begin mitigation.
SC Magazine
Ars Technica
Bleeping Computer
Security Week
Security Week
Gov Infosecurity
The Importance of Malware Triage
https://isc.sans.edu/diary/The+Importance+of+Malware+Triage/29984/
Kazkhastan: The world's last SSLv2 Super Power
GuLoader or BatLoader/Modiloader infection for Remcos RAT
https://isc.sans.edu/diary/GuLoader+or+DBatLoaderModiLoaderstyle+infection+for+Remcos+RAT/29990
Drone Security and Fault Injection Attacks
https://labs.ioactive.com/2023/06/applying-fault-injection-to-firmware.html
npm manifest issues
https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem
Dell BIOS Updates
CVE-2023-26258 Remote Code Execution in ArcServe UDP Backup
https://www.mdsec.co.uk/2023/06/cve-2023-26258-remote-code-execution-in-arcserve-udp-backup/
Sysmon Update
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36
Process Mockingjay: Echoing RWX In Userland To Achieve Code Execution
RowPress: Amplifying Read Disturbance in Modern DRAM Chips
https://dl.acm.org/doi/abs/10.1145/3579371.3589063
Google Chrome Update
https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop_26.html
Catch up on recent editions of NewsBites or browse our full archive of expert-curated cybersecurity news.
Browse ArchiveFree technical content sponsored by GoogleDave Shackleford reviewed Google's reCAPTCHA Enterprise platform.
SANSFIRE 2023 Bonus Session: Dodge the Sliver Bullet and Find the Smoking Gun | Tune in on Tuesday, July 11 at 12:30pm ET to learn about insightful community developed detections, and an open NDR that puts the power in your hands.
2023 SANS Survey: Application Security on Tuesday, July 18 at 10:30am ET - Join John Pescatore to discuss how organizations currently (or plan to) discover APIs in use, determine whether vulnerabilities exist in the use of these APIs, and more.
Take the SANS Network Security in the Hybrid Cloud Era Survey to share your insights about overall strategies to better accommodate hybrid on-premises and cloud environments.