SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
SEC Files Civil Suit Against SolarWinds and its CISO
The US Securities and Exchange Commission (SEC) has filed a civil lawsuit against SolarWinds and its former Vice President of Security and Architecture, Timothy Brown, over the way they handled the supply chain attack that came to light in late 2020. The complaint alleges that the company and Brown “defrauded SolarWinds’ investors and customers through misstatements, omissions, and schemes that concealed both the Company’s poor cybersecurity practices and its heightened – and increasing –cybersecurity risks.”
Editor's Notes
- Slide 1 of 6
Read the lawsuit. Next, consider how many of the statements used against SolarWinds could be used against your organization. In my opinion, the lesson here is not "don't put your failings in writing," but rather "don't lie to your customers," and "having a policy isn't enough: You have to audit your systems to ensure compliance."
- Slide 2 of 6
There will be much hand-wringing about a CISO being directly blamed and legal actions taken against the CISO, but Uber’s CISO was convicted on similar offenses in 2022. Look, we have put a lot of focus on the conflict of interest between business units and security or CIOs and security as decisions were made to maintain profits vs. achieve safety/security. If CISOs don’t fight the good fight to represent customers and stakeholders safety, but instead join in on false filings to regulators about those decisions, criminal prosecution will and should follow.
- Slide 3 of 6
Honest, transparent and complete communication have to be the tenets of today’s climate of ongoing incidents. Respect trust and support your customers. Assume dirty laundry will be aired, and that is not the side of the SEC or FTC you want to see. Review your policies and response plan to ensure you’re not in danger of heading down a similar path when it hits the proverbial fan.
- Slide 4 of 6
I’ve heard through the indictment and some of the internal communications that many in our industry would consider harmless, such as being sarcastic, being used in a court case. Internally, security teams in publicly traded sectors on the stock market may start to have their internal cultures changed. If two people are having a casual work conversation over a protected medium like instant messaging where they need to let out steam and talk shop, they won’t. I think this is going to have adverse ripple effects on our industry. It will have positive ones, don’t get me wrong, but some of the unintended consequences may be a cultural poison pill. As someone who uses a bit of levity during highly stressful situations, I can see a scenario where everyone must be very corporate, diminishing the talent pool that these companies can gather significantly. If you are curious about the exchange, go to page 37, number 124. If this is the type of thing we are using as evidence, we will all be guilty of humanity. I am not advocating for the belligerent actions of SolarWinds; I’m advocating for the merits of decency in these manners. The problems we face are intractable. It’s more sometimes like first responder police work than accountant work. These are numbers and Excel spreadsheets. These are attack groups with people behind them, using psychology at times. We must talk freely without worrying about being called into court for sarcasm. This will push out-of-band communications, which isn’t a positive move.
- Slide 5 of 6
This may be the first time that a CISO has been named in a SEC lawsuit; it certainly has the cybersecurity world buzzing. What will be arguable is the ‘independence’ of the CISO from the rest of the executive team. Should, as the SEC claims, the CISO and not the CEO have responsibility for informing customers and investors? Regardless, the CISO role is about to change for the better.
- Slide 6 of 6
The issue in this lawsuit is not about the damage but about the coverup. Security professionals should not give unwarranted comfort or unnecessary alarm. Holding suppliers accountable for shipping malicious code is essential to addressing the supply chain problem. That said, while security is the responsibility of line management, staff, including CISOs, may still be accountable for failure to recommend essential, appropriate, and efficient security measures, or for the failure to document rejection of any such recommendations.
Slide 1 of 0- Slide 1 of 6
Okta: Employee Data Stolen
Okta has notified about 5,000 current and former employees that their personal data were compromised when a third-party vendor’s systems were breached. The cybersecurity incident affected IT systems that belong to Rightway Healthcare. Okta learned of the incident, which occurred on September 23, in early October.
Editor's Notes
- Slide 1 of 5
There is nothing more important to an information security program than identity. Pick your vendors careful, and document in detail why you accepted the risk to hand this critical information security function to a third party like Okta before the SEC comes knocking.
- Slide 2 of 5
Just as the SolarWinds incident pointed out, attackers are very actively trying to compromise highly privileged apps like system management (see ServiceNow item in this issue). The same is obviously true about identity/authentication systems and password managers. But the real lesson on this one is supply chain security – your company is probably using similar third party services as part of reducing costs of employee benefits. These attacks call for compromise hunting around all of those services.
- Slide 3 of 5
According to Okta’s own statement (https://sec.okta.com/harfiles) the breach resulted from an employee using their personal Google profile on a company issued device which in turn stored the username and password of the Okta service account into that profile. A clear example of the risks posed by Shadow IT and lessons we should all take on how to ensure corporate credentials don’t leak into personal services.
- Slide 4 of 5
Another incident of third-party security issues. Notice that the headline is Okta data stolen, not Rightway Healthcare breach. Now imagine your business is secure authentication and identity management, and the third party is compromised by credential theft. Work to not only assess your third-party providers, but also offer to assist them with shortfalls, you are both stakeholders, not adversaries.
- Slide 5 of 5
The old adage, bad things come in threes, comes to mind with Okta. While this is a data breach with one of their third-party vendors, they still have a responsibility to understand the state of security with their suppliers. Companies should review their service level agreements with suppliers with an added focus on cybersecurity and incident reporting.
Slide 1 of 0- Slide 1 of 5
Microsoft’s Secure Future Initiative
Microsoft has launched its Secure Future Initiative, which includes a pledge from the company to improve the security of identity signing keys. The initiative rests on “three pillars: focused on AI-based cyber defenses, advances in fundamental software engineering, and advocacy for stronger application of international norms to protect civilians from cyber threats.”
Editor's Notes
- Slide 1 of 5
For those of you around when the Blaster Worm hit, the recent Azure security issues are looking very much like the "trusted computing" moment Microsoft had around 2005. I like the first part about the security of identity, but they could have left out the feel-good statement about AI and international norms.
- Slide 2 of 5
Obviously a good thing to see the top of Microsoft realizing the company’s focus had drifted away from “Security is Job 1.” Also, very good to see Microsoft EVP for Security Charlie Bell emphasized more focus on “Secure by Default” though mostly for cloud services vs. operating systems. A bit of irony: both Bell and Microsoft VP Brad Smith spent a lot of time hyping up AI tools are increasing security while just 6 weeks ago Microsoft exposed 38TB of data through the use of AI and insecure defaults on Azure cloud storage…
- Slide 3 of 5
Interesting plans on leveraging AI to improve security. As our adversaries are using AI to make more successful attacks, launching initiatives to use AI to help with defense is a logical move. Moving to a model of secure by design/default, while simple to state, and doable for new products, retrofitting your legacy inventory can be daunting, keep an eye on players like Microsoft for clues on getting your arms around that.
- Slide 4 of 5
I know it’s not the Microsoft Trustworthy Computing Memo. But it also is an admission that they have moved away from the idea of Trustworthy Computing. Maybe it was on accident; maybe it was on purpose to catch up to the market. Let’s just put it this way: how do you release an API with Microsoft Graph and about 4 years later realize people need telemetry from it?
- Slide 5 of 5
Seems a bit like a marketing ploy by Microsoft given its recent cybersecurity stumbles. That said, Microsoft can reassert itself as a champion of secure software development and engineering best practices, similar to what it did with its Security Development Lifecycle in 2005.
Slide 1 of 0- Slide 1 of 5
The Rest of the Week's News
Boeing Acknowledges Cyberattack
Boeing has acknowledged that it is investigating a cyber incident that affected systems in the aerospace company’s parts and manufacturing division. Boeing said that flight safety is not impacted.
Editor's Notes
- Slide 1 of 2
The incident seems to be contained to their lucrative parts sales and distribution system. The bad news is the LockBit ransomware gang is behind this, and gave Boeing six days to begin negotiating. In other words, they play hard-ball. While this isn’t finished, Boeing has engaged cyber and law enforcement expertise. If you were in their shoes, could you not only be prepared to engage with the ransomware gang, but also have your cyber and legal response team in play all within six days? To include mitigations to prevent any retaliatory or copy-cat attacks?
- Slide 2 of 2
Two observations: 1) Yet another example that even well-resourced organizations can fall victim to a ransomware attack; and, 2) Stay tuned as Boeing reports the cost of this cyberattack, to include lost revenue from business operations.
Slide 1 of 0- Slide 1 of 2
ServiceNow Misconfigurations Could Lead to Data Leaks
ServiceNow says that misconfigurations in its platform could lead to data exposure. The misconfigurations were introduced in 2015. ServiceNow issued a fix for vulnerability late last month. ServiceNow is used at an estimated 80 percent of Fortune 500 companies.
Editor's Notes
- Slide 1 of 3
But since the SolarWinds incident was back in 2021, surely all you ServiceNow users checked for vulnerabilities and compromise back then… This one is really just a good reminder that “misconfigurations” of any piece of software can be like chumming the water to attract sharks. If you need to, pay for pen testing and an external security review to get the need to check and monitor be raised to CEO level. Have the contractor include a link to the SEC charges against SolarWinds.
- Slide 2 of 3
The take-away here is to review your ServiceNow ACLs regularly, to include what’s public. Make sure that objects which are marked public, are truly intended to be public. Where you have ACLs which allow for unauthenticated access, but you intend to restrict to logged in users, add gs.isLoggedIn() to the script section.
- Slide 3 of 3
APIs, and their representation as widgets, should have a set of permissions to perform actions through the interface. ServiceNow misconfigured the default access control list (ACL) that the widgets check. Vendors are always viewed more favorably when they are transparent in communicating a security vulnerability to their customers and investors.
Slide 1 of 0- Slide 1 of 3
Atlassian: Patch Critical Flaw in Confluence Data Center and Server
Atlassian is warning that there is a publicly released exploit for a recently disclosed improper authorization vulnerability in its Confluence Data Center and Server. Organizations are urged to upgrade to Confluence Data Center and Server versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1. If they cannot upgrade immediately, Atlassian has also suggested mitigations.
Editor's Notes
- Slide 1 of 2
The short version is Atlassian recommends removing public access to your Internet facing Confluence sites until you’ve got the patch applied. It’s likely simpler and faster to just apply the patch rather than go through two change management iterations, even if treated as an emergency change. It may be time to re-assess the viability of their hosted version where they are taking care of these issues.
- Slide 2 of 2
Is Google Chrome or Atlassian this generation of Adobe Reader? It's hard to decide who gets patches more often. If it's by exploit potential, I think Atlassian has probably been responsible for more companies being breached. At least it’s not because of “atlassian123!”
Slide 1 of 0- Slide 1 of 2
FIRST Releases CVSS 4.0
The Forum of Incident Response and Security Teams (FIRST) has published an updated version of the Common Vulnerability Scoring System. According to FIRST, CVSS 4.0 “offers finer granularity in base metrics for consumers, removes downstream scoring ambiguity, simplifies threat metrics, and enhances the effectiveness of assessing environment-specific security requirements as well as compensating controls.”
Editor's Notes
- Slide 1 of 4
Remember when Microsoft would not use CVSS scoring? Two decades of CVSS by FIRST and volunteers have continued to improve the tools available to use the scores, but the reality of today’s attacks means patching any software on the path between bad buys and the crown jewels needs to happen - even those “Medium” 6.8s. A realist view of attack probability: “It may only be a 10% probability that an attacker will exploit that 6.8 scored vulnerability, but 90% of the time we fall in that 10%.”
- Slide 2 of 4
CVSS 1.0 was introduced in February 2005, version 2 in June 2007, version 3 in 2015. The last change to CVSS scoring was version 3.1 in 2019. Version 4 is intended to help you assess the relevance of a given score, including threat intel and environmental metrics, also incorporating OT/IoT differentiators. Version 4.0 adds additional scoring nomenclature to support that: CVSS-B: CVSS Base Score, CVSS-BT: CVSS Base + Threat Score, CVSS-BE: CVSS Base + Environmental Score and CVSS-BTE: CVSS Base + Threat + Environmental Score.
- Slide 3 of 4
I have a question about CVSS that maybe we can all talk about. What is more important, CVSS or CISA’s KEV? In other words, does it matter what your CVSS score across all your software, when a single exploit in your VPN or Load Balancer gets you fully owned?
- Slide 4 of 4
Well, it has been eight years since CVSS 3.0 was released, so an update was due. That said, I’m uncertain that the changes will be adopted quickly as some of the new metrics require data from external sources.
Slide 1 of 0- Slide 1 of 4
Ontario Hospitals Systems Still Experiencing Downtime
Five hospitals in Ontario, Canada are still unable to access electronic health records and other information nearly two week after their IT services provider was targeted by a ransomware attack. The five hospitals -- Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare and Windsor Regional Hospital – along with their shared service provider TransForm Shared Service have also disclosed that the attackers stole information from their IT systems.
Editor's Notes
- Slide 1 of 2
The condition of the hospitals has been characterized as “Code Grey” as they still don’t have access to patient records after two weeks. While TransForm is still actively working to recover, the hospitals are still facing work-around measures. The question is how long can you effectively operate on Plan B? (Manual processing or otherwise). Then the really hard part - how will you re-incorporate that data into your systems in a timely fashion, to include provisions where on-line versions are available but not updated? Now schedule a time to run through that scenario in depth.
- Slide 2 of 2
While one understands that healthcare systems are stressed, it is both essential and efficient to isolate clinical systems from public network facing applications like e-mail and browsing and employ strong authentication on those applications.
Slide 1 of 0- Slide 1 of 2
British Library Confirms Cyber Incident
On Saturday, September 28, the British Library disclosed that its systems were affected by an incident causing a major outage. The library said the attack “is affecting [the library’s] online systems and services, our website, and on-site services including our Reading Rooms.” The Toronto Public Library also recently disclosed a cybersecurity incident.
Editor's Notes
The British Library seems to be a much harder hit than TPL. In this case, the library’s internal systems for providing Internet access to patrons is also offline, having been replaced by local hotspots. As such their web and phone services are also off-line. They are using X (Twitter) to keep the public apprised of their situation. Think about how you’d inform customers if your primary communication paths were offline. Then consider what you can do to separate/protect your public facing services from being impacted when other systems are compromised.
Ace Hardware Experiences Cybersecurity Incident
A cyberattack is causing problems for Ace Hardware servers. The issue is preventing customers from placing online orders. The attack has also affected Ace’s Warehouse Management Systems, the Ace Retailer Mobile Assistant (ARMA), Hot Sheets, Invoices, Ace Rewards and the Care Center’s phone system. ACE CEO John Venhuizen said that 1,202 of the company’s 4,900 servers and connected devices need to be restored.
Editor's Notes
While Ace has been communicating about what’s on/offline, their employees are feeling uncertainty, having been sent home when their business unit is unable to operate, without assurances they would be paid in a timely fashion. The action here is to make sure that you are taking care of your people when an incident shuts down parts of your operation. Think out of the box, consider partnering with your credit union, or other FI, to provide bridging loans, payroll advances, etc. to reassure your staff they are also being looked after while you’re getting the incident resolved.
Internet Storm Center Tech Corner
Quick Tip for Artificially Inflated PE Files
https://isc.sans.edu/diary/Quick+Tip+For+Artificially+Inflated+PE+Files/30370
Malware Dropped Through a ZPAQ Archive
https://isc.sans.edu/diary/Malware+Dropped+Through+a+ZPAQ+Archive/30366
Multiple Layers of Anti-Sandboxing Techniques
https://isc.sans.edu/diary/Multiple+Layers+of+AntiSandboxing+Techniques/30362
Apache ActiveMQ Flaw Exploited
https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
Critical Firepower Vulnerability
Dozens of npm Packages Caught Attempting to Deploy Reverse Shell
https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/
CVSS 4.0 Now Official
https://www.first.org/cvss/v4-0/index.html
MOZI Botnet Kill Switch
URL Shorteners in .us
https://securityonline.info/infoblox-uncovers-malicious-wave-in-us-domain-registrations/
Impersonating Slack Users
https://falconspy.org/redteam/tradecraft/2023/10/05/2023-10-05-Slack-Impersonation.html
CVE-2023-22518 Improper Authorization Vulnerability in Confluence Data Center and Server
Malvertisement Promotes Malicious PyCharm Version
Thorn SFTP Gateway Java Deserialization RCE CVE-2016-1000027 CVE-2023-47174
https://help.thorntech.com/docs/sftp-gateway-gcp-3.0/gcp-java-deserialization-rce/