The US Cybersecurity and Infrastructure Security Agency's (CISA's) Cyber Safety Review Board (CSRB) has released a report on the Microsoft Exchange Online intrusion that occurred last summer. The threat actor accessed Exchange Online mailboxes of senior US government officials using authentication tokens signed with a key Microsoft had created in 2016. Microsoft does not know how the threat actor obtained the key. The CSRB report finds that the intrusion was preventable and concludes that Microsoft's security culture was inadequate.
I think this quote from the CSRB report sums it up: "Throughout this review, the Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management." During this review time frame Microsoft announced their Secure Future Initiative; focusing on the required internal culture change is a prerequisite for that being anything more than a marketing campaign.
Security culture (or lack thereof) was emphasized in the report at least 12 times. Security is no longer just a technical issue but a people and ultimately cultural issue. Kudos to Microsoft for being so open and cooperative with the CSRB in creating the report.
This was not a single event but a combination of events, from a compromised laptop in an acquired company that wasn't verified prior to connection to the corporate network, to those old MFA tokens. Take the issues outlined in the report and see if you have any similar gaps. Don't omit culture from your consideration. Not just secure on day one, but remaining so always, with verification and incentives if possible.
This is an excellent report and I encourage you to read it. It highlights to me that Microsoft needs to have another Bill Gates Trustworthy Computing moment, but focused on Trustworthy Cloud Computing.
CISA
Cyberscoop
Security Week
Bleeping Computer
The Register
SC Magazine
Ars Technica
The Record
Ivanti has published a security advisory that includes fixes for four vulnerabilities in their Connect Secure and Policy Secure gateways. The flaws' CVSS scores range from 5.3 to 8.2. Over the past several months, Ivanti has been struggling with the fallout of government breaches related to their products. The company's CEO, Jeff Abbott, published an open letter promising a revamp of their core engineering, security and vulnerability management practices, and an emphasis on secure by design.
Another CEO admitting a need for a security culture change to focus on making sure their products are secure, but this time from a security product vendor. To make sure these culture changes are more than just posters in the lunch room, any security vendor should show results of measurable progress, such as third-party security testing/review of all products. Here's an idea: no security product company should be allowed to use the terms AI or machine learning in their marketing/advertising unless they go at least 12 months without a vulnerability with a CVSS score above 7.
Real culture change takes time. Even so, kudos to Ivanti for publicly stating they'll hit this head on. Which means you need to trust but verify when it comes to your Ivanti products.
An open letter is merely the first step in changing the culture to one of security accountability. Bill Gates did something similar in 2012 that ushered in the era of trustworthy computing. What comes after the letter is what matters, and that takes leadership that doesn't prioritize revenue and valuation over basic software security.
The Hacker News
The Record
SC Magazine
The Register
Bleeping Computer
Ivanti
Ivanti
Coverage of the xz Utils backdoor continues: an interview with Andres Freund, who discovered the backdoor; more information about the malicious code itself; and musings about the identity of the developer, Jia Tan, who contributed the malicious code.
As more details emerge on this near miss, it's clear this was a nation-state-backed supply chain attack. Why so? The level of sophistication employed, the patience in building the supply chain attack, the use of cryptography to protect the exploit, and the social engineering, including the use of sock-puppet accounts. Lots of lessons learned here, many of which are also applicable to commercial software configuration control processes.
By stealing authentication cookies, thieves can bypass multi-factor authentication and access accounts belonging to the true owner of the cookies. Google is taking steps to make stolen cookies useless. A Chromium Blog post reads: "we're prototyping a new web capability called Device Bound Session Credentials (DBSC) that will help keep users more secure against cookie theft." The project is being developed in the open at github.com/WICG/dbsc with the goal of becoming an open web standard.
This is an interesting feature that may help with one of the current, fundamental web application security issues. While there are some "workarounds" that try to fix this issue, a standard approach will make implementation easier.
Creating cookies and tokens that will only work on the device/browser they were created with seems like it would already be a thing, wouldn't it? While this won't change overnight, having Google behind this proposed standard should provide the drive needed to make that happen sooner rather than later.
Using compromised credentials is one of the easiest methods attackers employ for initial access. By binding authentication to the device, it forces the evildoer to be local on the device, where defensive protections can kick in to protect the device and enterprise. One potential stumbling block will be a dependency on use of a TPM for storage. Here's hoping the trial goes well and DBSC becomes mainstream.
Chromium
The Hacker News
Bleeping Computer
Gov Infosecurity
Omni Hotels & Resorts has told customers that recent IT outages were due to a cyberattack. In a statement on their website, the company says it began responding to the attack on Friday, March 29. Omni initially took some of their systems offline as a precaution; most have since been restored. Customers reported that door locks were not working and that they were unable to pay their bills with a credit card.
One of the interesting side effects of the outage was advice to be nice to the hotel staff, as so much isn't working and there is little they can do. I'm going to remember that one next time I run into a systems-down situation. With systems being restored, and some still offline since last Friday, this has the markings of a ransomware attack. The latest from Omni is that most of their systems are back online. They stop short of a target date for restoring everything. While tricky, it's not a bad idea to let folks know your target date for service restoration, to manage expectations as well as increase transparency.
A critical vulnerability in the LayerSlider plugin for WordPress could be exploited to steal data, including password hashes. The SQL injection flaw was discovered by a security researcher participating in a recent Wordfence Bug Bounty Extravaganza. The vulnerability was submitted on March 25 and the plugin's developers were notified of the flaw that same day. They fixed the vulnerability in LayerSlider version 7.10.1, which was released on March 27. The plugin, which is used to create animated content, has more than one million active installations.
The $5,000 bounty is Wordfence's largest bounty to date. Given the publicity, unpatched versions will be targeted. Make sure you're updated. Yup, unsafe input handling strikes again. And the maintainers had the patch out in less than a week after being notified. SQLi/input validation has to be table stakes. At this point both the free and paid versions of Wordfence have rules to prevent the exploit.
NVD
Wordfence
SC Magazine
Bleeping Computer
Security Week
Dark Reading
On Tuesday, April 2, Jackson County, Missouri, confirmed that a ransomware attack was responsible for disrupting county services and declared a state of emergency. Impacted services include online property, marriage license, and inmate searches, as well as tax payments. The incident is being investigated by the FBI, the Department of Homeland Security, and third-party IT experts.
Not a lot of deets on the attack. Suffice it to say that state and local governments continue to be targets. This is the second such ransomware event for Jackson County, which paid a ransom in 2019. It strengthens the argument not to pay a ransom, as it only incentivizes evildoers to revisit for another payout.
City of Hope, a California-based cancer treatment and research center, has disclosed a data breach that impacts personal information belonging to more than 800,000 individuals. The incident occurred between September 19 and October 12, 2023. In a notification letter, City of Hope said that an intruder accessed their IT systems and stole data, including names, various ID information, bank account and payment card numbers, and health insurance and medical information.
Security Week
SC Magazine
Progress Software has released updates to address a critical OS command injection vulnerability (CVE-2024-2389; Improper Neutralization of Special Elements used in an OS Command) in their Flowmon network monitoring and security solution. The flaw can be exploited to attain remote, unauthenticated access to vulnerable systems. The issue affects Flowmon versions 11.x and 12.x on all platforms. Users are urged to upgrade to Flowmon version 12.3.5 or 11.1.14.
The US Cybersecurity and Infrastructure Security Agency (CISA) has compiled a library of cybersecurity resources for high risk communities, which include activists, journalists, human rights defenders, academics, and other employees associated with civil society organizations that are at heightened risk of being targeted by cyber threat actors because of their identity or work, and many of which have little to no budget for cybersecurity. The resources are grouped into categories: customized tools to assess and mitigate risk; helplines and communities; and tools and services to strengthen your cyber defenses.
You have heard advice about taking steps to protect folks in high risk locations but not a lot about what that means. And this includes free as well as reduced cost resources, tools and security communities. As an exercise, consider having your team divide up the list from CISA and report out on relevance of each item.
A very useful guide from CISA. The UK's National Cyber Security Centre (NCSC) also has a very useful and similar guide: https://www.ncsc.gov.uk/collection/defending-democracy
A helpful library but ultimately, the high-risk communities need the resources and skills to implement the cybersecurity advice. As a part of the security community, we collectively must automate cybersecurity best practices.
Researchers from Cisco Talos have discovered a threat actor that has been stealing financial data and account access credentials from individuals in Asian and Southeast Asian countries. The researchers say the threat actor, which they have dubbed CoralRaider, has been active since at least May 2023. CoralRaider uses a Telegram bot as its command-and-control (C2) channel to exfiltrate victims' data.
Talos Intelligence
The Hacker News
Researchers at Cofense have detected a phishing campaign targeting organizations in the oil and gas sector with intent to infect systems with a new variant of Rhadamanthys information-stealing malware. The phishing emails purport to be vehicle incident communications from the Federal Bureau of Transportation, which does not exist.
Playing with xzbot: Some things you can learn from SSH traffic
https://isc.sans.edu/diary/Some+things+you+can+learn+from+SSH+traffic/30808
Slicing up DoNex with Binary Ninja
https://isc.sans.edu/diary/Slicing+up+DoNex+with+Binary+Ninja/30812
Wait Just an Infosec Episode with Bojan Zdrnja
https://isc.sans.edu/j/xzutils
Dan Mazzella: Infostealers in Automotive Headunits
https://www.sans.edu/cyber-research/exploring-infostealer-malware-techniques-automotive-head-units/
HTTP/2 Continuation Flood
https://nowotarski.info/http2-continuation-flood-technical-details/
Dangers of CSS in HTML Email
https://lutrasecurity.com/en/articles/kobold-letters/
Google Proposes Device Bound Session Credentials (DBSC)
https://blog.chromium.org/2024/04/fighting-cookie-theft-using-device.html
Four More Ivanti Vulnerabilities
Google Pixel Zero Day
https://source.android.com/docs/security/bulletin/pixel/2024-04-01
Chrome Incognito Mode Settlement
https://www.wired.com/story/google-chrome-incognito-mode-data-deletion-settlement/
Google E-Mail Sender Guidelines FAQ
https://support.google.com/a/answer/14229414?hl=en&fl=1&sjid=2270464422796374445-NC
Cisco Updates and VPN Best Practices
https://sec.cloudapps.cisco.com/security/center/publicationListing.x
Apache Pulsar Vulnerability
https://pulsar.apache.org/security/CVE-2024-29834/
Progress Flowmon Network Monitoring Tool Vulnerability CVE-2024-2389