SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

Experience SANS training through course previews.
Learn MoreLet us help.
Contact usBecome a member for instant access to our free resources.
Sign UpWe're here to help.
Contact Us"There's no other state that's done a bug bounty with a scope this large," says Lance Cleghorn, Senior Director of State Cybersecurity for the state of Maryland. In an interview with StateScoop's Keely Quinlan, Cleghorn posits that the capability of bug bounty programs is unique, allowing them to find vulnerabilities that otherwise might go unnoticed. Tracing the development of Maryland's program out of his experiences with the Defense Digital Service and "Hack the Pentagon" program, he emphasizes "diversity of thought" and the human element in the program's success. He and Katie Savage, Maryland's chief information officer, look forward to applying lessons learned in the process, and may look into fostering a state vulnerability disclosure program.
Well-managed bug bounty programs that are run by organizations have a good track record. But 'well-managed' also includes making sure your software inventory, update and configuration management processes are accurate, rapid and thorough. One of the common failings is updating all managed devices when vulnerabilities are found but a full network scan results in only 80% (or less!) of devices found showing up in Active Directory, etc. Another key point: have a plan in place about what to do when a vulnerability is discovered that cannot be fixed.
'Well-managed' in this case should include a requirement that such activity be conducted under management and supervision and with the permission of the target. The line between research and hacking is thin and obscure. Those incenting such activity have a special responsibility to those that they encourage.
Kudos to Maryland for finding a force multiplier. Note that if you're operating a bug bounty program, you need to be prepared to not only run the program, which can be outsourced, but also to remediate findings, including validation the issue is indeed fixed, which is trickier to outsource.
Bug bounty programs have proven their worth over the past decade. It's also reassuring to see the concept applied at the State level. My only quibble is to ensure that you've done the basics well (patching, secure configuration, monitoring) before spending precious cybersecurity dollars on finding implementation bugs.
In December, 2019, the United Nations resolved "to elaborate a comprehensive international convention on countering the use of information and communications technologies for criminal purposes." The draft of the UN Convention Against Cybercrime was approved on Monday, Nov 11, and will be up for a general assembly vote in December. Eleven articles enumerate actions that would be criminalized when taken "without right," including: access to computer systems or parts of systems; interception of "non-public" electronic data transmission; interference with data, such as deletion, damage, or alteration; and interference with a computer system's function. Because these actions also represent elements of good-faith cybersecurity work, the treaty may criminalize legitimate research, ethical hacking, protective interception of signals, penetration testing, and red-team activities, and may discourage vulnerability disclosure programs. Acknowledgement of these cases is not explicit in the treaty, and any protection for researchers would therefore rely on national laws. The Cybersecurity Tech Accord, comprising over 100 major tech companies "including Microsoft, Meta, Oracle, Cisco, SalesForce, Dell, GitHub, HP and more" has voiced objection to the treaty, citing potential threats to cybersecurity research, specifically AI system safety research. Ilona Cohen with CyberScoop argues for proactive steps from US agencies to "develop and disseminate best practices for implementing the treaty," laying a cooperative and globally visible foundation for the protection of good-faith researchers. Human rights groups and the Electronic Frontier Foundation have also expressed alarm over potential abuses of the treaty as a "tool of repression." Six US Senators have formally submitted their disapproval of the treaty over its possible risks to "privacy rights, freedom of expression, [and] cybersecurity and artificial intelligence safety." The Tech Accord's representative noted that a feature of the treaty codifying inter-governmental transfer of personal information "virtually guarantees the Convention's provisions will be used abusively."
This was prompted after Russia took issue with the existing Budapest Convention, demanding the addition of a framework to address cybercrime. The trick will be the balancing act between processing actual crimes versus criminalizing security research, potentially torpedoing the effectiveness of bug bounty programs such as the success story from Maryland above.
Drafting legislation that accomplishes its intent while avoiding unintended consequences is difficult. It should be approached with both humility and caution. That is particularly true with Copyright, a law that is arbitrary in both intent and application.
On Tuesday, November 12, Microsoft released updates to address more than 80 security issues in their products. Of those, three are rated critical, two have been actively exploited in the wild, and two were disclosed previously disclosed. The actively exploited vulnerabilities are a hash disclosure spoofing issue in Windows NT LAN Manager (CVE-2024-43451) and a privilege elevation vulnerability in Windows Task Scheduler (CVE-2024-49039).
Microsoft vulnerabilities constitute a pervasive and attractive attack surface. The success of Microsoft products makes their quality essential to the security of the world's infrastructure. While patching is an inefficient way to achieve quality, in this case it is also essential.
Can you say 89 fixes? I knew you could. Now make sure that you already sent the notice that you'll be patching and rebooting endpoints this weekend. There are only two zero-day issues identified in this set, but there are three critical flaws, two of which are being exploited in the wild. Of note: CVE-2024-46039, Kerberos RCE flaw, CVSS score 9.8, which is being actively exploited; CVE-2024-49039, Task Scheduler privilege escalation flaw, CVSS score 8.8; CVE-2024-43625, VMSwitch privilege escalation flaw, CVSS score 8.1; and CVE-2024-49019, AD Certificate Services privilege escalation flaw, CVSS score 7.8, all need to be addressed smartly, with the release the list of what's being exploited is going to evolve quickly.
ISC SANS
Krebs on Security
The Hacker News
Bleeping Computer
The Register
Security Week
MSRC
MSRC
The US Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) issued a joint statement on November 13, 2024, reporting breaches and compromised data in the networks of US telecommunications companies by threat actors associated with the People's Republic of China (PRC). The unauthorized access, which was first disclosed in another joint statement in October 2024, is now confirmed to involve "theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders." The agencies state they are working on defense and support of those affected, and they ask any potential victims to contact their local FBI field office or CISA.
The Record
The Register
FBI
CISA
Since early 2024, the National Institute for Standards and Technology (NIST) has communicated delays in their analysis and metadata enrichment of vulnerability catalog entries due to a critical lack of resources. As of November 13, 2024, NIST has processed their full backlog of Known Exploited Vulnerabilities (KEVs), though their previous estimate for completing work on outstanding Common Vulnerabilities and Exposures (CVEs) by the end of the year was "optimistic" and will not be met, they stated in a news update. NIST stated "This is due to the fact that the data on backlogged CVEs that we are receiving from Authorized Data Providers (ADPs) are in a format that we are not currently able to efficiently import and enhance." The agency is working on new systems for processing these data, and has "a full team of analysts on board."
Switzerland's National Cyber Security Centre, Federal Office of Meteorology and Climatology MeteoSwiss, and Federal Office for Civil Protection (FOCP) have been receiving reports of people receiving letters containing malicious QR codes. The letters claim the code leads to a Severe Weather Warning app. In fact, when people scan the code, it downloads infostealing malware to their phones.
The QR code leads to a download for the Coper and Octo2 malware, which targets stealing credentials from as many as 383 banking and other mobile apps. Currently the attack only works on Android devices. Remediation included a recommended factory reset of the device. With the prevalence of QR codes and the install being doctored up to mimic the Alertswiss app developed by their Office of Civil Protection, users have to be particularly wary of being fooled. Even so, making sure to only install apps from known vetted app stores is a good first step.
QR tags have proved their worth, but they constitute the same risk as any other link. Knowledge and trust are crucial.
Canada has passed a pair of right to repair bills that amend the country's Copyright Act to allow circumvention of technological protection measures (TPMs) in the service of 'maintaining or repairing a product, including any related diagnosing,' and 'mak[ing] the program or a device in which it is embedded interoperable with any other computer program, device or component.' While the amendments allow the circumvention of TPMs in these cases, they do not provide access to the tools needed for the circumvention.
As a consumer, having options for repair services, including self-service, is a bonus. The trick now will be how to find trained/certified repair technicians with legal copies of the needed tools and supplies. Even so, that won't prevent motivated folks from either going without the proper tools or misrepresenting the tools and parts used. Trust but verify while this gets sorted.
Umm, ok, now what? Hire a cryptographer to circumvent the technological protection measures? Not sure I would call this a win for the right to repair lobby.
A federal judge in Massachusetts has sentenced former National Guardsman Jack Teixeira to 15 years in prison for leaking 'hundreds of pages of classified National Defense Information (NDI), including many documents designated top secret.' Earlier this year, Teixeira pleaded guilty to multiple counts of 'willful retention and transmission of classified information relating to the national defense.' Teixeira served as a cyber defense operations journeyman in the National Guard from 2019 until he was arrested last year.
Teixeira is accused of leaking Top-Secret Information. The consequence of loss for Top Secret information is categorized as causing exceptionally grave damage to national security and carries a much more severe consequence than losing Secret information, and your clearance briefing includes terms like Leavenworth and throwing away the key to incentivize proper handling of this type of data. By admitting his guilt his maximum sentence was reduced from 60 to 15 years; his goal had been the lightest possible sentence of 11 years. While most of you don't deal with classified data, have you considered the consequence of loss and consequences for your most sensitive data? (Not just privacy or health data.) Do you have data handling training in your onboarding? How about when staff are granted access to more sensitive data? Verify those briefings are kept current, required and repeated.
This was a classic case of failure to supervise. While failure to supervise is not a crime, it is subject to discipline. It should be instructive to our audience to know that 15 enlisted personnel (NCOs) and officers faced disciplinary action in this case. Both this case and the Snowden case demonstrated that supervision was not appropriate to the privileges of the perpetrators. Consider the use of Privilege Management software to improve control and accountability.
Justice
The Register
Ars Technica
A judge in the US state of Georgia has sentenced Robert Purbeck to 10 years in prison for gaining unlawful access to computers and stealing personal data. Purbeck's targets included a medical clinic and a Georgia municipality; he purchased access to these organizations on a darkweb marketplace. He also tried to extort bitcoin from a dentist in exchange for not leaking patient records. Purbeck was convicted of computer fraud and abuse earlier this year and has been ordered to pay more than $1 million in restitution.
A California teenager has pleaded guilty to multiple charges of 'making interstate threats to injure the person of another.' Eighteen-year-old Alan W. Filion targeted schools, religious institutions, government officials, and others; he also offered swatting-as-a-service. According to the plea agreement, Filion made approximately 375 swatting/threatening calls between August 2022 and January 2024, when he was arrested.
While not strictly a cybersecurity problem, swatting is a life and limb risk. So called "swat" teams should act with due caution and the crime should be punished like attempted murder.
Filion now faces a maximum of five years in prison for each of four counts of making interstate threats to injure the person of another state. Expect the state to make an example of Filion to discourage others attempting similar shenanigans.
Microsoft November 2024 Patch Tuesday
https://isc.sans.edu/diary/Microsoft%20November%202024%20Patch%20Tuesday/31438
CISA Top Routinely Exploited Vulnerabilities
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-317a
APT Actors Embed Malware within macOS Flutter Applications
Catch up on recent editions of NewsBites or browse our full archive of expert-curated cybersecurity news.
Browse ArchiveHow to secure a moving target.
Virtual Event: SANS 2024 Detection & Response Survey: Transforming Cybersecurity Operations: AI, Automation, and Integration in Detection and Response | November 20, 10:30 AM ET | Join SANS Certified Instructor Josh Lemon and guest speakers as they provide insights into the prevalence of organizations maintaining separate detection and response teams, shedding light on the reasons behind such decisions and their implications for overall security posture.
Virtual Event: Cloud Security Convergence: How Control Models for A Robust Cloud Security Stack Are Changing | December 6, 1:00 PM ET | As cloud security controls mature, it's common to find that a wide variety of security controls and configuration capabilities are melding into a single platform or service fabric.
Special Offer: 20% Off GIAC Applied Knowledge Certifications Applied Knowledge Certifications truly test your mettle and set you apart from your peers in the field of cybersecurity.