SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

Experience SANS training through course previews.
Learn MoreLet us help.
Contact usBecome a member for instant access to our free resources.
Sign UpWe're here to help.
Contact UsLast week, SANS announced the renewal of its partnership as a Champion with Water-ISAC. The extended collaboration reflects a shared commitment to supporting the water and wastewater sector with practical training, research, and community engagement designed to counter increasingly aggressive cyber threats. The collaboration has advanced sector-specific research, including a SANS white paper, “Protecting Critical Water Systems with Five ICS Cybersecurity Critical Controls,” by Dean Parsons, and an associated five-part webinar series. Protecting Critical Water Systems with the Five ICS Cybersecurity Critical Controls (White paper): https://www.sans.org/white-papers/protecting-critical-water-systems-five-ics-cybersecurity-critical-controls
SANS 5 ICS Critical Controls for Water: https://www.sans.org/webcasts/sans-5-ics-critical-controls-for-water-control-1-ics-specific-incident-response-plan SANS Water & Wastewater Cybersecurity Partnership: https://www.sans.org/partnerships/water
Water-ISAC: https://www.waterisac.org/
ISACs are a great way to get more involved with your sector's community. Find out more here: https://www.nationalisacs.org/members
A fire at a government data center in Daejeon, South Korea, has disrupted the availability of hundreds of online government services, including a mobile identification system used by travelers and online postal and tax services. It took firefighters nearly 24 hours to extinguish the blaze at the National Information Resources Service (NIRS). The fire appears to have been caused by a lithium-ion battery explosion at the data center's backup power system. The Korea Herald writes, "Kim Ki-seon, chief of the Yuseong Fire Station in Daejeon, explained during a press briefing on Saturday that the blaze started during a procedure to shut off power ahead of relocating the batteries. NIRS had started the relocation as the UPS battery units were installed on the same floor as the servers, raising fire safety concerns."
Thermal runaway, which happens when a battery short-circuits and heats uncontrollably, is a concern with newer battery systems. While larger backup power systems have added fire suppression for this scenario, UPS units typically don't. In this case the NIRS team had moved 2/3 of the batteries and was in the process of shutting down the last set when the fire they were working to prevent occurred. In addition to making sure that you've mitigated battery fire risks, make sure that your emergency power off is connected with your UPS system(s), rack based or otherwise, such that everything is automatically powered off in the event of a fire. Most systems in there don't react well to super-heated air, flames or suppressant. Yes, with this strategy you need redundancy in multiple physical locations.
Datacenter fires are not all that uncommon. Batteries are one source, but so is fuel used for backup generators or just overheating components in equipment. As pointed out in the article, fuel sources should be located away from sensitive equipment. Too bad that moving the batteries triggered the fire.
While lithium batteries have been a boon for many of us, it also appears that lithium batteries do not necessarily go through all of the quality and safety checks. Here is my thinking on these things – if you have a lithium-ion battery that you are replacing, please use the official batteries and not a battery that is a “pseudo” knock off. I have heard of houses literally burning down because they purchased cheaper batteries for their drills. Here we have a datacenter and we don’t know the details but these things do happen.
Many of us think only of cyber dangers, yet physical dangers continue to exist and happen unexpectedly. Multiple redundancies will be required and regularly exercised as we move to an all-digital society. Unfortunately, there are still many lessons to learn here.
On July 12, 1973, a fire at the US National Personnel Records Center at 9700 Page Boulevard, St. Louis MO, burned for 24 hours, destroying the service records of 18 million US service personnel. Recovery efforts are ongoing. Modern distributed processing and cheap digital storage make it possible to efficiently mitigate such risk. In the 60s and 70s, when many enterprises relied on a single mainframe data center, the risk of fire was at the top of what was called the "backup and recovery" plan. Today the plan is called "business continuity."
Google Threat Intelligence Group (GTIG) has observed a backdoor malware campaign in which threat actors tracked as "UNC5221 and closely related, suspected China-nexus threat clusters," maintained long-term access to various US organizations' systems, exploiting vulnerable network appliances that did not support endpoint detection and response (EDR) tools. The intrusions notably targeted US "legal services, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and Technology [providers]" often employed by governments and large companies, and the average period of undetected access was 393 days. GTIG notes that logs were seldom retained long enough to help determine an initial access vector apart from a "focus on compromising perimeter and remote access infrastructure," especially VMware vCenter and ESXi hosts. The backdoor, dubbed "BRICKSTORM," disguises itself as legitimate software, and appears to use a unique command-and-control (C2) domain for each victim. The threat actors often accessed "the emails of developers, administrators, and individuals of likely strategic interest to China by abusing Microsoft Entra ID enterprise applications with elevated permissions," continuing to move through systems laterally and sometimes compromising SaaS providers' customers through their supply chains. "YARA rules have proven to be the most effective method for detecting BRICKSTORM," and GTIG also offers a script that will scan Unix systems for the malware without installing YARA. GTIG provides detailed threat hunting recommendations, suggesting that defenders look to attackers' tactics, techniques, and procedures (TTPs) rather than relying on "atomic IoCs," and urging organizations to maintain up-to-date asset inventories, always configuring devices for least privilege.
Not surprising; something I have been talking about in the classroom. These devices that do not run or support any decent amount of telemetry are being used maliciously by threat actors. Make sure you employ some type of Zero Trust in these environments. I do not recommend just having them opened for a long time.
We've all run appliances of one flavor or another which cannot run our EDR tool. Having tools such as Mandiant's BRICKSTORM scanner, which doesn't require YARA, can be helpful with these. Consider storing logs offline, and leverage a data lake if you have one, for 18 or more months. This may be a good time to review NIST SP 800-92 and M-21-31 for ideas on how to improve your logging processes; the idea is to stack the deck in favor of detecting and finding threat actors wherever they are, because 393 days is way too long.
When entered into the Verizon Data Breach Incident Report (DBIR) these numbers will skew the mean time to breach discovery metric.
We seem to spend a lot of time characterizing and differentiating threat actors. In this case we don’t know who the threat group is, but do know it isn’t the same as Silk Typhoon. Enough of the catchy names. The real story is that these threat actors continue to 'make hay' given our inability to manage patches expeditiously and to actively monitor the enterprise. A year-plus dwell time on target is simply too long and doesn’t uphold the standard of reasonable cybersecurity.
Dark Reading
The Register
SecurityWeek
The Record
The Hacker News
BleepingComputer
CyberScoop
The UK Government has announced that it will guarantee a £1.5 billion (US$2.01 billion) commercial bank loan to Jaguar Land Rover (JLR) through the Export Development Guarantee (EDG), "to give certainty to its supply chain" while JLR's production lines remain shut down and its large network of suppliers have been cut off in the wake of a debilitating cyberattack. The government assumes up to 80% of the loan's risk, and JLR will have five years to pay it back. JLR's UK plants employ approximately 30,000 people, and the broader supply chain accounts for about 120,000 jobs. The attack first disrupted operations on August 31, 2025 and workers have been told to stay home since the following day; the loan was announced on September 28, and while no firm return date has been provided, JLR has tentatively predicted resuming some production by October 1. The BBC reports that this "is believed to be the first time that a company has received government help as a result of a cyber-attack."
Reports are the attack is costing JLR about $67-94 million USD per day, and the attack started August 31, so they are motivated to restart operations as soon as possible. The loan is a heck of a statement of support and precedent from the UK government. They are leveraging the UK Export Development Guarantee (EDG) to underwrite the loan, which is a support mechanism designed to help UK companies who sell overseas. Hopefully other UK companies who fall into this category will be able to avail themselves of a similar option in a timely fashion.
During financial crises in the past (often due to risky financial practices), governments have often stepped in like this to rescue companies deemed “too big to let fail” – and usually followed up with tightened regulatory oversight and action to make sure risk practices were reduced/eliminated. The same path should be travelled after this failure to maintain essential security levels.
This may be the most expensive breach in history, but it is not without precedent (one thinks of Sony and Aramco). One hopes that it holds the record for a long time. However, our economic resilience is becoming more dependent upon your enterprise cybersecurity with each passing day. It is essential that we structure the enterprise network in such a way that no single user failure can bring down the entire business.
UK Government
BBC
The Guardian
The Register
TechCrunch
The Record
SecurityWeek
Fortra disclosed a critical deserialization of untrusted data vulnerability in their GoAnywhere Managed File Transfer (MFT) software on September 18, 2025, and released a patch the same day. Researchers at watchTowr Labs say they have observed "credible evidence" that the vulnerability has been actively exploited in the wild since at least September 10. In their analysis of the issue, researchers at Rapid7 maintain that it "is not just a single deserialization vulnerability, but rather a chain of three separate issues. This includes an access control bypass that has been known since 2023, the unsafe deserialization vulnerability CVE-2025-10035, and an as-yet unknown issue pertaining to how the attackers can know a specific private key." Users are urged to update to upgrade to Fortra GoAnywhere MFT version 7.8.4 or v7.6.3 (Sustain Release). The Fortra vulnerability was one of five vulnerabilities added to the US Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalog on Monday, September 29, with a mitigation due date of October 20.
If you're running Fortra's GoAnywhere MFT, make sure the patch is applied and that access to the Admin console is not available over the Internet; that is the attack vector. CVE-2025-10035, deserialization of untrusted data flaw, has a "perfect" CVSS score of 10.0. With the continued focus on compromising file transfer systems, don't wait to address this flaw.
CyberScoop
The Hacker News
Help Net Security
SC Media
watchTowr
watchTowr
Attacker KB
Fortra
NIST
CISA
The recently-launched Neon call-recording app has been taken down, following a report from TechCrunch that logged-in users were able "to access the phone numbers, call recordings, and transcripts of any other user." Neon pays users who allow them to record their phone calls; Neon then sells the data to AI companies to be used in training their models. TechCrunch notified the app's "founder," who took down the Neon servers and started notifying users that the app would be paused, but Neon has not yet disclosed the security issue. The app can still be downloaded, but it is not currently functional. The app claims that it records only phone calls placed within the app, and records only one side of the conversation. Several US states require that all parties on phone calls consent to being recorded.
The concept of paying users to eavesdrop in order to train AI seems wrong, and maybe illegal in some cases.
Access controls continue to challenge service providers. Recording of sessions and using AI-driven transcription is a common solution, and it can be a real time saver later on, making this extremely attractive to implement. Understand (and verify) what data is collected, where it is going to be stored, and who can access it. Regardless of legal requirements, making an explicit statement that you're recording and transcribing a meeting, call, etc. including opt out instructions – which is itself captured in the recording, even if the platform is notifying people of the recording – remains a best practice.
“Security, yes, that’s important, but if I don’t get this product to market, I’ll lose out on a business opportunity.” And well, there you have it. A privacy concern, but then, users are paid to have their calls recorded.
Today's NewsBites appears loaded with risks I never thought of before.
TechCrunch
ZDNet
CNET
Engadget
The US Cybersecurity and Infrastructure Security Agency (CISA) and partner agencies in six countries have published guidance for securing operational technology (OT) systems, titled “Creating and Maintaining a Definitive View of Your Operational Technology (OT) Architecture.” The document "defines a principles-based approach for how operational technology (OT) organisations should build, maintain and store their systems understanding. It is aimed at cyber security professionals working in organisations that deploy or operate OT across greenfield and brownfield deployments. Integrators and device manufactures can also use these principles to ensure their solutions enable effective asset and configuration management." The five principles are: define processes for establishing and maintaining the definitive record; establish an OT information security management program; identify and categorize assets to support informed risk-based decisions; identify and document connectivity within your OT system; and understand and document third-party risks to your OT system. The document was developed by the UK National Cyber Security Centre (NCSC), the Australian Signals Directorate Australian Cyber Security Centre (ASD's ACSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the Canadian Centre for Cyber Security (Cyber Centre), the US Federal Bureau of Investigation (FBI), New Zealand’s National Cyber Security Centre (NCSC-NZ), Netherlands National Cyber Security Centre (NCSC-NL) and Germany’s Federal Office for Information Security (BSI).
Read the document, and then engage your OT system owners to do the same. Then have a conversation about how you can document and monitor their environment without disrupting it or lowering their availability or security. Fundamentally, you need to know what is out there and what it's doing before you can start discussing security. Suggest having dedicated points of contact on your team who become intimately familiar with specific OT/ICS systems and owners so these conversations can be had.
Microsoft Threat Intelligence has observed "limited attacks" involving a new variant of XCSSET, a type of modular malware first observed in 2020 that targets macOS systems by spreading through Xcode projects and executing once an infected project is built, then taking control of a variety of apps and exfiltrating information. The new variant notably monitors the clipboard for signs of copied digital wallet addresses and replaces them "with its own predefined set of wallet addresses," and has components that target Firefox for information theft. The malware hides itself in new ways as well, "using run-only compiled AppleScripts ... also add[ing] another persistence mechanism through LaunchDaemon entries." Microsoft shares IoCs and recommends mitigating the threat of this variant by ensuring operating systems and applications are up to date; inspecting and verifying all downloaded or cloned Xcode projects; checking that copied and pasted information is not tampered with; and using endpoint security tools. Microsoft analysts "shared these findings with Apple and collaborated with GitHub to take down repositories affected by XCSSET."
XCSSET emerged in 2020 and has been evolving since; prior to this update, we last heard of a resurgence in February. The Firefox and clipboard crypto modules are new with of the latest variant. Mitigations include running the latest macOS and Xcode, running a current EDR that will detect/block XCSSET activity, and verifying the integrity of Xcode projects downloaded or cloned. Enable threat detection and malicious site protections in bowsers. Grab the IoCs from the Microsoft blog for your threat hunters.
macOS (like Linux) does not have many good telemetry options. I am very surprised we have not seen the same number of payloads for these Unix devices that we have for Windows. It’s going to be a long while before we get the same type of EDR telemetry in these systems.
A good reminder that while using macOS and Firefox does avoid Windows malware, security through obscurity is never sufficient – essential security levels still need to be maintained.
Microsoft
The Register
SecurityWeek
The Hacker News
BleepingComputer
Authorities in the Netherlands have arrested two teenagers in connection with suspected espionage on behalf of Russia. According to the authorities, the two individuals were recruited via Telegram by a hacker with Russian ties; one of the teenagers allegedly walked past Europol, Eurojust, and the Canadian embassy while carrying a Wi-Fi sniffer. The individuals appeared before a magistrate judge on September 25; one is still in police custody, the other is under house arrest.
Recruiting locals for espionage is a tried and true tradition. When carrying/using tools like Wi-Fi or Cellular sniffers or access points, make sure that you understand the legal ramifications, whether transmitting, receiving or de-authorizing; your cybersecurity research may be their crime and it's not guaranteed to end well, particularly if a government or foreign entity comes into play.
I call this the “person behind the curtain” scenario, and I remember seeing this as far back as the 90s, where intelligence operatives fed exploits to “kids” to have them attack various organizations (see Operation SOLAR SUNRISE).
Wait, someone is willing to pay me to carry my phone [err, Wi-Fi sniffer] whilst getting my steps in. Cool, ok, maybe not. It does make me wonder though, what is the actual crime>: Everyone quick, get that Wi-Fi monitoring app off your device.
A generation or two ago, Dutch academics encouraged their students to hack as long as their targets were outside the Netherlands. Needless to say, they lived to regret it. The Brits thought it was amusing because the targets were mostly in the US but they carried much of the attack traffic.
NL Times
The Record
Infosecurity Magazine
BleepingComputer
SecurityWeek
BBC
The Register
Japanese brewer Asahi Group Holdings, Ltd. has disclosed that it "is currently experiencing a system failure caused by a cyberattack, affecting operations in Japan." Asahi reports that it has suspended "order and shipment operations at group companies in Japan [and] call center operations, including customer service desks." In addition to its operations in Japan, Asahi owns global beer brands and has regional operations in Europe, Oceania, and Southeast Asia. The company has 30,000 employees.
Thus far, no ransomware gang is taking credit for this attack. Asahi has published the outage notice at the top website’s newsroom, but is not yet providing alternate call center (including customer service) numbers. It's been seen that having alternate contact information as soon as possible helps maintain customer relationships and has become a best practice.
Yep, suspect some ransomware gang is at it again. Let’s hope they don’t end up like JLR and need a bailout short-term loan from the government.
In a blog post, Postmark writes that "a malicious actor created a fake package on npm impersonating our name, built trust over 15 versions, then added a backdoor in version 1.0.16 that secretly BCC’d emails to an external server." Researchers at Koi Security have described the malicious npm package as "the world’s first sighting of a real world malicious MCP server." Koi's risk engine "flagged postmark-mcp when version 1.0.16 introduced some suspicious behavior changes." Postmark's true MCP server is published in GitHub, not npm.
In this case I found out MCP means Model Context Protocol, not Master Control Program – I've watched Tron too many times, and it is a service for sending email via Postmark. Postmark has published the official libraries, SDK, and copy of Postmark MCP so you can verify you're running legitimate copies. If you discover you're running the fake package, you should rotate any credentials sent via email as well as your Postmark server API token.
Postmark App
Koi Security
DarkReading
The Hacker News
The Register
SC Media
SANS Internet Storm Center StormCast Tuesday, September 30, 2025
Apple Patch; PAN Global Protect Scans; SSL.com signed malware
https://isc.sans.edu/podcastdetail/9634
Apple Patches
Apple released patches for iOS, macOS, and visionOS, fixing a single font parsing vulnerability
https://isc.sans.edu/diary/Apple+Patches+Single+Vulnerability+CVE202543400/32330
Increase in Scans for Palo Alto Global Protect Vulnerability (CVE-2024-3400).
Our honeypots detected an increase in scans for a Palo Alto Global Protect vulnerability.
Nimbus Manticore / Charming Kitten Malware update
Checkpoint released a report with details regarding a new Nimbus Manticore exploit kit. The malware in this case uses valid SSL.com-issued certificates.
https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe/
SANS Internet Storm Center StormCast Monday, September 29, 2025
Convert Timestamps; Cisco Compromises; GitHub Notification Phishing
https://isc.sans.edu/podcastdetail/9632
Converting Timestamps in .bash_history
Unix shells offer the ability to add timestamps to commands in the .bash_history file. This is often done in the form of Unix timestamps. This new tool converts these timestamps into a more readable format.
https://isc.sans.edu/diary/New+tool+converttsbashhistorypy/32324
Cisco ASA/FRD Compromises
Exploitation of the vulnerabilities Cisco patched last week may have bone back about a year. Cisco and CISA have released advisories with help identifying affected devices.
https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
Github Notification Phishing
Github notifications are used to impersonate YCombinator and trick victims into installing a crypto drainer.
Catch up on recent editions of NewsBites or browse our full archive of expert-curated cybersecurity news.
Browse ArchiveUnpatched software is one of the easiest ways attackers get in. ThreatLocker® Patch Management gives you visibility into vulnerabilities across your network and ensures applications stay secure with timely updates. Take control of your attack surface and reduce risk before it’s exploited.
Webcast | Enhancing Security Operations with Google Threat Intelligence | Tuesday, September 30, 2025 at 3:30 PM ET From tracking threat actors and malware campaigns to monitoring the dark web for emerging risks, you’ll see how Google’s converged ecosystem provides both operational and strategic value.
Webcast | Modernizing OT Security | Wednesday, October 1, 2025 at 10:30AM ET Hear from SANS experts Tim Conway & Jason Dely on how Digital Twin Technology, AI and Threat Emulation are being utilized to transform OT defense and compliance readiness.
Virtual Event | SANS CloudSecNext Summit Solutions Track | Friday, October 3, 2025 at 10:00am MT (12:00pm ET) Join SANS Senior Instructor Brandon Evans as he hosts this 2 hour event delving into the latest tools, techniques and procedures to help you better secure cloud, multi-cloud and hybrid environments.