SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense, Artificial Intelligence
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
OMB Rescinds Software Attestation Order
The US Office of Management and Budget (OMB) has rescinded two memoranda requiring agencies to obtain to software self-attestations from vendors before using their products. In a January 23, 2026 memorandum, OMB Director Russell T. Vought writes that M-22-18, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices,” and a companion policy, M-23-16, "divert... agencies from developing tailored assurance requirements for software and neglect... to account for threats posed by insecure hardware." US federal agencies will still be required "to maintain a complete inventory of software and hardware and develop software and hardware assurance policies and processes that match their risk determinations and mission needs." The agencies may continue to use the resources and processes developed under the old memoranda but will no longer be required to do so. The new memorandum says that agencies could require vendors to produce a software bill of materials (SBOM), and points to the National Institute of Standards and Technology's (NIST's) Secure Software Development Framework "for additional information and options."
Editor's Notes
- Slide 1 of 4
This a step backwards, and it misses the chance for the US Government to play a leading role in using their purchasing power to drive security increases. Not that Software Bills of Materials were totally baked, but they are a needed ingredient in any real security recipe.
- Slide 2 of 4
Those memos were a bit burdensome, and vendors were disinclined to provide the attestations. And the requirement didn't include funding. This shift gives the appearance that OMB is putting its eggs in the SBOM/HBOM/Firmware BOM basket. As services to provide and leverage that information evolves, it'll become easier to have insight into what is running with which potential deficiencies.
- Slide 3 of 4
Notwithstanding the OMB decision, software development organizations bear responsibility for delivering secure software. The Center for Internet Security and the non-profit SAFECode recently published "A Guide to Assessing Software Security Practices." The guide informs end users/customers on what to ask for and what steps to take. It tells software development organizations what to do in practice for Secure by Design. And it informs industry bodies and government what specifics to look for to verify Secure by Design adoption. Use it.
https://www.cisecurity.org/insights/white-papers/secure-by-design
- Slide 4 of 4
This is another instance in which the responsibility for risk assessment may be assigned to a level of management that lacks the necessary knowledge, skills, abilities, and experience to carry it out. Moreover, it may be used as license to do whatever is convenient. This is an area in which good practice does not really vary with risk and should be mandated (even though inconvenient).
Slide 1 of 0- Slide 1 of 4
Microsoft Gives BitLocker Recovery Keys to FBI
Microsoft reportedly surrendered BitLocker encryption recovery keys for three laptops after being served a search warrant by the FBI in connection with a 2025 fraud investigation in Guam. Users may store BitLocker keys locally, but typically by default they are also backed up to Microsoft cloud servers, both for personal and managed devices. A Microsoft spokesperson stated that the company receives about 20 law enforcement requests every year and will provide keys given a "valid legal order," but cannot assist if there is no backup. Forbes states that this is the first publicly known case of Microsoft turning over users' encryption keys, contrasting this decision with prior refusals as well as with Apple's refusal to unlock their devices for the FBI, also noting that both Apple and WhatsApp allow their users to back up keys to the cloud in a file that is itself protected by encryption. Ars Technica, ZDNET, and Heise offer instructions on implementing disk encryption such that the recovery key is only accessible to the user.
Editor's Notes
- Slide 1 of 5
There are three issues here. The first is the trade-off between convenience and security. Management must understand that most organizations reserve the right to comply with "lawful" government orders. If that is a problem for you, do not share data with them, particularly private keys. The second issue is what constitutes a "lawful" order. Clearly a warrant issued by a court based upon probable cause meets the test of lawful and must be complied with. Everything else is questionable. The third issue is the duty to disclose. The default should be that the duty of a custodian includes the duty to tell the data owner about any disclosure, including in response to a lawful order. However, the US government insists that, in the name of national security, it can compel a custodian to disclose the data while forbidding said custodian from informing the data owner. Keep these issues in mind when deciding what to share.
- Slide 2 of 5
Microsoft can only provide recovery keys backed up (stored) in their cloud storage. The keys are stored online by default for Windows Home edition, and storing the key online is a valuable backup for home users. Unfortunately, unlike Apple and Google's cloud storage of encryption keys, Microsoft can access these stored keys when needed. Users can delete the key from their online account, but then it's on them to manage the key, and if it's lost, there is no recovery option. Note that once deleted, it can be found in Microsoft's systems for up to 30 days. One hopes Microsoft will take lead from Apple and Google to make some items, such as BitLocker keys, not retrievable by anyone other than the end user.
- Slide 3 of 5
This appears to be a nice example of convenience versus security. Storing BitLocker keys in the cloud makes it easier for companies and individuals to recover devices should the user forget their password, but it does leave the device susceptible to access should a third party have physical access to the device, and should they also have access, in this case via court orders, to the keys. If your threat model includes government agencies potentially accessing your devices, then do look at alternative ways of storing your BitLocker keys.
- Slide 4 of 5
It was a lawful order from the court. As such, the vendor is compelled to comply with the order. At the end of the day though, the user is given the option. Surely they understand what that means when it comes to storing locally, storing with a third party, or storing in the vendor's cloud. If not, then suggest a close reading of the recovery key guidelines. For many organizations though, it’s an easy choice: recoverability over privacy.
- Slide 5 of 5
There will be legal challenges to this type of thing to define the applicability of well-established case law in the US around companies unlocking employee physical lockers for law enforcement.
Slide 1 of 0- Slide 1 of 5
Patch Now: Microsoft Office Zero-Day Exploited
Microsoft has issued an out-of-band security advisory warning of an actively exploited high-severity zero-day flaw in Microsoft Office. The flaw has been added to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog (CISA KEV), with a remediation due date of February 16 for FCEB agencies. CVE-2026-21509, CVSS score 7.8, allows an unauthorized local attacker to bypass Object Linking and Embedding (OLE) mitigations when a targeted user opens a malicious Office file, due to "reliance on untrusted inputs in a security decision." The preview pane is not an attack vector. This flaw affects both 32-bit and 64-bit versions of Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise. The advisory offers instructions for patching and mitigation: Users running Office 2021 and later must restart their applications to ensure service-side patches are automatically applied; users running Office 2016 and 2019 must install the security update or manually follow Microsoft's provided directions to safely apply proper registry keys.
Editor's Notes
The exploit requires a user to open a malicious Office file; as much as we hope users listen to our guidance on opening files, good luck with that. The newest Office versions benefit from a service update, but users will need to relaunch running components, such as Word or Excel. There is a workaround for Office 2016 and 2019 of modifying registry keys relating to COM Compatibility; it's going to be simpler to apply the update when released. Windows Defender has protections to block exploitation, so check your EDR provider for their implementation of these as well.
The Rest of the Week's News
Poland Thwarted Wiper Attack Targeting Power Grid
In late December 2025, Polish authorities thwarted an attempted cyberattack targeting the country's power grid. The targeted systems included combined heat and power plants as well as a system that manages power derived from renewable energy resources, such as wind turbines and photovoltaic farms. The attack aimed to deploy wiper malware. Researchers at ESET have dubbed the malware DynoWiper; they say that they "attribute the attack to the Russia-aligned Sandworm APT with medium confidence due to a strong overlap with numerous previous Sandworm wiper activity [they] analyzed." ESET also observed that the attack against the Polish power grid fell on the 10th anniversary of the Sandworm attack on Ukraine's power grid.
Editor's Notes
- Slide 1 of 4
Wiper malware is designed to permanently disable systems and force operators into recovery under stress, making this a reliability and safety concern as well as a cybersecurity incident. The focus on combined heat and power plants and renewable management systems highlights how attackers target assets that directly affect grid stability and public welfare, even without causing a full blackout. The timing, target set, and use of wiper malware together indicate a deliberate, state-aligned operation designed to test resilience, not to make money or steal data.
- Slide 2 of 4
If you don't remember Sandworm from ten years ago, you probably do remember the NotPetya attack from 2017. Same motivation — disruption of services —albeit NotPetya was only supposed to target the Ukraine, but got out and spread worldwide. ESET published an IoC to detect Win32/KillFiles.NMO aka DynoWiper. Add that to your arsenal.
- Slide 3 of 4
All operators of critical infrastructure should review all internet facing devices, eliminate access where possible, and maintain high patch vigilance.
- Slide 4 of 4
Power grids are designed to fail in such a way as to limit damage and facilitate restoration. Such design may make them resistant to natural failures but vulnerable to malicious attack. The bigger they are, the harder they fall.
Slide 1 of 0- Slide 1 of 4
Fortinet Acknowledges SSO Bypass on Patched Devices
In a January 22, 2026 blog post, Fortinet acknowledged that attackers have found a way to bypass patches the company issued in December to address single sign-on (SSO) authentication vulnerabilities (CVE-2025-59718 and CVE-2025-59719) in FortiCloud. Fortinet became aware of the issue when customers began reporting "unexpected login activity ... on their [fully-patched] devices." In addition, researchers at Arctic Fox recently observed "a new cluster of automated malicious activity involving unauthorized firewall configuration changes on FortiGate devices" similar to a campaign the researchers described in December shortly after Fortinet released the patches. Fortinet says it is currently working on a fix for the issue and lists indicators of compromise. Until a fix is available, Fortinet recommends that users restrict admin access, disable FortiCloud SSO logins, and be on the lookout for an advisory once the fix is available. The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-59718 to the Known Exploited Vulnerabilities (KEV) catalog in December.
Editor's Notes
- Slide 1 of 2
There are few phrases that are as haunting to cybersecurity professionals as this one: "unexpected login activity ... on their [fully-patched] devices…” but here we are. While I could comment on the Fortinet Fiasco du jour, I will refrain from that and instead remind readers of the absolute importance of logging login events (both success and failure) and of having human and automated systems review those login events regularly (such as daily or more often if possible). Sometimes suspicious login events are all we’ve got to discover an attacker’s presence. Double check your logging configs throughout the environment to ensure you’ve got a chance at detecting this malfeasance.
- Slide 2 of 2
If you've got Fortinet devices, you need to disable FortiCloud SSO login to management (admin) interfaces until a fix is available. Moreover, restrict these logins to authorized devices, ideally internal. Use the IoCs from Arctic Wolf to see if you're impacted. If so, you're going to need to reset credentials on your firewall.
Slide 1 of 0- Slide 1 of 2
Microsoft Releases a Second OOB Update for Problem with January's Patch Tuesday Release
Microsoft has released a second out-of-band (OOB) update to address an issue that was introduced in the January 2026 Patch Tuesday updates. The updates released on Saturday, January 24, fix an issue that was preventing "Outlook and other apps from opening files from, or saving files to, cloud-based storage sites such as OneDrive and Dropbox." This is the second OOB update Microsoft has published for issues introduced in the January 2026 Patch Tuesday release. On Saturday, January 17, Microsoft published OOB updates to fix two issues: one that prevented some Windows 10 and Windows 11 users from logging in via remote connections, and another that prevented certain Windows 11 devices running Secure Launch from shutting down or hibernating. Microsoft says the January 17 updates are included in the January 24 OOB update.
Editor's Notes
I heard some of those eye-rolls at another OOB patch. Thing is, there are two issues from the January update; the patch helps with access to cloud services, not the issue with the black screen boot for Windows 11 25H2 and 24H2. Either of these issues will light up help desks, so applying the available patch is a good idea. Ironically, applying KB5078127 requires a reboot.
CISA Adds Known VMware DCERPC Vulnerability to KEV
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in VMware vCenter Server to the Known Exploited Vulnerabilities (KEV) catalog. CVE-2024-37079, a heap overflow vulnerability, affects vCenter Server's implementation of the DCERPC protocol. As described by The Register, DCERPC "allows software to invoke procedures and services on a remote system across a network. This bug can be abused by someone with network access to vCenter Server to send specially crafted network packets, potentially leading to remote code execution." The flaw was disclosed in June 2024 and updates addressing the flaw were made available that same month. CISA added the CVE to the KEV after reports that the flaw is currently being actively exploited in the wild. Federal Civilian Executive Branch (FCEB) agencies have until February 13 to mitigate the issue.
Editor's Notes
- Slide 1 of 2
The fix is to apply the patches. VCF users need to use the async patch tool to apply the update; vCenter Server needs to be updated to 8.0 U2d, or 7.0 U3r. If you're running vCenter 6.x, it's EOL, so you need to update to a supported version. If you're running 7.0, you may get a failure on the U3r update due to unsupported ciphers. This is because U3q is built on BoringSSL rather than OpenSSL. OpenSSL silently ignores unsupported ciphers while BoringSSL does not, and the fix is to reset the TLS ciphers in the rhttpproxy config file and retry the update. Limit the access to your vCenter servers to authorized devices.
- Slide 2 of 2
Perhaps adding a vulnerability known since June 2024 to the KEV will spur CISOs to patch. Then again, they really should have patched the vulnerability back in June 2024 or heck even 2025. The Register states it pretty clearly in its opening sentence: "You’ve got to keep your software updated." Failing to do this does not constitute a standard duty of care.
Slide 1 of 0- Slide 1 of 2
London Boroughs Provide Updates on Recovery from November Cyber Incident
Several London (UK) boroughs have published updates regarding the progress of their recovery from a November 2025 cybersecurity incident. The attack affected the councils of Westminster City and Kensington and Chelsea; Hammersmith & Fulham Council was also affected via "shared legacy ... systems." In a January 23 update, the Royal Borough of Kensington and Chelsea confirmed that the incident "was a cyber-attack with criminal intent, with data copied and taken away." Some of the council's services continue to experience disruptions, including some telephone lines being unavailable, and slower service for response times as well as for revenue and benefits processing. Hammersmith & Fulham Council says most services are operating as usual. The City of Westminster's cyber incident update page indicates that some services are still experiencing disruptions.
Editor's Notes
The tip here is to keep an eye on the relevant status page; the boroughs are keeping things updated online, which includes contact and workaround information. I'm a big fan of leveraging communication from others for my outage playbook. Take a look at the information published here: note that it is both direct and thorough, and that it includes working links to supporting information.
Dresden State Art Collections Suffers Cyberattack
The Dresden (Germany) State Art Collections (SKD) was the target of recent cyberattack on January 21, 2026. The Dresden State Art Collections comprise museums in Dresden, Leipzig, and Herrnhut, as well as libraries and archives. The incident affected the organization's digital infrastructure, disrupting the availability of its phone and digital access, including the online shop and visitor services. Museum sites are currently accepting cash payments only. Physical and technical security are unaffected, and the museums are open to visitors. The organization has not provided details about the incident.
Editor's Notes
The Museum web sites include information about reduced services, but the degree of granularity could be better, even though contact information is provided. If you want to visit one of the museums and pay cash, you're good to go. If you're looking for their digital resources, you're likely going to need that contact information to figure out what's working.