Daily Tech Digest - July 12, 2021

Red teaming – getting prepared for the inevitable

A red teaming exercise is undertaken with the aim of exploring areas that other assessments would overlook to determine the overall attack chain. Unlike a penetration testing exercise, which usually lasts for around a week or two, a red teaming engagement should be considerably longer. The total elapsed time of an engagement will be several months, or even up to a year, with the team carrying out a series of different exercises during that time and allowing time gaps in between. During the exercise, the team works to identify vulnerabilities and formulate plans on how criminals could exploit the identified weaknesses. These could lie within a business’ people, network, company inboxes, or even physical access to offices. There are several stages to a red teaming engagement, both on a technical and physical level. ... The red team will spend a significant portion of time mapping out the various physical and technical access points to an organisation before they attempt to breach. The preparation for a red teaming exercise takes significantly longer than other security assessments, as there is often a very specific set of targets in mind, rather than testing any and every area of the business.


Navigating Active Directory Security: Dangers and Defenses

Threat actors typically need initial access on a domain-joined system in an organization, says Natarajan, and they can achieve it in multiple ways, including spear-phishing emails with malicious attachments, drive-by download attacks, and exploiting a vulnerability in an Internet-facing system. Once a victim runs the malicious binaries, the attacker has a better chance of getting initial access over the system. They could exploit other system flaws to gain administrative privileged access, and AD reconnaissance tools can help them understand the directory structure and choose their targets. Various misconfigurations – which experts agree are plentiful in AD environments – can help them escalate their privileges to domain administrator. "To me, it's almost more attractive because there's not a patch for that," says Will Schroeder, technical architect at SpecterOps, of misconfigurations from an attacker's perspective. "There are ways that people can fix it, but over time this kind of debt and misconfiguration can build up." Because AD systems are so complex, little things can create large security holes over time.


Programming Evolution: How Coding Has Grown Easier in the Past Decade

In the past decade, APIs have played a huge role in the programming evolution. It's easy for developers to have a love-hate relationship with APIs. APIs create additional security risks that programmers need to manage. They often place limits on which functionality you can implement within an API-dependent app because you can only do whatever the API supports. And APIs can become single points of failure for applications that depend centrally on them. On the other hand, APIs make the lives of programmers easier in the sense that they make it fast and simple to integrate disparate services and data. Until about 10 years ago, if you wanted to import data from a third-party platform into your app, you probably would have had to resort to an "ugly" technique, such as scraping the data off of a web interface. Today, you can easily and systematically import the data using the platform's API ... Until about a decade ago, not only were there relatively few open standards that major vendors supported, but companies often went out of their way not to make their platforms compatible with those of external organizations.


Understanding and stopping 5 popular cybersecurity exploitation techniques

Criminals use stack pivoting to bypass protections like DEP by chaining ROP gadgets in a return-oriented programming attack. With stack pivoting, attacks can pivot from the real stack to a new fake stack, which can be an attacker-controlled buffer such as the heap. The future flow of program execution can be controlled from the heap. While Windows provides export address filtering (EAF), a next-gen cybersecurity solution can provide an access filter that prevents the reading of Windows executable (PE) headers and export/import tables by code, using a special protection flag to protect memory areas. An access filter should also support an allowlist so heuristics can be tweaked as needed. ... Many advanced, next-gen cybersecurity solutions place hooks on sensitive API functions to intercept and perform checks, such as antivirus scanning, before allowing the kernel to service the request. Criminals can take advantage of the fact that only sensitive functions are monitored. By calling an unmonitored, non-sensitive function at an offset (to intentionally address an important kernel service instead), cybercriminals can often evade security software.
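The defensive counterpart to stack pivoting is the check that anti-exploit hooks run when a sensitive API is entered: is the stack pointer still inside the calling thread's legitimate stack region, or has it been moved onto the heap? The following is an added example written for this digest, not code from the article or from any product it mentions. It assumes Linux with glibc and GCC/Clang: the thread's stack bounds come from pthread_getattr_np (on Windows a hook would read StackLimit/StackBase from the TEB instead), and the "pivoted" case is simulated by handing the check the address of a heap buffer, nothing is executed there.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>

/* glibc declares pthread_getattr_np only under _GNU_SOURCE; this compatible
 * prototype keeps the file building even if a system header was pulled in
 * before the feature macro took effect. (Linux/glibc assumption.) */
extern int pthread_getattr_np(pthread_t thread, pthread_attr_t *attr);

/* Pure bounds test: a stack pointer is legitimate only if it lies inside
 * the calling thread's own stack region [lo, hi). */
int sp_within_bounds(uintptr_t sp, uintptr_t lo, uintptr_t hi)
{
    return sp >= lo && sp < hi;
}

/* Look up the calling thread's stack region. Returns 0 on success, -1 if the
 * bounds cannot be determined (the caller must then fail open or closed). */
int thread_stack_bounds(uintptr_t *lo, uintptr_t *hi)
{
    pthread_attr_t attr;
    void *base;
    size_t size;
    if (pthread_getattr_np(pthread_self(), &attr) != 0)
        return -1;
    int rc = pthread_attr_getstack(&attr, &base, &size);
    pthread_attr_destroy(&attr);
    if (rc != 0)
        return -1;
    *lo = (uintptr_t)base;
    *hi = (uintptr_t)base + size;
    return 0;
}

/* The check a hook on a sensitive API would run on entry:
 *   1 = pivot suspected, 0 = stack pointer is where it should be,
 *  -1 = bounds unavailable, cannot decide. */
int stack_pivot_suspected(uintptr_t sp)
{
    uintptr_t lo, hi;
    if (thread_stack_bounds(&lo, &hi) != 0)
        return -1;
    return sp_within_bounds(sp, lo, hi) ? 0 : 1;
}

/* Genuine call: this frame's own address is inside the thread stack. */
__attribute__((noinline)) int check_genuine_frame(void)
{
    uintptr_t sp = (uintptr_t)__builtin_frame_address(0);
    return stack_pivot_suspected(sp);
}

/* Simulated pivot: what the hook would see if the stack pointer had been
 * moved onto a heap buffer. Only the address is inspected. */
int check_heap_as_stack(void)
{
    void *fake_stack = malloc(4096);
    if (fake_stack == NULL)
        return -1;
    int verdict = stack_pivot_suspected((uintptr_t)fake_stack);
    free(fake_stack);
    return verdict;
}

int main(void)
{
    printf("genuine frame : %d (0 = ok)\n", check_genuine_frame());
    printf("heap as stack : %d (1 = pivot suspected)\n", check_heap_as_stack());
    return 0;
}
```

Real products make the same comparison at every hooked sensitive call, which is why the article's second point matters: a call that lands in the kernel service through an unmonitored function never reaches this check, so the bounds test has to be paired with coverage of the entry points, not just the "sensitive" ones.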


AI has become a design problem

All the best data, model, and development practices in the world cannot fully guarantee perfectly behaved AI. In the end, good user interface design has to appropriately present AI to end users. An effective user interface can, for instance, tell the user the provenance of its insight, recommendations, and decisions. ... Historically, UIs presented data as matter-of-fact. Common lists of data were not suspect; they were simply regurgitating what was stored. But increasingly, presentations of data are sourced, culled, and shaped by AI and therefore carry with them the suspect nature of the AI’s curation. UI design must introduce new mechanisms to allow users to inspect data provenance and reasoning and introduce visual cues to better share data confidence and bias to the user. As we navigate the intricacies of a technology already integrated into many of our systems, we must design these systems in a responsible manner, mindful of transparency, privacy, and fairness. Design can frame AI-driven user experiences to end users in a manner that engenders trust and helps the end user understand the scope, strengths, and weaknesses of a given system. In turn, fear and mistrust are alleviated around the mysterious black boxes.


4 Key Observability Metrics for Distributed Applications

Latency is the amount of time it takes between a user performing an action and its final result. For example, if a user adds an item to their shopping cart, the latency would measure the time between the item addition and the moment the user sees a response that indicates its successful addition. If the service responsible for fulfilling this action degraded, the latency would increase, and without an immediate response, the user might wonder whether the site was working at all. To properly track latency in an Impact Data context, it's necessary to follow a single event throughout its entire lifetime. ... Tracking error rates is rather straightforward. Any 5xx (or even 4xx) issued as an HTTP response by your server should be tagged and counted. Even situations that you've accounted for, such as caught exceptions, should be monitored because they still represent a non-ideal state. These issues can act as warnings for deeper problems stemming from defensive coding that doesn't address actual problems. Kuma can capture the error codes and messages thrown by your service, but this represents only a portion of actionable data. 
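To make the error-rate and latency points concrete, here is an added example (not from the article, and not Kuma code) that counts exactly what the text says to count: every 4xx and 5xx response, plus requests that only succeeded because an exception was caught, tracked as a separate "handled error" signal. The log line format and the six sample requests are constructed for this example; a real service would feed the same counters from its access log or middleware.

```c
#include <stdio.h>
#include <string.h>

/* Aggregated counters for one service. 4xx, 5xx and handled exceptions are
 * kept apart so each can be alerted on separately. */
typedef struct {
    int total;
    int client_errors;   /* 4xx responses */
    int server_errors;   /* 5xx responses */
    int handled_errors;  /* caught exceptions, even when the status was 2xx */
    long latency_sum_ms;
    int latency_max_ms;
} metrics_t;

/* Constructed log format (hypothetical, not any real server's):
 *   METHOD PATH STATUS LATENCY_MS CAUGHT_EXCEPTION(0|1) */
int parse_line(const char *line, int *status, int *latency_ms, int *caught)
{
    char method[16], path[128];
    if (sscanf(line, "%15s %127s %d %d %d",
               method, path, status, latency_ms, caught) != 5)
        return -1;
    return 0;
}

void record(metrics_t *m, int status, int latency_ms, int caught)
{
    m->total++;
    if (status >= 500 && status <= 599)
        m->server_errors++;
    else if (status >= 400 && status <= 499)
        m->client_errors++;
    if (caught)
        m->handled_errors++;   /* non-ideal state even though the client got 2xx */
    m->latency_sum_ms += latency_ms;
    if (latency_ms > m->latency_max_ms)
        m->latency_max_ms = latency_ms;
}

/* Share of requests that failed on the server side (5xx only). */
double server_error_rate(const metrics_t *m)
{
    return m->total ? (double)m->server_errors / m->total : 0.0;
}

/* 4xx and 5xx together, the stricter variant the text mentions. */
double any_error_rate(const metrics_t *m)
{
    return m->total ? (double)(m->server_errors + m->client_errors) / m->total : 0.0;
}

double mean_latency_ms(const metrics_t *m)
{
    return m->total ? (double)m->latency_sum_ms / m->total : 0.0;
}

/* Constructed sample: six requests to a shopping-cart service. */
metrics_t metrics_from_sample(void)
{
    static const char *lines[] = {
        "GET /cart 200 85 0",
        "POST /cart/add 200 140 0",
        "POST /cart/add 500 2300 0",
        "GET /item/42 404 30 0",
        "POST /checkout 200 410 1",   /* 2xx, but an exception was caught on the way */
        "GET /cart 503 5000 0",
    };
    metrics_t m = {0};
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int status, latency, caught;
        if (parse_line(lines[i], &status, &latency, &caught) == 0)
            record(&m, status, latency, caught);
    }
    return m;
}

int main(void)
{
    metrics_t m = metrics_from_sample();
    printf("requests=%d 4xx=%d 5xx=%d handled=%d\n",
           m.total, m.client_errors, m.server_errors, m.handled_errors);
    printf("5xx rate=%.3f any-error rate=%.3f mean latency=%.1f ms max=%d ms\n",
           server_error_rate(&m), any_error_rate(&m), mean_latency_ms(&m),
           m.latency_max_ms);
    return 0;
}
```

Note how the 503 and the 2,300 ms 500 dominate both the error rate and the mean latency: the two metrics move together when a dependency degrades, which is why the text insists on following one event through its whole lifetime rather than sampling either number on its own.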


How to avoid the network-as-a-service shell game

Our Rule One says that your project has to meet financial targets, meaning a target ROI. NaaS makes it easier to figure out whether a project meets CFO targets, but remember that anything sold as a service has to include a profit margin for the seller. The cloud has not replaced every data center, not because of CIO intransigence but because the cloud isn’t always cheaper. NaaS wouldn’t always be cheaper either, so a NaaS-based project is going to have to prove it’s a better strategy than capital purchasing would be. Your trip to the CFO’s office just got more complicated. Another issue with NaaS is cost control. With traditional networking, you pay a fixed amount for fixed capacity. Your cost is predictable. Any kind of consumption-based pricing risks generating some truly eye-popping bills if the usage is greater than expected, and most such systems really don’t make it easy to ensure that excess usage doesn’t happen. Serverless cloud computing customers are already whining over multi-hundred-percent cost overruns. It seems like you can either face your CFO during project approval or face your CFO when you blow your budget. The latter isn’t likely a great career move for you.


What You Need to Know About Ransomware Insurance

Ransomware insurance is like any other type of cyber insurance. "Cyber insurance is about assessing the cyber risk, determining the potential losses due to attacks, and then obtaining coverage," said Bhavani Thuraisingham, a professor at the University of Texas at Dallas, as well as the executive director of the university’s Cyber Security Research and Education Institute. The unique challenge with ransomware is that once an attacker gets into the system, they have access to everything within. "[They aren't] just stealing your data but crippling your system by encrypting all of the data and files so that you can't have access unless you pay them a ransom," she explained. "It's like someone breaking into your house and stealing your jewelry, but also kidnapping your child and demanding a ransom," Thuraisingham quipped. Ransomware insurance is generally sold along with, or in addition to, a general cyber insurance policy. The appropriate cyber liability insurance policy depends primarily on the applicant's industry and operations, observed Jack Dowd, an account executive at insurance provider The Dowd Agencies.


Ensuring digital maturity in the boardroom

Becoming digitally mature allows organisations to future-proof their business. Something that became clear during the pandemic was that the ability to remain agile is paramount. Digital transformation enables this. Utilising cloud technologies gives enterprises the freedom and flexibility to work wherever and however it is necessary. From here, businesses can further foster a flexible culture, promoting a better work-life balance for employees. However, as society climbs back to normal, many within the boardroom will understand that there are more benefits to digital transformation than remote working. Scalability is an essential factor. Technology is not bound by physical restrictions; digital services and solutions can be increased, enhanced and altered at a moment’s notice. This not only helps to keep organisations agile, but also provides the foundations of future growth. These increased levels of scalability and agility combine to enable greater growth and profitability for businesses. Efficient and cost-effective processes allow leaders to focus on wider business opportunities, and greater access to data produces better decision making, faster.


Ransomware Landscape: Notorious REvil Is Only One Operator

Many ransomware-wielding attackers will first attempt to contact victims directly and get them to pay a ransom, promising that if the organization does so quickly, then attackers will never leak their data or attempt to "name and shame" them. Hence the number of victims who simply pay remains unknown. Furthermore, the damage caused by a single attack from a more sophisticated ransomware operation, such as REvil, can be severe. Miami-based Kaseya's software is used by a number of managed service providers to manage clients' endpoints, and up to 60 MSPs and 1,500 of their clients were infected by REvil - aka Sodinokibi - ransomware just in that single attack. REvil has also been tied to the attack against meat-processing giant JBS - who paid attackers an $11 million ransom - and many other attacks. Another operation, called DarkSide, claimed credit for the May attack against Colonial Pipeline Co., which supplies 45% of the fuel used along the East Coast. Shortly after the attack, DarkSide claimed it would shut down its ransomware-as-a-service operation because of unwanted publicity and attention.



Quote for the day:

"It is the responsibility of leadership to provide opportunity, and the responsibility of individuals to contribute." -- William Pollard