Darktrace launches AI-driven vulnerability detection, alert system Newsroom

Read Time:39 Second

AI-focused cybersecurity vendor Darktrace has announced the release of Newsroom, a new detection and warning system for critical vulnerabilities that uses open-source intelligence (OSINT) sources to identify threats posed to businesses. Newsroom leverages deep and AI-assisted knowledge of a customer’s external attack surface to gauge its exposure to detected vulnerabilities and provides a summary of exploits, affected software and assets within the organization, Darktrace stated. It also provides vulnerability mitigation guidance specific to businesses, while early adoption has revealed insight on remote code injection flaws in Citrix Gateway/Citrix ADC, CentOS Web Panel 7 Servers, and Zoho ManageEngine products, according to the vendor. Darktrace Newsroom is now available as part of the Darktrace PREVENT product range.

To read this article in full, please click here

Read More

Cyberwar Lessons from the War in Ukraine

Read Time:1 Minute, 28 Second

The Aspen Institute has published a good analysis of the successes, failures, and absences of cyberattacks as part of the current war in Ukraine: “The Cyber Defense Assistance Imperative ­ Lessons from Ukraine.”

Its conclusion:

Cyber defense assistance in Ukraine is working. The Ukrainian government and Ukrainian critical infrastructure organizations have better defended themselves and achieved higher levels of resiliency due to the efforts of CDAC and many others. But this is not the end of the road—the ability to provide cyber defense assistance will be important in the future. As a result, it is timely to assess how to provide organized, effective cyber defense assistance to safeguard the post-war order from potential aggressors.

The conflict in Ukraine is resetting the table across the globe for geopolitics and international security. The US and its allies have an imperative to strengthen the capabilities necessary to deter and respond to aggression that is ever more present in cyberspace. Lessons learned from the ad hoc conduct of cyber defense assistance in Ukraine can be institutionalized and scaled to provide new approaches and tools for preventing and managing cyber conflicts going forward.

I am often asked why where weren’t more successful cyberattacks by Russia against Ukraine. I generally give four reasons: (1) Cyberattacks are more effective in the “grey zone” between peace and war, and there are better alternatives once the shooting and bombing starts. (2) Setting these attacks up takes time, and Putin was secretive about his plans. (3) Putin was concerned about attacks spilling outside the war zone, and affecting other countries. (4) Ukrainian defenses were good, aided by other countries and companies. This paper gives a fifth reasons: they were technically successful, but keeping them out of the news made them operationally unsuccessful.

Read More

Stress pushing CISOs out the door

Read Time:54 Second

Nearly half of CISOs will change jobs by 2025 due to stress caused by the risk of being breached while trying to retain staff, according to the Gartner report, Predicts 2023: Cybersecurity Industry Focuses on the Human Deal. The research firm found that the stressors of the cybersecurity world make the job of a cybersecurity professional unsustainable. This includes the knowledge that there are only two possible outcomes: get hacked or don’t. “The psychological impact of this is profound, directly affecting decision quality and performance of cybersecurity leaders and their teams,” found Gartner.

Although burnout is nothing new, it did become more visible and common during and after COVID-19. For CISOs it is worse as more than 50% are challenged with work demands that lead to a poor work-life balance at least once a month. A leader recovering from the stress of a data breach could last less than five years on the job — the average tenure of a cybersecurity leader according to a 2020 Gartner research report.

To read this article in full, please click here

Read More

Stories from the SOC  – The case for human response actions

Read Time:3 Minute, 46 Second

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.

Executive summary

As we move towards more automation, we should remember the risk of over-automating, or at least make a conscious decision to accept the risks. This is especially important in automating response actions, which left unchecked could wreak havoc with day-to-day business operations.

Investigation

The alarm

One evening after normal business hours, an alarm came in indicating a software package attempting to execute on a server was auto-mitigated by SentinelOne. The software package was behaving in a way that was taken as attempting to evade detection by the SentinelOne agent and therefore rated as “Malicious” by the SentinelOne Artificial Intelligence logic. Since the server on which the software package was attempting to execute had a “Protect” policy applied, the auto-mitigation steps for a dynamically detected “Malicious” rating included killing and quarantining the process.

A “policy” setting in SentinelOne is the defined level of automated response activity the endpoint detection and response tool (EDR) has permission to perform for each grouping of assets. Whereas a “Detect” policy will create an alert that can be managed for post-investigation response actions, a policy setting of “Protect” will take automated response actions. The intrusion level of those automated response actions can be customized, but they all perform an automated action without a person looking at the situation first.

The below image is for an alarm for malware which ended up being process automation software

but nonetheless was automitigated (process killed) by SentinelOne as shown in the log excerpt below.

The business impact

The next morning, with business hours back in full swing, the customer reached out to us concerned about the result of the automated response action. The customer stated that the software package is a critical part of their business infrastructure and should never be stopped from executing. The software had been running on that same server the prior several months, since entering SOC monitoring.

The customer questioned why after several months with the SentinelOne agent running on the server did the agent suddenly believe the software package was malicious. We were not able the answer the question specifically since the decision-making behind identifying and rating a process as “Malicious” versus “Suspicious” or benign is a proprietary logic.

What we could state is that any EDR solution worth its price will continually update indicator of compromise (IOC) signatures. Any worthwhile EDR solution will also include not only static detection but also behavior-based dynamic detection. In the case of SentinelOne, there is the pre-execution behavior analysis that allows for process termination pre-execution as well. And of course, any software package run on a server is subject to updates for security, efficiency, or product feature upgrades.

Taken as a whole, it means any endpoint being protected is a very dynamic battleground with the potential for an updated software package that did not trigger IOC rules yesterday triggering tehm today. Or a non-updated software package may suddenly be identified as potently malicious due to updated machine learning IOC behavior analysis. Remember when JNDI calls were considered benign?

Lessons learned

Just as we learn the CIA security triad is a balancing act between confidentiality, integrity and availability, there is a balance to be struck between the use of immediate automated response actions and the slower reasoning of human evaluation prior to response actions. An EDR solution will immediately and infallibly carry out the policy which it has been programmed to implement, but in a ruthless fashion. A human evaluation will take longer, but it can consider prior history, the validity of the triggering IOCs in context, and the nuances of how selecting one response action over another might impact your overall business.

Automation, machine learning, artificial intelligence, and the like have their place. Their benefits will no doubt increase as technology develops. But the human component will always be necessary. The MXDR SOC and our customers (being the humans that we are) must work together to define the critical assets and business processes that should never be touched by automated intrusion. We must also work together to find the space in your environment where those swift and ruthless automated response actions are an advantage. And it is a very human decision to conclude how much risk we can tolerate in each implementation.

Read More

Defense in depth — the Microsoft way (part 82): INVALID/BOGUS AppLocker rules disable SAFER on Windows 11 22H2

Read Time:20 Second

Posted by Stefan Kanthak on Feb 22

Hi @ll,

in Windows 11 22H2. some imbeciles from Redmond added the following
(of course WRONG and INVALID) registry entries and keys which they
dare to ship to their billion world-wide users:

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSrpGp]
“RuleCount”=dword:00000002
“LastWriteTime”=hex(b):01,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSrpGpDLL]

JFTR: the time stamp is 100ns past…

Read More

Multiple vulnerabilities in Audiocodes Device Manager Express

Read Time:20 Second

Posted by Eric Flokstra on Feb 22

# Product Name: Device Manager Express
# Vendor Homepage: https://www.audiocodes.com
# Software Link:
https://www.audiocodes.com/solutions-products/products/management-products-solutions/device-manager
# Version: <= 7.8.20002.47752
# Tested on: Windows 10 / Server 2019
# Default credentials: admin/admin
# CVE-2022-24627, CVE-2022-24628, CVE-2022-24629, CVE-2022-24630,
CVE-2022-24631, CVE-2022-24632
# Exploit:…

Read More

Sumo Logic keep api credentials on endpoints

Read Time:20 Second

Posted by dammitjosie— via Fulldisclosure on Feb 22

security bug:

go sumologic.com (big company, many customer)

make free account

log in account, make access key – help.sumologic.com/docs/manage/security/access-keys/
<http://help.sumologic.com/docs/manage/security/access-keys/>

download collector for windows –
help.sumologic.com/docs/send-data/installed-collectors/collector-installation-reference/download-collector-from-static-url/

<…

Read More