Sunday, May 26, 2024

Is Everyone's AI Strategy in Chaos?

When you see the headline “<ex-employee> says <company> AI strategy is in chaos”, what does it really mean? Is any company’s AI strategy NOT in chaos at this point? 

SHOW: 824







  • Google
  • OpenAI
  • Microsoft / Azure / GitHub
  • Amazon / AWS
  • Meta
  • Apple
  • IBM / Red Hat
  • Oracle
  • Snowflake
  • Databricks
  • VCs
  • Startups


from The Cloudcast (.NET)

Friday, May 24, 2024

AWS Security Best Practices, Auditing, and Alarm Use Cases

If your organization operates in an Amazon Web Services (AWS) environment, you may face a series of unique security challenges to protect sensitive data and abide by compliance mandates. To reduce risk, you need to continually mature your security operations and keep up with AWS security best practices. 

In this blog, I’ll dive into common challenges security teams face, how to monitor CloudTrail and GuardDuty logs, and three AWS security use cases that you can implement for better visibility and protection across your cloud environment.

Overcoming AWS Security Challenges  

Under the shared responsibility model, AWS is responsible for the security of the cloud infrastructure, while the customer is responsible for securing their data and applications within the cloud. Security teams must understand their responsibilities and implement appropriate security controls.

Protecting AWS environments is challenging because they consist of multiple services, configurations, and dependencies. Especially in multi-account or multi-region deployments, security teams struggle to gain complete visibility and insights into their AWS assets and enforce security policies effectively. Addressing these challenges requires a combination of technology, processes, and expertise.

  • Security teams need a way to consolidate data into one place to better understand what is happening across the environment and to easily audit log data for AWS security compliance.  
  • Manual processes won’t get the job done quickly and effectively and leave room for human error. To keep pace with the attack surface, security operations centers (SOCs) should leverage automation and orchestration tools to streamline security operations, such as automating security configuration management, incident response, and compliance checks.  

Security teams need to adopt a proactive and holistic approach to security by leveraging best practices, streamlined processes, and trusted security partnerships to safeguard their AWS environments effectively.  

Monitoring CloudTrail and AWS GuardDuty Logs  

A security information and event management (SIEM) platform is a useful solution for security teams to centrally collect and enrich data across the environment, achieve auditing and compliance standards, and better detect, investigate, and respond to cyberthreats.

For AWS security best practices, I will dive into the importance of monitoring AWS CloudTrail and GuardDuty logs and provide examples of how to do so using LogRhythm Axon, a cloud-native SIEM platform.

Monitoring AWS CloudTrail Logs 

AWS CloudTrail records API calls made on your AWS account, capturing details such as who made the request, when it was made, and the IP address from which it originated. 

By logging all API calls, security teams can gain insight into who is accessing AWS resources, what actions they are performing, and where these actions originate from.  

CloudTrail Auditing with LogRhythm Axon 

CloudTrail provides an audit trail of all actions taken within your AWS environment. LogRhythm Axon can ingest these logs to monitor and analyze user activity, resource changes, and security events. This will help your team with: 

  • Forensics and Investigation: When incidents occur, CloudTrail logs help investigators trace back actions, identify the source of security breaches, and understand the context. 
  • Compliance and Governance: CloudTrail logs are essential for compliance audits, ensuring adherence to security policies and regulatory requirements. 

By forwarding CloudTrail logs to LogRhythm Axon, you gain real-time visibility into AWS activities, enabling proactive threat detection and incident response. 

Learn more about logging using CloudTrail here. 

Monitoring AWS GuardDuty Logs 

Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior in your AWS accounts and workloads.

There are several benefits to ingesting GuardDuty logs into a SIEM solution.  

GuardDuty Auditing with LogRhythm Axon 

  • Threat Detection: GuardDuty analyzes network traffic, DNS data, and AWS CloudTrail logs to detect suspicious activities, compromised instances, and potential threats. 
  • Automated Alerts: GuardDuty generates findings based on threat intelligence and anomaly detection. These findings can be ingested by your SIEM for further analysis and alerting. 

By forwarding GuardDuty logs to LogRhythm Axon, you gain real-time visibility into suspicious AWS activities, enabling proactive threat detection and incident response.

Learn more about GuardDuty integrations here. 

How LogRhythm Can Help Protect Your AWS Environment  

LogRhythm Axon provides seamless visualization of AWS data, including CloudTrail threats, GuardDuty events, Kubernetes activities, and more. 

Leverage a Custom AWS Dashboard 

Using the cloud-native SIEM, you can take advantage of an AWS dashboard to quickly understand user actions — such as enabling accounts, deleting nodes, and managing users — enhancing your AWS security posture. 


Figure 1: LogRhythm Axon AWS Dashboard. 

Three AWS Alarm Use Cases 

Let’s explore three AWS alarm use cases that can help you improve AWS security monitoring and bolster your defenses. 

1. AWS GuardDuty Access Denied

When GuardDuty detects an unauthorized or suspicious activity, it generates an event log. In the following example, explore a scenario where Access is Denied and how you can detect this potential threat.  

Log Sample: 

  "eventTime": "2024-04-17T00:50:00.016097Z",
  "eventSource": "",
  "eventName": "EnableOrganizationAdminAccount",  – User Is Attempting to Enable an Admin Account
  "awsRegion": "us-xxxx-x",
  "sourceIPAddress": "x.x.x.x",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36",
  "errorCode": "AccessDenied",
  "errorMessage": "User is not authorized to perform this action.",  – Access is Denied
  "requestParameters": {
   "adminAccountId": "xxxxxxxxxxxx"

You can detect this threat in LogRhythm Axon and have a Case Created to investigate it further. Below is an example of the rule block that will generate an Alarm for this activity. 


Figure 2: Rule for observing GuardDuty logs in LogRhythm Axon. 

Below in Figure 3, you can observe details of what tracking this activity looks like using LogRhythm Axon’s Case Management and Single Screen Investigation workflow. This feature helps you drill down further and shows contextual insights across logs, Observations, security analytics, and raw metadata — all in one view. 


Figure 3: LogRhythm Axon’s Case Management workflow for AWS GuardDuty – Access Denied Alarm.

2. AWS Kubernetes Unauthorized Deletion Attempt 

Unauthorized attempts in Amazon Elastic Kubernetes Service (EKS) can occur when an entity or user tries to access resources without proper authorization. In the example below, explore a scenario that involves an unauthorized attempt and how you can detect it. 

Log Sample: 


  "eventName": "DeleteNodegroup",
  "awsRegion": "us-xxx-x",
  "sourceIPAddress": "x.x.x.x",
  "userAgent": "",
  "errorCode": "UnauthorizedAttempt",  – Unauthorized Attempt error code
  "errorMessage": "User attempted unauthorized deletion of a node group",  – Error Message

Below is an example of the rule block that will generate an Alarm for this activity.


Figure 4: LogRhythm Axon Alarm details for an AWS Unauthorized Attempt.

Security analysts can dive deeper into the Case to investigate this threat. Figure 5 shows key insights into who attempted the unauthorized deletion and the host where the request originated.


Figure 5: LogRhythm Axon’s Single Investigation Workflow for AWS unauthorized attempt. 
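
The two alarm conditions above (AccessDenied on EnableOrganizationAdminAccount and UnauthorizedAttempt on DeleteNodegroup) can also be expressed as a small matcher over JSON-lines records. This is an added example in Python, not LogRhythm Axon rule syntax and not code from the original post; the sample records, ARNs, IP addresses, rule names and the repeat_offenders helper are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample input: one JSON record per line, modelled on the two log
# samples in this post. Every ARN, IP address and timestamp is made up.
SAMPLE_LOG = """\
{"eventTime": "2024-04-17T00:50:00Z", "eventName": "EnableOrganizationAdminAccount", "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"}}
{"eventTime": "2024-04-17T00:51:10Z", "eventName": "EnableOrganizationAdminAccount", "sourceIPAddress": "203.0.113.20", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"}}
{"eventTime": "2024-04-17T00:53:42Z", "eventName": "DeleteNodegroup", "errorCode": "UnauthorizedAttempt", "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"}}
{"eventTime": "2024-04-17T00:55:03Z", "eventName": "DeleteNodegroup", "sourceIPAddress": "203.0.113.20", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"}}
{"eventTime": "2024-04-17T00:56:00Z", "eventName": "DescribeNodegroup", "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"}}
{"eventName": "DeleteNodegroup", "errorCode":
"""

# Rule names are hypothetical; the matched field values come from the post.
RULES = [
    {"alarm": "GuardDuty admin enable denied",
     "match": {"eventName": "EnableOrganizationAdminAccount", "errorCode": "AccessDenied"}},
    {"alarm": "EKS unauthorized node group deletion",
     "match": {"eventName": "DeleteNodegroup", "errorCode": "UnauthorizedAttempt"}},
]


def parse_records(text):
    """Return (records, rejected_count); truncated or non-object lines are counted, not fatal."""
    records, rejected = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rejected += 1
            continue
        if isinstance(rec, dict):
            records.append(rec)
        else:
            rejected += 1
    return records, rejected


def evaluate(records, rules=RULES):
    """Emit one alarm per record/rule pair where every field in the rule matches exactly."""
    alarms = []
    for rec in records:
        for rule in rules:
            # rec.get() yields None for successful calls, which carry no errorCode.
            if all(rec.get(field) == value for field, value in rule["match"].items()):
                identity = rec.get("userIdentity")
                arn = identity.get("arn") if isinstance(identity, dict) else None
                alarms.append({
                    "alarm": rule["alarm"],
                    "event": rec["eventName"],
                    "time": rec.get("eventTime", "unknown"),
                    "principal": arn or "unknown",
                    "source_ip": rec.get("sourceIPAddress", "unknown"),
                })
    return alarms


def repeat_offenders(alarms, threshold=2):
    """Group alarms by (principal, source IP) to surface one actor tripping several rules."""
    counts = Counter((a["principal"], a["source_ip"]) for a in alarms)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs, bad = parse_records(SAMPLE_LOG)
    found = evaluate(recs)
    print(f"{len(recs)} records parsed, {bad} rejected, {len(found)} alarms")
    for alarm in found:
        print(alarm)
    print("repeat offenders:", repeat_offenders(found))
```

Counting rejected lines rather than silently skipping them matters for auditing: a rising reject count usually means the log pipeline is dropping or truncating events that a rule would otherwise have seen.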

3. AWS CloudTrail High-Severity Alerts 

LogRhythm Axon employs seamless and innovative parsing techniques for all ingested events. Specifically, when it comes to AWS CloudTrail logs, we focus on identifying detected threats. These logs are meticulously labeled and assigned threat severities on a scale of 0 to 10. Leveraging this severity information, you can set up alarms to trigger for high-severity CloudTrail alerts. 

Below is an example of formatting AWS CloudTrail logs as well as assigning a Threat Severity.   


Figure 6: Formatting AWS CloudTrail logs in LogRhythm Axon.

You can alarm on this in LogRhythm Axon and have a Case Created. Below is an example of the rule block.  


Figure 7: LogRhythm Axon Alarm that triggers based on threat severity of AWS CloudTrail Logs.

In the Case details below, you can analyze relevant metadata such as the user or host involved.


Figure 8: Investigating a Critical Severity AWS CloudTrail alert in LogRhythm Axon.

Streamline Your AWS Security Monitoring 

In the dynamic landscape of cloud computing, robust AWS security best practices are non-negotiable. By following these best practices, organizations can strengthen the security of their AWS environments and better protect their data, applications, and infrastructure from security threats and vulnerabilities.  

Cybersecurity is a challenging job, and there is a shortage of cybersecurity professionals with expertise in cloud security and AWS. You may face challenges in hiring and retaining skilled personnel to effectively protect AWS environments. 

Integrating LogRhythm Axon into your AWS environment helps you gain the ability to detect threats and visualize all your data in one location for an easier security and compliance experience.  

To learn more about how LogRhythm can improve your AWS security monitoring challenges, request more information.


The post AWS Security Best Practices, Auditing, and Alarm Use Cases appeared first on LogRhythm.

from LogRhythm

Hackers Created Rogue VMs to Evade Detection in Recent MITRE Cyber Attack

May 24, 2024 | Newsroom | Endpoint Security / Threat Intelligence

The MITRE Corporation has revealed that the cyber attack targeting the not-for-profit company towards late December 2023 by exploiting zero-day flaws in Ivanti Connect Secure (ICS) involved the actor creating rogue virtual machines (VMs) within its VMware environment.

"The adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access," MITRE researchers Lex Crumpton and Charles Clancy said.

"They wrote and deployed a JSP web shell (BEEFLUSH) under the vCenter Server's Tomcat server to execute a Python-based tunneling tool, facilitating SSH connections between adversary-created VMs and the ESXi hypervisor infrastructure."

The motive behind such a move is to sidestep detection by obscuring their malicious activities from centralized management interfaces like vCenter and maintain persistent access while reducing the risk of being discovered.

Details of the attack emerged last month when MITRE revealed that the China-nexus threat actor -- tracked by Google-owned Mandiant under the name UNC5221 -- breached its Networked Experimentation, Research, and Virtualization Environment (NERVE) by exploiting two ICS flaws CVE-2023-46805 and CVE-2024-21887.

Upon bypassing multi-factor authentication and gaining an initial foothold, the adversary moved laterally across the network and leveraged a compromised administrator account to take control of the VMware infrastructure to deploy various backdoors and web shells to retain access and harvest credentials.

This consisted of a Golang-based backdoor codenamed BRICKSTORM that was present within the rogue VMs and two web shells referred to as BEEFLUSH and BUSHWALK, allowing UNC5221 to execute arbitrary commands and communicate with command-and-control servers.

"The adversary also used a default VMware account, VPXUSER, to make seven API calls that enumerated a list of mounted and unmounted drives," MITRE said.

"Rogue VMs operate outside the standard management processes and do not adhere to established security policies, making them difficult to detect and manage through the GUI alone. Instead, one needs special tools or techniques to identify and mitigate the risks associated with rogue VMs effectively."

One effective countermeasure against threat actors' stealthy efforts to bypass detection and maintain access is to enable secure boot, which prevents unauthorized modifications by verifying the integrity of the boot process.

The company said it's also making available two PowerShell scripts named Invoke-HiddenVMQuery and VirtualGHOST to help identify and mitigate potential threats within the VMware environment.

"As adversaries continue to evolve their tactics and techniques, it is imperative for organizations to remain vigilant and adaptive in defending against cyber threats," MITRE said.


from The Hacker News

Fake Antivirus Websites Deliver Malware to Android and Windows Devices

May 24, 2024 | Newsroom | Malvertising / Endpoint Security

Threat actors have been observed making use of fake websites masquerading as legitimate antivirus solutions from Avast, Bitdefender, and Malwarebytes to propagate malware capable of stealing sensitive information from Android and Windows devices.

"Hosting malicious software through sites which look legitimate is predatory to general consumers, especially those who look to protect their devices from cyber attacks," Trellix security researcher Gurumoorthi Ramanathan said.

The list of websites is below -

  • avast-securedownload[.]com, which is used to deliver the SpyNote trojan in the form of an Android package file ("Avast.apk") that, once installed, requests intrusive permissions to read SMS messages and call logs, install and delete apps, take screenshots, track location, and even mine cryptocurrency
  • bitdefender-app[.]com, which is used to deliver a ZIP archive file ("") that deploys the Lumma information stealer malware
  • malwarebytes[.]pro, which is used to deliver a RAR archive file ("MBSetup.rar") that deploys the StealC information stealer malware

The cybersecurity firm said it also uncovered a rogue Trellix binary named "AMCoreDat.exe" that serves as a conduit to drop a stealer malware capable of harvesting victim information, including browser data, and exfiltrating it to a remote server.

It's currently not clear how these bogus websites are distributed, but similar campaigns in the past have employed techniques such as malvertising and search engine optimization (SEO) poisoning.

Stealer malware has increasingly become a common threat, with cybercriminals advertising numerous custom variants with varying levels of complexity. This includes new stealers like Acrid, SamsStealer, ScarletStealer, and Waltuhium Grabber, as well as updates to existing ones such as SYS01stealer (aka Album Stealer or S1deload Stealer).

"The fact that new stealers appear every now and then, combined with the fact that their functionality and sophistication varies greatly, indicates that there is a criminal market demand for stealers," Kaspersky said in a recent report.

The development comes as researchers have discovered a new Android banking trojan called Antidot that disguises itself as a Google Play update to facilitate information theft by abusing Android's accessibility and MediaProjection APIs.

"Functionality-wise Antidot is capable of keylogging, overlay attacks, SMS exfiltration, screen captures, credentials theft, device control, and execution of commands received from the attackers," Broadcom-owned Symantec said in a bulletin.


from The Hacker News

The Good, the Bad and the Ugly in Cybersecurity – Week 21

The Good | Leaders of Crypto Investment Scam Arrested & Charged for $73 Million Laundering Scheme

This week, the tables were turned on two alleged cyber ‘pig butcherers’ who could now face time in the iron pen. The DoJ indicted Daren Li (41) and Yicheng Zhang (38) for their alleged roles leading a global syndicate that has laundered over $73 million through cryptocurrency investment scams. Both Li and Zhang are charged with conspiracy to commit money laundering and six counts of international laundering. If convicted, they face 20 years in prison on each count.

Source: Department of Justice

Pig butchering scams involve criminals building up trust with targeted victims via social media and messaging or dating platforms to convince them to invest in fraudulent schemes. After falling for the bait, the criminals then steal their victims’ cryptocurrency, draining the compromised wallets.

According to court documents, Li and Zhang transferred millions of their victims’ cryptocurrency to U.S. bank accounts connected to shell companies. The funds were then moved through various domestic and international accounts and crypto platforms in order to obscure their origins. Communications uncovered during the investigation revealed details on the operations, including commissions, victim information, and interactions with U.S. financial institutions.

In 2023 alone, the U.S. Secret Service recovered more than $1.1 billion from scam operations and the IC3 reported that investment fraud rose from $3.31 billion in 2022 to $4.57 billion last year. As schemes revolving around financial fraud become increasingly common and complex, cyber defenders reiterate the importance of learning how to spot predatory behavior online, staying vigilant with securing digital assets and identities, verifying the legitimacy of brokerages before investing, and reporting suspicions of fraud immediately.

The Bad | Threat Actors Exploit Legitimate Cloud Services to Deliver Malware in Emerging Campaign

In a new attack campaign, popular cloud storage services like Google Drive and Dropbox are being exploited to stage malicious payloads. Dubbed “CLOUD#REVERSER”, security researchers this week broke down how the campaign uses VBScript and PowerShell to perform command and control-like (C2) activities within the storage platforms to manage file uploads and downloads.

Attacks begin with a phishing email containing a ZIP archive file that includes an executable disguised as a Microsoft Excel file. This is done by using the hidden right-to-left override (RLO) Unicode character (U+202E) so that the order of the characters that follow it in the string is reversed when displayed. In this case, the victims receiving the email would see the file name RFQ-101432620247fl*U+202E*xslx.exe as RFQ-101432620247flexe.xlsx and open the file thinking it is a legitimate Excel spreadsheet. This is not a new trick, but it is less commonly seen in 2024.
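
A mail gateway or triage script can catch this by comparing the extension the operating system will act on with the one a user sees. The following Python sketch is an added example, not code from the original report: it models only the RLO/PDF reversal described above rather than the full Unicode bidirectional algorithm, and the function names and the list of executable extensions are assumptions made for illustration.

```python
"""Flag file names that use Unicode bidirectional controls to hide their real extension."""

RLO, PDF = "\u202e", "\u202c"

# Invisible direction controls defined by Unicode, keyed to their short names.
BIDI_CONTROLS = {
    "\u200e": "LRM", "\u200f": "RLM",
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Illustrative subset of extensions Windows will execute or interpret (assumption).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "lnk", "msi", "ps1"}

# File name from the report, with the RLO code point written out explicitly.
SAMPLE_NAME = "RFQ-101432620247fl\u202exslx.exe"


def extension(name):
    """Extension in logical (stored) order, which is what the OS acts on."""
    base, dot, ext = name.rpartition(".")
    return ext.lower() if dot and base else ""


def displayed_name(name):
    """Simplified rendering: text after RLO is shown reversed until PDF or end of string.

    Other direction controls are dropped because they are invisible on screen.
    """
    out, run = [], None
    for ch in name:
        if ch == RLO:
            if run is None:
                run = []          # start of an overridden run; nested RLO is ignored
        elif ch == PDF and run is not None:
            out.extend(reversed(run))
            run = None
        elif ch in BIDI_CONTROLS:
            continue
        elif run is not None:
            run.append(ch)
        else:
            out.append(ch)
    if run is not None:           # override never closed: runs to end of string
        out.extend(reversed(run))
    return "".join(out)


def inspect_filename(name):
    """Return the controls found, both extensions, and a verdict for triage."""
    controls = [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]
    shown = displayed_name(name)
    real_ext, shown_ext = extension(name), extension(shown)
    if not controls:
        verdict = "clean"
    elif real_ext in EXECUTABLE_EXTS and shown_ext != real_ext:
        verdict = "spoofed-extension"   # user sees one type, OS runs another
    else:
        verdict = "bidi-control"        # unusual in an attachment name; review
    return {
        "controls": controls,
        "displayed": shown,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for candidate in (SAMPLE_NAME, "report.xlsx", "notes\u200f.txt"):
        print(repr(candidate), inspect_filename(candidate))
```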

Executing this file drops a total of eight payloads, one of which includes a decoy Excel file and an obfuscated VBScript that displays the .xlsx file to continue the deception. From there, a series of additional scripts allow the threat actor to establish persistence on the system, connect to the actor-controlled Google Drive and Dropbox accounts, fetch files from the storage services, and maintain connection to the actor’s command and control (C2) server.

CLOUD#REVERSER Stage 1 (VirusTotal)

These developing attacks highlight the trend of threat actors abusing SaaS platforms to deliver malicious payloads under the guise of legitimate network traffic. By embedding multi-stage downloaders that run code within widely-used cloud platforms, the threat actors can ensure they have persistent access for data exfiltration while keeping a low profile.


The Ugly | Military & Government Orgs Repeatedly Targeted by New PRC-Linked Threat Actor Over 6 Years

Details on a previously undocumented threat group called “Unfading Sea Haze” emerged this week when cybersecurity researchers reported on a series of attacks across countries bordering the South China Sea. So far, eight high-level organizations in critical sectors have been repeatedly targeted over the last six years, with the attackers exploiting poor credential hygiene and unpatched devices and web services in particular.

Unfading Sea Haze is currently not linked to any known APT group, but appears to share similar goals, techniques, geopolitical victimology, and choice of tools known to be associated with Chinese-speaking threat actors. This includes the use of Gh0st RAT malware and running a tool called SharpJHandler, often employed by PRC-based APT41.

So far, Unfading Sea Haze has been observed sending spear phishing emails containing Windows shortcut (LNK) files. When launched, these files execute commands to retrieve the next-stage payload, a backdoor called “SerialPktdoor”, which then runs PowerShell scripts and manages files remotely. Also characteristic of Unfading Sea Haze attacks is the use of the Microsoft Build Engine (MSBuild) to execute files filelessly and minimize the risk of detection, and of scheduled tasks to load a malicious DLL and establish persistence.

Other tools in the group’s arsenal include “Ps2dllLoader”, a keylogger called “xkeylog”, a web browser data stealer, a monitoring tool keyed to the presence of portable devices, and a custom data exfiltration program named “DustyExfilTool”. The widely varied and complex toolkit points to a certain level of sophistication. Researchers note that the combination of both custom and commercial tools is indicative of a cyber espionage campaign, aimed at gathering sensitive information from military and government entities.

Organizations can mitigate the risks threat groups like Unfading Sea Haze pose with the SentinelOne Singularity platform.

Good security hygiene such as timely patch management, strong authentication methods, and secure credentials is also highly recommended.

from SentinelOne

How Do Hackers Blend In So Well? Learn Their Tricks in This Expert Webinar

May 24, 2024 | The Hacker News | Cybersecurity Webinar

Don't be fooled into thinking that cyber threats are only a problem for large organizations. The truth is that cybercriminals are increasingly targeting smaller businesses, and they're getting smarter every day.

Join our FREE webinar "Navigating the SMB Threat Landscape: Key Insights from Huntress' Threat Report," in which Jamie Levy — Director of Adversary Tactics at Huntress, a renowned cybersecurity expert with extensive experience in combating cyber threats — breaks down the latest cyber threats to SMBs like yours and explains what you can do about them.

Here's a sneak peek of what you'll learn:

  1. Attackers are Blending In: Cyber attackers are getting smarter. They are increasingly using legitimate tools to disguise their activities, making it harder for traditional security measures to detect them. Learn how these techniques work and what you can do to detect these hidden threats.
  2. Ransomware on the Rise: Following the takedown of Qakbot, there has been a significant increase in ransomware attacks. New groups are emerging and aggressively fighting for dominance. Find out about the latest findings on these new threats and learn about strategies to protect your company.
  3. New Industries in the Crosshairs: Cyber threats are no longer just targeting large companies. Healthcare and manufacturing face unique challenges, from specialized ransomware attacks to business email compromise. Learn about these industry-specific threats and how to protect against them.

This webinar is a must for all SMEs looking to improve their cyber security. If you attend, you gain:

  • Critical Knowledge: Equip your team with the latest information on emerging threats and effective defense strategies.
  • Expert Insights: Learn from one of the top experts in the field and get answers to your pressing cybersecurity questions.
  • Actionable Strategies: Take away practical steps you can implement immediately to protect your organization.

Don't miss this opportunity to stay one step ahead of cyber threats. Click here to register for the webinar and secure your seat today!

This article is a contributed piece from one of our valued partners.

from The Hacker News

DevOps Dilemma: How Can CISOs Regain Control in the Age of Speed?


The infamous Colonial pipeline ransomware attack (2021) and SolarWinds supply chain attack (2020) were more than data leaks; they were seismic shifts in cybersecurity. These attacks exposed a critical challenge for Chief Information Security Officers (CISOs): holding their ground while maintaining control over cloud security in the accelerating world of DevOps. The problem was emphasized by the Capital One data breach (2019), Epsilon data breach (2019), Magecart compromises (ongoing), and MongoDB breaches (2023-), where hackers exploited a misconfigured AWS S3 bucket. Strong collaboration between CISOs and DevOps teams on proper cloud security configurations could have prevented the breaches.

More than the fight against hackers and the consequences of their attacks, several important problems stand out: the evolution of the CISO's role and responsibilities, the challenge of improving cloud security, and how security operations teams collaborate with business units in the frenzy of digital transformation.

Observing SecOps vs. DevOps conflicts within organizations of different types, we'll try to navigate a complex landscape of cybersecurity leadership, particularly their dynamic relationship with the Chief Technology Officer (CTO). As the role of CISO becomes more important than ever, we will focus on further empowering CISOs to become influential voices in decision-making, ensuring security is taking its rightful place in DevOps practices.

We will also suggest some ways for CISOs to communicate with IT leadership, in order to educate and increase awareness of pressing security matters. Ultimately, only strong partnerships between CISOs, DevOps teams, and IT management can improve development processes that fuel innovation without compromising security.

The stakes for a CISO are higher than ever

Imagine a race car speeding down the development track. The CTO, at the wheel, pushes for breakneck innovation. But in the backseat, the CISO sweats, gripping the metaphorical handbrake of security. This is the ever-present dilemma for CISOs in the age of DevOps: maintaining control over security in a lightning-fast development environment.

We can agree that previously, security often came as an afterthought, bolted onto applications long after they were built. DevOps, while promoting agility, can introduce vulnerabilities if security isn't taken care of from the start. Successful development teams focused on speed might unintentionally introduce security gaps. Legacy security approaches, reliant on manual processes and limited resources, simply can't keep up with the breakneck pace of DevOps.


One modern view of IT management places the CTO at the forefront of tech-related business concerns, including moving all the infrastructure to the cloud, while the CISO focuses on security, and securing the cloud becomes one of the top priorities. The pace of change and the completely new architecture, in the case of the cloud, present new challenges for CISOs who face a constantly changing environment. It's important for CISOs to adapt their communication style to effectively collaborate with CTOs who are increasingly focused on bringing innovations and driving business growth.

Real-world consequences for CISO

The Securities and Exchange Commission (SEC) filing alleges that SolarWinds failed to disclose adequate material information to investors regarding cybersecurity risks. The filing states that the company and its CISO Timothy Brown only disclosed generic and hypothetical risks despite internal knowledge of specific deficiencies in SolarWinds' cybersecurity practices and a heightened threat possibility.

The most infamous cases that everyone should be aware of, SolarWinds and Uber breaches, weren't just data breaches. They were wake-up calls. Legal repercussions for security failures are a growing concern, with the SEC mandating public companies to disclose incidents within four days and requiring detailed security plans. This puts immense pressure on CISOs like Joe Sullivan (Uber's former Chief Security Officer) and Timothy G. Brown (SolarWinds' former CISO), who could face criminal charges for failing to implement adequate safeguards.

These incidents underscore the delicate balancing act that CISOs face in the age of DevOps. DevOps methodologies prioritize speed and agility, which can be at odds with the need for rigorous security practices. Can CISOs navigate this tightrope more effectively while still ensuring innovation doesn't come at the expense of security?

CISO needs to bridge the gap

In the early days of DevOps, CISOs often felt like passengers without seatbelts in a new, fast-paced world, where speed reigned supreme and security lagged behind. Promoting security practices without impacting development velocity can be challenging. The CISO's influence empowers them to collaborate effectively with DevOps teams and ensure security is not an afterthought.

Here are the top activities that a CISO can engage in to bridge the gap:

  1. Engage external authority - like auditors: Partnering with reputable security firms and making them your allies provides expertise and hard evidence to support your concerns. These independent assessments can not just identify vulnerabilities - but provide proof of potential risks and evidence that the business could be taken down.
  2. Practical tests via Red Teaming Exercises: Red teaming exercises are like security fire drills. By giving a pentester team carte blanche to complete the mission, these exercises showcase the potential impact of a breach on the organization. Seeing sensitive financial data compromised, or all wallpapers in an organization changed via one GPO or Terraform access, can be a powerful wake-up call for the CTO and development teams, highlighting the importance of robust security measures.
  3. Implement regular vulnerability scans and continuous external attack surface monitoring for the entire perimeter: Professional assessments of cloud environments (AWS, Azure, etc.) uncover security misconfigurations that could leave the organization vulnerable. These assessments provide concrete data that can be used to influence decisions around security investments and DevSecOps practices.
  4. Bring your C-suite together to define clear roles and responsibilities for a simulated incident response exercise, fostering a collaborative environment where everyone works together to resolve a worst-case scenario. This will not only strengthen your defenses but also earn you the loyalty of the C-suite: Tabletop exercises for breach crises are a great tool for identifying gaps in communication or awareness of emergency procedures in case of a breach. As part of the tabletop exercise, use the opportunity to review responsibilities and communications and utilize the RACI matrix as a tool to define how to improve communications across CISO/CTO/CIO and other executive functions for security matters.
  5. Legal team as your best friends: Understand how compliance and regulation are evolving so that you can help shape a security strategy that minimizes future risk exposure. Lawyers always welcome new friends.
  6. Strengthen your security posture: By partnering with an MDR provider, you gain a valuable ally in the fight against cyber threats. They can handle the day-to-day tasks and provide specialized knowledge when needed, allowing your in-house team to focus on high-level security strategies with peace of mind.

Performed regularly, these activities will demonstrate how security can proactively reduce risk, building the credibility of the CISO and the team he engages to build a bridge between security and development. These activities drive collaboration and information sharing so that as teams work together, they will begin to share responsibility for keeping things secure. So, instead of feeling like a passenger, the CISO becomes a proactive partner, ensuring security is considered from the beginning, allowing innovation to thrive on a safe foundation within the IT department.

How a CISO can amplify their voice in the DevOps conversation

When CISOs can't amplify their voice, the consequences can be dire. Inadequate security practices expose the organization to legal and regulatory risks. More importantly, they leave the door open for costly breaches, as happened with SolarWinds, that stifle innovation and erode customer trust.

  1. Security leadership often requires bridging the gap between technical details and broader business objectives. Training programs focused on clear communication and negotiation could empower the CISO to collaborate more effectively with colleagues and secure crucial resources for the security team. Security assessments, industry reports, and real-world breach examples can quantify the potential financial impact of security failures, making the conversation about risk mitigation a compelling business discussion.
  2. By demonstrating how robust security practices can enhance innovation, improve customers' trust, and ultimately drive business growth, CISOs can find common ground with CTOs who prioritize agility and efficiency. Aligning security recommendations with the CTO's existing goals, such as faster development cycles, fosters a win-win situation. Here, CISOs can leverage their understanding of the cloud environment by equipping themselves with specialized AWS cloud training courses. This not only strengthens their technical expertise but also allows them to speak the same language as their DevOps counterparts, facilitating smoother collaboration on secure and efficient cloud deployments.
  3. Open communication and trust are the cornerstones of effective collaboration. Regularly discussing security implications throughout the development lifecycle, not just as a last-minute hurdle, allows CISOs to address concerns and prevent potential roadblocks in time. So, speaking the CTO's language is key in this role.
  4. Managed Detection and Response (MDR) goes beyond just being a security tool. It acts as an amplifier for the CISO's voice within the DevOps conversation. The breakneck pace of DevOps can leave even the most skilled CISOs feeling like they're constantly playing catch-up. Security teams are stretched thin, struggling to monitor complex environments, detect sophisticated threats, and keep pace with the ever-evolving threat landscape. This is where MDR by UnderDefense emerges as a powerful force multiplier for CISOs in the DevOps environment.

Here's how MDR empowers CISOs to influence secure development:

  • 24/7 Watch Compliance and Proactive Threat Detection: MDR services provide continuous monitoring and advanced threat intelligence, allowing CISOs to proactively address security concerns before they become problems. This frees security teams to focus on strategic initiatives and fosters a collaborative environment where security is preventative, not reactive.
  • Early Warning System for Security Gaps: MDR goes beyond traditional monitoring by detecting anomalies in access patterns, user behavior, and system configurations. This allows for identifying potential insider threats or misconfigurations introduced by DevOps teams. By providing real-time alerts of potential security risks, CISOs can work with development teams to address them before they become exploitable vulnerabilities.

Assessments, tabletop exercises, and the ability to bring in outside experts, such as an MDR team, will highlight any communication gaps within the organization. Deciding what needs to be communicated and escalated to whom is extremely important to utilize resources effectively and raise visibility to important security concerns. Identifying the key categories of concern and who needs to be informed and involved is key to successful security operations and a successful business. Reviewing and formalizing communications can save time during an emergency such as a breach.

The RACI matrix is just one example, highlighting the importance of establishing clear communication models within DevOps. By implementing such models and integrating them into security policies, CISOs can gain significant leverage, ensuring security is woven into the fabric of DevOps, not bolted on as an afterthought.

Finally, the matrix emphasizes a crucial aspect of a CISO's role: establishing strong support by the Board. This alignment is essential for establishing security as a strategic priority and securing the resources needed for a robust security posture.

A strong security team is still essential

The fast pace of DevOps can leave even the most skilled CISOs struggling to keep pace with threats. MDR empowers CISOs to transition from reactive firefighting to proactive threat hunting. Instead of patching vulnerabilities after a breach, MDR helps identify and remediate them before they can be exploited. This proactive approach minimizes security risks and fosters a culture of "security by design" within the DevOps pipeline.

While MDR adds significant value, it doesn't replace a strong internal security team. Security professionals remain vital for:

  • Maintaining Situational Awareness: The security team interprets data and alerts generated by MDR, providing context and prioritizing threats.
  • Responding to Incidents: Security personnel with deep incident response expertise are crucial for effectively containing and remediating security breaches.
  • Managing Security Requirements: The security team ensures that security requirements are integrated into the DevSecOps pipeline, fostering a culture of "security by design."

We've also prepared the most comprehensive MDR Buyer's Guide by UnderDefense for your attention, which equips you to choose the perfect MDR partner, safeguarding your data and business operations. It provides vendor-agnostic expert insights to help you make informed decisions.

The main takeaway: collaboration is key

While the CISO's influence engine equips them with powerful tools, security remains a collaborative effort. Building bridges with the CTO and fostering open communication with development teams are the cornerstones of a truly secure DevOps environment. By wielding their influence effectively and collaborating across departments, CISOs can ensure security becomes an integral part of the DevOps process, enabling innovation to flourish without sacrificing safety on the security highway.

The breakneck pace of DevOps can create a security dilemma – a speed bump on the security highway. Here, the CISO plays a critical role as an architect, not an enforcer. Their expanding influence engine equips them with the tools to navigate this complex landscape. Security assessments, red teaming exercises, and collaboration with security consultants empower CISOs to advocate for robust security measures without hindering innovation.

However, the true game-changer in this scenario is MDR. It acts as a force multiplier for the CISO within the DevOps conversation. By providing 24/7 monitoring, proactive threat detection, and early warnings of security gaps, MDR empowers CISOs to shift from reactive firefighting to proactive threat hunting. This not only safeguards the organization but also fosters a culture of "security by design" within the DevOps pipeline.

In essence, the solution to the DevOps dilemma lies in a powerful combination: the evolving role of the CISO, wielding an expanded influence engine, and the force-multiplying capabilities of MDR. UnderDefense offers a cutting-edge MDR solution that gives real-time visibility into your security posture, equipping you to proactively detect and respond to security incidents and ultimately safeguarding your organization.

By embracing collaboration and leveraging these tools, CISOs can ensure security seamlessly integrates with DevOps, enabling innovation to speed down the highway without encountering security roadblocks.

This article is a contributed piece from one of our valued partners.

from The Hacker News

Google Detects 4th Chrome Zero-Day in May Actively Under Attack - Update ASAP

May 24, 2024 | Newsroom | Vulnerability / Browser Security

Google on Thursday rolled out fixes to address a high-severity security flaw in its Chrome browser that it said has been exploited in the wild.

Assigned the CVE identifier CVE-2024-5274, the vulnerability relates to a type confusion bug in the V8 JavaScript and WebAssembly engine. It was reported by Clément Lecigne of Google's Threat Analysis Group and Brendon Tiszka of Chrome Security on May 20, 2024.

Type confusion vulnerabilities occur when a program attempts to access a resource with an incompatible type. They can have serious consequences, as they allow threat actors to perform out-of-bounds memory access, cause a crash, and execute arbitrary code.

The development marks the fourth zero-day that Google has patched since the start of the month after CVE-2024-4671, CVE-2024-4761, and CVE-2024-4947.

The tech giant did not disclose additional technical details about the flaw, but acknowledged that it "is aware that an exploit for CVE-2024-5274 exists in the wild." It's not clear if the shortcoming is a patch bypass for CVE-2024-4947, which is also a type confusion bug in V8.

With the latest fix, Google has resolved a total of eight zero-days in Chrome since the start of the year.

Users are recommended to upgrade to Chrome version 125.0.6422.112/.113 for Windows and macOS, and version 125.0.6422.112 for Linux to mitigate potential threats.

Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.
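A fleet check against the fixed builds named above, as an added example (not from the article or from Google). The inventory rows, host names and status labels are constructed for illustration; versions are compared numerically because a plain string comparison ranks 125.0.6422.76 above 125.0.6422.112.

```python
from typing import NamedTuple, Optional, Tuple

# Minimum fixed Chrome build per platform, as stated in the article.
# Windows and macOS also ship .113; .112 is the lowest fixed build.
FIXED_CHROME = {
    "windows": (125, 0, 6422, 112),
    "macos": (125, 0, 6422, 112),
    "linux": (125, 0, 6422, 112),
}


class Install(NamedTuple):
    host: str
    platform: str
    browser: str
    version: str


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn 'a.b.c.d' into a tuple of ints; None if the string is malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def assess(install: Install) -> str:
    """Classify one install. Status labels are this example's own."""
    if install.browser.lower() != "chrome":
        # The article gives no fixed builds for other Chromium-based
        # browsers, so they are routed to a manual vendor check.
        return "check-vendor"
    fixed = FIXED_CHROME.get(install.platform.lower())
    version = parse_version(install.version)
    if fixed is None or version is None:
        return "unknown"
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory):
    """Map each host to its status."""
    return {item.host: assess(item) for item in inventory}


# Constructed sample inventory (hosts and non-Chrome versions are made up).
SAMPLE_INVENTORY = [
    Install("ws-01", "windows", "Chrome", "125.0.6422.113"),
    Install("ws-02", "windows", "Chrome", "125.0.6422.76"),
    Install("mac-01", "macos", "Chrome", "124.0.6367.207"),
    Install("lin-01", "linux", "Chrome", "125.0.6422.112"),
    Install("ws-03", "windows", "Edge", "125.0.2535.51"),
    Install("ws-04", "windows", "Chrome", "not-reported"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```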

from The Hacker News

Thursday, May 23, 2024

Announcing Docker Desktop Support for Windows on Arm: New AI Innovation Opportunities

Docker Desktop now supports running on Windows on Arm (WoA) devices. This exciting development was unveiled during Microsoft’s “Introducing the Next Generation of Windows on Arm” session at Microsoft Build. Docker CTO, Justin Cormack, highlighted how this strategic move will empower developers with even more rapid development capabilities, leveraging Docker Desktop on Arm-powered Windows devices.

The Windows on Arm platform is redefining performance and user experience for applications. With this integration, Docker Desktop extends its reach to a new wave of hardware architectures, broadening the horizons for containerized application development.

Justin Cormack announcing Docker Desktop support for Windows on Arm devices with Microsoft Principal TPM Manager Jamshed Damkewala in the Microsoft Build session "Introducing the next generation of Windows on Arm." 

Docker Desktop support for Windows on Arm

Read on to learn why Docker Desktop support for Windows on Arm is a game changer for developers and organizations.

Broader accessibility

By supporting Arm devices, Docker Desktop becomes accessible to a wider audience, including users of popular Arm-based devices like the Microsoft devices. This inclusivity fosters a larger, more diverse Docker community, enabling more developers to harness the power of containerization on their preferred devices.

Enhanced developer experience

Developers can seamlessly work on the newest Windows on Arm devices, streamlining the development process and boosting productivity. Docker Desktop’s consistent, cross-platform experience ensures that development workflows remain smooth and efficient, regardless of the underlying hardware architecture.

Future-proofing development

As the tech industry gradually shifts toward Arm architecture for its efficiency and lower power consumption, Docker Desktop’s support for WoA devices ensures we remain at the forefront of innovation. This move future-proofs Docker Desktop, keeping it relevant and competitive as this transition accelerates.

Innovation and experimentation

With Docker Desktop on a new architecture, developers and organizations have more opportunities to innovate and experiment. Whether designing applications for traditional x64 or the emerging Arm ecosystems, Docker Desktop offers a versatile platform for creative exploration.

Market expansion

Furthering compatibility in the Windows Arm space opens new markets and opportunities for Docker, including new relationships with device manufacturers and increased adoption in sectors prioritizing energy efficiency and portability while supporting Docker’s users and customers in leveraging the dev environments that support their goals.

Accelerating developer innovation with Microsoft’s investment in WoA dev tooling

Windows on Arm is arguably as successful as it has ever been. Today, multiple Arm-powered Windows laptops and tablets are available, capable of running nearly the entire range of Windows apps thanks to x86-to-Arm code translation. While Windows on Arm still represents a small fraction of the entire Windows ecosystem, the development of native Arm apps provides a wealth of fresh opportunities for AI innovation.

Microsoft’s investments align with Docker’s strategic goals of cross-platform compatibility and user-centric development, ensuring Docker remains at the forefront of containerization technologies in a diversifying hardware landscape.

Expand your development landscape with Docker Desktop on Windows Arm devices. Update to Docker Desktop 4.31 or consider upgrading to Pro or Business subscriptions to unlock the full potential of cross-platform containerization. Embrace the future of development with Docker, where innovation, efficiency, and cross-platform compatibility drive progress.

from Docker

3 new ways to use Google AI on Android at work

Learn how new Google AI on Android features can boost employee productivity, help developers to build smarter tools and improve business workflows.

from AI

New Frontiers, Old Tactics: Chinese Espionage Group Targets Africa & Caribbean Govts

The China-linked threat actor known as Sharp Panda has expanded their targeting to include governmental organizations in Africa and the Caribbean as part of an ongoing cyber espionage campaign.

"The campaign adopts Cobalt Strike Beacon as the payload, enabling backdoor functionalities like C2 communication and command execution while minimizing the exposure of their custom tools," Check Point said in a report shared with The Hacker News. "This refined approach suggests a deeper understanding of their targets."

The Israeli cybersecurity firm is tracking the activity under a new name Sharp Dragon, describing the adversary as careful in its targeting, while at the same time broadening its reconnaissance efforts.

The adversary first came to light in June 2021, when it was detected targeting a Southeast Asian government to deploy a backdoor on Windows systems dubbed VictoryDLL.

Subsequent attacks mounted by Sharp Dragon have set their sights on high-profile government entities in Southeast Asia to deliver the Soul modular malware framework, which is then used to receive additional components from an actor-controlled server to facilitate information gathering.

Evidence suggests the Soul backdoor has been in the works since October 2017, adopting features from Gh0st RAT – malware commonly associated with a diverse range of Chinese threat actors – and other publicly available tools.

Another set of attacks attributed to the threat actors has targeted high-level government officials from G20 nations as recently as June 2023, indicating continued focus on governmental bodies for information gathering.

Key to Sharp Panda's operations is the exploitation of 1-day security flaws (e.g., CVE-2023-0669) to infiltrate infrastructure for later use as command-and-control (C2) servers. Another notable aspect is the use of the legitimate adversary simulation framework Cobalt Strike over custom backdoors.

What's more, the latest set of attacks aimed at governments in Africa and the Caribbean demonstrates an expansion of their original attack goals, with the modus operandi involving the use of compromised high-profile email accounts in Southeast Asia to send out phishing emails to infect new targets in the two regions.

These messages bear malicious attachments that leverage the Royal Road Rich Text Format (RTF) weaponizer to drop a downloader named 5.t that's responsible for conducting reconnaissance and launching Cobalt Strike, allowing the attackers to gather information about the target environment.

The use of Cobalt Strike as a backdoor not only minimizes the exposure of custom tools but also suggests a "refined approach to target assessment," Check Point added.

In a sign that the threat actor is continuously refining its tactics, recent attack sequences have been observed using executables disguised as documents to kick off the infection, as opposed to relying on a Word document utilizing a remote template to download an RTF file weaponized with Royal Road.
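A mail-gateway style check for the two delivery forms described above (executables presented as documents, and RTF content behind a Word file), as an added example that is not from Check Point's report. The article does not say how the executables were disguised, so the name checks cover common disguises in general; file names, byte strings and finding labels are constructed.

```python
import os

DOC_EXTS = {".doc", ".docx", ".rtf", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx"}
EXE_EXTS = {".exe", ".scr", ".com", ".pif"}
RTL_OVERRIDE = "\u202e"  # reverses the displayed order of the characters after it


def sniff(data: bytes) -> str:
    """Identify content by its leading magic bytes, ignoring the file name."""
    if data[:2] == b"MZ":
        return "pe"    # Windows executable
    if data[:5].lower() == b"{\\rtf":
        return "rtf"
    if data[:4] == b"PK\x03\x04":
        return "zip"   # container used by .docx/.xlsx/.pptx
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole"   # legacy .doc/.xls/.ppt
    if data[:5] == b"%PDF-":
        return "pdf"
    return "other"


def check_attachment(name: str, data: bytes) -> list:
    """Return findings where the name and the content disagree."""
    findings = []
    if RTL_OVERRIDE in name:
        findings.append("rtl-override-in-name")
    stem, ext = os.path.splitext(name.lower())
    inner_ext = os.path.splitext(stem.rstrip())[1]
    kind = sniff(data)
    if ext in EXE_EXTS and inner_ext in DOC_EXTS:
        findings.append("double-extension")
    if kind == "pe" and ext in DOC_EXTS:
        findings.append("pe-content-with-document-extension")
    if kind == "rtf" and ext in DOC_EXTS and ext != ".rtf":
        # Worth a closer look rather than an automatic block: some
        # legitimate tools also write RTF under a .doc name.
        findings.append("rtf-content-under-other-extension")
    return findings


# Constructed samples: only the first bytes matter to the check.
SAMPLES = [
    ("agenda.docx", b"PK\x03\x04\x14\x00"),
    ("meeting_notes.pdf.exe", b"MZ\x90\x00"),
    ("budget.doc", b"MZ\x90\x00"),
    ("circular.doc", b"{\\rtf1\\ansi"),
    ("memo.rtf", b"{\\rtf1\\ansi"),
    ("invoice\u202excod.exe", b"MZ\x90\x00"),  # displays as "invoiceexe.docx"
]


def scan(samples):
    """Return only the attachments that produced findings."""
    results = {}
    for name, data in samples:
        findings = check_attachment(name, data)
        if findings:
            results[name] = findings
    return results


if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(repr(name), findings)
```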

"Sharp Dragon's strategic expansion towards Africa and the Caribbean signifies a broader effort by Chinese cyber actors to enhance their presence and influence in these regions."

The findings come the same day Palo Alto Networks uncovered details of a campaign codenamed Operation Diplomatic Specter that has been targeting diplomatic missions and governments in the Middle East, Africa, and Asia since at least late 2022. The attacks have been linked to a Chinese threat actor dubbed TGR-STA-0043 (formerly CL-STA-0043).

The shift in Sharp Dragon's activities towards Africa is part of larger efforts made by China to extend its influence throughout the continent.

"These attacks conspicuously align with China's broader soft power and technological agenda in the region, focusing on critical areas such as the telecommunication sector, financial institutions, and governmental bodies," SentinelOne security researcher Tom Hegel previously noted in September 2023.

The development also follows a report from Google-owned Mandiant that highlighted China's use of proxy networks referred to as operational relay box networks (ORBs) to obscure their origins when carrying out espionage operations and achieve higher success rates in gaining and maintaining access to high-value networks.

"Building networks of compromised devices allows ORB network administrators to easily grow the size of their ORB network with little effort and create a constantly evolving mesh network that can be used to conceal espionage operations," Mandiant researcher Michael Raggi said.

One such network ORB3 (aka SPACEHOP) is said to have been leveraged by multiple China-nexus threat actors, including APT5 and APT15, while another network named FLORAHOX – which comprises devices recruited by the router implant FLOWERWATER – has been put to use by APT31.

"Use of ORB networks to proxy traffic in a compromised network is not a new tactic, nor is it unique to China-nexus cyber espionage actors," Raggi said. "We have tracked China-nexus cyber espionage using these tactics as part of a broader evolution toward more purposeful, stealthy, and effective operations."

from The Hacker News