Aggregator

申请截止时间（2024年8月31日）之前填写并提交《申请书》电子版

我们距离能做「慢思考」的 AI，还有多远。

SpaceX 要在澳大利亚回收星舰，涉及美国出口管制；微软敦促美国国会打击 AI 深度伪造行为；META 发布开源模型 Meta SAM 2

文章底部有福利！

Multifactor authentication (MFA) has formally been around for more than two decades, gaining the most...

The post Is Your MFA Broken? appeared first on Axiad.

The post Is Your MFA Broken? appeared first on Security Boulevard.

Ransomware has been a daunting threat to organizations worldwide for decades. Recent trends show that ransomware attacks continue to grow more advanced and persistent. It’s become increasingly clear that no one is spared as cybercriminals carry out attacks that even target the children of corporate executives to force ransom payments. Despite the high-profile takedowns of criminal ransomware networks in “Operation Endgame” and “Operation Duck Hunt,” the most notorious ransomware groups remain tenacious, quickly regrouping after disruptions and aggressively launching new attacks.

The Zscaler ThreatLabz team has just released its latest research on this critical ransomware threat landscape in the ThreatLabz 2024 Ransomware Report, shedding light on new data and trends. ThreatLabz analyzed 4.4 million ransomware attacks blocked by the Zscaler cloud, amounting to a 17.8% year-over-year increase, and conducted extensive analysis of ransomware samples and attack data. The report offers valuable insights into primary attack targets, the most dangerous ransomware families, and the evolving tactics and demands of ransomware threat actors. Most shockingly, it reveals that ThreatLabz uncovered a record-breaking USD$75 million ransom payment.This blog post will summarize select findings from the report. For a comprehensive understanding of the ransomware landscape and how to strengthen your organization’s defenses against this pervasive threat, download the Zscaler ThreatLabz 2024 Ransomware Report.

5 key ransomware findingsThe ThreatLabz team tracks ransomware activity extensively to identify and understand how these threats are evolving. The following subset of findings highlight some of the most prominent trends and targets.

Top ransomware trends1. The number of extorted companies based on analysis of malicious data leak sites grew by 57.8% year-over-year, despite law enforcement actions that include criminal arrests, indictments, and seized infrastructure. The report breaks down the most significant law enforcement operations against ransomware groups and initial access brokers over the past year.

2. The use of voice-based social engineering to gain entry into networks is on the rise—a technique made popular by Scattered Spider and the Qakbot threat group.

3. The exploitation of vulnerabilities continues to be a prevalent attack vector for ransomware, emphasizing the critical need for measures like prompt patching and unified vulnerability management, reinforced by a zero trust architecture.

Top ransomware targets4. The manufacturing, healthcare, and technology sectors were the top targets of ransomware attacks between April 2023 and April 2024, while the energy sector experienced a 527.27% year-over-year spike.

5. The United States, United Kingdom, Germany, Canada, and France were the top five countries targeted by ransomware in the same time period.

Delve into these findings and more data in the full report.

$75M ransom payment uncoveredThreatLabz identified 19 new ransomware families this year, increasing the total number tracked to 391 over the past decade, as cataloged in the ThreatLabz GitHub repository.

With new and emerging ransomware groups come new and ever-evolving methods to maximize their operational impact and financial gains. This was evidenced by the record-breaking $75 million ransom payment uncovered by ThreatLabz. The report discloses the threat group behind this unprecedented payment—also named by ThreatLabz as one of the top five ransomware families that will be a big threat to businesses in the year ahead. Learn about their strategic approach and why ThreatLabz predicts similar strategies will gain traction among other threat actors.The report also shares comprehensive insights into the tactics, potential impacts, and recent activities of other ransomware families that ThreatLabz has identified as high-risk and noteworthy for 2024-2025.

Stopping ransomware starts with zero trustThe growing volume and cost of ransomware attacks found in this year’s report is a stark reminder that organizations must prioritize robust ransomware defenses. The Zscaler Zero Trust Exchange™ platform addresses this challenge by offering a holistic approach to stopping ransomware.The Zscaler ThreatLabz 2024 Ransomware Report provides essential guidance to this end, including:

Fighting AI with AI: Learn about Zscaler’s AI-powered cyberthreat protection capabilities needed to combat AI-driven threats.
Zero trust architecture advantages: Learn how the Zero Trust Exchange stops ransomware at every stage of the attack cycle:
Minimize the attack surface: By replacing exploitable VPN and firewall architectures with a zero trust architecture, it hides users, applications, and devices behind a cloud proxy, making them invisible and undiscoverable from the internet.
Prevent compromise: The platform uses TLS/SSL inspection, browser isolation, advanced sandboxing, and policy-driven access controls to prevent access to malicious websites and detect unknown threats before they reach the network, reducing the risk of initial compromise.
Eliminate lateral movement: Leveraging user-to-app (and app-to-app) segmentation, users connect directly to applications, not the network, eliminating lateral movement risk. It can also help find and stop possible attackers from moving around through identity threat detection and response (ITDR) and deception capabilities.
Stop data loss: Inline data loss prevention measures, combined with full inspection, effectively thwart data theft attempts.

Ransomware prevention checklist: Access the latest best practices to mitigate ransomware risk and protect your organization from existing and emerging threats.

Get your copy of the Zscaler ThreatLabz 2024 Ransomware Report today. As ransomware threats persist, understanding the latest trends and potential implications of these attacks and assessing your risk will help your organization protect itself against ransomware in 2024 and beyond.

The post ThreatLabz Ransomware Report: Unveiling a $75M Ransom Payout Amid Rising Attacks appeared first on Security Boulevard.

Clutch Security is the latest cybersecurity startup looking to secure and manage non-human identity.

We Can Do Better

As a Detection Engineer and Threat Hunter, I love MITRE ATT&CK and I whole-heartedly believe that you should too. However, there’s something about the way that some folks leverage MTIRE ATT&CK that has me concerned. Specifically, it is the lack of both precision and accuracy in how mappings are sometimes applied to controls. While we can debate the utility and validity of using MITRE ATT&CK as a “coverage map” or “benchmark” of any kind, the reality is that many teams, organizations, and security products use MITRE ATT&CK (for good reasons) to assess, measure, and communicate breadth and depth of detection and/or prevention capability. If that’s the case, then it seems pertinent to talk about how we can do a better job of presenting a more realistic picture of coverage through closer examination of the quality of our mappings. In this article, I’ll present an argument for why precision and accuracy matter, provide some examples of common mistakes and how to fix them, and finally share some ideas and recommendations for thinking about how to map detections properly moving forward.

Why Accuracy & Precision Matter

Accuracy and precision are not just inherently desirable traits; they are essential for the effective use of the MITRE ATT&CK framework within any organization. Accurate and precise mappings are crucial for maximizing the framework’s utility. To understand their importance, let’s first define these terms.

In this context, “accuracy” refers to whether the applied Tactic, Technique, or Sub-Technique correctly represents the activity identified by the detection. Imagine a literal map with cities in the wrong states, states in the wrong regions, and countries in the wrong parts of the world. Such a map would be unreliable for understanding our location or navigating to a new one.

Similarly, inaccurate mappings in threat detection lead to a distorted understanding of our security posture and undermine the integrity and utility of our efforts. This can result in misallocated resources, focusing on areas that don’t need attention while neglecting those that do. Such outcomes are detrimental to Threat Hunters and Detection Engineers, who already face a shortage of useful and actionable tools to understand and navigate the threat landscape effectively. Accurate mappings are therefore critical for these professionals to communicate the value of their work and make informed decisions.

In this context, “precision” refers to the level of specificity or granularity in a given mapping. The ATT&CK Framework is structured as a hierarchy of abstractions: Tactics encompass Techniques, which in turn encompass Sub-Techniques. For Detection Engineers and Threat Hunters, descending this hierarchy results in more granular and specific categories, thereby increasing their usefulness.

To use the metaphor of a literal map, a precision problem would be akin to a map of a country that only shows states or provinces but omits cities and towns. Such a map might help you understand the general direction needed to travel from one state to another, but it would be inadequate for navigating to a specific city within a state.

Similarly, imprecise mappings in threat detection provide only a “general idea” of our security posture and potential areas of focus. While this may offer some strategic insight, it ultimately falls short of being highly actionable. Precise mappings, down to the most granular elements of the ATT&CK Framework, are essential for making informed, effective decisions in threat detection and response.

Without placing explicit and intentional attention on the quality of mappings from detections to ATT&CK, individual errors can add up, giving us a “view of the world” that simply isn’t realistic or useful (can you even imagine what’s happening on the security vendor side?! If it is in their best interest to stretch the truth, do we really know how realistic their coverage is?).

Common Mistakes

Unlike with a world map, to the average observer, it is not always obvious when there is a lack of accuracy or precision. Mapping detection capabilities to MITRE ATT&CK properly is not easy. The ATT&CK Framework is a vast and deep source of knowledge that, despite being quite granular, still has gaps and is still subject to some degree of expert interpretation. In this section, we’ll highlight a few examples of both accuracy and precision error using Sigma rules from the SigmaHQ repository.

Example 1:

Name: Process Launched Without Image Name

Tactic: Defense Evasion

Technique(s): None

Sub-Technique(s): None

This is the most classic precision error; assigning a Tactic but not attributing it to a particular Technique or Sub-Technique.

• T1036: Masquerading should be added.
  - While there are Sub-Techniques within T1036 that are similar, they are not the same, so no Sub-Technique can be assigned.

Example 2:

Name: Activate Suppression of Windows Security Center Notifications

Tactic: Defense Evasion

Technique(s): T1112: Modify Registry

Sub-Technique(s): None

This is a nuanced precision error; this detection is missing a Sub-Technique which overlaps with but does not mutually exclude T1112.

• T1562.001: Impair Defenses: Disable or Modify Tools should be added here.

Example 3:

Name: Unusual Child Process of dns.exe

Tactic: Initial Access

Technique(s): T1133 External Remote Services

Sub-Technique(s): None

This is an accuracy error.

• T1133 should be removed because this Technique is for remote *access services such as VPN, RDP, VNC, SSH. Also, with T1133, you’re more likely to need “Valid Accounts”, which are not present in this activity.
• 1190: Exploit Public-Facing Application should be added instead.

Example 4:

Name: PetitPotam Suspicious Kerberos TGT Request

Tactic: Credential Access

Technique(s): T1187: Forced Authentication

Sub-Technique(s): None

Almost accurate, but not quite! PetitPotam is an example of T1187, but this detection is not identifying PetitPotam, just something (Rubeus) that is likely to happen after PetitPotam is used.

• T1187 is invalid.
• T1078.002: Valid Accounts: Domain Accounts is probably more accurate.

Example 5:

Name: Potential BlackByte Ransomware Activity

Tactic: Execution, Defense Evasion, Impact

Technique(s): T1140: Deobfuscate/Decode Files or Information, T1485: Data Destruction, T1498: Network Denial of Service

Sub-Technique(s): T1059.001: Command and Scripting Interpreter: PowerShell

This is primarily an accuracy error; the rule and the threat that it detects are kind of dense, so it would be easy to get confused.

• This detection looks for specific Powershell commands related to BlackByte’s Defense Evasion.
  - T1562.001 Impair Defenses: Disable or Modify Tools should be added.
  - T1027.010: Obfuscated Files or Information: Command Obfuscation should be added.
  - T1140 should be removed, as this is not an example of deobfuscation.
• The commands in question are not part of the “encryption routine”.
  - Impact is not a valid Tactic for this detection.
  - T1485 and T1498 are not valid Techniques in this instance.
  - T1486: Data Encrypted for Impact would be more valid if the commands were part of the encryption routine, but they are not.

Don’t believe me? Look at what the research article, referenced in the rule, suggests for these specific commands (bottom of article).

Getting It Right

While it may seem like nit-picking, these small errors, when compounded across hundreds of rules, can lead to a significant misrepresentation of reality. Although there is no definitive formula for mapping rules accurately, there are several high-level principles that can enhance the accuracy and precision of our mappings.

Keep It Simple

• Focus on what is immediately observable and not on what could likely be inferred from the data.
  - For example, detecting execution of a malware/tool that exhibits a Technique is not the same thing as detecting the Technique itself.
• Less Techniques is better than more Techniques.
  - Detections that look like they could be mapped to multiple Techniques at the same time are also likely not specific enough to qualify for a single Technique.
• Map to Sub-Techniques where possible.
  - Only use a Technique when there’s no other option.

Don’t Be Greedy

• Not all Techniques/Sub-Techniques can be detected with logs and telemetry.
  - Most Techniques within the Recon and Resource Development Tactics are fundamentally un-detectable through internal logs and telemetry.
• Not every detection needs to be tagged with a Technique/Sub-Technique.
  - If it’s not obvious which Technique or Sub-Technique applies to your detection, refrain from mapping it.
• Avoid mapping rules to Techniques/Sub-Techniques that you don’t fully understand.
  - Find the boundaries of your knowledge, accept that you’ve hit a wall, and keep learning to move beyond them.

Become A Better Researcher

• Improve your ability to find, interpret, and understand research on malware, tools, techniques, and vulnerabilities.
  - Focus on the broader context rather than getting lost in the bits, bytes, and assembly.
  - Learn how to read Proof of Concept (PoC) code or use an LLM to help you interpret code.
• Set up a lab environment for testing.
  - Use Atomic Red Team tests to get more hands-on exposure to simple Techniques.
  - Experiment with writing malware tools to better understand the ins and outs of operating systems.

Am I suggesting that getting mappings done properly is simple? No.
Is this asking a lot of practitioners? Probably, yes.
Should you do it anyway? Absolutely.

One of my many personal mottos has always been “there’s no free lunch when it comes to solving hard problems”. In other words, we don’t always realize that the “easy buttons” made available to us through modern technology were only made possible by the people who came before us, the people who actually did put in some seriously hard work somewhere earlier down the line to pave the way for everyone else.

Getting It Right With SnapAttack

Even though Detection Engineering and Threat Hunting have been around for years, it still feels like most of us are stuck at the starting line. At SnapAttack, we’ve been putting in the work to solve the hard problem of Threat Detection, enabling customers to stand on our shoulders and start ahead of us, and giving them the tools to grow their capabilities beyond us. While I’m not here to give you the hard sell, it would be negligent to not mention at least a few things that we do at SnapAttack that are relevant to this article’s topic.

1. Pre-Written Tested Detections
   - A core component of our solution is a growing library of pre-written Sigma rules that we develop and test against Sandbox sessions conducted by our own Threat Research team.
   - Yes, we map the rules to ATT&CK and even adjust the mappings on rules that we don’t write ourselves but pull in to the library.
2. MITRE ATT&CK Prioritization & Coverage Reporting
   - First, the platform uses best-in-breed Threat Intelligence to prioritize Techniques & Sub-Techniques according to an organization’s industry and region.
   - Next, we import your existing rules to understand current coverage.
    — We have an additional service that helps you map rules to ATT&CK and/or check the accuracy and precision of your existing mappings.
   - Finally, we display all this information in actionable reports and dashboards that help you implement detection capability for the highest priority threats first.
    — ATT&CK Navigator JSON files look good, but they aren’t functional.
3. Research Sandbox
   - The platform includes a basic Sandbox that enables operators to do hands-on-keyboard research without having to spin up their own lab environment.
    — SnapAttack’s internal threat research team uses the Sandbox to understand threats, build new detections from scratch, and test detections.
    — Platform users can also leverage the Sandbox to enhance their existing research capabilities or simply consume Sandbox reports to boost their knowledge.
4. Atomic Red Team Tests
   - Detection content in our platform is programmatically tied back to Atomic Red Team Tests that we pull in from the community and develop ourselves through the Sandbox.
    — This gives advanced operators the ability to simulate simple but specific attacks to explore log visibility and detection capability at an individual level.

If any of this sounds even remotely interesting — please reach out for a demo of our platform today! We’d love to show you exactly how we can help you detect more threats faster with SnapAttack.

• Platform | Purple Teaming Platform, SnapAttack
• Book a Demo with SnapAttack

Detection Rules & MITRE ATT&CK Techniques was originally published in SnapAttack on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post Detection Rules & MITRE ATT&CK Techniques appeared first on Security Boulevard.

A hacker exploited a misconfiguration in Proofpoint's email protection platform to send millions of spoofed phishing emails from companies like IBM, Nike, and Disney looking to steal money and credit card information from victims.

The post Proofpoint Platform Exploited to Send Millions of Spoofed Phishing Emails appeared first on Security Boulevard.

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a VMware ESXi bug to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an authentication bypass VMware ESXi vulnerability, tracked as CVE-2024-37085 (CVSS score of 6.8), to its Known Exploited Vulnerabilities (KEV) catalog. This week, Microsoft warned that multiple ransomware gangs are […]

What does the recent CrowdStrike outage tell us about the state of digital resiliency?

Related: CrowdStrike’s consolation backfires

On a resiliency scale of one to 10, most enterprises are at about two. This was clear over the weekend when over … (more…)

The post GUEST ESSAY: CrowdStrike outage fallout — stricter regulations required to achieve resiliency first appeared on The Last Watchdog.

The post GUEST ESSAY: CrowdStrike outage fallout — stricter regulations required to achieve resiliency appeared first on Security Boulevard.

This blog post explores the impact of the Paris 2024 Summer Olympics on Internet traffic in France and beyond, concentrating on web activity during the opening ceremony and the initial days of competition. Let the games continue.

According to the study, around 400 stolen GenAI credentials are being sold by threat actors per day.

A new version of the Mandrake Android spyware has been found in five apps on Google Play, which have been downloaded over 32,000 times since 2022. Researchers from Kaspersky discovered a new version of the Mandrake Android spyware in five app on Google Play, totaling over 32,000 downloads between 2022 and 2024. Researchers from Bitdefender […]

Download the Due Diligence Questionnaire for a comprehensive guide to understanding best security practices and monitoring SaaS applications logs.

The post Strengthen SaaS Security Through Due Diligence appeared first on AppOmni.

The post Strengthen SaaS Security Through Due Diligence appeared first on Security Boulevard.

With sufficient privileges in Active Directory, attackers only have to create an "ESX Admins" group in the targeted domain and add a user to it.

This blog post explores the impact of the Paris 2024 Summer Olympics on Internet traffic in France and beyond, concentrating on web activity during the opening ceremony and the initial days of competition. Let the games continue