Security firms analyze attack paths and seek out weak identities to find compromise vectors and critical assets that need better controls.

As companies struggle with finding and closing off the paths that attackers could use to infiltrate and compromise their IT environments, security providers are rushing to offer security posture management — also known as exposure management — capabilities in their products.

Security posture management firm Cymulate announced in June its threat exposure management platform that takes data from a variety of sources — including an inventory of the company's assets, its vulnerabilities, potential attack paths, and adversaries tactics — to create a measure of risk. Last week, exposure management firm Tenable announced the release of identity-focused features in its Tenable One platform that can analyze Active Directory and Azure AD instances to find identity-based weaknesses, such as over-permissioned accounts, orphaned users, and anomalous identities.

Giving companies the ability to analyze combined vulnerability and identity data from the current corporate IT environment is a critical part of measuring exposure, says Nico Popp, chief product officer at Tenable.

"If you bring vulnerability management and identity exposure together, then you can actually do really interesting things," he says. "The two together let you really allow us to think as an attacker moving laterally across your environment to basically reach your most important assets."

Exposure management is a relatively young industry segment that has taken off, driven by predictions from analyst firms, such as Gartner, that companies will shift from vulnerability management, attack-surface management, and privileged-account management to the more holistic capability of managing their exposure to threats.

For organizations, exposure management promises better ways to secure their changing information technology environments as attacks evolve. Focusing on not just vulnerabilities and weak identities, but also validating the threats that certain weaknesses represent, can help firms tackle the most critical security issues before they are exploited.

Combining a variety of data — such as the severity of the vulnerabilities, the value of the affected assets, and an attacker's ability to utilize an exploited system — allows companies to better gauge risk, says Erik Nost, a senior analyst in the security and risk group at Forrester Research.

"Organizations are all looking to inventory what they have and provide some perspective as to what they need to worry about," he says. "With attack path analysis, organizations can understand how attacks could be chained, how a vulnerability in an asset might relate to a certain family of malware, and if there are identities that live on this box that, if compromised, could then allow attackers to move to other boxes."

**Exposure Focuses Increasingly on Identity**

While vulnerability management firms have a natural evolution to exposure management, identity management and privileged access management (PAM) providers are increasingly transitioning as well. Typically, exposure management has been about vulnerabilities and misconfigurations, but many companies still have weaknesses due to overentitled accounts or users with a lot of standing privileges.

These are vulnerabilities as well, says Grady Summers, executive vice president of product at SailPoint Technologies.

"For so long, identity management was viewed as this compliance thing," he says. "But now customers are saying, can you show me all the overentitled access or the orphaned access or uncorrelated access — they're just realizing they had this blind spot to it."

Attack surface management and attack-simulation companies are likely to shift their focus to exposure management as well. Cymulate, formerly a breach and attack simulation company, has shifted to continuous threat exposure management (CTEM), an acronym coined by Gartner, as a way of extending its focus on attack surface and validation of vulnerabilities, says Carolyn Crandall, chief security advocate for Cymulate.

"Now, security teams are getting hit by more threats ... \[exposure management\] helps them get ahead of the attackers by better prioritizing the vulnerabilities that need remediation," she says. "There's much more pressure now to do testing ... \[to see if\] we get the outcomes we expected, and if not, how do we quickly understand those and then change."

**Adding Attack Paths Validates Threats**

A key component of exposure management is validating that particular vulnerabilities are both reachable and exploitable by attackers. To determine whether a critical asset is at risk, companies have focusing on constructing the potential path an attacker could take through the environment, using vulnerabilities in different systems to reach an end goal. Such attack paths validate that the combination of vulnerability scanning, analyzing permissions and identities, and measuring the criticality of assets results in a measurable risk.

A common attack path might involve compromising a Web server using an exploit for Log4J, escalating privileges, and then accessing a database. Using simulations to determine if that attack is viable helps organizations prioritizing patching and the implementation of new controls, says Mike DeNapoli, a cybersecurity architect and director at Cymulate.

"We can recreate this attack in a production-safe way — actually run it and determine 'is this merely viable, but we have controls that will compensate for these gaps,' or 'is this validated and this is an attack path that a threat actor could use,'" he says.

Often, compromising identity is a shorter way to achieve the same end, which is why it is so important to exposure management, says Tenable's Popp.

"If there is a very important customer database managed by Nico, and Nico is a privileged user, but his identity has a lot of weaknesses — maybe his password is on the Dark Web, or maybe he doesn't have MFA (multifactor authentication) — then that's a risk," he says. "If Nico gets compromised, which is a pure identity attack, then my customer database will get compromised, because the attacker, who can now pose as Nico, can fully access my customer database."

Exposure Management Looks to Attack Paths, Identity to Better Measure Risk

Guardrails need to be set in place to ensure confidentiality of sensitive information, while still leveraging AI as a force multiplier for productivity.

At the end of June, cybersecurity firm Group-IB revealed a notable security breach that impacted ChatGPT accounts. The company identified a staggering 100,000 compromised devices, each with ChatGPT credentials that were subsequently traded on illicit Dark Web marketplaces over the course of the past year. This breach prompted calls for immediate attention to address the compromised security of ChatGPT accounts, since search queries containing sensitive information become exposed to hackers.

In another incident, within a span of less than a month, Samsung suffered three documented instances in which employees inadvertently leaked sensitive information through ChatGPT. Because ChatGPT retains user input data to improve its own performance, these valuable trade secrets belonging to Samsung are now in the possession of OpenAI, the company behind the AI service. This poses significant concerns regarding the confidentiality and security of Samsung's proprietary information.

Because of such worries about ChatGPT's compliance with the EU's General Data Protection Regulation (GDPR), which mandates strict guidelines for data collection and usage, Italy has imposed a nationwide ban on the use of ChatGPT.

Rapid advancements in AI and generative AI applications have opened up new opportunities for accelerating growth in business intelligence, products, and operations. But cybersecurity program owners need to ensure data privacy while waiting for laws to be developed.

**Public Engine Versus Private Engine**

To better comprehend the concepts, let's start by defining public AI and private AI. Public AI refers to publicly accessible AI software applications that have been trained on datasets, often sourced from users or customers. A prime example of public AI is ChatGPT, which leverages publicly available data from the Internet, including text articles, images, and videos.

Public AI can also encompass algorithms that utilize datasets not exclusive to a specific user or organization. Consequently, customers of public AI should be aware that their data might not remain entirely private.

Private AI, on the other hand, involves training algorithms on data that is unique to a particular user or organization. In this case, if you use machine learning systems to train a model using a specific dataset, such as invoices or tax forms, that model remains exclusive to your organization. Platform vendors do not utilize your data to train their own models, so private AI prevents any use of your data to aid your competitors.

**Integrate AI Into Training Programs and Policies**

In order to experiment, develop, and integrate AI applications into their products and services while adhering to best practices, cybersecurity staff should put the following policies into practice.

**User Awareness and Education:** Educate users about the risks associated with utilizing AI and encourage them to be cautious when transmitting sensitive information. Promote secure communication practices and advise users to verify the authenticity of the AI system.

*   **Data Minimization:** Only provide the AI engine with the minimum amount of data necessary to accomplish the task. Avoid sharing unnecessary or sensitive information that is not relevant to the AI processing.
*   **Anonymization and De-identification:** Whenever possible, anonymize or de-identify the data before inputting it into the AI engine. This involves removing personally identifiable information (PII) or any other sensitive attributes that are not required for the AI processing.

**Secure Data Handling Practices:** Establish strict policies and procedures for handling your sensitive data. Limit access to authorized personnel only and enforce strong authentication mechanisms to prevent unauthorized access. Train employees on data privacy best practices and implement logging and auditing mechanisms to track data access and usage.

**Retention and Disposal:** Define data retention policies and securely dispose of the data once it is no longer needed. Implement proper data disposal mechanisms, such as secure deletion or cryptographic erasure, to ensure that the data cannot be recovered after it is no longer required.

**Legal and Compliance Considerations:** Understand the legal ramifications of the data you are inputting into the AI engine. Ensure that the way users employ the AI complies with relevant regulations, such as data protection laws or industry-specific standards.

**Vendor Assessment:** If you are utilizing an AI engine provided by a third-party vendor, perform a thorough assessment of their security measures. Ensure that the vendor follows industry best practices for data security and privacy, and that they have appropriate safeguards in place to protect your data. ISO and SOC attestation, for example, provide valuable third-party validations of a vendor's adherence to recognized standards and their commitment to information security.

**Formalize an AI Acceptable Use Policy (AUP):** An AI acceptable use policy should outline the purpose and objectives of the policy, emphasizing the responsible and ethical use of AI technologies. It should define acceptable use cases, specifying the scope and boundaries for AI utilization. The AUP should encourage transparency, accountability, and responsible decision-making in AI usage, fostering a culture of ethical AI practices within the organization. Regular reviews and updates ensure the policy's relevance to evolving AI technologies and ethics.

**Conclusions**

By adhering to these guidelines, program owners can effectively leverage AI tools while safeguarding sensitive information and upholding ethical and professional standards. It is crucial to review AI-generated material for accuracy while simultaneously protecting the inputted data that goes into generating response prompts.

How to Safely Architect AI in Your Cybersecurity Programs

Hack The Box launches Capture The Flag competition, including offensive and defensive challenges, to unite teams as cyberattacks increase in 2023 to unprecedented levels.

**London, Monday 3rd July, 2023** **—** Hack The Box, a disruptive cybersecurity upskilling, certification and talent assessment platform, has announced its upcoming global Capture The Flag (CTF) competition, designed specifically for corporate teams. Running from July 14 to July 16 2023, the competition will include offensive and defensive cybersecurity challenges, offering a valuable resource for cybersecurity teams seeking to fortify their skills as the regularity and severity of cyber attacks increase.  

Cyberattacks have risen by 7% in the first quarter of 2023 compared to 2022, and the threat landscape is becoming more diverse and complex for cyber professionals to protect against. In response, Hack The Box has designed its latest online global competition to help cybersecurity professionals learn the latest techniques in defending their organization using real-world scenarios. As cyberattacks grow in number and sophistication, businesses need cybersecurity teams to stay ahead, relying on a range of skills in the offensive and defensive space. 

Themed "The Great Escape," competitors are thrust into a distant dystopian future in a race to colonise Mars. They will be competing to establish Mars as a democracy by hacking into the opponent’s infrastructure, as the opposing team only wishes to occupy the planet for the elites.  

In preparation for the event, participants will have access to interactive workshops before the CTF kicks off, which feature defensive security tactics. The competition itself consists of over 30 challenges covering various domains, including web, cloud, pwn, crypto, forensics, reversing, and machines, all based on real-world scenarios. The CTF offers gamified upskilling, encouraging interactive learning experiences that keep participants engaged and motivated. Corporate IT and security teams can sharpen their hacking skills, showcase their expertise, and compete for the top spot on the global leaderboard.  

**Haris Pylarinos, CEO at Hack The Box, says:** "This competition offers a unique opportunity for not only IT and infosec  teams to enhance their offensive and defensive cybersecurity skills while being part of an immersive storyline, but to include interns and new hires needing to upskill and learn from each other. A business' cybersecurity relies as much on offensive and pre-emptive strategies as it does on those teams that address cyberattacks once they have happened. This inclusive approach to cyber training ensures cyber professionals are as prepared as possible in an ever-changing threat landscape."

**Pablo Ruiz Encinas, Security Consultant at Mnemonic, participated in the 2022 Hack The Box Business CTF and said:** "We used the HTB Business CTF to get our interns into the hacking world at the same time as the new hires and the more experienced members sharpened their skills. It was fun as well as rewarding to spend that weekend working together and sharing knowledge. I will definitely join for similar events in the future." 

**Gabe Lawrence, VP of Information Security Cyber Protection at Toyota, commented:** "There's a stigma of cybersecurity being magic or as easy as it’s portrayed in shows, but it's not. Hack The Box has helped us learn to address that stigma and get prepared for anything by updating our skills and knowledge base. We use the Dedicated Labs instances for CTFs we host every Friday afternoon. It's a fun and casual way for the team to gather and work together to solve challenges — and our favorite way to end the work week!"

In 2022, participation included 657 different businesses competing across 84 countries and territories. This was a 75% YoY team participation increase from 2021 to 2022, demonstrating the demand for immersive team learning. For 2023, over 500 teams have already joined to compete.

To join HTB's Business CTF 2023: The Great Escape, corporate teams can register for free here.   

Hack The Box's CTF 2023: The Great Escape is sponsored by Snyk and ExpressVPN.  

**About Hack The Box:**

Hack The Box is a leading gamified cybersecurity upskilling, certification, and talent assessment platform enabling individuals, businesses, government institutions, and universities to sharpen their offensive and defensive security expertise. Launched in 2017, Hack The Box brings together the largest global cybersecurity community of more than 2m platform members and is on a mission to create and connect cyber-ready humans and organizations through highly engaging hacking experiences that cultivate out-of-the-box thinking. Offering a fully guided and exploratory skills development environment, Hack The Box is the ideal solution for cybersecurity professionals and organizations to continuously enhance their cyber-attack readiness by improving their red, blue, and purple team capabilities. Rapidly growing its international footprint and reach, Hack The Box is headquartered in the UK, with additional offices in Greece and the US.

Global Hacking Competition Addresses Critical Increase in Cybersecurity Threats for Businesses

GDPR is halting Meta's new Threads app from entering EU markets, portending a broader struggle over the right ways to collect user data on social apps.

Upcoming data privacy regulations are preventing Meta's new microblogging app "Threads" from launching in European Union (EU) markets. Experts say this is only the beginning of the privacy battle facing the Twitter clone.

Meta's attempted coup d'etat against the Twitter kingdom launched on Wednesday in over 100 countries, earning tens of millions of users in only its first day live. That, despite being unavailable to major markets within the EU.

The holdup has to do with "complexities with complying with some of the laws coming into effect next year," Instagram CEO Adam Mosseri hinted on July 5. Mosseri's statement may refer to the new antitrust-oriented Digital Markets Act, but experts also expect Threads to collide head-on with consumer privacy regulations, thanks to its wanton collection of just about every kind of personal data imaginable.

    

Source: Search Engine Journal

"It seems likely that they're worried about the risk of rolling out something new that very clearly violates General Data Protection Regulation (GDPR) guidelines," says Aaron Mendes, CEO and co-founder of PrivacyHawk. But Threads' slow rollout doesn't preclude it from flourishing in the future. "Facebook has a reputation of rolling things out over time — they like to get stuff out fast, and then get information in and iterate."

**Everything Threads Will Know About You**

Meta has a history of conflict with regulators, owing to its liberal approach to consumer privacy. The EU has already fined the media giant to the tune of nine figures or more on multiple occasions.

Judging by its entry in the Apple app store, it's no wonder that Threads is being shielded from EU scrutiny. Browsing history, geolocations, health and financial information, and much more are all up for grabs. There's even a dedicated category for "sensitive information" which, according to Apple's documentation, includes "racial or ethnic data, sexual orientation, pregnancy or childbirth information, disability, religious or philosophical beliefs, trade union membership, political opinion, genetic information, or biometric data."

According to Mendes, there's no reason for users to suddenly freak out. For one thing, even the most egregious data collectors now provide settings for users to toggle what kinds of information they're willing to divulge. And at the end of the day, he points out, "Threads is effectively Instagram. You use Instagram to log into it. So it's all the same data collection, all the same protocols."

Threads does distinguish itself from its parent platform in its supplemental privacy policy. One rule of particular note: It'll only be possible to delete a Threads account by deleting the Instagram account associated with it.

Few of the tens of millions of people who've already signed up for Threads — or the hundreds of millions to come — are likely to know about this rule before it's too late. It just goes to show how "the customers are very, very disempowered," says Jim Killock, executive director of the Open Rights Group. "It's worth remembering that people have invested thousands and thousands of hours into building their networks on these platforms. We wouldn't tolerate this sort of behavior anywhere else."

**Can Meta Keep Up With GDPR?**

Even those who hold no quarter for Meta's approach to privacy may find certain GDPR regulations overly restrictive.

"EU laws make it very difficult to roll out a product, because of how they handle data sharing outside of EU borders," Mendes says. In May, for example, Meta got handed a colossal 1.3 billion Euro fine for transferring EU citizens' data to US servers, "which is kind of required to operate a service."

Initially, the Privacy Shield program provided a framework for data transfer between the US and EU, but the European Court of Justice struck it down on July 16, 2020. A new Trans-Atlantic Data Privacy Framework was agreed on in March, but hasn't been enacted yet.

Even if the EU has good reason to want to maintain legal control over its citizens' data, Mendes says, it's unduly difficult for global brands to keep all their data in one place, "unless you create a copy of your product that's completely siloed and works in the EU, separate from the one that you have, let's say, in the United States, which is an engineering nightmare, because now you have to maintain two versions of your product."

"There's never a simple balance," Killock admits. "It's about respecting the desires of customers on one hand, and on the other hand ensuring that companies can do business."

In some cases, he says, rules can help both regulators and users without being overly restrictive to companies. He points to the UK's right to data portability law as a way to foster competition, and naturally discourage Meta's more unsavory practices. "Whether we're talking about moderation standards or privacy standards, it allows people escape routes, and that creates actual commercial pressure on these companies to behave better."

"That," he thinks, "will empower not just users but also regulators to say: 'Look, people don't like this practice, you shouldn't be doing it."

Meta's Rush to Topple Twitter Sets Up Looming Privacy Debate

US and Canadian government agencies find that new variants of the malware are increasingly being utilized.

An advisory from the Cybersecurity and Infrastructure Security Agency (CISA), several US organizations, and the Canadian Center for Cyber Security (CCCS) warns of Truebot malware variants that are increasingly being utilized by threat actors against various organizations in the US and Canada.

Truebot, alternatively known as Silence.Downloader, is a botnet used by malicious cybergroups such as Cl0p ransomware cybergang to gather information from the victims they target. Older variants of Truebot were mainly distributed by threat actors by phishing email attacks in the form of malicious attachments. Newer versions of the malware allow these threat actors to gain initial access by exploiting a remote code execution (RCE) vulnerability in Netwrix Auditor — otherwise listed as CVE-2022-31199.

Cyber-threat actors are also using phishing campaigns with malicious hyperlinks to deliver their Truebot variants. The agencies urge those searching for this kind of malicious activity to apply vendor patches to the 10.5 version of Netwrix Auditor and to use the outlined guidance in the joint advisory.

"Any organization identifying indicators of compromise (IOCs) within their environment should urgently apply the incident responses and mitigation measures detailed in this CSA and report the intrusion to CISA or the FBI," the organizations stated. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Truebot Malware Variants Abound, According to CISA Advisory

Malware spoofed file management applications thanks to elevated permissions, enabling exfiltration of sensitive data with no user interaction, researchers find.

Two separate malicious apps loaded with spyware were found lurking in the Google Play store, loaded with zero-click spyware leading back to China.

Together, both applications tracked to the same developer, affected an estimated 1.5 million users, according to a new security alert from Pradeo. Google removed the apps within hours of being notified, the researchers add.

**Spyware Apps Relied on Elevated Permissions**

Most malicious apps rely on the victim to actually use it to successfully deliver malware, but these relied on permissions instead, according to Pradeo.

"Often, users install applications they end up not even using," the security alert said. "For most malware, that means the attack is unsuccessful. To overcome that obstacle, File Manager and File Recovery and Data Recovery can, through the advanced permissions they use, induce the restart of the device. This then permits the apps to launch and execute themselves automatically at restart."

Pradeo researcher Roxane Suau explained to Dark Reading that in addition to file manager applications, junk cleaner apps are also often spoofed for malicious purposes because of the elevated permissions required for them to perform their tasks.

Beyond sneaky permissions, the spyware apps misrepresented the amount of data collected, which raises flags about the security controls on applications available in the Google Play store, according to Melissa Bischoping, director at endpoint security research at Tanium.

**BYOD Policies Increase Risk**

"Users are often encouraged to place trust in the data privacy and safety reports on an app's page in the store, and this kind of deception undermines trust in all apps, not just the ones analyzed in the Pradeo reporting," Bischoping says. "There are over 3.5 million apps in the store, so it would be a herculean effort to perform deep-dive analysis of how each app complies with its stated privacy and security practices. That said, this type of glaring inaccuracy demonstrates a need for tighter vetting and control over what is published."

The damage these malicious applications can do to enterprises increases dramatically with bring your own device (BYOD) policies in the mix, Bischoping points out.

"A 'bring your own device' policy often results in unmanageability of mobile devices for large organizations," she explains. "Because of this, you cannot control what apps an employee may install or how much access they grant those apps. It's important to weigh the risk/reward of allowing mobile access to corporate data from personal devices."

Enterprise-owned devices should have controls in place to restrict these applications from being downloaded, Mike Parkin, senior technical engineer with Vulcan Cyber, tells Dark Reading.

"With enterprise-owned devices, they should be doing this already," Parkin says. "If they own the device, they have every right to restrict what goes onto it."

For organizations with BYOD policies, imposing restrictions on downloading apps is more difficult, Parkin adds, since the user owns the device and may balk at restrictions. "Though it would be appropriate for them to publish their expectations and, when necessary, block infected devices from accessing enterprise assets."

While malicious applications are hardly anything new, John Gallagher, vice president at Viakoo Labs, hopes incidents like these two spyware apps discovered in the Google Play Store will encourage enterprise security teams to take a look at their own policies.

"The ability of an application to have its download numbers inflated, to have more permissions than it needs, and for it to violate personal information policies and laws, are all existing attack vectors," Gallagher says. "These newly discovered threats may push more organizations to screen company-provided devices for such apps, or to monitor their network traffic to detect issues."

Spyware Gamed 1.5M Users of Google Play Store

Users need to patch the latest SQL injection vulnerability as soon as possible. Meanwhile, Cl0p's data extortion rampage gallops on.

Yet another critical SQL injection vulnerability has been disclosed and patched in Progress Software's MOVEit Transfer software — the fourth such flaw revealed in the space of a month.

The security bug (CVE-2023-36934) is distinct from the former zero-day flaw that's being exploited with resounding success by the Cl0p ransomware gang. But like that bug, it could allow unauthenticated cyberattackers to access MOVEit Transfer databases, and from there execute malware, manipulate files, or exfiltrate information.

"An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content," according to the Progress advisory on the bug.

The flaw hasn't been exploited in the wild so far, according to the advisory — but given its severity, users are urged to patch it as soon as possible, along with two high-severity vulnerabilities (CVE-2023-36932 and CVE-2023-36933) disclosed at the same time.

The bugs affect MOVEit Transfer versions 12.1.10 and earlier, 13.0.8 and earlier, 13.1.6 and earlier, 14.0.6 and earlier, 14.1.7 and earlier, and 15.0.3 and earlier.

The other SQL vulnerabilities revealed since early June are CVE-2023-35708 and CVE-2023-35036, as well as CVE-2023-34362, which is Cl0p's target and was discovered Memorial Day weekend.

Speaking of the Cl0p campaign, the extortion gang is galloping on, claiming 200+ victims so far, including government agencies. The blast radius of the campaign has been widened by compromised third-party vendors exposing their downstream customers.

Progress said this week that it plans to release MOVEit product updates every two months from now on.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

MOVEit Transfer Faces Another Critical Data-Theft Bug

Not yet — but it can help make incremental progress in reducing vulnerability backlogs.

Organizations worldwide are in a race to adopt AI technologies into their cybersecurity programs and tools. A majority (65%) of developers use or plan on using AI in testing efforts in the next three years. There are many security applications that will benefit from generative AI, but is fixing code one of them?

For many DevSecOps teams, generative AI represents the holy grail for clearing their increasing vulnerability backlogs. Well over half (66%) of organizations say their backlogs are comprised of more than 100,000 vulnerabilities, and over two-thirds of static application security testing (SAST) reported findings remain open three months after detection, with 50% remaining open after 363 days. The dream is that a developer could simply ask ChatGPT to "fix this vulnerability," and the hours and days previously spent remediating vulnerabilities would be a thing of the past.

It's not an entirely crazy idea, in theory. After all, machine learning has been used effectively in cybersecurity tools for years to automate processes and save time — AI is hugely beneficial when applied to simple, repetitive tasks. But applying generative AI to complex code applications has some flaws, in practice. Without human oversight and express command, DevSecOps teams could end up creating more problems than they solve.

**Generative AI Advantages and Limitations Related to Fixing Code**

AI tools can be incredibly powerful tools for simple, low-risk cybersecurity analysis, monitoring, or even remedial needs. The concern arises when the stakes become consequential. This is ultimately an issue of trust.

Researchers and developers are still determining the capabilities of new generative AI technology to produce complex code fixes. Generative AI relies on existing, available information in order to make decisions. This can be helpful for things like translating code from one language to another, or fixing well-known flaws. For example, if you ask ChatGPT to "write this JavaScript code in Python," you are likely to get a good result. Using it to fix a cloud security configuration would be helpful because the relevant documentation to do so is publicly available and easily found, and the AI can follow the simple instructions.

However, fixing most code vulnerabilities requires acting on a unique set of circumstances and details, introducing a more complex scenario for the AI to navigate. The AI might provide a "fix," but without verification, it should not be trusted. Generative AI, by definition, can't create something that is not already known, and it can experience hallucinations that result in fake outputs.

In a recent example, a lawyer is facing serious consequences after using ChatGPT to help write court filings that cited six nonexistent cases the AI tool invented. If AI were to hallucinate methods that do not exist and then apply those methods to writing code, it would result in wasted time on a "fix" that can't be compiled. Additionally, according to OpenAI's GPT-4 whitepaper, new exploits, jailbreaks, and emergent behaviors will be discovered over time and be difficult to prevent. So careful consideration is required to ensure AI security tools and third-party solutions are vetted and regularly updated to ensure they do not become unintended backdoors into the system.

**To Trust or Not to Trust?**

It's an interesting dynamic to see the rapid adoption of generative AI play out at the height of the zero-trust movement. The majority of cybersecurity tools are built on the idea that organizations should never trust, always verify. Generative AI is built on the principle of inherent trust in the information made available to it by known and unknown sources. This clash in principles seems like a fitting metaphor for the persistent struggle organizations face in finding the right balance between security and productivity, which feels particularly exacerbated at this moment.

While generative AI might not yet be the holy grail DevSecOps teams were hoping for, it will help to make incremental progress in reducing vulnerability backlogs. For now, it can be applied to make simple fixes. For more complex fixes, they'll need to adopt a verify-to-trust methodology that harnesses the power of AI guided by the knowledge of the developers who wrote and own the code.

Can Generative AI Be Trusted to Fix Your Code?

The company, one of four finalists in Black Hat USA's 2023 startup competition, looks for the vulnerabilities an attacker could actually access.

As the Log4j vulnerability demonstrated in a visceral way, open source code is inextricable from modern software. Developers incorporate components, snippets, and libraries from sources like GitHub when writing their own programs so they don't have to reinvent the wheel every time they build a cart. But that means most software has dependencies even its developers don't know about, which can lead to not realizing when a vulnerability report applies to their mission-critical applications — or to scrambling to fix a severe vulnerability that is completely cut off from any source code and thus harmless.

"With 90% of code in modern applications being open source and 95% of vulnerabilities being found in transitive dependencies \[the software packages automatically brought in by OSS\], security teams struggle to prioritize the right risks for engineering to work on," says Endor Labs CEO and co-founder Varun Badhwar. And that's the company's focus: prioritizing risk across open source software, CI/CD pipelines, and secrets.

Endor does this using dependency life cycle management, which takes into account a variety of metrics to calculate an overall risk score that a company can use to set security policies. It emphasizes how a dependency is used in the organization rather than the severity of a vulnerability. Even the worst vuln, the thinking goes, doesn't matters if an attacker can't actually get to it.

**Why Reachability Analysis?**

The company calls its approach "reachability analysis." By building a complete inventory of software and then tracing every path to a vulnerability, Endor says it can determine which vulnerabilities need to be fixed right away and which can be set aside. Users can query the Endor Labs platform using DroidGPT, a chatbot that is now in beta, to figure out which open source package they can use in place of a more vulnerable one.

Where Endor really stands out, Badhwar says, is with its staff: A third of the R&D team have earned doctorates. The focus on specialization carries through to the company's "decision to tackle one problem at a time to solve it in the right way," he says.

    

DroidGPT search results for cryptographic packages in Go. (Source: Endor Labs)

That first problem was open source dependencies. "We made the decision to start there and invest heavily in reachability analysis before we move forward into other solutions," Badhwar says.

The next focus areas will be prioritized secret scanning and supply chain management/configuration posture management, he adds.

**Return of the Contest**

The four finalists in the Black Hat Startup Spotlight — Endor Labs, Gomboc, Binarly, and Mobb — will present their business models to a panel of judges at the Mandalay Bay in Las Vegas on Wednesday, Aug. 9. (Of the finalists, Endor Labs is the only one that also made the finals at the 2023 RSAC Innovation Sandbox.) Dark Reading's editor-in-chief, Kelly Jackson Higgins, will host the event, which begin at 4:30 p.m. PT.

If you're attending Black Hat in person, Endor Labs hopes to attract you to its booth with a platform demo, a cute mascot, and Star Wars keychain/bottle openers. You might also get an invite to Endor Labs' event at the Topgolf driving range and sports bar.

Speaking of Endor, the swag is a clue to the inspiration for the company's name. No, it doesn't refer to the Canaanite village where the biblical Saul consulted a witch. In this case, Endor is the forest moon in the Star Wars universe where Ewoks live. The company's security research team is even named "Station 9" after a research station on Endor.

As Badhwar says, "The story behind the name is simple — we're just huge nerds."

**Speed Round**

**Website:** https://www.endorlabs.com/  
**Founded:** 2022  
**Funding stage:** Seed  
**Total funding raised so far:** $25M  
**Number of employees:** 50  
**If the company were a band, what would its band name be, and what kind of band would it be:** "We would simply be named The Ewoks and play futuristic synth-rock."  
**Pineapple on pizza, yea or nay?:** "We posted this question to the company Slack, and it almost sparked a civil war, but the result was an exact 50/50 split, which our marketing team will break and decide YES on pineapple on pizza." — Thuy Nguyen, director of demand generation at Endor Labs

Startup Spotlight: Endor Labs Focuses on Reachability

**SAN FRANCISCO, July 6, 2023 —** Black Hat, the producer of the cybersecurity industry’s most established and in-depth security events, today announced Maria Markstedter, Founder of Azeria Labs; Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA); Viktor Zhora, Deputy Chairman of the State Service of Special Communication and Information Protection of Ukraine on Digital Development, Digital Transformations, and Digitalization; and Kemba Walden, Acting National Cyber Director in the Office of the National Cyber Director, as Keynote speakers for the Black Hat USA 2023 event. 

The first day of Briefings on Wednesday, August 9 will feature two separate Keynotes, with the opening Keynote taking place at the beginning of the day, and the second Keynote taking place at the end of the day. The third Keynote will take place at the beginning of the final day of Briefings on Thursday, August 10.

**Black Hat USA 2023 Keynote lineup:**

*   Maria Markstedter is the Founder of Azeria Labs, where she runs a popular blog that teaches the community about Arm, from the instruction set to reverse engineering and exploit development. Markstedter will give her talk, “Guardians of the AI Era: Navigating the Cybersecurity Landscape of Tomorrow,” on Wednesday, August 9 at 9:00 AM. This talk will cover challenges AI brings to the cybersecurity industry and how cybersecurity professionals can evolve with the AI revolution and use it to their advantage.She has worked in various cybersecurity sectors, including threat intelligence, pentesting, and reverse engineering, and previously served as the Chief Product Officer of Corellium, an Arm virtualization startup. 
*   Jen Easterly is the Director of the Cybersecurity and Infrastructure Security Agency (CISA), where she was nominated by President Biden in April 2021, and unanimously confirmed by the Senate in July 2021. As Director, Easterly leads CISA’s efforts to understand, manage, and reduce risk to the cyber and physical infrastructure Americans rely on every day. In 2021, Easterly presented her Keynote, "Hacking the Cybersecurity Puzzle," at Black Hat USA, covering ways that hackers, the government, and private sector could work together to confront cyber threats. For Black Hat USA 2023, Easterly will present her talk with Viktor Zhora. Their talk will feature a fireside chat format and take place on Wednesday, August 9 at 4:20 PM.
*   Viktor Zhora is the Deputy Chairman of the State Service of Special Communication and Information Protection of Ukraine on Digital Development, Digital Transformations, and Digitalization. Since January 2021, Zhora has been responsible for cybersecurity in the Ukrainian digital infrastructure, supervising digital transformation and cybersecurity projects, CERT-UA, and the State Cyber Protection Center. He is a graduate of both the Institute of Physics and Technology of the National Technical University of Ukraine and the Institute of Software Systems of the National Academy of Science of Ukraine, as well as an author of numerous scientific publications on information security.
*   Kemba Walden is the Acting National Cyber Director in the Office of the National Cyber Director. Walden served as the inaugural Principal Deputy National Cyber Director for eight months, during which she co-led the organization, overseeing the development and growth of the office. During her tenure, the Office of the National Cyber Director drafted the National Cybersecurity Strategy, managed implementation of Executive Order 14028 – _Improving the Nation’s Cybersecurity_, and spearheaded the first ever National Cyber Workforce and Education Strategy. Her talk will be presented on Thursday, August 10 at 9:00 AM. 

For registration and additional information on Black Hat USA 2023, please visit https://www.blackhat.com/us-23/.

**About Black Hat**

For over 25 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. Black Hat Briefings and Trainings are held annually in the United States, Europe, and Asia. More information is available at: blackhat.com. Black Hat is brought to you by Informa Tech.

**About Informa Tech**

Informa Tech is a market leading provider of integrated research, media, training, and events to the global Technology community. We're an international business of more than 600 colleagues, operating in more than 20 markets. Our aim is to inspire the Technology community to design, build, and run a better digital world through research, media, training, and event brands that inform, educate, and connect. Over 7,000 professionals subscribe to our research, with 225,000 delegates attending our events and over 18,000 students participating in our training programmes each year, and nearly 4 million people visiting our digital communities each month. For more information, please visit www.informatech.com.

Source

DARKReading