During a keynote at Black Hat 2022, former CISA director Chris Krebs outlined the biggest risk areas for the public and private sectors for the next few years.

BLACK HAT USA — Las Vegas — A potential invasion of Taiwan should be top of mind for any entity, as geopolitical factors will continue to affect cybersecurity risk profiles.

That's the word from Chris Krebs, former director of the US Cybersecurity and Infrastructure Security Agency (CISA) who now runs a consultancy with former Facebook CISO Alex Stamos (the appropriately named Krebs Stamos Group). He took to the stage at Black Hat USA 2022 to talk about what will be driving the risk landscape in the next few years.

Krebs was fired from CISA for insisting the 2020 election was secure and fraudless ("We insist that we were successful — it was a singularly important moment in American history," he said at Black Hat. "And I think we did a pretty damn good job.") In the 18 months since, he has hit the road, talking to officials in the private sector, global governments, and state and local entities.

"I wanted to find consensus on what the trend lines are out there, the market pressures and the coming inflection points that are influencing technology, governments, bad actors, and people," he said.

In addition to geopolitical headwinds, Krebs noted that digital transformation, along with ever-increasing cyber-offensive capabilities from the bad guys, should have both the public and the private sectors on notice — or they risk falling hopelessly behind.

**Taiwan Looms as Geopolitical Pressures Accelerate**

In the last six months alone, there has been an unprecedented collision between geopolitical risks and technology risks — and this will only continue, according to Krebs. In addition to the ongoing war in Ukraine, Taiwan is a hotspot to watch.

"Leaders need to plan out beyond the next two quarters," he noted. "You have to look three to four years out, and every single company out there should be conducting simulation scenarios, impact assessments, tabletop exercises at the executive level around what's happening in the Taiwan Strait."

A Chinese invasion of Taiwan has the potential to impact organizations across the board, especially affecting the technology supply chain, competition and markets, and IT operations.

"Political headwinds have big effects and you have to game these things out," Krebs noted. "I don't know if it's going to happen tomorrow, next year, or three, four years out, but based on the conversations I have with national-security officials, they're pretty confident that's going to come to a head between China and Taiwan."

He added, "And if you want to be in a position to de-risk your operations, you have to start that yesterday."

While nation-state and advanced persistent threats (APTs) tend to be discussed in the context of China, Iran, North Korea, and Russia, Krebs noted that this is about to become a much bigger space to be concerned with.

"Literally every country on the face of this earth is developing capabilities for espionage for domestic surveillance," he warned. "And yeah, they're also looking at capabilities for destruction and disruption. There are going to be splashy, new, and novel events in the near future."

Against this backdrop, companies will also have to tabletop their responses to world events with an eye to ethics, he urged.

"You have to have a set of principles," he said. "You have to establish your values, who you are, what your red lines are. When Russia invaded Ukraine, we were working with a couple of different companies that said, look, we're not impacted by sanctions, so we're good, we don't really need to worry about it. Our take was, when images of war crimes start showing up on TV, and on Twitter and elsewhere, you're going to have a problem. You're continuing to support the Russian war machine."

**Insecurity in the Cloud, by Design**

Krebs also noted that as the COVID-19 pandemic drove an acceleration to the cloud and digital transformation, it became clear that the benefits of insecure products far outweigh the downsides.

"That's because we operate inside a larger ecosystem, inside businesses that are focused on productivity and reducing friction, and they tend to see security as slowing things down when you want to be first to market," he explained. "So we're building more products that are insecure by design because of the market pressures."

Meanwhile, as the ongoing mass migration to the cloud is being done in an effort to increase flexibility, elasticity, productivity, and efficiency, an ancillary result was a reduction in the ability for firms to see what's happening across their infrastructure.

"We've made it more complex, and we've also started adding on additional products, the infrastructure on the platforms, and we have this explosion of software-as-a-service (SaaS) opportunities and options out there," Krebs said. "Those are all opportunities for the bad guys to come in and get what they want. Do you really understand how the cloud works across the various hyperscale vendors and how you interact with it?"

Cybercriminals understand these shifts in business architecture, along with the dependencies and the trust connections housed within the relationships between software services and technology providers; this, he warned, will continue to foment more attacks against the supply chain and managed service providers.

Further complicating matters is the ongoing proliferation of connected things, which all come with potentially insecure cloud apps.

"I think we all agree there's going to be more stuff connected, because we have a pathological need to connect things to the Internet, seemingly," he said. "Three, four years into the future there are going to be more things around you that are collecting and generating data. These things are generating an incredible amount of data exhaust, digital exhaust, and it's becoming more complex, not less."

He noted that William Gibson had this reality pegged when he released the book _Neuromancer_ in 1984.

"He coined the term 'cyberspace,'" Krebs said. "But it's how he described cyberspace that was so captivating — the unthinkable complexity of cyberspace. We're there right now."

**Public Sector Concerns: Security Work to Do**

The next future concern on the Krebs list is the fact that the US government is struggling with balancing market interventions and regulation with the capitalist desire to allow innovation to grow.

"We see an overreliance on checklists and compliance rather than performance-based outcomes, so we're not getting the security-related outcomes we want," he noted, adding that to boot, what oversight does exist isn't implemented well.

"Congress needs to figure it out as well, and needs to establish select committees in the House and Senate that consolidate oversight over the various departments and agencies, particularly in the civilian branch," Krebs said. "We have 101 civilian agencies, and every single one of them is running their own email service. So, we've got to fix that."

On the law enforcement side, the Department of Justice and FBI have been consistently tackling the ransomware issue, which Krebs called "the right moves."

"They're going more aggressively at the adversary at the command-and-control level," he explained. "But we need to shift from longer-term investigations towards more disruptive actions aimed at imposing costs and eliminating ransomware's ability to extract value from companies here in the US.

Ransomware has become professionalized, he noted, and cyberattackers' capabilities just keep getting better and better.

"The barriers to entry have dropped, and now, they have access to exploits that were the remit of nation-states," he said. "They're profiting, and it's not costing them anything; they're getting their wins. And until we create meaningful consequences, and impose costs on them, they will continue to."

**Workforce Challenges Continue**

When it comes to the infamous lack of qualified people to fill 3 million open cybersecurity roles, the situation is confounding given how rewarding a career it can be, Krebs said.

"The first thing is, it's fun. Second is, it's lucrative," he noted. "We get paid pretty well in this industry. And third, relatedly, it's durable; we're going to be dealing with these challenges for the rest of our lives, perhaps the rest of human history. And then last thing is, these are national security issues. The mission we're doing is incredibly important."

That said, the US workforce over all is becoming increasingly tech-native, which he's optimistic about.

"We're getting critical thinking skills coming along with the technology savviness that we're looking for," he said.

While there's much to think about going forward, and to act on today, Krebs did say that there are reasons to be hopeful about the chances for businesses to keep up with the risk landscape.

"As evidenced by Black Hat USA at 25, we have a maturing industry," he said. "We're producing and generating products that are solving problems. We have technology vendors that are working to solve problems in the infrastructure."

Krebs: Taiwan, Geopolitical Headwinds Loom Large

In her keynote address at Black Hat USA 2022, Kim Zetter gives a scathing rebuke of Colonial Pipeline for not foreseeing the attack.

BLACK HAT USA — Las Vegas — The unprecedented ransomware attack against Colonial Pipeline last year shows that critical infrastructure operators have made little progress in protecting their networks 12 years after the discovery of Stuxnet. Author and journalist Kim Zetter gave a scathing rebuke of Colonial Pipeline during the keynote session opening the second day of Black Hat USA, its leaders had plenty of warnings that could have prevented the crippling attack.

Zetter, who has covered many major cyber-incidents over more than two decades, is author of the book _Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon_ (Crown: 2015). Stuxnet, the malicious worm that security experts discovered at an Iranian uranium enrichment facility in 2010, explicitly targeted the Siemens S7-400 system. The discovery heralded a new generation of targeted attacks, according to Zetter.

"When Stuxnet was discovered in 2010, it shed a light on vulnerabilities and critical infrastructure that few had noticed before," Zetter said. "The security community largely focused on IT networks. They had previously ignored what are known as operational networks, OT networks, industrial control systems, all of those systems that manage pipelines and railways and the electric grid and water treatment plants and manufacturing, and so many other pivotal industries."

Stuxnet was more significant for what it portended than any damage resulting from it at the time. Introduced to a network via a USB drive, Stuxnet consists of worming malware, a Windows LNK file designed to propagate it, and a rootkit that hides the malicious files.

The discovery of Stuxnet shouldn't have come as a surprise back then, but it opened some eyes for the first time, according to Zetter.

"Stuxnet provided stark evidence that physical destruction of critical infrastructure using nothing more than code was possible," she said. "But no one should have been surprised. There have been warnings about the use of digital weapons to disrupt or destroy critical infrastructure a decade prior to Stuxnet."

Zetter said the impact of Stuxnet was significant, pointing to four major changes it brought to security: Stuxnet created a trickle-down effect in the form of techniques and tools, kicked off today's cyber-arms race, established the politicization of security research and cyber-defense, and shed light on the vulnerability of critical infrastructure.

Coinciding with Stuxnet was the discovery of an advanced persistent threat (APT) called Aurora, which exposed the growing capabilities of nation-state hackers, Zetter noted.

"Many of you probably remember this was a widespread espionage campaign by China that hit 34 companies and targeted source code repositories of Google, Adobe, and Juniper," she said. "And \[it\] included one of the first significant supply chain operations targeting the RSA C repository, the engine for its multifactor authentication systems."

**Risks Remain High for Industrial Control Systems**

The high-profile attack that locked up Colonial Pipeline, which distributes 45% of fuel across the US East Coast, forced it to shut down its 5,500 miles of pipeline until it paid over $4.4 million in ransom. Zetter suggested there is no reason last year's ransomware attack should have blindsided the company's top leaders.

"What happened with Colonial Pipeline last year was foreseeable, as was the growing threat of ransomware," Zetter said. "As the company CEO told lawmakers on Capitol Hill months later, although it did have an emergency response plan, that response plan didn't include a ransomware attack — even though ransomware attackers had been targeting critical infrastructure since 2015, so the signs were there if Colonial Pipeline had looked."

Zetter pointed to Critical Infrastructure Ransomware Attacks (CIRA) statistics compiled by Temple University in 2019, just two years before the Colonial Pipeline attack. The researchers counted some 400 ransomware attacks on critical infrastructure in 2020 and 1,246 attacks between Nov. 2013 and July 31, 2022.

"These weren't just attacks on hospitals, which of course had been a big target for ransomware actors in 2016," she said. "But these were also targeting oil and gas facilities. And the attackers weren't just targeting IT systems. They were already going after the OT networks that are controlling the critical processes."

Further, Zetter noted that in 2020, the year before the Colonial Pipeline attack, Mandiant reported that seven ransomware families had struck organizations that operate industrial control systems since 2017. The attacks created major disruptions and production and delivery delays.

Also in 2020, 10 months before the Colonial Pipeline attack, the Cybersecurity & Infrastructure Security Agency (CISA) issued a reminder of the Department of Homeland Security's (DHS) Pipeline Cybersecurity Initiative. The effort, created by DHS in 2018, was a joint effort of CISA, the Transportation Security Administration (TSA), and various federal and private sector stakeholders.

Zetter indicated that it is probably not ironic that DHS announced new cybersecurity requirements for those who own and operate critical pipelines two months after the Colonial Pipeline attack. "I don't mean to beat up on Colonial Pipeline — they're just a convenient example, because the attack was so significant," she said. "But other critical infrastructure is in the same position or worse."

After Colonial Pipeline, Critical Infrastructure Operators Remain Blind to Cyber-Risks

Up-and-coming companies shoot their shot in a new feature introduced at the 25th annual cybersecurity conference.

BLACK HAT USA 2022 -- Las Vegas — At an intimate stage area in the Innovation City section located at the back of the Business Hall, Phylum beat out three other cybersecurity startups to take the title at the inaugural Innovation Spotlight competition, held on Wednesday evening at the 25th Black Hat USA.

The four finalists were Phylum, a software supply chain security company; KeyCaliber, a company that uses asset behavior analytics to help clients prioritize protective measures; Normalyze, which identifies sensitive data and vulnerable access paths ripe for exploitation; and Tromzo, with a product security operating platform (PSOP) for building applications more securely.

Dark Reading's editor-in-chief, Kelly Jackson Higgins, hosted the awards. Judges picked finalists back in July after viewing video submissions from candidates -- companies that were 2 years old or less and had fewer than 50 employees.

**The Final Four**

The finalists presented in alphabetical order, starting with KeyCaliber. Roselle Safran, cofounder and CEO, explained how her company's analytics engine helps continuously identify and protect an organization's most valuable data, aka "crown jewels" — indeed, the company's brand representatives were men dressed in royal robes and costume crowns. Safran said KeyCaliber's software can run on her company's network, on the customer's network, or on premises, a flexibility that meets prospective clients' need to balance resources and security.

    

KeyCaliber's two kings. (Photo by Karen Spiegelman for Dark Reading)

Next up was Normalyze cofounder and CEO Amer Deeba. His company is in a similar risk management space as KeyCaliber, but emphasizes "holistic data security" rather than crown jewels. The company offers "data-first cloud security" that scans for sensitive data on Google Cloud, AWS, and Microsoft Azure. His co-founder, CTO Ravi Ithal, was standing to the side recording his partner's presentation, in a perfect example of the supportive atmosphere of the event.

The specter of Log4j hung over the presentations, none more so than Phylum's. Cofounder and president Peter Morgan said his company focuses on the security of open source packages, using deductive analysis of risk indicators to create what he likened to a "credit score for packages." The company offers a community edition that has "feature parity" with the paid edition, limiting it to one user and five projects at a time. He said the automated analysis takes 12-15 minutes to complete. "We're walking really well, and the system is learning to run as we speak," Morgan said.

The last to present was Harshil Parikh, CEO and cofounder of Tromzo, a product security operating platform designed to make the entire software development pipeline more secure. In response to a question from the judges, Parikh explained that the company wrote its own no-code platform for automating security processes and remediation.

**The Winners**

First, all four finalists were winners in that they got booth space at Black Hat USA, as well as a receptive audience for their presentations and a consultation with an Omdia analyst. There were decision-makers in the audience Wednesday, with a few CEOs filling the seats and a standing-room crowd watching the competition.

Tromzo definitely had the flashiest presentation. Parikh opened by using a DVD as a prop to illustrate the outdated former cutting-edge technology. He closed by tossing the DVD over his shoulder, warning, "Don't get left behind." That jazz might be why Tromzo took first place in the audience poll.

Ultimately, however, the opinions that mattered most in the contest were those of the judges, and they favored the open source-emphasizing Phylum. The seven judges were Ketaki Borade, senior analyst in Omdia’s Infrastructure Security research practice; Trey Ford, deputy CISO at Vista Consulting Group; Hollie Hennessy, senior analyst in Omdia's IoT cybersecurity practice; Maria Markstedter, founder and CEO of Azeria Labs; Lucas Nelson, founding partner at Lytical Ventures; Robert J. Stratton III, principal & strategist at Polymathics and venture partner at Nextgen Venture Partners; and Rik Turner, principal analyst in Omdia's IT security and technology team.

Supply Chain Security Startup Phylum Wins the First Black Hat Innovation Spotlight

Even among businesses with cyber insurance, they lack coverage for basic costs of many cyberattacks, according to a BlackBerry survey.

Organizations lack sufficient levels of cyber-insurance coverage to protect themselves in case of a ransomware attack, with just 14% of businesses with 1,400 or fewer employees boasting coverage limits above $600,000.  

These were among the findings of a BlackBerry and Corvus Insurance survey of 450 business decision-makers for IT and security solutions, which also revealed more than a third (37%) of respondents currently lack coverage for any ransomware payment demands.

Nearly six in 10 (59%) of respondents said they hoped the government would cover damages when future attacks are linked to other nation-states, and fully half of small to medium-size business (SMB) respondents said they hoped Uncle Sam would increase financial aid in all ransomware incidents.

Gary Davis, senior director of cybersecurity at BlackBerry, says these statistics were the most surprising — and concerning — findings from the survey.

"I think that would establish a dangerous precedent and only encourage more nefarious attacks," he says.

Davis explains he believes the best option for SMBs is to hire a cybersecurity managed service provider (MSP) to deliver the essential capabilities required by insurance providers in the most affordable and comprehensive way possible.

"Demonstrating compliance will go a long way toward an effective negotiation with the insurance providers," he says. "Also, I would encourage SMBs to share their security posture insights with their insurance provider."

The good news is, most organizations are happy to share this type of information.

"To me, that’s very much akin to how many car insurers operate today when they offer better rates for those willing to have a device in their car that reports their driving behavior to the insurance company," Davis says. "Hopefully, sharing these details will have a similar impact on what insurance providers charge for cyber insurance."

**Cyber Insurance Lacking Critical Coverage**

The survey also revealed that the increased software requirements demanded by insurance brokers is making cyber insurance harder to get — more than a third of respondents said they had been denied coverage due to unfulfilled endpoint detection and response (EDR) software requirements.

Overall, the findings indicated that even when organizations do have cyber insurance, the coverage lacks critical elements, with 43% of survey respondents not covered for auxiliary costs, including court fees or employee downtime.

Davis points out he has not seen any evidence that the bad actors are slowing down, which suggests that organizations of every size and type should increasingly rely on cyber insurance as another means of helping to combat the problem.

"Ideally, we will also see stronger ties between cybersecurity vendors and insurance providers to collaborate on ways we can help companies minimize their risk of being successfully attacked," he says.

**As Cyber-Insurance Market Evolves, Complications Arise**

The BlackBerry report follows a June study by Proofpoint, which found less than half of CISOs at US-based organizations said they have cyber insurance and are confident that it will be there when needed.

The increasing volume of ransomware and other cyberthreats is jacking up the price of cyber insurance, while insurers are simultaneously starting to demand more direct access to organizational metrics and measures.

They argue this access will allow them to make more accurate risk assessments – however, some businesses may be loath to reveal such closely held information, in part because it may wind up preventing them from receiving coverage.

At the same time, some insurers are pulling out of the market, including global insurance giant AXA, which said in May that it would stop reimbursing French companies for ransomware payments to cybercriminals.

Amid a dynamic environment where insurers have started to charge more for policies and begun setting higher requirements, debates over standards, baseline security controls, and new exclusions and limitations on coverage types continue to wreak havoc on this burgeoning market.

Cyber-Insurance Fail: Most Businesses Lack Ransomware Coverage

More than 1 million instances of firewalls running Cisco Adaptive Security Appliance (ASA) software have four vulnerabilities that undermine its security, a researcher finds.

BLACK HAT USA — Las Vegas — Cisco's enterprise-class firewalls have at least a dozen vulnerabilities — four of which have been assigned CVE identifiers — that could allow attackers to infiltrate networks protected by the devices, a security researcher from vulnerability management firm Rapid7 plans to say in a presentation at the Black Hat USA conference on Aug. 11.

The vulnerabilities affect Cisco's Adaptive Security Appliance (ASA) software, the operating system for the company's enterprise-class firewalls, and its ecosystem. The most significant security weakness (CVE-2022-20829) is that the Adaptive Security Device Manager (ASDM) binary packages are not digitally signed, which — along with the failure to verify a server's SSL certificate — allows an attacker to deploy customized ASA binaries that can then install files onto administrators' computers.

Because administrators just expect the ASDM software to come preinstalled on devices, the fact that the binaries are not signed gives attackers a significant supply chain attack, says Jake Baines, lead security researcher at Rapid7.

"If someone buys an ASA device on which the attacker has installed their own code, the attackers don't get shell on the ASA device, but when an administrator connects to the device, now \[the attackers\] have a shell on \[the administrator's\] computer," he says. "To me, that is the most dangerous attack."

The dozen security weaknesses include issues that impact devices and virtual instances running the ASA software, as well as vulnerabilities in the Firepower next-generation firewall module. More than 1 million ASA devices are deployed worldwide by Cisco's customers, although a Shodan search shows that only about 20% have the management interface exposed to the Internet, Baines says.

As a supply chain attack, the vulnerabilities would give threat actors the ability to compromise a virtual device at the edge of the network — an environment that most security teams would not analyze for security threats, he says.

**Full Access**

"If you have access to the virtual machine, you have full access inside the network, but more importantly, you can sniff all the traffic going through, including decrypted VPN traffic," Baines says. "So, it is a really great place for an attacker to chill out and pivot, but probably just sniff for credentials or monitor the traffic flowing into the network."

Baines discovered the issue when he was investigating the Cisco ASDM to get "a level set on how the GUI (graphical user interface) works" and pull apart the protocol, he says.

A component installed on administrators' systems, known as the ASDM launcher, could be used by attackers to deliver malicious code in Java class files or through the ASDM Web portal. As a result, attackers could create a malicious ASDM package to compromise the administrator's system through installers, malicious Web pages, and malicious Java components.

The ASDM vulnerabilities discovered by Rapid7 include a known vulnerability (CVE-2021-1585) that allows an unauthenticated remote code execution (RCE) attack, which Cisco claimed was patched in a recent update, but Baines discovered it remained.

In addition to the ASDM issues, Rapid7 found a handful of security weaknesses in the Firepower next-generation firewall module, including an authenticated remote command injection vulnerability (CVE-2022-20828). The Firepower module is a Linux-based virtual machine hosted on the ASA device, and it runs the Snort scanning software to classify traffic, according to Rapid7's advisory.

"The final takeaway for this issue should be that exposing ASDM to the internet could be very dangerous for ASA that use the Firepower module," the advisory states. "While this might be a credentialed attack, as noted previously, ASDM's default authentication scheme discloses username and passwords to active MitM \[machine-in-the-middle\] attackers."

Updating can be complex for Cisco ASA appliances, presenting a problem for companies in mitigating the vulnerabilities. The most widely deployed version of the ASA software is five years old, Baines says. Only about half a percent of installations updated their ASA software within seven days to the latest version, he adds.

"There is no auto-patch feature, so the most popular version of the appliance operating system is quite old," Baines says.

Cisco has had to deal with security issues in its other products as well. Last week, Cisco disclosed a trio of vulnerabilities in its RV series of small business routers. The vulnerabilities could be used together to allow an attacker to execute arbitrary code on Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers without authenticating first.

4 Flaws, Other Weaknesses Undermine Cisco ASA Firewalls

Eighteen companies, led by Amazon and Splunk, announced the OCSF framework to provide a standard way for sharing threat detection telemetry among different monitoring tools and applications.

BLACK HAT USA – LAS VEGAS – Amazon Web Services (AWS) and Splunk are leading an industry effort of 18 systems and security vendors to standardize how different monitoring systems share security alerts. The goal is to deliver a simplified and vendor-agnostic taxonomy to help security teams ingest and analyze security data faster.

The companies announced the Open Cybersecurity Schema Framework (OCSF) during the Black Hat USA conference on Wednesday in Las Vegas. The participating companies are Broadcom (Symantec), Cloudflare, CrowdStrike, DTEX, IBM Security, IronNet, JupiterOne, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Trend Micro, and Zscaler.

Detecting and stopping today's cyberattacks requires coordination across cybersecurity tools, but many of these tools are not interoperable and there are too many different data formats. The OCSF specification will normalize security telemetry across various security products and services, said Mark Ryland, director of the office of the CISO at AWS, in a blog post announcing the project.

"Security teams have to correlate and unify data across multiple products from different vendors in a range of proprietary formats," Ryland wrote. "Instead of focusing primarily on detecting and responding to events, security teams spend time normalizing this data as a prerequisite to understanding and response."

OCSF, which extends the ICD Schema specifications originally developed by Broadcom’s Symantec division, offers a collection of data types, an attribute dictionary, and taxonomy written in JSON, according to an overview of the specification available on GitHub. Contributors can utilize and extend the framework and map the various data ingestion and normalization schemas in a common threat detection language.

"As practitioners, one of the most challenging problems in technology is connecting finding and event information across multiple vendor tools, operating systems, and versions," says Jamie Scott, product manager at Endor Labs. "A standard data format will reduce cost and accelerate incident triage for our industry as a whole," 

**An Extensible Framework for Interoperability**

As an open source project, OCSF seeks to provide an extensible framework for providing interoperable core security schema not tied to a specific provider, Splunk distinguished engineer Paul Agbabian wrote in a white paper documenting OCSF. Licensed under the Apache License 2.0, OCSF features an agnostic storage format, data collection, and extract, transform, and load (ETL) processes. The schema browser represents categories, event classes, dictionaries, data types, profiles, and extensions.  

"Vendors and other data producers can adopt and extend the schema for their specific domains," Agbabian explained in a separate blog post. "Data engineers can map existing schemas to help security teams simplify data ingestion and normalization so that data scientists and analysts can work with a common language for threat detection and investigation."

"Having a common data format for these events to be shared across tooling will make both consumers and producers lives’ easier. Producers can more easily integrate with other solutions and consumers can aggregate and triage incidents," Scott says.

The OCSF shares some similar taxonomy with the widely used MITRE ATT&CK Framework, according to the white paper, though it also noted some stark differences. The most notable is that OCSF is extensible by vendors and customers, while MITRE releases all content for ATT&CK.

An Enterprise Strategy Group and Information Systems Security Association (ISSA) survey found that 77% of cybersecurity professionals want to see the industry forge support for open standards. The same survey found that 85% see integration among products as essential. 

"Cybersecurity is ready to move on from silos and into an open, integrated era of inter-operability and cooperation," Aghabian noted.

**Normalizing Security Telemetry**

The project is open to other providers wishing to participate and contribute, according to Ryland.

"We see value in contributing our engineering efforts and also projects, tools, training, and guidelines to help standardize security telemetry across the industry," he wrote. "Although we as an industry can’t directly control the behavior of threat actors, we can improve our collective defenses by making it easier for security teams to do their jobs more efficiently."

The status of the OCSF and when vendors will begin testing wasn’t immediately apparent. And it remains to be seen to what extent the vendors will ultimately contribute to OCSF and implement it.

"The biggest threat to an early-stage effort like OCSF is the steering committee composition itself. Since the committee is made largely of vendors, representative consumer organizations will need a seat at the table to help drive adoption across vendors," Scott says. "As the OCSF continues to collaborate with the industry, it should ensure that the steering committee has reserved spots for industry practitioners who are willing to make an investment in their mission."

Erkang Zheng, founder and CEO of cyber operations platform provider JupiterOne, is pledging to embrace and participate in extending OCSF.

"Over time, we will continue to contribute to the OCSF initiative by extending the framework to cover both time-series event data and stateful/structural asset data, leveraging JupiterOne’s open-source data model," Zheng wrote. "Our hope in participating in this initiative is to inspire more cross-industry collaboration."

Scott adds: "Solving a problem like this is a journey that will require learnings across the industry. But the destination makes the journey worth it."

New Cross-Industry Group Launches Open Cybersecurity Framework

Ransomware gang gained access to the company's VPN in May by convincing an employee to accept a multifactor authentication (MFA) push notification.

Cisco has confirmed a breach of its network, where the attacker used voice phishing to convince an employee to accept a malicious multifactor authentication (MFA) push. The breach resulted in cyberattackers gaining access to the company's virtual private network (VPN) and the theft of an unspecified number of files from its network, the company stated on Aug. 10.

The attacker compromised a Cisco employee's personal Google account, which gave them access to the worker's business credentials through the synchronized password store in Google Chrome. To bypass the MFA protecting access to Cisco's corporate VPN, the attacker attempted voice phishing, or vishing, and repeatedly pushed MFA authentication requests to the employee's phone. Eventually, the worker either inadvertently, or through alert fatigue, accepted the push request, giving the attacker access to Cisco's network.

Cisco acknowledged the incident in a brief press statement, maintaining that the company discovered the breach on May 24 but "did not identify any impact to our business as a result of the incident."

"\[W\]e took immediate action to contain and eradicate the bad actors, remediate the impact of the incident, and further harden our IT environment," a company spokesman said in the statement sent to Dark Reading. "No ransomware has been observed or deployed and Cisco has successfully blocked attempts to access Cisco's network since discovering the incident."

Breaches of technology companies have become commonplace, often as part of supply chain attacks. In one of the original supply chain attacks, in 2011, two state-sponsored groups linked to China compromised security vendor RSA to steal critical data underpinning the security of the company's SecurID tokens. In the most significant modern attack, the Russia-linked Nobelium group — which is Microsoft's designation — compromised SolarWinds and used a compromised update to compromise the company's clients.

The attack on Cisco likely had multiple goals, Ilia Kolochenko, founder of cybersecurity startup ImmuniWeb, said in a statement sent to Dark Reading.

"Vendors usually have privileged access to their enterprise and government customers and thus can open doors to invisible and super-efficient supply chain attacks," he said, adding that "vendors frequently have invaluable cyber threat intelligence: bad guys are strongly motivated to conduct counterintelligence operations, aimed to find out where law enforcement and private vendors are with their investigations and upcoming police raids."

While some security experts characterized the attack as "sophisticated," Cisco pointed out that it was a social-engineering play.

"The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user," the Cisco Talos team stated in an analysis of the attack. "Once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN."

With access established, the attacker then tried to move through the network by escalating privileges and logging into multiple systems. The threat actor installed several tools, such as remote access software LogMeIn and TeamViewer, as well as offensive security tools, such as Cobalt Strike and Mimikatz, both in wide use by attackers.

In addition, the attacker had extensive access to Cisco's network, using the compromised account to access "a large number of systems" and compromised several Citrix servers to get privileged access to domain controllers, according to the Cisco Talos analysis. The attacker used already existing remote desktop protocol (RDP) accounts to access systems, removing firewall rules to prevent them from blocking access.

While Cisco maintains that the attackers did not impact its products, services, or sensitive customer or employee data, the company did acknowledge that on Aug. 10, the threat actors published a list of files stolen from the network during the incident. While the attackers demanded a ransom, according to one press report, Cisco stated that the attackers did not deploy ransomware. The threat actor did install a number of offensive tools and payload to a variety of systems on Cisco's network.

Cisco believes the threat actor is an initial access broker — an adversary that gains unauthorized access to corporate networks and then sells that access as a service on the Dark Web. The threat actor appears to have "ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators," Cisco's Talos group stated.

The threat actor, or its affiliates, spoke in English with various international accents and dialects, and claimed to be part of a support organization known to the worker, the targeted employee told Cisco, according to the Talos analysis.

Cisco Confirms Data Breach, Hacked Files Leaked

Industry standards would provide predictable and understandable IoT security frameworks.

The Internet of Things industry's lack of cybersecurity standards is nothing new. We’ve been at this for years. However, with the number of devices expected to surpass 25.4 billion by 2030, and given the recent increase in cyberattacks and threats, it’s clear the situation has risen to crisis levels.

This perfect storm of threats can be extinction-level events for organizations and have detrimental effects on natural resources, economies, governments, and much more. Unfortunately, such threats often begin with unsecured connected devices. Acting as a double-edged sword, connected devices play a crucial role industrywide in day-to-day business operations and solutions, but pose a grave security risk to both enterprises and consumers.

Whose responsibility is it to keep these applications secure? The public sector often points the finger at vendors and brands, but it also has a responsibility to carefully research and choose its vendors and partners. Technology companies, for their part, are responsible for helping to mitigate vulnerabilities and privacy and security flaws. While both the private and public sectors can agree that we must address these issues and create a more secure environment, the solution, however, is where the real challenges lie.

**Synchronized Security Standards**

There are many reasons why today’s devices and mobile applications are insecure, but they all boil down to one thing: There hasn’t been one set of cybersecurity standards until now. IoT product manufacturers must make it a priority to test and certify their products against these security standards to show their consumers that their product offerings have gone through a security certification process. For innovation to evolve, there’s a critical need to follow a set of global, synchronized security standards that will keep everyone on the same page and bring clarity to the future of IoT security.

Brands and manufacturers can hire the best security leadership, bolster security infrastructure, and even mandate companywide cybersecurity training, but it's simply not enough. An industry standard would provide predictable and understandable frameworks to incorporate security into mobile apps and IoT devices — from inception, to testing and third-party validation before going to market, to end use.

With more unique cybersecurity events happening as major world events occur, the time has come to double down on security efforts. Testing and third-party validation is the way to go, giving peace of mind to organizations, partners, and customers.

**Hackers' Affinity for IoT devices**

It’s a never-ending game of cat and mouse — as innovation increases and we become ever-more connected, hackers continue to bring their A games. With more connected devices and buildings becoming interoperable, hackers have become more sophisticated, using connected devices to gain access to — and wreak havoc on — critical infrastructure. Both B2B and B2C businesses must prioritize offering customers secured products, and customers should be made aware of such options and processes. Transparency of security processes and availability of secured products is crucial to achieving a more secure world.

**Remote Working – It's Not All Fun and Games**

The global pandemic summoned the age of remote work. As a result, there's been an uptick in employees using personal smartphones and laptops while logging in to company VPNs to perform their job duties. This presents an increasingly high security risk, but organizations that provide managed devices with a zero-trust model in mind, secured VPNs, and connected devices that have undergone certification and testing will avoid potential security breaches.

**Lack of Data-Sharing Across the Industry**

Today's data-sharing efforts across the industry are insufficient and shine a light on a critical aspect of today’s cybersecurity challenges: sharing and making use of information. The time has come for the global industry to unite, collaborate, and embrace a set of baseline security requirements. This includes data sharing, to help build a more secure cybersecurity landscape and, therefore, a safer world. This can be achieved through testing and third-party validation of IoT devices, in addition to fostering a community — a global think tank of security thought leaders — that is tenaciously looking to advance the greater security ecosystem through sharing crucial data and engaging in creative brainstorming.

**Forming a United Front to Fight Cybercrime**

Many in the cybersecurity industry have found themselves at a crossroads: Either continue operating as individual entities, all pining for the same goals, or begin tackling cybercrime head-on as a united front by joining those that have already unified under a harmonized set of security standards.

Further implementing standardized solutions industrywide will not only create additional industry standards, but will also continue to hold companies accountable to those standards. Such security standards and guidelines are centered on compliance, transparency, and visibility. By further cultivating a community in which ideas about security solutions are shared, organizations can be on — or close to — the same page and therefore in a more secure place. Harmonizing standards and solutions brings higher visibility and clarity to the state of security at any given point in time and paints a better picture of what the future holds. Hackers have a harder time keeping up, and, as an added bonus, the industry is able to foster greater transparency with partners and customers.

The Time Is Now for IoT Security Standards

The new open source tools are designed to help defense, identity and access management, and security operations center teams discover vulnerable network shares.

Network shares in Active Directory environments configured with excessive permissions pose serious risks to the enterprise in the form of data exposure, privilege escalation, and ransomware attacks. Two new open source adversary simulation tools PowerHuntShares and PowerHunt help enterprise defenders discover vulnerable network shares and manage the attack surface.

The tools will help defense, identity and access management (IAM), and security operations center (SOC) teams streamline share hunting and remediation of excessive SMB share permissions in Active Directory environments, NetSPI's senior director Scott Sutherland wrote on the company blog. Sutherland developed these tools.

PowerHuntShares inventories, analyzes, and reports excessive privilege assigned to SMB shares on Active Directory domain joined computers. The PowerHuntShares tool addresses the risks of excessive share permissions in Active Directory environments that can lead to data exposure, privilege escalation, and ransomware attacks within enterprise environments.

"PowerHuntShares will inventory SMB share ACLs configured with 'excessive privileges' and highlight 'high risk' ACLs \[access control lists\]," Sutherland wrote.

PowerHunt, a modular threat hunting framework, identifies signs of compromise based on artifacts from common MITRE ATT&CK techniques and detects anomalies and outliers specific to the target environment. The tool automates the collection of artifacts at scale using PowerShell remoting and perform initial analysis. 

Network shares configured with excessive permissions can be exploited in several ways. For example, ransomware can use excessive read permissions on shares to access sensitive data. Since passwords are commonly stored in cleartext, excessive read permissions can lead to remote attacks against databases and other servers if these passwords are uncovered. Excessive write access allows attackers to add, remove, modify, and encrypt files, such as writing a web shell or tampering with executable files to include a persistent backdoor.   

"We can leverage Active Directory to help create an inventory of systems and shares," Sutherland wrote. "Shares configured with excessive permissions can lead to remote code execution (RCE) in a variety of ways, remediation efforts can be expedited through simple data grouping techniques, and malicious share scanning can be detected with a few common event IDs and a little correlation (always easier said than done)."

New Open Source Tools Launched for Adversary Simulation

Threat actors can abuse weaknesses in HTTP request handling to launch damaging browser-based attacks on website users, researcher says.

BLACK HAT USA – LAS VEGAS – A security researcher who previously demonstrated how attackers can abuse weaknesses in the way websites handle HTTP requests warned that the same issues can be used in damaging browser-based attacks against users.  

James Kettle, director of PortSwigger, described his research as shedding new light on so-called desync attacks that exploit disagreements in how a website's back-end and front-end servers interpret HTTP requests. Previously, at Black Hat USA 2019, Kettle showed how attackers could trigger these disagreements — over things like message length, for instance — to route HTTP requests to a back-end component of their choice, steal credentials, and invoke unexpected responses from an application and other malicious actions. Kettle also has previously shown how HTTP/2 implementation errors can put websites at risk of compromise.

Kettle's new research focuses on how threat actors can exploit the same improper HTTP request handling issues to also attack website users and steal credentials, install backdoors, and compromise their systems in other ways. Kettle said he had identified HTTP handling anomalies that enabled such client-side desync attacks on sites such as Amazon.com, those using the AWS Application Load Balancer, Cisco ASA WebVPN, Akamai, Varnish Cache servers, and Apache HTTP Server 2.4.52 and earlier.

The main difference between server-side desync attacks and client-side desync is that the former requires attacker-controlled systems with a reverse proxy front end and at least partly malformed requests, Kettle said in a conversation with Dark Reading following his presentation. A browser-powered attack takes place within the victim's Web browser, using legitimate requests, he said. Kettle showed a proof-of-concept where he was able to store information such as authentication tokens of random users on Amazon in his shopping list as an example of what an attacker would be able to do. Kettle discovered he could have gotten each infected victim on Amazon's site to relaunch the attack to others.

"This would have released a desync worm — a self-replicating attack which exploits victims to infect others with no user interaction, rapidly exploiting every active user on Amazon," Kettle said. Amazon has since fixed the issue.

Cisco opened a CVE for the vulnerability (CVE-2022-20713) after Kettle informed the company about it and described the issue as allowing an unauthenticated, remote attacker to conduct browser-based attacks on website users. "An attacker could exploit this vulnerability by convincing a targeted user to visit a website that can pass malicious requests to an ASA device that has the Clientless SSL VPN feature enabled," the company noted. "A successful exploit could allow the attacker to conduct browser-based attacks, including cross-site scripting attacks, against the targeted user."

Apache identified its HTTP request smuggling vulnerability (CVE-2022-22720) as tied to a failure "to close inbound connection when errors are encountered discarding the request body." Varnish described its vulnerability (CVE-2022-23959) as allowing attackers to inject spurious responses on client connections.

In a whitepaper released today, Kettle said there were two separate scenarios where HTTP handling anomalies could have security implications,

One was first-request validation, where front-end servers that handle HTTP requests use the Host header to identify which back-end component to route each request to. These proxy servers often have a whitelist of hosts that people are allowed to access. What Kettle discovered was that some front-end or proxy servers only use the whitelist for the first request sent over a connection and not for subsequent requests sent over the same connection. So, attackers can abuse this to gain access to a target component by first sending a request to an allowed destination and then following up with a request to their target destination.

Another closely related but far more frequent issue that Kettle encountered stemmed from first-request routing. With first-request routing, the front-end or proxy server looks at the HTTP request's Host header to decide where to route the request to and then routes all subsequent requests from the client down to the same back end. In environments where the Host header is handled in an unsafe way, this presents attackers with an opportunity to target any back-end component to carry out a variety of attacks, Kettle said.

The best way for websites to mitigate client-side desync attacks is to use HTTP/2 end-to-end, Kettle said. It's generally not a good idea to have a front end that supports HTTP/2 and a back end that is HTTP/1.1. "If your company routes employee's traffic through a forward proxy, ensure upstream HTTP/2 is supported and enabled," Kettle advised. "Please note that the use of forward proxies also introduces a range of extra request-smuggling risks beyond the scope of this paper."

Source

DARKReading