Code property graphs and a threat feed powered by artificial narrow intelligence help developers incorporate AppSec into DevOps.

RSA CONFERENCE 2023 – San Francisco – Application security company Qwiet AI has announced a new threat intelligence feed for its real-time code security analysis tool PreZero to help security teams focus on remediating the fixes that will have the most impact on application security.

The data feed, called Blacklight, analyzes information about exploits that are deployed in the wild. Developers can use the data to see which vulnerabilities to address right away and which ones can wait. Just like a physical black light can reveal where that smell is coming from, Blacklight "exposes what you can't see visually," says Qwiet AI CEO Stuart McClure.

Narrowing the scope of patching is vital, considering the sheer volume of vulnerabilities reported. There were 3,239 high-severity vulnerabilities found in 2022, according to NIST's National Vulnerability Database, putting security teams in the position of having to remediate about 10 a day, every calendar day, to fix just the most serious vulnerabilities. But past research has shown that not all vulnerabilities need to be fixed right away. Only 15% of vulnerabilities get loaded into memory, which suggests 85% aren't reachable by an attacker, according to Sysdig. And of those reachable vulnerabilities, even less are exploitable in practice. In 2022 Qwiet AI, then called ShiftLeft, announced that only 3% of open source vulnerabilities were attackable.

The trick, of course, lies in identifying the 3%. PreZero asks a series of questions to whittle down vulnerabilities to a shorter list of those requiring immediate action: Does the application load the package containing the CVE? Is that package in use by the application? Can an attacker reach that package? And how can the developer mitigate the vulnerability?

A survey of PreZero users found that the new threat feed reduces the average cost per finding by nearly 25%, according to the company.

**Putting Artificial Narrow Intelligence to Work**

PreZero builds a deep neural net out of code property graphs (CPGs), which analyze JavaScript — 58 billion lines of it so far, according to McClure. The CPG is made up of three kinds of data graphs: abstract syntax trees that classify code according to syntax, data flow graphs that map variables from input through to the outputs to see how the data changes, and control flow graphs that track who controls the data and what changes are made.

The artificial narrow intelligence system uses those CPGs to build a model of what good code looks like versus vulnerable code, which it then can apply to new code that's entered into the tool.

"We're gonna go through the typical path, which is the code property graph based on these human-written policies, but we're also going to send that same code sample through our AI model and be able to determine if there's an additional vulnerability in there that the humans didn't catch or the signatures didn't catch," McClure says. "And so that's what really differentiates us."

Qwiet AI shared with Dark Reading a screenshot of a report Blacklight generated on Log4j 2.9.1, one of many versions of the logging utility affected by the Log4Shell vulnerability, to demonstrate the kind of information the feed provides. Potentially the most useful section is remediation advice, which counsels, "Users who want to avoid attacker-controlled JNDI lookups but cannot upgrade to 2.16.0 must ensure that no such lookups resolve to attacker-provided data and ensure that the JndiLookup class is not loaded."

"I've spent my time in the trenches," says Bruce Snell, Qwiet AI director of technical and product marketing. "There's something more visceral about attaching an actual exploit or a threat actor to a vulnerability."

Another interesting feature in PreZero is security insights, which flags code that would open the door to vulnerabilities if it were deployed. That's clearly useful for developers trying to write more secure code, but McClure says the security side also benefits from PreZero.

"The AppSec, cybersecurity, and CISOs would use \[PreZero\] to understand the current state of risk to the business, but then developers use it to actually get the line of code that they need to go fix," he says.

**AI Is Good Business**

Competition does abound. For example, Snyk uses AI in vulnerability scanning, as does GitHub — although the Spider Artificial Intelligence Vulnerability Scanner (SAIVS) falls into the machine learning category.

"We've had this skill shortage for as long as I can remember now, and I think it's actually worse on the AppSec side than it is in the InfoSec side," Snell says. "So having this AI that can, instead of trying to find the needle in a haystack, just produce a stack of needles and say, 'Here's the things that you need to deal with' is going to be huge. And it's really going to be the only way I think that the industry can keep up."

Getting away from signatures is something McClure has been working on since he co-founded Cylance, which he sold to BlackBerry for $1.4 billion in 2018; he's been planning out his vision of the future of AI since at least 2016. To demonstrate his hacking philosophy in action, McClure is co-presenting a technical session "Hacking Exposed — Hacking the Sec into DevOps" with Qwiet AI CTO Chetan Conikee on Wednesday April 26 at 1:15 p.m.

Qwiet AI Builds a Neural Net to Catch Coding Vulnerabilities

Deal strengthens ZeroFox's External Cybersecurity Platform with attack surface management (EASM) and threat intelligence capabilities.

**WASHINGTON, April 17, 2023 (GLOBE NEWSWIRE) --** Today, ZeroFox (Nasdaq: ZFOX), an enterprise software-as-a-service leader in external cybersecurity announced a definitive agreement to acquire LookingGlass Cyber Solutions, Inc., a leader in external attack surface management and global threat intelligence. In today's digital-first world, the rapidly expanding external attack surface has become a veritable playground for cybercriminals and nation-state actors alike, posing an ever-growing threat to enterprise and public sector organizations worldwide. Integrating LookingGlass’s industry-leading attack surface and threat intelligence capabilities into the ZeroFox External Cybersecurity Platform will enable our customers to build a robust security posture by providing world-class visibility into external attack surface assets and vulnerabilities, including improved actionable intelligence to disrupt emergent threats.

As organizations embrace digital transformation, the same externally-available digital platforms these organizations use to do business are equally available to malicious actors, creating new opportunities for exploitation. This escalating threat landscape underscores the urgent need for organizations to adopt comprehensive security strategies emphasizing proactive monitoring, continuous assessment, and remediation of their public attack surface vulnerabilities to defend against the mounting challenges of persistent cyber adversaries.

“The acquisition of LookingGlass is a natural extension of our strategy to provide our customers with a single end-to-end platform for protecting their external attack surface from increasingly sophisticated cyberattacks,” said James C. Foster, Chairman and CEO of ZeroFox. “We are bringing together passionate teams that have been partners for years, and proven world-class capabilities across attack surface management, digital risk protection, threat intelligence and breach response to continue our leadership in external cybersecurity.”

With one of the most comprehensive internet-facing attack surface intelligence data lakes, LookingGlass empowers public sector organizations, large enterprises, and industry security alliances at scale by providing extensive discovery, intelligence and cyber defense capabilities. These unique capabilities allow organizations to identify and assess threats in support of remediation strategies against the most sophisticated cyberattacks. The combination of intelligence and action enables some of the world’s largest organizations to inform their security teams about cyber risks ahead of full-fledged attacks.

“The mission at LookingGlass is to protect our customers by providing unmatched attack surface intelligence for global threat visibility and cyberattack disruption,” said Bryan Ware, CEO of LookingGlass. “Joining ZeroFox allows us to expand the capabilities we provide security teams to defend against cybercriminals and nation-state actors.” Ware, a cybersecurity industry veteran, former Assistant Director of CISA at the Department of Homeland Security, the Nation’s cyber defense operations lead, will join the ZeroFox executive team as part of the transaction.

**Transaction Details**

Under the terms of the agreement, ZeroFox will acquire LookingGlass for approximately $26 million, primarily in stock (9.4 million shares), combined with convertible debt and cash, subject to purchase price adjustments and performance earnouts. The acquisition is expected to close within the next 30 days. ZeroFox will provide additional guidance during the Q1 FY24 earnings call.

Stifel Financial Corp. served as exclusive financial advisor to ZeroFox on the transaction.

**Investor Conference Call Information**

ZeroFox will host a conference call to discuss the acquisition today April 17, 2023 at 8:30 a.m. Eastern Time. To access this call via webcast, please use this link: 

**Learn More**

To learn more about ZeroFox solutions, visit our website. Bookmark the ZeroFox Blog to keep up with our expert coverage on the latest in External Cybersecurity.

**About ZeroFox**

ZeroFox (Nasdaq: ZFOX), an enterprise software-as-a-service leader in external cybersecurity, has redefined security outside the corporate perimeter on the internet, where businesses operate, and threat actors thrive. The ZeroFox platform combines advanced AI analytics, digital risk and privacy protection, full-spectrum threat intelligence, and a robust portfolio of breach, incident and takedown response capabilities to expose and disrupt phishing and fraud campaigns, botnet exposures, credential theft, impersonations, data breaches, and physical threats that target your brands, domains, people, and assets. Join thousands of customers, including some of the largest public sector organizations as well as finance, media, technology and retail companies to stay ahead of adversaries and address the entire lifecycle of external cyber risks. ZeroFox and the ZeroFox logo are trademarks or registered trademarks of ZeroFox, Inc. and/or its affiliates in the U.S. and other countries. Visit www.zerofox.com for more information.

**About LookingGlass Cyber Solutions, Inc.**

LookingGlass is the global cybersecurity leader enabling national, industrial, and enterprise-scale decisions with unparalleled, curated intelligence on critical assets, risks, and sectors. For more than a decade, the most advanced organizations in the world have trusted LookingGlass to help them protect their economic and national security interests. Find out how we can help your organization at https://lookingglasscyber.com. 

**Forward-Looking Statements**

Certain statements in this press release are “forward-looking statements” under the Private Securities Litigation Reform Act of 1995. All statements, other than statements of historical fact, that address activities, events or developments that we expect, believe or anticipate will or may occur in the future, including statements related to benefits from the transaction, including expected from revenues and accretiveness of the transaction, and the ability of ZeroFox to achieve its objectives and plans with the acquisition of LookingGlass are forward-looking statements. Forward-looking statements involve risks and uncertainties that could cause actual results to differ materially from those anticipated by these forward-looking statements. The inclusion of any statement in this press release does not constitute an admission by ZeroFox or any other person that the events or circumstances described in such statement are material. These risks and uncertainties include, but are not limited to, the following: our ability to recognize the anticipated benefits of the transaction; the ability of ZeroFox and LookingGlass to consummate the transaction as expected; defects, errors, or vulnerabilities in the ZeroFox platform, the failure of the ZeroFox platform to block malware or prevent a security breach, misuse of the ZeroFox platform, or risks of product liability claims that would harm our reputation and adversely impact our business, operating results, and financial condition; if our enterprise platform offerings do not interoperate with our customers’ network and security infrastructure, or with third-party products, websites or services, our results of operations may be harmed; we may not timely and cost-effectively scale and adapt our existing technology to meet our customers’ performance and other requirements; our ability to introduce new products and solutions and features is dependent on adequate research and development resources and our ability to successfully complete acquisitions; our success depends, in part, on the integrity and scalability of our systems and infrastructure; we rely on third-party cloud providers to host and operate our platform, and any disruption of or interference with our use of these offerings may negatively affect our ability to maintain the performance and reliability of our platform which could cause our business to suffer; we rely on software and services from other parties; we have a history of losses, and we may not be able to achieve or sustain profitability in the future; if organizations do not adopt cloud, and/or SaaS-delivered external cybersecurity solutions that may be based on new and untested security concepts, our ability to grow our business and our results of operations may be adversely affected; we have experienced rapid growth in recent periods, and if we do not manage our future growth, our business and results of operations will be adversely affected; we face intense competition and could lose market share to our competitors, which could adversely affect our business, financial condition, and results of operations; competitive pricing pressure may reduce revenue, gross profits, and adversely affect our financial results; adverse general and industry-specific economic and market conditions and reductions in customer spending, in either the private or public sector, including as a result of inflation and geopolitical uncertainty such as the ongoing conflict between Russia and Ukraine, may reduce demand for our platform or products and solutions, which could harm our business, financial condition and results of operations; the COVID-19 pandemic could adversely affect our business, operating results, and financial condition; if we fail to adapt to rapid technological change, evolving industry standards and changing customer needs, requirements or preferences, our ability to remain competitive could be impaired; one U.S. government customer accounts for a substantial portion of our revenues; and we rely heavily on the services of our senior management team.

Additional information concerning these, and other risks, is described under the “Risk Factors,” “Management’s Discussion and Analysis of Financial Condition and Results of Operations of ZeroFox”, and “Management’s Discussion and Analysis of Financial Condition and Results of Operations of IDX” sections of our final prospectus filed with the Securities and Exchange Commission (the “SEC”) pursuant to Rule 424(b) under the Securities Act of 1933 on April 12, 2023, in connection with our registration statement on Form S-1 and in subsequent reports that we file with the SEC. We expressly disclaim any obligation to update any of these forward-looking statements, except to the extent required by applicable law.

ZeroFox to Acquire LookingGlass, Broadening Global Attack Surface Intelligence Capabilities

Consider adding some security-through-obscurity tactics to your organization's protection arsenal to boost protection. Mask your attack surface behind additional zero-trust layers to remove AI's predictive advantage.

If you read articles about how threat actors can use artificial intelligence (AI), you've probably noticed they fall into two categories: improving deception capabilities and automating malicious coding.

The first case argues that generative AI using large language models (LLMs) can create phishing and smishing lures that are more believable (registration required). Given that 90% of successful cyberattacks begin with phishing, AI improving deceptive lures is cause for major concern. Imagine the convincing communications the new GPT-4 model, which hired people to solve Captcha challenges for it, might write.

The second topic, AI writing malware (which it has done), strikes me as less disturbing. In this case, experts argue that LLMs may write polymorphic malware or make it easier for less-skilled adversaries to create malicious code. However, we live in a world where over 450,000 new variants of malware and potentially unwanted applications (PUAs) are registered every day. It's hard to see how low-skilled users adding to that number would significantly change the threatscape. Simply creating more malware is an easily automated task. AI must create better malware to pose a greater threat.

**Adversarial AI Threat Potential**

I think the threat potential of adversarial AI is far greater than today's double whammy of _better phishing_ and _more malware_. Take a moment to put on your threat actor hat and envision what malicious AI might soon achieve. What tools do adversaries typically use, and can well-trained AI improve their effectiveness?

**Training AI to Hack**

Consider the untapped AI training potential of vulnerability scanning tools such as Acunetix or exploitation frameworks such as Metasploit. These tools automate the reconnaissance and exploitation stages of the cyber kill chain. Today, these tools require human guidance and direction. Advanced persistent threats (APTs) using them to target organizations are focused on the environment of a single victim. The tools do much of the lifting, but people must interpret the results and react accordingly. What if these programs simply supplied their information to a larger data lake for AI to ingest?

We can see how LLMs use massive data sets to create effective, generative AI. The GPT-3 model is advanced enough to predict syllable and word combinations, then construct seemingly intelligent responses to queries. AI can write an essay, haiku, or report on any topic with a simple prompt. Of course, the model doesn't actually know what it's saying. It has simply trained on language data long enough to accurately predict which word should come next in a response.

Imagine an AI that trains on security exploitation as deeply as LLMs train on language. Picture an AI training on all known CVEs, the NIST Cybersecurity Framework, and the OWASP Top 10 as part of its core data set. To truly make this AI dangerous, it should also train on data lakes generated by popular hacking tools. For example, use Nmap for a few million networks and train the AI to recognize correlations between open ports, OS versions, and domains. Run Nessus vulnerability scans in thousands of environments and feed the results to the AI to "learn" patterns of enterprise security flaws. This approach may be beyond the reach of small-time hackers but is certainly within the grasp of state-sponsored threat groups and governments.

Once this malicious AI is well-trained, it may predict vulnerable software and hardware combinations as accurately as ChatGPT chooses words. It may scan an environment, detect several problems, and return a ranked list of possible exploitation techniques. Or it could compromise the environment, then hand access over to threat actors. While better phishing and more malware present immediate problems, they are negligible compared with the potential dangers of a fully weaponized AI.

**Security Through Obscurity**

Fortunately, organizations can mitigate much of the threat posed by malicious AIs by hiding business infrastructure. As defined by Gartner, zero-trust network access (ZTNA) solutions offer a resilient defense. Think of a cloud-based zero-trust environment as a proxy between users and business resources. Using this configuration, apps, data, and services are hosted on a network separate from users. To access business resources, users must go through an app connector that performs extensive identity analysis. Once a user passes identity and context verifications, the proxy architecture connects them directly to the resource in the cloud.

It's important to note that users are never granted access to the network that hosts the apps, data, and services. They're only connected to the single resource requested in the verified transaction. This approach hides the rest of the network infrastructure and available resources from the secured session. There is no opportunity for an initiator to perform lateral movement, or larger reconnaissance of the environment.

This approach hamstrings adversarial AI trained to discover vulnerabilities in an enterprise environment. With business infrastructure hidden behind a secure cloud-proxy service, the AI cannot see the environment, or know what is exploitable. The AIs ability to find exploitation opportunities relies upon it having an extensive overview of the hardware and software running the business infrastructure.

What about users? An adversarial AI may crack an individual endpoint, such as a laptop or home router. However, controlling these devices does little to offer AI access to the larger business environment. Compromised devices and identities must still pass context analysis before connecting to resources. Access requests will be denied if they come at an odd time or display other suspicious features. If the AI can reasonably mimic a legitimate request from a compromised identity, it is limited to accessing the handful of resources available to that user.

This identity-level ZTNA approach to access eliminates much of an organization's attack surface and minimizes the danger of what remains — moving organizational infrastructure behind a cloud-based zero trust exchange strips adversarial AI of its predictive and knowledge-based advantage. Organizations can achieve security through obscurity by hiding everything malicious AI knows how to exploit.

Cybersecurity Survival: Hide From Adversarial AI

As email attackers move to more targeted and sophisticated attacks, email security needs to understand the organization, not past attacks, to keep up with attacker innovation and stop novel threats on the first encounter.

In an evolving threat landscape email remains the primary target for cyberattacks, and traditional methods of email security are no longer adequate. Solutions that rely on historical attack data can only catch what they've seen before and remain inevitably on the back foot, racing to match the pace of innovation of cybercriminals — in fact, they take an average of 13 days to recognize novel attacks.\*

**An Escalating Threat Landscape**

Phishing attacks are advancing in frequency and sophistication as attackers experiment with two key ingredients: malware delivery and social engineering. Regarding delivery, there is a surge in cybercriminals "hitching a ride" off legitimate infrastructure like OneDrive and SharePoint to conceal malware, exploiting their trusted reputations to bypass security tools. On the human side, attackers are using generative AI technologies to impersonate trusted contacts — including damaging business email compromises and realistic spear-phishing. Worryingly, Darktrace found that the average linguistic complexity of phishing emails has increased by 17% since the release of ChatGPT.  

These trends demonstrate a shift in the attack landscape: from high-frequency, low-impact, generic phishing tactics to more targeted, sophisticated, and higher-impact attacks that can evade security tools relying on rules and signatures.

    

Figure 1: The progression of attacks and relative coverage of email security tools.

What's more, email security for the digital age needs to stretch beyond the inbox, for a full picture of every user across their email, account, and apps. Effectively, tools that only focus on blocking known threats from the inbox are no longer enough.

**The Industry Picture**

Traditional gateways and many modern integrated cloud email security (ICES) providers have something in common: They look to previous threat intelligence in order to predict the next attack. Some newer vendors apply AI to this flawed approach, looking for direct matches and using "data augmentation" to identify similar-looking emails. Despite leveraging AI, this approach is still historically focused and therefore blind to novel threats.

These tools are also resource-intensive, requiring continuous policy maintenance and manual triage of held-but-legitimate emails. The stage is set for email security that autonomously separates bad from good and continuously adapts to every organization — technology that fits the definition of "set and forget".

**The Shift Toward Behavioral AI**

The industry is experiencing a seismic shift from "secure" email gateways to intelligent AI-driven approaches.

Only a complex understanding of each employee's everyday interactions can accurately determine whether or not an email belongs in their inbox. This approach understands behaviors — how each person uses their inbox and what constitutes 'normal' for each user — in order to detect what's not normal.

Within the threat landscape, this approach builds on native email security to tackle the high-level attacks that use novel or seemingly legitimate infrastructure.

    

Figure 2: Native email security plus AI covers more types of attacks.

Full confidence in detection allows for a precise and targeted response — action that removes only the riskiest parts of an email rather than taking a blanket ban out of caution — to minimize risk without disrupting normal business operations.

**A Full Picture for Every User**

Existing email tools focus solely on inbound email, which doesn't take into consideration the significant potential damage of an account compromise. Today's email security can't be limited to the inbox alone — it needs to comprise a full understanding of a user's behavior across email and beyond.

To have complete context of a single user, it's crucial to understand their activity on apps, networks, and devices for a full-picture view of identity-based attacks. Understanding a user in the context of their organization — including network, cloud, and endpoint data — connects email security with the enterprise and external attack surface for a richer picture of potential attacks.

**Bringing the End User Into the Loop**

In the digital age, security is everyone's responsibility. Email security needs to educate and engage employees at the right level, giving them the context they need to make the right decisions, without overwhelming them or giving them too much control.

The tools that succeed best will be those that can leverage AI to improve employees' security consciousness — with contextual banners, explainable digests, and bespoke actions to neutralize risky elements — bringing the end user into the loop to harden defenses. By empowering employees with information, while still leaving critical decisions to the security team, organizations can further strengthen their security posture, while lifting security teams out of firefighting mode towards higher-level more strategic decision-making .

The new frontline of email security fights cybercrime with intelligent AI, and organizations that fail to get ahead of the curve may end up paying the price. For CISOs, the question is not if they should upgrade their email protections, but when – how much longer can they risk depending on email security that's stuck in the past?

**About the Author**

    

As VP of Product at Darktrace, Dan Fein has helped customers quickly achieve a complete and granular understanding of Darktrace's product suite. Dan has a particular focus on Darktrace email, ensuring that it is effectively deployed in complex digital environments, and works closely with the development, marketing, sales, and technical teams. Dan holds a bachelor's degree in computer science from New York University.

\*Thirteeen days mean average of phishing payloads active in the wild between the response of Darktrace/email compared to the earliest of 16 independent feeds submitted by other email security technologies. (https://darktrace.com/news/darktrace-email-defends-organizations-against-evolving-cyber-threat-landscape)

The New Frontier in Email Security: Goodbye, Gateways; Hello, Behavioral AI

The Russian-speaking threat actor behind a backdoor known as Tomiris is primarily focused on gathering intelligence in Central Asia, fresh findings from Kaspersky reveal.
"Tomiris's endgame consistently appears to be the regular theft of internal documents," security researchers Pierre Delcher and Ivan Kwiatkowski said in an analysis published today. "The threat actor targets government and

The Russian-speaking threat actor behind a backdoor known as Tomiris is primarily focused on gathering intelligence in Central Asia, fresh findings from Kaspersky reveal.

"Tomiris's endgame consistently appears to be the regular theft of internal documents," security researchers Pierre Delcher and Ivan Kwiatkowski said in an analysis published today. "The threat actor targets government and diplomatic entities in the CIS."

The Russian cybersecurity firm's latest assessment is based on three new attack campaigns mounted by the hacking crew between 2021 and 2023.

Tomiris first came to light in September 2021 when Kaspersky highlighted its potential connections to Nobelium (aka APT29, Cozy Bear, or Midnight Blizzard), the Russian nation-state group behind the SolarWinds supply chain attack.

Similarities have also been unearthed between the backdoor and another malware strain dubbed Kazuar, which is attributed to the Turla group (aka Krypton, Secret Blizzard, Venomous Bear, or Uroburos).

Spear-phishing attacks mounted by the group have leveraged a "polyglot toolset" comprising a variety of low-sophistication "burner" implants that are coded in different programming languages and repeatedly deployed against the same targets.

Besides using open source or commercially available offensive tools, the custom malware arsenal used by the group falls into one of the three categories: downloaders, backdoors, and information stealers -

*   **Telemiris** - A Python backdoor that uses Telegram as a command-and-control (C2) channel.
*   **Roopy** - A Pascal-based file stealer that's designed to hoover files of interest every 40-80 minutes and exfiltrate them to a remote server.
*   **JLORAT** - A file stealer written in Rust that gathers system information, runs commands issued by the C2 server, upload and download files, and capture screenshots.

Kaspersky's investigation of the attacks has further identified overlaps with a Turla cluster tracked by Google-owned Mandiant under the name UNC4210, uncovering that the QUIETCANARY (aka TunnusSched) implant had been deployed against a government target in the CIS by means of Telemiris.

"More precisely, on September 13, 2022, around 05:40 UTC, an operator attempted to deploy several known Tomiris implants via Telemiris: first a Python Meterpreter loader, then JLORAT and Roopy," the researchers explained.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

"These efforts were thwarted by security products, which led the attacker to make repeated attempts, from various locations on the filesystem. All these attempts ended in failure. After a one-hour pause, the operator tried again at 07:19 UTC, this time using a TunnusSched/QUIETCANARY sample. The TunnusSched sample was blocked as well."

That said, despite the potential ties between the two groups, Tomiris is said to be separate from Turla owing to differences in their targeting and tradecrafts, once again raising the possibility of a false flag operation.

On the other hand, it's also highly probable that Turla and Tomiris collaborate on select operations or that both the actors rely on a common software provider, as exemplified by Russian military intelligence agencies' use of tools supplied by a Moscow-based IT contractor named NTC Vulkan.

"Overall, Tomiris is a very agile and determined actor, open to experimentation," the researchers said, adding "there exists a form of deliberate cooperation between Tomiris and Turla."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering

Is Elon Musk's "maximum truth-seeking AI" achievable? Overcoming bias in artificial technologies is crucial for cybersecurity, but doing it could be a challenge.

Concerns over bias in emerging artificial intelligence (AI) tools received a fresh airing recently when billionaire Elon Musk talked about his plans to create a "maximum truth-seeking AI" as an alternative to OpenAI's Microsoft-backed ChatGPT and Google's Bard technologies. 

In an interview with Fox News' Tucker Carlson earlier this month, Musk expressed concern over what he described as ChatGPT being trained to lie and to be politically correct, among other things. He described a so-called "TruthGPT" as a third option that would be unlikely "annihilate humans," and would offer the "best path to safety" compared with the other generative AI tools.

Musk has offered no timetable for his planned chatbot. But he has already established a new AI firm called X.AI, and has reportedly begun hiring AI staff from ChatGPT creator OpenAI as well as from Google and its parent, Alphabet.

Meanwhile, of course, AI bias affects cybersecurity risk as well. 

**Surfacing a Familiar Concern**

Musk's comments to Carlson echoed some of the sentiments that he and hundreds of other tech leaders, ethicists, and academicians expressed in an open letter to AI companies in March. The letter urged organizations involved in AI research and development to pause their work for at least six months, so policymakers have an opportunity to put some guardrails around the use of the technology. In making their argument, Musk and the others pointed to the potential for biased AI tools flooding "our information channels with propaganda and untruth" as one of their main concerns.

Suzannah Hicks, data strategist and scientist at the International Association of Privacy Professionals (IAPP) says the fundamental problem with bias in AI and machine learning is that it stems from human decision-making. All AI models learn from extremely large data sets and are not programmed explicitly to respond in specific ways. Typically, bias happens in the data that humans choose to input into the model.

"If biased data is entered into the model, then the output will likely contain bias as well," Hicks says. "Bias can also be introduced through data omission or by data scientists choosing a variable as a proxy for something other than what the data element is," she says. As an example, Hicks points to a machine learning algorithm that might take the number of "clicks" a user makes when browsing Netflix as a proxy for a positive indicator. "I may be clicking on movies to read their description and decide I don’t like it, but the model may misinterpret the click as an indicator of a 'like,'" she says.

Similarly, a lending service that uses AI to determine credit eligibility might end up denying a disproportionately high number of loans to people in a high-crime ZIP code if the ZIP code was part of the data set in the AI tool's learning model. "In this case, the ZIP code is being used as a proxy for human behavior, and by doing so produces a biased result," Hicks says.

Andrew Barratt, vice president at Coalfire, says his own testing of a text-to-image generation tool provided one example of the bias that exists in emerging AI technologies. When he asked the tool to generate a photorealistic image of a happy man enjoying the sun, the tool only generated Caucasian skin tones and features, though the input he provided contained no racial context. He says one concern going forward is that providers of AI platforms seeking to monetize their technologies could introduce bias into their models in a way that is favorable to advertisers or platform providers.

Whenever you monetize a service, you typically want to maximize the monetization potential with any further evolution of that service, says Krishna Vishnubhotla, vice president of product strategy at Zimperium. Often that evolution can start deviating from the original goals or evolution path — a concern that Musk vocalized about ChatGPT in his interview with Carlson. "Herein lies the issue that Elon talks about," Vishnubhotla says.

**Cybersecurity Bias in Artificial Intelligence**

While Musk et al didn't specifically call out the implications of AI bias on cybersecurity, that's been a topic for some time, and it's worth revisiting in the era of ChatGPT. As Aarti Borkar, a former IBM and Microsoft executive and now with a venture capital fund, noted in a groundbreaking column for Fast Company in 2019, with AI becoming a prime security tool, bias is a form of risk.

"When AI models are based on false security assumptions or unconscious biases, they do more than threaten a company’s security posture," Borkar wrote. "AI that is tuned to qualify benign or malicious network traffic based on non-security factors can miss threats, allowing them to waltz into an organization’s network. It can also over-block network traffic, barring what might be business-critical communications."

With ChatGPT being enthusiastically introduced into cybersecurity products, the risk of faulty hidden bias could contribute even more to false positives, abuse of privacy, and cyber defense that has gaping holes. And to boot, cybercriminals could also poison the AI to influence security outcomes.

"If the AI were to be hacked and manipulated to provide information that’s seemingly objective but is actually well-cloaked biased information or a distorted perspective, then the AI could become a dangerous … machine," according to the Harvard Business Review.

So the question becomes whether there really can be completely unbiased AI, and what it would take to get there.

**Eliminating Bias in AI**

The first step to eliminating data bias is to understand the potential for it in AI and machine learning, Hicks says. This means understanding how and what data variables get included in a model.

Many so-called "black-box" models, such as neural networks and decision trees, are designed to independently learn patterns and make decisions based on their data sets. They don't require the user or even the developer to fully understand how it might have arrived at a particular conclusion, she says. 

"AI and machine leaning rely on black-box models a great deal, because they can handle vast amounts of data and produce very accurate results," Hicks notes. "But it’s important to remember they are exactly that — black boxes — and we have no understanding of how they come to the result provided."

The authors of a World Economic Forum blog post last October argued that open source data science (OSDS) — where stakeholders collaborate in a transparent way — might be one way to counter bias in AI. Just as open source software transformed software, OSDS can open up the data and models that AI tools use, the authors said. When data and AI models are open, data scientists would have an opportunity to "identify bugs and inefficiencies, and create alternate models that prioritize various metrics for different use cases," they wrote.

**The EU's Proposed AI Risk Classification Path**

The European Union's proposed Artificial Intelligence Act is taking another approach. It calls for an AI classification system in which AI tools are classified based on the level of risk they present to health, safety, and an individual's fundamental rights. AI technologies that present an unacceptably high risk, such as real-time biometrics ID systems, would be banned. Those deemed as presenting limited or minimal risk, such as video games and spam filters, would be subject to some basic oversight. High-risk AI projects, such as autonomous vehicles, would be subject to rigorous testing requirements and show evidence of adherence to specific data quality standards. Generative AI tools such as ChatGPT would be subject to some of these requirements as well.

**The NIST Approach**

In the US, the National Institute of Standards and Technology (NIST) has recommended that stakeholders broaden the scope of where they look when searching for sources of bias in AI. In addition to machine learning processes and the data used in training AI tools, the industry should consider the societal and human factors, NIST said in a special publication on the need for standards to identify and manage bias in AI. 

"Bias is neither new nor unique to AI and it is not possible to achieve zero risk of bias in an AI system," NIST noted. To mitigate some of the risk, NIST will develop standards for "identifying, understanding, measuring, managing, and reducing bias."

Rethinking Safer AI: Can There Really Be a 'TruthGPT'?

With 60% of organizations taking more than four days to resolve cybersecurity issues, Unit 42’s Global Incident Response Service dramatically reduces time to remediate threats.

**SANTA CLARA, Calif., April 24, 2023 –** Palo Alto Networks (NASDAQ: PANW), the global cybersecurity leader, today announced the expansion of its Unit 42 Digital Forensics and Incident Response Service. The Global Digital Forensics and Incident Response service combines depth of incident response experience with the breadth of AI-powered solutions, including Cortex® XDR® and XpanseTM, and Prisma® Cloud, to equip enterprises to respond immediately and recover faster than most any digital forensics and incident response (DFIR) service in the market.

To help organizations better respond to complex threats, Palo Alto Networks’ unique knowledge of security and a deep understanding of advanced attacker behavior enables Unit 42 to undertake a rigorous investigation with rapid response. According to Wendi Whitmore, senior vice president of Palo Alto Networks Unit 42, “No other security vendor in the industry can match Palo Alto Networks’ telemetry or our breadth of products to stop attacks in real-time. We analyze data from thousands of customers globally, generating over 500 billion daily events. This massive dataset enables responders to contextualize threats and respond effectively. Coupled with our expertise in cloud threats, SOC automation, and network security, this advanced intelligence helps companies recover and emerge stronger than before.”

Unit 42 specializes in cyber DFIR and responds to thousands of customer events annually from ransomware incidents to the rising cloud attacks. Backed by a global team of incident responders, threat intelligence experts, and consultants, Unit 42 has handled some of the largest data breaches in history.

According to the recent Unit 42 Cloud Threat report, more than 60% of organizations take over four days to resolve security issues, while threat actors typically exploit a misconfiguration or vulnerability within hours. Unit 42 recently engaged with a large enterprise customer after a zero-day vulnerability allowed an authentication bypass and remote code execution (RCE) exploit. The threat actor leveraged the vulnerability to drop web shells and launch a crypto miner onto the client's unpatched CRM system hosted on a popular cloud service provider (CSP). Through unauthorized access, the threat actor stole a CSP credential that provided access to sensitive databases, which they made publicly available on the Internet. As part of the investigation, Unit 42 leveraged Cortex XDR to ingest the CSP CloudTrail logs for rapid threat hunting and analysis and Prisma Cloud to assess the client's CSP environment. Using Prisma Cloud, Unit 42 assisted the client in remediating the CSP misconfigurations and implementing security best practices during the incident, in real-time, improving their security posture overall.

**The Unit 42 Digital Forensics and Incident Response Service includes:**

*   Assessments: To evaluate and test controls against real-world threats proactively, Unit 42 offers many assessments, including compromise assessments, ransomware readiness assessments, attack surface assessments, and more. 
*   IR Preparedness: Helping organizations pressure test technical controls, network security, response playbooks, and more. Services include Penetration Testing, Purple Teaming and Tabletop exercises. 
*   Incident Response: Quickly jumpstart an intelligence-led investigation, deploying Palo Alto Networks tools within minutes to contain threats and gather the evidence needed to analyze an incident fully. Unit 42 IR services include cloud incident response, expert malware analysis, and ransomware investigation. 
*   Managed Threat Hunting: Offers round-the-clock monitoring from Unit 42 experts to discover attacks anywhere in an organization. Threat hunters work on an organization’s behalf to discover advanced threats, such as state-sponsored attackers, cybercriminals, malicious insiders, and malware. 
*    Managed Detection and Response: Combines Cortex XDR with Unit 42's industry-leading threat intelligence to offer continuous 24/7 threat detection, investigation and response.

In the Forrester Wave™: Cybersecurity Incident Response Services, Q1 2022 Forrester noted that organizations “…seeking support in preparing for and responding to incidents in sprawling cloud environments should look at Palo Alto Networks.” 

**About Unit 42** 

Palo Alto Networks Unit 42 brings together world-renowned threat researchers, elite incident responders, and expert security consultants to create an intelligence-driven, response-ready organization passionate about helping you proactively manage cyber risk. Together, our team serves as your trusted advisor to help assess and test your security controls against the right threats, transform your security strategy with a threat-informed approach, and respond to incidents in record time so that you get back to business faster. 

Approved by Cybersecurity Insurance Plans Unit 42 is on the approved vendor panel of more than 70 major cybersecurity insurance carriers. If you need to use Unit 42 services in connection with a cyber insurance claim, Unit 42 can honor any applicable preferred panel rate in place with the insurance carrier. For the panel rate to apply, just inform Unit 42 at the time of the request for service. 

Under Attack? Get in touch with the Unit 42 Incident Response team at start.paloaltonetworks.com/contact-unit42.html or call North America Toll-Free: 866.486.4842 (866.4.UNIT42), EMEA: +31.20.299.3130, UK: +44.20.3743.3660, APAC: +65.6983.8730, or Japan: +81.50.1790.0200. 

Follow Palo Alto Networks on Twitter, LinkedIn, Facebook and Instagram. 

**About Palo Alto Networks** 

Palo Alto Networks is the world’s cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we’re committed to helping ensure each day is safer than the one before. It’s what makes us the cybersecurity partner of choice. 

At Palo Alto Networks, we’re committed to bringing together the very best people in service of our mission, so we’re also proud to be the cybersecurity workplace of choice, recognized among Newsweek’s Most Loved Workplaces (2021 and 2022), Comparably Best Companies for Diversity (2021), and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com. 

Palo Alto Networks, Cortex, Cortex XDR, Cortex Xpanse, Prisma Cloud, Unit 42 and the Palo Alto Networks logo are trademarks of Palo Alto Networks, Inc. in the United States and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available.

Palo Alto Networks Takes Aim At Cyberattacks With the Expansion of Unit 42's Digital Forensics & Incident Response Service Globally

Powered by Cribl, a CrowdStrike Falcon Fund partner, and available to CrowdStrike Falcon platform customers.

**AUSTIN, Texas and RSA Conference 2023, SAN FRANCISCO, April 24, 2023** – CrowdStrike (Nasdaq: CRWD) today introduced CrowdStream, powered by open observability company Cribl, which transforms how customers can get any data, from any security or IT source, directly into the CrowdStrike Falcon platform to solve XDR, log management and AI-based analytics challenges in a rapid, cost effective way.

Organizations struggle to get the complete visibility across the security and IT data sources needed to effectively stop increasingly sophisticated adversaries as they move across attack surfaces to breach organizations. Collecting and routing this siloed data is creating a heavy burden of complexity and cost, especially as data volumes continue to exponentially grow across ever-multiplying data sources.

CrowdStream is a new native platform capability that directly connects any data source into the CrowdStrike Falcon platform using Cribl’s observability pipeline technology. By sitting between data sources and their destination, CrowdStream provides an elegant and cost-effective way to get data into the CrowdStrike Falcon platform to greatly accelerate the adoption of XDR and log management, as well as aggregating the required data to train advanced AI/ML models.

CrowdStream transforms an organization’s ability to unify siloed security and IT data by:

• **Easily connect and rout****e** data from any source into the CrowdStrike Falcon platform, accelerating the adoption of XDR and log management by minimizing the complexity and cost of onoboarding data sources.

• **Unify data within the CrowdStrike Falcon platform for insights** and near-instant search at petabyte scale to provide the rich visibility and aggregated telemetry needed to eliminate threats, run deep analytics and hunt for adversaries.

• **Cut log management costs** by sending the right data (and only the right data) to a modern log management solution such as CrowdStrike Falcon LogScale. Recently, a large financial institution switched to CrowdStrike Falcon LogScale and saved at least $5 million dollars over three years in infrastructure and licensing costs.

• **Consolidate** point products by centralizing and normalizing data within the CrowdStrike Falcon platform to continuously address new security and IT use cases with fully integrated capabilities built on a unified data model.

“Cybersecurity is ultimately a data problem. Today’s adversary techniques are growing more sophisticated including the use of initial access, lateral movement, privilege escalation, defense evasion and data extortion. However, organizations are still struggling to effectively and efficiently collect the right data from a variety of security and IT point products they deploy to root out and shut down threats from adversaries,” said Michael Sentonas, president at CrowdStrike. “For organizations to stay ahead of these threats, it is imperative they have real-time visibility and data at their fingertips. We see the CrowdStream technology as a game-changer that significantly improves our customer’s ability to get the right data, from any source, directly into the CrowdStrike Falcon platform to solve the hardest security and IT challenges in an elegant, cost-effective way.”

“Cribl is a proud CrowdStrike Falcon Fund partner, as we were one of CrowdStrike’s first investments. We see this expanded strategic partnership with CrowdStrike as another step to solving the massive data problem that cybersecurity teams face today,” said Clint Sharp, co-founder and CEO, Cribl. “By making the process of data collection for the CrowdStrike Falcon platform easier, CrowdStream will revolutionize the way that organizations quickly gain value from XDR and log management.”

**Additional Resources**

• For more information on CrowdStream, please visit the CrowdStrike blog and Cribl website.

**About Cribl**

Cribl makes open observability a reality for today’s tech professionals. The Cribl product suite defies data gravity with radical levels of choice and control. Wherever the data comes from, wherever it needs to go, Cribl delivers the freedom and flexibility to make choices, not compromises. It’s enterprise software that doesn’t suck, enables tech professionals to do what they need to do, and gives them the ability to say “Yes.” With Cribl, companies have the power to control their data, get more out of existing investments, and shape the observability future. Founded in 2017, Cribl is a remote-first company with an office in San Francisco, CA. For more information, visit www.cribl.io or our LinkedIn, Twitter, or Slack community.

**About CrowdStrike**

CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with one of the world’s most advanced cloud-native platforms for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.

Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.

CrowdStrike: We stop breaches.

CrowdStrike Introduces CrowdStream to Accelerate and Simplify XDR Adoption

Categories: Podcast
This week on Lock and Code, we speak with Courtney Brown about a mental health nonprofit's use of AI to speak to people suffering emotional distress. 



(Read more...)




The post Removing the human: When should AI be used in emotional crisis? Lock and Code S03E09 appeared first on Malwarebytes Labs.

In January, a mental health nonprofit admitted that it had used Artificial Intelligence to help talk to people in distress. 

Prompted first by a user's longing for personal improvement—and the difficulties involved in that journey—the AI tool generated a reply, which, with human intervention, could be sent verbatim in a chat box, or edited and fine-tuned to better fit the situation. The AI said:

“I hear you. You’re trying to become a better person and it’s not easy. It’s hard to make changes in our lives, especially when we’re trying to do it alone. But you’re not alone. There are people here who care about you and want to help you. I’m proud of you for making the decision to try to improve your life. It takes a lot of courage and strength. I send you love and support as you go through this journey.”

This was experimental work from Koko, a mental health nonprofit that integrated the GPT-3 large language model into its product for a short period of time that is now over. In a video demonstration posted on Twitter earlier this year, Koko co-founder Rob Morris revealed that the nonprofit had used AI to provide "mental health support to about 4,000 people" across "about 30,000 messages." Though Koko pulled GPT-3 from its system after a reportedly short period of time, Morris said on Twitter that there are several questions left from the experience. 

"The implications here are poorly understood," Morris said. "Would people eventually seek emotional support from machines, rather than friends and family?"

Today, on the Lock and Code podcast with host David Ruiz, we speak with Courtney Brown, a social services administrator with a history in research and suicidology, to dig into the ethics, feasibility, and potential consequences of relying increasingly on AI tools to help people in distress. For Brown, the immediate implications draw up several concerns. 

> "It disturbed me to see AI using 'I care about you,' or 'I'm concerned,' or 'I'm proud of you.' That made me feel sick to my stomach. And I think it was partially because these are the things that I say, and it's partially because I think that they're going to lose power as a form of connecting to another human."

But, importantly, Brown is not the only voice in today's podcast with experience in crisis support. For six years and across 1,000 hours, Ruiz volunteered on his local suicide prevention hotline. He, too, has a background to share. 

Tune in today as Ruiz and Brown explore the boundaries for deploying AI on people suffering from emotional distress, whether the "support" offered by any AI will be as helpful and genuine as that of a human, and, importantly, whether they are simply afraid of having AI encroach on the most human experiences. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Removing the human: When should AI be used in emotional crisis? Lock and Code S03E09

Print management software provider PaperCut said that it has "evidence to suggest that unpatched servers are being exploited in the wild," citing two vulnerability reports from cybersecurity company Trend Micro.
"PaperCut has conducted analysis on all customer reports, and the earliest signature of suspicious activity on a customer server potentially linked to this vulnerability is 14th April 01

Threat Intel / Cyber Attack

Print management software provider PaperCut said that it has "evidence to suggest that unpatched servers are being exploited in the wild," citing two vulnerability reports from cybersecurity company Trend Micro.

"PaperCut has conducted analysis on all customer reports, and the earliest signature of suspicious activity on a customer server potentially linked to this vulnerability is 14th April 01:29 AEST / 13th April 15:29 UTC," it further added.

The update comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical flaw (CVE-2023-27350, CVSS score - 9.8) to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

Cybersecurity company Huntress, which found about 1,800 publicly exposed PaperCut servers, said it observed PowerShell commands being spawned from PaperCut software to install remote management and maintenance (RMM) software like Atera and Syncro for persistent access and code execution on the infected hosts.

Additional infrastructure analysis has revealed the domain hosting the tools – windowservicecemter\[.\]com – was registered on April 12, 2023, also hosting malware like TrueBot, although the company said it did not directly detect the deployment of the downloader.

TrueBot is attributed to a Russian criminal entity known as Silence, which in turn has historical links with Evil Corp and its overlapping cluster TA505, the latter of which has facilitated the distribution of Cl0p ransomware in the past.

"While the ultimate goal of the current activity leveraging PaperCut's software is unknown, these links (albeit somewhat circumstantial) to a known ransomware entity are concerning," Huntress researchers said.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

"Potentially, the access gained through PaperCut exploitation could be used as a foothold leading to follow-on movement within the victim network, and ultimately ransomware deployment."

Users are recommended to upgrade to the fixed versions of PaperCut MF and NG (20.1.7, 21.2.11, and 22.0.9) as soon as possible, regardless of whether the server is "available to external or internal connections," to mitigate potential risks.

Customers who are unable to upgrade to a security patch are advised to lock down network access to the servers by blocking all inbound traffic from external IPs and limiting IP addresses to only those belonging to verified site servers.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel