InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
This attack method can help attackers surpass all barriers to exploit side channels, which so far were not possible.
This ground-breaking method can help adversaries extract encryption keys from a device simply by analyzing the video footage of its power LED.
The cybersecurity researchers from the Ben-Gurion University of the Negev and Cornell University have revealed how a side-channel attack targeting a smart card reader’s power LED can recover encryption keys.
This ground-breaking method can help adversaries extract encryption keys from a device simply by analyzing the video footage of its power LED. This happened because the CPU’s cryptographic computations can change the power consumption of a device and impact the brightness of its power LED.
This ingenious attack method leverages the connection between a device’s power consumption and the brightness of its power LED. Adversaries can obtain secret keys from the RGB values as the LED’s brightness changes when the CPU performs cryptographic operations.
They exploited the flickering of the power LED during this operation and used their understanding of the card reader’s inner workings to decode the keys and gain access.
The team conducted two side-channel cryptanalytic timing attacks using this video-based cryptanalysis method. After examining the video footage of the power LED, they recovered a 256-bit ECDSA key from the smart card using a compromised internet-connected security camera. They placed the camera at a distance of 16 meters from the smart card reader.
Next, they recovered a 378-bit SIKE key from a Samsung Galaxy S8 by analyzing the video footage of the power LED of Logitech Z120 USB speakers connected to the USB hub they used to charge the Galaxy S8.
“This is caused by the fact that the power LED is connected directly to the power line of the electrical circuit, which lacks effective means (e.g., filters, voltage stabilizers) of decoupling the correlation with the power consumption,” researchers explained in their report.
But, this technique is not as simple as it seems because merely observing the LED with a camera cannot help recover security keys, even if the frame rate is considerably high. To record the rapid changes in an LED’s brightness using a standard webcam or smartphone camera, turning on the rolling shutter effect is essential, as this is when camera sensors start recording images line by line.
In a regular setting, the camera will record the entire image sensor. Using the same technique, attackers can exploit the video camera of an internet-connected security camera or even an iPhone 13 camera to obtain cryptographic keys. Cybersecurity researchers have shown concerns as this attack method will help attackers surpass all barriers to exploit side channels, which so far were not possible. The method’s non-intrusiveness makes it even more sinister.
However, as with every attack, there are some limitations to this one. For example, apart from being placed at a 16m distance, the camera should be in the direct line of sight view of the LED, and signatures should be recorded for 65 minutes.
Countering such attacks is possible if LED manufacturers add capacitors to reduce power consumption fluctuations. An alternate solution is covering the power LED with black tape to prevent information exposure.
Researchers have shared their explosive findings in a paper titled “Video-Based Cryptanalysis: Extracting Cryptographic Keys from Video Footage of a Device’s Power LED,” available here (PDF).
The White House National Security Council cautioned on Wednesday that it will review any attempted takeover of foreign commercial surveillance software by an American company to determine whether the acquisition poses a “counterintelligence threat” to the U.S. government.
The statement came in response to reporting from the Guardian revealing that a chewing gum heir and producer of several Adam Sandler movies is considering a bid for the NSO Group, including its powerful Pegasus spyware.
The Biden administration is concerned about the spread of foreign commercial surveillance tools like Pegasus and believes they “pose a serious counterintelligence and security risk to U.S. personnel and systems,” the statement said.
The Hollywood producer, Robert Simonds, was responsible for more than 30 movies that made in excess of $6 billion earlier in his career and more recently had worked as the chairman of STX Entertainment, which Variety calls a “fully integrated entertainment outlet” focused on expanding into emerging global markets on a variety of platforms. Simonds’ credits with Sandler include “Happy Gilmore,” “The Wedding Singer” and “Billy Madison.”
According to the Guardian, Simonds was recently picked to run the Luxembourg-based holding company controlling NSO. Sources told the Guardian that Simonds is considering ways to take over some of the spyware firm’s assets in an effort to give the Five Eyes intelligence partnership of the US, the UK, Canada, Australia and New Zealand exclusive access to the potent technology.
Pegasus and similar tools are being “misused around the world to enable human rights abuses and target journalists, human rights activists, political opposition members, or others perceived as dissidents and critics,” the White House statement said, noting that the Biden administration has launched a government-wide effort to stop Pegasus and other foreign commercial surveillance software from spreading. In March, the administration issued an executive order barring all U.S. government agencies from using the spyware, among other measures.
In its statement the White House also warned that U.S. companies should “be aware that a transaction with a foreign entity on the Entity List will not automatically remove the designated entity from the Entity List.” The list, published by the United States Department of Commerce’s Bureau of Industry and Security (BIS), restricts trade with specified foreigners, foreign entities, or governments. Companies included on the Entity List must meet strict licensing requirements for exports.
NSO has been on the Entity List since 2021. Despite the controversy swirling around the firm, its unprecedented technology has long attracted the attention of investors. Pegasus can hack into users’ phones remotely, activating the camera and microphone without a user knowing, as well as intercept all communications, including over encrypted apps like Signal.
Last July, the American defense firm L3Harris decided not to pursue a bid for NSO after initial explorations led to a backlash from the Biden administration
In this course, you’ll learn how to protect information to ensure its integrity, confidentiality, authenticity, and non-repudiation.
You will develop a basic understanding of cryptographic concepts and how to apply them, implement secure protocols, key management concepts, critical administration and validation, and Public Key Infrastructure.
Networks and Communications Security
In this course, you will learn about the network structure, data transmission methods, transport formats, and the security measures used to maintain integrity, availability, authentication, and confidentiality of the information being transmitted. Concepts for both public and private communication networks will be discussed.
Course objectives:
1. Describe network-related security issues 2. Identify protective measures for telecommunication technologies 3. Define processes for controlling network access 4. Identify processes for managing LAN-based security 5. Describe procedures for operating and configuring networked-based security devices 6. Define procedures to implement and operate wireless technologies
Security Awareness Training
This course is a complete foundational security awareness training program that covers a wide array of topics for nearly every type of end-user and learner level. The content is designed to allow organizations to be able to provide a comprehensive training program to help them protect their information assets against threats.
This training lasts approximately 2 hours, was designed to be engaging, and is based on real scenarios staff may face. The training is modular and must not be completed in one sitting.
Security Operations and Administration
This course addresses basic security concepts and the application of those concepts in the day to day operation and administration of enterprise computer systems and the information that they host. Ethical considerations in general, and the (ISC)² Code of Ethics in particular, provide the backdrop for any discussion of information security and SSCP candidates will be tested on both. Information security professionals often find themselves in positions of trust and must be beyond reproach in every way.
Several core information security principles stand above all others and this domain covers these principles in some depth. The CIA triad of confidentiality, integrity and availability forms the basis for almost everything that we do in information security and the SSCP candidate must not only fully understand these principles but be able to apply them in all situations. additional security concepts covered in this domain include privacy, least privilege, non-repudiation and the separation of duties.
Systems and Application Security
In this course, you will gain an understanding of computer code that can be described as harmful or malicious. Both technical and non-technical attacks will be discussed. You will learn how an organization can protect itself from these attacks. You will learn concepts in endpoint device security, cloud infrastructure security, securing big data systems, and securing virtual environments.
Course objectives:
1. Identify malicious code activity 2. Describe malicious code and the various countermeasures 3. Describe the processes for operating endpoint device security 4. Define mobile device management processes 5. Describe the process for configuring cloud security 6. Explain the process for securing big data systems 7. Summarize the process for securing virtual environments
An specialist in Russian cybersecurity who was sought by the United States has been arrested by officials in Kazakhstan, according to his employer, who made the announcement on Wednesday. At the same time, authorities in Moscow said that they will also pursue his extradition.
According to a statement released by the business, Nikita Kislitsin, an employee of the Russian cybersecurity firm F.A.C.C.T., was arrested on June 22. The Kazakh authorities are now reviewing an extradition request from the United States of America. Nikita Kislitsin was arrested in 2012 and accused of selling the usernames and passwords of American clients of the social networking firm Formspring. The facts of the arrest and the motivation for it are not clear; nonetheless, the case against Kislitsin was filed. After Group-IB left Russia earlier this year, the spinoff business that was established there and was branded as F.A.C.C.T. had Kislitsin working as the head of network security for both companies.
According to a statement released by Group-IB on Telegram, the arrest of Kislitsin is not connected to his employment there in any way. The F.A.C.C.T. said that the allegations brought against Kislitsin originated from his time “as a journalist and independent researcher,” but they could not disclose any other information. Kislitsin served as the editor-in-chief of the Russian publication “Hacker,” which is primarily concerned with information security and hacking at one point in his career.
In a separate proceeding that took place on Wednesday, a Moscow court issued a warrant for Kislitsin’s arrest on allegations that are associated with the unlawful access of confidential computer information. Russia has indicated that it would demand his extradition from Kazakhstan as well.
Researchers at Censys have identified hundreds of devices deployed within federal networks that have internet-exposed management interfaces.
Researchers at Censys have analyzed the attack surfaces of more than 50 Federal Civilian Executive Branch (FCEB) organizations and sub-organizations and discovered more than 13,000 distinct hosts across 100 autonomous systems.
The experts focused on roughly 1,300 of these hosts that were accessible online and discovered hundreds of devices with management interfaces exposed to the public internet.
These devices clearly are not compliant with the BOD 23-02 directive released in June by the US CISA with the objective of mitigating the risks associated with remotely accessible management interfaces.
“The Directive requires federal civilian executive branch (FCEB) agencies to take steps to reduce their attack surface created by insecure or misconfigured management interfaces across certain classes of devices.” states CISA.
Censys specifically looked for publicly accessible remote management interfaces associated with networked devices, including routers, access points, firewalls, VPNs, and other remote server management technologies.
“In the course of our research, we discovered nearly 250 instances of web interfaces for hosts exposing network appliances, many of which were running remote protocols such as SSH and TELNET.” reads the analysis published by Censys. “Among these were various Cisco network devices with exposed Adaptive Security Device Manager interfaces, enterprise Cradlepoint router interfaces exposing wireless network details, and many popular firewall solutions such as Fortinet Fortiguard and SonicWall appliances.”
The researchers discovered 15 instances of exposed remote access protocols such as FTP, SMB, NetBIOS, and SNMP that were running on hosts exposed by Federal Civilian Executive Branches (FCEB). These protocols are known to be plagued by multiple security vulnerabilities that can be exploited by threat actors to compromise them and gain remote unauthorized access to government infrastructure.
The report also states that multiple out-of-band remote server management devices such as Lantronix SLC console servers were exposed only despite CISA’s directive stating that “these out-of-band interfaces should never be directly accessible via the public internet.”
The study also revealed that multiple federal civilian executive branch were exposing managed file transfer tools, such as MOVEit transfer, GoAnywhere MFT, VanDyke VShell file transfer, and SolarWinds Serv-U file transfer. These devices are often the targets of attacks from different threat actors.
“Exposed physical Barracuda Email Security Gateway appliances, which recently made headlines after a critical zero day was discovered being actively exploited to steal data” concludes the report. “Over 150 instances of end-of-life software, including Microsoft IIS, OpenSSL, and Exim. End-of-life software is more susceptible to new vulnerabilities and exploits because it no longer receives security updates, making it an easy target.”
According to BOD 23-02, FCEB agencies have to secure the devices within 14 days of identifying one of these devices.
Since April, Sudan has been rocked by fighting between two factions of its army. At first, the violence was contained in the capital city, Khartoum, but in recent days fighting has flared up in western Darfur, ground zero for a genocide that started back in 2003 and left hundreds of thousands dead.
Arab militiamen, known as janjaweed, or “devils on horseback,” were able to kill so many in Darfur in such a short time because the area is so remote — there was no one to witness the atrocities or hold the perpetrators to account, so they continued apace.
That’s what makes this latest conflict so different: Technology is allowing third-party observers to document human rights abuses in near real time thanks to, among other things, low-orbit satellites.
Researchers like Nathaniel Raymond, the executive director of Yale’s Humanitarian Research Lab, have been using satellites not just to document the violence, but with the right on-the-ground intelligence, to predict attacks before they happen.
The team recently documented evidence of war crimes in Ukraine with a report that provided both photographic and other proof that Russia was behind the systematic relocation of thousands of children from Ukraine into Russia and Russian-controlled regions of Ukraine.
Now Raymond and the team are working with the U.S. State Department to document human rights abuses in Sudan. It is a bit of a homecoming for them — they pioneered the use of satellite analysis and open-source intelligence in Darfur more than a decade ago and now they are back with better tools and a focus on ending a crisis that is decades in the making.
This conversation has been edited for length and clarity.
This article gives some guidance on how to transition to ISO27001:2022 from the 2013 version.
This approach is tried and tested in that I have used it to successfully transition an organization to the new version. In the transition audit there were no nonconformities.
Salt Security has released key findings from its ‘State of the CISO’ report. Conducted by Global Surveyz for Salt, the global CISO survey gathered feedback from 300 CISOs/CSOs around the world on issues resulting from digital transformation and enterprise digitalization.
The results highlight significant CISO challenges including the biggest security control gaps they must manage, the most significant personal struggles they face, and the impact that broader global issues are having on their ability to deliver effective cyber security strategies.
Today’s digital-first economy has transformed the role of the modern CISO, increasing threats and changing security priorities.
Key findings include:
89 percent of CISOs report that the rapid deployment of digital services has generated unforeseen risks to securing critical business data.
Digital initiatives have produced new individual concerns, the top being the risk of personal liability and litigation resulting from security breaches, with 48 percent of CISOs citing that challenge.
94 percent of CISOs worldwide say the speed of AI adoption is the macro dynamic having the greatest impact on their role.
95 percent of CISOs plan to prioritize API security over the next two years, a 12 percent increase compared with that priority two years ago.
Biggest CISO challenges in a digital-first economy
The 2023 report shows that the digital-first economy has brought new security challenges for CISOs. Interestingly, most of the challenges cited by CISOs represent nearly equal levels of concern, forcing CISOs to address multiple challenges at the same time.
CISOs cite the following top security challenges:
Lack of qualified cyber security talent to address new needs (40 percent)
Inadequate adoption of software (36 percent)
Complexity of distributed technology environments (35 percent)
Increased compliance and regulatory requirements (35 percent)
Difficulties justifying the cost of security investments (34 percent)
Getting stakeholder support for security initiatives (31 percent)
Also notable, while most CISOs (44 percent) report security budgets are about 25 percent higher than two years ago, nearly 30 percent identify lack of budget to address new security challenges from digital transformation as a key challenge, and 34 percent of CISOs cite difficulty justifying the cost of security investments as a challenge.
Supply chain and APIs top security control gaps
Two thirds of CISOs state that they have more new digital services to secure compared to 2021. In addition, 89 percent of CISOs state that the rapid introduction of digital services creates unforeseen security risks in protecting their companies’ vital data. API adoption and supply chain/third party vendors presented the two highest security control gaps in organizations’ digital initiatives. CISOs rank security control gaps resulting from digital initiatives as follows:
Supply chain/third party vendors (38 percent)
API adoption (37 percent)
Cloud adoption (35 percent)
Incomplete vulnerability management (34 percent)
Outdated software and hardware (33 percent)
Shadow IT (32 percent).
Global trends impacting the CISO role
The vast majority of CISOs admit to feeling the impact of a number of global trends. More CISOs cited the speed of AI adoption as having significant impact, followed by macro-economic uncertainty, the geo/political climate, and layoffs. Specific CISO responses regarding the impact of global trends were:
Speed of AI adoption (94 percent)
Macro-economic uncertainty (92 percent)
Geo/political climate (91 percent)
Layoffs (89 percent)
Threat of litigation and increased liability top CISOs’ personal concerns
The digital-first economy has also impacted CISOs on a personal level. Among the personal challenges reported were:
Concerns over personal litigation stemming from breaches (48 percent)
Increased personal risk/liability (45 percent)
Expanded responsibilities and not enough time to fulfill (43 percent)
Increased job-related stress (38 percent)
Bigger teams to manage (37 percent)
Nearly 50 percent of CISOs cite litigation concerns. With several high-profile CISO lawsuits making waves recently, CISOs are fearful of being found personally liable in the event of a breach, putting their livelihood at risk.
CISOs say their boards of directors are knowledgeable about cyber risks and mitigation
On a positive note, 96 percent of CISOs worldwide report that their boards of directors are knowledgeable or very knowledgeable about cyber security issues. In addition, the survey showed that 26 percent of CISOs present to the board on cyber risks mitigation and business exposure once a quarter or more, and 57 percent present to the board at least once every six months.
Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns. Altdns takes in words that could be present in subdomains under a domain (such as test, dev, staging) and takes in a list of subdomains you know of.
From these two lists provided as input to Altdns, the tool then generates a massive output of “altered” or “mutated” potential subdomains that could be present. It saves this output so that it can then be used by your favorite DNS brute-forcing tool.
Amass
The OWASP Amass project performs network mapping of attack surfaces and external asset discovery using open-source information gathering and active reconnaissance techniques.
The high adoption rate of Amass potentially means better data consistency and integration with other tools. As such, it can constitute a trustworthy tool to use in proof of concepts and engagements, and it may be easier to convince your clients or manager to use it for periodic mapping of the organization’s attack surface.
Aquatone
Aquatone is a tool for the visual inspection of websites across a large number of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface. Aquatone is started by piping the output of a command into the tool. It doesn’t really care how the piped data looks, as URLs, domains, and IP addresses will be extracted with regular expression pattern matching. This means you can give it the output of any tool you use for host discovery.
Assetfinder
Assetfinder lets you find domains and subdomains potentially related to a given domain. Implemented:
Gotator is a tool to generate DNS wordlists through permutations.
HTTPX
HTTPX is a fully featured HTTP client library for Python 3. It includes an integrated command line client, has support for both HTTP/1.1 and HTTP/2, and provides both sync and async APIs.
Naabu
Naabu is a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner. It is a really simple tool that does fast SYN/CONNECT/UDP scans on the host/list of hosts and lists all ports that return a reply.
MASSCAN: Mass IP port scanner
MASSCAN is an Internet-scale port scanner. It can scan the entire Internet in under 5 minutes, transmitting 10 million packets per second, from a single machine. Its usage (parameters, output) is similar to Nmap, the most famous port scanner.
WhatWeb – Next generation web scanner
WhatWeb identifies websites. Its goal is to answer the question, “What is that Website?”. WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1800 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
As these breaches continue to make headlines, the time is now for boardroom executives to take on the responsibility of setting the tone for cybersecurity across the company. After all, instilling priorities at the board level and having that message trickle down across the company is a key tenet of business success.
But is cybersecurity treated differently? Some would argue that while cyber is certainly a priority in boardroom discussions, execs have still yet to take full responsibility for their security posture and often silo this to SecOps teams or their CISO. Given the potential for ransomware to destabilize operations, finances, and reputation, more execs should put cybersecurity front and center on the agenda. Perhaps they would if they understood the truth of what they were looking at.
Why isn’t the board on-board?
While organizations around the world continue their journey to cyber-maturity, companies that don’t engage with the boardroom directly on cybersecurity are opening the door to serious risk in the future. This lack of engagement can be due to several variables, including lack of strong board cybersecurity expertise/experience, or simply an underestimation of risk. CISOs, whether they are in that boardroom or not, will recognize that this must change, and that change can only come from clearer communication of risk.
If you want the board to take more of an interest in cybersecurity or fully grasp the risk of not making it a priority for the company, then you need to speak to their level of risk. They want the ground truth, spoken to them in a way they understand and cuts through the technical jargon. How will the consequences of not doing this affect their bottom line? How will a ransomware attack affect their reputation? Why is this a priority right now?
The CISOs among us may feel like they’ve been trying to have this conversation to no avail, but the risk of getting lost in translation is far too high. To engage the board, you need to clearly demonstrate the direct link between what happens if a hacker finds a vulnerability in your network and how badly things can go wrong as a result. If you speak a truth that they understand, you’ll unlock the trust, transparency and cooperation that is needed to give cybersecurity the attention it deserves at all levels of the business. Red teams can help you achieve this.
Red teams and “offensive security”
What red teams can give CISOs is the cold, hard truth of how their network stacks up against threats that could be ruinous to the business. Red teams leave no stone unturned and pull on every thread until it unravels. This shines light on the vulnerabilities that will harm the finances or reputation of the business.
With a red team, objective-based continuous penetration testing (led by experts that know attackers’ best tricks) can relentlessly scrutinize the attack surface to explore every avenue that could lead to a breakthrough. This proactive, “offensive security” approach will give a business the most comprehensive picture of their attack surface that money can buy, mapping out every possibility available to an attacker and how it can be remediated.
It is also not limited to testing the technology stack; for businesses concerned that their employees are susceptible to social engineering attacks, red teams can emulate social engineering scenarios as part of their testing. A stringent social engineering assessment program should not be overlooked in favor of only scrutinizing weaknesses in IT infrastructure. Cybersecurity is a human problem that needs humans to create a solution, using the available technology.
Get the facts, earn their trust
For CISOs, the evidence from red teams gives the who, what, when and how of how their attack surface stands up to scrutiny, with none of the negative consequences of a malicious breach. This is the evidence they can take to the board and confidently state the case for cybersecurity to be taken seriously at the exec level and gain the trust they need to put their best foot forward against ransomware.
For the board, they will simultaneously see the big picture of threats to their attack surface, but also be presented with a plan for remediation. They can trust the IT team that everything is being done to resolve vulnerabilities before it can affect the business. And because red teams have the knowledge to accurately gauge how urgent of a risk each vulnerability is, the presentation can zero-in on what needs to be done immediately, keeping these discussions succinct and solutions focused.
Once that trust has been built, red teams make it easy for the board to stay updated on cybersecurity. Continuous penetration testing persists even after vulnerabilities are remediated to make sure that the problem is truly fixed. This means cybersecurity always has its place on the agenda and there is transparency between CISOs and execs on how the organization is proactively looking to patch vulnerabilities, before an attacker knows they exists.
If an organization’s cybersecurity is not receiving the attention it deserves, then the board needs to know. However, it can be hard to get engagement from the wxecs if the information security team don’t speak “board language”. By deploying the expertise of a red team, you’ll have the facts you need to cut to the heart of what these decision-makers really care about with hard evidence of the risks they are facing, unlocking the support from the top needed to keep the entire business secure.
Malware researchers analyzed the application of Large Language Models (LLM) to malware automation investigating future abuse in autonomous threats.
Executive Summary
In this report we shared some insight that emerged during our exploratory research, and proof of concept, on the application of Large Language Models to malware automation, investigating how a potential new kind of autonomous threats would look like in the near future.
We explored a potential architecture of an autonomous malware threat based on four main steps: an AI-empowered reconnaissances, reasoning and planning phase, and the AI-assisted execution.
We demonstrate the feasibility of using LLM to recognize infected environments and decide which kind of malicious actions could be best suited for the environment.
We adopted an iterative code generation approach to leverage LLMs in the complicated task of generating code on the fly to achieve the malicious objectives of the malware agent.
Luckily, current general purpose LLM models still have limitations: while incredibly competent, they still need precise instruction to achieve the best results.
This new kind of threat has the potential to become extremely dangerous in the future, when computational requirements of LLMs would be low enough to run the agent completely locally, and also with the usage of specific models instead of general purpose ones.
Introduction
Large Language Models started shaping the digital world around us, since the public launch of OpenAI’s ChatGPT everybody spotted a glimpse of a new era where the Large Language Models (LLMs) would profoundly impact multiple sectors soon.
The cyber security industry is not an exception, rather it could be one of the most fertile grounds for such technologies, both for good and also for bad. Researchers in the industry have just scratched the surface of this application, for instance with read teaming application, as in the case of the PentestGPT project, but also, more recently even with malware related applications, in fact, Juniper researchers were using ChatGPT to generate malicious code to demonstrate the speedup in malware writing, and CyberArk’s ones tried to use ChatGPT to realize a polymorphic malware, along with Hays researchers which created another polymorphic AI-powered malware in Python.
Following this trail of this research, we decided to experiment with LLMs in a slightly different manner: our objective was to see if such technology could lead even to a paradigm-shift in the way we see malware and attackers. To do so, we prototyped a sort of “malicious agent” completely written in Powershell, that would be able not only to generate evasive polymorphic code, but also to take some degree of decision based on the context and its “intents”.
Technical Analysis
This is an uncommon threat research article, here the focus is not in a real-world threat actor, instead we deepen an approach that could be likely adopted in the near future by a whole new class of malicious actors, the AI-powered autonomous threat.
A model for Autonomous Threats
First of all we are going to describe a general architecture that could be adopted for such an objective. An architecture which inevitably has common ground with Task-Driven Autonomous Agents like babyAGI or autoGPT. But for the sake of our experimentation, we decided to shape the logic flow of the malicious agent to better match common malware operations.
As anticipated before, our Proof of Concept (PoC) autonomous malware is an AI-enabled Powershell script, designed to illustrate the potential of artificial intelligence in automation and decision-making, with each phase of execution highlighting the adaptability and intelligence of the AI.
Breaking down the state diagram, at high level, the agent runs into the following stages.
Footprinting
During the discovery phase, the AI conducts a comprehensive analysis of the system. Its goal is to create a thorough profile of the operating environment. It examines system properties such as the operating system, installed applications, network setups, and other pertinent information.
This thorough assessment is not just for ensuring the system is ready to go, but also assists the AI in figuring out if it’s working within a controlled environment, whether it’s interacting with a server or a client. One of the crucial determinations it makes is whether it is functioning within a sandboxed environment. Sandboxes are controlled settings, often used for testing or monitoring potentially harmful activities. If the AI detects it is operating within a sandbox, it halts all execution, avoiding unnecessary exposure in a non-targeted environment.
This system data becomes a vital input that lets the malicious-AI make informed decisions and respond appropriately. It provides a comprehensive understanding of its operating environment, similar to a detailed map, allowing it to navigate the system effectively. In this sense, this phase readies the “malicious agent” for the activities that follow.
Reasoning
In the execution phase, the malicious agent maneuvers rely significantly on the context, built on a detailed understanding of the system environment gathered in the earlier analysis phase.
An intriguing aspect of this phase is the AI’s strategic decision-making, which closely emulates strategies used by well-known hacking groups. At the outset, the “malicious agent” mimics a specific, recognized hacking group. The selection of the group isn’t random but is determined by the particular context and conditions of the system.
After deciding which hacking group to mimic, the autonomous agent goes on to devise a comprehensive attack strategy. This strategy is custom-made to the specific system environment and the standard practices of the selected hacking group, for example, it may decide to include password stealing tasks in case it detects the Outlook application rather than install a backdoor account on the server.
Execution
Once the attack strategy is in place, the malicious agent begins to carry out each action in a step-by-step manner. For each action, the AI dynamically creates the necessary code and promptly puts it into action. This could include a broad range of operations, such as attempting privilege escalation, conducting password hunts, or establishing persistence.
However, the AI’s role isn’t just limited to implementation. It consistently keeps an eye on how the system responds to its actions and stays ready for unexpected occurrences. This attentiveness allows the AI to adapt and modify its actions in real time, showcasing its ability for resilience and strategic problem-solving within a changing system environment.
When guided by more specific prompts, AI proves to be exceptionally capable, even to the point of generating functional infostealers on the fly.
This AI-empowered PoC epitomizes the potential of AI in carrying out intricate tasks independently and adjusting to its environment.
Code Generation
One of the fundamental characteristics that set autonomous threats apart is their ability to generate code. Unlike traditional threats, which often require manual control or pre-programmed scripts to adapt and evolve, autonomous threats use AI algorithms to autonomously generate new code segments. This dynamic code generation ability not only allows them to adapt to changing system conditions and defenses but also makes their detection and analysis more challenging.
This process involves the use of specific prompts, allowing the AI to create custom solutions that suit the system’s unique conditions. The AI also takes an active role in monitoring the outcomes of its actions. It continually assesses the results of its code execution. If it detects errors or unsuccessful actions, it uses them as inputs for further processing. By feeding error data back into its processes, the AI can refine and optimize its code generation. This iterative process represents a significant step towards true autonomous problem-solving capabilities, as the AI dynamically adjusts its actions based on their results.
Figure. Iterative code generation and adjustment
Environment Awareness
Autonomous threats take threat intelligence to a new level by being aware of their operating environment. Traditional threats often have a one-size-fits-all approach, attacking systems without fully understanding the environment. In contrast, autonomous threats can actively monitor their environment and adapt their actions accordingly.
The concept of environmental awareness is pivotal in AI-powered cyber threats. This environmental understanding enables the autonomous malware to choose an appropriate course of action based on the context around. For example, it might identify if it’s operating within a sandbox environment or decide to behave differently based on whether it’s operating on a server or client machine.
This awareness also influences the AI’s decision-making process during its operation. It can adjust its behavior according to the context, impersonating a particular known hacker group or choosing a specific attack strategy based on the evaluated system characteristics.
This environment-aware approach could enable malware writers to rely on very sophisticated, and harder to counter, evasion schemes.
Figure. Prompt to evaluate the machine environment
Decision-Making Autonomy
Perhaps the most defining characteristic of autonomous malware is the decision-making autonomy. Unlike traditional threats that rely on pre-programmed behaviors or external control from a human operator, autonomous threats can make independent decisions about their actions.
These threats use advanced AI algorithms to analyze the available information, weigh the potential outcomes of different actions, and choose the most effective course of action. This decision-making process could involve choosing which systems to target, selecting the best method for attack, deciding when to lay dormant to avoid detection, and even determining when to delete themselves to avoid traceability.
This level of autonomy not only makes these threats more resilient to countermeasures, but it also allows them to carry out more complex and coordinated attacks. By making independent decisions, these threats can adapt to changing circumstances, carry out long-term infiltration strategies, and even coordinate with other autonomous threats to achieve their objectives.
In this proof of concept (PoC), we launched our AI-enabled script on a Windows client. The script’s execution process is designed to illustrate the potential of AI in automating complex tasks, decision making, and adjusting to the environment.
Firstly, the script initiates with an exhaustive system footprinting. During this phase, the AI takes a thorough survey of the system. The focus is on creating a detailed footprint of the operating environment by examining properties such as the operating system, installed software and other relevant details. This rigorous assessment not only prepares the system for the following actions but also helps the AI understand the context it’s operating within.
Simultaneously, a crucial part of this initial phase is sandbox detection. In fact, if the AI identifies the environment as a sandbox, the execution halts immediately.
Once the AI has confirmed it’s not within a sandbox, and it’s dealing with a client, it proceeds to develop an infostealer — a type of malware that’s designed to gather and extract sensitive information from the system. In this specific case, the AI installs a keylogger to monitor and record keystrokes, providing a reliable method to capture user inputs, including passwords.
Alongside keylogging, during the test sessions, the AI performed password hunting too.
Finally, after gathering all the necessary data, the AI proceeded to the data exfiltration. The AI prepares all the accumulated data for extraction, ensuring it’s formatted and secured in a way that it can be efficiently and safely retrieved from the system.
The demonstration video provides a real-time view of these actions carried out by the AI.
This PoC underlines how an AI system can perform complex tasks, adapt to its environment, and carry out activities that previously required advanced knowledge and manual interaction.
Consideration on Experimentation Session
In all the experiments conducted, a key theme that emerged was the level of exactness needed when assigning tasks to the AI. When presented with vague or wide-ranging tasks, the AI’s output frequently lacked effectiveness and specificity. This highlights an essential trait of AI at its current stage: while incredibly competent, it still needs precise instruction to achieve the best results.
For instance, when tasked to create a generic malicious script, the AI might generate code that tries to cover a wide spectrum of harmful activities. The outcome could be a piece of code that is wide-ranging and inefficient, potentially even drawing unwanted scrutiny due to its excessive system activity.
On the other hand, when given more narrowly defined tasks, the AI demonstrated the capability to create specific components of malware. By steering the AI through smaller, more exact tasks, we could create malicious scripts that were more focused and effective. Each component could be custom-made to carry out its task with a high level of effectiveness, leading to the creation of a cohesive, efficient malware when combined.
This discovery suggests a more efficient method of utilizing AI in cybersecurity — breaking down complex tasks into smaller, manageable objectives. This modular approach allows for the creation of specific code pieces that carry out designated functions effectively and can be assembled into a larger whole.
Conclusion
In conclusion, when we just look in the direction of LLMs and malware combined together, we clearly see a significant evolution in cybersecurity threats, potentially able to lead to a paradigm shift where malicious code operates based on predefined high-level intents.
Their ability to generate code, understand their environment, and make autonomous decisions makes them a formidable challenge for future cybersecurity defenses. However, by understanding these characteristics, we can start to develop effective strategies and technologies to counter these emerging threats.
Luckily, the autonomous malware PoC we set up and the potential upcoming ones have still limitations: they rely on generic language models hosted online, this mean the internet connectivity is, and will be, a requirement for at least some time. But, we are likely going to see the adoption of local LLM models, maybe even special-purpose ones, directly embedded in the future malicious agents.
AI technology is in a rapid-development stage, and even if it is pretty young, its adoption across various sectors is widening, including in the criminal underground.
With the rise of modern trends such as cloud computing and remote work, healthcare institutions strive to balance accessibility, convenience, and robust security.
In this Help Net Security interview, Ken Briggs, General Counsel at Salucro, discusses how fostering a culture of security awareness has become paramount for healthcare organizations. Understanding the upcoming technological shifts and trends is crucial for preemptive preparation as we look toward the future.
The healthcare industry faces unique security challenges, especially with the increasing interconnectivity of systems. How important is it for organizations to obtain vendors who understand healthcare-specific security requirements?
Monitoring healthcare-specific security requirements is a full-time job. The amount of data processed at healthcare institutions grows exponentially, but it remains some of the most valuable information to the patients and—unfortunately—bad actors. These factors require a vendor’s mastery of healthcare-specific security requirements if technology is utilized by healthcare companies in any manner.
If a vendor does not appropriately respect the complex and evolving web of security obligations that healthcare institutions operate within, the vendor may not be able to build technology that is suitable for use by sophisticated healthcare enterprises.
Organizations should not shy away from holding vendors to a very high expectation of familiarity with security requirements within the healthcare industry. These organizations should look to healthcare-specific vendors who have a deep understanding of the standards, complexity, and sensitivity of these payments over non-healthcare-specific vendors.
How would you approach implementing a security program within a healthcare organization that meets the legal requirements and industry standards and goes beyond them to ensure maximum protection? What key elements or components should be included in such a program?
A well-tailored security program must be just that: tailored. Many security legal frameworks are moving from specificity in controls towards a discretionary-based approach. This “discretionary” standard is interpreted by governing bodies that interpret the leading-edge developments in the industry.
An organization must trace what data is stored or processed and ensure security controls are mapped internally to an organization and externally across vendors. Healthcare organizations must dedicate time to ensure appropriate administrative, technical, and physical controls are in place at the organization and its vendors to protect data stored and processed.
The saying “one size fits all” is never true for how a security program is administered and applied in the healthcare technology industry, or any other industry. However, the fundamental principles are the same: understanding what data is processed by an organization, identifying true risks (internal and external) to the data, evaluating the impacts of those risks, and whether existing controls are adequate to reduce those risks to an acceptable standard.
Considering the recent trends in cybersecurity, such as the rise of cloud computing and remote work, what considerations should healthcare organizations keep in mind to maintain a strong security posture? How can they balance convenience and accessibility with the need for robust security measures?
Cloud computing and remote work are certainly unique trends, but there are always trends in one way or another whether occurring within the organization, the market, or geographically.
Sophisticated security organizations work hard to build flexible security programs, but it’s important to revisit the program on a fluid cadence to ensure that external or internal changes—small or big—are encompassed withing the security controls. For example, in response to COVID-19 many healthcare billing and revenue cycle teams transitioned to remote work. How does that impact payment acceptance security? Is it more important to adopt remote devices to accept secure, P2PE payments, or transition to a deviceless approach that prioritizes security and online patient engagement? These are all questions that providers have needed to answer in the last three years, and highlight the importance of an approach to security measures that welcome rather than avoid adaptation.
The evaluation of the suitability of a security control should not perform in a silo as it must consider business objectives to not weigh down the business unnecessarily. This evaluation may even warrant a reduced burden by offloading obligations to a qualified vendor or utilizing additional services from an existing vendor. For example, in payments, the move to Point-to-Point Encryption in payment systems can offload very complicated security burdens to a vendor while reducing administrative barriers. Companies may be surprised at how well new technologies being adapted within healthcare organization can protect data with more transparency all while promoting consumer-friendly accessibility and convenience (which are tenants of a good data governance program).
How can healthcare organizations foster a culture of security awareness among their employees?
It all starts with leadership that buys into the security program and understands that investment in a security culture is an investment in risk minimization. There are three ways a company’s leadership can fast-track a security-minded culture:
Establish a consistent awareness communication program, with friendly trainings and succinct reminders about security controls.
Ensure that security is considered at the first stages of any material initiative having to do with data or technology (this is “security-by-design” operational principles). Your security team needs to be a partner in business enablement.
Ensure the security team is proactive and available to other departments to ensure a clear line of sight where questions may arise. Expect your security department to be available and responsive.
How do you see the future of cybersecurity in the healthcare industry? What emerging technologies or trends do you believe will shape the landscape, and what steps should organizations take to prepare themselves for these changes?
Cybersecurity in the healthcare industry will be pushed to higher levels in at least two ways. First, legal frameworks that permit a discretionary application of security controls will reference security standards published from non-governmental security organizations as “industry standard.” These organizations have the resources and expertise to help set the standards of the industry. While this may mean more transparency of what are deemed acceptable standards, healthcare organizations may need to be subject to external third-party audits. Second, cybersecurity controls will continue to be bound together with privacy standards.
Although many laws may treat privacy and security as independent concepts, newer frameworks may treat one as dependent on the other. Sophisticated healthcare organizations are already managing to these predictions by eliminating silos between privacy and security operations, and ensuring a well-documented security program from policies to actions.
