Desenmascara.me

How to verify whether a website is legitimate or not?: desenmascara.me

Monday, 22 July 2024

Crowdstrike outage

Tracking the historic global IT outage caused by a cybersecurity provider through carefully selected relevant articles.


To our customers and partners (Crowdstrike)

Technical details about how a content detection improvement caused the biggest global IT outage (Crowdstrike)

Channel File 291 controls how Falcon evaluates named pipe execution on Windows systems. Named pipes are used for normal, interprocess or intersystem communication in Windows.

The update that occurred at 04:09 UTC was designed to target newly observed, malicious named pipes being used by common C2 frameworks in cyberattacks. The configuration update triggered a logic error that resulted in an operating system crash. 

Taviso with some thoughts about someone pointing out that the issue was caused by a NULL pointer. (Tavis Ormandy)

Tech disruptions sparked by software update highlight the fragility of globally connected technology (AP)

What I learned from the Microsoft Global IT Outage (Kevin Beaumont)

Technical details in 6 tweets and the reason Windows could not recover itself (Sergio de Los Santos)

Recent job advertisement for Crowdstrike (Linkedin - 22 July, 2024).



Sunday, 30 June 2024

Situational Awareness - The Next Decade

From GPT4 to AGI / from AGI to Superintelligence


Regarding the AI topic that I covered very briefly in the short presentation on AI and Cybersecurity, here is an extensive document written from the perspective of one of the notable (and very young) figures in AI, Leopold Aschenbrenner.

Everyone, whatever your interest in AI, should read this.

Welcome to the future:





All parts of the reading are interesting. Some examples below:





Wednesday, 19 June 2024

Wetware computing: using living neurons to perform computations

Press release from a Swiss-based startup called FinalSpark.

Wetware computing, an exciting new frontier at the intersection of electrophysiology and artificial intelligence, uses living neurons to perform computations. Unlike artificial neural networks (ANNs), where digital weights can be updated instantly, biological neural networks (BNNs) require entirely new methods for network response modification. This complexity necessitates a system capable of conducting extensive experiments, ideally accessible to researchers globally.


The neuroplatform

A team at FinalSpark has developed a groundbreaking hardware and software system, the Neuroplatform, designed to enable electrophysiological experiments on a massive scale. The Neuroplatform allows researchers to conduct experiments on neural organoids, which can last over 100 days. This platform streamlines the experimental process, enabling quick production of new organoids, 24/7 monitoring of action potentials, and precise electrical stimulations. Additionally, an automated microfluidic system ensures stable environmental conditions by managing medium flow and changes without physical intervention.


Unprecedented Data Collection and Remote Access

Over the past three years, the Neuroplatform has been used to study over 1,000 brain organoids, generating more than 18 terabytes of data. A dedicated Application Programming Interface (API) supports remote research via Python libraries or interactive tools like Jupyter Notebooks. The API not only facilitates electrophysiological operations but also controls pumps, digital cameras, and UV lights for molecule uncaging. This setup allows for complex, continuous experiments incorporating the latest deep learning and reinforcement learning libraries.


Energy Efficiency and Future Prospects

The energy efficiency of wetware computing presents a compelling alternative to traditional ANNs. While training large language models (LLMs) like GPT-4 requires significant energy—up to 10 GWh per model—the human brain operates with approximately 86 billion neurons on just 20 W of power. This stark contrast underscores the potential of BNNs to revolutionize computing with their energy-efficient operation.


Scientific publication detailing FinalSpark’s Neuroplatform: “Open and remotely accessible Neuroplatform for research in wetware computing” 

Friday, 14 June 2024

Microsoft chose profit over security - whistleblower says

Exceptional piece of investigative journalism detailing the internal corporate fights to warn about a ticking-bomb type of flaw, "Golden SAML".






“Azure was the Wild West, just this constant race for features and functionality,”

“You will get a promotion because you released the next new shiny thing in Azure. You are not going to get a promotion because you fixed a bunch of security bugs.”

Product managers had little motivation to act fast, if at all, since compensation was tied to the release of new, revenue-generating products and features. That attitude was particularly pronounced in Azure product groups, former MSRC members said, because they were under pressure from Nadella to catch up to Amazon.


The ProPublica article reveals internal practices at Microsoft that prioritized new features over security for years, aiming to establish Azure as the leading cloud platform. This approach involved downplaying security issues, which enabled state actors to exploit these vulnerabilities. When Russian hackers breached SolarWinds' network management software, they leveraged post-exploitation weaknesses, such as the Golden SAML flaw that Andrew had been trying to warn about for years, to steal sensitive data and emails from the cloud.

Finally, these practices contributed to the Exchange compromise by Chinese actors, which eventually led to a highly critical report from the Cyber Safety Review Board.


Ref: https://www.propublica.org/article/microsoft-solarwinds-golden-saml-data-breach-russian-hackers

Monday, 10 June 2024

How long does a fraudulent website remain active?

Update on 14/6/24 - both sites remain active.


According to my paper published in 2017, the median lifespan of a fraudulent website was one and a half years.


Let's revisit this topic with these two examples of fraudulent websites targeting Swiss luxury watches.



Fraudulent website: https://REDACTEDjeweler.com/


The domain is already older than 1 year according to Domaintools:



Fraudulent website: https://REDACTEDtte.com/


Domain was registered around 265 days ago:


I won't be linking the fraudulent websites to prevent anyone from accidentally visiting them. However, as of the time of this post, both websites are still active. Let's see how long they manage to stay online, providing us with real-time insights into the lifespan of such deceptive sites.

Wednesday, 5 June 2024

Threat actors using AI models

OpenAI, the company whose mission is to build a safe and beneficial AGI, has released a report: AI and covert influence operations: latest trends

It appears to be the first in a series of reports showing how they combat abuse of their platform. A few notes:


Attacker trends

  • Content generation: All of the actors described in this report used our models to generate content (primarily text, occasionally images such as cartoons). Some appear to have done so to improve the quality of their output, generating texts with fewer language errors than would have been possible for human operators. Others appeared more focused on quantity, generating large volumes of short comments that were then posted on third-party platforms. 
  • Mixing old and new: All of these operations used AI to some degree, but none used it exclusively. Instead, AI-generated material was just one of many types of content they posted, alongside more traditional formats, such as manually written texts, or memes copied from across the internet.
  • Faking engagement: Some of the campaigns we disrupted used our models to create the appearance of engagement across social media - for example, by generating replies to their own posts to create false online engagement, which is against our Usage Policies. This is distinct from attracting authentic engagement, which none of the networks described here managed to do.
  • Productivity gains: Many of the threat actors that we identified and disrupted used our models in an attempt to enhance productivity. This included uses that would be banal if they had not been put to the service of deceptive networks, such as asking for translations and converting double quotes to single quotes in lists.

Defender trends

  • Defensive design: Our models are designed to impose friction on threat actors. We have built them with defense in mind: for example, our latest image generation model, DALL-E 3, has mitigations to decline requests that ask for a public figure by name, and we’ve worked with red teamers—domain experts who stress-test our models and services—to help inform our risk assessment and mitigation efforts in areas like deceptive messaging. We have seen where operators like Doppelganger tried to generate images of European politicians, only to be refused by the model.
  • AI for defenders: Throughout our investigations, we have built and used our own AI-powered models to make our detection and analysis faster and more effective. AI allows analysts to assess larger volumes of data at greater speeds, refine code and queries, and work across many more languages effectively. By leveraging our models’ capabilities to synthesize and analyze the ways threat actors use those models at scale and in many languages, we have drastically improved the analytical capabilities of our investigative teams, reducing some workflows from hours or days to a few minutes. As our models improve, we’ll continue leveraging their capabilities to improve our investigations too.

Case studies:

  • Bad Grammar: Unreported Russian threat actor posting political comments in English and Russian on Telegram
  • Doppelganger: Persistent Russian threat actor posting anti-Ukraine content across the internet
  • Spamouflage: Persistent Chinese threat actor posting content across the internet to praise China and criticize its critics
  • International Union of Virtual Media (IUVM): Persistent Iranian threat actor generating pro-Iran, anti-Israel and anti-US website content
  • Zero Zeno: For-hire Israeli threat actor posting anti-Hamas, anti-Qatar, pro-Israel, anti-BJP, and pro-Histadrut content across the internet.

IO: (Covert) Influence Operations

Thursday, 30 May 2024

Artificial Intelligence and Cybersecurity

A presentation that collects the most interesting ideas on Artificial Intelligence and Cybersecurity, covering both AI pioneers and relevant figures on the current scene.


Summary:

Slide 3: 2001: A Space Odyssey. Sequence 1:40.30 - 1:43
A masterful sequence by Stanley Kubrick that masterfully presents the fear of and fascination with advanced AI.
It shows how the AI becomes self-aware in order to protect itself. All the AI's other capabilities (such as running the ship, reading lips...) are a reality today.

Slide 7: 74% of the way to reaching AGI.
Video of a robot dog on top of a yoga ball
https://eureka-research.github.io/dr-eureka/

Slide 9: OpenAI's mission: building safe and beneficial AGI
Google's mission: Don't be evil

Slide 10: Moravec (1998)
Description of the drawing: Computer capability is represented as the sea level, which rises continuously and covers all the landscapes that stand for human competences. As you can see, the arts and sciences are still far from being reached by AI, but competences such as playing chess, Go, memorizing, driving and translation have been or are being reached by AI. As you can see, these are all narrow domains, and AI keeps beating us in a growing number of narrow domains or competences.

Examples that were challenges for AI in '98:
  • recognizing friends in a photo: facial recognition achieved
  • walking across a cluttered room: a Roomba in every home
Today, the water is covering everything.


Slide 11: Max Tegmark
The Future of Life Institute tried to pause the entire AI industry for 6 months through a letter signed by thousands of scientists and relevant people in the AI field. The goal was to assess the risks and prepare contingency plans. This call was not successful.


Slide 12: The singularity or intelligence explosion, by Max Tegmark.
The water level has kept rising relentlessly, just as Moravec predicted, and some of the hills, such as chess, have been well submerged. As the water keeps rising, at some point it may reach a tipping point (or critical moment), which will bring a dramatic change. This critical water level will be reached when machines are able to design Artificial Intelligence. Before reaching this level, the rise in the water level is caused by humans improving machines; afterwards, the rise may come from machines improving themselves, much faster than humans could, rapidly submerging all the land. And this is the fascinating and controversial idea of the singularity. Intelligence explosion.



Resources used and for further reading:








https://www.europol.europa.eu/media-press/newsroom/news/new-report-finds-criminals-leverage-ai-for-malicious-use-%e2%80%93-and-it%e2%80%99s-not-just-deep-fakes

https://nypost.com/2022/03/17/deepfake-video-shows-volodymyr-zelensky-telling-ukrainians-to-surrender/

https://www.secretservice.gov/investigation/Preparing-for-a-Cyber-Incident/BEC#:~:text=The%20BEC%20scheme%20affects%20large%20global%20corporations%2C%20governments%2C,global%20daily%20losses%20estimated%20at%20approximately%20%248%20million.

https://www.europol.europa.eu/cms/sites/default/files/documents/Spotlight-Report_Online-fraud-schemes.pdf

https://www.theguardian.com/technology/article/2024/may/10/ceo-wpp-deepfake-scam

https://arstechnica.com/information-technology/2024/02/deepfake-scammer-walks-off-with-25-million-in-first-of-its-kind-ai-heist/

https://elie.net/talk/how-large-language-models-are-reshaping-the-cybersecurity-landscape-rsa-2024

https://explodingtopics.com/blog/ai-statistics







Thursday, 16 May 2024

Revolution in the SIEM Market: Key Acquisitions, Mergers, and Innovations Shape the Future of SecOps




Chronicle is now Google Security Operations. Say goodbye to legacy SIEMs




As cloud deployments for infrastructure, applications, and security have gained popularity, SecOps has had to evolve. Although many SIEM vendors claimed to offer cloud-native solutions, these were often superficial adjustments rather than genuine innovations addressing cloud security needs. At RSA 2019, Microsoft introduced "Azure Sentinel" (now Microsoft Sentinel) and Google introduced "Chronicle" (now Google Security Operations). Despite their progress, both have yet to fully address issues of coverage, effectiveness, and timeliness.

Sunday, 7 April 2024

Europol report highlights the presence of numerous dangerous crime gangs across the EU.

Europol's first report on the most threatening criminal networks active in the EU unveils the presence of 821 dangerous criminal gangs across the EU, primarily engaged in drug trafficking and other illicit activities. These organizations operate transnationally, posing significant challenges to law enforcement. Efforts to combat them require enhanced coordination and initiatives to protect legal officials from intimidation and bribery.

There is a special section dedicated to Cyber-Attacks (pag 36) that highlights the disruption of the LockBit ransomware group as a case example:




A few points to highlight from the report:

  • Agile: The most threatening criminal networks exhibit remarkable agility. (pag 10).
  • LBS: Legal Business Structures. 86% of the most threatening criminal networks make use of LBS.
  • Some sectors particularly at risk; all sectors potentially affected: Three sectors are particularly affected by criminal infiltration or abuse: construction, hospitality and logistics (i.e. transport and import/export companies). The data show clearly that LBS are infiltrated or misused by criminal networks across almost all sectors, including tourism, recycling, wellness and sports, retail and cultural associations.
  • The most threatening criminal networks in the EU use real estate as one of the main industries to launder their illicit profits (41 %).
  • Main nationalities of the criminal networks are: Albania, Belgium, France, Germany, Italy, the Netherlands, Poland, Spain, Türkiye and Ukraine. Most criminal networks are made up of both EU and non-EU nationals.
  • 82% focus on one criminal activity, such as drug trafficking or organised property crime. The remaining 18% are truly poly-criminal networks active in multiple main crime areas.
  • Frauds (mainly investment and romance): is the second most common activity of the most threatening criminal networks. (pag 30).
  • Money laundering activities take place in more than 80 countries.  (pag 45)

Pag 45



  • The criminal networks that use countermeasures against law enforcement strategically as part of their day-to-day operations mostly use technologies such as encrypted applications or devices (EncroChat or SkyECC) on which they use code language to communicate.

  • Cyber expertise required: Cyber-service and technological solution providers offer critical support to networks involved in fraud schemes. Specifically, they devise mass mailing and phishing campaigns, create fake websites, advertisements and social media accounts, and support other cyber-based processes related to investment frauds and online fraud schemes. Networks involved in cyber-attacks play a critical role in programming malware, ransomware and hosting botnets. These individuals also occupy a crucial position in networks engaged in drug trafficking, extortion and racketeering and money laundering. They support the networks by advising them on online means for the movement of money and cryptocurrency payments (pag 56).

Pag 57



This report marks a significant milestone in enhancing our comprehension of the primary characteristics of criminal networks posing the highest risk to EU's internal security. It represents the first comprehensive evaluation at the EU level from the perspective of criminal actors, drawing upon recent data provided by EU Member States and third countries. Each of the 821 identified highly threatening criminal networks exhibits unique traits, including composition, structure, criminal activities, territorial influence, longevity, cooperation methods, and other factors. However, what distinguishes one network as more threatening than another are key capabilities encapsulated in the ABCD model: Agile, Borderless, Controlling, Destructive.



Thursday, 4 April 2024

Key insights from the report by the Cyber Safety Review Board on the Microsoft Exchange Online incident of Summer 2023

What: a threat actor compromised the Microsoft Exchange Online mailboxes of 22 organizations and over 500 individuals around the world.

Who: The actor, known as Storm-0558 and assessed to be affiliated with the People’s Republic of China.

How: The actor accessed the accounts using authentication tokens that were signed by a key Microsoft had created in 2016.

When: In May and June 2023

Why: In pursuit of espionage objectives. This intrusion compromised senior United States government representatives working on national security matters, including the email accounts of Commerce Secretary Gina Raimondo, United States Ambassador to the People’s Republic of China R. Nicholas Burns, and Congressman Don Bacon.

Context: SEV-0 rating intrusion. The highest urgency level. This meant that the incident required robust communication, visibility, and coordination across Microsoft and up to its most senior leadership, including its Board of Directors.


The U.S. Department of Homeland Security (DHS) has issued the findings and recommendations report of the Cyber Safety Review Board (CSRB) concerning the review of the summer 2023 Microsoft Exchange Online Intrusion. This report is invaluable from all perspectives, particularly for professionals working in the CyberDetection field.

Following an initial review of the report, below are some of the key insights gleaned:


  • Biggest risk of using cloud infrastructure

Pag 11


  • Must-have custom detection to alert on potential anomalous access to mailboxes

Pag 14


Pag 16

Pag 17


  • 2 main mistakes that left the cloud vulnerable to intrusions
Microsoft's failure to implement automated signing key rotation and lack of an alerting system for aging keys in its consumer MSA identity infrastructure left it vulnerable to intrusions, as read on:


Pag 11



  • The criticality of storing log data for threat hunting or forensic analysis

Pag 15

Pag 16


Pag 25



  • Victim notification via email is a flawed system

Pag 18


  • Out of the 46 different hypotheses being investigated, which one ranked as the top one?

Pag 20


    • Microsoft's security culture was deemed inadequate, supported by substantial evidence and analysis.

    Pag 22


    • Given the reported $17.4 billion in revenue for the third quarter of 2023 (Azure), this sentence is alarming from a business standpoint.
    Pag 22


    • Microsoft customers lack crucial information necessary to conduct their own risk assessments regarding the security of Microsoft Cloud environments.
    Pag 23





    STRATEGY RELATED STATEMENTS TO TAKE INTO CONSIDERATION

    • To prioritize security improvements over feature developments.

    Pag 24

    • The business practice of charging for advanced logging capabilities should stop.
    Pag 24





    Microsoft has not yet determined how Storm-0558 obtained the 2016 MSA key and says that it is continuing to investigate. 


    Source: https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf
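
The two mistakes noted above (no automated signing key rotation and no alerting on aging keys) can be turned into a recurring check over a key inventory. This is an added example, not code from the report or from Microsoft; the inventory format, key names, the 365/30-day thresholds and every date except the 2016 creation year are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values for illustration, not taken from the CSRB report.
MAX_KEY_AGE = timedelta(days=365)   # rotate every signing key within a year
WARN_BEFORE = timedelta(days=30)    # start warning this long before the deadline


@dataclass(frozen=True)
class SigningKey:
    kid: str                             # key identifier
    created: datetime                    # when the key was generated
    trusted: bool                        # validators still accept its signatures
    retired: Optional[datetime] = None   # when it stopped being used for signing


def audit_signing_keys(keys, now, max_age=MAX_KEY_AGE, warn_before=WARN_BEFORE):
    """Return (severity, kid, reason) tuples, critical findings first."""
    findings = []
    for key in keys:
        if not key.trusted:
            continue  # nothing accepts this key any more, so its age is harmless
        age = now - key.created
        if key.retired is not None:
            # Taken out of signing use, yet tokens signed with it still validate.
            reason = f"retired on {key.retired:%Y-%m-%d} but still trusted"
            findings.append(("critical", key.kid, reason))
        elif age > max_age:
            overdue = (age - max_age).days
            findings.append(("critical", key.kid, f"{overdue} days past rotation deadline"))
        elif age > max_age - warn_before:
            due = (max_age - age).days
            findings.append(("warning", key.kid, f"rotation due in {due} days"))
    rank = {"critical": 0, "warning": 1}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))


def utc(year, month, day):
    """Build a timezone-aware UTC date for the sample data."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed inventory: only the 2016 creation year mirrors the incident.
NOW = utc(2023, 6, 1)
SAMPLE_KEYS = [
    SigningKey("key-2016", utc(2016, 1, 1), trusted=True),
    SigningKey("key-2022", utc(2022, 6, 20), trusted=True),
    SigningKey("key-2023", utc(2023, 3, 1), trusted=True),
    SigningKey("key-retired", utc(2021, 1, 1), trusted=True, retired=utc(2022, 1, 1)),
    SigningKey("key-untrusted", utc(2015, 1, 1), trusted=False),
]

if __name__ == "__main__":
    for severity, kid, reason in audit_signing_keys(SAMPLE_KEYS, NOW):
        print(f"{severity.upper():8} {kid:12} {reason}")
```

Run on a schedule against the real key inventory, the critical findings are the ones that should page someone: a key that is still trusted years after creation, or one that was retired from signing but never removed from validation.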


    Monday, 1 April 2024

    Securing hybrid environments: maximizing cybersecurity and cost efficiency with SIEM over EDR

    In today's hybrid environments, where organizations operate a mix of on-premises and cloud infrastructure, cybersecurity teams face daunting challenges in monitoring and securing their digital assets. While both Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) solutions play crucial roles in defending against cyber threats, understanding their respective advantages is essential for maximizing cybersecurity effectiveness. This article explores the complexities of operating SIEM in hybrid environments, introduces the EDR topic, and highlights the advantages of SIEM over EDR in this context.

    Complexities of operating SIEM in hybrid environments

    • Data integration challenges: Integrating security data from disparate sources across hybrid environments, including on-premises servers and cloud platforms, poses significant challenges for SIEM operations. Ensuring seamless data ingestion, normalization, and correlation across diverse environments is essential for effective threat detection and response.
    • Compliance and Governance Complexity: Managing compliance requirements across hybrid environments requires robust monitoring, reporting, and auditing capabilities. SIEM solutions must support compliance with regulations spanning multiple cloud providers and geographic regions, adding complexity to governance and risk management processes. For instance, regional instances of SIEM data only for Switzerland, APAC or restricted EMEA regions pose unique challenges to data governance.
    • Network Visibility: Hybrid environments encompass complex network architectures, including virtual private clouds, multi-cloud deployments, and interconnected on-premises networks. Maintaining visibility into network traffic (without incurring high costs) and communication patterns is essential for detecting and mitigating threats effectively.


    EDR solutions focus on monitoring and securing endpoints, such as desktops, laptops, servers, and mobile devices, against advanced threats and malware. EDR platforms provide real-time visibility into endpoint activities, enabling rapid detection, investigation, and response to security incidents at the endpoint level. While EDR solutions excel in endpoint-focused threat detection and response, their scope is limited compared to the broader visibility offered by SIEM.

    In the dynamic landscape of hybrid environments, achieving robust cybersecurity while managing costs is paramount for organizations. One strategy to balance these priorities involves leveraging SIEM solutions over EDR, particularly by harnessing the concept of security-relevant telemetry.

    Security-relevant telemetry refers to the collection of essential security data, such as logs, network traffic, and endpoint activities, that are indicative of potential threats. By focusing on telemetry that directly contributes to threat detection and response, organizations can optimize their cybersecurity investments and avoid unnecessary data collection, usually tied to compliance related activities, that may inflate costs.

    Security-relevant telemetry provides contextual insight into security events and incidents, enabling more accurate threat detection and response. By correlating telemetry data across diverse sources, including on-premises servers and cloud platforms, organizations can gain a holistic view of their hybrid environment's security posture without the need for additional security tools or solutions.

    SIEM solutions offer centralized visibility into security-relevant telemetry across hybrid environments, enabling organizations to monitor and analyze essential security data in real-time. By aggregating and correlating telemetry data from diverse sources, SIEM enhances threat detection capabilities while minimizing costs associated with managing multiple security tools or platforms.

    Prioritizing SIEM's security-relevant telemetry over EDR allows organizations to optimize their cybersecurity investments by focusing resources on data that directly contribute to threat detection and response. By eliminating unnecessary data collection and analysis, organizations can reduce operational costs associated with managing and maintaining security tools, ultimately maximizing cost efficiency in hybrid environments.

    Organizations should conduct a thorough assessment of their security telemetry needs and rationalize data collection efforts to focus on security-relevant telemetry. This involves identifying critical security data sources and configuring SIEM solutions to prioritize telemetry that aligns with threat detection and response objectives.

    To maintain cost efficiency over time, organizations should continuously optimize their telemetry collection and analysis processes based on evolving cybersecurity requirements and threat landscapes. This includes refining correlation rules, adjusting data retention policies, and leveraging automation to streamline telemetry management operations.

    While both SIEM and EDR solutions are essential components of a robust cybersecurity strategy, organizations operating in hybrid environments can benefit significantly from leveraging the advantages offered by SIEM over EDR. By providing centralized visibility, comprehensive threat detection, and seamless integration with cloud environments, SIEM empowers organizations to effectively monitor, detect, and respond to security threats across diverse on-premises and cloud infrastructure. As organizations continue to navigate the complexities of hybrid environments, investing in robust SIEM solutions will be essential for maximizing cybersecurity effectiveness and safeguarding against evolving threats.