Category: Detect

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In recent months, a cybercrime group known as Blacktail has begun to make headlines as they continue to target organizations around the globe. The group was first spotted by the Unit 42 Team at Palo Alto Networks earlier this year. Since February, the group has launched multiple attacks based on their latest ransomware campaign labeled Buhti.

An interesting detail about the organization is that they do not make their own strains of malware. Rather, they opt to repurpose pre-existing strains to achieve their end goal of monetary gain. Two of the most popular tools that have been used by the cybercrime group are LockBit 3.0 for targets using Windows OS and Babuk for targets using Linux OS. Both LockBit 3.0 and Babuk are strains of ransomware that encrypt files on a victim’s machine and demand payment in exchange for decrypting the files. These tools allow Blacktail to operate using a RaaS (ransomware as a service) model which falls in line with their goal of monetary gain.

Lockbit 3.0 is the latest version of the Lockbit ransomware which was developed by the Lockbit group in early 2020. Since its launch it has been linked to over 1400 attacks worldwide. This has led to the group receiving over $75 million in payouts. This ransomware is most distributed through phishing attacks where the victim clicks on a link which starts the download process.

Babuk is a ransomware that was first discovered in early 2021. Since then, it has been responsible for many cyber-attacks that have been launched against devices using Linux OS. This strain of ransomware serves a similar purpose to Lockbit 3.0 and its main purpose is to compromise files on a victim’s machine and make them inaccessible until the ransom is paid.

Recently, this group has been seen leveraging two different exploits. The first is CVE-2023-27350 which allows attackers to bypass the authentication required to utilize the Papercut NG 22.05 on affected endpoints. They leverage this vulnerability to install programs such as Cobalt Strike, Meterpreter, Sliver, and ConnectWise. These tools are used to steal credentials and move laterally within the target network. The second vulnerability, CVE-2022-47986, which affects the IBM Aspera Faspex File Exchange system allows attackers to perform remote code execution on the target devices.

Blacktail represents a significant threat in the world of cybercrime, employing a wide range of sophisticated methods to attack its victims. From phishing and social engineering to ransomware campaigns and APT attacks, their tactics demonstrate a high level of expertise and organization. To counter such threats, individuals, businesses, and governments must prioritize cybersecurity measures, including robust firewalls, regular software updates, employee training, and incident response plans. The fight against cybercrime requires constant vigilance in order to stay one step ahead of the attackers.

Reference:

https://heimdalsecurity.com/blog/buhti-ransomware-blacktails-newest-operation-affects-multiple-countries/

The post Blacktail: Unveiling the tactics of a notorious cybercrime group appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

While cryptocurrencies have been celebrated for their potential to revolutionize finance, their anonymous nature has also been exploited for illicit activities. From drug dealing and arms trafficking to funding terrorism, black market activities have thrived under the cloak of cryptocurrency’s pseudonymity. According to a report by Chainalysis in 2023, around $21 billion in crypto transactions were linked to illegal activities.

Money laundering, too, has found a home in the crypto space. Overall, between 2017 and 2021, crooks laundered over $33 billion worth of cryptocurrency.

Moreover, tax evasion has surged with crypto’s rise. Crypto traders evading their tax obligations could be costing the Internal Revenue Service upwards of $50 billion annually.

Law enforcement’s response to technological challenges

While the majority of cryptocurrency transactions remain legitimate, these dark sides of cryptocurrency cannot be ignored. Regulatory and law enforcement agencies worldwide have an urgent task ahead: to develop robust mechanisms to combat these illicit uses while supporting the technology’s legitimate growth. We should craft and use Blockchains that are safe and advantageous to everyone except lawbreakers.

There is a long-standing tradition of law enforcement agencies modifying their approaches to chase criminals who exploit the newest technologies for illicit purposes. This adaptability was evident when technologies like fax machines and pagers were invented. Throughout history, the legal system has consistently demonstrated its ability to adapt and grow in order to confront emerging technological challenges.

Even though Blockchain represents a revolutionary development in the finance and tech spheres, it is merely the latest example of how law enforcement must continually innovate and adapt to new technologies. Given this perspective, it is hard to argue that Bitcoin and other coins pose an insurmountable problem for law enforcement.

As Blockchain technology is still young, we have a unique opportunity to enhance law enforcement’s understanding of it and improve its security. Individuals interested in Blockchain should assist law enforcement in understanding and harnessing the potential of this technology.

A practical approach to achieving this is implementing a public-private information-sharing process like the one employed to exchange cybersecurity threat details. These dialogues can establish a mechanism through which the Bitcoin community can contribute their knowledge to help law enforcement overcome challenges encountered during cybercrime investigations.

Challenges for law enforcement in investigating cryptocurrency crimes

Still, certain features of Bitcoin and other popular cryptocurrencies present substantial challenges for law enforcement. Collaborating with distant international counterparts, each with its distinct policies often complicates investigative efforts. Identifying an individual from a Bitcoin address is also not easy. Cryptocurrency exchanges operating in different jurisdictions, the use of mixers and tumblers to obfuscate transactions, and the rapid evolution of technology pose significant hurdles for investigators.

The greatest obstacle in any cybercrime investigation is attributing a specific person to a virtual offense. Prosecutors often attempt to link a particular MAC or IP address, or an email address, to a specific individual. This becomes significantly more challenging when someone utilizes Tor, proxies, or employs privacy coins like Monero.

Another complication arises from the fact that many email providers, as well as cell phone companies, either cannot or do not find it necessary to validate the information their users provide them.

One potential solution to overcome these challenges is to employ data analysis from multiple sources, aiming to isolate and identify the single offender in the crowd.

Advantages of Blockchain for law enforcement

Despite the various challenges it presents, the Blockchain actually offers several advantages to law enforcement. One of the notable benefits is the ability to trace all transactions associated with a particular Bitcoin address, including records dating back to its initial transaction.

Cases like Silk Road, Mt. Gox, and others have showcased the proficiency of law enforcement agencies in tracing transactions on the Blockchain. Carl Force, a DEA agent, faced accusations of pilfering Bitcoins during the Silk Road investigation. During the trial, a chart was presented as evidence, demonstrating how law enforcement successfully tracked the funds across the Blockchain, despite Carl Force’s attempts to divide the transactions among multiple addresses.

Contrary to popular belief, Bitcoin is not as anonymous as many people think. Each Bitcoin address may serve as an account number for an individual. If a person can be linked to a specific address, it becomes possible to access information about all the transactions associated with that person.

If an individual utilizes a crypto wallet to interact with the Blockchain, the wallet organization will associate the address with the individual, similar to how a bank keeps records of its customers and their accounts.

New software tools can identify patterns in Blockchain transactions, such as repeated transactions between specific addresses or sudden large transactions, indicating potential illegal activity and leading to particular people.

The Blockchain operates as a peer-to-peer system, where no single entity has exclusive authority to remove records. It functions as a publicly accessible ledger of data blocks, and it cannot be revised or tampered with. This ability allows law enforcement to track the flow of funds in a manner that was previously impossible.

Law enforcement agencies often face a significant challenge when dealing with phone and Internet companies due to varying regulations regarding the retention of customer data. The process of locating the specific provider that possesses the information needed to trace a high-level cyber-criminal can be time-consuming, spanning multiple providers and even different countries.

Furthermore, there is always a risk that the trail may have gone cold by the time the relevant provider is identified. In contrast, the Blockchain serves as a permanent repository for all data. It retains information indefinitely, ensuring that it is always accessible. This eliminates the need for extensive investigations across multiple providers and offers a streamlined way to obtain the required data.

The Third Party Doctrine states that individuals should not expect confidentiality for data shared with third parties such as ISPs, banks, etc., creating complications for law enforcement. It enables law enforcement to obtain records from ISPs, banks, and cellphone carriers through a subpoena rather than a search warrant. However, Blockchain operates differently in this regard. There are no such complications when it comes to Blockchain. It is straightforward to utilize Blockchain and trace transactions without needing a subpoena. The Blockchain is intentionally designed to be open and accessible to all, eliminating the need for legal procedures to access its data.

When evidence emerges in a foreign country, U.S. law enforcement is required to adhere to the Mutual Legal Assistance Treaty (MLAT) procedure in order to seek assistance from foreign agencies. One significant example highlights the Department of Justice engaging in a legal battle against Microsoft. This case revolved around the question of whether the DOJ possesses the authority to access data stored in a Microsoft data center located in Ireland. Microsoft argued that the DOJ could not employ a search warrant to obtain overseas data and must follow the MLAT procedure instead. However, with Blockchain, such issues do not arise as it allows access from anywhere in the world without the need for MLAT.

Final thoughts

It is an undeniable reality that illegal money transfers will persist. It is impossible to completely eliminate criminals from utilizing Blockchain or the internet as a whole. However, what we can strive for is to develop solutions that make it increasingly challenging for illicit parties to thrive. Law enforcement should concentrate their efforts on the specific areas of the Blockchain where criminal activities frequently emerge. Individuals must collaborate and devise innovative strategies that law enforcement can adopt to combat these challenges effectively.

The post Law enforcement’s battle against Cryptocurrency crime appeared first on Cybersecurity Insiders.

Executive summary

Credential harvesting is a technique that hackers use to gain unauthorized access to legitimate credentials using a variety of strategies, tactics, and techniques such as phishing and DNS poisoning. Phishing is the most frequent type of cyber threat and can lead to more harmful attacks such as ransomware and credential harvesting.

According to recent research, phishing assaults targeted credential harvesting in 71.5% of cases in 2020. 72% of employees admitted to clicking on a phishing email’s malicious link, making it easy for attackers to gather credentials.

Phishing is a type of social engineering attack that tricks victims into disclosing personal information or downloading malicious software. It is one of the most difficult cyber threats to eliminate as it relies on human defenses, and organizations must consistently teach personnel to spot the newest phishing techniques. 

The Managed Extended Detection and Response (MXDR) SOC team received an alert regarding a user clicking on a suspicious URL in an email and the subsequent traffic was allowed. However, ProofPoint effectively rewrote the URL to prevent some of the potential threats. The SOC team notified the customer about the successful phishing attack by creating an investigation report containing all the events between the attack and lockout.

Investigation

Initial alarm review

Indicators of Compromise (IOC)

The first alert was triggered when a user clicked on a link contained in a phishing email, which was permitted to pass through. The email’s content was crafted to deceive the user into divulging their login credentials. Because the link’s URL did not have a signature indicating a poor reputation on Open-Source Intelligence (OSINT), ProofPoint did not intercept the initial click.

Expanded investigation

Events search / Event deep dive

While investigating phishing cases, you must check all recipients who received the same phishing email and who clicked the attachment URL, and whether the firewall allowed the HTTP URL request or not. A review of the previous ninety days of events revealed there was one additional recipient, however, logs showed the email was quarantined after user’s click. The first click on the malicious URL by the initial user was allowed. However, ProofPoint’s URL defense feature conducted a heuristic behavioral-based analysis and determined the URL to be malicious. As a result, the second click by the initial user and any subsequent clicks by other users were effectively blocked by ProofPoint.

After conducting an OSINT analysis, it was determined that the sender’s email fails to pass DMARC (Domain Message Authentication Reporting and Conformance), and MX record authentication. This raises concerns regarding the legitimacy of the email. Also, OSINT searches indicate that both recipient emails have been compromised, though the exact time remains unknown.

DMARC is a protocol used to authenticate emails and prevent phishing attacks by verifying the sender’s domain. It checks if the sender’s domain matches the domain in the emails “From” header. If they do not match, the email is fraudulent and can be rejected or marked as spam. On the other hand, MX records are DNS records that specify the mail server responsible for accepting email messages on behalf of a domain. Attackers can use MX records to redirect email traffic to a fraudulent mail server and steal sensitive information. Therefore, DMARC and MX records are crucial in preventing phishing attacks by ensuring that email traffic is directed to legitimate mail servers and verifying the authenticity of email senders.

Further investigation into the email’s URL using advanced tools like Urlscan.io and screenshotmachine.com identified it as malicious – attempting to extract user outlook credentials. However, the attachments’ file hash has no OSINT record, which renders static analysis impossible to determine whether the file attachment poses a threat or not. Therefore, it would be a good option to identify the file by analyzing it with a full sandbox* analysis.

A sandbox is a controlled environment used to test software and applications without affecting the host system. Sandboxing is important because it helps to identify and mitigate potential security vulnerabilities, viruses, and malware. It also minimizes the risk of damage to the production system by limiting the impact of potential threats to the sandbox, providing an extra layer of security against malicious activity.

Reviewing for additional indicators

At this point, the attacker tried to get “Initial Access (tactic)” into the network by using a “phishing” technique based on the Mitre Att&ck Framework.

During the initial access phase of a cyberattack, attackers use techniques like exploiting vulnerabilities or phishing to gain their first foothold in a network. This foothold then enables them to conduct further attacks. To prevent this, organizations should have a robust defense strategy and perform regular security assessments.

ProofPoint approach

ProofPoint’s URL Defense feature works to protect users from malicious links. This feature uses a two-step approach to ensure maximum protection.

Firstly, if a URL doesn’t have any known malicious signatures, ProofPoint’s URL Defense feature allows the user to click on it using a “URL rewritten” feature. This feature prevents many types of malicious activity, but it’s important to note that until ProofPoint’s heuristic-based analysis determines whether the URL has any potentially malicious behavior, the user may be vulnerable to credential loss if they share their credentials.

Once the user clicks on a URL, ProofPoint’s system analyzes the destination website to identify any potential signs of malicious behavior. If any suspicious activity is detected, access to the website is blocked, and a warning message is displayed to the user. However, if the system doesn’t detect any malicious behavior, the user is able to proceed to the destination website.

It’s important to note that ProofPoint’s URL Defense feature provides significant protection against malicious links, but it may not be able to detect every instance of phishing or malware-based attacks. Therefore, users should remain vigilant when clicking on links in emails and take additional security measures such as multi-factor authentication and employee training to help mitigate the risk of credential loss.

Response

Building the investigation

An investigation was created by following the incident response process. The investigation included identifying the incident, finding the root cause of the incident and Indicators of compromise. Then we made recommendations to the customer on mitigation/remediation steps. We communicated with the customer to ensure necessary actions are executed.

Recommended mitigation steps were:

• Resetting the account password to a stronger one
• Removing the email and email attachments
• Enabling Multi-Factor Authentication (MFA).
• Blocking the URL domain and IP.
• Running an antivirus scan on the asset.

Incident response is an organizational approach and process to manage cybersecurity breaches, incidents, or cyberattacks. It includes multiple steps:

• Identifying an incident/attack
• Minimizing damage
• Eradicating the root cause
• Minimizing recovery cost and time
• Learning lessons from the incident
• Taking preventative action

Customer interaction

The MXDR team responded quickly to the incident and worked with the customer to identify the problem. They confirmed that someone lost their account credentials, but fortunately, no suspicious logins were detected before the account was disabled. The company confirmed they followed the recommended steps, so the email and attachments were quarantined, the URL blocked, and the affected device was scanned by antivirus.

The post Stories from the SOC: Fighting back against credential harvesting with ProofPoint appeared first on Cybersecurity Insiders.

Executive Summary

Killnet is a hacktivist group based in Russia that has been active since at least 2015. The group is known for launching DDoS attacks on a diverse range of industries, including state and local governments, telecommunications, and defense.

Killnet has been linked to several high profile attacks, including distributed denial-of-service (DDoS) attacks against U.S. airports and Elon Musk’s Starlink satellite broadband service.

The motivations behind these attacks vary, but recently, they have primarily targeted those who are the most vocal supporters of Ukraine and its political agenda.

The aim of this threat hunt is to create a virtual attack environment that simulates Killnet’s tactics, techniques, and procedures (TTPs). Subsequently, detections and threat hunt queries will be written to proactively identify the emulated TTPs while compensating for the limitations of traditional IOC historical searches.

The results of the threat hunt will include high-level dashboards, code, and network artifacts generated from the attack range, which will be used to explain how a hypothesis was formed. The outcomes will also contain the pseudo and translated query logic in a format that can be utilized by tools such as Suricata, Snort, Splunk, and Zeek. The query output will then be employed to confirm the initial hypothesis generated.

Network Artifacts

To emulate the attack, cc.py was utilized to generate continuous HEAD requests against an Apache server, refer to Appendix A for further details. Once the attack was launched, the captured log traffic was examined, as shown in Figure 1 and Figure 2. Upon reviewing the HEAD HTTP traffic, it was discovered that the digits between the ranges of 11-12 appeared after “HEAD /?” consistently. This pattern will serve as the basis for our first hypothesis, as outlined in the next section.

Figure 3 also contains the Apache logs that were generated on the server as the attack script kept trying to access different files in the ‘/var/www/html/’ directory. The script reiterates in a brute force type style, until CPU resources are rendered exhausted by sheer traffic volume.

Figure 1 –Wireshark – Dynamically Generated 11-12 Digits

Figure 2 –Wireshark – Forged Referrer & Anonymized IPs

Figure 3 – Splunk – Apache Server Error Logs – Failed File Access Attempts

Detection Guidance

Perl compatible regular expressions can be used to leverage the context derived from the packet capture during threat analysis, as shown in Figure 1. This allows us to write Suricata/Snort rules that will match observed patterns in headers. Detections tend to scale more than hunt queries and can be applied strategically on a per sensor basis. Specifically, the following rule will match any instance when an HTTP HEAD request containing 11-12 digits has been captured by a network sensor on a forward looking basis. This serves as our first hypothesis to identify the usage of DDoS HEAD floods:

alert tcp any any -> any any (msg:”Killnet cc.py DDoS HTTP HEAD Flood”; content:”HEAD”; depth:4; content:” /?”; distance:0; content:” HTTP/1.1|0d0a|Host: “; distance:0; fast_pattern; content:”.”; distance:1; within:3; content:”.”; distance:1; within:3; content:”.”; distance:1; within:3; content:”|0d0a|Referer: https://”; distance:0; content:”|0d0a|Accept-Language: “; distance:0; content:”|0d0a|Accept-Charset: “; distance:0; content:”|0d0a|Connection: Keep-Alive|0d0a0d0a|”; distance:0; pcre:”/^HEADx20/?[0-9]{11,12}x20HTTP/”; sid:10000001;)

Hypothesis #1

Hunting Process

The following is a Splunk hunt query that utilizes the Zeek/Bro dataset to identify “High connections from common source over a short amount of time”. The query breaks the time column (shown in Figure 2) into 1-second chunks. Once an appropriate threshold has been established, the “where count > 10” statement can be adjusted accordingly to search retroactively within the last 7 days from when the activity was first observed. This query serves as our second hypothesis to identify the usage of DDoS HEAD floods:

index=zeek sourcetype=zeek_conn | eval datetime=strftime(ts,”%Y-%m-%d %H:%M:%S”) | bucket span=1s datetime | stats count by datetime, id.orig_h | where count > 10 | rename datetime as “Date & Time” id.orig_h as “Attacker IP”

Hypothesis #2

Appendix A – Adversary Emulation

Cc.py is a Python tool publicly available on the internet that can be used for Layer 7 DDoS attacks. The tool, created by a student in 2020, uses various dynamic characteristics to launch DDoS attacks against web assets. The script automates the process of using open proxy servers to relay attacks while maintaining anonymity, which can render traditional IP-based blocking techniques ineffective.

Figure 4 depicts a Python function called “head” that performs an HTTP HEAD request to a target server. The function takes two arguments: “event” and “proxy type”. These arguments control the flow of the request and specify the type of open proxy to leverage. Additionally, the code concatenates the variables where the forged/randomized headers will be used.

Figure 4 – cc python script

To generate a dynamic list of compromised open proxies that will be used to relay attacks on behalf of the attacker, the following command is utilized:

python3 cc.py –down –f proxy.txt –v 5

Once the list is generated, the following command is used to launch an attack against a server running Apache web server within the attack range. The command specifies the use of the “head” module and sets the duration of the attack to 30 seconds. The “head” module floods the target server with continuous HTTP HEAD requests until it is knocked offline.

python3 cc.py –url http:// -f proxy.txt –m head –v 4 –s 30

Appendix B – IOCs

At OTX pulse was created listing over the 12K+ indicators from this research.

https://otx.alienvault.com/pulse/642dd6df987a88229012d214

References

https://github.com/Leeon123/CC-attack

https://securityresearch.samadkhawaja.com/

The post Threat Hunt: KillNet’s DDoS HEAD Flood Attacks – cc.py appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

OpenAI’s flagship product, ChatGPT, has dominated the news cycle since its unveiling in November 2022. In only a few months, ChatGPT became the fastest-growing consumer app in internet history, reaching 100 million users as 2023 began.

The generative AI application has revolutionized not only the world of artificial intelligence but is impacting almost every industry. In the world of cybersecurity, new tools and technologies are typically adopted quickly; unfortunately, in many cases, bad actors are the earliest to adopt and adapt.

This can be bad news for your business, as it escalates the degree of difficulty in managing threats. 

Using ChatGPT’s large language model, anyone can easily generate malicious code or craft convincing phishing emails, all without any technical expertise or coding knowledge. While cybersecurity teams can leverage ChatGPT defensively, the lower barrier to entry for launching a cyberattack has both complicated and escalated the threat landscape.

Understanding the role of ChatGPT in modern ransomware attacks

We’ve written about ransomware many times, but it’s crucial to reiterate that the cost to individuals, businesses, and institutions can be massive, both financially and in terms of data loss or reputational damage.

With AI, cybercriminals have a potent tool at their disposal, enabling more precise, adaptable, and stealthy attacks. They’re using machine learning algorithms to simulate trusted entities, create convincing phishing emails, and even evade detection.

The problem isn’t just the sophistication of the attacks, but their sheer volume. With AI, hackers can launch attacks on an unprecedented scale, exponentially expanding the breadth of potential victims. Today, hackers use AI to power their ransomware attacks, making them more precise, adaptable, and destructive.

Cybercriminals can leverage AI for ransomware in many ways, but perhaps the easiest is more in line with how many ChatGPT users are using it: writing and creating content. For hackers, especially foreign ransomware gangs, AI can be used to craft sophisticated phishing emails that are much more difficult to detect than the poorly-worded message that was once so common with bad actors (and their equally bad grammar). Even more concerning, ChatGPT-fueled ransomware can mimic the style and tone of a trusted individual or company, tricking the recipient into clicking a malicious link or downloading an infected attachment.

This is where the danger lies. Imagine your organization has the best cybersecurity awareness program, and all your employees have gained expertise in deciphering which emails are legitimate and which can be dangerous. Today, if the email can mimic tone and appear 100% genuine, how are the employees going to know? It’s almost down to a coin flip in terms of odds.

Furthermore, AI-driven ransomware can study the behavior of the security software on a system, identify patterns, and then either modify itself or choose the right moment to strike to avoid detection.

Trends and patterns in ChatGPT-themed cybercrimes

While the vast majority of people use ChatGPT for benign or beneficial purposes, the notable uptick in ChatGPT-themed suspicious activities is cause for concern. These threats include the creation of malicious code, phishing schemes, and of course ransomware — often exploiting the advanced capabilities of ChatGPT to enhance their effectiveness.

The majority of patterns and trends in these activities are not ransomware-related; however, they provide invaluable insights for security experts to proactively respond to these challenges.

Creation of malware using ChatGPT

A self-proclaimed novice reportedly created a powerful data-mining malware using just ChatGPT prompts within a few hours.

ChatGPT imposters

Malware operators and spammers read the news, too, and are following trends and high-engagement topics, leading to an increase in malicious ChatGPT imposters.

Malware campaigns using ChatGPT

ChatGPT is everywhere. Meta took steps to take down more than 1,000 malicious URLs that were found to leverage ChatGPT.

Cybercriminals using ChatGPT

ChatGPT cybercrime is popular with hackers. A thread named “ChatGPT – Benefits of Malware” appeared on a popular underground hacking forum, indicating that cybercriminals are starting to use ChatGPT.

ChatGPT-themed lures

Watch out: hackers are using ChatGPT-themed malware to take over online accounts.

ChatGPT phishing attacks

Finally, these phishing attacks are the most concerning for organizations defending against ransomware. The ChatGPT “Banker” phishing attack involves fake webpages and a trojan virus.

Copycat Chatbots and their threat to Cybersecurity

The success and visibility of OpenAI’s ChatGPT inevitably leads to another cybersecurity concern — the rise of copycat chatbots. These are AI models developed by other groups or individuals seeking to mimic the functionalities and capabilities of ChatGPT, often with less stringent ethical guidelines and fewer protective measures.

There are two key issues that arise from these imitation chatbots. First, they often lack the advanced protective guardrails that have been incorporated into ChatGPT, leaving them more open to misuse. These bots could easily become tools for generating malicious code, crafting phishing emails, or designing ransomware attacks.

Next, these copycat chatbots are frequently hosted on less secure platforms, which may be susceptible to cyber-attacks. Hackers could potentially compromise these platforms to gain control of the chatbots and manipulate their capabilities for nefarious purposes.

Copycat chatbots present the risk of amplifying misinformation and fostering cybercrime. As they lack the same level of scrutiny and oversight as ChatGPT, they could be used to disseminate deceptive content on a large scale.

Proactive measures you can take to combat AI-enhanced ransomware threats

Despite the escalating threat, the outlook is not hopeless.

As always, good security hygiene can go a long way in bolstering your defenses. The advice hasn’t changed, but it bears repeating.

Regular updates and patches: Ensure that all your software, including your operating system and applications, are up to date.

Avoid suspicious emails/links: Be wary of emails from unknown sources and don’t click on suspicious links. Remember, AI can be used to mimic trusted contacts.

Back up your data: Regularly backing up data is a simple yet effective way of mitigating the potential damage of a ransomware attack. The more data you have backed up, the easier it is to recover from a potential disaster.

Promote a culture of security awareness: Learn about the latest threats and techniques used by hackers. The better your company and all employees understand these tactics, the easier it will be to recognize and avoid potential threats.

If you do fall victim to a ransomware attack, don’t panic. Disconnect from the internet, report the incident to local authorities, and consider seeking professional help to mitigate the damage. In most cases, paying the ransomware is not recommended.

While AI can pose a threat when in the hands of hackers, it can also be a potent ally in your defense. AI-driven cybersecurity solutions are becoming more prevalent and can help you combat these advanced threats. These solutions use machine learning to recognize patterns, anticipate threats, and respond in real-time. By adopting AI-based security tools, you’re not just reacting to cyber threats, but proactively defending against them.

How AT&T Cybersecurity can help defend against ransomware

If your company lacks cybersecurity expertise, you may consider hiring trusted and experienced consultants to help you out. Take control by proactively making your company a place that cybercriminals do not want to visit.

With AT&T Cybersecurity incident response service, you’ll be well-positioned to:

• Prevent data breaches
• Quickly respond to attacks and mitigate impact
• Minimize impacts of a potential breach
• Quickly analyze and recover from the breach
• Mitigate security risk
• Improve incident response
• Leverage an “all hands on deck” approach, which includes in-depth digital forensic analysis, breach, support and compromise detection

The post Rise of AI in Cybercrime: How ChatGPT is revolutionizing ransomware attacks and what your business can do appeared first on Cybersecurity Insiders.

A way to manage too much data

To protect the business, security teams need to be able to detect and respond to threats fast. The problem is the average organization generates massive amounts of data every day. Information floods into the Security Operations Center (SOC) from network tools, security tools, cloud services, threat intelligence feeds, and other sources. Reviewing and analyzing all this data in a reasonable amount of time has become a task that is well beyond the scope of human efforts.

AI-powered tools are changing the way security teams operate. Machine learning (which is a subset of artificial intelligence, or “AI”)—and in particular, machine learning-powered predictive analytics—are enhancing threat detection and response in the SOC by providing an automated way to quickly analyze and prioritize alerts.

Machine learning in threat detection

So, what is machine learning (ML)? In simple terms, it is a machine’s ability to automate a learning process so it can perform tasks or solve problems without specifically being told do so. Or, as AI pioneer Arthur Samuel put it, “. . . to learn without explicitly being programmed.”

ML algorithms are fed large amounts of data that they parse and learn from so they can make informed predictions on outcomes in new data. Their predictions improve with “training”–the more data an ML algorithm is fed, the more it learns, and thus the more accurate its baseline models become.

While ML is used for various real-world purposes, one of its primary use cases in threat detection is to automate identification of anomalous behavior. The ML model categories most commonly used for these detections are:

Supervised models learn by example, applying knowledge gained from existing labeled datasets and desired outcomes to new data. For example, a supervised ML model can learn to recognize malware. It does this by analyzing data associated with known malware traffic to learn how it deviates from what is considered normal. It can then apply this knowledge to recognize the same patterns in new data.

Unsupervised models do not rely on labels but instead identify structure, relationships, and patterns in unlabeled datasets. They then use this knowledge to detect abnormalities or changes in behavior. For example: an unsupervised ML model can observe traffic on a network over a period of time, continuously learning (based on patterns in the data) what is “normal” behavior, and then investigating deviations, i.e., anomalous behavior.

Large language models (LLMs), such as ChatGPT, are a type of generative AI that use unsupervised learning. They train by ingesting massive amounts of unlabeled text data. Not only can LLMs analyze syntax to find connections and patterns between words, but they can also analyze semantics. This means they can understand context and interpret meaning in existing data in order to create new content.

Finally, reinforcement models, which more closely mimic human learning, are not given labeled inputs or outputs but instead learn and perfect strategies through trial and error. With ML, as with any data analysis tools, the accuracy of the output depends critically on the quality and breadth of the data set that is used as an input.

A valuable tool for the SOC

The SOC needs to be resilient in the face of an ever-changing threat landscape. Analysts have to be able to quickly understand which alerts to prioritize and which to ignore. Machine learning helps optimize security operations by making threat detection and response faster and more accurate.

ML-powered tools automate and improve the analysis of large amounts of event and incident data from multiple different sources in near real time. They identify patterns and anomalies in the data and then prioritize alerts for suspected threats or critical vulnerabilities that need patching. Analysts use this real-time intelligence to enhance their own insights and understand where they can scale their responses, or where there are time-sensitive detections they need to investigate.

Traditional threat detection methods, such as signature-based tools that alert on known bad traffic can be augmented with ML. By combining predictive analytics that alert based on behavioral anomalies with existing knowledge about bad traffic, ML helps to reduce false positives.

ML also helps make security operations more efficient by automating workflows for more routine security operations response. This frees the analyst from repetitive, manual, and time-consuming tasks and gives them time to focus on strategic initiatives.

New capabilities enhance threat intelligence in USM Anywhere

The USM Anywhere platform has long utilized both supervised and unsupervised machine learning models from AT&T Alien Labs and the AT&T Alien Labs Open Threat Exchange (OTX) for most of its curated threat intelligence. The Open Threat Exchange is among the largest threat intelligence sharing platforms in the world. Its more than 200,000 members contribute new intelligence to the platform on a daily basis.

Alien Labs uses ML models in several ways, including to automate  the extraction of indicators of compromise (IOCs) from user threat intelligence submissions in the OTX and then enrich these IOCs with context, such as associated threat actors, threat campaigns, regions and industries being targeted, adversary infrastructure, and related malware.

The behind-the-scenes capabilities in USM Anywhere have been reinforced by new, high-value machine learning models to help security teams find today’s most prevalent threats.

These new models help the platform generate higher-confidence alerts with less false positives and provide advanced behavioral detections to facilitate more predictive identification of both insider and external threats. Its supervised models can identify and classify malware into clusters and families to predict behaviors. They can also detect obfuscated PowerShell commands, domain generation algorithms, and new command-and-control infrastructure.

Since the platform has an extensible architecture, new models can be introduced as the threat landscape dictates, and existing models can be continuously refined.

For more on how machine learning is transforming today’s SOC and to learn how the USM Anywhere platform’s own analytics capabilities have evolved, tune in to our webinar on June 28.

Register now!

The post Toward a more resilient SOC: the power of machine learning appeared first on Cybersecurity Insiders.

Introduction

In recent years, the field of cybersecurity has witnessed a significant influx of professionals from non-Information Technology (IT) backgrounds who are making the leap into this dynamic industry. As a cybersecurity technical developer and instructor, I have had the privilege of delivering many customers in-person and virtual training courses and meeting numerous individuals seeking to transition into cybersecurity from diverse non-IT related fields.

I can remember Cindy, a lawyer in a large firm, not really finding fulfillment after a “boring” eighteen months at the firm. Also, Ann, an actress with over 17 successful years of movie and theater experience, wanting to get into the industry for higher income to support her daughter. Then Richard, a radiologist tired of the customer abuse he was receiving and wanting more in life.

Everything starts with the right mindset at the onset; and not every career in cybersecurity is deeply technical.

Cybersecurity is a broad field and cybersecurity professionals may do their jobs in a variety of ways. This includes the following roles – keeping in mind that at least two of them are not 100% technical.

• They can have roles that protect a company’s internal networks and data from outside threat actors as information security professionals.
• They can have roles in risk management where they can confirm businesses take appropriate measures to protect against cybercrime.
• They can have roles where they can confirm businesses comply with local, state, and federal cybersecurity and data protections laws.

Aside from being super solid on the OSI Model, hands-on TCP/IP, networking skills, a couple of industry certifications, a drive to self-study, some basic coding and a couple of bootcamps, an aspiring cybersecurity professional must also consider their skills. They bring things to the table from the fields where they come from, which are useful, fully transferable and appreciated!

Sometimes as “seasoned professionals” we forget to investigate fresh ways to pivot in incident response (IR) scenarios for example.

Technical skills can, with some education, hands-on practice, and self-study, be mastered, but the main ones that you will need for the transition are not going to be found in the classroom, or in the computer screen. These are the face-to-face interactions we have with friends, family, coworkers, and strangers. In other words, the soft skills; those skills that cannot be coded or productized but indeed can be monetized. 

Transitioning from entertainment/law/health and many other industries to the cybersecurity field does bring valuable transferable skills. In this article I aim to explore the many valuable skills career changers bring to the table and highlight seven essential skills they must possess to successfully embark on this exciting and amazing journey.   

Attention to detail:

Actors pay great attention to detail, focusing on nuances in dialogue, characterization, and stage directions. In cybersecurity, meticulousness is essential when reviewing code, identifying vulnerabilities, conducting security assessments, and analyzing logs. Her ability to spot inconsistencies and pay attention to minute details can be valuable.

Radiology technicians work with complex medical imaging equipment, where precision and attention to detail are crucial. This skill translates well to the cybersecurity field, where professionals need to analyze large amounts of data, identify vulnerabilities, and detect potential threats with accuracy.

Lawyers pay great attention to detail when reviewing legal documents, contracts, and evidence. This attention to detail can be valuable in cybersecurity, where professionals must review policies, analyze security controls, and identify potential vulnerabilities. They can also contribute to ensuring cybersecurity practices align with legal and regulatory standards.

Communication and persuasion skills:

Radiology technicians often collaborate with radiologists, other healthcare professionals, and patients, conveying complex medical information effectively. This communication skill is essential in the cybersecurity field, where professionals need to explain technical concepts to non-technical stakeholders, present findings, and provide guidance on security measures.

Ann, as an actress, she has likely honed excellent verbal and nonverbal communication skills. This skill is crucial in cybersecurity, as professionals need to effectively convey complex technical concepts to non-technical stakeholders, write clear reports, and collaborate with team members.

Lawyers are skilled in written and oral communication, as they draft legal documents, argue cases, and negotiate on behalf of their clients. In cybersecurity, effective communication is vital for conveying complex technical concepts, presenting findings to stakeholders, and advocating for security measures. Cindy’s ability to articulate and persuade can be beneficial in this field.

Analytical thinking, research skills, and adaptability:

Lawyers are trained to analyze complex legal issues, conduct thorough research, and extract relevant information from vast amounts of data. These analytical and research skills can be applied to cybersecurity, where professionals need to investigate security incidents, analyze threats, and evaluate legal implications of cybersecurity practices.

Radiology technicians analyze and interpret medical images, looking for abnormalities and making diagnostic decisions. This analytical mindset is highly relevant in cybersecurity, where professionals need to assess and analyze complex systems, identify patterns, and evaluate potential risks and vulnerabilities.

Actors often face diverse roles and quickly adapt to different characters, settings, and situations. This adaptability translates well to the dynamic and ever-evolving nature of the cybersecurity field. The ability to learn and adapt to new technologies, methodologies, and threats is crucial for success.

Problem-solving and critical thinking:

Actors regularly encounter challenges during rehearsals and performances and need to find creative solutions. This skillset is valuable in cybersecurity, where professionals face intricate problems related to system vulnerabilities, breaches, and data protection. Ann can leverage her creative problem-solving abilities to analyze and mitigate risks effectively.

Lawyers are trained to identify and solve legal problems by applying critical thinking skills. This ability to assess situations, identify key issues, and propose logical solutions is valuable in the cybersecurity field, where professionals encounter complex technical challenges and need to mitigate security risks.

Radiology technicians often encounter challenges while operating imaging equipment, troubleshooting technical issues, or adapting to unique patient circumstances. This problem-solving ability is valuable in the cybersecurity field, where professionals face complex security issues, breaches, and emerging threats. Richard can leverage his experience to approach cybersecurity challenges systematically.

Compliance, legal, and regulatory knowledge:

In the healthcare field, radiology technicians must adhere to strict privacy and compliance regulations, such as HIPAA (Health Insurance Portability and Accountability Act). This familiarity with regulatory frameworks and data protection can be advantageous in the cybersecurity field, where professionals must navigate various compliance requirements, such as GDPR (General Data Protection Regulation) or PCI DSS (Payment Card Industry Data Security Standard).

With a background in law, Cindy possesses a strong understanding of legal frameworks, regulations, and compliance requirements. This knowledge is crucial in the cybersecurity field, where professionals must navigate various laws and regulations pertaining to data privacy, intellectual property, and cybersecurity standards.

In the entertainment industry, as an actress, Ann has encountered contracts and agreements throughout her career, such as talent contracts, license agreements, or production contracts. She may have developed an understanding of copyright laws, trademarks, intellectual property (IP) and trade secrets during her career. This knowledge can be valuable in cybersecurity where professionals need to safeguard sensitive information, protect proprietary systems, and ensure compliance with IP laws. In the same manner, she will have a solid understanding of the importance of data protection, confidentiality, and consent, when working with sensitive information in the cybersecurity field.

Ethical mindset and ethical hacking skills:

Integrity and an ethical mindset are fundamental prerequisites for success in the cybersecurity industry. Professionals in this field handle sensitive information and possess immense power to protect or exploit digital assets. Career changers should understand the ethical considerations surrounding cybersecurity and uphold the principles of integrity, confidentiality, and privacy.  

Additionally, possessing strong ethical hacking skills can be advantageous. Ethical hackers, known as penetration testers or white hat hackers, play a crucial role in identifying vulnerabilities within systems and networks, helping organizations fortify their defenses against malicious actors.

Teamwork and collaboration:

This is the one that is most transferable for all three “non-IT related” fields. Perhaps it’s time that we in cybersecurity put on our humble hats on accept our new brothers and sisters where we will always find a plethora of unique experiences directly transferable and are 1000% “IT Related”. Career changers can bridge the gap between technical and non-technical teams, fostering a more secure and productive environment.

Conclusion:

By honing their analytical abilities, career changers can excel in threat analysis, incident response, and vulnerability assessment—key areas in which cybersecurity professionals are in high demand.

As the cybersecurity industry continues to grow rapidly, individuals from non-IT backgrounds are increasingly venturing into this field. While career changers bring diverse perspectives, they must possess certain essential skills to thrive in the cybersecurity domain.

Adaptability, analytical thinking, communication and collaboration, and an ethical mindset, are crucial abilities that aspiring cybersecurity professionals must acquire. By embracing these skills, career changers can successfully transition into this exciting industry, contribute to the ever-expanding and cross-pollinated disciplines of the cybersecurity workforce, and help safeguard digital ecosystems against emerging threats.

The very last thing is job interview preparation. That goes without saying. If you’re transferring internally to a cybersecurity position, or if you are coming in new, nailing the interview is paramount. The hard skills will get you the interview; the “soft” skills will get you the dream job of your future. Interview practice is another topic that plays a huge role in getting hired, but mastering the interview is another topic for another day.

We must act NOW and push for diversity and engrain it into our everyday life. If we hire people from diverse backgrounds, we gain the benefit of different viewpoints and different ways of thinking that we had not thought about. This will enrich and make it where we can go to work and have fun while doing already challenging tasks. 

The post Cybersecurity is not a tool or software piece; is a state of mind: Bridging the gap for career changers appeared first on Cybersecurity Insiders.

I. Introduction

AI’s transformative power is reshaping business operations across numerous industries. Through Robotic Process Automation (RPA), AI is liberating human resources from the shackles of repetitive, rule-based tasks and directing their focus towards strategic, complex operations. Furthermore, AI and machine learning algorithms can decipher the huge sets of data at an unprecedented speed and accuracy, giving businesses insights that were once out of reach. For customer relations, AI serves as a personal touchpoint, enhancing engagement through personalized interactions.

As advantageous as AI is to businesses, it also creates very unique security challenges. For example, adversarial attacks that subtly manipulate the input data of an AI model to make it behave abnormally, all while circumventing detection. Equally concerning is the phenomenon of data poisoning where attackers taint an AI model during its training phase by injecting misleading data, thereby corrupting its eventual outcomes.

It is in this landscape that the Zero Trust security model of ‘Trust Nothing, Verify Everything’, stakes its claim as a potent counter to AI-based threats. Zero Trust moves away from the traditional notion of a secure perimeter. Instead, it assumes that any device or user, regardless of their location within or outside the network, should be considered a threat.

This shift in thinking demands strict access controls, comprehensive visibility, and continuous monitoring across the IT ecosystem. As AI technologies increase operational efficiency and decision-making, they can also become conduits for attacks if not properly secured. Cybercriminals are already trying to exploit AI systems via data poisoning and adversarial attacks making Zero Trust model’s role in securing these systems is becomes even more important.

II. Understanding AI threats

Mitigating AI threats risks requires a comprehensive approach to AI security, including careful design and testing of AI models, robust data protection measures, continuous monitoring for suspicious activity, and the use of secure, reliable infrastructure. Businesses need to consider the following risks when implementing AI.

Adversarial attacks: These attacks involve manipulating an AI model’s input data to make the model behave in a way that the attacker desires, without triggering an alarm. For example, an attacker could manipulate a facial recognition system to misidentify an individual, allowing unauthorized access.

Data poisoning: This type of attack involves introducing false or misleading data into an AI model during its training phase, with the aim of corrupting the model’s outcomes. Since AI systems depend heavily on their training data, poisoned data can significantly impact their performance and reliability.

Model theft and inversion attacks: Attackers might attempt to steal proprietary AI models or recreate them based on their outputs, a risk that’s particularly high for models provided as a service. Additionally, attackers can try to infer sensitive information from the outputs of an AI model, like learning about the individuals in a training dataset.

AI-enhanced cyberattacks: AI can be used by malicious actors to automate and enhance their cyberattacks. This includes using AI to perform more sophisticated phishing attacks, automate the discovery of vulnerabilities, or conduct faster, more effective brute-force attacks.

Lack of transparency (black box problem): It’s often hard to understand how complex AI models make decisions. This lack of transparency can create a security risk as it might allow biased or malicious behavior to go undetected.

Dependence on AI systems: As businesses increasingly rely on AI systems, any disruption to these systems can have serious consequences. This could occur due to technical issues, attacks on the AI system itself, or attacks on the underlying infrastructure.

III. The Zero Trust model for AI

Zero Trust offers an effective strategy to neutralize AI-based threats. At its core, Zero Trust is a simple concept: Trust Nothing, Verify Everything. It rebuffs the traditional notion of a secure perimeter and assumes that any device or user, whether inside or outside the network, could be a potential threat. Consequently, it mandates strict access controls, comprehensive visibility, and continual monitoring across the IT environment. Zero Trust is an effective strategy for dealing with AI threats for the following reasons:

• Zero Trust architecture: Design granular access controls based on least privilege principles. Each AI model, data source, and user is considered individually, with stringent permissions that limit access only to what is necessary. This approach significantly reduces the threat surface that an attacker can exploit.
• Zero Trust visibility: Emphasizes deep visibility across all digital assets, including AI algorithms and data sets. This transparency enables organizations to monitor and detect abnormal activities swiftly, aiding in promptly mitigating AI-specific threats such as model drift or data manipulation.
• Zero Trust persistent security monitoring and assessment: In the rapidly evolving AI landscape, a static security stance is inadequate. Zero Trust promotes continuous evaluation and real-time adaptation of security controls, helping organizations stay a step ahead of AI threats.

IV. Applying Zero Trust to AI

Zero Trust principles can be applied to protect a business’s sensitive data from being inadvertently sent to AI services like ChatGPT or any other external system. Here are some capabilities within Zero Trust that can help mitigate risks:

Identity and Access Management (IAM): IAM requires the implementation of robust authentication mechanisms, such as multi-factor authentication, alongside adaptive authentication techniques for user behavior and risk level assessment. It is vital to deploy granular access controls that follow the principle of least privilege to ensure users have only the necessary access privileges to perform their tasks.

Network segmentation: This involves dividing your network into smaller, isolated zones based on trust levels and data sensitivity, and deploying stringent network access controls and firewalls to restrict inter-segment communication. It also requires using secure connections, like VPNs, for remote access to sensitive data or systems.

Data encryption: It is crucial to encrypt sensitive data both at rest and in transit using robust encryption algorithms and secure key management practices. Applying end-to-end encryption for communication channels is also necessary to safeguard data exchanged with external systems.

Data Loss Prevention (DLP): This involves deploying DLP solutions to monitor and prevent potential data leaks, employing content inspection and contextual analysis to identify and block unauthorized data transfers, and defining DLP policies to detect and prevent the transmission of sensitive information to external systems, including AI models.

User and Entity Behavior Analytics (UEBA): The implementation of UEBA solutions helps monitor user behavior and identify anomalous activities. Analyzing patterns and deviations from normal behavior can detect potential data exfiltration attempts. Real-time alerts or triggers should also be set up to notify security teams of any suspicious activities.

Continuous monitoring and auditing: Deploying robust monitoring and logging mechanisms is essential to track and audit data access and usage. Utilizing Security Information and Event Management (SIEM) systems can help aggregate and correlate security events. Regular reviews of logs and proactive analysis are necessary to identify unauthorized data transfers or potential security breaches.

Incident response and remediation: Having a dedicated incident response plan for data leaks or unauthorized data transfers is crucial. Clear roles and responsibilities for the incident response team members should be defined, and regular drills and exercises conducted to test the plan’s effectiveness.

Security analytics and threat intelligence: Leveraging security analytics and threat intelligence platforms is key to identifying and mitigating potential risks. Staying updated on emerging threats and vulnerabilities related to AI systems and adjusting security measures accordingly is also essential.

Zero Trust principles provide a strong foundation for securing sensitive data. However, it’s also important to continuously assess and adapt your security measures to address evolving threats and industry best practices as AI becomes more integrated into the business.

V. Case studies

A large financial institution leverages AI to augment customer support and streamline business processes. However, concerns have arisen regarding the possible exposure of sensitive customer or proprietary financial data, primarily due to insider threats or misuse. To address this, the institution commits to implementing a Zero Trust Architecture, integrating various security measures to ensure data privacy and confidentiality within its operations.

This Zero Trust Architecture encompasses several strategies. The first is an Identity and Access Management (IAM) system that enforces access controls and authentication mechanisms. The plan also prioritizes data anonymization and strong encryption measures for all interactions with AI. Data Loss Prevention (DLP) solutions and User and Entity Behavior Analytics (UEBA) tools are deployed to monitor conversations, detect potential data leaks, and spot abnormal behavior. Further, Role-Based Access Controls (RBAC) confine users to accessing only data relevant to their roles, and a regimen of continuous monitoring and auditing of activities is implemented.

Additionally, user awareness and training are emphasized, with employees receiving education about data privacy, the risks of insider threats and misuse, and guidelines for handling sensitive data. With the institution’s Zero Trust Architecture continuously verifying and authenticating trust throughout interactions with AI, the risk of breaches leading to loss of data privacy and confidentiality is significantly mitigated, safeguarding sensitive data and maintaining the integrity of the institution’s business operations.

VI. The future of AI and Zero Trust

The evolution of AI threats is driven by the ever-increasing complexity and pervasiveness of AI systems and the sophistication of cybercriminals who are continually finding new ways to exploit them. Here are some ongoing evolutions in AI threats and how the Zero Trust model can adapt to counter these challenges:

Advanced adversarial attacks: As AI models become more complex, so do the adversarial attacks against them. We are moving beyond simple data manipulation towards highly sophisticated techniques designed to trick AI systems in ways that are hard to detect and defend against. To counter this, Zero Trust architectures must implement more advanced detection and prevention systems, incorporating AI themselves to recognize and respond to adversarial inputs in real-time.

AI-powered cyberattacks: As cybercriminals begin to use AI to automate and enhance their attacks, businesses face threats that are faster, more frequent, and more sophisticated. In response, Zero Trust models should incorporate AI-driven threat detection and response tools, enabling them to identify and react to AI-powered attacks with greater speed and accuracy.

Exploitation of AI’s ‘`black box’ problem: The inherent complexity of some AI systems makes it hard to understand how they make decisions. This lack of transparency can be exploited by attackers. Zero Trust can adapt by requiring more transparency in AI systems and implementing monitoring tools that can detect anomalies in AI behavior, even when the underlying decision-making process is opaque.

Data privacy risks: As AI systems require vast amounts of data, there are increasing risks related to data privacy and protection. Zero Trust addresses this by ensuring that all data is encrypted, access is strictly controlled, and any unusual data access patterns are immediately detected and investigated.

AI in IoT devices: With AI being embedded in IoT devices, the attack surface is expanding. Zero Trust can help by extending the “never trust, always verify” principle to every IoT device in the network, regardless of its nature or location.

The Zero Trust model’s adaptability and robustness make it particularly suitable for countering the evolving threats in the AI landscape. By continuously updating its strategies and tools based on the latest threat intelligence, Zero Trust can keep pace with the rapidly evolving field of AI threats.

VII. Conclusion

As AI continues to evolve, so too will the threats that target these technologies. The Zero Trust model presents an effective approach to neutralizing these threats by assuming no implicit trust and verifying everything across your IT environment. It applies granular access controls, provides comprehensive visibility, and promotes continuous security monitoring, making it an essential tool in the fight against AI-based threats.

As IT professionals, we must be proactive and innovative in securing our organizations. AI is reshaping our operations and enabling us to streamline our work, make better decisions, and deliver better customer experiences. However, these benefits come with unique security challenges that demand a comprehensive and forward-thinking approach to cybersecurity.

With this in mind, it is time to take the next step. Assess your organization’s readiness to adopt a Zero Trust architecture to mitigate potential AI threats. Start by conducting a Zero Trust readiness assessment with AT&T Cybersecurity to evaluate your current security environment and identify any gaps. By understanding where your vulnerabilities lie, you can begin crafting a strategic plan towards implementing a robust Zero Trust framework, ultimately safeguarding your AI initiatives, and ensuring the integrity of your systems and data.

The post Understanding AI risks and how to secure using Zero Trust appeared first on Cybersecurity Insiders.

In today’s fast-paced digital landscape, businesses proactively seek innovative ways to optimize their networks, enhance operational efficiency, and reduce costs. Network Functions Virtualization (NFV) emerges as a transformative technology that leads the charge.

NFV revolutionizes traditional, hardware-based network functions by converting them into flexible, software-based solutions. Virtual Network Functions (VNFs) can be deployed on commodity servers, cloud infrastructure, or even in data centers, freeing businesses from the constraints of specialized, proprietary hardware.

NFV simplifies network operations and significantly reduces hardware costs by allowing network functions, such as firewalls, load balancers, and routers, to run on general-purpose servers. This leads to substantial savings in both capital expenditure (CAPEX) and operational expenditure (OPEX).

Furthermore, NFV equips businesses with the agility and flexibility necessary to adapt quickly to changing network demands. Unlike traditional hardware-based network functions, which are static and require manual configuration, VNFs can be rapidly deployed, scaled, or modified to accommodate fluctuating network requirements. This provides a level of scalability and agility that was previously unattainable.

NFV also streamlines network management and automation. With NFV Management and Orchestration (MANO) systems, businesses can centrally manage and orchestrate VNFs, reducing the complexity and manual effort associated with network administration. This simplifies the deployment and management of network services, improves efficiency, and minimizes the risk of errors.

Moreover, NFV contributes to more sustainable and environmentally friendly operations by reducing energy consumption. By consolidating multiple network functions onto shared infrastructure, NFV lowers energy usage and cooling requirements.

The NFV architecture, standardized by the European Telecommunications Standards Institute (ETSI), provides a blueprint for implementing and deploying NFV solutions. It comprises three main components:

• Virtual Network Functions (VNFs): Software implementations of network functions deployable on Network Function Virtualization Infrastructure (NFVI). Each VNF runs on generic server hardware and interconnects with other VNFs to create extensive networking communication services.
• NFV Infrastructure (NFVI): The environment hosting the VNFs. It includes the hardware resources and the software layers that abstract, pool, and manage the physical resources.
• NFV Management and Orchestration (MANO): The framework orchestrating and managing physical and/or virtual resources that support the VNFs. The MANO layer consists of the NFV Orchestrator, VNF Manager, and Virtualized Infrastructure Manager (VIM).

This architecture decouples network functions from proprietary hardware appliance which is how NFV enhances network flexibility, scalability, and service deployment speed, while cutting costs and energy consumption.

NFV not only brings cost savings and efficiency but also fosters innovation. The ability to quickly and easily deploy new network functions enables businesses to experiment with new services and features, accelerating innovation and enhancing competitiveness.

NFV represents a paradigm shift in networking. By transforming rigid, hardware-based network functions into flexible, software-based solutions, NFV equips businesses with the agility, cost-efficiency, and innovation potential necessary to thrive in the digital age. Embracing NFV is a strategic move for businesses looking to future-proof their networks and maintain a competitive edge in the digital era. Don’t let your current network setup hold you back; explore the possibilities NFV offers with AT&T Cybersecurity and transform your network infrastructure today.

The post What is NFV appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In the vast realm of digital investigations, there exists a fascinating technique known as recycle bin forensics. Delving into the depths of this captivating field unveils a world where seemingly deleted files can still reveal their secrets, allowing digital detectives to reconstruct user activities and uncover valuable information. So, let’s embark on a journey to demystify recycle bin forensics and understand its role in the realm of cybersecurity.

Recycle bin forensics is a specialized branch of digital forensics that focuses on the retrieval and analysis of deleted files from the recycle bin or trash folder. This intriguing technique holds the potential to unlock a treasure trove of evidence, shedding light on cybercrimes and aiding in the investigation process.

To comprehend the intricacies of recycle bin forensics, it’s essential to grasp how the recycle bin functions.

When you delete a file on your computer, it often finds its way to the recycle bin or trash folder. It’s a convenient feature that allows you to recover accidentally deleted files with a simple click. But did you know that even after you empty the recycle bin, traces of those files may still linger on your system?

Welcome to the fascinating realm of recycle bin forensics, where digital detectives can uncover valuable information and shed light on a user’s activities.

Location of Deleted files

C:RECYCLED          Win 95/98/Me

C:RECYCLER          Win NT/2000/ XP

C:$Recycle.bin         Win Vista and later

Metadata file

INFO2(Win 95/98/Me)

C:RECYCLERSID*INFO2 (Win NT/2000/XP) (SID denotes security identifier)

Windows Vista and later

C:Recycle.binSID*$I******(Contains Metadata)

C:Recycle.binSID*$R******(Contents of deleted file)

Both files will be renamed to a random 6-character value. These directories are hidden by default; however, you can access them using command prompt with elevated privileges (Run as administrator) on your windows system using command dir /a.

Recycle bin forensics assumes a critical role in digital investigations, enabling law enforcement agencies, cybersecurity experts, and forensic analysts to piece together the puzzle. By analyzing deleted files, forensic professionals can reconstruct a timeline of events, unearth vital evidence, and recover seemingly lost data, aiding in the pursuit of justice.

Unveiling the secrets hidden within the recycle bin requires specialized tools and techniques. Forensic software empowers investigators to extract deleted files, even after the recycle bin has been emptied. Through careful analysis of file metadata, paths, and content, digital detectives can gain insights into file origins, modifications, and deletions, painting a clearer picture of the user’s activities.

One such utility we will be using is $IPARSE which can be downloaded here.

Steps to find metadata related to a deleted file ($I****** file)

• Run command prompt as administrator

• cd .. (Twice)

• after that use command dir /a and check if you are able to see $RECYCLE.BIN directory

• cd $RECYCLE.BIN to go inside the directory and use command  dir /a

now you will see multiple entries starting with S in the list of directories.

To check users associated with the SID directories you can use command wmic useraccount get name,sid

It will list all the users associated with SID’s. After that copy any SID by selecting and using ctrl C (as well you can use tab key to autocomplete the SID after typing first few characters of SID).

Now, to move into the SID directory:
 

cd SID (paste the copied value)

for example, if the SID directory name was S-1-5-32

• cd S-1-5-32

after that use command dir /a to list the components of that directory you shall see $I and $R files. In certain cases, only $I****** file will be available.

For illustration purposes, we are using files acquired from other systems.

• Now, create a folder and give a path to copy the file. Syntax would be file name “path” ($IABTIOW.doc “D:DesktopTest filesi filesTESTOutput”), you can alternatively use the copy command.

• Copy the file/folder name (while inside the said directory) and copy to path (where you wish to copy the said file or folder). The path can be copied by going in folder and clicking the address bar – your file will be copied and the associated software will try to open it, but won’t be able to open (like photos app for png/jpeg files)

• Extract and run the $Iparse utility you downloaded. Browse the directory/folder you copied $I files in. Now, browse to the directory where you want to put the result file at and provide a file name.

Click on save. After that, you should be able to see an interface like below:

Then click parse. It will display the file for you if it has successfully parsed it – the output file will be in .tsv format. You can open the .tsv file with notepad or notepad++. Now, you will be able to see details pertaining to the said $I file.

While recycle bin forensics is a powerful tool, it is not without its challenges and limitations. As time progresses and new files are created and deleted, older remnants in the recycle bin may be overwritten, making the recovery of certain deleted files more challenging or even impossible. Additionally, the effectiveness of recycle bin forensics can vary based on the operating system and file system in use, presenting unique obstacles.

To protect sensitive information and thwart potential recovery through recycle bin forensics, implementing secure data deletion practices is vital. Merely emptying the recycle bin offers no guarantee of permanent erasure. Instead, employing specialized file shredding or disk wiping tools can ensure that deleted data is securely overwritten, rendering it irretrievable.

In conclusion, recycle bin forensics is a remarkable field that uncovers the hidden remnants of deleted files, holding the potential to transform investigations. As we navigate the digital landscape, understanding the power of recycle bin forensics reminds us of the importance of safeguarding our digital footprint. Through knowledge, diligence, and secure practices, we can protect our sensitive information and fortify the realm of cybersecurity for the benefit of all.

The post Digital dumpster diving: Exploring the intricacies of recycle bin forensics appeared first on Cybersecurity Insiders.