Category: Hunters

San Francisco, United States, May 7th, 2024, CyberNewsWire

Hunters, the pioneer in modern SOC platforms, today announced its full adoption of the Open Cybersecurity Schema Framework (OCSF), coupled with the launch of groundbreaking OCSF-native Search capability. This strategic advancement underscores Hunters’ commitment to standardizing and enhancing cybersecurity operations through open, integrated data sharing frameworks.

Uri May, CEO of Hunters, explained the strategic significance of this move, stating, “Adopting OCSF as our primary data model represents a transformative step in our journey to elevate cybersecurity operations. Alongside this, our new advanced OCSF-native search functionality is set to transform how security data is searched and analyzed, offering unprecedented efficiency and precision.”

Democratizing Security Operations with OCSF

The adoption of OCSF provides a unified, standardized language across cybersecurity tools and platforms, simplifying data integration and analysis workflows. The adoption fosters frictionless interoperability and enables enhanced collaboration among cybersecurity professionals, promoting flexibility and innovation by eliminating constraints imposed by proprietary data formats.

“Adopting OCSF will not only enhance our AI-driven security solutions, but also enable seamless data integration across vast and diverse datasets, dramatically improving the speed and accuracy of threat detection and response,” added May.

Some of the benefits of adopting OCSF include:

  • Streamlined Operations and Enhanced Collaboration – practitioners use common security language, promoting efficient sharing of insights and best practices, bolstering collective defense strategies.
  • Breaking Vendor Lock-in and Data Silos – Organizations are not constrained by proprietary data formats from specific vendors.
  • Revolutionizing Threat Hunting and Investigation – By shifting from logs to context-aware events and objects, OCSF enables multi-stage attack analysis and context-rich threat hunting.
  • Accelerating AI and Gen-AI in Security – Standardized data schema accelerates the development of AI-driven security solutions.

OCSF-native Search Functionality: A New Era in Cybersecurity Analytics

Hunters is thrilled to launch their revolutionary OCSF-native search functionality, designed specifically for SOC analysts and threat hunters. This innovative technology addresses the complexities of “query engineering” by leveraging a universal data schema—OCSF—to streamline the search process across diverse data formats and environments. The new search capabilities not only reduces the frustration and errors associated with traditional query syntax but also enhances both general and specialized investigation capabilities, transforming how security teams interact with data and significantly accelerating their operations.

OCSF-Native Search is Revolutionizing Search in the following ways:

  • Event and Object Based Searching: A New Search Paradigm – Hunters SOC platform introduces event and object-based searching, eliminating the complexities of source-specific log formats, by enabling analysts to search cybersecurity events and objects without the need for field normalization or navigating diverse log formats.
  • Democratizing Data Analysis: Equipping Analysts of All Levels for Success – OCSF-native search simplifies the search experience, eliminating the need for SQL proficiency or specialized knowledge in tools like Kibana or KQL. With an intuitive interface tailored to the OCSF model, analysts of all experience levels can quickly become proficient, bypassing traditional complexities and lengthy training sessions. 
  • Entity Investigation Curated Workflows: Investigations with a Single Click – With this new capability analysts can pivot directly from Hunters alerts to Search with a single click, automatically populating and executing queries for deep context. This eliminates the need for manual query building, facilitating a seamless investigative workflow that allows analysts to efficiently explore and analyze security incidents.
  • Timeline Experience: Enhanced Chronological Insight for Security Analysis – A new timeline-based approach to search enables analysts to explore the chronological progression of security events. This feature provides insights into patterns, anomalies, and potential threats, enhancing the investigative workflow. Analysts can identify correlations, track threat evolution, and streamline investigations efficiently.

“Our new search functionality is a game-changer for both experienced and novice security practitioners,” says Yuval Itzchakov, CTO at Hunters. “It elevates SOC operations by providing Tier 1 analysts with the clarity needed for higher-level analysis and democratizes security insights, making advanced investigations accessible to more team members.”

Contributing to the Community – OCSF Mapping

In conjunction with this new product release, Hunters is also proud to contribute to the cybersecurity community by sharing one hundred mappings of security logs to the OCSF schema. This contribution is part of their commitment to fostering an open and collaborative environment where knowledge sharing accelerates innovation and strengthens security postures across the industry. 

The full adoption of OCSF and the launch of our OCSF-native search functionality mark significant milestones in Hunters’ ongoing mission to innovate and automate cybersecurity analytics and operations. By embracing open standards and providing powerful, intuitive search capabilities, they are not only advancing our platform but also contributing to a more interconnected, efficient, and effective cybersecurity ecosystem.

To learn more, visit us at RSAC Booth #4317, Moscone North, or contact us on www.hunters.security 

Contact

Ada Filipek

Hunters

ada.filipek@hunters.ai

 

 

 

 

The post Hunters Announces Full Adoption of OCSF and Introduces OCSF-Native Search appeared first on Cybersecurity Insiders.

A severe design flaw in Google Workspace’s domain-wide delegation feature discovered by threat hunting experts from Hunters’ Team Axon, can allow attackers to misuse existing delegations, enabling privilege escalation and unauthorized access to Workspace APIs without Super Admin privileges. Such exploitation could result in theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all of the identities in the target domain. Hunters has responsibly disclosed this to Google and worked closely with them prior to publishing this research. 

Domain-wide delegation permits a comprehensive delegation between Google Cloud Platform (GCP) identity objects and Google Workspace applications. In other words, it enables GCP identities to execute tasks on Google SaaS applications, such as Gmail, Google Calendar, Google Drive, and more, on behalf of other Workspace users.

The design flaw, which the team at Hunters has dubbed “DeleFriend,” allows potential attackers to manipulate existing delegations in GCP and Google Workspace without possessing the high-privilege Super Admin role on Workspace, which is essential for creating new delegations. Instead, with less privileged access to a target GCP project, they can create numerous JSON web tokens (JWTs) composed of different OAuth scopes, aiming to pinpoint successful combinations of private key pairs and authorized OAuth scopes which indicate that the service account has domain-wide delegation enabled. 

The root cause lies in the fact that the domain delegation configuration is determined by the service account resource identifier (OAuth ID), and not the specific private keys associated with the service account identity object. 

Additionally, no restrictions for fuzzing of JWT combinations were implemented on the API level, which does not restrict the option of enumerating numerous options for finding and taking over existing delegations.

This flaw poses a special risk due to potential impact described above and is amplified by the following:

  • Long Life: By default, GCP Service account keys are created without an expiry date. This feature makes them ideal for establishing backdoors and ensuring long-term persistence.
  • Easy to hide: The creation of new service account keys for existing IAMs or, alternatively, the setting of a delegation rule within the API authorization page is easy to conceal. This is because these pages typically host a wide array of legitimate entries, which are not examined thoroughly enough.
  • Awareness: IT and Security departments may not always be cognizant of the domain-wide delegation feature. They might especially be unaware of its potential for malicious abuse.
  • Hard to detect: Since delegated API calls are created on behalf of the target identity, the API calls will be logged with the victim details in the corresponding GWS audit logs. This makes it challenging to identify such activities. 

“The potential consequences of malicious actors misusing domain-wide delegation are severe. Instead of affecting just a single identity, as with individual OAuth consent, exploiting DWD with existing delegation can impact every identity within the Workspace domain,” says Yonatan Khanashvili of Hunters’ Team Axon.

The range of possible actions varies based on the OAuth scopes of the delegation. For instance, email theft from Gmail, data exfiltration from the drive, or monitor meetings from Google Calendar.

In order to execute the attack method, a particular GCP permission is needed on the target Service Accounts. However, Hunters observed that such permission is not an uncommon practice in organizations making this attack technique highly prevalent in organizations that don’t maintain a security posture in their GCP resources. “By adhering to best practices, and managing permissions and resources smartly, organizations can dramatically minimize the impact of the attack method” Khanashvili continued. 

Hunters has created a proof-of-concept tool (full details are included in the full research) to assist organizations in detecting DWD misconfigurations, increasing awareness, and reducing DeleFriend’s exploitation risks. Using this tool, red teams, pen testers, and security researchers can simulate attacks and locate vulnerable attack paths of GCP IAM users to existing delegations in their GCP Projects to evaluate (and then improve) the security risk and posture of their Workspace and GCP environments. 

Hunters’ Team Axon has also compiled comprehensive research that lays out exactly how the vulnerability works as well as recommendations for thorough threat hunting, detection techniques, and best practices for countering domain-wide delegation attacks.

Hunters responsibly reported DeleFriend to Google as part of Google’s “Bug Hunters” program in August, and are collaborating closely with Google’s security and product teams to explore appropriate mitigation strategies. Currently, Google has yet to resolve the design flaw.

Read the full research here, and follow Hunters’ Team Axon on Twitter.

About Hunters

Hunters delivers a Security Operations Center (SOC) Platform that reduces risk, complexity, and cost for security teams. A SIEM alternative, Hunters SOC Platform provides data ingestion, built-in and always up-to-date threat detection, and automated correlation and investigation capabilities, minimizing the time to understand and respond to real threats. Organizations like Booking.com, ChargePoint, Yext, Upwork and Cimpress leverage Hunters SOC Platform to empower their security teams. Hunters is backed by leading VCs and strategic investors including Stripes, YL Ventures, DTCP, Cisco Investments, Bessemer Venture Partners, U.S. Venture Partners (USVP), Microsoft’s venture fund M12, Blumberg Capital, Snowflake, Databricks, and Okta.

Contact

Yael Macias – yael@hunters.security 

The post Design Flaw in Domain-Wide Delegation Could Leave Google Workspace Vulnerable for Takeover, Says Cybersecurity Company Hunters appeared first on Cybersecurity Insiders.