Saturday, 10 June 2023

Unlocking the Potential: Recurrent Neural Networks (RNNs) at the Forefront of Cybersecurity

In the ever-evolving landscape of cybersecurity, a remarkable technology has taken center stage, capturing the imagination of researchers and paving the way for groundbreaking advancements. Enter Recurrent Neural Networks (RNNs), a cutting-edge innovation that has garnered significant attention for its ability to process sequential data with unparalleled precision. With applications tailored specifically for the realm of cybersecurity, RNNs are revolutionizing threat detection and fortifying our digital defenses. Let's embark on a journey into this captivating field, exploring real-world examples that underscore the transformative power of RNNs, backed by compelling research.

Intrusion Detection Systems (IDS): The constant battle to safeguard our networks from unauthorized access and malicious attacks has ushered in a new era of defense with the aid of RNNs. Research studies have harnessed the immense potential of deep learning and network security, uncovering innovative approaches to intrusion detection. A notable study titled "A Deep Learning Approach for Network Intrusion Detection System" (Shone et al. 2018) illuminates the effectiveness of RNNs in accurately detecting and classifying network intrusions. By dissecting intricate network traffic patterns, these intelligent systems exhibit an unparalleled ability to swiftly identify and neutralize threats in real-time, ensuring the integrity of our digital infrastructure.

Malware Detection: The battlefield against nefarious software has witnessed a seismic shift with the advent of RNNs. Researchers have delved into the intricacies of malware analysis, leveraging the power of RNNs to combat this persistent threat. Research papers, including "Word Embedding Techniques for Malware Classification" (Chandak, 2020) and "Detecting Android malware using Long Short-term Memory (LSTM)" (Ravi et al., 2018), underscore the potential of RNNs to unravel sequential patterns within code or traffic and learn patterns that distinguish between benign and malicious behavior. By accurately classifying and identifying malware, RNN-powered models empower cybersecurity professionals with the tools needed to combat ever-evolving threats, ensuring the safety of our digital ecosystems.

User Behavior Analysis: Anomaly detection lies at the heart of identifying insider threats and thwarting malicious activities. RNNs, equipped with their ability to model and analyze user behavior, have emerged as a formidable ally in this pursuit. The paper "Behavioral Based Insider Threat Detection Using Deep Learning" (Afzal et al., 2018) delves into this intriguing realm, illuminating the role of RNNs in learning normal behavior patterns and promptly detecting deviations. With this advanced framework, organizations can fortify their digital realms, safeguarding sensitive information from internal risks.

Spam and Phishing Detection: In the relentless battle against email-based cyberattacks, RNNs have emerged as an indispensable tool. Researchers have dedicated extensive efforts to combating spam and phishing attempts, harnessing the power of RNNs to shield users from fraudulent schemes. A prime example is the paper "A hybrid DNN–LSTM model for detecting phishing URLs" (Ozcan et al., 2021), which unveils an innovative hybrid RNN framework that meticulously analyses sequential patterns within email content. By accurately identifying phishing emails, RNN-powered systems provide users with a robust defense, ensuring the security of their online communications.

Network Traffic Analysis: Gaining insights into network flows and uncovering hidden cyber threats require sophisticated tools capable of analyzing vast amounts of data. RNNs have emerged as a powerful solution in this domain. Research studies, such as "An Intrusion Detection System Using a Deep Neural Network With Gated Recurrent Units" (Xu et al., 2018), have introduced novel RNN-based approaches that leverage the sequential nature of network data to identify anomalies and potential threats. Notably, the system excelled in detecting Denial of Service (DOS) attacks, achieving detection rates of 99.98% on KDD 99 and 99.55% on NSL-KDD.

Vulnerability Detection: RNNs have been utilized in research on vulnerability detection. The paper "Deep security analysis of program code" (Sonnekalb et al. 2022) explores the use of RNNs to analyze sequences of code snippets and identify potential vulnerabilities in software.

These research efforts demonstrate the wide range of applications for RNNs in cybersecurity, highlighting their effectiveness in areas such as intrusion detection, malware analysis, user behavior modelling, spam detection, network traffic analysis, and vulnerability detection. By leveraging the capabilities of RNNs, researchers are striving to enhance cybersecurity measures and mitigate emerging threats.

RNN Models and their Use Cases

| RNN Model | Use Cases | Key Features |
|---|---|---|
| Long Short-Term Memory (LSTM) | Network intrusion detection; Malware detection; User behavior analysis; Spam and phishing detection; Network traffic analysis; Vulnerability detection | Memory cell with input, output, and forget gates; Long-term dependencies modeling; Capability to handle sequential data |
| Gated Recurrent Unit (GRU) | Network intrusion detection; Malware detection; User behavior analysis; Spam and phishing detection; Network traffic analysis; Vulnerability detection | Simplified architecture with reset and update gates; Efficient memory update mechanism; Fewer parameters compared to LSTM |
| Bidirectional LSTM and GRU | Network intrusion detection; Malware detection; User behavior analysis; Spam and phishing detection; Network traffic analysis; Vulnerability detection | Capturing context from both past and future; Enhanced information extraction |
| Convolutional LSTM | Malware detection; Network traffic analysis; Anomaly detection | Incorporates convolutional layers with LSTM; Spatial and temporal feature extraction |
| Stacked LSTM | Network intrusion detection; Malware detection; User behavior analysis; Network traffic analysis; Anomaly detection | Multiple LSTM layers for hierarchical learning; Deep architecture for complex patterns |

Monday, 5 June 2023

Book Review: "An AI Product Manager's Handbook" - An Effective Wholistic 10,000 foot View


In the ever-evolving landscape of artificial intelligence (AI), the role of a product manager has become increasingly crucial. "An AI Product Manager's Handbook" attempts to serve as a comprehensive guide for professionals seeking to navigate this complex domain. However, while the book covers a range of relevant topics, readers wanting a deeper exploration into the application of engineering and technology AI will still be searching after the read (which I consider a very good thing). This book delivers on being a great way to see the entire forest before parachuting into it.

Moving on, the book delves into the role of a product manager in an AI-focused organization, highlighting the unique challenges and responsibilities they face. It explores the process of defining AI product goals, prioritizing features, and managing the development lifecycle. The content is well-organized and the concepts are adequately explained, although the material lacks much coverage of AI security (which, to be fair, deserves its own book).

One of the book's strengths lies in its coverage of ethical considerations and responsible AI practices. It delves into the importance of fairness, transparency, and accountability in AI systems, emphasizing the need for product managers to consider the potential social impact of their products (which, to be fair, also deserves its own book). I am seeing a potential series for this author.

Moreover, the book does contain trends in AI and takes a look at the highest growth areas from research companies like McKinsey, Forrester and Gartner. Product Managers will also gain insights on the shortest pathways to AI enablement. The author underscores the importance of having solid use cases when enabling AI in your organization. These use cases will help your product viability and impact KPIs and ROI.

In conclusion, "An AI Product Manager's Handbook" really delivers on the originality and breadth of topics promised. It covers the essential aspects of AI product management, offers unique insights and provides practical guidance that sets it apart as something with core relevance to what is taking place now with these disruptive technologies. The book's style and topics are engaging and will elevate the reader quickly into the headspace of advancing their product with AI.

....and before we can secure AI, use it for security, or secure ourselves against it as well, we have to learn about it.


Wednesday, 6 October 2021

To Heck with Vulnerability - 2020

Once each year closes, it can be nice to take a step back. At the end of 2020, as if a viral pandemic wasn’t bad enough, we had to deal with digital weaknesses that left us open to more human attacks against our digital infrastructure.


One of the things I’d like to point out about vulnerability is that the vulnerabilities reported in a given year may or may not be the ones that the most frequent top attacks are actually exploiting that year.



The grand majority of top vulnerabilities reported by the US Cybersecurity and Infrastructure Security Agency (CISA) as used by attackers for exploit in 2020 were not reported in 2020 but earlier. This proves that the longer organizations take to patch, the longer the vulnerability will be useful to attackers, thereby increasing the general global attack surface.


The vulnerabilities disclosed by year is looking like a Bull Market. Something tells me there won't be any crash in this trajectory line.


CVE stands for Common Vulnerabilities and Exposures.  CVE numbers are assigned by a CVE Numbering Authority (CNA) - MITRE is the primary CNA now.    The names of each vulnerability follow a naming convention of CVE-[Year Reported]-[Arbitrary Digits].


The vulnerabilities that I cover in my video CVE Rogues Gallery [2020 Edition] - Vulnerabilities and Exposures can be seen here:




Based on government data reported by the US Cybersecurity and Infrastructure Security Agency (CISA) in their exciting and newly revised Alert (AA21-209A) (as of August 2021), the majority of top vulnerabilities that were identified as used by attackers for exploit in 2020 were not reported in 2020 but earlier.


In 2020, more than 66 percent of the top CVEs used were reported in previous years.  Only about 33% of the top CVEs targeted for attack that fell onto this list were actually reported in 2020.   Patching quickly and remediating ahead of the curve is still extremely important.  Attackers can easily discover your weak spots.  And the point is, those threat actors don’t care when the CVEs were published or released, they just hope you are late to remediate.


Top Routinely Exploited Vulnerabilities 2020: CISA Alert (AA21-209A): https://us-cert.cisa.gov/ncas/alerts/aa21-209a 




But make no mistake, it isn’t just Critical and High severity CVEs that you need to worry about: even low and medium severity vulnerabilities, when chained together, can lead to full compromise.


General recommendations that are in-line with protecting against these vulnerabilities are:

  • Don’t leave services on if you don’t need them

  • Make patching and upgrading a priority 

  • Don’t allow users administrative credentials just because they want it.  Make sure there is a business need.  Their primary login should be a standard user account and not an administrator account

  • Train users to understand that they are part of the security stack of your organization.  The security controls that you have implemented in your organization don’t have magic powers and still require users to act cautiously, with mindful deliberation and with security in mind.


The best advice is to have a serious and responsive upgrade and patching program, a dedicated Vulnerability Management practice, Incident Response Management, a solid implementation of defense-in-depth with your Security Stack and cyber hygiene.

Sunday, 12 September 2021

Building a Common Language - CVSS (Common Vulnerability Scoring System)

As our complex societies, business environments and economies work together to exchange and secure data, build ideas and solve problems so that we may protect and improve quality of life, our human workflows are often thwarted by not using a common industry language.   Sometimes we do not even have a common language to use. 

When we think of risk, vulnerability management and threat intelligence, the standard frameworks in active development come to mind.  

In Vulnerability Management, the Common Vulnerability Scoring System (CVSS) has become the widely adopted standard, solidified in 2005 (now almost 17 years ago) by the National Infrastructure Advisory Council (NIAC). Initially, the NIAC passed ownership of the CVSS standard to the Forum of Incident Response and Security Teams (FIRST), a non-profit organization established in 1990 in response to the cyber risk exposed by the Wank Worm just a few years earlier.

Now FIRST maintains and grows this standard and encourages feedback from the information security community.

A link to the final report by the NIAC can be accessed from the Cybersecurity and Infrastructure Security Agency (CISA):  https://www.cisa.gov/publication/niac-common-vulnerability-scoring-final-report

Since 2007, Europe has, year over year, taken the lead in FIRST membership growth. Asia and United States membership have both been increasing, but at different rates. As of this year, Asia has caught up with the United States in membership numbers. South America has also dramatically increased its regional membership numbers year after year. Asia and Europe have had the most impressive increases since 2015.

FIRST Membership growth by year:  https://www.first.org/about/history

CVSS Industry Use Cases 

To onlookers outside of the industry, there is much needed translation.  Use cases are often the best ways to help in our understanding something that initially seems so abstract.
  • National Vulnerability Database Analysts: These analysts use the CVSS to attribute scores to newly disclosed and discovered vulnerabilities.  The vulnerabilities and their assigned CVSS score can be found in the National Vulnerability Database (NVD).
  • Security Analysts, Security Researchers, Auditors, Pen-testers, Threat Actors: Red-teamers, blue-teamers, and threat actors alike can rely on CVSS scoring in order to understand system vulnerability, plan attacks and implement countermeasures.  (choose the light)
  • Makers and providers of vulnerability scanning and Endpoint Detection and Response platforms: They can leverage the NVD feed to provide CVSS scoring for host and device scans.
  • Makers, providers, users of SIEM and Log Collection platforms:  They can attempt to detect CVEs being actively exploited and apply a severity score that correlates to a perceived vulnerability to address countermeasures during and after attack.
A link to resources to detailed information can be found here:

CVSS Versions and Release Dates 

Like some people say, "Nothing is perfect".  I think we all know by now, how right that is.  It definitely goes without saying, but I'll say it anyway!

Historically, however, CVSSv1-3 seem to lack the ability to describe, in sufficient detail, vulnerabilities related to the Internet of Things (IoT), such as medical devices, grid, automobile, aircraft, drone and, generally, embedded systems. CVSSv3.1, released in 2019, contains a framework for extending CVSS.

The CVSS does not have specialized scoring for industry verticals, thus does not have the language or the scope to accurately measure risk, only severity ratings of software vulnerabilities.

| CVSS Version | Year Released | Limitations |
|---|---|---|
| CVSSv1 | 2005 | Had not been peer reviewed when released. |
| CVSSv2 | 2007 | Questions of accuracy due to lack of granularity in several metrics, weak definitions that resulted in less accurate scoring. Slow to accommodate the changing landscape of modern risk. Of a scoring range that had levels 0-10, only had 3 levels of severity - Low/Medium/High. |
| CVSSv3.0 | 2015 | Accounted for the physical attack layer, but still did not address major issues with scoring for confidentiality of data amongst other unresolved issues. Levels of severity increased from 3 to 5 levels of a 0-10 scoring range - None/Low/Medium/High/Critical. |
| CVSSv3.1 | 2019 | Includes updates to the user guide, a framework for extending the CVSSv3 to provide flexibility for industry verticals including healthcare, automotive and industrial sectors. Formulation and scoring improvements. |

Mapping CVSS to MITRE ATT&CK

The intertwining of  Vulnerability Management and Cyber Threat Intel is uncontestable.  It is natural when thinking about security weaknesses that we should easily imagine that lurking in the obfuscated digital shadows is a threat actor, an attacker, waiting to exploit those weaknesses. 

The great work that MITRE has accomplished in describing the tactics, techniques and procedures (TTPs) of real-world attacks, and then being able to correlate those with attack groups (nation state attackers, cybercriminals and hacktivists), builds a dossier that allows us, the security community, to threat map based on victim profile (Industry Segment) and anticipate the modus operandi of attack groups that typically target a given industry.

Some brilliant work from Aditya Kuppa, Lamine Aouad, Nhien-An Le-Khac that can be found on the ACM Digital Library describes in detail how to programmatically correlate CVSS to MITRE ATT&CK techniques.

A link to their work can be found here:  https://dl.acm.org/doi/fullHtml/10.1145/3465481.3465758 

Additionally, in October 2020, MITRE released a rubric (xlsm on github)  for effectively applying CVSS to medical devices.  The U.S. Food and Drug Administration has officially qualified this rubric as one of several Medical Device Development Tools (MDDTs) on its website.   

MITRE CVSS Rubric for Medical Devices:  https://github.com/mitre/md-cvss-rubric-tools 

Common Languages Change and Evolve

As common languages like CVSS and ATT&CK continue to evolve and change to meet industry requirements, they don't need to be perfect; they just need to be adaptive.

 

Thursday, 11 March 2021

TryHackMe: Nessus Room Writeup

On TryHackMe, the Nessus room not only introduces us to vulnerability scanning but it is a reminder that even the home user, student and hobbyist can run a cybersecurity vulnerability scanner at home with Tenable Nessus Essentials.


Nessus Scanner requires about 30GB of initial disk space. That disk space requirement will grow over time because Nessus will store the results from each scan into its database. Also as Nessus plugins get released and updated, that will also cause the data storage size to increase.

The Nessus room consists of 5 tasks:

  1. Introduction - where you learn about Nessus scanner’s basic purpose
  2. Installation - where you learn how to install Nessus on Kali Linux
  3. Navigation and Scans - where you learn to move about the console
  4. Scanning! - Lab with a target machine that you can run scans against
  5. Scanning a Web Application! - Lab where you perform a specialized web app scan

The last 3 of the above tasks are those that require responses in the room. Make sure that when you work in this lab you are using your own Kali Linux machine (or VM) and connecting to the Nessus room labs with OpenVPN. This is because the minimum hardware requirement (https://docs.tenable.com/nessus/Content/HardwareRequirements.htm) for Nessus is 30GB of disk space for Nessus itself. The AttackBox on TryHackMe has 25GB of disk space in total (at the time of publishing this writeup), which will not accommodate the Nessus installation.

Navigation and Scans


THM: What is the name of the button which is used to launch a scan?




THM: What side menu option allows us to create custom templates?




THM: What menu allows us to change plugin properties such as hiding them or changing their severity?




THM: In the 'Scan Templates' section after clicking on 'New Scan', what scan allows us to see simply what hosts are alive?




THM: One of the most useful scan types, which is considered to be 'suitable for any host'?




THM: What scan allows you to 'Authenticate to hosts and enumerate missing updates'?




THM: What scan is specifically used for scanning Web Applications?


Scanning!


THM: Create a new 'Basic Network Scan' targeting the deployed VM. What option can we set under 'BASIC' (on the left) to set a time for this scan to run? This can be very useful when network congestion is an issue.

New Scan button > Basic Network Scan > Settings > Schedule



THM: Under 'DISCOVERY' (on the left) set the 'Scan Type' to cover ports 1-65535. What is this type called?




THM: After the scan completes, which 'Vulnerability' in the 'Port scanners' family can we view the details of to see the open ports on this host?




If you click on the above line-item, you will navigate to a detail page that shows which ports have been detected:



THM: What Apache HTTP Server Version is reported by Nessus?

To find the version of Apache HTTP Server click on the below line-item:



You will find the version in the following detail view:



Scanning a Web Application!


This scan you will set up like the Basic Network Scan but you will select the Web Application Tests as the Scan Type.
  1. New Scan button > Web Application Tests
  2. Enter the IP into the target text field
  3. Click Save
  4. Launch the scan and wait for results
THM: What is the plugin id of the plugin that determines the HTTP server type and version?


In the vulnerabilities Tab of the scan you will notice a grouping of 2 vulnerabilities:




Click on the HTTP (Multiple Issues) line-item and you will see the following:




Then click on the line item “HTTP Server Type and Version” and you will see the plugin ID as shown below:




THM: What authentication page is discovered by the scanner that transmits credentials in cleartext?


Click on the line item “Web Server (Multiple Issues)”.




Then click on the line-item “Web Server Transmits Cleartext Credentials”:



Under the Output section you will see the page that transmits cleartext credentials:



THM: What is the file extension of the config backup?


Click on the “Backup Files Disclosure” vulnerability line-item:



The extension can be found under the Output section in the vulnerability detail:




THM: Which directory contains example documents? (This will be in a php directory)




THM: What vulnerability is this application susceptible to that is associated with X-Frame-Options?