Category Archives: security

LinkedIn Live: Inside the threat hunt, turning signals into evidence

Posted on by
Reply

I recently moderated a live event (which has been recorded and can be accessed here, with registration), about how to do threat hunting using Corelight’s Investigator tool. My partner is Mark Overholser, who is their technical marketing engineer. Mark is an accomplished threat hunter and veteran of numerous Black Hat SOC tours of duty, so he has seen a lot of wonky circumstances go across his screens.

We talk about why being proactive is important in learning how to hone your investigations, how to use the MITRE ATT&CK foundation (shown above) and schema to hone your focus and guide your efforts.  (I wrote about the evolution of ATT&CK for CSO back in 2021 here), We also discuss how to drill down to suss out what is going on across your network. .

Corelight also has an excellent threat hunting guide that is keyed to the ATT&CK categories, with loads of suggestions to how you can leverage it to help in your hunts.

CSOonline: CASB buyer’s guide

Posted on by
Reply

Since I began examining cloud access security brokers in 2018, a lot has happened. CASBs sit between an organization’s endpoints and cloud resources, acting as a gateway that monitors everything that goes in or out, providing visibility into what users are doing in the cloud, enforcing access control policies, and looking out for security threats.

Some vendors have begun incorporating additional features into core CASB functionality, such as data loss prevention (DLP), secure web gateway (SWG), cloud security posture management (CSPM), and user and entity behavior analytics (UEBA). Other CASB vendors have been purchased by main-line security vendors have purchased CASB solutions: Oracle (Palerra), IBM (Gravitant), Microsoft (Adallom), Forcepoint (Skyfence), Proofpoint (FireLayers), Symantec (Skycure) and McAfee (Skyhigh Networks). The market has matured, although this is a matter of degree since even the longest-running vendors have only been selling products for a few years. It has also evolved to the point where many analysts feel CASB will be just as important in the near future just as firewalls once were back in the day when PCs were being bought by the truckloads.

There are three deployment modes: forward proxy, reverse proxy and API-based. Most experts say that API-based CASBs provide better functionality, but organizations need to make sure that the vendor’s list of application programming interface (API) connections matches up with the organization’s inventory of cloud apps.

In this updated story for CSOonline, I talk about what are these products, why enterprises are motivated to purchase and deploy them,  what features you should look for that are appropriate for your network. what are your decision points in the purchase process, and links to many of the major CASB vendors.

CSOonline: CSPM Buyer’s guide

Posted on by
Reply

(originally posted 6/21)

Every week brings another report of someone leaving an unsecured online storage container filled with sensitive customer data. Thanks to an increasing number of unintentional cloud configuration mistakes and an increasing importance of cloud infrastructure, we need tools that can find and fix these unintentional errors. That is where cloud security posture management (CSPM) tools come into play. These combine threat intelligence, detection, and remediation that work across complex collections of cloud-based applications. You can see a few of them above.

Vendors have been incorporating CSPM functions into their overall CNAPP or SSE platforms, including CrowdStrike, Palo Alto Networks, Wiz, Zscaler and Tenable. This means that the modern standalone CSPM tool has all but disappeared. In my latest revision on the category for CSOonline, I  mention some of the issues involving purchase decisions and mention three vendors that are still selling these tools.

 

Podcast: with Sam Whitmore on offensive agentic AI tactics

Posted on by
1

This week I spoke to Sam Whitmore of MediaSurvey about two eports that came out this month, one from the Google Threat Intel group and one from Anthropic, the makers of Claude AI

The Google report says that “adversaries are no longer leveraging AI just for productivity gains, they are deploying novel AI-enabled malware in active operations. Malware threat groups are using LLMs during their execution to dynamically generate scripts on demand and hide their own code from detection.” They are also using social engineering pretexts to bypass security guardrails. That is pretty scary stuff.

The Anthropic report found ways that threat actors manipulate Claude Code to automate the orchestration of reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and exfiltration operations largely autonomously. The researchers claim that this is the first documented attack without much human intervention or control at huge scale and showed how Claude agents were able to decompose these multiple attack stages into smaller parts. One small issue: the events depicted in this report happened about a year ago, using tools that now seem ancient given the rapid state of things in the AI world.

The key to the behavior chronicled in both reports was how AI assumed some pretty human role-play: the human operators claimed that they were employees of legitimate cybersecurity firms and convinced Claude that they were playing a capture-the-flag, a common white-hat technique.

Both reports show just how the bad guys can use agentic AI to be more effective at stealing data than any group of human operators. The challenge will be stopping these and even more advanced threats going forward.

Watch out for browser cache smuggling

Posted on by
2

Browser caches can be difficult to secure, because our insatiable hunger for web content means our browsers often deposit files there that could turn out to be trouble. In the past, malware actors would try to poison web server caches — these were holding areas that the servers put aside to deliver frequently requested pages or pieces of content, such as large image files.

“Think of cache poisoning as poisoning a town’s shared well—everyone who draws from it is affected,” said Satnam Narang, senior staff research engineer at Tenable. “Browser cache smuggling, however, is like getting a meal kit with a hidden poisonous ingredient. It sits harmlessly in your private kitchen until you are tricked into following the recipe and cooking it yourself.” Cooked, indeed. The attacker hides an executable program inside a misnamed file that appears to be storing an image in the cache. Marcus Hutchins wrote about this recently.

Cache Smuggling has been around for years, but lately it is being paired with zero-click malware that makes the deposit and then the activation without any user intervention. Or as Marcus documents, a misleading pop-up instructs a user to do a series of Windows commands that bring this all about in the background. Or a phishing email that tells you how you have a large reward just waiting for your click to approve.

I recently got one of these emails from the Facebook User Privacy Settlement, asking me to activate a debit card. I was about to hit the delete key when I thought I should investigate further, and found out that I was wrong: the email offer was legit and moments later, I was now about $38 richer. Woo-hoo!

One way to fix this across the enterprise is to use one of the class of enterprise browsers that encrypt the cache, or can place global policies when a user brings up one of their browsers. Island.io and Authentic8.com are two of these vendors. A consumer version is available from Opera or Brave that provides various content blockers, which can stop the smuggling route.

Another mechanism is to make use of various network defensive tools (such as is available from one of my clients, Corelight). These can monitor odd network flows, such as unexpected uses of PowerShell, which often are clues that some hanky-panky is going on.

Three new malware variants you might BOLO

Posted on by
Reply

Of all men’s miseries the bitterest is this: to know so much and to have no power.

That was something attributed to the Greek philosopher Herodotus, who lived in what is now Turkey and Italy more than 2400 years ago. It is a fitting name for a new kind of Android banking trojan that is making the rounds. The trojan works by inserting a small but randomly variable delay between keystrokes, to make them appear as to be typed by a (relatively poor) human typist. It has other features, such as being able to steal 2FA codes sent via SMS (yet another reason not to use this transport method), intercept everything that’s displayed on the screen, grab the lockscreen PIN or pattern, and install executable files. The malware looks like an ordinary mobile banking app but there is nothing ordinary about it.

But Herodotus isn’t the only bad news bear that is out there. How about the RedTiger malware that steals data by flooding targeted systems with hundreds of processes and random files to confuse forensic examiners. That essentially buries any warnings to make it harder for security personnel to figure out where the pony is in this massive alert pile. And another malware that goes by the name CoPhish — it hides Microsoft Copilot commands within phishing the HTML text of emails. That text is designed to not be displayed if you are just reading them in your browser or email client.

What these three attack methods show is that the bad guys are getting better at hiding in plain sight, using AI methods and more subtle mechanisms to distribute their malware and then try to remain out of sight for several months while the attacker moves about trying to document the soft center of your network that will be compromised.

So you have been warned. Pick a better MFA method than SMS texts to get your pin codes. (My favorite is Authy, but there are plenty of others.)  Make sure to carefully vet any downloaded app to your phone before you start using it, and at the install time, please pay attention to the warnings about what permissions it requires to ensure that it isn’t grabbing everything it can. And don’t reply to any text message involving money that comes out of the blue, whether from your bank, your long-lost cousin traveling abroad, or someone who is acting friendly (want to join me for dinner). It’s a jungle out there, and sadly an old Greek guy was spot on about how much we know but still don’t have any power to do anything about it.

Deleting your private data will get easier: thanks California

Posted on by
4

Most of us have seen those annoying pop-up screens when browsing the web that ask us to accept some turgid privacy policies or approve the use of cookies to track our sessions. California and a few other states are trying to make things more secure and protect our privacy by introducing new regulations that will go into effect in the coming months or years. One of these technologies is called a universal opt-out preference signal or sadly the acronym OOPS. California’s explanation can be found here.

The universal part of the deal is that many websites will recognize these signals, so users don’t have to individually opt-out of tracking for each website that they visit where they are buying something online or sharing their personal information (such as a social network). CalOOPS will make this mandatory in January 2027. That is a long ways off to wait for this convenience. Several other states are moving to enact similar laws, although it is a long road ahead. The OOPS signals are already not required in six of the 19 states that have privacy protections — just showing how much of a crazy quilt our privacy picture is and will continue to be.

The OOPS laws are just one of a triad of regulations that were enacted earlier this month in California. The others required major social media platforms to provide users with a clear way to delete their accounts and ensure that the data in your account would be completely wiped. The third law requires data brokers to more stringent standards, including how deletion requests are handled by a new service called DROP. Those two go into effect in January 2026. Husch Blackwell (who does an excellent job tracking state privacy laws) has more info on this page describing the three laws.

DROP stands for Data Removal and Opt-Out Platform, and it will be a central place where consumers can begin the process of removing their data from multiple data brokers. If you have ever tried this on your own, you probably know how frustrating the process can be: first, the brokers are numerous and many of which are companies that you probably never heard of. Here is a list of more than 600 of them. Then, once you can find one, they make this deletion action as obscure as possible, or put you through various pathways (download a special app, submit a web form) that don’t inspire confidence. And realistically, how many brokers are you going to do this with anyway? And finally, is Facebook et al. a broker or a social network or just all-around evilness?

Remember the do-not-track phone settings on your phone? Probably not, because these were for the most part ineffective, and not mandatory. These new laws have enforcement provisions. We’ll see if that matters in the end.

Browser vendors with privacy controls are one answer, such as Brave, DuckDuckGo, or extensions such as PrivacyBadger (which I wrote about here). I have been using Opera Air, which has an ad blocker built in. There are two problems. First, these browser-based tools don’t always work on some websites that require pop-ups as part of a normal workflow, or the websites don’t want you to run ad blockers, because they lose revenue from displaying the ad banners. And second, as you might have guessed, there are no federal data privacy laws, and given the state of our Congress, chances are slim that we will see any soon. That means that laws could be enacted that work at cross-purposes.

I would be interested in hearing any strategies that work for you.

 

CSOonline: 12 Attack Surface Management tools reviewed

Posted on by
Reply

Potential Attack Surface Management buyers need to understand how various network and other infrastructure changes happen and how they can neutralize them.

Periodic scans of the network are no longer sufficient for maintaining a hardened attack surface. Continuous monitoring for new assets and configuration drift are critical to ensure the security of corporate resources and customer data.

New assets need to be identified and incorporated into the monitoring solution as these could potentially be part of a brand attack or shadow IT. Configuration drift could be benign and part of a design change, but also has the potential to be the result of human error or the early stages of an attack. Identifying these changes early allows for the cybersecurity team to react appropriately and mitigate any further damage.

I review 12 different ASM tools and also provide some questions to ask your team and the vendors about their ASM offerings in this updated article for CSOonline.

 

CSOonline: 5 steps for deploying agentic AI red teaming

Posted on by
Reply

Building secure agentic systems requires more than just securing individual components; it demands a holistic approach where security is embedded within the architecture itself. For my latest article for CSO Online, I delve into the world of using agentic AI for red teaming exercises. It is very much a work in progress. Many vendors of defensive AI solutions are still in their infancy when it comes to protecting the entirety of a generative AI model and the attack space is enormous.