INE Security Alert: The Steep Cost of Neglecting Cybersecurity Training
Cary, North Carolina, 20th August 2024, CyberNewsWire
The post INE Security Alert: The Steep Cost of Neglecting Cybersecurity Training appeared first on Security Boulevard.
Authors/Presenters: Yoochan Lee, Jinhan Kwak, Junesoo Kang, Yuseok Jeon, Byoungyoung Lee
Many thanks to USENIX for publishing their outstanding USENIX Security ’23 presenter content, and for the organization's strong commitment to Open Access. Originating from the conference's events at the Anaheim Marriott, and via the organization's YouTube channel.
The post USENIX Security ’23 – Pspray: Timing Side-Channel Based Linux Kernel Heap Exploitation Technique appeared first on Security Boulevard.
This is the second post in a series on Identity-Driven Offensive Tradecraft, which is also the focus of the new course we will launch in October. In the previous post, I asked, “How does one discover and abuse new attack paths?” To start answering this question, I made two key arguments:
In this post, I will share a framework I developed for discovering known and unknown attack paths.
Does Clean Source Violation Necessarily Introduce an Attack Vector?
We've already established that attack paths are chains of control relationships containing at least one Clean Source Principle violation, but is the converse also true? Does every Clean Source violation necessarily create an attack path? Logic suggests the answer is "no", but let's see why.
The reason lies in the “control” definition. In our context, we define “control” as a relationship that can contribute to compromising the target resource or impacting its operability. I previously explained that I chose the words “contribute to compromising or impacting” rather than “compromise or impact” because we sometimes need to abuse more than one security dependency to fully compromise or impact the target. For example, if multi-factor authentication (MFA) is enforced on an account, we must abuse both authentication factors to gain control.
Therefore, the conclusion was that a set of one or more security dependencies can control a resource that depends on it. I'll note that not every prerequisite for control is necessarily a security dependency. For example, you need to establish a connection to a remote host/service to control it, but a network connection is not a security dependency and shouldn't be treated as a security boundary, at least not in $CurrentYear.
Attack Path Criteria
Two criteria determine whether a set of security dependencies violating the Clean Source Principle introduces an attack path:
1. The security dependencies are present in the target environment (we have mapped them).
2. We know how to abuse the security dependencies to gain control of the dependent resource.
I’m not adding the Clean Source violation as a criterion because it is implied and I’ll address it later.
Both criteria are binary, so we can represent security dependencies in a 2x2 matrix: the rows capture whether a dependency is known to be present in the target environment (top = yes), and the columns capture whether we know how to abuse it (left = yes):
The top left quadrant is where we want to be: both criteria are met, so any Clean Source violation we identify is abusable. Paths BloodHound finds are in that quadrant — that’s the easy part. The challenge is bringing everything else into that quadrant. How do we achieve that?
Attack Path Discovery Framework
Define Target
There are generally two approaches for discovering attack paths:
The latter is more suitable for this framework, but it requires well-defined targets. As attackers, we derive those from our red team objectives. The former can also serve a purpose, especially early on, for gaining situational awareness.
Map Security Dependencies
Performing reconnaissance, enumeration, and discovery helps establish what is present in an environment and identify the target's direct and transitive security dependencies. This activity represents an upward shift from the bottom quadrants to the top quadrants.
The bottom left quadrant represents known tradecraft, which is typically easier to discover. For example, we can run SharpHound and AzureHound to collect and ingest data into BloodHound. BloodHound can’t provide complete coverage of all known offensive tradecraft, so other enumeration tools and discovery techniques must be utilized.
The bottom right quadrant represents unknown tradecraft. It could be commodity, off-the-shelf technologies that we, as operators or as a community, don’t know how to abuse. It could also be proprietary/bespoke technologies for the target organization. Discovering those can be more challenging, as it requires more manual research and reconnaissance, which could involve scouring internal documentation and analyzing artifacts. Moving from the bottom right quadrant to the top right quadrant is essentially learning how things work, which is what hacking used to be all about.
Relying solely on existing tooling would completely ignore the bottom right quadrant and likely guarantee missing attack paths. Custom-built solutions and less commonly used technologies are typically more prone to vulnerabilities. Also, even if the target organization uses only stock technologies, we still need to learn how they are used to map their security dependencies. Remember that security dependencies are found not only in technology but also in people and processes, and those are almost always unique to the target organization.
Weaponize for Control
The second criterion is knowing how to abuse the security dependencies to gain control of the dependent resource. Learning or developing the required attack primitives represents a leftward shift from the right quadrants to the left quadrants.
When targeting commodity, off-the-shelf technology, new attack primitives, where required, come from security research and tradecraft development. However, there is a plethora of known attacks against stock technologies, and because the criterion is "knowing" how to abuse security dependencies to gain control, it can also be satisfied through learning (did I mention we are launching a new course about identity-driven offensive tradecraft?). The bottom right quadrant represents such activities because we learn and develop tradecraft without knowing whether the technology is present in the target environment.
When targeting internally developed solutions, security assessments, red team operations, and penetration testing help discover attack primitives for abusing the technology and, as I mentioned, the people and processes. The top right quadrant represents this activity because we know the people, processes, and technology are present in the target environment, and we develop the required attack primitives with a specific target in sight.
Identify Clean Source Violations
Now that we have a clear view of the target's security dependencies and know how to abuse them to gain control, we need to identify Clean Source violations. Remember, security dependencies always exist, but without a Clean Source violation, they are not an attack path. There is nothing wrong with Domain Admins having admin access to a domain controller (DC); that is expected behavior.
We’re looking for a security dependency that is less trustworthy than the dependent resource, so the obvious next step is to assign a trustworthiness level to every node. We’ll keep it simple by using only three levels:
Let’s consider the following scenario:
The Production DB Server is the target. It has two security dependencies: the Domain Admins group and another dependency that we don’t know how to abuse. Because we don’t know how to abuse it, it does not meet the attack path criteria, so we can disregard it. The DA User is a member of the Domain Admins group and has a session on a compromised workstation.
Now, we can assign trustworthiness levels to the dependencies. The trustworthiness should be assigned based on the security controls enforced on the dependency. Domain Admins are more trustworthy than the target and can be marked green. In line with the Clean Source Principle, security best practices dictate that Domain Admins must use Privileged Access Workstations (PAW) because normal workstations lack the security controls required to protect privileged accounts. Therefore, the Compromised Workstation can be marked red.
What about the DA User? You could argue that it is missing a security control preventing it from establishing a session on a less trustworthy workstation, and therefore it is less trustworthy than the Domain Admins group. Members of the Domain Admins group should log into Privileged Access Workstations (PAW) only. It could also be that, despite that, the DA User is still more trustworthy than the target. Regardless, the Compromised Workstation is less trustworthy, and it is sufficient for introducing an attack path.
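To make the criteria and the trustworthiness assignment concrete, here is an added Python example (not code from the original post, BloodHound, or SpecterOps) that encodes the scenario above as a control graph, places each dependency in the 2x2 matrix, and walks backwards from the target over abusable edges to report chains containing at least one Clean Source violation. Node names follow the scenario; the unnamed second dependency is called `UnknownDep`, the target itself is used as the yellow baseline, and the DA User is marked green (the post leaves that open). All of those are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, List


class Trust(IntEnum):
    """Trustworthiness relative to the target (the post uses three levels)."""
    RED = 0      # less trustworthy than the target (e.g. a normal workstation)
    YELLOW = 1   # baseline: the target itself, or not yet assessed
    GREEN = 2    # more trustworthy than the target (e.g. Domain Admins)


@dataclass(frozen=True)
class Dependency:
    """A control relationship: `source` can contribute to compromising `target`."""
    source: str
    target: str
    relation: str
    present: bool       # criterion 1: mapped in the target environment
    known_abuse: bool   # criterion 2: we have a primitive to abuse it


def quadrant(dep: Dependency) -> str:
    """Place a dependency in the post's 2x2 matrix: rows = present, columns = known."""
    row = "top" if dep.present else "bottom"
    col = "left" if dep.known_abuse else "right"
    return f"{row}-{col}"


def abusable(dep: Dependency) -> bool:
    """Only top-left dependencies can form part of an attack path."""
    return dep.present and dep.known_abuse


def violations(deps: Iterable[Dependency], trust: Dict[str, Trust]) -> List[Dependency]:
    """Clean Source violations: a source that is less trustworthy than what it controls."""
    return [d for d in deps if trust[d.source] < trust[d.target]]


def find_attack_paths(deps: Iterable[Dependency], trust: Dict[str, Trust],
                      target: str, max_depth: int = 8) -> List[List[Dependency]]:
    """Walk control edges backwards from `target`, using only abusable edges, and
    return every chain (ordered attacker -> target) that contains at least one
    Clean Source violation. Chains with no violation are expected behaviour."""
    incoming: Dict[str, List[Dependency]] = {}
    for d in deps:
        if abusable(d):
            incoming.setdefault(d.target, []).append(d)
    paths: List[List[Dependency]] = []

    def walk(node: str, chain: List[Dependency], seen: frozenset) -> None:
        if len(chain) >= max_depth:
            return
        for d in incoming.get(node, []):
            if d.source in seen:            # do not loop through a node twice
                continue
            extended = [d] + chain
            if any(trust[e.source] < trust[e.target] for e in extended):
                paths.append(extended)
            walk(d.source, extended, seen | {d.source})

    walk(target, [], frozenset({target}))
    return paths


def describe(path: List[Dependency]) -> str:
    """Render a chain as 'A [rel] -> B [rel] -> ... -> target'."""
    return " -> ".join(f"{d.source} [{d.relation}]" for d in path) + f" -> {path[-1].target}"


# Constructed scenario from the post; `UnknownDep` is an assumed name for the
# unnamed dependency we do not know how to abuse.
TARGET = "Production DB Server"
SCENARIO = [
    Dependency("Domain Admins", TARGET, "AdminTo", present=True, known_abuse=True),
    Dependency("UnknownDep", TARGET, "Unknown", present=True, known_abuse=False),
    Dependency("DA User", "Domain Admins", "MemberOf", present=True, known_abuse=True),
    Dependency("Compromised Workstation", "DA User", "HasSession", present=True, known_abuse=True),
]
TRUST = {
    TARGET: Trust.YELLOW,
    "UnknownDep": Trust.YELLOW,
    "Domain Admins": Trust.GREEN,
    "DA User": Trust.GREEN,             # assumption; the post leaves this open
    "Compromised Workstation": Trust.RED,
}

if __name__ == "__main__":
    for d in SCENARIO:
        print(f"{d.source} -> {d.target}: {quadrant(d)}")
    for v in violations(SCENARIO, TRUST):
        print("violation:", v.source, "controls", v.target)
    for p in find_attack_paths(SCENARIO, TRUST, TARGET):
        print("attack path:", describe(p))
```

Running it lists `UnknownDep` in the top-right quadrant (present, not abusable, so it is never traversed), reports the single violation (the red workstation holding a session of the green DA User), and returns one attack path from the Compromised Workstation to the Production DB Server. Re-running with the DA User downgraded to yellow adds a second, shorter chain, because the group membership itself then becomes a violation, which is exactly the argument the post makes about that node.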
Conclusion
Attack paths must include at least one Clean Source violation that we know how to abuse. Discovering attack paths requires acquiring the capabilities to identify and abuse security dependencies to gain control of the dependent resources. Ultimately, assigning trustworthiness levels relative to a well-defined target allows us to pinpoint Clean Source violations and identify attack paths.
In the next post, we will apply this framework to a broadly used technology to demonstrate it.
Navigating the Uncharted: A Framework for Attack Path Discovery was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.
The post Navigating the Uncharted: A Framework for Attack Path Discovery appeared first on Security Boulevard.
The Department of Defense's (DoD) approach to Zero Trust leverages automation and analytics using tailored controls to address risk. In part two of our series on the DoD's Zero Trust security model, we continue to explore the crucial framework for defending against modern cyber threats.
The post Embracing Zero Trust: DoD’s New Cybersecurity Paradigm (Part 2) appeared first on Security Boulevard.
Cybersecurity concerns in operational environments have also heightened the importance of asset inventory management. The November 2023 cyberattack on the Aliquippa, Pennsylvania water plant, in which attackers accessed and shut down a pressure regulation pump and disrupted the municipal water supply, reminds us of the potential consequences of inadequate OT security measures. The attack targeted the plant's OT systems, specifically a PLC-HMI system manufactured by Unitronics. Furthermore, regulatory bodies impose strict compliance requirements on industries to ensure safety and security, so noncompliance can result in hefty fines and legal proceedings. A strong OT asset inventory management system helps organizations meet these regulatory requirements. For instance, by maintaining an updated and comprehensive OT asset inventory, organizations in the energy sector can demonstrate adherence to industry standards and regulatory requirements, such as those set by NERC (North American Electric Reliability Corporation) for critical infrastructure protection. Thus, a comprehensive asset inventory is the foundation for identifying vulnerabilities and implementing effective security controls.
Key Components of OT Asset Inventory Management
An effective OT asset inventory management system comprises several key components:
Implementing an OT Asset Inventory Management System
To implement a robust OT asset inventory management system, organizations should:
Challenges in OT Asset Inventory Management
Several challenges can complicate OT asset inventory management:
Best Practices for Effective OT Asset Inventory Management
To overcome these challenges and maximize the benefits of OT asset inventory management, organizations should adopt the following best practices:
Benefits of Robust OT Asset Inventory Management
A well-implemented OT asset inventory management system offers numerous benefits:
OT asset inventory management is a necessity for ensuring the smooth and secure operation of modern industrial systems. By implementing strong inventory management practices, organizations can boost operational efficiency, strengthen their security posture, make informed decisions, and simplify compliance efforts. As the technology evolves, the integration of AI and advanced analytics will further improve the effectiveness of OT asset inventory management. For organizations looking to improve their OT asset inventory management capabilities, Sectrio offers solutions tailored to the unique challenges of industrial environments. Whether you're just beginning your asset inventory journey or seeking to upgrade your existing systems, Sectrio's expertise can help you navigate the complexities of modern OT environments. With the right tools and partners, you can turn your asset inventory process into a strategic advantage for your organization.
The post A Comprehensive Outlook on OT Asset Inventory Management appeared first on Security Boulevard.
To put it simply, an OT asset inventory is an all-inclusive catalog of all your hardware, software, and network components. Far from being just a list, this inventory is the backbone of efficient operations, robust security, and smart decision-making. From manufacturing plants to power grids, organizations across industries are discovering the benefits of maintaining an accurate and up-to-date OT asset inventory. Let's explore the benefits that a well-maintained OT asset inventory can bring to your organization:
Enhanced Visibility and Control
A complete OT asset inventory provides greater oversight of your industrial environment:
Enhanced Security
One of the primary advantages of a robust OT asset inventory is the significant boost it provides to your organization's security posture. Here's how:
Improved Operational Efficiency
An accurate OT asset inventory can streamline various operational processes, leading to increased efficiency:
Better Compliance Management
Navigating the complex web of industry regulations can be daunting. However, a well-maintained OT asset inventory is your compass, simplifying compliance management and reducing regulatory risk. Here's how:
Informed Decision-Making
Data-driven decisions are necessary for success in modern industry. An OT asset inventory provides the insights needed for smarter, more strategic choices:
Cost Savings
Smart asset management translates to significant savings. A well-maintained OT asset inventory helps organizations cut costs and optimize resources in several ways:
Improved Risk Management
Effective risk management is crucial in industrial settings. A comprehensive OT asset inventory empowers organizations to identify, assess, and mitigate risks more efficiently:
In the complex industrial landscape, an up-to-date OT asset inventory is not just a luxury; it's a necessity.
The benefits are clear: enhanced security, improved efficiency, better compliance, informed decision-making, and significant cost savings. By embracing this powerful tool, organizations can navigate the challenges of modern industry with confidence and agility. As threats evolve and regulations tighten, the value of a comprehensive OT asset inventory will only increase. Don’t let your organization fall behind. Take the first step towards a more secure, efficient, and profitable future today. Ready to transform your OT asset management? Discover how Sectrio’s cutting-edge solutions can help you build and maintain a robust OT asset inventory. Contact Sectrio now to start your journey toward operational excellence.
The post Leveraging OT Asset Inventory for Operational Excellence: The Benefits appeared first on Security Boulevard.
API Security: A 2024 Initiative for All Organizations
In the rapidly evolving digital landscape, API security has emerged as a top priority for organizations of all sizes. Protecting your APIs is not just about defense; it's about staying ahead of potential threats and ensuring the seamless operation of your applications. That's why we're excited to […]
The post Unleashing the Power of API Security: Join Our API Bites Bootcamp Series appeared first on Cequence Security.
The post Unleashing the Power of API Security: Join Our API Bites Bootcamp Series appeared first on Security Boulevard.
Perforce Software today published a survey of 250 IT professionals that finds the amount of sensitive data residing in non-production environments is rising as organizations embrace artificial intelligence (AI) and digital business transformation.
The post Survey Surfaces Widespread Mishandling of Sensitive Data appeared first on Security Boulevard.
Season 3, Episode 12: Could the overturning of Chevron Deference impact cybersecurity and privacy regulations?
The post Overturning of Chevron Deference’s Impact on Cybersecurity Regulation appeared first on Security Boulevard.
As the U.S. election nears, DataDome's assessment shows two-thirds of U.S. donation sites lack adequate bot protection, risking donor data and contributions.
The post Security Alert: U.S. Political Donation Sites at Risk appeared first on Security Boulevard.
Digital certificates take many forms but they share the same primary goal: to authenticate a website or server's identity. How this is accomplished will depend on the type of certificate and the level of authentication or protection needed.
The post Multi-Domain vs Wildcard SSL Certificates: Differences & Uses appeared first on Security Boulevard.
You are the weakest link. Hello. Ninety-one percent of organizations experienced at least one software supply chain security incident in 2023. Chances are the other 9% are riding their luck: The average organization has nine high, critical or apocalyptic risks within their supply chain. At the heart of the problem: Companies that aren’t […]
The post That was then, this is now….Modernizing AppSec in Fast-Paced Development Environments appeared first on OX Security.
The post That was then, this is now….Modernizing AppSec in Fast-Paced Development Environments appeared first on Security Boulevard.
Several vulnerabilities have recently been identified in OpenJDK 8 that could lead to denial of service, information disclosure, arbitrary code execution, or bypassing of Java sandbox restrictions. In response, Canonical has released security fixes for multiple versions of OpenJDK, including OpenJDK 21, OpenJDK 17, OpenJDK 11, and OpenJDK 8, on affected Ubuntu […]
The post Ubuntu Addresses Multiple OpenJDK 8 Vulnerabilities appeared first on TuxCare.
The post Ubuntu Addresses Multiple OpenJDK 8 Vulnerabilities appeared first on Security Boulevard.
The art of detecting subtle anomalies, predicting emergent vulnerabilities and remediating novel cyber-attacks is becoming more refined, day by day.
Related: GenAI’s impact on elections
It turns out that the vast datasets churned out by cybersecurity toolsets happen to be … (more…)
The post NEWS ANALYSIS Q&A: The early going of Generative AI and LLMs impacting cybersecurity first appeared on The Last Watchdog.
The post NEWS ANALYSIS Q&A: The early going of Generative AI and LLMs impacting cybersecurity appeared first on Security Boulevard.
Crypto enthusiasts have lately been flooding software registries like npm and PyPI with thousands of bogus packages that add no functional value and instead put a strain on the entire open source ecosystem.
A single instance, recorded by Sonatype in July 2024, saw 281,512 distinct packages appearing on the npmjs.com registry overnight — each package named a gibberish Latin phrase akin to Lorem Ipsum.
The post Crypto enthusiasts flood npm with more than 281,000 bogus packages overnight appeared first on Security Boulevard.
The Other CrowdStrike Outage
On July 19, 2024, a flawed update to CrowdStrike Falcon's channel file 291 triggered a logic error that caused Windows systems to crash, resulting in widespread BSOD (Blue Screen of Death) incidents. The impact was severe, disrupting critical infrastructure globally, from grounded flights to halted public transit systems. In fact, [...]
The post What You Missed About the CrowdStrike Outage: The Next Strike Might Be Linux Due to eBPF appeared first on Wallarm.
The post What You Missed About the CrowdStrike Outage: The Next Strike Might Be Linux Due to eBPF appeared first on Security Boulevard.
Authors/Presenters: Sihang Liu, University of Virginia; Suraaj Kanniwadi, Martin Schwarzl, Andreas Kogler, Daniel Gruss, Samira Khan
Many thanks to USENIX for publishing their outstanding USENIX Security ’23 presenter content, and for the organization's strong commitment to Open Access. Originating from the conference's events at the Anaheim Marriott, and via the organization's YouTube channel.
The post USENIX Security ’23 – Side-Channel Attacks on Optane Persistent Memory appeared first on Security Boulevard.
An unknown threat group leveraged publicly exposed environment variables in organizations' AWS accounts to exfiltrate sensitive data and demand ransoms in a wide-ranging extortion campaign that targeted 110,000 domains.
The post Extortion Group Exploits Cloud Misconfigurations, Targets 110,000 Domains appeared first on Security Boulevard.
President Biden’s call for the mainstreaming of Software Bill of Materials (SBOMs) is a major step forward.
Related: Europe mandates resiliency
Requiring a formal inventory of all components, libraries and modules in all business applications can help lock down software … (more…)
The post Black Hat Fireside Chat: Why grasping the context of code is a recipe for keeping software secure first appeared on The Last Watchdog.
The post Black Hat Fireside Chat: Why grasping the context of code is a recipe for keeping software secure appeared first on Security Boulevard.
via the inimitable Daniel Stori at Turnoff.US!
The post Daniel Stori’s ‘The War For Port 80’ appeared first on Security Boulevard.