AI promises considerable benefits however there’s still a lot of confusion surrounding the topic, particularly around the terms generative AI and predictive AI.
The post Generative AI vs. Predictive AI: A Cybersecurity Perspective appeared first on Security Boulevard.
For two decades or so now, web applications have been the backbone of many businesses, making their security paramount. Dynamic Application Security Testing (DAST) and penetration testing are crucial for identifying and mitigating security vulnerabilities in web application security. While both aim to enhance application security, they differ significantly in their approach, execution, and outcomes. …
DAST Vs. Penetration Testing: Comprehensive Guide to Application Security Testing Read More »
The post DAST Vs. Penetration Testing: Comprehensive Guide to Application Security Testing appeared first on Security Boulevard.
A threat group dubbed Unfurling Hemlock infects targeted campaign with a single compressed file that, once executed, launches a 'cluster bomb' of as many as 10 pieces of malware that include loaders, stealers, and backdoors.
The post Unfurling Hemlock Tossing ‘Cluster Bombs’ of Malware appeared first on Security Boulevard.
Chinese fast-fashion-cum-junk retailer “is a data-theft business.”
The post Temu is Malware — It Sells Your Info, Accuses Ark. AG appeared first on Security Boulevard.
Microsoft details Skeleton Key, a new jailbreak technique in which a threat actor can convince an AI model to ignore its built-in safeguards and respond to requests for harmful, illegal, or offensive requests that might otherwise have been refused.
The post Skeleton Key the Latest Jailbreak Threat to AI Models: Microsoft appeared first on Security Boulevard.
Navigating the landscape of customer interactions is a delicate balancing act that requires constant calibration between security and operability (or usability, if speaking from a customer’s perspective).
The post How to Enhance Security Without Affecting the Customer Experience appeared first on Security Boulevard.
Let’s examine why so many applications remain vulnerable despite high-severity warnings and how to minimize the threat to your organization.
The post The Urgency to Uplevel AppSec: Securing Your Organization’s Vulnerable Building Blocks appeared first on Security Boulevard.
The rate of cyberattacks is rising as the threat level continues to evolve, according to BlackBerry Limited’s latest Global Threat Intelligence Report.
The post Cyberattack Rate Surges as Novel Malware Growth Accelerates appeared first on Security Boulevard.
2 min read Sticky note security now plagues application and service connections, necessitating a shift to more mature workload access safeguards.
The post How to Advance Breach Protection Against Non-Human Identity Threats in Workloads appeared first on Aembit.
The post How to Advance Breach Protection Against Non-Human Identity Threats in Workloads appeared first on Security Boulevard.
By now, you’ve likely seen the LinkedIn posts, the media stories, and even some formerly-known-as “Tweets”: The latest exploit to hit front pages is the malicious use of polyfill.io, a popular library used to power a large number of web browsers. As per usual, there’s a ton of speculation about what’s happening. Is this the […]
The post Third-Party Trust Issues: AppSec Learns from Polyfill appeared first on OX Security.
The post Third-Party Trust Issues: AppSec Learns from Polyfill appeared first on Security Boulevard.
Meta Description: Discover how data-centric security supports the hybrid cloud strategy of Cloudera Data Platform users. Learn about the benefits of hybrid cloud, data management, and secure data sharing.
The post Boost Hybrid Cloud Strategy with Cloudera and comforte’s Data-Centric Security appeared first on Security Boulevard.
Ensuring the security of your customers’ and partners’ data is paramount in today’s digital environment. That’s why Service Organization Control 2 (SOC 2®) compliance has emerged as a widely recognized cybersecurity audit framework. SOC 2® reporting has been adopted by more businesses to demonstrate their commitment to strong cybersecurity practices. Let’s explore what a SOC 2® report...
The post A Step-by-Step Guide to Getting a SOC 2® Report appeared first on Hyperproof.
The post A Step-by-Step Guide to Getting a SOC 2® Report appeared first on Security Boulevard.
Researchers have identified three distinct nation-state campaigns leveraging advanced highly evasive and adaptive threat (HEAT) tactics.
The post Three Nation-State Campaigns Targeting Healthcare, Banking Discovered appeared first on Security Boulevard.
Cloud security has become a major focus for organizations worldwide as they battle with a growing number of data breaches and application sprawl that makes defense more complicated.
The post Cloud Security Tops Priority List for Organizations Globally appeared first on Security Boulevard.
Most organizations are uncertain about the effectiveness of their cybersecurity investments, despite increasing budgets and rampant cyber incidents, according to Optiv’s 2024 Threat and Risk Management Report.
The post Security Budgets Grow, but Inefficiencies Persist appeared first on Security Boulevard.
IT security teams are tasked with protecting an increasingly mobile work environment—managing a myriad of devices efficiently and securely. Addressing this need, NinjaOne has launched its new Mobile Device Management (MDM) capabilities, marking a significant milestone in their mission to […]
The post How NinjaOne’s New MDM Capabilities Transform IT Management appeared first on TechSpective.
The post How NinjaOne’s New MDM Capabilities Transform IT Management appeared first on Security Boulevard.
Threat actors can cover up their espionage activity by deploying ransomware or simply get some financial gain in the process.
The post Chinese APT Groups Use Ransomware to Hide Spying Activities appeared first on Security Boulevard.
It’s easy to confuse CSPM and SSPM (Cloud Security Posture Management and SaaS Security Posture Management). They both secure assets on the cloud, automatically identify misconfigurations, and detect identity-based threats. The difference between the two lies in the areas that they protect. SSPMs secure SaaS applications, while CSPMs secure cloud services, such as AWS or […]
The post A WIN for Cloud Security with Adaptive Shield and Wiz appeared first on Adaptive Shield.
The post A WIN for Cloud Security with Adaptive Shield and Wiz appeared first on Security Boulevard.
30,000 websites at risk: Check yours ASAP! (800 Million Ostriches Can’t Be Wrong.)
The post WordPress Plugin Supply Chain Attack Gets Worse appeared first on Security Boulevard.
A report from the Government Accountability Office (GAO) highlighted an urgent need to address critical cybersecurity challenges facing the nation.
The post GAO Urges Action to Address Critical Cybersecurity Challenges Facing U.S. appeared first on Security Boulevard.
In the first quarter of 2024, nearly half of all security incidents our team responded to involved multi-factor authentication (MFA) issues, according to the latest Cisco Talos report.
The post Misconfigured MFA Increasingly Targeted by Cybercriminals appeared first on Security Boulevard.
Red Teaming security assessments aim to demonstrate to clients how attackers in the real world might link together various exploits and attack methods to reach their objectives.
The post Stepping Into the Attacker’s Shoes: The Strategic Power of Red Teaming (Insights from the Field) appeared first on Security Boulevard.
By introducing a mobile device management (MDM) platform into the existing infrastructure, administrators gain the ability to restrict sideloading on managed devices.
The post EU Opens the App Store Gates: A Call to Arms for MDM Implementation appeared first on Security Boulevard.
Snowflakes has become the latest corporate victim in a cyberattack but how it is playing out is a little different than many breaches.
The post Snowflake Breach appeared first on Security Boulevard.
Let’s explore some of the details behind this escalating threat to SaaS applications, what may be driving it, and what you can do to better protect your SaaS footprint from these types of threats.
The post Why SaaS Identity Abuse is This Year’s Ransomware appeared first on RevealSecurity.
The post Why SaaS Identity Abuse is This Year’s Ransomware appeared first on Security Boulevard.
The LockBit ransomware group is claiming that it hacked into systems at the U.S. Federal Reserve and stole 33TB of data that it will begin leaking as early as Tuesday if the institution doesn’t pay the unspecified ransom. The notorious cybercriminals announced the attack on its dark web leak site on June 23, giving the..
The post LockBit Claims Ransomware Attack on U.S. Federal Reserve appeared first on Security Boulevard.
Security analysts at Google are developing a framework that they hope will enable large language models (LLMs) to eventually be able to run automated vulnerability research, particularly analyses of malware variants. The analysts with Google’s Project Zero – a group founded a decade ago whose job it is to find zero-day vulnerabilities – have been..
The post Google’s Project Naptime Aims for AI-Based Vulnerability Research appeared first on Security Boulevard.
Copying users’ files and deleting some? Even a cartoon hound knows this isn’t fine.
The post Microsoft Privacy FAIL: Windows 11 Silently Backs Up to OneDrive appeared first on Security Boulevard.
Effective April 30, 2024 Airbnb, the global vacation rental giant, announced a significant policy change: the prohibition of all indoor security cameras in its listings worldwide. This decision, aims to bolster the privacy of guests and address longstanding concerns about hidden cameras. While the majority of Airbnb’s over 7 million listings did not report having […]
The post Airbnb’s Ban on Indoor Security Cameras: What It Means for Your Personal Cybersecurity appeared first on BlackCloak | Protect Your Digital Life™.
The post Airbnb’s Ban on Indoor Security Cameras: What It Means for Your Personal Cybersecurity appeared first on Security Boulevard.
Stefan Dumitrascu Brings Expertise to AMTSO Board We are delighted to announce that our Chief Technology Officer, Stefan Dumitrascu, has been elected as a Board Member of the Anti-Malware Testing Standards Organisation (AMTSO). What is AMTSO? AMTSO is an international non-profit association dedicated to improving the objectivity, quality, and relevance of anti-malware testing methodologies worldwide. […]
The post Our CTO joins AMTSO Board appeared first on SE Labs Blog.
The post Our CTO joins AMTSO Board appeared first on Security Boulevard.
Designing software from the ground up to be secure, as recommended by the Secure by Design initiative from the Cybersecurity and Infrastructure Security Agency (CISA), has its challenges, especially if it's done at scale. .
The post How platform engineering helps you get a good start on Secure by Design appeared first on Security Boulevard.
eBPF is one of the most widely used technologies in today’s computing ecosystem, starting from the cloud sector
The post Reverse engineering eBPF programs appeared first on ARMO.
The post Reverse engineering eBPF programs appeared first on Security Boulevard.
Node.js is an open-source, cross-platform JavaScript runtime environment built on the powerful V8 engine from Chrome. It allows you to run JavaScript code outside a web browser, making it popular for building real-time applications and data streaming services. However, like any software, it is not immune to security vulnerabilities. Recently, multiple vulnerabilities were discovered in […]
The post Addressing Node.js Vulnerabilities in Ubuntu appeared first on TuxCare.
The post Addressing Node.js Vulnerabilities in Ubuntu appeared first on Security Boulevard.
Google’s initiative to phase out third-party tracking cookies through its Google Privacy Sandbox has encountered criticism from Austrian privacy advocacy group noyb (none of your business). The non-profit alleges that Google’s proposed solution still facilitates user tracking, albeit in a different form. Allegations of Misleading Practices According to noyb, Google’s Privacy Sandbox, marketed as […]
The post Alert: Australian Non-Profit Accuses Google Privacy Sandbox appeared first on TuxCare.
The post Alert: Australian Non-Profit Accuses Google Privacy Sandbox appeared first on Security Boulevard.
History doesn’t repeat itself, but it often rhymes. As AppSec evolves towards a new playbook, here’s what we can learn from IT’s journey. Just over 20 years ago, Watts Humphrey declared that every business was a software business. Not everyone agreed. No one would image that, sports shoe manufacturers, automakers and even barbecue brands are […]
The post Back to the Future: What AppSec Can Learn From 30 Years of IT Security appeared first on OX Security.
The post Back to the Future: What AppSec Can Learn From 30 Years of IT Security appeared first on Security Boulevard.
Say goodbye to passwords! Passkeys are the next generation of authentication, offering enhanced security and convenience. Learn how passkeys work, their benefits over passwords, and why they are the future of secure online access.
The post Passkeys: The Future of Passwordless Authentication appeared first on Security Boulevard.
Multiple bad actors are using the Rafel RAT malware in about 120 campaigns aimed at compromising Android devices and launching a broad array of attacks that range from stealing data and deleting files to espionage and ransomware. Rafel RAT is an open-source remote administration tool that is spread through phishing campaigns aimed at convincing targets..
The post Rafel RAT Used in 120 Campaigns Targeting Android Device Users appeared first on Security Boulevard.
In this episode of the Shared Security Podcast, the team debates the Surgeon General’s recent call for social media warning labels and explores the pros and cons. Scott discusses whether passwords should be stored in web browsers, potentially sparking strong opinions. The hosts also provide an update on Microsoft’s delayed release of CoPilot Plus PCs […]
The post Social Media Warning Labels, Should You Store Passwords in Your Web Browser? appeared first on Shared Security Podcast.
The post Social Media Warning Labels, Should You Store Passwords in Your Web Browser? appeared first on Security Boulevard.
The Payment Card Industry Data Security Standard (PCI DSS) is a global cornerstone for safeguarding cardholder data. PCI DSS version 4.0, the most recent iteration, emphasises a dynamic, risk-based approach to security, compelling organisations to tailor their controls to their unique environments. PCI DSS penetration tests are crucial for meeting and maintaining security standards. Within …
PCI DSS Penetration Testing Guide Read More »
The post PCI DSS Penetration Testing Guide appeared first on Security Boulevard.
ISO 27001, the internationally recognised standard for information security management systems (ISMS), provides a framework for organisations to protect their valuable information assets. Penetration testing is crucial in preventing data breaches and maintaining the business’s reputation. ISO 27001 strongly recommends it as a critical tool for assessing an organisation’s security posture and ensuring compliance with …
Learn about ISO 27001 Penetration Testing and its requirements Read More »
The post Learn about ISO 27001 Penetration Testing and its requirements appeared first on Security Boulevard.
Long simmering suspicions about the loyalty of Kaspersky Software, a cybersecurity firm headquartered in Russia, came to a head this week after the U.S. government banned the sale of the company’s software, effective July 20th, to both companies and individual consumers. In addition, the U.S. Treasury Department has placed sanctions on 12 senior leaders of..
The post U.S. Bans Sale of Kaspersky Cybersecurity Software appeared first on Security Boulevard.
Recently, we hosted Ross Randall, Director of Technology at Lamar County School District in Georgia, and Tim Miles, Director of Technology at Steamboat Springs School District in Colorado, for a summer-inspired live webinar focused on fortifying your district’s multilayered cybersecurity strategy. From beach balls to firewalls, Ross and Tim generously shared their practical insights, […]
The post Ross Randall’s 3 Essential Tips to Strengthening Your District’s Multilayered Cybersecurity appeared first on ManagedMethods.
The post Ross Randall’s 3 Essential Tips to Strengthening Your District’s Multilayered Cybersecurity appeared first on Security Boulevard.
In our purple team service, we try to take a depth and quality approach and run many different functionally diverse test cases for a given technique. In this blog, I will describe our process of defining and implementing test cases for our purple team runbooks. The goal of this blog post is to provide the community with a bit more information about how we implement test cases for logon session enumeration, what preventative controls might be, and how this process can be applied to other techniques.
We wanted to develop a logical numbering system to separate test cases for each technique. After a couple of iterations of our purple team service, we started to deliberately select test cases and run variations based on three distinct categories:
Defining test cases in this manner allows us to triangulate a technique’s coverage estimation rather than treat the techniques in the MITRE ATT&CK matrix as a bingo card where we run net session and net1 session, fill in the box for this technique, and move on to the next one. After running each test case during the purple team assessment, we look for whether the test case was prevented, detected, or observed (telemetry) by any security controls the organization may have.
Let’s dive into logon session enumeration by deconstructing the functional differences between three distinct procedures. If you want to learn more (or want to apply this methodology yourself), you can find out more about the process we use to examine the function call stack of tools in Nathan’s Beyond Procedures: Digging into the Function Call Stack and Jared’s On Detection: Tactical to Functional series.
We can start by examining the three distinct procedures that SharpHound implements. Rohan blogged about the three different methods SharpHound uses. SharpHound can attempt to use all three depending on the context it’s running under and what arguments are passed to it. The implementation of each procedure can be found here: NetSessionEnum, NetWkstaEnum, and GetSubKeyNames in the SharpHoundCommon library. Matt also talks about this in his BOFHound: Session Integration blog.
Here is a breakdown of each of the three unique procedures implemented in SharpHound for remote session enumeration:
Distinct Procedure #1: Network Session Enumeration (NetSessionEnum)
NetSessionEnum is a Win32 API implemented in netapi32.dll. The image below shows where each tool is implemented in the function call stack:
This Win32 API returns a list of active remote or network logon sessions. These two blogs (Netwrix and Compass Security) go into detail about which operating systems allow “Authenticated Users” to query logon sessions and how to check and restrict access to this API remotely by altering the security descriptor in the HKLM/SYSTEM/CurrentControlSet/Services/LanmanServer/DefaultSecurity/SrvsvcSessionInfo registry key. If we read Microsoft’s documentation on the RPC server, we see the MS-SRVS RPC server is only implemented via the \PIPE\srvsvc named pipe (RPC servers can also be commonly implemented via TCP as well). As Microsoft’s documentation states, named pipes communicate over CIFS\SMB via port 445.
In our purple team service, we usually target the organization’s most active file server for two reasons. First, port 445 (SMB) will generally be open from everywhere on the internal network for this server. Second, this server has the most value to an attacker since it could contain hundreds or even thousands of user-to-machine mappings an attacker could use for “user hunting.”
Distinct Procedure #2: Interactive, Service, and Batch Logon Session Enumeration (NetWkstaUserEnum)
NetWkstaUserEnum is also a Win32 API implemented in netapi32.dll. Below is the breakdown of the function call stack and where each tool is implemented:
As Microsoft documentation says: “This list includes interactive, service, and batch logons” and “Members of the Administrators, and the Server, System, and Print Operator local groups can also view information.” This API call has different permission requirements and returns a different set of information than the NetSessionEnum API call; however, just like NetSessionEnum, the RPC server is implemented only via the \PIPE\wkssvc named pipe. Again, this blog from Compass Security goes into more detail about the requirements.
Since this, by default, requires administrator or other privileged rights on the target machine, we will again attempt to target file servers and usually get an access denied response when running this procedure. As a detection engineer, if someone attempts to enumerate sessions, do we have the telemetry even if they are unsuccessful? Next, we will attempt to target a workstation on which we have administrator rights to enumerate sessions using this minor variation in a different test case.
Distinct Procedure #3: Interactive Session Enumeration (RegEnumKeyExW)
Note: I’m only showing the function call stack of RegEnumKeyExW, SharpHound calls OpenRemoteBaseKey to get a handle to the remote key before calling RegEnumKeyExW. I also left out calls to API sets in this graph.
RegEnumKeyExW is, again, a Win32 API implemented in advapi32.dll. Below is the breakdown of the function call stack and where each tool is implemented:
As Microsoft documentation says, the remote system “requires the Remote Registry service to be running on the remote computer.” Again, this blog from Compass Security goes into more detail about the requirements, but by default, the service is disabled on workstation operating systems like Windows 11 and 10 and set to trigger start on server operating systems by interacting with the \PIPE\winreg named pipe. If the remote registry service is running (or triggerable), then the HKEY_USERS hive can be queried for a list of subkeys. These subkeys contain SIDs for users that are interactively logged on. Like NetWkstaUserEnum and NetSessionEnum, the RPC server is implemented only via the \PIPE\winreg named pipe.
Now that we have a diverse set of procedures and tooling examples that use a variety of execution modalities, we can start creating test cases to run for this technique. Below, I have included an example set of test cases and associated numbering system using each of the three distinct procedures and altering the execution modality for each one.
You can also find a full TOML runbook for the examples below here: https://ghst.ly/session-enumeration-runbook. All of the test cases are free or open source and can be executed via an Apollo agent with the Mythic C2 framework.
For example, our numbering looks like: Test Case X.Y.Z
A sample set of test cases we might include:
Network Session Enumeration (NetSessionEnum)
Interactive, Service, and Batch Logon Session Enumeration (NetWkstaUserEnum)
Interactive Session Enumeration (RegEnumKeyExW)
After executing each test case, we can determine if the test case was prevented, detected, or observed. Tracking information like this allows us to provide feedback on your controls and predict how likely they would detect or prevent an adversary’s arbitrary selection of procedure or execution modality. Also, we space test cases about 10 minutes apart; name artifacts like files, registry keys, and processes by their corresponding test case number; and alternate the machine and source user we are executing from to make finding observable telemetry easier. We may include or exclude certain test cases based on the organization’s security controls. For example, if they block and alert on all powershell.exe usage, we aren’t going to run 40 test cases across multiple techniques that attempt to call the PowerShell binary.
By researching and deconstructing each tool and looking at the underlying function call stacks, we found that regardless of which distinct procedure or execution modality was used, they all used three different RPC servers, each implemented using named pipes. This will also allow us to triangulate detection coverage and help determine if a custom or vendor-based rule is looking for a brittle indicator or a tool-specific detail\toolmark.
We now have a fairly broad set of test cases for a runbook that accounts for a wide variety of attacker tradecraft for this technique. Knowing this as a blue teamer or detection engineer will allow me to implement a much more comprehensive detection strategy for this particular technique around the three named pipes we discovered. This allows us to write robust detection rules, rather than looking for the string “Get-NetSession” in a PowerShell script. Would this produce a perfect detection for session enumeration? No. Does this include every single way an attacker can determine where a user is logged? No. Does deconstructing adversary tradecraft in this manner vastly improve our coverage for the technique? Absolutely.
In my next post, I will cover many log sources native to Windows (I’m counting Sysmon as native) and a couple of EDRs that allow us to detect logon session enumeration via named pipes (or TCP in some cases). Some of these sources you might be familiar with, others aren’t very well documented. Each of these log sources can be enabled and shipped to a centralized place like a SIEM. Each source has its requirements, provides a different context, and has its pros and cons for use in a detection rule.
Deconstructing Logon Session Enumeration was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.
The post Deconstructing Logon Session Enumeration appeared first on Security Boulevard.
ASUS announces major Firmware Update ASUS recently issued a firmware update to resolve a critical security vulnerability affecting seven different variants of its router models. Identified as CVE-2024-3080 with a CVSS v3 severity score of 9.8 (critical), the vulnerability permits remote attackers to take control of the affected router models without needing any login credentials. [...]
The post CVE-2024-3080: ASUS warns Customers about the latest Authentication Bypass Vulnerability detected Across seven Router Models appeared first on Wallarm.
The post CVE-2024-3080: ASUS warns Customers about the latest Authentication Bypass Vulnerability detected Across seven Router Models appeared first on Security Boulevard.
Spend more on security! Car and truck dealers fall back on pen and paper as huge SaaS provider gets hacked (again).
The post 30,000 Dealerships Down — ‘Ransomware’ Outage Outrage no. 2 at CDK Global appeared first on Security Boulevard.
Different models of access control offer unique methods and benefits. The three primary models are Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Discretionary Access Control (DAC).
The post Understanding Access Control Models: RBAC, ABAC, and DAC appeared first on Security Boulevard.
As per recent reports, cybersecurity experts uncovered a troubling development on the Python Package Index (PyPI) – a platform used widely by developers to find and distribute Python packages. A malicious package named ‘crytic-compilers‘ was discovered, mimicking the legitimate ‘crytic-compile’ library developed by Trail of Bits. This fraudulent package was designed with sinister intent: to […]
The post Python Developers Targeted Via Fake Crytic-Compilers Package appeared first on TuxCare.
The post Python Developers Targeted Via Fake Crytic-Compilers Package appeared first on Security Boulevard.
Modern chief information security officers (CISOs) are navigating tough circumstances due to complex challenges and heightened regulatory pressures.
The post It’s a Hard Time to Be a CISO. Transformational Leadership is More Important Than Ever. appeared first on Security Boulevard.
3 min read Security teams can enhance business operations by providing workload credential management as a service, freeing developers to focus on innovation.
The post Why Devs Aren’t Responsible for Non-Human Credential Hygiene appeared first on Aembit.
The post Why Devs Aren’t Responsible for Non-Human Credential Hygiene appeared first on Security Boulevard.
Login