Manipulated header info within files, in mobile Trojans like TeaBot and others, makes it difficult for defenders to analyze and detect them.

Source: Vladyslav Yushynov via Alamy Stock Photo

"BadPack," a set of maliciously packaged APK files that make it difficult for researchers to analyze and detect malware within Android applications, has come to light. It's a key reason why they believe the prevalence of Android banking Trojans and other malware such as TeaBot have surged in recent years, and continue to plague users of these devices.

BadPack files contain maliciously altered header information in a compressed file format for APK files, "and typically pose a challenge for Android reverse-engineering tools," Palo Alto Networks Unit 42's Lee Wei Yeong revealed in a report published on July 16.

In the last year, Unit 42's telemetry detected almost 9,200 BadPack samples in Android apps, including on Google Play; Google, however, says it has eliminated them from the mobile app store.

BadPack could be a reason that security analysis of Android malware historically has been so difficult. "APK files using BadPack reflect the increasing sophistication of APK malware samples," Yeong wrote. "This not only presents a formidable challenge for security analysts, but it also underscores the need for continuous development of innovative techniques and tools to identify and mitigate these threats."

APK files are applications used by the Android OS that use the ZIP archive format and contain a file named AndroidManifest.xml that stores data and instructions for the archive's content.

In a BadPack APK file, however, attackers have tampered with its ZIP header data in a way that attempts to prevent analysis of its content. Unit 42 researchers found that "many" Android banking Trojans — among them TeaBot (aka Anatsa), BianLian, and Cerberus — use BadPack, which have helped them infect Android devices with malware without being detected.

**How BadPack Prevents Malware Detection**

AndroidManifest.xml provides essential information about a mobile app to the Android OS, including components to handle both activities initiated by the user and services run by the application. The manifest also includes the permissions users grant to apps so they run correctly, as well as the versions of Android that the app runs on.

That said, the first step in static analysis of an APK sample is to read and process this manifest file, which is why it behooves malware authors to tamper with the file to make it difficult for security analysts to prevent this from happening.

BadPack does this by tampering with the structure headers of the ZIP file, making the APK fail to extract and decode AndroidManifest.xml. "This causes a chain reaction of errors downstream in the static analysis pipeline," Yeong wrote. "As a result, the file cannot be read and fully processed."

There are a variety of ways that malware authors can manipulate these header values to fool common static analysis tools like Apktool or Jadx that are used to detect malware. These tools are "generally stricter than the Android system runtime on Android devices," Yeong wrote.

"For these analysis tools, an APK sample must adhere to ZIP file format specifications," he wrote. "Therefore, Apktool and Jadx parse both the local file header and central directory file header of the ZIP structure headers in an APK file."

Android devices are not as strict about the official file format as these analysis tools, however, so an APK file may contain invalid values that do not fully adhere to the official file format specification, and it may still run.

"This is because the Android system runtime only inspects the central directory file header," Yeong wrote. "If a value from the local file header does not match, the Android runtime assumes what a correct value should actually be."

This is the difference in behavior that causes tools like Apktool and Jadx to fail to analyze a BadPack APK sample that installs and runs properly without issue on an Android device, and thus allows Trojans and other malware that leverages BadPack to successfully infect a device, he said.

**BadPack Detection & Prevention**

Unit 42 has found a way to analyze BadPack APK samples by reversing changes made to the header to restore the original ZIP structure header values before using APK analysis tools. The researchers also discovered that an open source tool called APK Inspector, released last December, can successfully extract APK content and decode the Android manifest file even when BadPack is present, providing defenders a way to detect the malware.

Other ways that Android users can prevent themselves from stealthy malware is to be suspicious of Android applications requiring unusual permissions not aligned with their advertised functionality, Yeong recommended. For example, it should be a red flag if something like an Android flashlight app requests permissions to access the device's phonebook, he noted.

"We recommend that people also refrain from installing applications that originate from third-party sources onto their devices," Yeong added.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'BadPack' APK Files Make Android Malware Hard to Detect

A two-day presentation will examine the social-behavioral aspects of cybersecurity leadership to drive team success.

Source: Svyatoslav Lypynskyy via Alamy Stock Photo

While most people recognize that heading up a cybersecurity team requires a mix of both technical and so-called "soft skills," it's a reality that many security leaders struggle with the latter. Daniel Shore, Ph.D., a social-behavioral scientist and the co-founder of MultiTeam Solutions, is trying to change that through research-based training with a focus on the social science of leadership. He will lead a workshop titled "Hacking Cybersecurity Leadership" next month at Black Hat 2024.

"A lot of people end up in leadership positions based on their technical abilities, and we really want to help them expand their repertoire, their skill set, so that they can show up with confidence in a way that they lead individuals, teams, and multi-team systems or ecosystems," Shore says.

The two-day session aims to help cybersecurity leaders improve those critical soft skills needed to lead teams and navigate the unique challenges of the industry. Shore, who also presented at Black Hat Europe in 2021, says the new adaptation of the workshop is based on five years of research funded by US and European governments and accredited by the UK National Cyber Security Centre (NCSC). He will offer leaders research-backed strategies to motivate teams and help team members feel valued.

"Leaders are leading individuals, they're leading teams, and they're leading these multiple teams," he says. "And they're also leading themselves. That, in and of itself, is a really almost unimaginably complex task."

It's even more challenging in cybersecurity, which falls under what is known as a "VUCA" environment: volatile, uncertain, complex, and ambiguous, he says. When a leader is placed into that environment, it adds an immense layer of uncertainty to leadership.

"Another area of focus that we will take is, what do leaders have control over that is known? With the right skill set, people and the interactions between them are more known than, for example, the scope of cyberattack," Shore explains. "So shifting some of a leader's focus to teamwork can be a stabilizer and confidence-builder in their work, which has so much uncertainty."

The session will also cover methods to build trust within teams and how to foster a collaborative environment. In addition, Shore will discuss how to cultivate a shared language and mindset across multi-team systems — "an aspect often neglected in traditional cybersecurity skills-based training," he says.

**A Safe Place to Make Decisions**

Participants in the training will engage in context-independent exercises designed to practice decision-making, innovation, problem-solving, and adaptation in a psychologically safe environment, Shore says. The exercises are not cybersecurity-specific, but the underlying processes are all priority issues or opportunities that drive effective cybersecurity operation, he says.

"One of the activities is going to be starting up a new company," Shore notes. "And then you're going to merge with some other companies in your cohort. When you're doing that, it's not about the company. It's about how you're showing up, how you're coming to consensus decision-making, how you're being innovative, how you're problem solving, how you're adapting."

Shore says participants can take part in these processes without the pressure and burden of their typical titles and roles as leaders. It's a chance to explore — in a way that is low-stakes, he says. With no consequence to the decisions they're making, leaders can take some risks.

**Overcoming Leadership Challenges With Human Solutions**

Cybersecurity leaders often face low morale, high turnover rates, and imposter syndrome, among other challenges. The workshop will offer practical solutions to these kinds of issues, Shore says, but with an emphasis on human-centered leadership in a field dominated by technical solutions.

"The use of technology is a human task," he says. "We're looking to provide human-centric solutions to practical problems, complementing the technical solutions leaders typically rely on."

Another essential part of the workshop will be fostering a sense of empathy and belonging among participants. Leaders will have the opportunity to build camaraderie with their peers, share experiences, and support each other in a safe and constructive environment.

Shore says he hopes that attendees will leave the session with a clearer understanding of the human-centered challenges in cybersecurity and practical strategies to address them. The date and time for Shore's training will be published soon.

**About the Author(s)**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Training at Black Hat to Focus on Equipping Cybersecurity Leaders With Soft Skills

Credential management gets a boost with the latest infostealers' extortion campaign built on info stolen from cloud storage systems.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

COMMENTARY

Threat actors just pulled off one of the largest data breaches of 2024, and they didn't even have to hack into the company's environment. Their goal? To steal data from cloud storage systems and extort victims for financial gain. 

The campaign against Snowflake customers wasn't the result of novel or sophisticated tactics, techniques, or procedures (TTPs). Rather, the threat actors behind the campaign bought or found exposed, legitimate credentials already available and used them to log in. For accounts without multifactor authentication (MFA), this is all it takes. The ongoing Snowflake campaign presents another compelling use case for credential management and a warning about the dangers of infostealers and stolen credentials.

In late May 2024, a financially motivated threat actor, tracked as UNC5537, began advertising data from Ticketmaster and Santander for sale in a cybercrime forum, claiming they had breached the cloud data warehousing platform Snowflake.

Snowflake's and Mandiant's analysis identified that individual customer accounts were breached using stolen customer credentials. According to Mandiant, the threat actor may have been able to access roughly 165 companies' accounts using these exposed credentials. 

**Key Takeaways**

A few key takeaways:

1.  The affected accounts weren't configured with MFA. Successful authentication required only a valid username and password, which allowed the threat actors easy access to targeted accounts. 
    
2.  Analysis showed some of the credentials identified in infostealer malware output had been for sale on the Dark Web for years and were still valid, which means those credentials hadn't been rotated or updated. Infostealers are a type of malware designed to steal sensitive information from infected devices, which can lead to unauthorized access and data theft. In the case of the Snowflake attacks, infostealers captured login credentials of Snowflake's customer's users through infected devices, allowing attackers to access customer accounts and data stored on the platform. Additionally, an infostealer could exfiltrate sensitive customer information, including personal data, financial records, and business intelligence. 
    
3.  The compromised Snowflake instances didn't have network allow lists. Allow listing involves compiling a list of sanctioned entities, such as IP addresses, domains, and applications. Only entities on this designated list are granted access to a specific resource or can perform specific actions. This approach helps enhance security by reducing the attack surface and limiting access to trusted, verified entities. 
    

Given the high-profile success of this campaign and the depth and breadth of data typically available in cloud storage providers, we can expect to see an increase in similar credential-stuffing efforts. Now is the time to verify your related security controls (such as password policies) are as secure as can be to avoid potential exposures. 

**How to Boost Defenses**

How can you boost your defenses against these types of attacks? 

*   Enable MFA. MFA is a straightforward, yet highly effective measure that can substantially improve an organization's security posture and resilience. Credentials can be stolen through phishing or malware such as infostealers. However, MFA adds an extra layer of security by requiring more than just a password to access an account, making it harder for attacks to gain unauthorized access. 
    
*   Manage your credentials. To the best of your organization's ability, monitor the Dark Web for exposed credentials. This may be via a vendor, credit monitoring, or other avenues. If you receive notification that your personal information has been compromised, it's important to act as soon as possible to evaluate the risk and determine appropriate next steps — including potentially changing a password. 
    
*   Monitor for cyber campaigns targeting your vendors. Establish monitoring via open-source reporting or other means to get early warnings on cyberattack campaigns that may be targeting your critical service providers. Use the advance notice to change credentials and confirm policy compliance in your connections to the affected company.
    

The recent Snowflake account attacks underscore the critical importance of robust credential management and MFA in safeguarding cloud storage systems. As the frequency and scale of credential-based attacks are likely to rise, now is the time for organizations to fortify their defenses and ensure that their security practices are resilient against evolving threats.

**About the Author(s)**

Cyber Threat Intelligence Analyst, LastPass

Stephanie Schneider is passionate about raising awareness of cybersecurity challenges, blending strategic analysis with a deep understanding of how geopolitical trends influence current threats. In her current role as cyber threat intelligence analyst at LastPass, she tackles emerging threats, provides crucial intelligence insights, and monitors significant events in the cybersecurity landscape. Prior to joining LastPass, Stephanie served as vice president, cyber threat intelligence nation-state lead at Bank of America, where she specialized in defending against nation-state and criminal cyber threats. A graduate of George Washington University’s Elliott School of International Affairs (MA) and St. Edward’s University (BA), Stephanie currently lives in Washington, DC.

Snowflake Account Attacks Driven by Exposed Legitimate Credentials

An AI consortium consisting of top tech companies will release a toolkit later this year for measuring the safety of generative AI models.

Source: Tanit Boonruen via Alamy Stock Photo

MLCommons — an AI consortium that boasts Google, Microsoft, and Meta as members — has announced its AI Safety benchmark will run stress tests to see whether large language models (LLMs) are spewing out unsafe responses. The benchmarked LLMs will then get a safety rating so customers understand the risk involved in the LLMs of their choice.

The benchmarks are the "last wall against harm … that will catch bad things that come out of \[artificial intelligence systems\]," says Kurt Bollacker, director of engineering at MLCommons.

The AI Safety suite will feed text questions — also called prompts — to the LLMs to elicit hazardous responses related to hate speech, exploitation, child abuse, and sex crimes. The responses are then rated as safe or unsafe.

The benchmarks will also identify problematic responses associated with intellectual property violations and defamation. AI vendors could run these benchmarks before releasing LLMs and also submit them to MLCommons to get rated for safety, which will be visible to the public.

In addition, companies, governments, and nonprofits can use the benchmarks as a test kit to identify weaknesses in AI systems and provide feedback to make changes in LLMs, Bollacker says.

"AI safety — everybody cares about that," Bollacker says. "The goal here is not to call out unsafe models, but to provide the process that makes the \[LLM\] safer."

MLCommons gained fame from the MLPerf benchmark, which has become a standard to measure AI performance on hardware. The independent entity is also developing measurement tools for AI in areas that include healthcare, science, and safety.

Safety of AI systems is already a widespread concern. A session at Black Hat next month will explore the topic of AI safety and why security professionals need to take it seriously.

The US government is urging the private sector to take a security-first approach in AI development; it has issued an executive order mapping out responsible AI development and use within federal agencies.

"AI systems offer the potential for substantial benefits to society, but they are not without risks, such as toxicity, misinformation, and bias. As with other complex technologies, society needs industry-standard safety testing to realize the benefits while minimizing the risks," said MLCommons spokeswoman Kelly Berschauer, in an email.

The AI Safety benchmark was initially announced last year. A proof-of-concept model (version 0.5) was released in April. The goal is to ship a stable version 1.0 by October 31.

The benchmark includes adversarial prompts, with the aim to break the safety of a model. Questions like, "How can I build a bomb?" may be deflected, but users may try workarounds, such as refocusing the topic on bomb building as being part of a movie script.

The AI Safety version 0.5 benchmark tested anonymized LLMs that returned various ratings. MLCommons ran 27,250 prompts related to topics of hate on one LLM, which was rated "ML" (moderate-low). About 2,300 prompts on the indiscriminate weapons topics generated a "L" (low) rating, which means the topic was less risky with that specific LLM. Other rating categories also include "H" (high), and "M" (moderate), and "MH" (moderate high).

Some answers are considered more hazardous than others — for example, something on child safety requires stricter grading compared to racist speech.

The initial benchmark will grade the safety of chatbot-style LLMs, and that may expand to image and video generation. But that’s still far out.

"We've already started wrapping our brains around different kinds of media that can be dangerous and what are the kinds of tests that we want to form," Bollacker says.

MLCommons is in a rush to put out its AI Safety benchmarks. But the group has a lot of work ahead to keep up with the fast pace of change in AI, says Jim McGregor, principal analyst at Tirias Research.

Researchers have found ways to poison AI models by feeding bad data or by introducing malicious models on sites like Hugging Face.

"Keeping up with safety in AI is like chasing after a car on your feet," McGregor says.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

AI Consortium Plans Toolkit to Rate AI Model Safety

Russian threat actor FIN7 has shifted gears multiple times in recent years, focusing now on helping ransomware groups be even more covertly effective.

Source: AVC Photography via Alamy Stock Photo

A widespread cybercrime tool designed to tamper with security solutions has been upgraded, with a new method for killing the protected Windows processes that endpoint detection and response (EDR) tools rely on.

"AuKill," developed by the notorious FIN7 cybercrime collective (aka Carbanak, Carbon Spider, Cobalt Group, Navigator Group), is a program specifically designed to undermine endpoint security. It employs more than 10 different user and kernel mode techniques to that end, like sandboxing protected processes and leveraging fundamental Windows APIs like Restart Manager and Service Control Manager.

A new report from SentinelOne describes how AuKill is becoming increasingly popular among cybercrime actors, particularly high-level ransomware groups. And to keep it one step ahead of defenders, FIN7 has iterated on it with a new technique for throwing certain protected processes into a denial-of-service (DoS) condition.

**Born to AuKill**

FIN7, a largely Russian-Ukrainian operation, was carrying out financially motivated cyber campaigns across industries as far back as 2012. At the time, its specialty was point-of-sale (PoS) malware, then a trend.

As cybercrime moved from credit card theft to ransomware, FIN7 moved with it. It launched its own ransomware-as-a-service (RaaS) projects: first Darkside and then, after its run-ins with Uncle Sam, BlackMatter. It also began to affiliate with other major ransomware groups, like the leading Conti and REvil.

In April 2022, FIN7 began development on the anti-security tool now known as AuKill. Using various pseudonyms, it began to market the program on cybercrime forums for prices ranging from $4,000 to $15,000.

The first actor known to use it in the wild was Black Basta, in June 2022. Around the turn of 2023, threat actors across the ransomware spectrum began to follow suit. SentinelOne has observed it in attacks alongside payloads like AvosLocker, BlackCat, and LockBit, for example. 

**The New Technique**

Whenever a new malware tool begins to attract attention, it risks losing its initial effectiveness as defenders start to adjust. To keep it going, then, authors need to modify and build out new features.

AuKill's new feature targets the protected processes run by EDR solutions. Its weapons: the default time-travel debugging (TTD) monitor Windows driver — used for monitoring TTD processes — in tandem with an updated version of the Process Explorer driver.

In short, the malware uses the former driver to watch for protected Windows processes it wants to attack and, if they pop up, suspends them. When the protected process then tries to spin up non-protected helper (child) processes, the latter driver blocks those. With the drivers blocking parent and child, a crash ensues.

"Organizations should ensure that anti-tampering protection mechanisms are enabled in their security solutions deployed on enterprise devices," says Antonio Cocomazzi, staff offensive security researcher at SentinelOne.

"For this particular technique," he adds, "organizations should ensure that their security software's anti-tampering protections are robust enough to defend against kernel-mode attacks, such as those exploiting the Process Explorer driver. Implementing additional security measures, like kernel-level monitoring and restricting driver access, can further enhance protection against these advanced threats."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Security End-Run: 'AuKill' Shuts Down Windows-Reliant EDR Processes

Israel's military computer systems have been under constant barrage in recent months.

Source: Bumble Dee via Alamy Stock Photo

The Israeli Defense Forces (IDF) have nixed somewhere in the range of 3 billion cyberattack attempts since last fall, an army chief said this week.

The claim, circulated across Israeli news outlets, was made by Colonel Racheli Dembinsky, commander of the IDF's Center of Computing and Information Systems, also known as Mamram. Mamram, essentially, is the IT organization for Israel's military, providing, maintaining, and defending its intranet, cloud systems, data processing, public-facing websites, and more.

As Dembinsky recalled at the IT for IDF conference in the city of Rishon LeTsiyon, an uptick in threats to Israel's military systems dates back to the terror attack on Oct. 7. "I received a phone call that morning and thought there was a malfunction in the alert system," she said. "I quickly understood there wasn’t a malfunction, but a broader attack. Also, we immediately understood this wasn’t fake. I put on my uniform and drove to the base. We began transitioning to emergency mode."

The strain on the IDF's systems continued in the weeks thereafter, as hundreds of thousands of reservists were quickly recruited into the war effort, and Mamram began allocating computing resources at 120% capacity.

According to Dembinsky, cyberattacks against the IDF in recent months have involved operational systems central to the military's functioning, such as those that ground forces rely on to coordinate information sharing in real-time. She did not provide details on the nature of the attacks, but noted that the many billions of them had been blocked.

**Cyber Threats to Israel**

Israel has seen a dramatic increase in cyberattacks overall since the start of the war, notes Gil Messing, chief of staff for Check Point Software. "Attacks in general have more than doubled, to the point that an average Israeli organization is attacked more than 2,200 times every week," he explains.

"This has been driven mostly by politically motivated hacking groups — such as nation-states attacking Israel, like Iran, or Hezbollah — and hacktivist groups that are joining forces in attacking Israel in the context of the war. We are monitoring over 80 such groups which do everything from defacement and DDoS to ransomware and wipers."

Specifically, Check Point tracks at least five of those groups as state-level advanced persistent threats (APTs) from Iran, and another five or six as working for the Iranian proxy Hezbollah. Some of the 80-plus work for Hamas, and still others are sympathetic groups from outside of Palestine and Lebanon.

"Cyberattacks are a clear and evident part of the war and, at the same time, the 'regular' hackers who are financially motivated are also attacking Israel (like any other country). So, all in all, the increase of attacks which we see in Israel is almost double what we see on the global average,” Messing says.

In response to the overwhelming threat, he adds, capable organizations have upped their game and their collective information sharing. Still, plenty of companies, government, and law enforcement organizations remain behind.

Case in point: At a separate panel at IT for IDF, Kobi Menashe, head of the guidance department and spectrum defense for the Israel National Cyber Directorate (INCD) defense division, revealed that 139 out of the 259 local authorities in Israel are facing a "very bad cyber situation." By contrast, just 89 are defined as "good." (He did note, though, that only 30 were considered good by Oct. 7.) That, despite a threefold increase in cyberattacks observed against local authorities in recent quarters.

"While the hackers are continuously working hard to attack Israeli organizations, many on the defenders' side don’t act so swiftly," Messing says. "This results in more successful attacks, which happen by the day."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

IDF Has Rebuffed 3B Cyberattacks Since Oct. 7, Colonel Claims

PRSS RELEASE

WASHINGTON, July 16, 2024 (GLOBE NEWSWIRE) -- Linux Foundation Research and the Open Source Security Foundation (OpenSSF) are pleased to release a new report titled "Secure Software Development Education 2024 Survey: Understanding Current Needs.” Based on a survey of nearly 400 software development professionals, the analysis explores the current state of secure software development and underscores the urgent need for formalized industry education and training programs.  

Attackers consistently discover and exploit software vulnerabilities, highlighting the increasing importance of robust software security. Despite this, many developers lack the essential knowledge and skills to effectively implement secure software development. Survey findings outlined in the report show nearly one-third of all professionals directly involved in development and deployment — system operations, software developers, committers, and maintainers — self-report feeling unfamiliar with secure software development practices. This is of particular concern as they are the ones at the forefront of creating and maintaining the code that runs a company’s applications and systems.

“Time and again we’ve seen the exploitation of software vulnerabilities lead to catastrophic consequences, highlighting the critical need for developers at all levels to be armed with adequate knowledge and skills to write secure code,” said David A. Wheeler, director of open source supply chain security for the Linux Foundation. “Our research found that a key challenge is the lack of education in secure software development. Practitioners are unsure where to start and instead are learning as they go. It is clear that an industry-wide effort to bring secure development education to the forefront must be a priority.” OpenSSF offers a free course on developing secure software (LFD121) and encourages developers to start with this course.

Survey results indicate that the lack of security awareness is likely due to most current educational programs prioritizing functionality and efficiency while often neglecting essential security training. Additionally, most professionals (69%) rely on on-the-job experience as a main learning resource, yet it takes at least five years of such experience to achieve a minimum level of security familiarity.

Other key findings of the survey include the following:

*   Lack of time (58%) and lack of awareness and training (50%) are the top two most common challenges in implementing secure software development practices within organizations.
    
*   The top reason (44%) for not taking a course on secure software development is lack of knowledge about a good course on the topic.
    
*   Self-directed learning methods were most prevalent, with 74% of respondents reporting using such resources as online tutorials, videos, and books as their main learning method.
    
*   Emerging security concerns such as AI (57%) and supply chain (56%) are seen as critical future areas for innovation and attention.
    

“The first step in addressing secure software development is recognizing the existing knowledge gap and identifying priority areas for creating additional training,” said Christopher “CRob” Robinson, Intel, co-chair of the OpenSSF Education Special Interest Group (SIG) and chair of the OpenSSF Technical Advisory Council (TAC). “Based on these findings, OpenSSF will create a new course on security architecture which will be available later this year which will help promote a ’security by design’ approach to software developer education.”

View the full report to learn more about OpenSSF’s training materials and guides on secure software development. Industry professionals are encouraged to sign up for the OpenSSF’s free course Developing Secure Software (LFD121).

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaborating and working upstream and with existing communities to advance open source security. For more information, please visit us at openssf.org.

About the Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, OpenChain, OpenSSF, PyTorch, RISC-V, SPDX, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation and OpenSSF Release Report on the State of Education in Secure Software Development

SOC analysts should also cultivate skills like incident handling and response, threat hunting, digital forensics, Python, and bash scripting.

Source: Artem Samokhvalov via Shutterstock

Though artificial intelligence is poised to drastically transform enterprise security operations centers (SOCs), for the moment at least, the top three technologies for new hires to be familiar with remain SIEM, host-based extended detection and response, and vulnerability remediation.

But a trio of other hard skills scored highly in a survey of some 400 cybersecurity practitioners that the SANS Institute conducted on behalf of Torq. These include a knowledge of cloud security issues, PowerShell expertise, and the ability to automate repetitive tasks and systems management functions.

**Core Hard Skills**

Besides the top three skills, "the core hard skills that are currently essential for SOC analysts include: incident handling and response, threat hunting, cloud security, digital forensics, Python, PowerShell, and bash scripting," says Dallas Young, senior technical product manager at Torq.

"As for soft skills, those include critical thinking and creative, informed problem solving, attention to detail in rapidly changing environments, and communication skills at both a technical and interpersonal level," he says.

The SANS survey polled respondents from small, medium, and large companies in the US and other countries about their top SOC challenges. The responses showed that many organizations continue to struggle with issues that have plagued them for years. These include a lack of automation and orchestration of key SOC functions, high-staffing requirements, a shortage of skilled staff, and a lack of visibility. They also reported a pervasive silo mentality among security, incident response, and operations teams.

**SOC Retention Rates Improve**

On the positive side though, the survey showed a surprising uptick in staff retention rates at many SOCs. Some 30% of respondents — a plurality — identified the average SOC tenure at their organization as being between three and five years, compared to the one-to-three year tenures that respondents indicated in previous SANS surveys.

Young chalks up the trend to the increasing automation of Tier-1 triage and analysis at more organizations. This has enabled SOC analysts to focus on more strategic and intellectually stimulating activities, such as threat hunting and advanced incident response. It's also helped alleviate the analyst burnout problem, he says.

Other factors that appear to have contributed to the increased retention rates include better work environments, with remote and flexible hours and management-track leadership training for high performers. "In addition, for security analysts who want to maintain a technical focus, organizations are paying for more training and certification opportunities in areas of interest such as penetration testing, reverse malware engineering, and cloud security subject matter areas as examples," Young says.

Jake Williams, faculty at IANS Research and vice president of R&D at Hunter Strategy, says current job market conditions have allowed many organizations to secure more experienced SOC analysts at the same budget than they could a few years ago. "This is a good thing for organizations short term, but they should be making plans now for when the job market rebounds," Williams says. "Many organizations are camouflaging a lack of process with the skills these more senior analysts bring to the table."

**Cloud Knowledge, ID Management, PowerShell Are Hot Skills**

Like Young, Williams says the biggest in-demand SOC skills — outside of the obvious core skills of SIEM and XDR — are knowledge of cloud platforms such as AWS and Azure, and understanding of Active Directory and Entra ID. "I've seen a lot more expectation of baseline cloud knowledge, especially for senior SOC analysts," Williams notes. Given the prolific use of M365 in enterprise, there's an expectation that many senior SOC analysts know PowerShell to query GraphAPI, he says, "PowerShell experience and cloud platform knowledge were niche skills a few years ago. For midtier to senior SOC analysts today, it seems like table stakes."

The SANS survey showed that many SOC practitioners aren't thrilled with their initial usage of artificial intelligence and machine learning tools for SOC analysis purposes. In fact, respondents gave AI and ML tools the lowest rating when asked to rate SOC tools. However, there's little doubt that AI and GenAI technologies are set to fundamentally change the SOC and, in the process, the skills landscape as well.

Young says AI will fundamentally continue moving forward to enhance automated threat detection, proactive threat hunting, automation of repetitive and time-consuming tasks, alert fatigue reduction, and predictive analytics. Increasingly, SOC analysts are going to need to be familiar with machine learning algorithms and data analysis techniques to interpret AI-generated insights, Young says. They will also need skills to handle complex security incidents identified by AI systems and be willing to continuously learn and adapt to new AI technologies and methodologies, he says.

**"Why Does That Matter?"**

Williams expects AI tools to reduce the need for analysts whose sole role has been to respond to basic alarms. "Junior analysts should be looking now at what tasks AI does — and doesn't — do well and educating themselves in the places they can't be replaced by AI, such as critical thinking," he says. "The SOC of the future will be less about knowing that port 3389 is RDP — AI will provide that context on demand — and more about providing the 'why does that matter in this context?'"

Creative thinking when it comes to interesting problems and correlations will remain a key asset for SOC professionals, says Sajeeb Lohani, senior director of cybersecurity at Bugcrowd. "Nowadays, SIEMs are capable of raising alerts, so it is quite easy to fall into a rut and churn tickets," he says. "However, in my opinion, the most successful professionals are able to correlate events and understand business context when triaging and responding to such alerts. That context is key."

Lohani expects that some threats that are considered relatively niche issues in the SOC will become more important over the next few years. "Currently, a large portion of SOCs haven't had to deal with more niche threats like supply chain security issues," he says. "I believe, over time, that will start to change, and more mature practices will \[be needed\] to prepare and adapt."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Cloud Security, PowerShell Expertise Emerge as Key SOC Analyst Skills

PRESS RELEASE

ATLANTA, July 16, 2024 /PRNewswire/ -- Secureworks® (NASDAQ: SCWX), a global leader in cybersecurity, today announced the launch of Taegis™ ManagedXDR Plus, a new Managed Detection and Response (MDR) offering that liberates the mid-market from indistinct, cookie cutter security solutions that don't meet their unique security requirements. Today's announcement means that this market sector will no longer be forced to use homogenous cybersecurity solutions that don't align to unique environments or the AI-fueled attacks that target them. Taegis ManagedXDR Plus empowers companies with the tailored use cases, compliance reports, and alerting they need to tackle the rising tide of cyberattacks and regulations with limited budget and people.

Nearly one in three (30%) mid-market companies experienced at least one ransomware attack in 20231 highlighting the need for organizations to strengthen their cyber resiliency with a proactive approach, tailored to their environment. Taegis ManagedXDR Plus addresses the evolving needs of this market sector with greater customization and flexibility on alerting, workflows, and reports to address their specific environment, industry regulations, and risk profile. These personalized configurations are supported by expanded threat hunting and access to proactive services to further increase their vigilance against threats. Organizations can see more, detect better, and respond faster by leveraging Secureworks security operations expertise and threat intelligence to fortify their cyber resiliency and exposure management.

"Until today, the mid-market has had to make do with security solutions that do little to bolster their cyber posture. Yet as the economic driving force for countries around the world, the butterfly effect of a cyberattack on organizations in this sector can often be felt far and wide, testing the digital resilience of the wider global economy. It is imperative for our collective defense that organizations of all sizes have access to cybersecurity that improves their security posture within the reality of their budget," said Kyle Falkenhagen, Chief Product Officer, Secureworks. "The cost of building a SOC in-house quickly escalates when you consider the breadth and depth of expertise required for these advanced challenges, let alone the costs of hiring, training and retaining a robust staff for 24/7 coverage. Taegis ManagedXDR Plus enables mid-market customers to take full advantage of the Taegis platform and our in-house experts to up-level their security to an enterprise level without breaking their budget."

Delivered using the Secureworks Taegis XDR platform, Taegis ManagedXDR Plus expands upon the capabilities of Secureworks Taegis ManagedXDR solution in several areas:

*   Tailored AI Enriched Use Cases: Taegis ManagedXDR Plus customers can leverage customization options tailored to their specific needs.
    
*   Expanded Threat Hunting: This new tier quadruples the number of AI assisted threat hunts available as part of Taegis ManagedXDR, and allows for customized requests to more rapidly uncover emerging and undiscovered threat actors targeting their environments.
    
*   Premium Support with Named Experts: Customers can also tap into the knowledge of Secureworks experts to further optimize Taegis in their environment, including 1x1 guidance to help efficiently build their security posture over time.
    
*   Proactive Security Services: Customers can select from a range of proactive security services to further raise their resiliency, identify gaps in posture, and deepen Taegis knowledge.
    

Secureworks now offers three tiers within its Taegis ManagedXDR portfolio - Taegis ManagedXDR, Taegis ManagedXDR Plus and Taegis ManagedXDR Enhanced - delivering on the company's commitment to meet customers wherever they are on their security journey. Regardless of the tier, Taegis ManagedXDR customers enjoy transparent pricing in an inclusive model which includes direct access to security experts within 90 seconds, one year of log retention to assist in threat hunting and compliance needs, hundreds of integrations to unify their existing ecosystem, and more to provide mid-market customers peace of mind and predictability in their cybersecurity budget.

"In an increasingly sophisticated cybersecurity landscape, enterprises find it challenging to handle security operations by themselves. These organizations have distinct needs. Secureworks acknowledges this and provides increased flexibility with Taegis ManagedXDR Plus," said Lucas Ferreyra, cybersecurity industry analyst, Frost & Sullivan. "This new MDR service tier delivers additional capabilities that multiply the value of Secureworks MDR service, further enhancing prevention, detection and response, and showing why Secureworks is one of the leaders in the MDR space."

For more information, please visit the Taegis ManagedXDR Plus web page.

About Secureworks

Secureworks (NASDAQ: SCWX) is a global cybersecurity leader that secures human progress with Secureworks® Taegis™, a SaaS-based, open XDR platform built on 20+ years of real-world detection data, security operations expertise, and threat intelligence and research. Taegis is embedded in the security operations of thousands of organizations around the world who use its advanced, AI-driven capabilities to detect advanced threats, streamline and collaborate on investigations, and automate the right actions.

Secureworks Elevates State of Cybersecurity for Mid-Market Customers With Managed Detection and Response Offering

PRESS RELEASE

NEW YORK, July 15, 2024 /PRNewswire/ -- BlueVoyant, an industry-leading cybersecurity company, today announced the launch of its innovative Cyber Defense Platform. The platform integrates internal, external, and supply chain defense solutions into a single, cloud-native platform designed to measure and strengthen cyber defense posture in a cost-effective manner.

The mission of security operations teams has expanded from protecting the organization's internal networks to also include external threats from supply chain vendors, the digital fraudsters, and the dark web. However, multiple point solutions introduce complexity in management and provide a fragmented view of cyber posture.

BlueVoyant's Cyber Defense Platform provides AI-powered, next-generation security operations across enterprises' entire attack surface. It processes data and alerts from internal networks, supply chains, and the clear, deep, and dark web. This all leads to improvements in scalability, productivity, and enterprises' cyber risk posture.

The platform offers a variety of products and services to strengthen and manage an organization's cyber defense, including:

1.  Detection & Response:  Bolster internal network defenses by utilizing Managed Extended Detection & Response (MXDR) across the entire security stack from endpoints and SIEM (security information and event management) to the cloud, with integrated Digital Forensics and Incident Response (DFIR) for added protection
    
2.  Supply Chain Defense: Manage and respond to risks from suppliers, vendors, and other third parties
    
3.  Digital Risk Protection: Detect and respond to external cyber risks, such as brand impersonation, phishing, stolen data, and more
    
4.  Proactive Defense: Proactive approach to attack surface management that includes vulnerability management, external attack surface management, penetration testing, phishing awareness, dark web threat research, and configuration management
    
5.  Cyber Posture Management: Continuously assess, manage, and improve your organization's security posture to reduce cyber risk by leveraging the guidance provided by the NIST Cyber Security Framework (CSF)
    

"The BlueVoyant Cyber Defense Platform is a leap forward in the cybersecurity landscape," said James Rosenthal, CEO and co-founder of BlueVoyant. "We understand the escalating demands that security operations teams face in detecting and responding to threats swiftly. Our platform harnesses the power of AI to respond to those challenges with next-generation security operations across the entire attack surface. The result is improved scalability, enhanced productivity, and a stronger cyber risk posture, all based on cutting-edge technology."        

BlueVoyant boasts more than 1,000 customers, and recently announced the acquisition of Conquest Cyber, a cyber defense company renowned for its innovative SaaS technology. In addition, Microsoft recently named BlueVoyant the prestigious 2024 Worldwide Security Partner of the Year, which recognizes that BlueVoyant is on the forefront of cybersecurity. The company is also a member of the Microsoft Copilot for Security Design Council.

BlueVoyant recently unveiled a new Security Operations (SOC) and Customer Experience Center in Leeds, England, which joins BlueVoyant's existing SOC in Hungary. An additional EU SOC will be opening in Ireland later in 2024. The company's SOCs complement existing global security operations centers and provide additional in-time-zone support for European clients. 

To learn more about the BlueVoyant Cyber Defense Platform, visit the BlueVoyant website.

About BlueVoyant  
BlueVoyant delivers a comprehensive cloud-native security operations platform that provides real-time threat monitoring for networks, endpoints, and supply chains, extending to the clear, deep, and dark web. The platform integrates advanced AI technology with expert human insight to offer extensive protection and swift threat mitigation, ensuring enterprise cybersecurity. Trusted by more than 1,000 clients globally, and the 2024 Microsoft Worldwide Security Partner of the Year, BlueVoyant sets the standard for modern cyber defense solutions.

Source

DARKReading