Microsoft's new AI assistant tool helps cybersecurity teams investigate security incidents and hunt for threats.

Microsoft has been leaning into its $10 billion investment in OpenAI by introducing AI assistants – all called Copilot – across its product portfolio. The latest one is Microsoft Security Copilot, to help security teams investigate and respond to security incidents.

Defenders are having a hard time dealing with a very dynamic security environment, and Microsoft Security Copilot is intended to make defenders’ lives better by using artificial intelligence to help them catch incidents that they may otherwise miss, improve the quality of threat detection, and speed up response, says Chang Kawaguchi, vice president and AI Security Architect at Microsoft. Security Copilot uses both OpenAI’s GPT-4 generative AI model and Microsoft’s proprietary security-based model to identify breaches, connect threat signals, and analyze data.

Security Copilot is intended to make “defenders’ lives better, make them more efficient, and make them more effective by bringing AI to this problem,” Kawaguchi says.

Security Copilot will ingest and make sense of huge amounts of security data – including the 65 trillion security signals Microsoft pulls every day and all the data being collected by the Microsoft products the organization is using, such as Microsoft Sentinel, Defender, Entra, Priva, Purview, and Intune. Analysts can summarize incidents, analyze vulnerabilities, and look up data on common vulnerabilities and exposures.

Analysts and incident response teams will be able to type what they are trying to understand into a text prompt – “/ask about” – and Security Copilot will return responses based on what it knows of the organization’s data. This way, security teams will be able to see connections between various parts of a security incident, such as a suspicious email, a malicious software file, or the different parts of the system that had been compromised, says Kawaguchi. The queries could be general, such as an explanation of a vulnerability, or specific to the organization’s environment, such as looking in the logs for signs that a particular Exchange flaw had been exploited. And because Security Copilot uses GPT-4, it can respond to natural language questions.

The analyst can see summaries of what happened and then follow prompts from Security Copilot to drill down deeper in the investigation. All these steps can be saved in a “pinboard,” which can be shared with other members of the security team as well as stakeholders and senior executives. All the tasks that have been completed are saved and readily accessible. There is also an automatically generated summary which will update as new tasks are completed.

“This is what makes this experience more of a notebook than a chat bot experience,” says Kawaguchi, noting that the tool can also create PowerPoint presentations based on the investigation that the security team can use to share the details of the incident afterward.

Security Copilot is not designed to replace human analysts, but to provide them with the information they need to move quickly and at scale during the course of an investigation, Kawaguchi says. Threat hunters can also use the tool to determine whether an organization is susceptible to known vulnerabilities and exploits by examining each asset in the environment, according to the company.

Forrester Senior Analyst Allie Mellen said in an email that Security Copilot was the first time a product focused on using AI to improve investigation and response. Previously AI tended to focus more on detection, Mellen said.

In a demo, Kawaguchi showed how Security Copilot can look at a cyberattack and figure out how the malware got into the network and infected the victim’s machine. Security Copilot can perform log analysis, display alert summaries, and generate graphs and other visualizations to show the sequence of events in the incident. The tool can also suggest steps for remediation and guidance.

If the information provided looks incorrect, or “off target,” there is a way to provide feedback immediately so that the model can learn. Security Copilot will continually improve as it learns from the company’s own data, as well as Microsoft’s extensive security research and visibility over the global threat landscape. However, the organization’s data will never be used to train the main Security Copilot algorithm, Kawaguchi says.

Microsoft has been flexing its AI-clout in recent weeks, going beyond Copilot in GitHub, which helps developers write code. A few weeks ago, the company announced Microsoft 365 Copilot, which allows users to use Copilot to do things like put together a PowerPoint presentation and write up articles in Word. Copilot in Dynamics 365 helps sales and customer success representatives engage with customers and prospects by sending natural-sounding messages, rather than relying on premade boilerplate messages.

Security Copilot is currently in private preview; Kawaguchi declined to specify a date for when it will be generally available, noting that it all depended on how organizations wind up using the tool. There are also long-term plans for extending Security Copilot to ingest information from other security vendors’ products.

“Security Copilot is poised to become the connective tissue for all Microsoft security products and, importantly, will integrate with third-party products as well,” Forrester’s Mellen said.

“We think that AI has the opportunity to change the game for almost all things that security folks do. We're starting with the investigation flow because this is the one where we think there's a massive amount of opportunity for efficiency and effectiveness,” Kawaguichi says.

Microsoft Security Copilot Uses GPT-4 to Beef Up Security Incident Response

A novel cyber threat against macOS users is being sold for $100 a pop on the Dark Web, and activity is ramping up.

An information-stealing malware that targets Apple's macOS operating system is making the cyberrounds, siphoning off documents, iCloud keychain data-like passwords, browser cookies, and more from unwitting Apple users.

Appropriately dubbed "MacStealer," it's going for just $100 per build on the cyber underground, so it's no surprise that "more MacStealer samples have been spreading recently," according to a recent Uptycs analysis on the threat.

The malware affects the Catalina version of macOS and subsequent versions that use Intel M1 and M2 CPUs. It also uses the encrypted Telegram messaging platform for command-and-control (C2), the researchers found.

To propagate, operators are looking for low-hanging fruit, hoping to harvest victims by luring them to download .DMG files, which are containers for macOS apps. Fake apps in app stores, piracy websites, or email attachments could all be potential conduits for infection.

"The bad actor uses a .DMG file to spread the malware. After a user executes the file, it opens a fake password prompt," Uptycs researchers explained in the post. "Once the user enters their login credentials, the stealer … \[compresses\] the data and sends it to C2 via a POST request using a Python User-Agent request. It deletes the data and ZIP file from the victim's system during a subsequent mop-up operation."

This is just the latest malware to target Macs in recent months. In February, pirated versions of Apple's Final Cut Pro video-editing software were found delivering a version of the XMRig cryptocurrency mining tool. And last year, a previously-unknown, macOS spyware called "CloudMensis" surfaced in a highly targeted campaign, exfiltrating documents, keystrokes, screen captures, and more from Apple machines.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

MacStealer Malware Plucks Bushels of Data From Apple Users

The NullMixer loader has compromised thousands of endpoints in the US, France, and Italy, stealing data and selling it to Dark Web data dealers, all without setting off alarm bells.

A new version of the NullMixer dropper includes polymorphic loaders from malware-as-a-service (MaaS) and pay-per-install (PPI) providers on Dark Web markets, and it's being used to target organizations in North America, as well as Italy and France.

The malware, a known threat, typically installs a suite of downloaders, banking Trojans, stealers, and spyware on victims' systems, all in one go. The new additions, however, make the threat even more dangerous, according to a detailed NullMixer analysis this week from Security Affairs, because the threat can adapt to whatever the specific environment is that it infects.

The analysis also explains how threat actors have been using search engine optimization (SEO) poisoning and malicious video tutorials to con IT staff into installing the new malware. In just one month, the newly enhanced NullMixer malware has established initial access into more than 8,000 endpoints, stealing data to sell it to brokers in underground markets.

Most victims are running Windows 10 Professional and Enterprise operating systems, the NullMixer report said, adding that the malware also seems to have successfully infected Windows Embedded IoT environments.

"The NullMixer package is including new polymorphic loaders by third parties MaaS and PPI service providers in the underground markets, and also pieces of controversial, potentially North-Korean linked PseudoManuscript code," the researchers explained about the latest NullMixer malware strain. "Our insights into a recent NullMixer malware operation revealed Italy and France are the favorite European countries from the opportunistic attackers' perspective."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

NullMixer Polymorphic Malware Variant Infects 8K Targets in Just a Month

A lack of website protections, Sender Policy Framework (SPF) records, and DNSSEC configurations leave companies open to phishing and data exfiltration attacks.

The risk score for the average company worsened in the past year as companies fail to adapt to data exfiltration techniques and adequately protect Web applications.

Companies' effective data-exfiltration risk increased to 44 out of 100 (with 100 indicating having the riskiest posture) in 2022, from an average score of 30 in the previous year, indicating that the overall risk of data being compromised has increased. That's according to rankings by Cymulate, which crunched the data on 1 million pen tests, including 1.7 million hours of offensive cybersecurity testing within its production environments.

In its "2022 State of Cybersecurity Effectiveness" report, published on March 28, the firm noted that there are various persistent problems leading to increased risk. For one, while many companies are improving their adoption and the strictness of network and group policies, attackers are adapting to sidestep such protections, the report stated. 

And the basics continue to lag: The company found that four of the top-10 CVEs identified in customer environments were more than two years old. These include the high-severity WinVerifyTrust signature validation vulnerability (CVE-2013-2900), which can allow malicious executables to pass security checks, and a memory corruption vulnerability in Microsoft Office (CVE-2018-0798).

    

How Cymulate scores risk. Source: Cymulate

There is good news, however. Data from the security assessments indicates that companies have all improved risk scores for malware detection across major platforms, and many attacks are blocked by Web gateways. 

Overall, businesses need to treat cybersecurity like any other business process, with regular checks on controls, says Mike DeNapoli, director of technical messaging for Cymulate.

"Cybersecurity needs to become a process treated like any other business process, with checks and balances and regular review," he says. "The CFO would never permit the books to remain closed except for once per year, but the systems that house all that money as data routinely only get checked out during an annual pen-test, which has to change."

All of this comes against the backdrop that companies are increasingly focused on securing their entire attack surface, improving resiliency to cyberattacks, and preventing disruption of information systems. As a result, cybersecurity services and products that reduce complexity have become more popular while large technology firms have thrown their hat into the ring, such as Microsoft's launch of Defender External Attack Surface Management in August and IBM's purchase of ASM startup Randori in June. Time will tell if these trends will move the needle on risk.

    

While the exposure risk due to WAFs has dropped, data-exfiltration risk has increased. Source: Cymulate

Meanwhile, Cymulate's analysis of a year of offensive cybersecurity testing also found that cloud and email continue to provide rich sandboxes for hackers.

**Attacks Increasingly Coming From Popular Clouds**

Attackers have shifted some aspects of their attacks away from using popular file sharing services, such as Dropbox and Box to evade email attachment filters and other security technologies, to using more generic cloud infrastructure, such as Amazon and Azure. Businesses have a harder time blocking data from large, trusted service providers, which serve as the backbone for many large cloud services and websites, DeNapoli says.

"These metrics are applied to hundreds of attempts to remove data that should be considered 'controlled' from the organization," he says. "This increase means that organizations have less control over preventing business confidential, personally identifiable, and other controlled data from being removed from the organization in unauthorized ways."

The top most successful tactics used by simulated attackers in the Cymulate research included attacking users through their browsers in a drive-by compromise scenario, archiving and exfiltrating data, and transferring that data to a cloud account, such as AWS or Azure.

**"Email Defenses Are a Team Sport"**

Nearly half of the top 10 exposures uncovered by Cymulate's pen testing involved a lack of security for basic IT infrastructure. The simulations discovered that common issues included not recognizing phishing domains, a failure to configure DNSSEC, and a lack of two technologies — Domain-based Message Authentication, Reporting, and Conformance (DMARC) and Sender Policy Framework (SPF) — that can help stop email-based attacks.

Overall, companies have been slow to deploy critical email security and integrity technologies, such as DMARC, SPF, and a third technology, Domain Keys Identified Mail (DKIM) — together which can help prevent phishing success and brand fraud. While companies which implement DMARC, DKIM, and SPF records can better protect against email-based attacks, the technology standards are only truly effective if both sides of an exchange are using them, DeNapoli says.

"We need to begin to recognize that email defenses are a team sport and implement our part of the processes so others can be safer," he notes. "The benefit is that as more and more organizations implement these processes, our organization also becomes safer."

The report also showed that different industries have different strengths and weaknesses. The education and hospitality sectors, for example, had the highest risk of data exfiltration, while protections against the most immediate threats were lowest in the technology sector. Both technology and government organizations had worse-than-average Web application firewall protection.

Millions of Pen Tests Show Companies' Security Postures Are Getting Worse

**SANTA BARBARA, Calif.-- (March 28, 2023) --** Bitwarden, the leading open source password manager trusted by millions, today launched the open beta of Bitwarden Secrets Manager, designed to centrally secure and manage highly sensitive authentication credentials within privileged developer and DevOps environments. 

Development teams work across applications and multi-cloud infrastructures, using different tools and platforms. This leads to distributed secrets – API tokens, keys, passwords, credentials, certificates, and more —  that are difficult to manage and control, or hard-coded into source code files. 

Existing solutions have steep learning curves and are unwieldy for many teams. The implications are serious: According to the GitLab Security Trends analysis, 18% of projects hosted on GitLab were vulnerable to leaked secrets. In a separate GitGuardian report, 5 million credentials and other secrets get leaked on GitHub every year. 

For developer, devops, and IT teams, Bitwarden Secrets Manager provides a singular, simple, and convenient way to secure, control, and manage secrets. The new offering, now in beta, builds on the same trusted open source, zero knowledge, and end-to-end encryption foundation featured in the company’s industry-leading password management offering. 

**Open Beta Program**

During beta, users can explore early features of Bitwarden Secrets Manager, which includes the ability to create, manage, and edit secrets and projects; SDK and CLI tools; GitHub Actions integration, and more. For more information about beta, please visit: https://bitwarden.com/products/secrets-manager/

**Enhance Enterprise Security With Bitwarden**

Bitwarden already protects millions of individuals and businesses by securing their online credentials and critical information. Today, Bitwarden extends its zero knowledge, end-to-end encryption model, setting new standards on how developers manage infrastructure secrets. Earlier this year, Bitwarden announced the acquisition ofPasswordless.dev, which lets developers easily integrate passwordless authentication and passkeys into their software. BitwardenPasswordless.devis also currently in beta. These new offerings underscore the Bitwarden commitment to help everyone stay more secure at work and at home. 

**About Bitwarden**

Bitwarden empowers enterprises, developers, and individuals to safely store and share sensitive data. With a transparent, open source approach to password management, secrets management, and passwordless innovations, Bitwarden makes it easy for users to extend robust security practices to all of their online experiences. Founded in 2016, Bitwarden is supported by a passionate global community of security experts and enthusiasts. The company is headquartered in Santa Barbara, California and has a globally distributed team. Learn more at bitwarden.com.

Bitwarden Announces Secrets Management With a Combination of Open Source, End-to-End Encryption, and Ease of Use

In cyberattacks against the US, South Korea, and Japan, the group (aka APT43 or Thallium) is using advanced social engineering and cryptomining tactics that set it apart from other threat actors.

Cybercriminal group Kimsuky has evolved into a full-fledged, persistent threat, carrying out "unusually aggressive" social-engineering attacks aimed at gathering intelligence, and stealing and laundering cryptocurrency to support the North Korean government.

Researchers from Mandiant have tracked a number of changes to the activity of the group, which they call APT43, in a series of rapid-fire attacks against targets in the US, South Korea, and Japan, they revealed in a report published today.

Kimsuky, also tracked as Thallium, has been on various researchers' radar screens since 2018, and its previous activity has been widely reported. In earlier attacks, the group mainly focused on conducting cyber espionage against research institutions, geo-political think tanks, and — particularly during the height of the pandemic — pharmaceutical companies.

The group typically used spear-phishing campaigns to lure in users and then installed various public and non-public malware, including spyware, onto targeted devices, which were often Android-based smartphones. In fact, Kimsuky was identified as recently as earlier this month leveraging malicious Chrome browser extensions and Android app-store services to target individuals conducting research on the inter-Korean conflict.

Now, however, Mandiant researchers have found that APT43 is evolving in several ways.

**New Financial & Social Tactics**

For one, the group is now following in the shoes of other North Korean APTs and branching out beyond mere cyber espionage to steal cryptocurrency, the researchers have found. In addition to using the ill-gotten currency to fund the regime of Kim Jong-un, as other groups do, APT43 also uses it to bolster its own activities, they said.

The group is even going the extra step of laundering the crypto through legitimate cloud-mining services so it comes out as clean currency and is difficult to track — an activity that might be used by other groups, but has flown under the radar until now, the researchers said.

"The washing of funds and the 'how' has been the missing piece of the equation," notes Michael Barnhart, Mandiant principal analyst at Google Cloud. "We have indications that APT43 utilizes specific hash rental services to launder these funds by mining for different cryptocurrencies."

For a small fee, these services provide hash power, which APT43 uses to mine cryptocurrency to a wallet selected by the buyer without any blockchain-based association to the buyer's original payments. This allows the APT to use stolen funds to mine for a different cryptocurrency, the researchers said. By spending very little, threat actors walk away with untracked, clean currency to do as they wish, Barnhart explains.

Moreover, APT43 — while technologically unsophisticated — relies on advanced and persistent social-engineering tactics in which threat actors create convincing fake personas and exhibit patience in building relationships with targets over several weeks without using malware, the researchers said.

"I've never seen an APT quite as successful with such novel techniques," Barnhart notes. "They pretend to be subject-matter experts or reporters and ask targeted questions — often with the promise of quoting the victim in a report or news article — and successfully gain feedback."

Indeed, in some instances, attackers successfully convinced targeted victims to send over proprietary, geopolitical analysis and research without deploying malware at all, the researchers said.

This deviates from standard procedure for most threat groups, allowing APT43 to expend little effort or resources in building malware and gaining the information they are seeking in a low-fi way — by merely asking victims for it, Barnhart notes.

**High Volume Cyberattacks, Shifting Targets**

APT43 has shifted its targets, and the malware it uses, in campaigns over the years in response to the demands of the North Korean government and the cyberespionage activities it requires of the group, according to Mandiant.

"APT43 ultimately modifies its targeting and tactics, techniques, and procedures (TTPs) to suit its sponsors, including carrying out financially-motivated cybercrime as needed to support the regime," the researchers said in the report.

For example, prior to October 2020, the group primarily targeted US and South Korean government offices, diplomatic organizations, and think tank-related entities with a stake in foreign policy and security issues affecting the Korean peninsula. Over the next year, however, the group shifted its focus to COVID-19 response efforts in North Korea by targeting health-related verticals and pharmaceutical companies in South Korea, the US, Europe, and Japan.

One notable difference that has emerged between the group and other North Korean threat actors is a recent shift to expand, targeting "everyday users" based on "the sheer velocity and volume of attacks," says Joe Dobson, Mandiant principal analyst.

"By spreading their attack out across hundreds, if not thousands, of victims, their activity becomes less noticeable and harder to track than hitting one large target," he says. "Their pace of execution, combined with their success rate, is alarming."

APT43 is aiming its high-volume activity at entities and organizations in government, business services, and manufacturing as well as think tanks and organizations in education and research related to geopolitical and nuclear policy in the US, South Korea, and Japan, the researchers said.

Given its advanced social-engineering tactics and tendency to go after both specific individuals and wider-net targets, researchers advised organizations that may be at risk to share with their employees "a greater understanding of cyber hygiene and heightened awareness," Barnhart says. "It's important to make personnel aware of this threat actor's TTPs," Barnhart says.

He adds that the APT's spoofed emails are highly convincing, which makes them difficult to spot, even for savvy users; thus, organizations at risk should be on high alert.

North Korea's Kimsuky Evolves into Full-Fledged, Prolific APT43

A technique, dubbed the "Near-Ultrasound Inaudible Trojan" (NUIT), allows an attacker to exploit smartphones and smart speakers over the Internet, using sounds undetectable by humans.

The sensitivity of voice-controlled microphones could allow cyberattackers to issue commands to smartphones, smart speakers, and other connected devices using near-ultrasound frequencies undetectable by humans for a variety of nefarious outcomes — including taking over apps that control home Internet of Things (IoT) devices.

The technique, dubbed a Near-Ultrasound Inaudible Trojan (NUIT), exploits voice assistants like Siri, Google Assistant, or Alexa and the ability of many smart devices to be controlled by sound. According to researchers at the University of Texas at San Antonio (UTSA) and the University of Colorado at Colorado Springs (UCCS), most devices are so sensitive that they can pick up voice commands even if the sounds are not in the normal frequency range of human voices. 

In a series of videos posted online, the researchers demonstrated attacks on a variety of devices, including iOS and Android smartphones, Google Home and Amazon Echo smart speakers, and Windows Cortana. 

In one scenario, a user might be browsing a website that is playing NUIT attack commands in the background. The victim might have a mobile phone with voice control enabled in close proximity. The first command issued by the attacker might be to turn down the assistant's volume so that responses are harder to hear, and thus less likely to be noticed. After that, subsequent commands could ask the assistant to use a smart-door app to unlock the front door let's say. In less concerning scenarios, commands could cause an Amazon Alexa device to start playing music or give a weather report.

The attack works broadly, but the specifics vary per device.

"This is not only a software issue or malware," said Guenevere Chen, an associate professor in the UTSA Department of Electrical and Computer Engineering, in a statement. "It's a hardware attack that uses the internet. The vulnerability is the nonlinearity of the microphone design, which the manufacturer would need to address."

    

Using inaudible sounds played through a speaker, an attacker can issue commands to smart devices. Source: UTSA and UCCS

Attacks using a variety of audible and non-audible frequencies have a long history in the hacking world. In 2005, for example, a group of researchers at the University of California, Berkeley, found that they could recover nearly all of the English characters typed during a 10-minute sound recording, and that 80% of 10-character passwords could be recovered within the first 75 guesses. In 2019, researchers from Southern Methodist University used smartphone microphones to record audio of a user typing in a noisy room, recovering 42% of keystrokes.

The latest research appears to use the same techniques as a 2017 paper from researchers at Zhejiang University, which used ultrasonic signals to attack popular voice-activated smart speakers and devices. In the attack, dubbed the DolphinAttack, researchers modulated voice commands on an ultrasonic carrier signal, making them inaudible. Unlike the current attack, however, the DolphinAttack used a bespoke hardwired system to generate the sounds rather than using connected devices with speakers to issue commands.

**Defenses Against NUIT Cyberattacks**

The latest attack allows any device compatible with audio commands to be used as a conduit for malicious activity. Android phones could be attacked through inaudible signals playing in a YouTube video on a smart TV, for instance. iPhones could be attacked through music playing from a smart speaker and vice versa.

In most cases, the inaudible "voice" does not even need to have to be recognizable as the authorized user, said UTSA's Chen in a recent statement announcing the research.

"Out of the 17 smart devices we tested, \[attackers targeting\] Apple Siri devices need to steal the user's voice, while other voice assistant devices can get activated by using any voice or a robot voice," she said. "It can even happen in Zoom during meetings. If someone unmutes themselves, they can embed the attack signal to hack your phone that's placed next to your computer during the meeting."

However, the receiving speaker has to be turned up fairly loud for an attack to work, while the length of the malicious commands has to be less than 0.77 seconds, which can help mitigate drive-by attacks. And devices that are hooked into earbuds and headsets are less likely to be vulnerable to being used by an attacker, according to Chen.

"If you don't use the speaker to broadcast sound, you're less likely to get attacked by NUIT," she said. "Using earphones sets a limitation where the sound from earphones is too low to transmit to the microphone. If the microphone cannot receive the inaudible malicious command, the underlying voice assistant can't be maliciously activated by NUIT."

The technique is demonstrated in dozens of videos posted online by the researchers, who did not respond to a request for comment before publication.

Hey, Siri: Hackers Can Control Smart Devices Using Inaudible Sounds

IoT risk and security must get more attention from vendors and support from the marketplace.

The Internet of Things (IoT) is and always will be a contentious subject for cybersecurity. Not because of the convenience these devices add but for the risk they inject into the lives of people and businesses.

As cybersecurity professionals, we often quote cynical jokes to laugh and cope with the reality of our jobs. So stop me if you've heard this one: Did you know that the S in IoT stands for security? Half of you chuckled at it, and the other half probably took a second to realize that there is no S or security in the IoT acronym.

As cybersecurity professionals, we're often stuck between a rock and a hard place when assessing the risk these devices pose to us personally and professionally. There are more than a billion IoT devices on the Internet, each with the potential to be exploited. A business might have a compelling business imperative an IoT solution can enable, but that solution may inject an undue security risk into protecting safety and productivity. A Wi-Fi-connected security camera may give a homeowner peace of mind about securing a property, but may also expose that property to additional risk from hackers who can take control of the camera and abuse the platform.

**Market Forces vs. IoT Vendors**

So how did we get here? The easy answer is: IoT vendors continue to fail us on implementing solid cybersecurity controls. The difficult answer is: The market continues to push many IoT vendors into offering the lowest cost and most competitive products. They achieve this by sacrificing or outright neglecting cybersecurity for their solutions.

By choosing to not address security, vendors are pushing the risk to the consumers who are often oblivious to the dangers. In commercial solutions, this can have serious consequences. A medical facility that relies on IoT devices to manage patient care cannot weather an outage without endangering patients. Nor would they want patient data inadvertently exposed due to insecure IoT devices, or worse, have actual medical care disrupted.

So how did we, as consumers and dependents of IoT, get here to this untenable state of IoT risk and security? The answers, as they always seem to do, eventually lead back to money.

There are quite a few big-name players in the commercial and residential IoT space. These are name brands that most everyone can recognize: Google, Huawei, Microsoft, and others. While these companies are mature and responsive to security threats in IoT, it's the more niche companies that are more concerning.

**IoT Cost Points**

So, here's a thought experiment. Imagine you're a small IoT company and you want to develop a niche product that will enter an already crowded IoT market. What kind of costs does it take to develop the IoT product? Some cost points to consider:

**1\. Qualified development personnel are hard to come by for IoT.** You will need a solid team of hardware, networking, application design, business intelligence and automation experts to help bring your product to market.

**2\. Hardware and software costs can range from small to huge sums of money.** The more complex the device and service, the higher the cost.

**3\. What is the connection model?** Wi-Fi, Bluetooth, cellular? Each adds more to the cost, some more than others.

**4\. You must design a product UI!** If you intend to win on the merits of your product, a smooth user experience is a must.

**5\. What about security?** Do we have to use encryption? How about a secure protocol, or hardware that has secure firmware? Well, unless there's a regulatory requirement, there's no money for it. We have to keep costs down if we intend to compete.

**Best IoT Security Development Steps**

While the scenario is a generalization, it's not far from the truth. Developing an IoT product with security features adds to costs many companies either do not consider, or have deliberately chosen to neglect. Further complicating things, what if the company that makes an IoT device no longer supports it? Or what if that company simply goes out of business?

Is any of this resolvable? To an extent, yes. Companies can usually push over-the-air (OTA) updates to products that can address security issues. They can also utilize cloud service frameworks that mandate security between the device, the cloud, and the company. Vendors can also employ outside third parties to audit and evaluate the IoT solution. An outside third party can fairly evaluate and help the vendor address vulnerabilities in the hardware or software. Application developers can be trained in secure software development. The product can be designed with hardware robust enough to accommodate secure implementations.

However, all these things represent monetary investments a company has to willingly make. And the investments are continuous — with every device patch or new feature offering, the same security evaluations have to be performed again and again.

**It's Time to Step Up**

What do we do? The first step is educating the consumers. As security professionals, we must do our best to help others have situational awareness and help evaluate risk. This in turn can help for security investments that can help mitigate the vulnerabilities that some IoT devices inject into our risk models.

Helping call out insecure practices and companies can also help. We have a unique opportunity and position to help advocate for everyone who utilizes an IoT device and should use our voices to help wherever we can.

Spend on Safety Measures & Call Out Insecure Practices for Safer IoT

Without proof that it was collected legally, purchased data can threaten an enterprise's security compliance and even expose the company to litigation.

Purchasing databases from data brokers can create a problem for enterprise security executives. While there are tools to scan the files for malware, there is no automated way to make sure that the data contained in the database is accurate and, even more importantly, was obtained with proper consent. Without that assurance, those files can pose a threat to the enterprise's security compliance and may even open up the company to litigation.

Consider this scenario: Business unit leaders perform an exhaustive due diligence effort before purchasing databases from a data broker. The data has been widely distributed within the organization's global systems. Six months later, law enforcement authorities move against the data broker and report that all of its data was improperly obtained. The organization now has a compliance nightmare on its hands.

The organization might want to delete all of that data to comply with regulations. However, if the team did not tag the data when it was initially loaded into the system, it will be difficult to track and remove it. Even if the data was tracked successfully, it could have become so interwoven with petabytes of other data that it is no longer viable to extract.

On top of this, some regulators may apply the legal concept of "the fruit of the poisonous tree." That doctrine is typically used when law enforcement is accused of not obtaining a search warrant properly. If a judge finds that they indeed did act improperly, the fruit doctrine would not only exclude any evidence found during the search, but also anything found as a result of what was found in the search.

In the case of data, a strict regulator might insist that not only must a company delete the data broker's information, but also any information that resulted from processing that data. In other words, the analytics done on that data might have to be deleted as well.

**Tracking Data as It Flows**

Another major complicating factor with data compliance is that the folders of information that come from data brokers often reflect work done over many years. That means much of it stems from a time, a place, and a vertical where the rules were different.

"Due to the increasing regulatory compliance framework regarding data collection notice and consent, there are data brokers that have huge subsets of their data that is not 'clean' and they cannot make reps and warranties about it to third parties that want to leverage that data," says Sean Buckley, an attorney with law firm Dykema who specializes in data privacy issues. "The risk to the data broker circles back to whether their data is 'clean' and whether they can prove it if necessary."

ClearData CISO Chris Bowen argues that data tracking is critical when dealing with purchased files, but it can also prove quite difficult — even impossible — if the organization didn't tag it sufficiently from the beginning.

"You need to closely track where the data lives and where it flows," Bowen says. "You need to tag the source of each field in the database. You need consistent links through petabytes of data, structured and unstructured."

Most security executives are not comfortable with this approach because dataflow analysis is outside of their usual remit, he adds.

"Where \[data\] flows and how it's distributed and how it is archived and destroyed, that's usually more the purview of the privacy office," Bowen says. "You need to protect and track the data through every element of its life cycle."

Critically, Bowen stresses that once new datasets are built on top of the data broker information, "it's darn near impossible to uncouple that data. It would take an act of AI to decouple and unwind all of that."

**Putting AI to Work**

That AI point is exactly where some other data specialists see this argument headed. They anticipate large language models (LLMs), such as ChatGPT, will be able to track the data through unlimited analytics efforts. In two to five years, the LLM approach may be effective enough for regulators to rely on it.

"Companies today use \[the difficulty of data tracking\] as an excuse to not produce the evidence. With the advent of machine learning models, that is no longer the case," says Brad Smith, a managing director at consulting firm Edgile.

Detailed tracking of the data throughout its life cycle is key to solving the data broker problem, he says.

"When you pull data in from an external organization, there is always going to be some level of liability. The solution is to maintain data lineage. Generally, when you move information, transfer or copy, or the data somehow morphs from one system to another, that lineage is broken," Smith says. "With the large language model, every piece of data exists in its original state. Those mappings exist in the neural network they have created."

The cloud also plays a critical role here, he adds.

"The only thing that they have to do is move their data into a hyperscale infrastructure," Smith says. "When regulators become aware of this and the \[enterprise\] hasn't sufficiently invested in Azure or AWS, they'll ask, 'Why haven't you moved to that platform?'"

**Avoiding Tainted Data**

Fundamentally, some believe that businesses purchase third-party data from data brokers too quickly and that they should first do serious examination of the data they already have or can collect directly.

"There is an open acknowledgement that the quality of third-party data is not good and that it's collected in a pretty dubious manner. Their definition of consent is spotty. Overall, the way data brokers get their data flies in the face of global privacy laws," says Stephanie Liu, a privacy analyst with Forrester.

"It's shocking how quickly we've normalized the aggregation of data that, just a few years ago, would have been considered an egregious intrusion of privacy," adds Rex Booth, the CISO for SailPoint. "Now the only delineation of right and wrong regarding brokers is whether they broke laws in gathering their data."

When figuring out the data broker challenge, CISOs must factor in how the data is being used now and how it will likely be used in a year," he says. "Is it being used to make decisions about who gets a loan or an apartment? Is the resultant data visible to customers, or is it entirely internal, such as data to help sales know who to contact?

Saugat Sindhu, a senior partner who heads the strategy and risk practice at consulting firm Wipro, says almost all data brokers provide deliverables in an anonymized fashion, but it often doesn't stay that way. "You can easily deanonymize an identity," he says.

In some cases, Sindhu says, the compliance remedy may go beyond data deletion to assessing revenue generated by the improperly created data: "You didn't do anything wrong knowingly, but you still made profits off of it and that may raise a fair trade issue," he says. "At the end of the day, tainted data is tainted data."

How CISOs Can Reduce the Danger of Using Data Brokers

CISA released the hunt and response tool to help defenders extract cloud artifacts without performing additional analytics.

The Untitled Goose Tool is the latest tool from the United States Cybersecurity and Infrastructure Security Agency to help enterprise security teams respond to attacks.

Developed in conjunction with Sandia National Labs, the Untitled Goose Tool “offers novel authentication and data gathering methods for network defenders to use as they interrogate and analyze their Microsoft cloud services,” CISA said in its announcement, which specifically listed Microsoft Azure, Microsoft 365, and Azure Active Directory. With this tool, defenders can run a full investigation by interrogating and collecting Azure Active Directory sign-in and audit logs, Microsoft 365 unified audit log, Azure activity logs, Microsoft Defender for IoT (Internet of Things) alerts, and Microsoft Defender for Endpoint data for suspicious activity, CISA said in its Untitled Goose Tool fact sheet. Defenders can also query, export, and investigate Azure Active Directory, Microsoft 365, and Azure configurations.

The hunt and incident response tool was designed to assist incident response teams export cloud artifacts after an incident for environments that aren’t ingesting logs into the organization’s Security Information and Events Management (SIEM) platform, CISA said on the Untitled Goose GitHub repository page. The defenders can then ingest the JSON results into an existing SIEM, web browser, text editor, or database, for additional analysis.

The Untitled Goose Tools was announced on the same day as the Pre-Ransomware Notification Initiative, which aims to warn organizations about ransomware attacks early enough so that organizations can block the attempt to steal or encrypt data. Earlier in March, CISA announced the Decider tool, which will help organizations map adversary behavior to the MITRE ATT&CK framework to find gaps in their defenses, as well as the Ransomware Vulnerability Warning Pilot, to warn critical infrastructure entities about flaws in their systems.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading