A single device with malicious code can foil a networking protocol used by spacecraft, aircraft, and industrial control systems, resulting in unpredictable operations and possible failures.

Imagine: A mission to redirect an asteroid using a team of astronauts goes wrong, when a malicious device onboard the spacecraft interferes with its ability to dock with a robotic spacecraft — causing the crewed capsule to veer off course, spinning into space.

Such a mission is still in the planning stages, but the simulated attack demonstrates the danger of a recently discovered vulnerability in the networking protocol used for securely sharing critical messages in software for spacecraft, airplanes, and critical infrastructure. That's according to researchers from the University of Michigan and NASA, who said the protocol, known as time-triggered ethernet (TTE), reduces the cost of implementing networks for critical infrastructure devices by allowing multiple devices to use the same network without affecting one another.

The vulnerability could be used to disrupt or cause failures in connected devices used in those highly sensitive applications. The researchers tested the attack in several experiments, ending with the simulation of an attack against NASA's planned Asteroid Redirect Mission. The ARM aims to use "a robotic spacecraft to move an asteroid into a stable orbit around the Moon." A crewed spacecraft, such as NASA's Orion, would then "carry astronauts to the asteroid in order to study it, take samples, and return the samples to Earth," the researchers stated in a paper published this week.

The experiments showed that it's practical for a simple device using electromagnetic interference to break the isolation that is the cornerstone of the TTE protocol.

The attack demonstrates some of the security issues that have to be considered when implementing networks hosting both critical and non-critical devices — an increasingly common occurrence as the designers of critical systems try to reduce costs and increase efficiency. TTE networks allow critical, time-sensitive traffic to travel on the same network as less critical traffic, known as best-effort (BE) communications. The attack, dubbed PCSPOOF, uses specially crafted interference to corrupt parts of non-critical network packets, allowing malicious data to be injected into critical systems.

"We wanted to determine what the impact would be in a real system," Baris Kasikci, an assistant professor of computer science and engineering at University of Michigan, said in a statement. "If someone executed this attack in a real spaceflight mission, what would the damage be?"

**Critical Infrastructure Under Attack**

The attack continues a trend of critical infrastructure and industrial control systems (ICS) being increasingly targeted by cyberattackers. The Cybersecurity and Infrastructure Security Agency (CISA) warned in September that advanced persistent threat (APT) actors had increased attacks against critical infrastructure, such as utilities and industrial targets.

Communications are a common point of entry. In April, CISA warned that attackers had created three malware tools that targeted the Open Platform Communications Unified Architecture (OPC UA), which allows sensors and other devices to exchange data with connected services and software.

Time-triggered networks are tightly synchronized using a global schedule that is loaded into the devices when the network is created, specifying when data frames are expected to be sent and received. The networks typically have low latency and jitter, measures of network delay and variability in bandwidth.

By identifying the IP address of another device on the network — the target — an attacker can determine the critical traffic marker through brute force. The networks allow devices on the same network to communicate with each other with the right critical traffic markers. Using the markers, an attacker could create a protocol control frame that holds data, a technique also known as packet-in-packet attack.

**Exploits in Space**

The disclosure comes as NASA launched its Artemis rocket after months of delays, the first step in its quest to put people back on the moon. With competition heating up in this second space race, attacks on spacecraft and robotic probes may not be out of the question: The PCSPOOF attack could certainly cause missions to fail in a catastrophic way, the researchers stated in the paper.  

"We evaluated PCSPOOF on an avionics testbed for a real spaceflight mission," the researchers said. "Our results show that PCSPOOF can threaten mission success and safety from a single BE device, such as those used in an onboard research experiment developed by a university."

Modern TTE networks often do not verify parts of the data packets sent through local subnets, which makes PCSPOOF attacks more achievable. During an attack, researchers gathered information from the targeted TTE network to create a special packet, known as a protocol control frame (PCF), and then injected that frame into the network while creating electromagnetic interference to undermine the switch's ability to control routing.  

As far as defending against such an attack, organizations can replace any copper Ethernet cables with fiber optic, thus eliminating the impact of electromagnetic interference. In addition, the network could be modified to prevent malicious synchronization-control messages from accessing the same devices as legitimate messages.

So far, affected organizations have committed to making the changes, according to Andrew Loveless, a UM doctoral student in computer science and engineering, and subject matter expert at NASA's Johnson Space Center. The researchers notified NASA, the European Space Agency, Northrop Grumman Space Systems, and Airbus Defense and Space — organizations which use TTE in critical systems.

"To our knowledge, there is not a current threat to anyone’s safety because of this attack," Loveless says. "We have been very encouraged by the response we have seen from industry and government."

Spacecraft Vulnerable to Failure, Thanks to Aerospace Networking Bug

Stop chatty apps from oversharing and eliminate a hacker backdoor — train developers on "security first" while subjecting APIs to least-privilege zero-trust policies.

We are more connected than ever — but far less so now than we will be: There will be 3.6 network devices for every living person in the world by 2023, up from 2.4 per person in 2018, according to the Cisco Annual Internet Report. The number of networked devices will rise from 18.4 billion to 29.3 billion within that time. The number of machine-to-machine (M2M) connections will increase from just over 6 billion to 14.7 billion.

As a result, we will grow only more reliant on software to make everything work. The performance of application programming interfaces (APIs) greatly affects software's overall effectiveness. Whether we're online seeking a weather update, participating in an industry webinar, sharing docs with colleagues, or calling up medical lab test results, APIs enable two software components to talk to each other to both make user requests and respond to them.

But, in this case, it's possible to have _too_ much talking between APIs which, like gossipy chatterbox co-workers in our offices, will overshare "too much information" if we let them. We call this "TMI tech."

By design, APIs open the floodgates for communication between apps. When the risk-mitigation measures of their access control are lax, APIs will reveal too much information or — even worse — expose themselves through a vulnerable app backdoor. Too often, developers over-permission APIs for functions so they don't have to keep changing access rights with every program build. However, attackers are well aware that this is happening, so they take over APIs and leverage their powerful permissions to breach networks.

As a result, oversharing APIs are emerging as frequently targeted, low-hanging fruit: The Salt Security State of API Security Report indicates that one-fifth of organizations have experienced a breach due to compromised APIs. Malicious traffic accounts for 2.1% of all API traffic, growing from an average of 12.22 million malicious calls per month to 26.46 million calls. The Open Web Application Security Project (OWASP) lists broken access control as the top Web application risk — over cryptographic failures, injections, and misconfigurations.

**Recommended Best Practices**

So, how do security leaders and their teams avoid these issues? We recommend the following best practices:

*   **Upskill developers to cultivate a "security first" culture.** It's critical to educate developers about the nuances that differentiate a poor coding pattern from a good one, to help them focus on building safe software from the start. When security teams strengthen their communications and relationships with developers, those developers learn how to use the right tools for protection and even maximize their value. Hands-on/person-to-person training proves essential here. Computer-based training by itself comes with too many limitations, often lacking the ability to verify the security skills of participants.
*   **Practice real-life scenarios.** All training programs must include this. Developers benefit the most by experiencing the real-world scenarios and consequences of broken access control – it's the most potent way to both verify and improve skills.
*   **Extend zero trust (ZT) to APIs.** We typically consider ZT in terms of user access. But we should apply it to APIs as well to eliminate over-permissioning and enforce role-based controls. If an API is supposed to perform a specific function, then security teams must work with developers to restrict permissions to solely that function.
*   **Contain API "phone privileges."** In further incorporating ZT, security/developer teams should limit the calls APIs are allowed to make, so these calls are strictly conducted based upon context-centered requests. Subsequently, attackers will encounter difficulties in modifying them for criminal purposes.

**Training Is Key**

Whether dealing with real people or software, we should take oversharing seriously. Those gossipy chatterbox co-workers could cause very real damage in the office, after all, which is why HR needs to sit down with them to firmly enforce what is appropriate to discuss and what is not. In the same office, we don't allow Sara from accounting to snoop around freely in the legal department and download whatever documents she wants.

Similarly, we have to train developers on "security first" while subjecting APIs to least-privilege ZT policies. With this, software will share only what is necessary to perform set tasks, and the elimination of TMI tech will firmly seal off our office "door" — and the network and all digital assets — from attackers.

TMI Tech: How to Stop Vulnerable Software from 'Oversharing'

Online fraud prevention company predicts Cyber Monday will see a 100% increase in online fraud attempts.

Austin, TX - November 17, 2022 — Leveraging data from its own platform, SEON is painting a daunting, but nuanced picture of online fraud in the run up to Black Friday and Cyber Monday. This year, SEON predicts that fraud attempts will increase by more than 100% on Cyber Monday when compared to a typical Monday. In addition, the company foresees bot programs and fake profiles as being the weapons of choice for fraudsters in 2022.

SEON’s internal data paints an interesting picture for online businesses like eCommerce merchants, online loan providers and iGaming companies. While the company processed 26% more transactions on Black Friday compared to a normal Friday, it saw a 57% increase in declined transaction rates. More surprisingly, the company’s system processed around 19.5% more transactions on Cyber Monday than on a typical Monday but experienced an 100.3% increase in declined transaction rates.

Last year, SEON reviewed more than $300 billion of transactions during Black Friday and Cyber Monday. During this period, the company was able to stop more than $6 billion in attempted fraud on behalf of its clients. Now, the company is predicting similar figures for this year’s shopping bonanza. In fact, SEON believes more people may now turn to online fraud in response to growing economic pressures.

SEON, which has just been named as the ‘Hottest Cybersecurity Startup’ at The Europas Awards 2022, predicted a 150% increase in attempted loan fraud during last year's Black Friday. The company’s own research now shows this prediction to be somewhat conservative. The sector saw the biggest increase in attempted fraud according to SEON’s data last year and must now brace for a similar period in 2022.

For more information about SEON, please visit: https://seon.io/

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cyber Monday Will Be the Most Fraudulent Day of the Season, Says SEON

**NEW YORK, Nov. 16, 2022 /PRNewswire/ —** Yesterday, a broad transatlantic coalition of 41 associations - representing companies of all sizes from various sectors of the business community - called on EU policymakers to make a swift conclusion to the EU adequacy decision process so that businesses can confidently rely on the new EU-U.S. Data Privacy Framework. In a statement delivered to EU and U.S. officials, the associations offered an analysis of recent U.S. Executive Order and accompanying U.S. Department of Justice regulations implementing the U.S.'s commitments under the EU-U.S. Data Privacy Framework to help inform and support EU's work towards making the EU-U.S. Data Privacy Framework operational through the EU adequacy decision process.

"We urge all stakeholders to consider deliberately but fairly the substance of these new U.S. legal requirements, which establish unprecedented restrictions on U.S. surveillance activities as well as a meaningful redress mechanism for EU citizens," **the associations wrote.** "We are heartened that these new safeguards serve to strengthen all existing transfer mechanisms available to companies, including standard contractual clauses, and should be relevant considerations in the context of EU supervisory authority investigations. Furthermore, we recognize that this is not only a matter of facilitating economic stability and growth. The efforts to reach agreement on a new framework embody a statement of common purpose from the EU and U.S., and a willingness to work together to find new ways to uphold the joint values we share as democratic societies. These developments also send a strong message on the importance of privacy globally, and in establishing robust and secure frameworks for cross-border data transfers."

Recipients of the statement included European Commission President Ursula von der Leyen; Executive Vice-President Margrethe Vestager; Commissioner Didier Reynders; Commissioner Vera Jourova; Members of European parliament's LIBE Committee, the European Data Protection Board, the European Data Protection Supervisor, and individual Data Protect Authorities; officials from EU Member States; and U.S. Administration officials, including those at the U.S. Departments of Commerce and Justice.

The statement was signed by ACT | The App Association, Alliance Française des Industries du Numérique (AFNUM), Alliance for Automotive Innovation, Allied for Startups, AmCham EU, AmCham Ireland, American Council of Life Insurers, Asia Internet Coalition (AIC), Biotechnology Innovation Organization (BIO), Bitkom, Business Roundtable, Coalition of Services Industries (CSI), Computer & Communications Industry Association (CCIA), Confederation of Danish Industry (DI), Confederation of Industry of the Czech Republic (SPCR), Consumer Technology Association® (CTA), Danish Entrepreneurs, Dansk Erhverv / The Danish Chamber of Commerce, Developers Alliance, Digital Future for Europe, Digital Poland ZIPSEE, Ecommerce Europe, Engine, Entertainment Software Association, European Games Developer Federation (EGDF), European Publishers Council, FEDMA, IAB, INFOBALT, ITI – Information Technology Industry Council, Interactive Software Federation of Europe (ISFE), Internet Infrastructure Coalition, National Retail Federation, NLdigital, Software & Information Industry Association (SIIA), Swedish Enterprise (SN), TechNet, techUK, Trans-Atlantic Business Council, U.S. Chamber of Commerce, and **U.S. Council of International Business (USCIB)**.

Read the full statement here.

41 Transatlantic Business Coalition Calls on EU Policymakers to Finalize Agreement to Secure Transatlantic Data Flows

Unified data layer enables continuous platform updates.

**Santa Clara, CA, November 17, 2022 —** Revelstoke, the next-level Security Orchestration Automation and Response (SOAR) platform, today announces several new product upgrades to include sub-workflow, case management, and indicators of compromise (IOC) automation.

Revelstoke offers Chief Information Security Officers (CISOs) and security analysts the only SOAR solution built on a unified data layer (UDL). Revelstoke automates analysis, eliminates software development needs, optimizes workflows, prevents vendor lock, scales processes, and quickly and effectively allows analysts to get to the root of incidents.

New Revelstoke capabilities include:

**Sub-Workflow Replication**

Sub-workflows allow analysts to create a repeatable process that can be reused across multiple workflows. For example, if there is a common account lockdown procedure across numerous account types, a sub-workflow allows this functionality to be created once and used in multiple locations. Revelstoke users can containerize reusable objects, saving time and allowing analysts to focus more on mission-critical issues and threats.

Without an automated sub-workflow, analysts must build a workflow every time they repeat a task manually, and organizations cannot create and manage repeatable processes across the board.

**Case Management Console**

The new Case Management console builds on Revelstoke’s unique case management offerings. The console allows at-a-glance access to all active cases, including functional quick search, pagination, and sorting. Analysts can now view data simply instead of searching through pages and pages of case number listings. In addition, analysts get single-view access to the status of cases to determine those which need attention and those that are remedied.

**IOC Database Initiation**

Revelstoke now allows analysts to search the entire UDL data store for common entities between cases and incidents. As alerts flow into cases, analysts can discover cases that are similar or have similar indicators. This represents the first step toward a robust IOC database, allowing SOC analysts to search across cases for common IOCs and build correlations.

“The capabilities of Revelstoke’s unique UDL powers a platform that can be upgraded and augmented to meet the evolving needs of Security Operations Centers,” said Josh McCarthy, Revelstoke Co-Founder, and Chief Product Officer. “We continually focus on ensuring that our customers have access to SOAR automation capabilities not offered by any other platform.”

Additional user interface capabilities include:

· Streamlined Dashboard

*   Consolidated Workflow Interface
*   Integration Management Console

· New User Preferences including Light and Dark Mode

**Multi-Tenancy**

Multi-tenancy allows for Managed Security Service Providers (MSSPs), Managed, Detection and Responders (MDRs), and large multi-national enterprise customers to segregate, but still centrally manage individual customers or business units from one "parent" account. This allows the parent to push down workflows to all the other tenants as well as offer a birds-eye view of the entire environment while allowing the individual “child tenants” to manage their own environments and not see each other's data. This is made even more powerful by the UDL which pushes down workflows from the parent to seamlessly adapt to any technology stack.

For more details on platform enhancements, please visit: https://www.revelstoke.io/resource/revelstoke-interface-v2-features-updates-and-improvements/

**About Revelstoke**

Revelstoke is the only next-generation Security Orchestration, Automation, and Response (SOAR) solution built on a Unified Data Layer that offers no-code automation and low-code customization. Revelstoke empowers CISOs and security analysts to automate analysis, eliminate software development needs, optimize workflows, prevent vendor lock, scale processes, and secure the enterprise. For more information, get on board at Revelstoke.io.

Revelstoke Upgrades SOAR Platform With Augmented Automation, Case Management, and User Interface Capabilities

Access to digital certificates would allow the Chinese-speaking espionage group to sign its custom malware and skate by security scanners.

The state-sponsored cyberattack group known as Billbug managed to compromise a digital certificate authority (CA) as part of an wide-ranging espionage campaign that stretched back to March — a concerning development in the advanced persistent threat (APT) playbook, researchers warn.

Digital certificates are files that are used to sign software as valid, and verify the identity of a device or user to enable encrypted connections. As such, a CA compromise could lead to a legion of stealthy follow-on attacks.

"The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates, they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines," according to a report this week from Symantec. "It could also potentially use compromised certificates to intercept HTTPS traffic."

"This is potentially very dangerous," the researchers noted.

Others concur. 

“Certificate authorities are one of the most important elements of maintaining security in today’s digital world," Chris Hickman, CSO at Keyfactor, tells Dark Reading. "Much like a driver’s license or passport, digital certificates contain information about an individual or entity and are used to verify the authenticity of websites, devices, or organizations, ensuring an individual user that the entity that they’re communicating with online can be trusted. Think of this as the difference between issuing a real ID rather than a fake one — real IDs will always have some characteristics that cannot be replicated in a fake ID. The same holds true with certificates, which is why this dangerous.”

**An Ongoing Spate of Cyber-Compromises**

Billbug (aka Lotus Blossom or Thrip) is a China-based espionage group that mainly targets victims in Southeast Asia. It's known for big-game hunting — i.e., going after the secrets held by military organizations, governmental entities, and communications providers. Sometimes it casts a broader net, hinting at darker motivations: In one past instance, it infiltrated an aerospace operator to infect the computers that monitor and control the movements of satellites.

In the latest run of nefarious activity, the APT hit a pantheon of government and defense agencies throughout Asia, in one case infesting "a large number of machines" on a government network with its custom malware.

"This campaign was ongoing from at least March 2022 to September 2022, and it is possible this activity may be ongoing," says Brigid O Gorman, senior intelligence analyst at Symantec Threat Hunter Team. "Billbug is a long-established threat group that has carried out multiple campaigns over the years. It is possible that this activity could extend to additional organizations or geographies, though Symantec has no evidence of that at the moment."

**A Familiar Approach to Cyberattacks**

At those targets as well as at the CA, the initial access vector has been the exploitation of vulnerable, public-facing applications. After gaining the ability to execute code, the threat actors go on to install their known, custom Hannotog or Sagerunex backdoors before burrowing deeper into networks.

For the later kill-chain stages, Billbug attackers use multiple living-off-the-land binaries (LoLBins), such as AdFind, Certutil, NBTscan, Ping, Port Scanner, Route, Tracert, Winmail, and WinRAR, according to Symantec's report.

These legitimate tools can be abused for various doppelganger uses, such as querying Active Directory to map a network, ZIP-ing files for exfiltration, uncovering paths between endpoints, scanning NetBIOS and ports, and installing browser root certificates — not to mention downloading additional malware.

The custom backdoors combined with dual-use tools is a familiar footprint, having been used by the APT in the past. But the lack of concern about public exposure is par for the course for the group.

"It's notable that Billbug appears to be undeterred by the possibility of having this activity attributed to it, with it reusing tools that have been linked to the group in the past," says Gorman.

She adds, "The group's heavy use of living off the land and dual-use tools is also notable, and underlines the need for organizations to have in place security products that can not only detect malware, but can also recognize if legitimate tools are potentially being used in a suspicious or malicious manner."

Symantec has notified the unnamed CA in question to inform it of the activity, but Gorman declined to offer further details as to its response or remediation efforts.

While there's no indication so far that the group was able to go on to compromise actual digital certificates, the researcher advises, "Enterprises should be aware that malware could be signed with valid certificates if threat actors are able to achieve access to cert authorities."

In general, organizations should adopt a defense-in-depth strategy, using multiple detection, protection, and hardening technologies to mitigate risk at each point of a potential attack chain, she says.

"Symantec would also advise implementing proper audit and control of administrative account usage," Gorman notes. "We'd also suggest creating profiles of usage for admin tools as many of these tools are used by attackers to move laterally undetected through a network. Across the board, multifactor authentication (MFA) can help limit the usefulness of compromised credentials."

China-Based Billbug APT Infiltrates Certificate Authority

The results are labor-intensive to parse, so knowing how to interpret them is key, security experts say.

A new set of evaluations for managed security service providers that MITRE Engenuity has released can potentially give enterprise decision-makers a handy resource to consult when selecting a provider. The key to benefiting from the information, though, is knowing how to interpret the results, MITRE and others said this week.

MITRE Engenuity's first-ever evaluation of security service providers — like its product evaluations — does not offer any winners or losers, nor any rankings based on performance, nor any indication of how well, or poorly, a vendor might have performed. 

Instead, it offers detailed information on how different security service providers analyze and describe adversary behavior to their clients. MITRE's evaluation leaves it entirely up to security professionals and teams using the data to make any vendor comparisons they might want with it.

**An Objective Look at MDR Capabilities**

"MITRE Engenuity’s ATT&CK Evaluations for Managed Services is likely the only objective demonstration of what’s available in the managed services and managed detection and response (MDR) market," says Katie Nickels, director of intelligence at Red Canary, one of 16 security service providers that participated in the evaluation. "It allows organizations to see a realistic demonstration of how these tools actually work, with those results being provided by a neutral third party."

For the evaluation, MITRE Engenuity gave each of the participating vendors an opportunity to deploy their adversary detection and monitoring tools on a MITRE-hosted Microsoft Azure environment. A MITRE purple team then executed an emulated attack on the environment using tactics and techniques of the well-known Iranian threat group OilRig. 

Service providers that participated in the evaluation knew the simulated attack would happen within business hours in a specific two-week period. However, MITRE did not inform them of more exact timing, what techniques it would use, or which adversary MITRE Engenuity was emulating.

In carrying out the simulated attack, MITRE Engenuity's team showcased commonly used adversary tactics such as spear-phishing for initial access, credential dumping, Web shell installation, lateral movement, data exfiltration, and cleanup. Vendors had an opportunity to use any of the tools in their MDR portfolio to evaluate the malicious activity and report on it. 

But MITRE's rules prohibited them from taking any steps to respond or block the attack because the goal was to see how each service provider detected and analyzed the unfolding attack and the detail and clarity with which it reported their findings.

**Parsing the Results Can Be Challenging**

MITRE Engenuity's evaluation results for each participating service provider offers both a high-level and a detailed view of how each of them detected the attack through the entire chain. It provides a look at the depth of the analysis each vendor provided at each stage, their communications with MITRE during the emulation, the individual techniques that they spotted and reported on, and what context and information they provided about the attack.

The information can be very useful for skilled security professionals who don't have the resources to do their own bake-off and are willing to compare results themselves, says John Pescatore, director of emerging security trends at the SANS Institute. But the data can be difficult to parse for others, he says. 

"MITRE Engenuity purposely doesn't make it easy to rank vendors in their evals," Pescatore says. "So, the tests are not useful for someone who just wants to make a 'safe' choice or compete the top three against each other."

"To compare, I’d have to look at each one and count how many techniques, etc., they covered, and I’d get some kind of ranking,' Pescatore notes. "But in order to understand how they did it, to see how that would fit with my processes, I have to either get info from the vendor or play with the product or service myself."

**Context Is Key**

Nickels from Red Canary says that while the results don't offer a clear apples-to-apples comparison between vendors, that’s not the point. "Every provider is different in how it detects activity and communicate findings, and every organization and security team has different needs," she says.

The best way to get an understanding of the value provided by each vendor in MITRE Engenuity's evaluation is to consider qualitative aspects, such as how each vendor communicated with MITRE during the emulation, the screen shots they took, and the analysis and context they might have provided, she says: "Examining these resources, while labor intensive, will offer organizations the best view into the value provided by each vendor."

In a report this week, Red Canary also highlighted what it described as some limitations of the MITRE Engenuity tests, such as it being too endpoint-focused and being too heavily weighted toward detection coverage and not enough on response. 

"The test required participants to turn off many preventive and other security controls," Nickels says. "Under normal circumstances, most of the vendors who participated would have detected and responded to MITRE’s emulation activity relatively early, thereby preventing the more impactful, later-stage activity."

Another factor to keep in mind when interpreting the results is whether all participating vendors deployed technologies that they normally use for MDR, or if they used something else for the evaluation. "We recommend organizations reviewing these results ask vendors if their environment was normal for the average customer."

**MITRE Engenuity's Recommendation**

In a blog post, Ashwin Radhakrishnan, MITRE Engenuity's general manager of ATT&CK evaluations, recommended that users consider the results in the proper context. Like Nickels noted, MITRE too strongly recommended against organizations merely looking at the total number of techniques a vendor might have detected as the sole yardstick.

"Before starting any analysis of technique coverage, it is important to determine which techniques are most relevant to your organization based on the adversary groups and threats that your organization faces," MITRE said. The blog post offered 10 ways that security practitioners should interpret the evaluation results.

The recommendations include looking at top-level report statuses of the service providers to get a high-level understanding of how they performed in the evaluation, looking at how the service providers presented their findings to their customers, and determining if the service providers correctly attributed the adversary (OilRig). Some of the other measures users consider is whether the service providers recommended any mitigation measures; the length of their reports; the clarity of the language in the reports; and the details in their own releases about the evaluations, MITRE Engenuity said.

MITRE Engenuity Launches Evaluations for Security Service Providers

Autocompleted code is convenient and quick, but it may expose your organization to security and compliance risks.

In recent months, we've marveled at the quality of computer-generated faces, cat pictures, videos, essays, and even art. Artificial intelligence (AI) and machine learning (ML) have also quietly slipped into software development, with tools like GitHub Copilot, Tabnine, Polycode, and others taking the logical next step of putting existing code autocomplete functionality on AI steroids. Unlike cat pics, though, the origin, quality, and security of application code can have wide-reaching implications — and at least for security, research shows that the risk is real.

Prior academic research has already shown that GitHub Copilot often generates code with security vulnerabilities. More recently, hands-on analysis from Invicti security engineer Kadir Arslan showed that insecure code suggestions are still the rule rather than the exception with Copilot. Arslan found that suggestions for many common tasks included only the absolute bare bones, often taking the most basic and least secure route, and that accepting them without modification could result in functional but vulnerable applications.

A tool like Copilot is (by design) autocompletion turned up a notch, trained on open source code to suggest snippets that could be relevant in a similar context. This makes the quality and security of suggestions closely tied to the quality and security of the training set. So the bigger questions are not about Copilot or any other specific tool but about AI-generated software code in general.

It's reasonable to assume Copilot is only the tip of the spear and that similar generators will become commonplace in the years ahead. This means we, the technology industry, need to start asking how such code is being generated, how it's used, and who will take responsibility when things go wrong.

**Satnav Syndrome**

Traditional code autocompletion that looks up function definitions to complete function names and remind you what arguments you need is a massive time-saver. Because these suggestions are merely a shortcut to looking up the docs for yourself, we've learned to implicitly trust whatever the IDE suggests. Once an AI-powered tool comes in, its suggestions are no longer guaranteed to be correct — but they still feel friendly and trustworthy, so they are more likely to be accepted.

Especially for less experienced developers, the convenience of getting a free block of code encourages a shift of mindset from, "Is this code close enough to what I would write" to, "How can I tweak this code so it works for me."

GitHub very clearly states that Copilot suggestions should always be carefully analyzed, reviewed, and tested, but human nature dictates that even subpar code will occasionally make it into production. It's a bit like driving while looking more at your GPS than the road.

**Supply Chain Security Issues**

The Log4j security crisis has moved software supply chain security and, specifically, open source security into the limelight, with a recent White House memo on secure software development and a new bill on improving open source security. With these and other initiatives, having any open source code in your applications could soon need to be written into a software bill of materials (SBOM), which is only possible if you knowingly include a specific dependency. Software composition analysis (SCA) tools also rely on that knowledge to detect and flag outdated or vulnerable open source components.

But what if your application includes AI-generated code that, ultimately, originates from an open source training set? Theoretically, if even one substantial suggestion is identical to existing code and accepted as-is, you could have open source code in your software but not in your SBOM. This could lead to compliance issues, not to mention the potential for liability if the code turns out to be insecure and results in a breach — and SCA won't help you, as it can only find vulnerable dependencies, not vulnerabilities in your own code.

**Licensing and Attribution Pitfalls**

Continuing that train of thought, to use open source code, you need to comply with its licensing terms. Depending on the specific open source license, you will at least need to provide attribution or sometimes release your own code as open source. Some licenses forbid commercial use altogether. Whatever the license, you need to know where the code came from and how it's licensed.

Again, what if you have AI-generated code in your application that happens to be identical to existing open source code? If you had an audit, would it find that you are using code without the required attribution? Or maybe you need to open source some of your commercial code to remain compliant? Perhaps that's not yet a realistic risk with current tools, but these are the kind of questions we should all be asking today, not in 10 years' time. (And to be clear, GitHub Copilot does have an optional filter to block suggestions that match existing code to minimize supply chain risks.)

**Deeper Security Implications**

Going back to security, an AI/ML model is only as good (and as bad) as its training set. We've seen that in the past — for example, in cases of face recognition algorithms showing racial biases because of the data they were trained on. So if we have research showing that a code generator frequently produces suggestions with no consideration for security, we can infer that this is what its learning set (i.e., publicly available code) was like. And what if insecure AI-generated code then feeds back into that code base? Can the suggestions ever be secure?

The security questions don't stop there. If AI-based code generators gain popularity and start to account for a meaningful proportion of new code, it's likely somebody will try to attack them. It's already possible to fool AI image recognition by poisoning its learning set. Sooner or later, malicious actors will try to put uniquely vulnerable code in public repositories in the hope that it comes up in suggestions and eventually ends up in a production application, opening it up to an easy attack.

And what about monoculture? If multiple applications end up using the same highly vulnerable suggestion, whatever its origin, we could be looking at vulnerability epidemics or maybe even AI-specific vulnerabilities.

**Keeping an Eye on AI**

Some of these scenarios may seem far-fetched today, but they are all things that we in the tech industry need to discuss. Again, GitHub Copilot is in the spotlight only because it currently leads the way, and GitHub provides clear warnings about the caveats of AI-generated suggestions. As with autocomplete on your phone or route suggestions in your satnav, they are only hints to make our lives easier, and it's up to us to take them or leave them.

With their potential to exponentially improve development efficiency, AI-based code generators are likely to become a permanent part of the software world. In terms of application security, though, this is yet another source of potentially vulnerable code that needs to pass rigorous security testing before being allowed into production. We're looking at a brand new way to slip vulnerabilities (and potentially unchecked dependencies) directly into your first-party code, so it makes sense to treat AI-augmented codebases as untrusted until tested — and that means testing everything as often as you can.

Even relatively transparent ML solutions like Copilot already raise some legal and ethical questions, not to mention security concerns. But just imagine that one day, some new tool starts generating code that works perfectly and passes security tests, except for one tiny detail: Nobody knows how it works. That's when it’s time to panic.

Are We Ready for AI-Generated Code?

The cybersecurity industry is facing a challenge to find qualified candidates. Here’s what recruiters, educators, and employers can do to fill the talent gap.

In today's cybersecurity space, there is a knowledge gap, with numerous cybersecurity positions going unfilled. As demand increases and talent lags, cybersecurity educators, recruiters, and employers alike are looking for more actionable solutions to collaborate and link talent to jobs. While the worker shortage continues to grow amid new demands, here is what organizations and educators alike need to understand to adapt and bridge the gap in the future.

**Challenges in the Current Cybersecurity Job Landscape**

Currently, there is an industrywide challenge to find qualified employees, as recognized by the Bureau of Labor and Statistics, which states a 37% projected growth rate of cybersecurity positions by 2030. Potential new hires are taking notice, as positions listed on job-posting sites, such as LinkedIn and Monster.com, continue to climb.

At the federal level, the government is treading water, at best, as they meet talent needs. Notably, the United States Army plans to double its active-duty cyber forces in size, to employ 6,000 active-duty military personnel by the end of this decade, drawing from all branches. At the state and local level, many parts of government are struggling to attract enough cybersecurity professionals. Meanwhile, bad actors continue to target organizations such as hospitals, government offices, public schools, law offices, and other entities to go after low-hanging fruit with ransomware attacks. Such attacks have recently spiked, and, as of last year, almost 60% of these organizations were attacked. In the private sector, geographic areas with relatively new tech hubs are struggling to find on-site talent, as many graduates are drawn to more established cities for the industry.

**Recruiters Aim for Higher Compensation and Better Incentives to Attract Talent**

Across the field, employers and recruiters are trying a variety of techniques to recruit cybersecurity professionals. In the private sector, many are luring new talent with the promise of bonus sign-on compensation and salary growth potential. Recruiters in the public sector, on the other hand, emphasize job security that comes with a government role.

Recently, however, the public sector has allocated more funding with plans to expand the US Cyber Command, creating more competitive salaries. In June, the Pentagon received $11.2 billion in funding for cyber for 2023 — jumping nearly $1 billion from the year prior. Increased funding will translate into increased compensation, making beginner federal positions very competitive compared with the private sector.

While public sector salaries climb at entry level, recruiters are still challenged to find candidates who can pass the extensive background checks and adhere to rigorous work and behavior standards required by the government and military. Private sector recruiters, by contrast, emphasize flexibility in the workplace to sway potential candidates — as many tech workplaces are celebrated for disrupting corporate social norms. To this end, the private sector is becoming more amenable to options such as remote work and flex scheduling, which is particularly important in geographic regions where there is a dearth of cybersecurity candidates.

**Cybersecurity Educators' Role in Educating New Talent for Recruiters**

Cybersecurity educators have a unique challenge to prepare students for challenges on platforms that are constantly evolving. Students need to see real-world applications of knowledge and skills to be set up for success. At American Public University System, where I instruct, we aim to equip tomorrow's cyber leaders with valuable knowledge that is relevant by offering a strong cyber-defense focused online curriculum at both the undergraduate and graduate levels.

As scholar-practitioners, we know what educational resources can best equip our students. Well-rounded curriculum for students should cover intrusion, incident handling, IT security, and digital forensics, and should integrate multiple disciplines to gain the critical skills and management practices needed to effectively lead missions in real time.

Given the national shortage in talent, it is also important educators provide accessible opportunities to welcome non-traditional learners into the fold — no matter their geographic location, age, or career history. There are always opportunities for real-world application. At the K-12 level, this may look like attending field trips or creating mock drills. At the undergraduate and graduate level, it may be partnerships and collaboration with employers — from career fairs to supervised internship programs — so students have a successful path in mind as soon as they begin meeting with recruiters.

Educators and recruiters alike recognize that the knowledge gap is not going away — and we are working to help address it with high-quality, accessible education for future cybersecurity professionals.

**About the Author**

    

Dr. Kenneth Williams is the Executive Director of the Center for Cyber at American Public University System. He is a retired US Army IT officer with 24 years of active service and seven years of federal service as a civilian for the US Army. Dr. Williams has a graduate and a PhD degree in Cybersecurity from Capella University and has focused intently on various aspects of cybersecurity to include compliance, governance, and other related aspects of cybersecurity mitigation.

The Future of Cybersecurity Recruiting: Lessons on What Employers Want and What Students Need

Fresh startup BoostSecurity has an SaaS platform for developers and security teams that provides automated tools to shore up cybersecurity within the software supply chain.

For organizations trying to quickly develop secure code, a software-as-a-service (SaaS) platform from BoostSecurity aims to provide automated tools and checks throughout the build, test, and release phases of that process — in order to prioritize security throughout the software supply chain. 

The startup emerged from stealth on Nov. 16 with $12 million in seed funding, led by Sorenson Capital.

In addition to misconfigurations and insider threats to compromised dependencies, BoostSecurity's platform will also help security and engineering identify and fix security issues with automated tools, according to a statement released by the new enterprise. 

**Different Approach**

The company's approach is different than what has been available before, BoostSecurity's CEO Zaid Al Hamami tells Dark Reading. Specifically, automated testing and continuous integration (CI) were once available only to companies that could afford to hire quality assurance teams to conduct manual testing.

"In the future, I believe that building secure software will be as pervasive as automated testing and CI is today," Al Hamami predicts. "That will happen when it becomes just as easy to use, and where the benefits to development teams become just as obvious." 

With headline-grabbing software supply chain cyberattacks becoming all too common, including the infamous SolarWinds compromise, shifting left to make security checks part of the entire software development cycle has become an increasing priority. BoostSecurity sees itself as offering automated DevSecOps tools to help. 

"Even with the increased awareness and the exploding industry around developer security, we believe that we are still in the early innings of a major transformation," Vidya Raman, partner at Sorensen Venture and lead investor in BoostSecurity, said in a statement about the company. "The world now knows how to ship high quality code, rapidly. The next challenge is continuing to do both, but much more securely."

Source

DARKReading