The results are labor-intensive to parse, so knowing how to interpret them is key, security experts say.

A new set of evaluations for managed security service providers that MITRE Engenuity has released can potentially give enterprise decision-makers a handy resource to consult when selecting a provider. The key to benefiting from the information, though, is knowing how to interpret the results, MITRE and others said this week.

MITRE Engenuity's first-ever evaluation of security service providers — like its product evaluations — does not offer any winners or losers, nor any rankings based on performance, nor any indication of how well, or poorly, a vendor might have performed. 

Instead, it offers detailed information on how different security service providers analyze and describe adversary behavior to their clients. MITRE's evaluation leaves it entirely up to security professionals and teams using the data to make any vendor comparisons they might want with it.

**An Objective Look at MDR Capabilities**

"MITRE Engenuity’s ATT&CK Evaluations for Managed Services is likely the only objective demonstration of what’s available in the managed services and managed detection and response (MDR) market," says Katie Nickels, director of intelligence at Red Canary, one of 16 security service providers that participated in the evaluation. "It allows organizations to see a realistic demonstration of how these tools actually work, with those results being provided by a neutral third party."

For the evaluation, MITRE Engenuity gave each of the participating vendors an opportunity to deploy their adversary detection and monitoring tools on a MITRE-hosted Microsoft Azure environment. A MITRE purple team then executed an emulated attack on the environment using tactics and techniques of the well-known Iranian threat group OilRig. 

Service providers that participated in the evaluation knew the simulated attack would happen within business hours in a specific two-week period. However, MITRE did not inform them of more exact timing, what techniques it would use, or which adversary MITRE Engenuity was emulating.

In carrying out the simulated attack, MITRE Engenuity's team showcased commonly used adversary tactics such as spear-phishing for initial access, credential dumping, Web shell installation, lateral movement, data exfiltration, and cleanup. Vendors had an opportunity to use any of the tools in their MDR portfolio to evaluate the malicious activity and report on it. 

But MITRE's rules prohibited them from taking any steps to respond or block the attack because the goal was to see how each service provider detected and analyzed the unfolding attack and the detail and clarity with which it reported their findings.

**Parsing the Results Can Be Challenging**

MITRE Engenuity's evaluation results for each participating service provider offers both a high-level and a detailed view of how each of them detected the attack through the entire chain. It provides a look at the depth of the analysis each vendor provided at each stage, their communications with MITRE during the emulation, the individual techniques that they spotted and reported on, and what context and information they provided about the attack.

The information can be very useful for skilled security professionals who don't have the resources to do their own bake-off and are willing to compare results themselves, says John Pescatore, director of emerging security trends at the SANS Institute. But the data can be difficult to parse for others, he says. 

"MITRE Engenuity purposely doesn't make it easy to rank vendors in their evals," Pescatore says. "So, the tests are not useful for someone who just wants to make a 'safe' choice or compete the top three against each other."

"To compare, I’d have to look at each one and count how many techniques, etc., they covered, and I’d get some kind of ranking,' Pescatore notes. "But in order to understand how they did it, to see how that would fit with my processes, I have to either get info from the vendor or play with the product or service myself."

**Context Is Key**

Nickels from Red Canary says that while the results don't offer a clear apples-to-apples comparison between vendors, that’s not the point. "Every provider is different in how it detects activity and communicate findings, and every organization and security team has different needs," she says.

The best way to get an understanding of the value provided by each vendor in MITRE Engenuity's evaluation is to consider qualitative aspects, such as how each vendor communicated with MITRE during the emulation, the screen shots they took, and the analysis and context they might have provided, she says: "Examining these resources, while labor intensive, will offer organizations the best view into the value provided by each vendor."

In a report this week, Red Canary also highlighted what it described as some limitations of the MITRE Engenuity tests, such as it being too endpoint-focused and being too heavily weighted toward detection coverage and not enough on response. 

"The test required participants to turn off many preventive and other security controls," Nickels says. "Under normal circumstances, most of the vendors who participated would have detected and responded to MITRE’s emulation activity relatively early, thereby preventing the more impactful, later-stage activity."

Another factor to keep in mind when interpreting the results is whether all participating vendors deployed technologies that they normally use for MDR, or if they used something else for the evaluation. "We recommend organizations reviewing these results ask vendors if their environment was normal for the average customer."

**MITRE Engenuity's Recommendation**

In a blog post, Ashwin Radhakrishnan, MITRE Engenuity's general manager of ATT&CK evaluations, recommended that users consider the results in the proper context. Like Nickels noted, MITRE too strongly recommended against organizations merely looking at the total number of techniques a vendor might have detected as the sole yardstick.

"Before starting any analysis of technique coverage, it is important to determine which techniques are most relevant to your organization based on the adversary groups and threats that your organization faces," MITRE said. The blog post offered 10 ways that security practitioners should interpret the evaluation results.

The recommendations include looking at top-level report statuses of the service providers to get a high-level understanding of how they performed in the evaluation, looking at how the service providers presented their findings to their customers, and determining if the service providers correctly attributed the adversary (OilRig). Some of the other measures users consider is whether the service providers recommended any mitigation measures; the length of their reports; the clarity of the language in the reports; and the details in their own releases about the evaluations, MITRE Engenuity said.

MITRE Engenuity Launches Evaluations for Security Service Providers

Autocompleted code is convenient and quick, but it may expose your organization to security and compliance risks.

In recent months, we've marveled at the quality of computer-generated faces, cat pictures, videos, essays, and even art. Artificial intelligence (AI) and machine learning (ML) have also quietly slipped into software development, with tools like GitHub Copilot, Tabnine, Polycode, and others taking the logical next step of putting existing code autocomplete functionality on AI steroids. Unlike cat pics, though, the origin, quality, and security of application code can have wide-reaching implications — and at least for security, research shows that the risk is real.

Prior academic research has already shown that GitHub Copilot often generates code with security vulnerabilities. More recently, hands-on analysis from Invicti security engineer Kadir Arslan showed that insecure code suggestions are still the rule rather than the exception with Copilot. Arslan found that suggestions for many common tasks included only the absolute bare bones, often taking the most basic and least secure route, and that accepting them without modification could result in functional but vulnerable applications.

A tool like Copilot is (by design) autocompletion turned up a notch, trained on open source code to suggest snippets that could be relevant in a similar context. This makes the quality and security of suggestions closely tied to the quality and security of the training set. So the bigger questions are not about Copilot or any other specific tool but about AI-generated software code in general.

It's reasonable to assume Copilot is only the tip of the spear and that similar generators will become commonplace in the years ahead. This means we, the technology industry, need to start asking how such code is being generated, how it's used, and who will take responsibility when things go wrong.

**Satnav Syndrome**

Traditional code autocompletion that looks up function definitions to complete function names and remind you what arguments you need is a massive time-saver. Because these suggestions are merely a shortcut to looking up the docs for yourself, we've learned to implicitly trust whatever the IDE suggests. Once an AI-powered tool comes in, its suggestions are no longer guaranteed to be correct — but they still feel friendly and trustworthy, so they are more likely to be accepted.

Especially for less experienced developers, the convenience of getting a free block of code encourages a shift of mindset from, "Is this code close enough to what I would write" to, "How can I tweak this code so it works for me."

GitHub very clearly states that Copilot suggestions should always be carefully analyzed, reviewed, and tested, but human nature dictates that even subpar code will occasionally make it into production. It's a bit like driving while looking more at your GPS than the road.

**Supply Chain Security Issues**

The Log4j security crisis has moved software supply chain security and, specifically, open source security into the limelight, with a recent White House memo on secure software development and a new bill on improving open source security. With these and other initiatives, having any open source code in your applications could soon need to be written into a software bill of materials (SBOM), which is only possible if you knowingly include a specific dependency. Software composition analysis (SCA) tools also rely on that knowledge to detect and flag outdated or vulnerable open source components.

But what if your application includes AI-generated code that, ultimately, originates from an open source training set? Theoretically, if even one substantial suggestion is identical to existing code and accepted as-is, you could have open source code in your software but not in your SBOM. This could lead to compliance issues, not to mention the potential for liability if the code turns out to be insecure and results in a breach — and SCA won't help you, as it can only find vulnerable dependencies, not vulnerabilities in your own code.

**Licensing and Attribution Pitfalls**

Continuing that train of thought, to use open source code, you need to comply with its licensing terms. Depending on the specific open source license, you will at least need to provide attribution or sometimes release your own code as open source. Some licenses forbid commercial use altogether. Whatever the license, you need to know where the code came from and how it's licensed.

Again, what if you have AI-generated code in your application that happens to be identical to existing open source code? If you had an audit, would it find that you are using code without the required attribution? Or maybe you need to open source some of your commercial code to remain compliant? Perhaps that's not yet a realistic risk with current tools, but these are the kind of questions we should all be asking today, not in 10 years' time. (And to be clear, GitHub Copilot does have an optional filter to block suggestions that match existing code to minimize supply chain risks.)

**Deeper Security Implications**

Going back to security, an AI/ML model is only as good (and as bad) as its training set. We've seen that in the past — for example, in cases of face recognition algorithms showing racial biases because of the data they were trained on. So if we have research showing that a code generator frequently produces suggestions with no consideration for security, we can infer that this is what its learning set (i.e., publicly available code) was like. And what if insecure AI-generated code then feeds back into that code base? Can the suggestions ever be secure?

The security questions don't stop there. If AI-based code generators gain popularity and start to account for a meaningful proportion of new code, it's likely somebody will try to attack them. It's already possible to fool AI image recognition by poisoning its learning set. Sooner or later, malicious actors will try to put uniquely vulnerable code in public repositories in the hope that it comes up in suggestions and eventually ends up in a production application, opening it up to an easy attack.

And what about monoculture? If multiple applications end up using the same highly vulnerable suggestion, whatever its origin, we could be looking at vulnerability epidemics or maybe even AI-specific vulnerabilities.

**Keeping an Eye on AI**

Some of these scenarios may seem far-fetched today, but they are all things that we in the tech industry need to discuss. Again, GitHub Copilot is in the spotlight only because it currently leads the way, and GitHub provides clear warnings about the caveats of AI-generated suggestions. As with autocomplete on your phone or route suggestions in your satnav, they are only hints to make our lives easier, and it's up to us to take them or leave them.

With their potential to exponentially improve development efficiency, AI-based code generators are likely to become a permanent part of the software world. In terms of application security, though, this is yet another source of potentially vulnerable code that needs to pass rigorous security testing before being allowed into production. We're looking at a brand new way to slip vulnerabilities (and potentially unchecked dependencies) directly into your first-party code, so it makes sense to treat AI-augmented codebases as untrusted until tested — and that means testing everything as often as you can.

Even relatively transparent ML solutions like Copilot already raise some legal and ethical questions, not to mention security concerns. But just imagine that one day, some new tool starts generating code that works perfectly and passes security tests, except for one tiny detail: Nobody knows how it works. That's when it’s time to panic.

Are We Ready for AI-Generated Code?

The cybersecurity industry is facing a challenge to find qualified candidates. Here’s what recruiters, educators, and employers can do to fill the talent gap.

In today's cybersecurity space, there is a knowledge gap, with numerous cybersecurity positions going unfilled. As demand increases and talent lags, cybersecurity educators, recruiters, and employers alike are looking for more actionable solutions to collaborate and link talent to jobs. While the worker shortage continues to grow amid new demands, here is what organizations and educators alike need to understand to adapt and bridge the gap in the future.

**Challenges in the Current Cybersecurity Job Landscape**

Currently, there is an industrywide challenge to find qualified employees, as recognized by the Bureau of Labor and Statistics, which states a 37% projected growth rate of cybersecurity positions by 2030. Potential new hires are taking notice, as positions listed on job-posting sites, such as LinkedIn and Monster.com, continue to climb.

At the federal level, the government is treading water, at best, as they meet talent needs. Notably, the United States Army plans to double its active-duty cyber forces in size, to employ 6,000 active-duty military personnel by the end of this decade, drawing from all branches. At the state and local level, many parts of government are struggling to attract enough cybersecurity professionals. Meanwhile, bad actors continue to target organizations such as hospitals, government offices, public schools, law offices, and other entities to go after low-hanging fruit with ransomware attacks. Such attacks have recently spiked, and, as of last year, almost 60% of these organizations were attacked. In the private sector, geographic areas with relatively new tech hubs are struggling to find on-site talent, as many graduates are drawn to more established cities for the industry.

**Recruiters Aim for Higher Compensation and Better Incentives to Attract Talent**

Across the field, employers and recruiters are trying a variety of techniques to recruit cybersecurity professionals. In the private sector, many are luring new talent with the promise of bonus sign-on compensation and salary growth potential. Recruiters in the public sector, on the other hand, emphasize job security that comes with a government role.

Recently, however, the public sector has allocated more funding with plans to expand the US Cyber Command, creating more competitive salaries. In June, the Pentagon received $11.2 billion in funding for cyber for 2023 — jumping nearly $1 billion from the year prior. Increased funding will translate into increased compensation, making beginner federal positions very competitive compared with the private sector.

While public sector salaries climb at entry level, recruiters are still challenged to find candidates who can pass the extensive background checks and adhere to rigorous work and behavior standards required by the government and military. Private sector recruiters, by contrast, emphasize flexibility in the workplace to sway potential candidates — as many tech workplaces are celebrated for disrupting corporate social norms. To this end, the private sector is becoming more amenable to options such as remote work and flex scheduling, which is particularly important in geographic regions where there is a dearth of cybersecurity candidates.

**Cybersecurity Educators' Role in Educating New Talent for Recruiters**

Cybersecurity educators have a unique challenge to prepare students for challenges on platforms that are constantly evolving. Students need to see real-world applications of knowledge and skills to be set up for success. At American Public University System, where I instruct, we aim to equip tomorrow's cyber leaders with valuable knowledge that is relevant by offering a strong cyber-defense focused online curriculum at both the undergraduate and graduate levels.

As scholar-practitioners, we know what educational resources can best equip our students. Well-rounded curriculum for students should cover intrusion, incident handling, IT security, and digital forensics, and should integrate multiple disciplines to gain the critical skills and management practices needed to effectively lead missions in real time.

Given the national shortage in talent, it is also important educators provide accessible opportunities to welcome non-traditional learners into the fold — no matter their geographic location, age, or career history. There are always opportunities for real-world application. At the K-12 level, this may look like attending field trips or creating mock drills. At the undergraduate and graduate level, it may be partnerships and collaboration with employers — from career fairs to supervised internship programs — so students have a successful path in mind as soon as they begin meeting with recruiters.

Educators and recruiters alike recognize that the knowledge gap is not going away — and we are working to help address it with high-quality, accessible education for future cybersecurity professionals.

**About the Author**

    

Dr. Kenneth Williams is the Executive Director of the Center for Cyber at American Public University System. He is a retired US Army IT officer with 24 years of active service and seven years of federal service as a civilian for the US Army. Dr. Williams has a graduate and a PhD degree in Cybersecurity from Capella University and has focused intently on various aspects of cybersecurity to include compliance, governance, and other related aspects of cybersecurity mitigation.

The Future of Cybersecurity Recruiting: Lessons on What Employers Want and What Students Need

Fresh startup BoostSecurity has an SaaS platform for developers and security teams that provides automated tools to shore up cybersecurity within the software supply chain.

For organizations trying to quickly develop secure code, a software-as-a-service (SaaS) platform from BoostSecurity aims to provide automated tools and checks throughout the build, test, and release phases of that process — in order to prioritize security throughout the software supply chain. 

The startup emerged from stealth on Nov. 16 with $12 million in seed funding, led by Sorenson Capital.

In addition to misconfigurations and insider threats to compromised dependencies, BoostSecurity's platform will also help security and engineering identify and fix security issues with automated tools, according to a statement released by the new enterprise. 

**Different Approach**

The company's approach is different than what has been available before, BoostSecurity's CEO Zaid Al Hamami tells Dark Reading. Specifically, automated testing and continuous integration (CI) were once available only to companies that could afford to hire quality assurance teams to conduct manual testing.

"In the future, I believe that building secure software will be as pervasive as automated testing and CI is today," Al Hamami predicts. "That will happen when it becomes just as easy to use, and where the benefits to development teams become just as obvious." 

With headline-grabbing software supply chain cyberattacks becoming all too common, including the infamous SolarWinds compromise, shifting left to make security checks part of the entire software development cycle has become an increasing priority. BoostSecurity sees itself as offering automated DevSecOps tools to help. 

"Even with the increased awareness and the exploding industry around developer security, we believe that we are still in the early innings of a major transformation," Vidya Raman, partner at Sorensen Venture and lead investor in BoostSecurity, said in a statement about the company. "The world now knows how to ship high quality code, rapidly. The next challenge is continuing to do both, but much more securely."

BoostSecurity Emerges From Stealth With SaaS DevSecOps Platform

Be proactive about data defense. Start with the right data, leverage domain expertise, and create models that help you target the most critical vulnerabilities.

Ransomware is _still_ on the rise. What can we do about it? There are three things you need to consider right now.

First, some context: The pandemic is slowing down, so why aren't the attacks slowing down? The pandemic fueled a stratospheric rise in both the sophistication and volume of attacks as threat actors capitalized on the often-hasty shift to remote work. Suddenly, millions of devices and users were outside perimeters and in survival mode. Easy targets.

But that was then. The world has adapted to the Everywhere Workplace. Most companies have begun to get their proverbial feet under them. Digital transformation is accelerating, and companies are starting to adopt cybersecurity protocols that are more appropriate for the current landscape.

Surely, that's enough to stem the flow of ransomware attacks. Right? Well, apparently not.

**The Latest on Ransomware Threats**

In a just-released "Ransomware Report for Q2/Q3," Ivanti reports yet another increase in vulnerabilities. The highlights (or perhaps I should say lowlights):

As of the third quarter of 2022, there are a total of 170 documented ransomware families actively seeking to exploit vulnerabilities.

*   10 new ransomware families emerged over the past two quarters.
*   18 ransomware vulnerabilities are _missing_ from popular scanners.
*   Two new vulnerabilities are being effectively exploited by AvosLocker and Cerber ransomware.
*   706 vulnerabilities have become weaponized in the last two years alone.
*   A new weakness category (CWE) is contributing to ransomware vulnerabilities.
*   Despite the documented rise in ransomware vulnerabilities, there are still 124 vulnerabilities that haven't even been added to the CISA KEV catalog yet.
*   Healthcare, energy, and critical manufacturing are the worst-hit sectors, at a time when all three sectors are still reeling from the pandemic.

    

To date, there are 323 vulnerabilities tied to ransomware. However, CISA's KEV catalog is missing 124 of those. Organizations that continue to rely on traditional vulnerability management practices, such as solely leveraging public databases to prioritize and patch vulnerabilities, will remain at high risk of cyberattack. Source: Ivanti

You'd be forgiven if your eyes glazed over reading that list or looking at the graphic. It's a _lot_ to take in. And it's even more to combat.

**How to Combat Ransomware Right Now**

I promised three things to consider right now when it comes to combatting this overwhelming threat. To make them easier to remember, I call this list "The Three Ds."

**#1: Data**

**#2: Domain expertise**

**#3: Data modeling**

You can't patch everything. And you also can't patch what you don't know about. That's why _everything starts with data_.

Right now, defense tends to be static. Too often, it's a "set it and forget it" approach that is completely antithetical to the way threat actors operate. Threat actors are _not_ static, and neither should your defense be.

A clean and comprehensive data set, used the right way, lets you establish risk and security context.

How to do it? Don't wait for a vulnerability to be exploited. Every morning, look at your key risk indicators (KRIs) to get a sense of _known_ vulnerabilities and _known_ exploits (known/known). These are vulnerabilities that we can confirm are being used by threat actors. These early indicators are essential to get ahead of the game.

Fix known/knowns first. Once you've done that, _then_ you can look for vulnerabilities that have the potential and likelihood to be weaponized. How likely are they?

This timely information is critical. Risk context and security information make patch data sets (that often feel overwhelming) more approachable. Instead of scrambling to produce as many patches as possible, you can fix what matters.

Domain expertise turns raw data into something actionable. Anyone can look at a data set, and no matter how clean and comprehensive it is, if you don't have domain expertise, you'll still be making wild guesses. Domain expertise lets you be smart about risks and prioritization. Without understanding a threat actor's intent — an understanding that can only come with domain expertise — you're wasting your time.

Finally, while domain expertise is fundamental to putting effort in the right place, truly effective risk-based patch management is impossible without automation. No one, no matter how much expertise and data they have, can effectively manage all this manually.

Data modeling is the final key. It can dissect the data based on any number of factors, such as sector, geography, threat profile, etc. Instead of looking at the data one way, you can look at it 10 different ways without expending additional human cycles.

**Interdependent Protection Levels**

Here's the tricky part: each of these factors (data, domain expertise, data modeling) flow into each other. You can't pick and choose. They're interdependent. Effective data modeling and automation are not a replacement for domain expertise; they're _enabled_ by domain expertise. Lack of domain expertise means faulty models and faulty outputs. And again, without a clean and comprehensive data set, no amount of domain expertise will produce the right outcomes.

Start with the right data. Leverage domain expertise. And create models that help you target the most critical vulnerabilities.

Done well, this is a proactive and pain-free way to stay ahead of threat actors. Patch management and cybersecurity is too often _reactive_, but playing from behind is the biggest risk of all.

Threat actors are looking at their problem statement in a dynamic way, and they're reassessing constantly. Shouldn't you?

New Ransomware Data Is In: What's Happening and How to Fight Back

President Zelensky offers hard-won Ukrainian cybersecurity expertise to other countries that want to protect citizen populations.

Ukrainian President Volodymyr Zelensky spoke to the G20 Summit's "Digital Transformation" panel this week, offering the benefits of his embattled country's cyber-defense experience to G20-allied countries.

Zelensky noted that Ukraine's "IT army," made up of talent pooled from companies across the country, has successfully stopped more than 1,300 Russian cyberattacks over the past eight months of the Russian invasion. That experience, he said, offers lessons for protecting civilian populations from the kinds of brutal cyberattacks that have been leveled against his country as part of Russia's invasion.

For instance, after Russia destroyed a major data center in the country, Ukraine switched to the cloud, allowing it to build public registers and make payments to citizens effected by the war, he said. The country's Diia state site is operating and able to provide 100 contactless public services, including providing digital passports, accepting tax payments, and more, Zelensky said during his speech to the G20. 

"My good advice to you is to take Ukrainian defense experience in order to guarantee the safety of your people," Zelensky said. "Ukraine is willing to help. Our security experience is your security experience. And please remember that everything must now be considered from the point of view of security." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Ukraine's 'IT Army' Stops 1,300 Cyberattacks in 8 Months of War

A service that allows organizations to back up data in the cloud can accidentally leak sensitive data to the public Internet, paving the way for abuse by threat actors.

Legions of databases are being inadvertently exposed monthly, through a feature of an Amazon cloud-based data-backup service. The situation gives threat actors access to personally identifiable information (PII) that they can use in extortion, ransomware, or other threat activity, researchers have found.  

Amazon RDS is a popular platform-as-a-service that provides a database based on several optional engines, including MySQL and PostgreSQL. An RDS snapshot, or a storage volume snapshot of a database instance, is an intuitive feature that helps organizations back up their databases, allowing users to share public data or a template database to an application, researchers said.

The Mitiga Research Team recently discovered the leaks in the form of numerous Amazon Relationship Database Service (RDS) snapshots that are being shared publicly — whether intentionally or by mistake.

Over the course of one month, researchers said that they observed 2,783 RDS snapshots, 810 of which were exposed publicly during the entire time frame. Additionally, 1,859 snapshots of the 2,783 were exposed for one-to-two days, which is still enough time for attackers to pounce upon the leak, they reported.

Individuals within an organization also can share these snapshots with colleagues by using the feature without having to worry about user profiles or roles — a scenario that leads to the snapshot being shared publicly, researchers said.

"These snapshots can be shared across different \[Amazon Web Services\] accounts — in or out of the on-premises organization, as well as AWS accounts that make the RDS snapshots publicly available," researchers wrote. "With that, one might unintentionally leak sensitive data to the world, even if you use highly secure network configuration."

Some of the exposures last for months, and some for just a short period of time, in both cases potentially allowing threat actors to take advantage, they said in a blog post shared online Wednesday.

**Uncovering Cloud Misconfigurations & User Errors**

The exposure once again highlights the potential for exploitation of the fragile security posture of cloud-based services that allow for enterprise resources to be shared on the public internet, Mitiga researchers Ariel Szarf, Doron Karmi, and Lionel Saposnik noted in the post.

"Attackers are always looking for new ways to put their hands on confidential information of organizations, mostly for financial gain," they wrote. "Some cloud services that allow sharing cloud resources widely to the world \[are\] exposing a new threat to organizations — unintentional sharing of information through resources like disk snapshots (EBS), or in our case DB snapshots (RDS)."

To conduct their research, the Mitiga team developed a AWS-native technique, using AWS Lambda Step Function and boto3, that can easily be integrated into an AWS environment and customized to investigate snapshot exposure.

Unfortunately, attackers also can develop such a tool to view public snapshots and perform the same tasks, allowing them to steal data from these public-facing resources and abuse it later to extort money from organizations that own it, researchers said.

Researchers outlined several specific instances in which they could access data from exposed snapshots during a month-long investigation.

One was a MySQL database exposed for the entire month that that appeared to be from a car rental agency. Exposed data included information from car-rental transactions, including PII of customers; business-knowledge data such as the type of cars in the company's fleet; and other specific rental information.

Another snapshot exposed for less than four hours came from a database of a now-defunct dating application that included a user table containing emails, password hashes, birth dates, links to personal images, private messages, and other personal data of about 2,200 users of the app.

**No PII? Still a Problem**

Even if an RDS snapshot that's exposed publicly includes no PII, there is still a way for threat actors to find out who the database and thus its data belongs to, researchers said.

In their investigation, they were able to identify who owned account IDs for many snapshots by simply looking at the snapshot name and seeing the company name in it, they said.

Moreover, every snapshot metadata contains a field called "MasterUsername," which is the main database username, researchers explained. In many cases, that username includes either the name of the company that owns the database fully spelled out or identified in acronyms and shortcuts; or a name of a person working at the company, they said.

In the latter case, by using a method that they admitted was "a little creepy, but useful," researchers conducted LinkedIn searches to find out where the people identified in the username worked, noting that this is a method threat actors could employ to do the same.

**Mitigating the Problem**

As many organizations using Amazon RDS may not even know if they have public snapshots, identifying if there are any in their respective environments is the first step toward mitigating the issue, researchers said.

Helpfully, Amazon sends an email quickly to users if they share a snapshot publicly, notifying them about the public snapshot to ensure that it was intended to be publicly available. In the case of a test done by researchers, this email was received 23 minutes after exposure.

Researchers also outlined a step-by-step way to conduct a historical check using CloudTrail logs to discover if someone created a public snapshot that potentially can be abused.

To prevent the creation of public Amazon RDS snapshots at all, enterprises should manage permissions well by adopting a practice of "least-privilege permissions," giving them only on a strict, as-needed basis.

They also can set service control policies (SCPs), which are AWS organizational-level policies that can specify the maximum permissions for an organization, researchers said. Applying SCP on an AWS root account to deny certain operations on RDS snapshot will prevent unintended sharing of RDS DBs, they said.

Organizations also can encrypt snapshots in AWS using a KMS key, and researchers confirmed in their investigation that it's not possible to share a snapshot publicly encrypted in this way, they said.

One roadblock to mitigation is that currently there's no way to know if someone has copied a public snapshot of an Amazon RDS database, as there is no log event for copying a public snapshot to another account or restoring a database instance from another account in the snapshot owner's account, researchers said.

Mitiga approached AWS about the issue and, upon confirmation that "logging an RDS copy and restore operation is currently unavailable," made a feature request to support its addition to the platform, researchers said.

Thousands of Amazon RDS Snapshots Are Leaking Corporate PII

Embracing shared responsibility, Vectra MDR reinforces customers’ SOC teams with 24/7/365 skills and expertise to mitigate today’s most advanced cyber threats.

**SAN JOSE, Calif., Nov. 16, 2022** — Vectra AI, the leader in Security AI-driven hybrid cloud threat detection and response, today announced Vectra MDR global managed detection and response (MDR) services. Vectra MDR delivers the 24/7/365 cybersecurity skills needed to detect, investigate, and respond to threats where Vectra MDR analysts and customer security analysts work together inside the Vectra Threat Detection and Response platform to hunt, detect, prioritize, investigate, and respond to attacks in progress. Whether customers choose to augment or outsource their security operations, Vectra’s shared responsibility model ensures constant communication and collaboration between Vectra MDR analysts and customer analysts.

As attack entry points go beyond traditional networks and endpoints and into public clouds, SaaS applications and identities, security teams are challenged with defending an ever-expanding hybrid cloud attack surface. More evasive attackers and overwhelming security alert noise add to the challenge as attackers find new ways to infiltrate and progress inside an organization unnoticed. Vectra MDR harnesses **Security AI-driven Attack Signal Intelligence****TM** to automate threat detection, triage and prioritization for SOC teams, thus reducing alert noise, false positives, and analyst burnout. With Vectra MDR services powered by Attack Signal Intelligence, customer security teams have complete visibility and context for how an attack progresses through the cyber kill chain — ultimately stopping them from becoming breaches.

Experience recurring meetings where our security experts discuss customer-specific and global trends, security posture, and events in your network.

Vectra MDR Services empowers security teams in the following areas:

**Human intelligence that does not sleep**

24/7/365 eyes-on-glass service, with expertise in cloud, threat intelligence, and playbook design to proactively detect, prioritize, investigate, and stop attacks.

**Security team extension**

Vectra MDR is a security team multiplier, adding analysts to your team with expertise and insights gained from hundreds of customer environments.

**Vectra platform optimization**

Advice on best practices for integrating Vectra into existing workflows and processes, while ensuring deployments are always in tip-top shape and collecting the right data to provide the coverage needed.

“With the scale and sophistication of cyber threats on the rise, security teams are burdened with overwhelming alert noise and inadequate threat signals while attempting to defend expanding hybrid cloud attack surfaces,” said Kevin Kennedy, Senior Vice President of Products at Vectra. “Vectra MDR provides security teams with the resources they need to stop attacks 24/7/365 whether they just need our security analyst expertise to augment their security operations teams or to completely outsource detection and response. Vectra MDR along with Attack Signal Intelligence gives security teams both the threat signal needed to stop attacks and the resources and expertise required to stay ahead of attacks in today’s security operations centers.”

To learn more about Vectra MDR services and Vectra Attack Signal Intelligence, please visit:

*   **Vectra MDR page**: https://www.vectra.ai/products/mdr
*   **Vectra MDR solution brief**: https://info.vectra.ai/hubfs/Vectra-MDR-services-solution-brief.pdf
*   **Vectra MDR best practices**: https://info.vectra.ai/hubfs/Vectra-MDR-services-best-practises-guide.pdf
*   **Blog:** https://www.vectra.ai/blogpost/vectra-mdr-shared-responsibility-model
*   **YouTube video**: https://www.youtube.com/watch?v=eMqDACDwpYc
*   **Press release**: www.vectra.ai/news/vectra-unveils-global-mdr-services

**About Vectra**

Vectra® is the leader in Security AI-driven hybrid cloud threat detection and response. Only Vectra optimizes AI to detect attacker methods — the TTPs at the heart of all attacks — rather than simplistically alerting on "different." The resulting high-fidelity threat signal and clear context enables cybersecurity teams to rapidly respond to threats and stop attacks from becoming breaches. The Vectra platform and services cover public cloud, SaaS applications, identity systems, and network infrastructure — both on-premises and cloud-based. Organizations worldwide rely on the Vectra platform and services for resilience to ransomware, supply chain compromise, identity takeovers, and other cyberattacks impacting their organization. For more information, visit vectra.ai.

Vectra Unveils Global Managed Detection and Response (MDR) Services With Game-Changing Attack Signal Intelligence™

Additional functionality also added to the fourth-party risk solution is providing better visibility and insights into vendor risk.

**BOSTON, Nov. 16, 2022 /PRNewswire/** — BitSight, the Standard in Security Ratings, today announced that it has enhanced its Third-Party Risk Management (TPRM) platform to provide additional insights to customers, helping them to more proactively detect and mitigate vulnerabilities and exposure across their third-party vendor ecosystem. BitSight also expanded its Fourth-Party Risk Management solution to increase visibility into risk across an organization's extended supply chain and to help manage and prioritize mitigation efforts more efficiently.

Third-Party Vulnerability Detection helps organizations to uncover, attribute, and prioritize vulnerabilities and exposures. Risk managers can use these real-time insights to respond to major security events, and in their ongoing efforts to find and remediate threats within their vendor portfolio. These enhancements allow users to save time by prioritizing vendor outreach efforts, easily access critical vulnerability data, and build stronger vendor relationships through timely and evidence-based collaboration.

"When Zero Days and other major security events occur, organizations struggle to quickly understand, remediate, and report on their exposure," said Vanessa Jankowski, Vice President and General Manager of Third Party Risk Management, BitSight. "This new capability from BitSight enables organizations to uncover, prioritize, and respond to vulnerabilities and other exposure across their vendor ecosystem. With easy access to vulnerability data that scales across an entire third-party portfolio, customers can now take action on high-priority incidents quickly, while surfacing critical information to board members and executive-level stakeholders."

BitSight also announced that it has enhanced the fourth-party capabilities within its platform by providing critical data and insights to help customers gain better visibility into concentrated risk within their extended supply chain, and more easily communicate risk emanating from fourth-party service providers.

"Customers are trying to understand the state of cyber risk not only in their third-party portfolio but in their extended digital footprint," continued Jankowski. "We're seeing networks of fourth-party vendor relationships that are indirect and increasingly complicated, making it necessary to prioritize based on impact. BitSight's enhanced fourth-party risk management capability automatically discovers service providers and products in use across the extended ecosystem, surfaces areas of risk based on concentration and fourth-party security posture, and provides visibility into fourth-party security incidents. Together, customers can connect concentration risk and security risk, allowing them to prioritize across an extended network that often goes unmanaged."

BitSight provides a complete Third-Party Risk Management offering with solutions for continuously monitoring vendor security performance, measuring security controls, mitigating supply chain risk, and quantifying cyber risk for business leaders. In September, as part of its acquisition of ThirdPartyTrust, BitSight launched its new Vendor Risk Management product to help address the evolving needs of third-party risk managers and provide customers with the tools they need to successfully manage vendor risk in one place, from procurement all the way through the lifecycle of the vendor relationship.

**About BitSight**

BitSight creates trust in the digital economy and transforms how organizations manage cyber risk. The BitSight Security Ratings Platform applies sophisticated algorithms, producing daily security ratings that range from 250 to 900, to help organizations manage their own security performance; mitigate third party risk; underwrite cyber insurance policies; conduct financial diligence; and assess aggregate risk. With the largest ecosystem of users and information, BitSight is the Standard in Security Ratings. For more information, please visit www.bitsight.com, read our blog or follow @BitSight on Twitter.

SOURCE: BitSight

BitSight Enhances Its Third-Party Risk Management Platform to Help Organizations Respond to Major Vulnerabilities

Nova introduces innovations to help stop zero-day threats, simplify security architectures, and reduce the risk of costly misconfigurations.

**SANTA CLARA, Calif., Nov. 16, 2022 /PRNewswire/** — Cyber threats continue to increase in volume and complexity with threat actors developing new ways to avoid detection — including highly evasive malware. To help organizations outpace these evolving threats, Palo Alto Networks (NASDAQ: PANW), the global cybersecurity leader, today announced PAN-OS® 11.0 Nova, the latest version of its industry leading PAN-OS software, unleashing 50-plus product updates and innovations. Amongst them are the new Advanced WildFire® cloud-delivered security service that brings unprecedented protection against evasive malware and the Advanced Threat Prevention (ATP) service which now protects against zero-day injection attacks.

"We've observed a significant increase in unique malware samples  
over the last year along with an increasing level of malware  
sophistication. A new approach is required to detect this advanced  
malware," said Anand Oswal, senior vice president, Network Security, Palo Alto Networks. "PAN-OS 11.0 Nova is a leap forward in network security.  
It stops 26% more zero-day malware than traditional sandboxes; detects  
60% more injection attacks; simplifies security architecture; and helps  
organizations adopt cybersecurity best practices. The bottom line is  
that Nova helps keep organizations one step ahead of attackers."

**Security Against Zero-Day Threats**

**Advanced WildFire:** Modern malware is highly evasive and sandbox-aware. To solve this problem, sandboxes need to continuously evolve to thwart analysis-resistant evasion techniques. The new Advanced WildFire service builds upon its custom hardened hypervisor to introduce radical new capabilities, such as intelligent run-time memory analysis combined with stealthy observation and automated unpacking to stay hidden from malware and defeat advanced evasions. These new capabilities enable Advanced WildFire to stop more highly evasive zero-day malware than traditional sandboxes.

**Advanced Threat Prevention (ATP)**: The enhanced ATP service reimagines the intrusion prevention system (IPS) with industry-first inline capabilities for stopping zero-day injection attacks. Injection attacks — one of the top attacks on the OWASP "Top 10 Web Application Security Risks" list — attempt to push malicious code into a computing system by exploiting unpatched vulnerabilities in software. Such malicious code executes remote commands that lead to data loss or full system compromise.

To protect against such injection attacks, ATP deep-learning models have been built on high fidelity telemetry data across tens of thousands of exploited vulnerabilities over the last decade. Internal testing has shown that the enhanced ATP service detects 60% more zero-day injection attacks that traditional solutions miss.

Nova not only sets up the foundation for modern day network security by continuously protecting against zero-day threats but also raises the bar for how organizations can proactively improve cyber hygiene and simplify security architectures. In addition to Advanced WildFire and Advanced Threat Prevention, notable innovations in the Nova release include:

**Simplified and Consistent Security**

**Web Proxy Support:** For customers who need to run explicit proxies in their network due to network architecture or compliance requirements, Nova introduces natively integrated proxy capabilities for Palo Alto Networks NGFWs helping to secure Web as well as non-Web traffic. Now Palo Alto Networks NGFWs and Prisma® Access support web proxy, allowing customers to deploy consistent network security across campus locations, branches and mobile users, all managed centrally.

**Integration of Next-Generation CASB:** Palo Alto Networks Next-Generation Cloud Access Security Broker (CASB), natively integrated with Nova and Prisma SASE, now includes all-new SaaS Security Posture Management (SSPM) to help find and eliminate dangerous misconfigurations in 60-plus enterprise SaaS apps. Next-Generation CASB now also has support for near-real time data protection in modern collaboration apps and suspicious user behavior detection, which helps to protect sensitive data in modern SaaS apps from compromised accounts and insider threats.

**Stronger Cyber Posture**

**AIOps:** Palo Alto Networks AIOps helps reduce misconfigurations that can lead to security breaches. AIOps, launched earlier this year, now processes 29B metrics every month across 50,000 firewalls, and proactively shares 24,000 misconfigurations and other issues with customers for resolution every month. With Nova, AIOps is even more proactive. AIOps now guards against violations of best practices and enables remediation of inefficiencies in security policies before committing changes, helping organizations strengthen defenses against cyberattacks.

In addition to all the PAN-OS software updates, a new set of 4th-generation ML-Powered NGFWs bring these new capabilities to branches, campus locations and data centers at up to 5x higher performance compared to the previous generation. The new hardware firewalls also bring the flexibility of fiber and Power over Ethernet (PoE) to small branches.

**PA-445 and PA-415 for small branches**: The PA-445 and PA-415 bring the flexibility of fiber and PoE ports to distributed enterprises and small and medium businesses. PoE powers downstream devices such as access points, IP cameras, and IP phones without the need for additional electrical circuits.The PA-445 and PA-415 also bring improved resiliency with dual power supplies and fanless cooling.

**PA-1400 Series for large branches**: The new PA-1400 Series offers up to 5x performance and up to 7x the session capacity compared to the previous generation. The PA-1400 Series is ideal for protecting large branch locations and small enterprise campuses, with support for PoE and fiber ports.

**PA-5440 for large campus locations and data centers**: We are launching the highest performing fixed-form factor in 2RU, the PA-5440. This platform offers 2x the performance of the previous generation PA-5260, and is ideal for protecting large campus locations and data centers.

"Attackers continue to develop new ways to evade traditional defenses, while security teams struggle to defend organizations with point solutions that are complex to deploy and operate," said John Grady, ESG senior analyst. "Palo Alto Networks PAN-OS 11.0 Nova addresses these critical challenges by stopping zero-day threats in real-time, simplifying security architectures, and improving cyber hygiene."

**Availability  
**PAN-OS 11.0 and most of the security services will be available in November. New ML-Powered NGFW platforms will be available in December, and SSPM will be available on the NGFW platforms in January. Most security services, including Advanced WildFire, will be compatible with previous versions of PAN-OS.

**Additional Resources**

*   Follow Palo Alto Networks on Twitter, LinkedIn, Facebook and Instagram
*   Launch event

**About Palo Alto Networks  
**Palo Alto Networks is the world's cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we're committed to helping ensure each day is safer than the one before. It's what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2022), Comparably Best Companies for Diversity (2021) and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

_Palo Alto Networks, Prisma, PAN-OS and the Palo Alto Networks logo are registered trademarks of Palo Alto Networks, Inc. in the United States and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available._

SOURCE: Palo Alto Networks, Inc.

Source

DARKReading