Artificial Intelligence Cybersecurity

We as Cybersecurity practitioners must use the best tools we can find. So if AI(Artificial Intelligence) can help us we need to use them.

Of course we have to use real AI tools, not old tools renamed “AI” to sell more software for a little bit of time.

What is the definition of AI ?  a machine software (i.e. no human modification) that imitates human behavior. Or a branch of computer science dealing with simulation of intelligent behavior in computers.

So a true AI Cybersecurity is a program running attack or defense for the network or computer without human interaction.

What in today’s environment shows small views of intelligence? Bots and viruses of course.

 

It is also my opinion that future AI will first come as more sophisticated “Bots” or infectious software:

SCMagazine story: “Cryptominer campaign leveraging Oracle bug spreads worldwide via multiple infection tactics”

Again this affected entities that did not patch their PeopleSoft HR and Oracle E-business Suite software.

NIST explanation of CVE-2017-10271:

What makes this vulnerability bad is that it is a remote execution vulnerability.  “Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.” (from NIST link).

So if an AI program can program itself to infect and take over other machines to both infect other machines and perform other goals (like mine crypto currencies the latest actions in this exploit for example) then it is easily done when people find ways not to patch their software.

Image example of CVE-2017-10271 as it was found

The key is to patch your machines, and we have to develop “Blue team” AI first in this  coming “AI war”

To be a bit clearer (as mud I am sure) As someone programs an attack program to do the 3 things mentioned:

  1. Find vulnerability
  2. Exploit vulnerability  and make money with cryptocurrencies on your machines.
  3. Propagate the program as much as possible

So the future in AI (the real scary part) is when a truly non-human fully automated attack program does all 3  items and improves. The danger in how it will act is still not fully realized yet. I.e. we are not sure how bad it will get.

The important piece of this puzzle is the exponential level of improvement a fully electronic AI could do.

Some people have talked about the ‘singularity’ moment when an AI will have more capabilities than a human brain(supposedly sometime in 2020s).

 

What about a Cybersecurity ‘singularity’ moment? When a improving attack program starts to improve so fast that it morphs into something that is difficult to stop.

Contact me to discuss

 

 

Test your network by Bloodhound

Which Bloodhound might you ask?

No not the Dog…

But the following program in Kali Linux:

Just a slightly different picture and meaning.

Cobaltstrike has tested with it and this is his explanation:

“BloodHound is a tool to analyze and understand Active Directory Trust Relationships. For an offensive practitioner, this tool can highlight the hops you might take to reach a goal within a network. For a defensive practitioner, this tool is gold as it can show you the most likely paths an attacker might take. It’s a good exercise to decide which of these trust paths needs to exist and which you can eliminate.”

Once setting up Bloodhound and Neo4J (used to create a graphical representation) you can then review your users in Active Directory. what is the most important attribute of your users in Active Directory?  Permissions. What can a user access with their permission?

“Defenders think in lists.

Attackers think in graphs

As long as this is true attackers will win “

John Lambert quote , he is with Microsoft Threat Intelligence.

 

What is going to happen is what is called as an Identity snowball attack.  We want to learn what users have privileges that allow us to gain more privileges.

The following images are from a youtube video of Andy Robbins, Will Schroeder, and Rohan Vazarkar – six degrees of Domain Admin

In Bloodhound: Vertices represent individual elements of a system (uses, groups, computer, domain)

Edges: generically represent relationship between vertices( group membership, admin rights, user session, domain trusts)

paths point toward escalating rights – always(compromising a system or user).

 

So the idea is to find users that lead you to domain admin user accounts or their privileges.

Powerview is also useful ( a pure PowerShell v2.0+ domain/network situational awareness tool… Which bloodhound is built upon.  With this tool bloodhound can collect data and does not need elevated privileges for collection methods.

  • Invoke-UserHunter
    • Get-NetSession sessions w remote user
    • Get-NetLoggedOn/Get-LoggedOnLocal – who is looged on to what machine.

Who can admin what?

We can enumerate members of a local group on a remote machine without admin privilieges

  • The WinNT service provider or NetLocalGroupGroup-ComputerName IP [-API]
  • GPOs can set local admins
  • GPOs are applied to OUs/Sites
    • correlation is equal to local admin information through communication with a DC
  • PowerView
    • Find-GPOLocation
  • Who is in What Groups
    • Get-NetGroup| Get-Netgroupmember

Instead of doing these commands manually via PowerView, Bloodhound does it graphically.

Here are 2 examples from the youtube video:

I believe this is test data, but from a large environment (200k computers) so there were a few large graphs. The 2 examples I chose from video are groups and certain users, computers broken out. The key is one can find a few specific computers and users that one has to infiltrate to then quickly get domain admin access. I.e. Identity snowball attack.

 

This tool is worth the time to learn and understand to make sure your environment is not easy to escalate and take over.

Contact Us to discuss.

 

Trust Issues in Security

Who do I trust when dealing in Security?

(definition of ‘trust’ from Google)

First impressions count – remember what everyone says…

But Wall Street Journal story “The Mistakes You Make In a Meeting’s First Milliseconds” has a communications coach saying that you should not always trust your first impressions. And there is a way to repair a potential impression made.

With data and computer networks in a corporate setting we are dealing with a different trust relationship than personal relationship trust.

  • Data Trust — Local network trust, cloud network trust, hybrid cloud(a local and cloud solution) The data is trusted to be unchanged or changeable depending on access levels. Where data is located and how it is managed makes a difference.
  • Employees — Some employees should not have access to finance or computer administrative functions. It is a security failure to give too much access to employees even though it may make function easier in short run.
  • Machines-IoT — Unfortunately even machines need some access, depends on the automated process, and this area will get trickier as more AI(Artificial Intelligence) becomes prevalent.
  • Vendors — Sometimes need special areas of access, but not too much.
  • Offboarding-Onboarding – When new employees are brought on and old employees removed from the systems we need to have our systems in place.
  • Friction  —  Everything we do is not always 100% accurate, so we must prepare for the times of inaccuracy.  Bad weather happens, storms come and go, so do errors.

 

It is the job of the Security professional to lead a company into defining data security and preservation needs.

We can help with this security issue of utmost importance. It includes compliance where in HIPAA privacy of patient records are paramount, and in PCI standards where no Credit Card information numbers are allowed to be stored without encryption, and preferably not stored at all.

There are other aspects of trust – government trust,  currency trust, physical security trust, and personal trust (spouse, family, and friend).

What I want to say in this space is that cybersecurity actually affects all trusts, and the new Cryptocurrency  is upending some of the government and currency trusts. Although Cryptocurrencies are interesting as to how they create trust, as the trust is not in a central bank (or the government) but in individual decentralization trust.

One thing is obvious in 2018 and beyond we will be using digital means and will affect our lives more than ever. So get cracking … fix your Cybersecurity now, before the hackers review it first.

Contact US to review your situation.

 

Risk Management Should Be: Known Threats Evaluated – Find Unknown Threats

It is a known fact that Risk management looks in the known facts department.  As we try to evaluate what issue to focus on.

Nowhere is this Security as last point of order more evident than in the Cryptocurrency markets being created with ICO’s (Initial Coin Offerings).

You would think that when setting up an ICO which is based on a Cryptological currency the security of the venture would not be an afterthought. But it apparently was several times as stated in ZDNet article  Cryptocurrency Catastrophes of 2017.

wallet addresses were changed on websites and million$ were stolen in the form of ethereum coins.

I am not interested in the Cryptocurrency market, but am interested in human psychology and efforts. In this new field it apparently does not dawn on many CEO’s of these new entities that security should be a central tenet in their business model. Especially since their venture is completely digital, i.e. constructed in a computer.

We as humans have a hard time with focusing on security. As it is hard enough to create an ICO and a cryptocurrency so when it is time to develop the website to sell  or manage cryptocurrencies the security is an afterhought?

Why are we always behind?

  1. July – Coindash ICO $7.4mil stolen
  2. Veritaseum’s ICO $8mil stolen
  3. Parity  wallet  $30mil stolen
  4. November: Tether $30.9 mil stolen
  5. User found vulnerability and exploited it thus freezing $160 mil in funds.

There were a bunch of scams as well, but those I am not interested in. So $76mil were stolen and $160mil frozen due to a lack of preparedness and misunderstanding of Cybersecurity.

Why is it we always focus on cybersecurity after something happens? After an issue occurs, thus making it known.

 

The problem we have in Cybersecurity is to focus a little bit of our time and effort before known issues come into being.

Contact Me to discuss this in detail as we can forge a path forward in this new digital age.

 

 

Patch Tuesday: Keep in Mind X, Y, and Z

Jan 9th was patch Tuesday: the day Microsoft designed to accumulate patches and release them on a regular basis with some kind of schedule.

Otherwise patches would be released whenever problems are solved. So this would be good in some ways(why not resolve problems as soon as practical) but the problem is this release schedule of releasing 1 or 2 patches every few days would make IT planning a mess.

As it is new critical problems may get release on an out of band release date. Such as a different  date as the second Tuesday of he month. (Like this month’s CPU bug released on Jan 3rd)

So we have a set schedule now of a number of accumulated patches which we can schedule around.

Trend Micro said Out of band patches were released by Microsoft January 3rd.

TrendMicro security update summary   

Kaspersky lab security update compatibility summary

Microsoft January 2018 security updates release notes date 1/9/18

“Meltdown” CVE-2017-5754 CVE – Common Vulnerabilities and Exposures

“Spectre” CVE-2017-5753 & CVE-2017-5715

***UPDATE – 1/12/18***

Intel has issued patches at it’s download center

AMD also on its official response

 

I have reviewed CVE before on this blog: http://oversitesentry.com/hackers-please-attack-us/

There are hundreds of CVE’s per year – so this is just the beginning for this year – prepare for a long year of patching.

CVE-2018-0797 is also a bad CVE as it is a Microsoft Word Critical vulnerability with remote code execution, so you have to update Office as well.

Keep in mind, you are not just patching the CPU bug this month, also Office bugs/vulnerabilities and others (including Adobe Flash) it is called the APSB18-01 vulnerability.

Keeping in mind all software may get security or other bugs and then you should update. This process of updating on a consistent basis needs to be planned

X: 2nd Tuesday of month releases most patches – plan for testing and subsequent weekend patch updates on production systems.

Y: Out of band critical releases may disrupt this schedule, so always have a few days available for critical vulnerabilities

Z: Do not forget Office and other applications that users use, these applications are usually in the 2nd Tuesday of month release.

 

Always look for remote execution vulnerabilities first.

I decided to pick out the remote code exec  in a spreadsheet initially created by Ghacks.net

Notice, most of the remote code execs are from Office, there are a couple for Share Point server

Create your own security policy and timeline to patch – contact us to help you design what is right for your circumstances.

 

Updated 1/12/18 to add latest Intel and AMD information