Month: February 2024

Categories
AI Security

Tackling the Rise of Shadow AI in Modern Enterprises

Understanding the Shadow AI Phenomenon 

Shadow IT has been a persistent challenge for CIOs and CISOs. This term refers to technology utilized within an organization without the explicit approval of the IT or security departments. Recent data from Gartner indicates that in 2022, a staggering 41% of employees engaged in the acquisition, modification, or creation of technology outside the purview of IT. Projections suggest this figure could soar to 75% by 2027. The primary concern with shadow IT is straightforward: it’s nearly impossible to safeguard what remains unknown. 

In a parallel development, the AI landscape is witnessing a similar trend. Tools like ChatGPT and Google Gemini are becoming popular among employees for task execution. While innovation and adaptability are commendable, the unchecked use of these tools, without the knowledge of IT or security departments, poses significant information and compliance risks. 

Why Employees Gravitate Towards AI Tools 

Generative AI, machine learning, and expansive language models have transformed the way we work. These technologies offer: 

  • Enhanced Process Efficiencies: AI can automate repetitive tasks, streamline workflows, and reduce time to delivery. 
  • Boosted Personal Productivity: With AI’s assistance, employees can focus on more strategic tasks, fostering creativity and innovation. 
  • Improved Customer Engagement: AI-driven tools can personalize customer experiences, predict trends, and enhance overall satisfaction. 

Balancing Innovation with Security 

The challenge for organizational leaders is twofold: ensuring that employees can harness their preferred AI tools while simultaneously mitigating potential security threats. Here are some strategies: 

  1. Establish Policy
  • Identify Regulations: Many companies are subject to consumer privacy laws, determine what is permitted based on the client’s or customer’s location. 
  • Catalog Contracts: Often our clients have requirements in contracts that dictate how we can, or cannot, use AI in how data is processed. 
  1. Educate and Train
  • Awareness Campaigns: Launch initiatives to educate employees about the potential risks associated with unsanctioned AI tools and encourage collaboration on approved usage. 
  • Training Programs: Offer regular training sessions on the safe and responsible use of AI, including what types of data are permitted. 
  1. Implement Robust Security Protocols
  • Regular Audits: Conduct frequent IT audits to detect and address unauthorized AI tool usage. 
  • Advanced Threat Detection: Employ sophisticated AI-driven security solutions to identify and counteract potential threats. 
  1. 4. Promote Approved AI Tools
  • Internal AI Toolkits: Create a suite of organization-approved AI tools that employees can safely use. 
  • Feedback Mechanisms: Establish channels for employees to suggest new tools, fostering a culture of collaboration and trust. 

The Way Forward 

While the allure of AI is undeniable, it’s crucial for organizations to strike a balance between innovation and security. By understanding the motivations behind shadow AI, enterprises can create an environment where technology augments human capabilities without compromising safety. 

Conclusion 

The rise of shadow AI underscores the rapid evolution of technology in the workplace. By adopting a proactive approach, organizations can harness the power of AI while ensuring a secure and productive environment for all. 

Categories
General Cyber and IT Security

Decoding Digital Dangers: Common Cybersecurity Threats Explained – Part 2

Security should be a lifestyle and not just a “To-Do” list. As a Cybersecurity Professional myself, I cannot preach enough about the importance of Layered Security. No matter how big or small your environment, remember that even David took down a GIANT with a slingshot and pebble. Threats in our industry are diverse and dangerous. Staying ahead of the curve is no walk in the park and that is why a series of this magnitude is important for proactive reasoning.

In the first installment, we briefly covered threats such as Phishing (BEC Attacks), Malware Attacks, and Insider Threats. In this second installment, we will dive into Ransomware Attacks, Distributed Denial of Service attacks, and Zero-Day Exploits.

4. Ransomware Attacks:

Ransomware involves the encryption of a victim’s data by an attacker, who then demands a ransom in exchange for the decryption key. The impact of ransomware attacks ranges from financial loss to severe disruption of operations. This form of attack is huge in critical sectors such as healthcare, finance, and government.

Motions to Mitigate:

Mitigation against Ransomware attacks can consist of:

· Endpoint Security: Install and regularly update endpoint security software to detect and prevent malicious software from running on a user’s device.

o Some popular Endpoint Detection and Response solutions include Microsoft Defender for Endpoint, VMware’s Carbon Black, and CrowdStrike Falcon Platform.

o If Endpoint Security is something your company is interested in implementing, SecurIT360 would love to assist you on this journey through our SOC services.

· User Behavior Analytics: Using user behavior analytics tools to identify deviations from normal user behavior can help detect compromised accounts more efficiently.

o This can be achieved through SecurIT360’s 24/7/365 security operations center, which provides real-time monitoring through utilization of MDR and EDR solutions.

· Disable Unnecessary Services: Disabling or restricting services and features that are not essential for business operations can prevent Ransomware from exploiting these services.

· Network Segmentation: Segmenting your network to isolate critical systems and data from the rest of the network can help contain the spreading of ransomware.

· Backup and Disaster Recovery: Regularly backing up critical data and systems to offline or secure locations is another helpful tip. Ensuring backups are not accessible from the network and testing data recovery procedures can go a long way when ensuring you can restore your systems in case of an attack.

· Patch and Update Software: Keeping operating systems, software, and applications up to date with the latest security patches will combat and address vulnerabilities that ransomware may exploit.

5. Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks:

DoS and DDoS attacks aim to make a network, service, or system unavailable to its intended users. This type of attack is aimed to hinder the “A”, availability, within the CIA (Confidentiality, Integrity, and Availability) triad. This is achieved by overwhelming the target with a flood of internet traffic that the target was not built to withstand. In a DDoS attack, the attacker uses multiple compromised computers (Botnets) as sources of traffic, making these attacks particularly challenging to mitigate.

Motions to Mitigate:

A few ways to mitigate this are by implementing Distributed Traffic Filtering, Content Delivery Networks, and Geographic Blocking in your environment. Other forms of DOS/DDOS mitigation consist of:

· IP Reputation Lists: Utilize IP reputation lists and databases to block known malicious IP addresses and networks. This should be updated quarterly due to the frequency of IPs switching hands or ISPs (Internet Service Providers).

o We know that this can become quite a task but our Security Operations Center can help relieve this pressure through our managed firewall services.

· Network and Server Redundancy: Build redundancy into your network and server infrastructure to ensure that a failure in one component does not result in a complete service outage.

· Intrusion Prevention Systems (IPS)/Intrusion Detection Systems (IDS): Deploy IPS solutions to detect and block malicious traffic and behavior at the network level.

o The SecurIT360 SOC Team can assist with detecting malicious activity through our MDR solutions and blocking known malicious with some of our other managed services (EDR, Managed Firewalls, etc).

· Black Hole Routing (BGP Sink holing): Configure your network to use black hole routing to discard malicious traffic. BGP sink-holing can redirect DDoS traffic to a “black hole” where it is discarded.

6. Zero-Day Exploits:

A zero-day exploit targets a software vulnerability that is unknown to the software’s developer. The term “zero-day” refers to the fact that the developer has zero days to fix the vulnerability once it becomes known. This method is one of the most dangerous to defend which is why organizations need to have a more proactive approach rather than reactive when regarding this subject.

Motions to Mitigate:

· Advanced Threat Detection Solutions: Deploy advanced threat detection solutions that can identify zero-day attacks based on abnormal behavior and anomaly detection.

· Application Security Testing: Conduct regular security assessments, including penetration testing, to identify and address potential weaknesses in your applications and systems.

o If a Pentest is something your organization is interested in having conducted, contact SecurIT360’s Offsec Department to set up an engagement.

· Behavior-Based Analysis: Employ behavior-based analysis tools that can detect unusual or malicious behavior on endpoints and networks. Zero-day exploits often exhibit abnormal patterns.

o This can fall under the umbrella of EDR services. Detecting User/Behavior-Based Analytics to determine your environment’s baseline behaviors in comparison to anomalies is something SecurIT360’s SOC works with daily.

· Threat Intelligence Sharing: Participate in threat intelligence sharing communities and organizations to stay informed about the latest threats, including zero-day vulnerabilities.

· Sandboxing: Use sandboxing techniques to run potentially risky or untrusted code in an isolated environment, preventing it from affecting the rest of the system.

· Vulnerability Management: Proactively discover and mitigate weaknesses in your systems before attackers can exploit them. This includes software, hardware, and even human behaviors.

o SecurIT360’s ISSO department specializes in internal scan assessments.

o SecurIT360’s Security Operations Center services include External Scan Assessments monthly or per request.

As you can see, there are many threats in our industry and the need for persistent protection is constant. My goal for this second installment was to provide easily digestible information on some common threats Cybersecurity Professionals like myself witness on a day to day.

If you have enjoyed this second installment of the Decoding Digital Dangers: Common Cybersecurity Threats Explained series, be sure to go back and check out Part 1 as well.

Additionally, If your company needs expert cyber security and IT services for ongoing risk management and operational excellence, such as SOC services, please contact us here at SecurIT360 to be of assistance: Contact – SecurIT360.

Categories
AI Security

AI Security 101: Addressing Your Biggest Concerns

Understanding the Landscape of AI Security

In today’s digital age, Artificial Intelligence (AI) has become an integral part of our daily lives. From smart home devices to advanced medical diagnostics, AI is revolutionizing industries and improving user experiences. However, with the rapid adoption of AI technologies, security concerns have become paramount. As we integrate AI into critical systems, ensuring the safety and integrity of these systems is of utmost importance.

The Main Concerns in AI Security

1. Data Privacy and Protection

AI systems rely heavily on data. The quality and quantity of this data determine the efficiency of the AI model. However, this data often includes sensitive information, which, if mishandled, can lead to significant privacy breaches. Ensuring that data is minimized, collected, stored, and processed securely is crucial.

2. Adversarial Attacks

These are sophisticated attacks where malicious actors introduce slight alterations to the input data, causing the AI model to make incorrect predictions or classifications. Such attacks can have severe consequences, especially in critical systems like autonomous vehicles or medical diagnostics.

3. Model Robustness and Integrity

Ensuring that an AI model behaves predictably under various conditions is vital. Any unpredicted behavior can be exploited by attackers. Regular testing and validation of AI models can help in maintaining their robustness and integrity.

4. Ethical Concerns

As AI systems make more decisions on our behalf, ensuring that these decisions are ethical and unbiased becomes crucial. Addressing issues like algorithmic bias is essential to build trust in AI systems.

Best Practices in AI Security

1. Enable AI Usage

Establish controls with policies and procedures on when AI usage is permitted, how to onboard AI tools and when they can be used. Document all approved systems so there is a clear understanding of where your data is.

2. Secure Data Management

Always encrypt sensitive data, both at rest and in transit. Employ robust access controls and regularly audit who has access to the data, where the data resides and how long the data is stored. Ensure compliance with data protection regulations both contractually and regulatory.

3. Regularly Update and Patch Systems

Just like any other software, AI systems can have vulnerabilities. Regular updates and patches can help in fixing these vulnerabilities before they can be exploited.

4. Employ Defense-in-Depth Strategies

Instead of relying on a single security measure, use multiple layers of security. This ensures that even if one layer is breached, others can still provide protection.

5. Continuous Monitoring and Anomaly Detection

Monitor AI systems in real-time. Any deviations from normal behavior can be a sign of a potential security breach. Immediate action can prevent further damage.

6. Educate and Train Teams

Ensure that everyone involved in the development and deployment of AI systems is aware of the potential security threats and knows how to address them.

The Future of AI Security

As AI technologies continue to evolve, so will the security challenges associated with them. However, by being proactive and adopting a security-first approach, we can address these challenges effectively. Collaborative efforts between AI developers, security experts, and policymakers will be crucial in shaping a secure AI-driven future.

In conclusion, while AI offers immense potential, ensuring its security is paramount. By understanding the challenges and adopting best practices, we can harness the power of AI while ensuring the safety and privacy of users.

Categories
General Cyber and IT Security

Decoding Digital Dangers: Common Cybersecurity Threats Explained – Part 1

Have you heard the phrase “Don’t bring a knife to a gunfight”? Well, this phrase holds the same truth within the realms of modern cybersecurity. There are a wide range of dangers in our industry and one must know what they are, to properly prepare for the battle against these. The sheer volume of these risks alone should emphasize how critical it is to comprehend them while also developing mitigation solutions.

One might ask, well what are a few common threats that we as cybersecurity professionals should look out for in this constantly changing digital environment? This series was created to highlight just that. In this first installment, we will cover Phishing (BEC Attacks), Malware Attacks, and Insider Threats.

  1. Phishing Attacks:

Phishing attacks are the most common form of cybersecurity threats. This is where an attacker masquerades as a legitimate entity to “reel” victims into revealing sensitive data such as usernames, passwords, and credit card information. Phishing attacks often take the form of emails, website pop-ups, or text messages. Which stresses the importance of always verifying that you are communicating with whom the entity states they are.

Once a successful Phishing Attack has occurred this can lead to a Business Email Compromise or BEC for short. As Cybersecurity professionals we must empower ourselves against BECs. Implementing the following recommended strategies can assist in strengthening your cybersecurity posture:

Motions to Mitigate:

A few ways to stay proactive against Phishing attempts are:

  • User Education and Training: Provide regular cybersecurity training and awareness programs to educate users about the risks of phishing.
    • The SecurIT360 SOC Team can assist with this through our KnowBe4 managed services. Through this service, we can set up Phishing Simulations along with Awareness Training.
  • Email Filtering and Authentication: Implement email filtering solutions to block or flag potential phishing emails before they reach users. Configure email authentication protocols like DMARC (Domain-based Message Authentication, Reporting, and Conformance) to verify the authenticity of incoming emails.
  • Multi-Factor Authentication (MFA): Enforce MFA for email and other critical accounts. Even if a phishing attack results in stolen credentials, MFA can provide an additional layer of security.
    • SIEM and MDR services can even help to identify and respond to suspicious MFA activity. These services can collect and analyze logs from a variety of sources, including MFA devices, applications, and servers. This data can be used to identify patterns of behavior that may indicate an attack, such as MFA Bombing, logins sourced from known malicious IPs, and logins originating from non-approved countries.
    •  As a SecurIT360 SOC MDR client, we can add this particular log source type in our SIEM solution to best accommodate your environment’s real-time monitoring.
  • Phishing Simulations: Conduct phishing simulations and tests within your organization to assess user awareness and response. Use the results to tailor training and awareness efforts.

Additional helpful articles for improving awareness of BEC attacks/Phishing:

  1. Malware Attacks: 

Malware, short for malicious software, refers to any software designed to damage or disrupt a computer system. Types of malware include viruses, worms, Trojans, spyware, and adware. Malware attacks typically involve the installation of this malicious software onto a victim’s device without their knowledge, leading to data loss or theft. Another way Malware can be downloaded unknowingly is by clicking unfamiliar links such as from a Phishing email. This illustrates how some of these attacks can be combined to get what the Threat Actor is after.

Motions to Mitigate:

Malware can be a pest but implementing the following can assist in reducing the appearance in your environment:

  • Application Whitelisting: Implement application whitelisting, which allows only authorized and known applications to run on endpoints. This can prevent unapproved applications, including malware, from executing.
  • Network Monitoring and Alerting: Implementing network monitoring tools to detect unusual network traffic and behaviors that may indicate a malware infection can be helpful.
    • The SecurIT360 SOC Team can assist with this through our 24/7/365 operations of real-time monitoring and utilization of MDR and EDR solutions.
      • Through our EDR services, we can detect User Behavior Analytics to assist with determining baseline behaviors in comparison to anomalies.
  1. Insider Threats: 

Insider threats involve cybersecurity threats that originate from within an organization. These can be intentional – for instance, a disgruntled employee causing harm – or unintentional, such as an employee unknowingly clicking on a phishing link or accidentally uploading sensitive login credentials of your company’s own infrastructure on a site like GitHub (In reference to: https://www.vice.com/en/article/m7gb43/microsoft-employees-exposed-login-credentials-azure-github

Motions to Mitigate:

  • Least Privilege Access: Limit user and system access to only the resources and data required for their tasks. This principle minimizes the potential impact of a ransomware infection.
    • A great way to test your current Access Controls is by performing a Pentest. It is recommended to get a Penetration Test done once to twice a year at a minimum. If a Pentest is something your organization is interested in having conducted, contact SecurIT360’s Offsec Department to set up an engagement.
  • Data Loss Prevention (DLP): Use DLP solutions to monitor and prevent the unauthorized transfer or leakage of sensitive data. This can help prevent both accidental and intentional data breaches.
  • Secure Offboarding: Ensure that when employees leave the organization, their access is immediately revoked. This includes disabling accounts, collecting company-owned devices, and updating access control lists.
  • Data Access Auditing: Implement auditing and logging for data access to track who accessed sensitive data and when.
  • Secure Mobile Device Management (MDM): Manage and secure mobile devices that employees use for work, including the ability to remotely wipe devices in case of loss or theft.

All mitigation strategies require a comprehensive approach that includes a combination of technology, user education, and proactive security measures. By implementing these practices, your organization can significantly reduce its vulnerabilities and minimize potential damage.

One takeaway is the mantra of the “12 P’s”:

“Positive Proper Preparation Prevents Piss Poor Performance; Piss Poor Performance Promotes Pain” and we don’t want your organization to experience the pain of improper preparation.

Understanding the common cybersecurity threats listed in this first installment is the initial step toward strengthening your cybersecurity defenses. Your organization’s defenses should mimic that of an Onion. An onion has many layers to it and your defense should follow this same blueprint. We recommend investing in regular staff training and maintaining a culture of cybersecurity awareness to protect against these threats along with utilizing robust cybersecurity solutions. For instance, utilizing a Cybersecurity Framework could be essential to your business long term.

To get more information on implementing the best Cybersecurity Framework for your environment, check out: The Building Blocks of Cyber Defense: Why Your Business Needs a Cybersecurity Framework – SecurIT360

If your company needs expert cyber security and IT services for ongoing risk management and operational excellence, such as SOC services, please contact us here at SecurIT360 to be of assistance: Contact – SecurIT360.

Additionally, be sure to be on the lookout for the second installment of this Decoding Digital Dangers: Common Cybersecurity Threats Explained series releasing in the coming weeks.

Categories
Cybersecurity Advisories

Russia-linked Midnight Blizzard Cyberattack: Awareness and Guidance

Given the recent report from Microsoft regarding a cyber-attack on their organization by Russian state-sponsored hacking group, Midnight Blizzard, our SOC Team wanted to raise awareness concerning Threat Actor behavior related to Entra ID (formerly Azure ID) app registrations/app consent per what we have been seeing in the news and in the wild.

You can read Microsoft’s report detailing this behavior that was observed during their own recent compromise by this threat actor group: https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/

This post explains that the threat actor group “Midnight Blizzard” gained access to an account through a password spray and then leveraged existing OAuth applications and created additional applications to escalate privileges and compromise additional accounts.

Our DFIR team has also seen similar behavior recently during BEC investigations, where compromised account gave consent to a specific third-party application called “PerfectData Software” likely in an attempt to exfil mailbox data.

See the following link for additional information on this specific behavior: How Abuse of ‘PerfectData Software’ May Create a Perfect Storm: An Emerging Trend in Account Takeovers | Darktrace Blog

The following will detail the actions we are detecting on our end to better detect this type of post-compromise behavior related to app consent grants/permissions/registrations and how we recommend you can mitigate this type of attack in your environment.

SecurIT360 SOC Managed Services

Last week, our managed SOC services rolled out a new alert that will detect the creation of a service principal that looks for “PerfectData Software” specifically. A service principal in Entra ID (Formerly Azure AD) is an identify created to manage access for applications, hosted services, and/or automated tools.

We also plan to create an additional rule or rules to provide auditing for application management within our Monthly MDR reports. 

Additionally, as always, we will continue to provide monitoring and alerting concerning initial access by looking for possible password sprays, MFA bombing, suspicious logins, etc. to attempt to prevent this sort of behavior before it happens. However, as we believe in a defense in depth approach, we will continue to expand and refine our post-access detection capabilities through the rules mentioned above. 

Please feel free to contact the SOC via email at soc@securit360.com if you have any questions or concerns.  

Mitigation Recommendations

By default, users are allowed to register applications and give consent to third party applications. This means that if a Threat Actor compromises a standard user account they can give consent to apps or register apps, without having any admin permissions or an admin being notified.

However, you can restrict this behavior by editing default role permissions and require admin consent to be given before a user gives access to an application.  We strongly recommend you adjust this default permission and review all active registrations ASAP.

How to Change Default Permissions

  1. In order to restrict default user role permissions, within the Azure portal you can go to Microsoft Entra ID -> Users -> User settings and change the slider for “Users can register applications” to “No”:

See the following Microsoft KB article to learn more about default user permissions: Default user permissions – Microsoft Entra | Microsoft Learn

  1. To turn off or edit a user’s ability to grant consent to third part applications you can go to the Microsoft Entra admin center -> Identity- > Applications -> Enterprise applications -> Consent and permissions -> User consent settings.

  2. You can also configure a workflow that would allow admins to consent on behalf of users: Configure the admin consent workflow – Microsoft Entra ID | Microsoft Learn

Review Existing App Registrations

Once the permissions have been changed, perform a review of all current App Registrations within your Azure/Entra ID environment and consider disabling all of them that are not approved.

Additionally, as we saw in the Microsoft case, regular auditing of app registrations and permissions in addition to similar auditing for user accounts is always recommended and an important part of lowering the potential impact of an account compromise.

Please let us know if you have additional questions or concerns. We are always happy to help you adjust in response to new or emerging threats.

Ready to make cybersecurity your strength, not your weakness? Contact us today and let’s build a safer, more secure digital future for your business.