US · packtpub.com

Attack & Defend #5: OpenAI’s Red Teaming Network, Defending Against DDoS Attacks, and Kernel Hardening

Bite-sized actionable content, practical tutorials, and resources for security professionals.



👩‍💻 This Week in Attack & Defense



OpenAI Launches a Red Teaming Network: OpenAI announced a Red Teaming Network made up of a contracted group of employees to bolster its AI model risk assessment and mitigation strategies. The goal of this effort is to flag biases in models and prompts that can be used to bypass safety filters.


Microsoft AI Researchers Exposed 38TB Private Info: Microsoft AI researchers exposed terabytes of data that included private keys and passwords when they published a storage bucket of open source training data on GitHub. The 38 terabytes of private data included a disk backup of two employees’ workstations, something that Microsoft blamed on an excessively permissive Shared Access Signature (SAS) token, a feature in Azure.


New Vulnerability in GCC Stack Smashing Protection on ARM64: A new vulnerability was found in which GCC’s stack smashing protection has no effect on variable-length arrays or buffers allocated with alloca(). The vulnerability affects the 64-bit ARM architecture. This article includes details about the vulnerability, a demonstration of it, and a discussion of the response. A fix is available on the GCC mailing list.


Cisco to Acquire Splunk in $28B Massive Deal: The biggest enterprise software acquisition of the year to date is Cisco's purchase of the observability behemoth Splunk in a $28B deal, paying a premium price of $157 per share against the average of $80 or $90 that Splunk has had this year. With Splunk, Cisco gets an observability platform that could fit nicely into its security business to help customers better understand security threats.


Evasive Gelsemium Hackers Spotted in Attack against Asian Govt: The Gelsemium cyberespionage group, which has been operational since 2014, has been spotted in attacks targeting a Southeast Asian government. The group is known for its technical capacity and programming knowledge, which has helped them fly under the radar for many years.


🚀 Treasure Trove


If you’re one of the curious security ninjas, this is the place to discover useful offensive and defensive security resources. Here’s a selection of Blue Team and Red Team tools and resources this week.



Blue Team


Blocking Visual Studio Code Embedded Reverse Shell Before it's Too Late: Microsoft added a tunnel feature to VS Code in July 2023 that allows users to share their Visual Studio desktop via the web. This is a prime utility for attackers to establish persistence. This article provides some methods to disable the usage of VS Code tunnel as well as some methods to detect its usage.


Audit Logs Wall of Shame: A list of vendors that don’t prioritize high-quality, widely-available audit logs for security and operations teams. There are some popular names on this list.


kernel-hardening-checker: kernel-hardening-checker is a tool for checking the security hardening options of the Linux kernel. It supports checking Kconfig options, sysctl parameters, and boot configs. The repository also contains a map of kernel configuration options and vulnerability classes.



Red Team


Sliver vs Havoc: Objective comparison of two well-known adversary emulation (i.e. command and control) frameworks. Matt takes an empirical approach to answer questions such as why you might want one over the other, how easy they are to use, and the potential for expanding their functionality with new features.


RedTeamPentesting/kbtls: A library for creating mutually trusted client and server certificates based on a pre-shared connection key.


AttackGen: AttackGen uses a Large Language Model via LangSmith and the comprehensive MITRE ATT&CK framework to generate tailored incident response scenarios based on user-selected threat actor groups and organization details.


jackmichalak/phishim: A phishing tool that bypasses most types of MFA by proxying at the user-interaction level rather than the traffic level. It spins up a Puppeteer browser on the server that the victim unknowingly interacts with and then forwards screenshots down to the victim’s browser and forwards interactions up to the server. A clever approach that has been found effective for many of the most common MFA solutions.


🤖 Infosec Concepts & Strategies



Defending against DDoS Attacks - What You Need to Know: This post discusses four main variants of DDoS attacks: flooding, amplification, resource depletion, and diversion or ransom attacks. Mitigation strategies include recognizing the signs of DDoS attacks, having an incident response plan, contacting an ISP, having threat intel handy, and using other mitigation defenses and tools.


Types of Adversarial ML Attacks and How To Overcome Them: AI research is ongoing. Slowly but steadily, machine learning is becoming a core element in the value proposition of organizations worldwide. Machine learning-powered algorithms are susceptible to a variety of adversarial attacks that aim to degrade their performance. This article discusses the different types of attacks, including poisoning attacks, availability attacks, and evasion attacks.


DevOps Threat Matrix: Researchers at Microsoft categorized attack techniques into their related tactics and mapped these into a threat matrix. This mapping aims to help defenders to better understand the landscape and possible attacker actions, so defenders are better equipped to defend against each technique and protect DevOps environments.




📑 MasterClass: Tutorials & Guides



Essential Guide to Cybersecurity Compliance: SOC 2, ISO, HIPAA, Cyber Essentials – all the security frameworks and certifications today are an acronym soup that can make even a compliance expert's head spin. If you're embarking on your compliance journey, read on to discover the differences between standards, which is best for your business, and how vulnerability management can aid compliance.


Hunting C2s with Nuclei: This tutorial details a method to repurpose Nuclei, a common DAST tool, for threat hunting. The author outlines the steps they first used to threat hunt, both manually and with other tools, and then the high-level process for automating that work with Nuclei. The post also includes an example of hunting for Nimplant.


How to Trick Hackers - Setting up a Honeypot using AWS: A honeypot is a security system that is deployed on a network to monitor security intrusions from hackers or other threat actors. Through this tutorial, learn how to deploy an open-source honeypot application on AWS. You will also learn how to spin up a virtual machine and set up basic firewall rules to allow the honeypot to monitor traffic flowing across the network and detect cyber-attacks and threats.


Protecting your Identity with a Zero Trust Mindset: Zero-trust architecture is a very powerful tool to reduce risk within the enterprise. If you aren’t adopting a zero-trust architecture, you need to add this to your strategy today. This post advocates why you should adopt a zero-trust architecture and discusses ways to put zero-trust into practice.


Defending CI/CD Environments: This CyberSecurity Information Sheet (CIS) explains how to integrate security best practices into typical software development and operations (DevOps) Continuous Integration/Continuous Delivery (CI/CD) environments, without regard for the specific tools being adapted. You will also find recommendations and best practices for improving defenses in cloud implementations of development, security, and operations (DevSecOps).
