
Active Directory Security

Active Directory (AD), introduced with Windows 2000 [1], has become an integral part of modern organizations, serving as the backbone of identity infrastructure for 90% of Fortune 1000 companies [2]. Active Directory is widely used by organizations for its simplicity and centralized management approach. It is an attractive solution for businesses as it makes it […]

The post Active Directory Security was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

C_Suite Playbook Putting security at the Epicenter of Innovation

Security at the epicenter of innovation: That’s not the world we live in today, but what if it were? While excitement and budgets are rising for cutting-edge security programmes, progress on actually improving security is sluggish, even stagnant. PwC’s 2024 Global Digital Trust Insights survey of 3,876 business and tech […]

The post C_Suite Playbook Putting security at the Epicenter of Innovation was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

To Infinity and Beyond!

Increasing our understanding of EDR capabilities in the face of impossible odds.

Introduction

I recently had a discussion with our chief strategist, Jared Atkinson, about purple teaming. We believe that large quantities of procedures per technique affect the overall success of the assessment. I began to theorize how I could prove this concept. In this post, I will discuss the validation of my theory.

You know what assumptions do…

When you take a technique and make a broad statement of detection you are often ignoring orders of magnitude more detail, forcing those who view it to make a broad assumption about what is and is not detected. Take this hypothetical EDR marketing:

While some portions of this example are purely satirical, this still seems great! We have four different techniques that are detected! But is this the full story? If you have been following Jared Atkinson’s posts, you may realize that each of these techniques looks something like this:

This is a set of operation chains for different procedures of process injection. If you are unfamiliar with what operation chains are, I recommend reading Jared’s blog series on Tactical to Functional. Using this information, I asked myself, “How could I build a representation of my understanding of the EDR’s capabilities with respect to process injection?”

EDR capabilities can, and should, be measured as a set of data. Our industry has different methods of measuring capabilities and representing the resulting data. Common examples that are used for measurement include Mitre ATT&CK Evaluations, or generically mapping the Mitre ATT&CK framework to testing performed via something like Atomic Red Team. The problem with evaluations of this type is that they typically focus on one variation of a technique, which can only represent one procedure. While usually not explicitly stated, those using those projects often mistake the results for full “coverage” of that technique. The reality is that none of these approaches are designed to be used or interpreted in this fashion.

The argument I am going to make throughout this post is that these tests are not particularly sufficient to guarantee coverage. In fact, no amount of testing will ever guarantee 100% coverage of any given technique. This does not mean all hope is lost of detecting the use of process injection, but it does mean that we need to better understand what our testing results actually mean — so at least we have knowledge of the potential gaps prior to accepting the risk.

EXCELerating Capability Testing

To start proving my argument, let’s start in Excel. We will build a table that represents a set of process injection procedures that an EDR may detect. The columns will represent the individual procedures while the rows will represent each possible combination of procedures an EDR may detect. We will treat a 0 as “not detected” and a 1 as “detected”. For this first example I will limit the procedures to “Standard” (e.g., shellcode injection) and “Thread Hijacking.” I am going to say, for the sake of argument, that these are the only two known forms of process injection. This means that there are four possibilities for an EDR’s capability to detect process injection. At this point, without running any tests, an end user of an EDR will have no idea which of the four outcomes is true for their EDR.

We can safely rule out some of these outcomes because we assume that an EDR is detecting at least one of these procedures to make the claim that it detects process injection. Let’s say that the most likely candidate for detection is standard shellcode injection since that is the canonical form that comes to mind when process injection is mentioned.

If we know that standard injection is detected with our theoretical EDR, then we now have two potential cases, albeit in our hypothetical world where there are only two known forms of process injection. We can show this on the chart by graying out the rows that are not relevant to our EDR.

The chart shows that by either testing or seeing real-world examples of an EDR detecting a given procedure we removed 50% of the possible combinations of process injection procedures the EDR can potentially detect.

I want to be clear here — this is not a probability that an EDR will detect a given technique, or a full coverage of the EDR capabilities. This is merely filling in 50% of our understanding of an EDR’s capability regarding a specific technique using known procedures for that technique. I am going to continue stressing this throughout this post. All of these statistics are applicable to better understanding an EDR but none of the table entries are weighted to convey the prevalence or any other attribute of a procedure.

Let’s add a third procedure and see what happens to our potential capability.

We are dealing with exponential math here. There are two states that our data can be in, 0 or 1. So the number of potential combinations of procedures from the table that an EDR can detect is n^x, where “n” is the number of potential results and “x” is the number of procedures. So the table above can be represented as 2³ or 8.

With 3 process injection procedures, we have expanded our hypothetical world to 8 possibilities, so what happens if I again run a test to see if my EDR detects standard shellcode injection?

We have once again eliminated 50% of the possibilities of what our EDR detects, with a single test case, even though we have doubled the amount of potential possibilities. What happens if you run a second test, and see if your EDR detects thread hijacking?

It does detect it! This allows us to throw away all of the potential states where thread hijacking is 0. Another 50% of the remaining possibilities have been removed. Are you starting to see the pattern? For each test case we ran, we could remove 50% of the remaining possibilities from the table.

Let’s try one more test and bump this up to 6 total forms of process injection. Following our previous formula, our potential set of detection possibilities should be 2⁶ or 64.

Awesome! As before, I want to test my EDR and see if it is capable of detecting standard shellcode injection. We already know that it does from our previous testing but will it really remove 50% of our detection possibilities? Before immediately showing you the answer, look at the first column of binary data.

The options for Standard Shellcode Injection alternate between 0 and 1 every single time. So if we do detect it, then it will absolutely remove 50% of our results, just as it did before with a different number of process injection procedures. You may recognize these tables as truth tables and our testing process as being similar to a binary search algorithm, allowing each of our tests to reduce our possible detection combinations by half. This is demonstrated again in the following graphic by running each test in succession for the six chosen procedures shown before, and taking it to the logical conclusion.

This simply validates our previous testing with a larger dataset. There has been a singular theme throughout these tests: each time, we limited our table of process injection procedures to a specific number of remaining rows. Given enough testing, it’s possible to arrive at a single combination of procedures an EDR will detect for a given technique, but what happens when we don’t know how many procedures there are?
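The truth-table walkthrough above, as an added example that is not part of the original post: it enumerates every possible detection row for a list of procedures, eliminates the rows contradicted by each test result, and shows the halving the post describes. Only “standard shellcode injection”, “thread hijacking” and “APC injection” are named in the post; the other three procedure names are constructed placeholders.

```python
"""Truth-table model of an EDR's capability for one technique.

Added example, not code from the original post. Each row of the table is one
hypothesis about which procedures the EDR detects (1) or misses (0). A test
result is an observation that keeps only the rows consistent with it.
"""
from itertools import product

PROCEDURES = [
    "standard_shellcode_injection",  # named in the post
    "thread_hijacking",              # named in the post
    "apc_injection",                 # named in the post
    "procedure_4",                   # constructed placeholder
    "procedure_5",                   # constructed placeholder
    "procedure_6",                   # constructed placeholder
]


def all_capability_rows(procedures):
    """Every 0/1 row the EDR's capability could be: 2**len(procedures) rows.

    Bits are laid out so the FIRST procedure's column alternates 0,1,0,1,...
    on every row, matching the post's observation about the first column.
    """
    n = len(procedures)
    return [dict(zip(procedures, reversed(bits))) for bits in product((0, 1), repeat=n)]


def column_alternates(rows, procedure):
    """True if a column flips value between every pair of consecutive rows."""
    return all(a[procedure] != b[procedure] for a, b in zip(rows, rows[1:]))


class CapabilityModel:
    """Tracks the hypothesis space and narrows it with each test result."""

    def __init__(self, procedures):
        self.procedures = list(procedures)
        self.candidates = all_capability_rows(self.procedures)
        self.total = len(self.candidates)

    def observe(self, procedure, detected):
        """Record one test; keep only rows consistent with it. Returns (before, after)."""
        if procedure not in self.procedures:
            raise KeyError(f"unknown procedure: {procedure}")
        before = len(self.candidates)
        self.candidates = [r for r in self.candidates if r[procedure] == int(detected)]
        return before, len(self.candidates)

    def remaining(self):
        return len(self.candidates)

    def knowledge_fraction(self):
        """Share of the original hypothesis space eliminated so far (not coverage!)."""
        return 1 - len(self.candidates) / self.total

    def resolved(self):
        """Procedures whose value is identical in every remaining row."""
        if not self.candidates:
            return {}
        first = self.candidates[0]
        return {p: first[p] for p in self.procedures
                if all(r[p] == first[p] for r in self.candidates)}


def run_post_sequence(procedures, results=None):
    """Replay the post's walkthrough: test each procedure once, in order.

    results maps procedure -> bool; when omitted every test is 'detected'.
    Returns the number of candidate rows left after each test.
    """
    model = CapabilityModel(procedures)
    left = []
    for p in procedures:
        model.observe(p, True if results is None else results[p])
        left.append(model.remaining())
    return left


if __name__ == "__main__":
    m = CapabilityModel(PROCEDURES)
    print(f"{m.remaining()} possible capability rows before testing")
    for p in ("standard_shellcode_injection", "thread_hijacking"):
        before, after = m.observe(p, detected=True)
        print(f"{p} detected: {before} -> {after} rows, "
              f"knowledge {m.knowledge_fraction():.0%}")
    print("resolved so far:", m.resolved())
    print("rows left after testing all six:", run_post_sequence(PROCEDURES))
```

Re-running a test you have already run removes nothing (the `(16, 16)` case), which is the practical reason to spend purple-team time on untested procedures rather than repeating the canonical one.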

To Infinity and Beyond!

Excel works well to illustrate finite numbers of procedures for performing a technique, but it does not work as well when we don’t know what the true number of procedures is. The reality is that even though I listed six different forms of process injection for this post, there are certainly more than that in existence. In fact, as far as I know, there are an infinite number of ways to perform process injection!

The easiest way to visually represent this is with a curve.

Note: I am not good at math. The curve and the resulting formula is not an attempt to provide a real or usable method for plotting capability, it is simply an illustrative tool. Shoutout to Evan McBroom for helping me find a curve that fit what I was trying to show.

Take the following curve for example:

y = 10 / 2^x

In this example the curve starts with Y=10 for X=0 and Y will decrease by 50% every time X increases by 1. The area under the curve represents the potential combinations of procedures an EDR may detect for a given technique, with the upper bound of X being the number of process injection procedures tested. It may appear at a glance that running 10 test cases is all that is needed to completely fill in our understanding of the EDR, but if you take a closer look you will see that the curve never actually reaches the X axis.

This is illustrating that the area underneath the line is actually infinite because the potential number of procedures for performing process injection is infinite, and thus our possible combinations for which of those procedures an EDR may detect is also infinite. In reality, there certainly is a limit to the different ways process injection may be performed, but for the purposes of testing and measuring, we will likely never know what that limit is.

All of that aside, even granting the infinite possible number, the reality is that the real number of total procedures for performing process injection is probably much lower than that. If we run a single test on a single procedure, we can plot our knowledge gained on the curve.

What about if we run 7 tests on 7 different procedures?

In regards to a specific technique, we can be significantly more certain now about what procedures our EDR can, and cannot, detect.

I want to stress again that this doesn’t show an increase in detection coverage of process injection for the EDR itself — that’s not what we are testing. This is an increase in your knowledge of the EDR’s capability surrounding process injection.

I understand that this post ignores any kind of weighting for each of the procedures. As an example, it may be more likely that you see standard shellcode injection than APC injection. I understand that, but since I am not tracking a desired state of coverage for each procedure, it’s not strictly relevant to the current discussion.

(Lack of) Information Warfare

Recently, I have been reading “The User Illusion” by Tor Nørretranders. In Chapter 2, titled “Throwing Away Information,” he shares an example of information loss in the context of grocery shopping.

When you go to the grocery and fill up a cart full of food, you check out, and they hand you a receipt for $218.52 — that receipt carries with it the full list of items you used to reach that total. Three months later, you check your credit card statement and you see a charge at Walmart for $218.52. If I asked you to go back to Walmart, armed with only that information, and recreate your exact cart of groceries, could you do it?

I would venture to guess that you couldn’t. There are far too many possibilities in Walmart that add up to $218.52 — as Tor says in the book:

But in fact there is far less information in the result than in the problem: After all, there are lots of different combinations of goods that can lead to the same total price. But that does not mean you can guess what is in each basket if you know only the price.

— The User Illusion, Tor Nørretranders

We make these kinds of generalizations on a day-to-day basis, but often without realizing or caring about the information we are leaving behind. Tor uses the example of temperature to convey this. When someone asks what the temperature is outside, and you respond with 75 degrees, you ignore the immeasurable number of potential states of matter and molecules required to place the temperature at 75 degrees. In this case, you don’t really care, you just want to know if you should wear a jacket or not — the information conveyed was sufficient, and the discarded information was not relevant. Even if you wanted to know, there is no way to reverse engineer the exact state from the resulting temperature.

How is this relevant to our EDR and purple team? Similar to the charge on your credit card, if an EDR makes a claim to “detect” process injection, then there are upwards of sixty-four different combinations of “detection” (based just on the six procedures I used earlier for illustration) that can lead the vendor to make that claim. Luckily, we can use something like a purple team assessment to successfully reverse engineer a representative set of results that could have led the vendor to make that statement.

The truth is that the vendor has already done this as well. The likelihood that they released a product incapable of detecting some form of process injection, and yet claim to do so, is quite low; however, most, if not all, vendors are not forthcoming in giving you the “receipt” of their testing. They may point to something like the aforementioned Mitre ATT&CK Evaluations as a facsimile for a true receipt, but the detail and depth of that testing I would argue is insufficient for assessing the true capability of an EDR, and as a result, your ability to secure your enterprise with it.

Conclusion

If you think back to our original pretend EDR marketing graphic, knowing what we know now, perhaps it should look more like this:

Now we know what set of possible data lies behind the shiny marketing and catchy buzzwords — but the only way to get to that data is to test different procedures, and as many of them as possible (within reason).

The question is, would you rather make the assumption, or know the reality?

To Infinity and Beyond! was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post To Infinity and Beyond! appeared first on Security Boulevard.

BreachForums resurrected after FBI seizure – Source: securityaffairs.com


Source: securityaffairs.com – Author: Pierluigi Paganini BreachForums resurrected after FBI seizure The cybercrime forum BreachForums has been resurrected two weeks after a law enforcement operation that seized its infrastructure. The cybercrime forum BreachForums is online again, recently a US law enforcement operation seized its infrastructure and took down the platform. The platform is now reachable […]

The post BreachForums resurrected after FBI seizure – Source: securityaffairs.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

ABN Amro discloses data breach following an attack on a third-party provider – Source: securityaffairs.com


Source: securityaffairs.com – Author: Pierluigi Paganini ABN Amro discloses data breach following an attack on a third-party provider Dutch bank ABN Amro discloses data breach following a ransomware attack hit the third-party services provider AddComm. Dutch bank ABN Amro disclosed a data breach after third-party services provider AddComm suffered a ransomware attack. AddComm distributes […]

The post ABN Amro discloses data breach following an attack on a third-party provider – Source: securityaffairs.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Christie disclosed a data breach after a RansomHub attack – Source: securityaffairs.com


Source: securityaffairs.com – Author: Pierluigi Paganini Christie disclosed a data breach after a RansomHub attack Auction house Christie disclosed a data breach following a RansomHub cyber attack that occurred this month. Auction house Christie’s disclosed a data breach after the ransomware group RansomHub threatened to leak stolen data. The security breach occurred earlier this month. The website […]

The post Christie disclosed a data breach after a RansomHub attack – Source: securityaffairs.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Experts released PoC exploit code for RCE in Fortinet SIEM – Source: securityaffairs.com


Source: securityaffairs.com – Author: Pierluigi Paganini Experts released PoC exploit code for RCE in Fortinet SIEM Researchers released a proof-of-concept (PoC) exploit for remote code execution flaw CVE-2024-23108 in Fortinet SIEM solution. Security researchers at Horizon3’s Attack Team released a proof-of-concept (PoC) exploit for a remote code execution issue, tracked as CVE-2024-23108, in Fortinet’s […]

The post Experts released PoC exploit code for RCE in Fortinet SIEM – Source: securityaffairs.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Microsoft’s Copilot+ Recall Feature, Slack’s AI Training Controversy

Episode 331 of the Shared Security Podcast discusses privacy and security concerns related to two major technological developments: the introduction of Windows PC’s new feature ‘Recall,’ part of Microsoft’s Copilot+, which captures desktop screenshots for AI-powered search tools, and Slack’s policy of using user data to train machine learning features with users opted in by […]

The post Microsoft’s Copilot+ Recall Feature, Slack’s AI Training Controversy appeared first on Shared Security Podcast.

The post Microsoft’s Copilot+ Recall Feature, Slack’s AI Training Controversy appeared first on Security Boulevard.


Google fixes eighth actively exploited Chrome zero-day this year, the third in a month – Source: securityaffairs.com


Source: securityaffairs.com – Author: Pierluigi Paganini Google fixes eighth actively exploited Chrome zero-day this year, the third in a month Google rolled out a new emergency security update to fix another actively exploited zero-day vulnerability in the Chrome browser. Google has released a new emergency security update to address a new vulnerability, tracked as CVE-2024-5274, […]

The post Google fixes eighth actively exploited Chrome zero-day this year, the third in a month – Source: securityaffairs.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

CISA adds Apache Flink flaw to its Known Exploited Vulnerabilities catalog – Source: securityaffairs.com


Source: securityaffairs.com – Author: Pierluigi Paganini CISA adds Apache Flink flaw to its Known Exploited Vulnerabilities catalog CISA adds Apache Flink improper access control vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a NextGen Healthcare Mirth Connect vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The issue, tracked […]

The post CISA adds Apache Flink flaw to its Known Exploited Vulnerabilities catalog – Source: securityaffairs.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Usage of TLS in DDNS Services leads to Information Disclosure in Multiple Vendors – Source: securityaffairs.com


Source: securityaffairs.com – Author: Pierluigi Paganini Usage of TLS in DDNS Services leads to Information Disclosure in Multiple Vendors The use of Dynamic DNS (DDNS) services embedded in appliances can potentially expose data and devices to attacks. The use of Dynamic DNS (DDNS) services embedded in appliances, such as those provided by vendors like Fortinet […]

The post Usage of TLS in DDNS Services leads to Information Disclosure in Multiple Vendors – Source: securityaffairs.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Recall feature in Microsoft Copilot+ PCs raises privacy and security concerns – Source: securityaffairs.com


Source: securityaffairs.com – Author: Pierluigi Paganini Recall feature in Microsoft Copilot+ PCs raises privacy and security concerns UK data watchdog is investigating Microsoft regarding the new Recall feature in Copilot+ PCs that captures screenshots of the user’s laptop every few seconds. The UK data watchdog, the Information Commissioner’s Office (ICO), is investigating a new feature, […]

The post Recall feature in Microsoft Copilot+ PCs raises privacy and security concerns – Source: securityaffairs.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

An ongoing malware campaign exploits Microsoft Exchange Server flaws – Source: securityaffairs.com


Source: securityaffairs.com – Author: Pierluigi Paganini An ongoing malware campaign exploits Microsoft Exchange Server flaws A threat actor is targeting organizations in Africa and the Middle East by exploiting Microsoft Exchange Server flaws to deliver malware. Positive Technologies researchers observed while responding to a customer’s incident spotted an unknown keylogger embedded in the main Microsoft Exchange Server […]

The post An ongoing malware campaign exploits Microsoft Exchange Server flaws – Source: securityaffairs.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Critical GitHub Enterprise Server Authentication Bypass bug. Fix it now! – Source: securityaffairs.com


Source: securityaffairs.com – Author: Pierluigi Paganini Critical GitHub Enterprise Server Authentication Bypass bug. Fix it now! GitHub addressed a vulnerability in the GitHub Enterprise Server (GHES) that could allow an attacker to bypass authentication. GitHub has rolled out security fixes to address a critical authentication bypass issue, tracked as CVE-2024-4985 (CVSS score: 10.0), in the GitHub […]

The post Critical GitHub Enterprise Server Authentication Bypass bug. Fix it now! – Source: securityaffairs.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

OmniVision disclosed a data breach after the 2023 Cactus ransomware attack – Source: securityaffairs.com


Source: securityaffairs.com – Author: Pierluigi Paganini OmniVision disclosed a data breach after the 2023 Cactus ransomware attack The digital imaging products manufacturer OmniVision disclosed a data breach after the 2023 ransomware attack. OmniVision Technologies is a company that specializes in developing advanced digital imaging solutions. In 2023, OmniVision employed 2,200 people and had an annual revenue […]

The post OmniVision disclosed a data breach after the 2023 Cactus ransomware attack – Source: securityaffairs.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

CISA adds NextGen Healthcare Mirth Connect flaw to its Known Exploited Vulnerabilities catalog – Source: securityaffairs.com


Source: securityaffairs.com – Author: Pierluigi Paganini CISA adds NextGen Healthcare Mirth Connect flaw to its Known Exploited Vulnerabilities catalog CISA adds NextGen Healthcare Mirth Connect deserialization of untrusted data vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a NextGen Healthcare Mirth Connect vulnerability to its Known Exploited Vulnerabilities […]

The post CISA adds NextGen Healthcare Mirth Connect flaw to its Known Exploited Vulnerabilities catalog – Source: securityaffairs.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Behavior vs. Execution Modality

On Detection: Tactical to Functional

Part 12

Introduction

At Shmoocon 2015, Will Schroeder (Harmj0y) gave a talk titled “I Hunt Sys Admins,” describing how attackers can hunt (or find the location of) system administrators throughout the network. The talk is only 15 minutes long, so I highly recommend you watch it to understand the motivations and implementations of attackers concerning “user hunting.” As you can see in the screenshot below, Harmj0y describes the motivation behind this attack as “determining where high-value users are logged in” to steal their credentials. At the time of his talk, Mimikatz was the primary method of stealing credentials; still, user hunting continues to be necessary for identity snowball attacks regardless of the credential access technique used.

Later, “user hunting” became the foundation of the popular attack path mapping project BloodHound. Initially, BloodHound would provide a map of the environment by understanding how users, computers, groups, logon sessions, and other factors impact access control. Specifically, users’ location within the network is a crucial component, both because that location is ephemeral and because admin access to a machine implies the ability to take over the identity of any user logged on to that system. If an attacker can find where high-value users are located in the network, they can steal their credentials. As described in his talk, account takeover is not limited to Mimikatz. Attackers can take over accounts via many techniques within the Credential Access Tactic category, such as LSASS Credential Dumping, Token Impersonation (not sure why this is not considered a Credential Access Technique), etc.

In his March 2018 blog post, Rohan Vazarkar (CptJesus) wrote about some of the mechanisms SharpHound, the data collection component of the BloodHound project, uses to collect the necessary data for projecting attack paths. In the Session Collection section of the post, he describes how attackers use the NetSessionEnum function to collect this information. In this post, we will analyze the NetSessionEnum function, understand the operation chain associated with the user hunting technique, and examine five tools that implement this behavior. Ultimately, we will explore how changes to how a behavior is executed (execution modality) can impact detection as much as the operation chain (behavior) itself.

NetSessionEnum

In their descriptions of User Hunting, Harmj0y and Rohan mentioned one Windows API function that was particularly interesting: NetSessionEnum. As a part of the Win32 API, you can find the NetSessionEnum documented online. Below is an image of the function’s overview, which describes it as “[it] provides information about sessions established on a server.” It also shows the syntax for how developers can call the function from their application. In his post, Rohan details how SharpHound calls this function and why specific parameters must be specified in certain ways to guarantee the function returns the information necessary for mapping attack paths.

In one of my previous blog posts, “Understanding the Function Call Stack,” I described how the Windows API is an abstraction that sits atop the functionality. Eventually, this post will require a clear understanding of the NetSessionEnum function call stack, so we should check it out now.

This section will walk through the NetSessionEnum implementation to demonstrate how the function call stack was derived. Feel free to skip to the Behavior section if you trust me. :)

Finding the Implementing Library

The first step is identifying which dynamic link library (DLL) implements the NetSessionEnum function. The Requirements section of the Microsoft API documentation page identifies Netapi32.dll as that DLL, as shown in the screenshot below.

So when Harmj0y and CptJesus, or frankly most other developers, mention NetSessionEnum, they specifically mean the version of that function implemented within netapi32.dll, or, written differently, netapi32!NetSessionEnum.

The netapi32!NetSessionEnum syntax is a common way to differentiate between functions with the same name implemented in different DLLs. This additional precision provides clarity in discussions when the difference between, say, kernel32!OpenProcess and kernelbase!OpenProcess might matter. The way to interpret it is DLL!Function, where DLL corresponds to the implementing DLL and Function refers to the function name. We will see later in the post that it is necessary to be specific about the function we refer to.

While it is true that the majority of legitimate applications will use this “orthodox” version of the API, we’ve seen a trend among malware to use lower-level undocumented API functions or system calls (syscalls). With that in mind, it is worth understanding the entire function call stack to understand what exactly happens after netapi32!NetSessionEnum is called. To figure this out, we can open netapi32.dll in a disassembler like IDA Pro.

netapi32!NetSessionEnum

After loading netapi32.dll into our disassembler, we find that the netapi32!NetSessionEnum function is implemented as a “forwarded export” to srvcli.dll.

netapi32!NetSessionEnum implements a “forwarded export” which transparently points execution to srvcli!NetSessionEnum

This means that when an application calls netapi32!NetSessionEnum the call is transparently forwarded to srvcli!NetSessionEnum, so in order to continue our exploration of the function call stack we will need to load srvcli.dll into our disassembler next.

srvcli!NetSessionEnum

Upon decompiling srvcli!NetSessionEnum, we immediately see a call to the NdrClientCall3 function, which is responsible for facilitating remote procedure calls (RPC). This particular instance calls the NetrSessionEnum (Opnum 12) procedure implemented by the [MS-SRVS] interface (otherwise known as the Server Service Remote Protocol).

For a detailed description of how to analyze calls to the NdrClientCall3 function, I highly recommend checking out Kai Huang’s Uncovering RPC Servers through Windows API Analysis post. Search for the section titled “A sneak peek into SspiCli!SspipLogonUser and NdrClientCall3,” where he explains how to break down this function’s different parameters and related structures.

srvcli!NetSessionEnum calls NdrClientCall3 which executes the MS-SRVS!NetrSessionEnum RPC Procedure

Using this analysis, we can construct a function call stack that demonstrates the relationship between the three functions (netapi32!NetSessionEnum, srvcli!NetSessionEnum, and ms-srvs!NetrSessionEnum) that our samples called. The nested nature of this relationship allows us to treat all three functions as “functionally equivalent,” meaning that we can ignore the differences between tools implementing one instead of the other since they are minimal.

As a result of this analysis, we have a new function call stack starting with netapi32!NetSessionEnum, flowing through srvcli!NetSessionEnum, and finally, calling the NetrSessionEnum RPC Procedure implemented by MS-SRVS (ms-srvs!NetrSessionEnum). This function call stack implements the Session Enumeration operation as shown below:

Note: I’ve found that the NdrClientCallX functions are best represented by the RPC procedure they execute. In this case, I’ve used ms-srvs!NetrSessionEnum in its place.

In previous examples, we’ve seen that the function call stack ends at the syscall because it represents the transfer of execution from user mode to kernel mode. For this model, we treat what happens in the kernel as a black box because developers cannot simply call functions that reside in the kernel in the same way they call lower-level API functions like those that reside in ntdll.dll. This same concept is applied to RPC procedures because they transfer execution from the RPC client (in this case, srvcli.dll) to the RPC server (srvsvc.dll). Generally speaking, and especially for user hunting, Session Enumeration is performed remotely. As such, the server component can be treated as a black box because it is not possible, as far as I know, for the client to call the same functions as the server component on a remote system.

Behavior

At this point, we are familiar with the concept of user hunting and its application for red teamers and threat actors. We’ve also become familiar with the Session Enumeration operation that facilitates this behavior. If you’ve reached this point in the series, you may wonder why I’m only talking about a single operation. After all, I thought procedures were chains of operations? Well, in this case, NetSessionEnum is a function that has no dependency on other functions. As a result, Session Enumeration can manifest as a stand-alone operation in a chain, as shown below:

Operation “chain” for User Hunting

Session Enumeration’s stand-alone nature lends itself as a great teaching aid. Since there is only one operation, we can skip any questions regarding which operation is optimal for detecting the procedure. After all, we should be able to figure this out since there is only one option. I think of this much like the approach to teaching mathematics. In algebra class, students learn how to solve single-variate equations (solve for X) before they learn to tackle multivariate equations (solve for X and Y). The authors of the algebra curriculum understand that many of the real-world applications of mathematics are multivariate; however, they also understand that if you cannot solve for X, you likely cannot solve for both X and Y! In our case, a single-operation procedure is equivalent to solving for X. It only gets more difficult as you add more operations to your chain or multiple chains to your detection.

The critical takeaway is understanding that the operation chain represents the behavior we discuss when we say “behavior-based detection.” In this case, the behavior is a single operation. Still, in other cases, the behavior may be a sequence of operations in a chain, as we’ve seen with LSASS Memory Dumping or Process Injection (shown below for reference):

Execution Modalities

At this point, we’ve identified the behavior (i.e., operation chain) that attackers want to execute as part of user hunting. Still, the attacker must weaponize the behavior before they can use it in their operation. Behaviors are conceptual; tools are concrete. Developers implement these ideas in code, which makes them concrete and usable. During this weaponization process, developers have many implementation options. Despite the relative simplicity of this user hunting procedure, there is a relatively wide range of ways to implement the behavior. This section will analyze five tools that implement “user hunting” (the Session Enumeration operation), but each does so uniquely. The fact that developers can implement the same behavior in many ways brings up a distinction I believe is essential for detection engineers to understand: the difference between behavior and weaponization. I describe these differences as “execution modalities.”

Example: Heart Rate Monitoring

An example that I like to use to differentiate behavior from modality is heart rate (HR) monitoring. In today’s society, it is common to encounter several devices that monitor our HR for one reason or another. How often do we stop and think about how this diagnostic is measured? It turns out there are three primary diagnostic modalities used to measure heart rate.

Digital

The first mode is the most rudimentary but readily available to all of us. It is an old-fashioned pulse measurement. The measurer takes the pulse by pressing their fingers against an artery of the patient. Generally, the pulse is taken on the wrist (radial pulse) or the neck (carotid pulse). Luke Paine told me EMTs humorously call this a “digital” measurement.

Optical

Photoplethysmography (PPG) is the second modality. We typically encounter this modality in consumer electronic devices such as Apple Watches and Oura Rings, as well as the pulse oximeter that hospitals use. This mode uses an LED to illuminate the skin so an optical sensor can measure blood flow changes, which the device interprets as heart rate. Due to the optical sensor, we call this modality “optical.”

Electrical

The third mode, electrocardiography (ECG/EKG), uses electrodes attached to the skin in different locations to measure the electrical changes caused by each cardiac cycle. We will call this modality “electrical.”

Each approach has its pros and cons but measures the same phenomenon. Numerous considerations, such as necessary precision, activity levels, equipment availability, etc., influence the practitioner’s modality choice. This section will show how to apply the same conceptual approach to attacker tradecraft. However, detection engineers must differentiate between the behavior and the modality used to implement said behavior. We currently conflate these two concepts, leading to numerous detection efficacy mistakes.

Session Enumeration Tools

Now that we’ve established the difference between behavior and modality, I want to look at tools that implement the same behavior but use different modalities. In this section, we will analyze five tools that implement the Session Enumeration operation and thus can be used for user hunting, as Harmj0y described in his talk. Some tools are built into the operating system, some are meant to be administrative tools, and some were constructed explicitly for attackers. Interestingly, while they all ostensibly do the same thing, they are weaponized differently. These differences in weaponization affect execution, detectability, extensibility, interoperability, etc. An important point is that our high-order objective in detection is behavior-based, not modality-based. Therefore, we should be interested in detecting Session Enumeration (behavior-focused), not Session Enumeration in PowerShell (modality-focused). I labeled each tool’s subsection using the tool name [function] (modality) syntax to simplify things. Let’s jump in!

net.exe session [srvcli!NetSessionEnum] (Built-in Console Application)

It is natural to start our analysis with a tool built into the Windows operating system: net.exe. Many of you are familiar with net.exe and its many modules. For instance, you may have used net user /add to add a local user account to a computer. However, one module, net session, allows for the enumeration of user sessions, making it relevant to our analysis.

We can learn how this tool works by opening it in our disassembler. Once our disassembler has loaded and analyzed it, we see that when a user executes net.exe, it calls the CreateProcessW API function to create a new process called net1.exe.

For those unfamiliar, there is a fun story about the creation of net1.exe involving Y2K.

After we open net1.exe, we find a subroutine called session_display that eventually calls the NetSessionEnum function. A glance at the imports table shows that net1.exe calls srvcli!NetSessionEnum. Calling the function in srvcli.dll is interesting because it skips a level in our function call graph (netapi32!NetSessionEnum). However, it is essential to note that the first parameter, servername, which represents the computer on which the function will enumerate sessions, is set to 0. The documentation indicates that when the servername parameter is NULL, shown as 0, it will enumerate sessions on the local computer. Since the NULL value is hardcoded, net(1).exe is not a tool that can facilitate “user hunting.”

NetSess.exe [netapi32!NetSessionEnum] (Third-party Console Application)

The second tool is a third-party binary released by Joeware called NetSess.exe. This tool has been around for a long time and is often referred to by later implementations.

Like net.exe, I threw NetSess.exe into a disassembler to peek under the hood. I eventually found a call to NetSessionEnum, which is the basis of the tool’s functionality. The difference is that NetSess.exe calls the netapi32 version of the function and takes the servername parameter from the command-line. User control of the servername parameter means the tool facilitates the enumeration of sessions on remote systems, meaning that NetSess.exe is the first tool we can use for user hunting!

One drawback to NetSess.exe, however, is that it is a console application. As a result, an attacker must bring this tool with them or download it to the target system before using it. As we progress through our tour of user hunting tools, we will encounter other tool variations that do not require dropping a binary file to disk. This in-memory execution is, of course, valuable to an attacker to avoid standard disk-based AV scanning.

PowerView Get-NetSession [netapi32!NetSessionEnum] (PowerShell)

Our third tool is Harmj0y’s PowerView Get-NetSession function. PowerView was the precursor to BloodHound as we know it. Will wrote the original BloodHound collector as a wrapper around various PowerView functions, including Get-NetSession. As the screenshot below shows, Get-NetSession relies on a call to netapi32!NetSessionEnum. Like NetSess.exe, Get-NetSession can enumerate sessions on remote computers, which means it supports “user hunting.”

When Harmj0y wrote PowerView, PowerShell’s value proposition was that it could execute scripts in memory (without being dropped to disk and thus subject to AV scans). Also, PowerView targeted PowerShell version 2, which did not include many security features we’ve all come to know and love. These features made PowerShell an exciting modality for user hunting and attacker tradecraft in general.

get-netsession [netapi32!NetSessionEnum] (BOF)

TrustedSec provides a Beacon Object File (BOF) called get-netsession as part of their CS-Situational-Awareness-BOF project. I imagine this BOF’s name is a tribute to the PowerView function discussed earlier, but I have not confirmed this. Since we can access the get-netsession source, we can review the code to understand its implementation. Very quickly, we see a call to the netapi32!NetSessionEnum function, so we know that its behavior will be similar to the previous tools we’ve analyzed.

An advantage of BOFs is that they integrate the functionality directly into the agent itself, removing many more superficial detection opportunities. For instance, when executed, it does not create a process (like NetSess.exe or powershell.exe). Detections focused on process names, command-lines, PowerShell ScriptBlocks, etc., will not be relevant for this modality.

netview.py [ms-srvs!NetrSessionEnum] (Direct RPC Request)

The final tool we will analyze is part of the popular Impacket suite. For those unfamiliar with Impacket, it is a Python framework primarily intended for working with network protocols (e.g., RPC). While the framework supports interaction with many RPC Interfaces, it also includes a set of example scripts to demonstrate its functionality. One such example is netview.py, which we will analyze.

netview.py seems to be a reimplementation of Rob Fuller’s netview.exe, which Harmj0y discussed in his Shmoocon talk. The original tool did much more than simple Session Enumeration; we see the same in Impacket’s implementation. However, we can focus on the Session Enumeration component of the script, shown below in the getSessions function. Here, we see a call to the srvs.hNetrSessionEnum function, Impacket’s implementation of the [MS-SRVS] NetrSessionEnum RPC procedure (ms-srvs!NetrSessionEnum).

According to the NetSessionEnum function call stack we built earlier, the netapi32!NetSessionEnum function eventually calls the ms-srvs!NetrSessionEnum RPC procedure as part of its execution. Additionally, our analysis of the function call stack showed that nothing happens between netapi32!NetSessionEnum and ms-srvs!NetrSessionEnum, so any application that calls the RPC procedure directly, like Impacket, will not skip any observable behavior. However, it tremendously reduces the observable footprint of execution due to a modal change.

An exciting feature Impacket facilitates is the ability to proxy these requests to the target. Proxying allows the implementation of the behavior without the need to run an application on target or call the relevant Win32 API Function (e.g., netapi32!NetSessionEnum). This approach challenges many assumptions in contemporary detection engineering strategies, such as the Implicit Process Create.

Result

When the analytical dust settles, plotting the samples we analyzed on the function call stack is useful. In doing so, we find three samples (NetSess.exe, PowerView Get-NetSession, and BOF get-netsession) called the high-level netapi32!NetSessionEnum function, one sample (net session) called the undocumented srvcli!NetSessionEnum function, and one sample (Impacket netview.py) called the ms-srvs!NetrSessionEnum RPC procedure directly. The updated graph is below:

Detection engineers, malware analysts, and threat intel analysts must learn to differentiate between behavioral and modal changes. Behavioral changes result in a new or different operation chain. Modal changes concern how an operation is executed, not which operations are executed. Generally speaking, a behavioral change is more substantial than a modal change. Modern endpoint detection and response (EDR) sensors generate events that focus on operations. As a result, changes that do not affect the operation chain (the behavior) should not generally impact behavioral detections. It is, however, critical to consider whether your detection rule is resilient to modal changes. If not, it likely falls in the “signature” category. There’s nothing wrong with using signatures as a part of a comprehensive detection strategy, but we often conflate signatures with behavioral detections.
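To make the function call stack from the earlier analysis and the sample tally in this Result section concrete, here is a small model of both. It is an added example, not code from the post or from any of the tools discussed: the three-function stack and the entry point of each sample are taken from the post, the modality labels are the post’s own subsection labels, and the `Sample` dataclass and the helper names are my own. The point it demonstrates is that, because each level forwards straight to the next, a detection anchored lower in the stack covers more modalities, and one anchored at the RPC procedure covers every sample, whereas one keyed on process creation never sees the in-memory or proxied variants.

```python
"""Model of the Session Enumeration function call stack and the five analysed
samples, to show what a detection anchored at each level of the stack covers.

Added example, not code from the post or from any tool it discusses. The call
stack and each sample's entry point come from the post; the Sample dataclass
and the helper functions are assumptions of this example.
"""
from collections import Counter
from dataclasses import dataclass

# Function call stack for Session Enumeration. Each function calls the next;
# the RPC server side (srvsvc.dll) is a black box, so the chain stops at the
# RPC procedure, which stands in for NdrClientCall3 as the post suggests.
CALL_STACK = [
    "netapi32!NetSessionEnum",
    "srvcli!NetSessionEnum",
    "ms-srvs!NetrSessionEnum",
]


@dataclass(frozen=True)
class Sample:
    name: str
    modality: str
    entry_point: str       # highest function in CALL_STACK the sample calls
    creates_process: bool  # does running it start a new process on the endpoint?


SAMPLES = [
    Sample("net.exe session", "Built-in Console Application", "srvcli!NetSessionEnum", True),
    Sample("NetSess.exe", "Third-party Console Application", "netapi32!NetSessionEnum", True),
    Sample("PowerView Get-NetSession", "PowerShell", "netapi32!NetSessionEnum", True),
    Sample("get-netsession", "BOF", "netapi32!NetSessionEnum", False),
    Sample("netview.py", "Direct RPC Request", "ms-srvs!NetrSessionEnum", False),
]


def functions_executed(sample: Sample) -> list[str]:
    """Every function from the sample's entry point down to the RPC procedure.

    Because each level forwards straight to the next, a sample that enters at
    netapi32 also executes the srvcli function and the RPC procedure.
    """
    start = CALL_STACK.index(sample.entry_point)
    return CALL_STACK[start:]


def entry_point_tally() -> dict[str, int]:
    """How many samples enter the stack at each function (the post's Result)."""
    return dict(Counter(s.entry_point for s in SAMPLES))


def coverage(observed_function: str) -> list[str]:
    """Samples a detection sees if it observes calls to `observed_function`.

    The lower in the stack the observation point, the more modalities it
    covers; observing the RPC procedure itself covers every sample.
    """
    return [s.name for s in SAMPLES if observed_function in functions_executed(s)]


def process_creation_coverage() -> list[str]:
    """Samples a detection keyed on process creation (process name, command
    line, ScriptBlock) can see at all. In-memory and proxied modalities never
    appear here."""
    return [s.name for s in SAMPLES if s.creates_process]


if __name__ == "__main__":
    print("entry points:", entry_point_tally())
    for fn in CALL_STACK:
        print(f"observe {fn:<26} -> {len(coverage(fn))}/{len(SAMPLES)} samples: {coverage(fn)}")
    print("process creation ->", process_creation_coverage())
```

Running the module prints the 3/1/1 tally from the paragraph above and the coverage at each level; `coverage("ms-srvs!NetrSessionEnum")` returns all five names, which is the modality-resilient observation point the post argues for.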

Modality Masquerading as a Technique

Another thing I want to point out is what I perceive to be an error in the way that ATT&CK categorizes some techniques. All tools analyzed in this post implement T1033 System Owner/User Discovery. We know the behavior because we can observe the operation chain (in this case, just a single operation) they are executing. However, for PowerView’s Get-NetSession, an additional technique also applies, specifically T1059.001 Command and Scripting Interpreter: PowerShell. PowerShell is not a technique; instead, it is an execution modality. The distinction between technique (behavior) and modality is important because a modality, like PowerShell, can be applied to any technique. The same applies to some of the other Command and Scripting Interpreter sub-techniques, such as Windows Command Shell: does NetSess.exe implement T1059.003 Command and Scripting Interpreter: Windows Command Shell? I guess so, but that is the least exciting aspect of that sample.

I’m not trying to say that you shouldn’t detect abnormal PowerShell command-lines and ScriptBlock executions like encoded commands and Unmanaged PowerShell. What I’m saying is that this technique is disproportionately common because it is not a behavior like most of the other techniques. It is an execution modality that attackers can apply to most techniques. The problem is that this causes detection rules that over-index on the PowerShell aspect of, for instance, PowerView’s Get-NetSession function to miss all of the other equally devastating implementations out there.

Conclusion

Threat actors and red teamers are spoilt for choice while pursuing their objectives. These choices are not limited to which technique they will use to steal credentials or laterally move, but they also include which tool they will use to implement that technique. Depending on their modality, these tools afford the attacker different capabilities. As defenders, we must understand these differences and their implications for our ability to detect and defend against them.

During our analysis, we saw one tool that is built into the operating system (Built-in Console Application), a tool that had to be dropped to disk (Third-party Console Application), a tool that could run in PowerShell’s memory (PowerShell Script), a tool that runs in the memory of an arbitrary process (Beacon Object File), and a tool that can run via a proxy without ever touching the subject endpoint (Direct RPC Request). It is self-evident that if we want to detect user hunting or Session Enumeration more specifically, we must detect all implementations regardless of their modality.

The truth is that most of us only detect some of the five. We may detect PowerView’s Get-NetSession because we are skeptical of PowerShell code. We may detect net.exe (even though this is not particularly threatening) because it is built-in and has predictable command-line arguments. Do we detect the BOF or the Impacket variation? How about some variation that only calls netapi32!NetSessionEnum, but we have no other known indicators? Have you tested it? In a later post, we will continue building on this knowledge to demonstrate why a single test case does not provide sufficient evidence to answer these questions confidently.
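The conclusion asks for a detection that sees every implementation regardless of modality. One way to get there is to observe the Session Enumeration behavior at the layer all five samples share, the MS-SRVS RPC procedure, rather than at the process or script layer. The following is an added example, not code from the post or from any tool it discusses: it runs a modality-agnostic check over telemetry constructed here in the shape of a Zeek dce_rpc.log (tab-separated with a `#fields` header). The field names and the `srvsvc` / `NetrSessionEnum` endpoint and operation values are assumed to match what such a sensor emits for MS-SRVS opnum 12; the hosts, timestamps and connection ids are constructed. Because the record says nothing about the calling process, net.exe, NetSess.exe, PowerView, the BOF and a proxied Impacket request all look the same to it.

```python
"""Modality-agnostic detection of Session Enumeration from RPC telemetry.

Added example, not from the post or from any tool it discusses. The log is
constructed here in the shape of a Zeek dce_rpc.log; the assumption is that
the sensor names the MS-SRVS interface "srvsvc" and opnum 12 "NetrSessionEnum".
"""
from collections import defaultdict

_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
           "rtt", "named_pipe", "endpoint", "operation"]

# Constructed records: 10.0.0.5 sweeps three servers (the user hunting
# pattern), 10.0.0.9 queries a single server, and two unrelated RPC calls
# act as noise.
_ROWS = [
    ("1715000001.10", "C1", "10.0.0.5", "49711", "10.0.1.10", "445", "0.001", "\\PIPE\\srvsvc", "srvsvc", "NetrSessionEnum"),
    ("1715000001.40", "C2", "10.0.0.5", "49712", "10.0.1.11", "445", "0.001", "\\PIPE\\srvsvc", "srvsvc", "NetrSessionEnum"),
    ("1715000001.70", "C3", "10.0.0.5", "49713", "10.0.1.12", "445", "0.002", "\\PIPE\\srvsvc", "srvsvc", "NetrSessionEnum"),
    ("1715000002.00", "C4", "10.0.0.5", "49714", "10.0.1.12", "445", "0.001", "\\PIPE\\srvsvc", "srvsvc", "NetrSessionEnum"),
    ("1715000005.00", "C5", "10.0.0.9", "50010", "10.0.1.10", "445", "0.001", "\\PIPE\\srvsvc", "srvsvc", "NetrSessionEnum"),
    ("1715000005.20", "C6", "10.0.0.9", "50011", "10.0.1.10", "445", "0.001", "\\PIPE\\srvsvc", "srvsvc", "NetrShareEnum"),
    ("1715000006.00", "C7", "10.0.0.7", "50100", "10.0.1.15", "445", "0.001", "\\PIPE\\samr", "samr", "SamrConnect5"),
]

SAMPLE_DCE_RPC_LOG = ("#fields\t" + "\t".join(_FIELDS) + "\n"
                      + "".join("\t".join(r) + "\n" for r in _ROWS))


def parse_zeek_log(text: str) -> list[dict]:
    """Parse a Zeek-style TSV log into dicts keyed by the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines and blank lines
        elif fields is not None:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def session_enum_events(records: list[dict]) -> list[dict]:
    """Keep only calls to the NetrSessionEnum procedure on the srvsvc interface."""
    return [r for r in records
            if r.get("endpoint") == "srvsvc" and r.get("operation") == "NetrSessionEnum"]


def hunting_sources(records: list[dict], min_targets: int = 3) -> dict[str, list[str]]:
    """Map each client that enumerated sessions on at least `min_targets`
    distinct servers to the sorted list of those servers.

    A single NetrSessionEnum call is routine for administrative tooling; a
    client sweeping many servers in sequence is the user hunting pattern.
    """
    targets = defaultdict(set)
    for r in session_enum_events(records):
        targets[r["id.orig_h"]].add(r["id.resp_h"])
    return {src: sorted(dst) for src, dst in targets.items() if len(dst) >= min_targets}


if __name__ == "__main__":
    recs = parse_zeek_log(SAMPLE_DCE_RPC_LOG)
    print(len(session_enum_events(recs)), "NetrSessionEnum calls")
    for src, dst in hunting_sources(recs).items():
        print(f"{src} enumerated sessions on {len(dst)} servers: {', '.join(dst)}")
```

On the constructed input the sweep from 10.0.0.5 is reported and the single query from 10.0.0.9 is not; the threshold is a tuning choice, not a property of the behavior. The same logic can be fed from host-side RPC telemetry if a sensor exposes the interface and opnum, which is the check to make before relying on it: the detection is only as modality-resilient as the data source beneath it.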

On Detection: Tactical to Functional Series


Behavior vs. Execution Modality was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post Behavior vs. Execution Modality appeared first on Security Boulevard.

New Tracker Warning Features on iPhones & Androids, 2024 Verizon Data Breach Investigations Report

In episode 330 Tom, Scott, and Kevin discuss the new features for iPhones and Android phones designed to warn users about secret trackers, possibly aiding in identifying stalkers. The hosts discuss Apple and Google’s collaboration on a technology called DOLT (Detecting Unwanted Location Trackers), aiming to improve user privacy by detecting Bluetooth trackers like Tiles […]

The post New Tracker Warning Features on iPhones & Androids, 2024 Verizon Data Breach Investigations Report appeared first on Shared Security Podcast.

The post New Tracker Warning Features on iPhones & Androids, 2024 Verizon Data Breach Investigations Report appeared first on Security Boulevard.


The Cybersecurity Guardians: Meet the Top 30 cybersecurity Influencers to Follow in 2024


The ever-evolving landscape of cybersecurity is shaped by a dedicated group of individuals. These pioneers, through their research, entrepreneurship, and tireless efforts, have left a significant mark on the industry. From seasoned security leaders steering the helm of major companies, to passionate bloggers, journalists, podcasters, and authors, this diverse group offers a wealth of perspectives on the ever-present fight against cybercrime. Veterans with decades of experience share the stage with innovative minds constantly pushing boundaries. Whether it's investigative journalists uncovering cybercrime rings, ethical hackers forging new defensive strategies, or company founders shaping the future of online safety, these influencers are united in a common cause. They leverage social media to not only stay updated on the latest threats but also advocate for increased awareness and education. This list compiles the top 30 most influential cybersecurity influencers who actively share their expertise online. If you're interested in cybersecurity, following and engaging with these influential figures is a surefire way to stay informed and inspired.

Top 30 Cybersecurity Influencers of 2024

30. Alexandre Blanc - President and Owner at Alexandre Blanc Cyber

Image source: LinkedIn

Alexandre Blanc is a renowned Cybersecurity Advisor, ISO/IEC 27001 and 27701 Lead Implementer, and a recognised security expert. With a track record of holding successful cybersecurity events, Blanc serves as an Independent Strategic and Security Advisor, providing invaluable counsel to various organisations. His expertise spans incident response management, digital transformations, and dark web investigations. Recognised as a LinkedIn Top Voice in Technology and named among the top security experts with over 75k followers on LinkedIn, Blanc's insights are highly sought-after in the cybersecurity community. Through publications, speaking engagements, and advisory roles, he continues to uplift the IT and security industry.

29. Alissa Abdullah - Deputy CSO at Mastercard

Image source: LinkedIn

Alissa Abdullah, PhD, is a distinguished senior information technology and cybersecurity executive with a rich background spanning Fortune 100 companies, the White House, and the government intelligence community. Currently serving as Deputy Chief Security Officer for Mastercard, she brings over 20 years of experience in IT strategy, fiscal management, and leading large government programmes. Abdullah's strategic leadership extends beyond her corporate role; she serves as a board member for organisations like Girls in Tech, Inc. and Smartsheet, while also lecturing at the University of California, Berkeley. With a PhD in Information Technology Management, and over 17k followers on LinkedIn, she is a recognised authority in cybersecurity and IT leadership.

28. Jane Frankland - CEO at KnewStart

Image source: LinkedIn

Jane Frankland is a prominent figure in cybersecurity with a career spanning over two decades of experience in the field. As a cybersecurity influencer and LinkedIn Top Voice, she has established herself as an award-winning leader, coach, board advisor, author, and speaker. Frankland's expertise lies in bridging the gap between business strategy and technical cybersecurity needs, enabling smoother and more effective engagements. With a portfolio career, she works with major brands as an influencer, leadership coach, and board advisor. Additionally, Frankland is deeply involved in initiatives promoting diversity and inclusion in cybersecurity, aligning her work with the UN Sustainable Development Goals.

27. Mark Lynd - Head of Executive Advisory & Corporate Strategy at NETSYNC

Image source: LinkedIn

Mark Lynd is a globally recognised cybersecurity strategist and keynote speaker in cybersecurity and AI. With over 25 years of experience, including four stints as a CIO & CISO for global companies, he excels in technology, cybersecurity, and AI. Currently, he serves as the Head of Executive Advisory & Corporate Strategy at Netsync, a global technology reseller, where he concentrates on cybersecurity, AI, data center, IoT, and digital transformation. Lynd's accolades include being ranked globally for security and AI thought leadership, and he's authored acclaimed books and eBooks. He holds a Bachelor of Science from the University of Tulsa and is a proud military veteran.

26. Naomi Buckwalter - Director of Product Security at Contrast Security

Image source: LinkedIn

Naomi Buckwalter is an accomplished Information Security Leader, Nonprofit Director, Keynote Speaker, and LinkedIn Learning Instructor. With extensive experience in directing information security programmes, she has notably served as Director of Product Security at Contrast Security and Director of Information Security & IT at Beam Dental. Buckwalter's expertise encompasses compliance, risk management, and security operations. She is also the Founder & Executive Director of the Cybersecurity Gatebreakers Foundation, aiming to revolutionise cybersecurity hiring practices. With a background in computer science and over 99K followers on LinkedIn, she is recognised for her contributions as a cybersecurity thought leader and advocate for diversity in tech.

25. Raj Samani - Chief Scientist for Cybersecurity

Image source: Australian Cyber Conference 2024

Raj Samani is currently a Chief Scientist at Rapid7 and has experience in this industry spanning 20 years. He has worked with law enforcement and is also an advisor to the European Cybercrime Centre. Samani is a sought-after speaker at industry conferences, a published author, and continues to make appearances in podcasts where he discusses his expertise surrounding threat intelligence, cyber defence strategies, and emerging threats. With his following of over 15.2k followers on LinkedIn and 14.4k on Twitter, Samani is influential to his followers due to the cybersecurity-related articles, updates and insights he shares, often engaging not only cybersecurity enthusiasts but also professionals.

24. Tyler Cohen Wood - Co-Founder of Dark Cryptonite

Image source: BankInfoSecurity

Tyler Cohen Wood is a prominent and respected figure in the cybersecurity field. Currently the co-founder of Dark Cryptonite, a Special Comms method of cybersecurity, Wood has over 20 years of experience in the intelligence community. Wood previously served as Senior Intelligence Officer at the Defence Intelligence Agency (DIA) and Cyber Branch Chief at the DIA's Science and Technology Directorate. Wood is also a keynote speaker and provides insight into global cyber threats and national security due to her knowledge of digital privacy and national security. Wood has a following of over 27k on LinkedIn, attention she’s garnered due to her ability to share insightful commentary on cybersecurity issues that explains complex technical concepts easily for all types of audiences.

23. Theresa Payton - CEO of Fortalice Solutions

Image source: Experience McIntire

Theresa Payton was the first ever female Chief Information Officer for the White House from 2006-2008, serving under George W. Bush, and is now the CEO of her company Fortalice Solutions, which she founded in 2008. Payton is best known for consulting, as that is the purpose of her company, providing services like risk assessments, incident response, and digital forensics to government agencies and different industries and businesses about cybersecurity strategy and best IT practices. Payton has over 25k followers on LinkedIn, and this is due to her continuous and avid blogging exposing cybercrimes and tackling cybersecurity on her company's page.

22. Bill Brenner - Vice President, Custom and Research Content Strategy, CyberRisk Alliance

Image source: SC Magazine

Bill Brenner is an experienced professional in the cybersecurity field and has ventured into many areas, including journalist, editor, and community manager. His work has focused on cybersecurity education and awareness. Brenner is currently the Vice President of Custom and Research Content Strategy at CyberRisk Alliance. Brenner's 15.7k followers on Twitter come from his influence surrounding articles posted on CS Media and Techtarget, which are informative and relevant to cybersecurity professionals.

21. Brian Honan - CEO of BH Consulting

Image source: BH Consulting

Brian Honan is the CEO of BH Consulting and has over 30 years of experience in cybersecurity. He was formerly a special advisor on cyber security to Europol’s Cyber Crime Centre, along with being an advisor to the European Union Agency for Network and Information Security. Honan’s work in consultancy is not just aimed at government agencies but also multinational corporations and small businesses. Honan advocates highly for education in the field and is a founding member of the Irish Reporting and Information Security Service (IRISS-CERT). His following of 36.2k on Twitter can be attributed to the articles and blogs he’s written and posted, along with presentations at industry conferences worldwide.

20. Magda Chelly - Senior Cybersecurity Expert

Image source: LinkedIn

Magda Chelly is the first Tunisian woman to be on the advisory board of Blackhat. She has over 10 years of experience in security architecture, risk management, and incident response. Chelly is also a published author and is also known to be a keynote speaker who can deliver her talks in five different languages. She is currently the Managing Director at Responsible Cyber, where she helps organisations implement effective cybersecurity strategies, while also being the founder of Women of Security (WoSEC) Singapore, which aims to encourage women to join the field of cybersecurity. Chelly has over 57k followers on LinkedIn due to her posts on cybersecurity, but also her diversity initiatives, which make her an advocate in the field.

19. Marcus J. Carey - Principal Research Scientist at ReliaQuest, CEO of ThreatCare

Image source: Facebook

Marcus J. Carey is a former Navy Cryptologist who is now in cybersecurity innovation. He has worked many roles, including penetration tester, security researcher, and security engineer, all of which helped to gain new and revolutionary insights into offensive and defensive cybersecurity techniques. Carey is famous for the books he has written surrounding hackers and cybersecurity and is an established CEO of Threatcare, a cybersecurity company focused on providing proactive threat detection and risk assessment solutions. His 52.4k Twitter followers stem from the expertise he shares on social media and his importance in educating future professionals in the field. He is also sought after for speaking at industry conferences.

18. Andy Greenberg - Senior Writer at WIRED

Image source: Penguin Random House

Andy Greenberg is currently a senior writer at Wired magazine, and has written many articles investigating high-profile cyber incidents, hacking groups, and emerging cybersecurity threats. Greenberg's reports often focus on the details of cyberattacks and look at the broader implications for people, the government, and the industry as a whole. His 70.4k followers on Twitter are influenced by his updates and in-depth articles exploring the world of cybersecurity, not only informing the general public but also professionals about the hazards.

17. Paul Asadoorian- IT Security Engineer

Image source: SC Magazine. Paul Asadoorian has been a professional in the cybersecurity field for over 20 years, but his following comes from his blogs and podcasts. He is best known as the founder and host of Security Weekly, where he brings together experts and practitioners from the cybersecurity field to discuss the latest news and research on topics such as network security, application security, and incident response. He is also the founder and CEO of Offensive Countermeasures, a company that helps cybersecurity professionals enhance their skills and stay ahead of evolving threats. His 77.3k followers on Twitter are mostly due to his large social media presence as a podcaster and his posts sharing resources, opinions, and promotion of Security Weekly.

16. Nicole Perlroth- New York Times

Nicole Perlroth is a Pulitzer Prize-winning journalist who covers cybersecurity and digital espionage for The New York Times. She is known for her intensive reporting on cyber threats, hacking incidents, and the intersection of technology and national security. Perlroth has also written a book on the cyberweapons arms race. With 91.5k followers on Twitter, Perlroth shares her own articles as well as insights and updates related to cybersecurity and technology, which draws engagement from both cybersecurity professionals and general readers interested in security.

15. Graham Cluley- Smashing Security

Image source: Smashing Security. Graham Cluley is an author and blogger who has written books on cybersecurity and continues to share news and stories on cybersecurity avidly, both in writing and in speech. Currently, Cluley is an independent cybersecurity analyst, writer, and public speaker. He also runs a podcast where he discusses internet threats and safety in an entertaining, engaging and informative way. Cluley's 112.9k Twitter followers are kept up to date with his podcast, tweets and YouTube videos, which explain cybersecurity topics and how to tackle them in a way tailored to general users of the internet.

14. Rachel Tobac- Hacker and CEO of SocialProof Security 

Image source: LinkedIn. Rachel Tobac is an ethical hacker who helps companies stay safe through her work as CEO of SocialProof Security, which she co-founded. The company focuses on educating employees to recognize and deal with cyberattacks. She has a background in behavioural psychology and uses it to improve cybersecurity awareness and defences among the general public. Tobac also works with the non-profit Women in Security and Privacy (WISP), where she helps women advance in the security field, and she often encourages underrepresented groups to pursue a career in cybersecurity. Tobac's 106k-strong following on Twitter is due to her activism and to the tips and updates she shares about the industry, with some posts being popular for starting debates among professionals.

13. Katie Moussouris- Founder of Luta Security

Image source: SANS Cyber Security Certifications & Research. Katie Moussouris is the founder of Luta Security, which embodies her aims around vulnerability disclosure and safer, more responsible security research. She is a leading figure in both areas and has 20 years of experience in the field. Among Moussouris's leading work is Microsoft's bug bounty programme, which she developed and which was one of the first of its kind in the industry. She also advocates for vulnerability disclosure, which calls for more transparency between security researchers and organisations. Moussouris's 115.5k followers come from her revolutionary developments. She is a frequent speaker at cybersecurity conferences and events, and she often posts and talks about her advocacy for ethical hacking and responsible security practices along with her expertise on vulnerability disclosure and bug bounty programmes.

12. Chuck Brooks- President of Brooks Consulting International 

Image source: The Official Cybersecurity Summit. Brooks is the president of his consulting company, where he advises clients on cybersecurity strategy, risk assessment, and business development. He is also a featured author on many technology and cybersecurity blogs. Brooks has previously held advisory roles with corporations and with government agencies, including the Department of Homeland Security and the Defence Intelligence Agency. Brooks' 116k LinkedIn followers are due to his regular contributions to industry research, news and media articles. He is also a popular keynote speaker who shares his expertise on a wide range of cybersecurity topics.

11. Daniel Miessler- Founder of Unsupervised Learning

Image source: The Official Cybersecurity Summit. Miessler is the founder and CEO of Unsupervised Learning, where he writes informative articles and tackles relevant issues surrounding cybersecurity and what a world after AI means for human beings. Miessler's following of 139.4k on Twitter comes from professionals in the field and novice enthusiasts who engage with his content and discussions because of his experience in the field. He also avidly shares articles and podcasts, bringing his audience up to speed with cybersecurity.

10. Kevin Beaumont- Internet Cyber Personality

Image source: iTWire. Kevin Beaumont is an experienced professional who has worked in various cybersecurity roles, including security engineer and consultant, and specialises in threat detection and incident response. Beaumont is now the Head of Cybersecurity Operations at Arcadia Ltd. and a cybersecurity researcher who runs his own platform where he discusses cybersecurity. Beaumont appeals to newer, younger cybersecurity enthusiasts, with around 150.9k followers on Twitter, due to his engagement with trolling on the internet. He also writes articles on Medium where he informs readers about cybercrime issues such as Microsoft Windows vulnerabilities.

9. Lesley Carhart- hacks4pancakes

Image source: hacks4pancakes. Lesley Carhart is currently a threat analyst and principal responder at Dragos, a company which works to protect industrial control systems from cyber threats, and has experience as a security analyst, incident responder and threat hunter. Her work in both the public and private sectors has given her valuable insights into cybersecurity issues across different industries. Her following of 168k comes from her work as a blogger and speaker who offers career advice in the field of cybersecurity. She also speaks about topics such as industrial control systems, ransomware attacks and more.

8. Bruce Schneier- Schneier on Security

Image source: Wikipedia. Schneier is a specialist in computer security and privacy as well as a cryptographer. Schneier is regarded as one of the most influential people in the field of cryptography and has written numerous books on cybersecurity, some of which are considered seminal works in the field. He has also written articles about security and privacy for magazines such as Wired. Schneier's following of 147.1k comes from his acknowledged impact in his field and from his blog, where he addresses the prevalence of hacking and other cyber dangers that intersect with our everyday lives.

7. Eugene Kaspersky- CEO of Kaspersky Lab

Image source: LinkedIn. Eugene Kaspersky is one of the most impactful individuals in cybersecurity, best known as the CEO of Kaspersky Lab, a company he co-founded in 1997 which identified government-sponsored cyberwarfare. Kaspersky's following of 187.5k comes from how Kaspersky Lab has grown into a global cybersecurity powerhouse offering a wide range of products and services, along with his advocacy for cybersecurity education. Kaspersky is also a keynote speaker on emerging threats and the importance of cybersecurity awareness at industry conferences and events. He also writes a blog where he regularly posts updates about his life in the industry.

6. Eric Geller - Cybersecurity Journalist

Image source: LinkedIn. Eric Geller is a freelance cybersecurity journalist recognised for his insightful coverage of digital security. With a portfolio that includes publications such as WIRED, Politico, and The Daily Dot, Geller offers in-depth analysis of cyber policy, encryption, and data breaches. His investigative reporting touches on the intersections of cybersecurity and everyday life, from election security to critical infrastructure protection. Geller's work extends to interviews with top officials and breaking news on government initiatives. He holds a Bachelor of Arts in Political Science from Kenyon College, and his accolades include induction into the Pi Sigma Alpha national political science honor society.

5. Shira Rubinoff- The Futurum Group 

Image source: The Futurum Group. Shira Rubinoff is a cybersecurity and blockchain advisor as well as a popular keynote speaker and author. She is the President of SecureMySocial, a cybersecurity company that focuses on protecting organizations from social media risks such as data leakage, reputational damage, and insider threats. She has produced many impactful videos consisting of interviews and conversations with other professionals. She is known as one of the top businesswomen in the field, currently runs a cybersecurity consulting firm, and serves as the Chair of the Women in Cybersecurity Council (WCI), which aims to encourage more women to join the field. Her follower count of 190.4k is due not only to her experience as a businesswoman but also to her constant interaction on social media, where she posts talks, videos, podcasts, written work and more on many cybersecurity topics.

4. Mikko Hyppönen- Chief Research Officer at WithSecure 

Image source: WithSecure. Mikko Hyppönen has been in the world of cybersecurity since the late 1980s. Since then he has led researchers in identifying and eliminating emerging cyber threats, while providing insights and solutions to protect individuals, businesses, and governments from cybercrime. Hyppönen has written for well-known newspapers such as the New York Times, has appeared on international TV, and has lectured at universities such as Oxford and Cambridge. His 230.5k followers are due to his engaging and informative presentations, which help raise awareness about cybersecurity threats. He also has a following for his blog posts and research papers detailing his expertise.

3. Kim Zetter - Investigative Journalist and Book Author

Image source: IMDb. Kim Zetter is an award-winning investigative journalist renowned for her expertise in cybersecurity and national security. With a distinguished career spanning publications such as WIRED, Politico, and The New York Times Magazine, Zetter is a respected authority on topics ranging from election security to cyber warfare. Her book, "Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon," offers a gripping narrative of covert cyber operations. As a sought-after speaker and social media personality with over 7K followers on LinkedIn, she shares insights at conferences worldwide. Zetter's relentless pursuit of the truth has earned her acclaim and established her as a leading voice in cybersecurity journalism.

2. Brian Krebs- Krebs on Security

Image source: Keppler Speakers. Brian Krebs is an investigative journalist who wrote for The Washington Post from 1995 to 2009, including its Security Fix blog. He now runs his own blog, Krebs on Security, in which he provides in-depth analysis and reports, along with promptly posted breaking news on cybercrime, hacking, data breaches, and more. Krebs has received many awards for his investigative journalism, including being a Pulitzer Prize finalist for his coverage of cybersecurity problems. Krebs' 347.9k followers are due to the reputation his blog widely holds as a first choice for accurate, fast information, and to the way he holds individuals and organisations accountable in his work.

1. Robert Herjavec- CEO of Global Cybersecurity Firm - Cyderes

Image source: Cyderes. Herjavec is the CEO of the Herjavec Group and of the global cybersecurity firm Cyderes, which provides many security services including threat detection and response, identity and access management, and compliance solutions. He also features on BBC's Shark Tank and provides motivational business advice through his books and videos. His following of 2.2 million may be due to his appearance on the show, but he continues to actively post insights and commentary on cybersecurity trends and ever-changing threats. Most of his followers are there for what he shares on business and entrepreneurship, but Herjavec frequently shares cybersecurity-related articles and updates as well.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Live at RSA: AI Hype, Enhanced Security, and the Future of Cybersecurity Tools

In this first-ever in-person recording of Shared Security, Tom and Kevin, along with special guest Matt Johansen from Reddit, discuss their experience at the RSA conference in San Francisco, including their walk-through of ‘enhanced security’ and the humorous misunderstanding that ensued. The conversation moves to the ubiquity of AI and machine learning buzzwords at the […]

The post Live at RSA: AI Hype, Enhanced Security, and the Future of Cybersecurity Tools appeared first on Shared Security Podcast.

The post Live at RSA: AI Hype, Enhanced Security, and the Future of Cybersecurity Tools appeared first on Security Boulevard.
