Yesterday, 4 May 2024

Airsoft Data Breach Exposes Data of 75,000 Players – Source: securityboulevard.com


Source: securityboulevard.com – Author: Nathan Eddy Failure to properly configure authentication led to malicious actors exploiting the database backups of Airsoftc3.com, a popular Airsoft enthusiast community site, according to Cybernews researchers, who discovered the breach in December. The breach exposed sensitive user data, affecting approximately 75,000 individuals within the community involved with Airsoft, a team-based […]

The entry Airsoft Data Breach Exposes Data of 75,000 Players – Source: securityboulevard.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Before yesterday

GitLab ‘Perfect 10’ Bug Gets a CISA Warning: PATCH NOW

3 May 2024 at 13:05
Extreme closeup of “TEN” on US$10 note

Password reset FAILURE: The U.S. Cybersecurity and Infrastructure Security Agency warns GitLab users of a 100-day-old, maximum severity vulnerability.

The post GitLab β€˜Perfect 10’ Bug Gets a CISA Warning: PATCH NOW appeared first on Security Boulevard.

Cybersecurity Insights with Contrast CISO David Lindner | 5/3/24

Insight #1

Here we go again: Verizon’s new Data Breach Investigations Report (DBIR) is out, and once again, unauthorized use of web application credentials and exploits of vulnerabilities in web applications are among the top three on the breach list. It’s the same, lame story every single year. At what point will the industry figure out that Application Security (AppSec) status quo methods, such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and web application firewalls (WAFs), aren't working? Why not give something new, like Runtime Security, a chance?

The post Cybersecurity Insights with Contrast CISO David Lindner | 5/3/24 appeared first on Security Boulevard.

Tackling Data Security Challenges in Hybrid and Cloud Banking Environments

2 May 2024 at 10:42

Financial institutions are among the most regulated businesses in the world. That’s understandable given their role in a key critical infrastructure sector and rising threat levels across the industry. It’s why in the EU, the Digital Operational Resilience Act (DORA) will soon take effect, to improve baseline security efforts in the sector. Yet even as investment in cybersecurity increases, breaches continue to occur. The IMF warned recently that cyber-incidents over the past 20 years have cost the sector $12bn.

The post Tackling Data Security Challenges in Hybrid and Cloud Banking Environments appeared first on Security Boulevard.

Lawsuits After Ransomware on the Rise, Comparitech Says

1 May 2024 at 15:24
ransomware lawsuits court

Ransomware attacks are an expensive proposition for any company. For example, a report this week by cybersecurity firm Sophos found that while the percentage of companies that were victims of ransomware this year has dropped slightly, the recovery costs, which don’t include a ransom payment, have jumped to $2.73 million, a 50% increase.

The post Lawsuits After Ransomware on the Rise, Comparitech Says appeared first on Security Boulevard.

Data Breaches in April 2024 – Infographic

1 May 2024 at 06:10

Data breaches are like uninvited guests at a party – they show up unexpectedly, take what they want, and leave a big mess behind. This April, the party crashers were particularly busy, leaving a trail of exposed information in their […]

The post Data Breaches in April 2024 – Infographic appeared first on WeSecureApp :: Simplifying Enterprise Security.

The post Data Breaches in April 2024 – Infographic appeared first on Security Boulevard.

PIPEDA Compliance with Accutive Data Discovery and Masking: Understanding and protecting your Canadian sensitive data

30 April 2024 at 16:02

What is PIPEDA, Canada’s Personal Information Protection and Electronic Documents Act? PIPEDA, or the Personal Information Protection and Electronic Documents Act, is Canada’s primary federal privacy law governing the collection, use, and disclosure of personal information by private-sector organizations. PIPEDA establishes ten fair information principles to guide organizations in their handling of personal data. What […]

The post PIPEDA Compliance with Accutive Data Discovery and Masking: Understanding and protecting your Canadian sensitive data first appeared on Accutive Security.

The post PIPEDA Compliance with Accutive Data Discovery and Masking: Understanding and protecting your Canadian sensitive data appeared first on Security Boulevard.

Brits Ban Default Passwords – and More IoT Stupidity

30 April 2024 at 14:12
‘Union Jack’ bunting in Balham after the Queen’s Platinum Jubilee celebrations, June 2022

Nice Cup of IoTea? The UK’s Product Security and Telecommunications Infrastructure Act aims to improve the security of net-connected consumer gear.

The post Brits Ban Default Passwords – and More IoT Stupidity appeared first on Security Boulevard.

Privacy Challenges in Relationships, Phishing Down but Vulnerabilities Up?

By: Tom Eston
29 April 2024 at 00:00

In episode 327 Tom, Scott, and Kevin discuss the findings from Mandiant’s M-Trends 2024 report, highlighting a significant rise in traditional vulnerability exploitation by attackers while observing a decline in phishing. Despite phishing’s decreased prevalence, it remains the second most popular method for gaining initial network access. Discussions include the impact of high-profile vulnerabilities and […]

The post Privacy Challenges in Relationships, Phishing Down but Vulnerabilities Up? appeared first on Shared Security Podcast.

The post Privacy Challenges in Relationships, Phishing Down but Vulnerabilities Up? appeared first on Security Boulevard.


Nemesis 1.0.0

25 April 2024 at 14:28

In August of last year, @tifkin_, @0xdab0, and I released Nemesis, our offensive data enrichment platform. After lots of feedback, operational testing, hundreds of commits, and another solid dev cycle, we’re proud to finally announce Nemesis’ 1.0.0 release. This post will detail several of the major changes we’re excited about, from host modeling, to a streamlined installation process, dashboard improvements, and more!

Host Modeling

Since the beginning of development, one of our visions for Nemesis has been for it to provide guidance to operators agnostic of their C2 tooling. If we want Nemesis to be able to perform analysis like PowerUp’s privilege escalation, we have to build a proper offline data model to handle the analysis we want. Part of this involves the very specific problem of host “uniqueness” when you have data coming in from a number of different C2 sources.

This, however, ended up being a more challenging task than we anticipated. We will be releasing a detailed post diving into all of the nuances of this problem in the next few weeks, but we wanted to at least highlight the problem as we viewed it. We also have a specific temporal issue that we’ll touch on briefly as well.

The host uniqueness problem is a consequence of the variety of ways host data can be ingested into Nemesis. In order to perform host-based analysis, we have to collapse data from potentially multiple ingested sources into a single host abstraction so we don’t miss any details. For example, consider having multiple C2 agent types on the same host. C2 agents can report a host’s short name (e.g., NetBIOS name), fully qualified name, or IP addresses. We might be performing an action against a remote host from a C2 agent, e.g., downloading a file from a host that doesn’t have an agent on it while the connection is routed through an existing agent. And finally, we might have manual data we’re uploading through the Nemesis interface in case there isn’t an existing connector.

With all of these options, the way to elegantly (well, at least as elegantly as possible) combine data from multiple ingestion sources, in a way that lets us break sections back apart if there is a mapping mistake, was…tricky. We also ran across a “temporal problem” for specific types of data like file or process listings, where the data are ephemeral and can be influenced by operator events. For example, if you took a file listing but then uploaded or deleted a file on the host, the ground truth (as far as you know) for the filesystem state has to be built from multiple pieces. This data may also be ingested out of order (e.g., ingesting long-term collection output from a tool running on another host). Luckily, we believe we have a solution for this too!

If you’re as interested in this type of problem as we are (Bueller? Bueller?) keep an eye out for our upcoming modeling deep dive post.
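To make the uniqueness problem concrete, here is an added example, not Nemesis code, of one way to fold identifiers reported by several C2 sources into a single host abstraction while keeping enough provenance to split a bad merge back apart: a union-find over normalized identifier keys that is always rebuilt from the retained observations, so retracting one mis-attributed observation undoes exactly its merges. The sources, host names and IPs below are constructed. IP addresses are used as merge keys here to show the retract path; in practice they are weak identifiers (DHCP, NAT) and a real model would scope them in time. The temporal problem for file and process listings is not modeled.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Identifier kinds a C2 agent, a routed remote action or a manual upload might report.
KIND_SHORT, KIND_FQDN, KIND_IP = "short", "fqdn", "ip"


@dataclass(frozen=True)
class Observation:
    """One ingestion event: `source` saw these (kind, value) identifiers together on one host."""
    obs_id: str
    source: str
    identifiers: FrozenSet[Tuple[str, str]]


def normalize(kind: str, value: str) -> List[str]:
    """Canonical keys an identifier should collide on; a FQDN also implies its short name."""
    v = value.strip().lower().rstrip(".")
    if kind == KIND_FQDN:
        return [f"fqdn:{v}", f"short:{v.split('.')[0]}"]
    if kind == KIND_SHORT:
        return [f"short:{v}"]
    if kind == KIND_IP:
        return [f"ip:{v}"]
    raise ValueError(f"unknown identifier kind {kind!r}")


class HostResolver:
    """Union-find over normalized identifier keys, rebuildable from the retained observations."""

    def __init__(self) -> None:
        self.observations: Dict[str, Observation] = {}
        self._parent: Dict[str, str] = {}
        self._obs_by_key: Dict[str, Set[str]] = {}

    def _find(self, key: str) -> str:
        self._parent.setdefault(key, key)
        while self._parent[key] != key:
            self._parent[key] = self._parent[self._parent[key]]  # path halving
            key = self._parent[key]
        return key

    def _apply(self, obs: Observation) -> None:
        # Every key the observation mentions ends up in one set; remember which observation said so.
        keys = [k for kind, value in sorted(obs.identifiers) for k in normalize(kind, value)]
        for k in keys:
            self._obs_by_key.setdefault(k, set()).add(obs.obs_id)
            root_a, root_b = self._find(keys[0]), self._find(k)
            if root_a != root_b:
                self._parent[root_b] = root_a

    def ingest(self, obs: Observation) -> None:
        self.observations[obs.obs_id] = obs
        self._apply(obs)

    def retract(self, obs_id: str) -> None:
        """Undo a mis-attributed observation by dropping it and rebuilding the partition."""
        del self.observations[obs_id]
        self._parent.clear()
        self._obs_by_key.clear()
        for obs in self.observations.values():
            self._apply(obs)

    def host_of(self, kind: str, value: str) -> str:
        """Opaque host id (the set's root key) for an identifier that has been observed."""
        key = normalize(kind, value)[0]
        if key not in self._parent:
            raise KeyError(f"never observed: {key}")
        return self._find(key)

    def hosts(self) -> List[FrozenSet[str]]:
        groups: Dict[str, Set[str]] = {}
        for key in list(self._parent):
            groups.setdefault(self._find(key), set()).add(key)
        return sorted((frozenset(g) for g in groups.values()), key=lambda g: sorted(g))

    def sources_for(self, kind: str, value: str) -> Set[str]:
        """Which C2 agents / connectors contributed data to the host this identifier belongs to."""
        root = self.host_of(kind, value)
        return {self.observations[o].source
                for key, obs_ids in self._obs_by_key.items() if self._find(key) == root
                for o in obs_ids}


def build_demo_resolver() -> HostResolver:
    """Constructed scenario: two agents on WS01, a routed action against FS02, and a manual upload."""
    r = HostResolver()
    r.ingest(Observation("a1", "agent-1 (C2 A)", frozenset({(KIND_SHORT, "WS01"), (KIND_IP, "10.0.0.5")})))
    r.ingest(Observation("a2", "agent-7 (C2 B)", frozenset({(KIND_FQDN, "ws01.corp.local"), (KIND_IP, "10.0.0.5")})))
    r.ingest(Observation("r1", "agent-7 via SMB", frozenset({(KIND_FQDN, "FS02.corp.local")})))
    r.ingest(Observation("m1", "manual upload", frozenset({(KIND_SHORT, "fs02"), (KIND_IP, "10.0.0.9")})))
    return r
```

The design choice worth noting is that the partition is never edited in place: the observations are the record, and the host abstraction is a pure function of them, which is what makes an undo cheap and exact.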

HELM Charts!

Helm to 108!

One of the most common pieces of negative, yet legitimate, feedback we received about Nemesis was the complexity of its installation. Previously, setting up Nemesis required a number of prerequisites like Docker, Helm, and Kubernetes via Minikube. In response to this feedback, we’ve now adopted k3s, which can be installed with one command and doesn’t depend on Docker. Our updated quickstart guide outlines the full installation process in just five steps, making it quicker to get up and running.

We’ve significantly improved the deployment process of Nemesis with the transition from Skaffold to Helm. Max worked hard on creating three new Helm charts: quickstart, nemesis, and monitoring. The quickstart chart is designed to configure all the secrets and dependencies necessary for Nemesis, providing an easy setup for most users. Advanced users, who might want to manually manage these settings or integrate with a Kubernetes secrets manager, will want to replicate the functionality of the quickstart chart themselves. The nemesis chart sets up all the required Nemesis services like before. The monitoring chart is an optional installation that deploys monitoring services like Fluentd, Grafana, and Prometheus for those who want more insight into logging and performance. Additionally, this change has allowed us to eliminate the need for the janky nemesis-cli.py script!

Additionally, we now push builds of the Nemesis Docker images to Docker Hub, meaning users no longer have to go through the build process. The entire setup process is described here in the documentation, but involves setting up the prerequisites, running the Nemesis quickstart chart to configure a handful of secrets/configs, and running the Nemesis Helm chart from a local clone or the remote repo. Here’s what the core Nemesis deployment looks like when running the local Helm chart:

Nemesis installation with a local Helm chart.

Another nice side effect of this is that Max was able to get self-signed TLS working, so communication to the Nemesis endpoint is now all over HTTPS. Additionally, the monitoring infrastructure is now optional, which can help save on resources. Big thanks to @M_alphaaa for helping us out with some Helm issues!

And finally, for those who really like Minikube or Docker Desktop, we do have documentation for setting up Nemesis using the new installation procedure. Note that we will only be officially supporting k3s going forward (it’s way easier, we promise!).

Text Search Modifications

The “Summoning RAGnarok With Your Nemesis” post we released in March has complete details on these modifications, but TL;DR we completely redid how text search works under the hood for Nemesis.

In the Document Search page, there are now two tabs. The first, “Full Document Search”, searches for text phrases over the entire text extracted from any compatible document, à la Google:

Full Document Search

The main difference here is that we now have search filters that let you include or exclude specific paths, name patterns, or file extensions:

Include path filter.
Exclude path filter.

We also collapsed the old “Source Code Search” tab into “Full Document Search”. In order to search indexed source instead of extracted document text, select source_code as the index in the expanded search filter section:

Changing search indexes.

The “Text Snippet Search” tab now replaces the old “Semantic Search” tab and has received a complete overhaul. This tab searches over snippets of text extracted from compatible documents, where each snippet/chunk is ~400–500 words. If you want to know more about why this chunking was used, check out the “Summoning RAGnarok With Your Nemesis” post!

When you type a term or question into this search, the query is passed to the new https://<NEMESIS>/nlp/ endpoint, specifically the /nlp/hybrid_search route. Nemesis calculates the embedding vector for the query and searches for the closest vector/text pairs, and also performs a more classic BM25 “fuzzy” search over the text and the indexed document title. The two result lists are fused through Reciprocal Rank Fusion and returned reordered to the user:

Hybrid search.

Note: deselecting “Use Hybrid Vector Search” will remove the embedding vector approach and use just the BM25 “fuzzy” search. “Snippet Search” also has the same include/exclude filters that the “Full Document Search” tab has.
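The following is an added example, not the Nemesis /nlp/hybrid_search implementation, showing the mechanics the two paragraphs above describe: a BM25 ranking over snippet text plus document title, a vector ranking, and Reciprocal Rank Fusion of the two, with the BM25-only path that unticking “Use Hybrid Vector Search” gives. The snippets and titles are constructed, and a character-trigram bag stands in for the sentence-embedding model Nemesis uses; the real model, endpoint code and chunking are not reproduced here.

```python
import math
import re
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Constructed snippets and their document titles; both text and title are indexed for BM25.
TITLES = ["it-runbook.docx", "finance-q3.xlsx", "passwords.txt", "onboarding.pdf"]
SNIPPETS = [
    "Rotate the service account password every 90 days and store it in the vault.",
    "Quarterly revenue figures by region, pending audit.",
    "admin creds: svc_backup / Summer2023! (temporary, please change)",
    "New hires receive their initial credentials from the helpdesk.",
]


def tokenize(text: str) -> List[str]:
    return re.findall(r"[a-z0-9_]+", text.lower())


class BM25:
    """Classic BM25 lexical ranking: the 'fuzzy' text side of the hybrid search."""

    def __init__(self, docs: Sequence[str], k1: float = 1.5, b: float = 0.75) -> None:
        self.k1, self.b = k1, b
        self.docs = [tokenize(d) for d in docs]
        self.n = len(self.docs)
        self.avgdl = sum(len(d) for d in self.docs) / self.n
        self.df = Counter(t for d in self.docs for t in set(d))

    def rank(self, query: str) -> List[Tuple[int, float]]:
        scores = []
        for i, doc in enumerate(self.docs):
            tf = Counter(doc)
            s = 0.0
            for t in tokenize(query):
                if t not in tf:
                    continue
                idf = math.log(1 + (self.n - self.df[t] + 0.5) / (self.df[t] + 0.5))
                norm = self.k1 * (1 - self.b + self.b * len(doc) / self.avgdl)
                s += idf * tf[t] * (self.k1 + 1) / (tf[t] + norm)
            scores.append((i, s))
        return sorted(scores, key=lambda x: -x[1])


def embed(text: str) -> Counter:
    """Assumption: a character-trigram bag stands in for the sentence-embedding model."""
    joined = " ".join(tokenize(text))
    return Counter(joined[i:i + 3] for i in range(max(len(joined) - 2, 0)))


def cosine(a: Counter, b: Counter) -> float:
    dot = sum(v * b[k] for k, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def reciprocal_rank_fusion(rankings: Sequence[Sequence[int]], k: int = 60) -> List[Tuple[int, float]]:
    """RRF: score(d) = sum over rankings of 1/(k + rank_d). k=60 damps the top ranks so one
    list cannot dominate; a document high in only one list still scores below one high in both."""
    fused: Dict[int, float] = {}
    for ranking in rankings:
        for rank, doc in enumerate(ranking, start=1):
            fused[doc] = fused.get(doc, 0.0) + 1.0 / (k + rank)
    return sorted(fused.items(), key=lambda x: (-x[1], x[0]))


def hybrid_search(query: str, snippets: Sequence[str] = SNIPPETS, titles: Sequence[str] = TITLES,
                  use_vector: bool = True, top_n: int = 3) -> List[int]:
    """Snippet indices for a query: BM25 over title+text, fused with the vector ranking via RRF."""
    bm25 = BM25([f"{t} {s}" for t, s in zip(titles, snippets)])
    lexical = [i for i, s in bm25.rank(query) if s > 0]
    if not use_vector:  # 'Use Hybrid Vector Search' unticked: BM25 only
        return lexical[:top_n]
    qv = embed(query)
    vector = sorted(range(len(snippets)), key=lambda i: -cosine(qv, embed(snippets[i])))
    return [doc for doc, _ in reciprocal_rank_fusion([lexical, vector])][:top_n]
```

With the query “where are credentials stored”, BM25 alone returns only the onboarding snippet (the single exact token match), while the hybrid path still ranks it first but fills the remaining slots from the vector ranking, which is the behaviour the two tabs trade off.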

If you want to use a local LLM to chat over text extracted from Nemesis documents, check out RAGnarok!

Hasura API

Nemesis has a very rich backend data model that’s presented in two ways: a semi-structured and easily searchable form in Elasticsearch, and a highly structured form in PostgreSQL. While Kibana/Elastic have been accessible in Nemesis since the beginning, one piece of feedback we commonly heard was there was no way to easily access the structured data. We have had pgAdmin present for basic troubleshooting but nothing programmatically accessible.

Hasura fixes that! Hasura lets us easily construct GraphQL and REST APIs on top of our existing PostgreSQL database. Once it’s deployed, we get an awesome interface where we can play around with query and subscription construction:

Hasura interface.

This also means we can do some basic scripting to process existing data or new data as it comes in. We have some improved documentation (another 1.0.0 “feature”!) which includes information about scripting with Hasura here:

Basic Hasura scripting.

Dashboard Changes

As the Nemesis /dashboard/ route is the main way operators interact with Nemesis, it’s one of the pieces we received the most feedback on. There are nearly too many quality-of-life changes to count, but we’ll highlight a few of them here:

The File Viewer was broken out into its own page, which displays syntax-highlighted text or the raw hex of a binary file. It is accessible via the i icon on the main Files page:

Link for detailed file information.
Detailed file viewer.

The File Upload was broken out into its own page with values saved in cookies for persistence between runs:

New File Upload page.

We finally exposed the Custom Cracklist endpoint in the interface. This service keeps a unique list of non-dictionary words extracted from documents and lets you download the X most common:

Custom Cracklist download.
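As an added illustration (not the Nemesis service itself) of what a custom cracklist does: tokenize extracted document text, drop anything whose alphabetic core is a dictionary word, count what remains with case preserved, and return the X most common. The three documents and the small dictionary below are constructed; a real deployment would filter against a full wordlist and feed the output to hashcat or john as a base wordlist.

```python
import re
from collections import Counter
from typing import Iterable, List, Optional, Set

# Constructed stand-in dictionary; anything whose alphabetic core is in here is not "custom".
DICTIONARY: Set[str] = {
    "welcome", "connect", "through", "before", "reach", "fileshare", "password", "rotates",
    "quarterly", "current", "value", "lives", "vault", "helpdesk", "reset", "tokens",
    "selfservice", "portal",
}

# Candidate tokens start with a letter and are at least four characters; digits and common
# password symbols are kept so Winter2024! or svc_backup survive, while 1-3 letter words do not.
TOKEN_RE = re.compile(r"[A-Za-z][A-Za-z0-9!@#$%^&*_\-]{3,}")


def is_dictionary_word(token: str, dictionary: Set[str]) -> bool:
    """Compare only the alphabetic core, case-insensitively, so 'PASSWORD!' is still a dictionary word."""
    core = re.sub(r"[^a-z]", "", token.lower())
    return core in dictionary


class CustomCracklist:
    """Unique non-dictionary words seen across extracted documents, ranked by frequency."""

    def __init__(self, dictionary: Set[str] = DICTIONARY) -> None:
        self.dictionary = dictionary
        self.counts: Counter = Counter()

    def ingest(self, text: str) -> int:
        """Index one document's extracted text; returns how many candidate tokens were kept."""
        kept = 0
        for token in TOKEN_RE.findall(text):
            if is_dictionary_word(token, self.dictionary):
                continue
            self.counts[token] += 1  # case preserved: cracking rules can toggle case later
            kept += 1
        return kept

    def top(self, x: int) -> List[str]:
        """The X most common custom words; ties broken alphabetically so downloads are stable."""
        return [w for w, _ in sorted(self.counts.items(), key=lambda kv: (-kv[1], kv[0]))[:x]]


def build_demo_cracklist(docs: Optional[Iterable[str]] = None) -> CustomCracklist:
    """Constructed document text standing in for what text extraction would produce."""
    docs = docs or [
        "Welcome to Contoso. Connect through ContosoVPN before you reach the fileshare.",
        "Password for svc_backup rotates quarterly; current value Winter2024! lives in the Contoso vault.",
        "Contoso helpdesk: reset ContosoVPN tokens via the selfservice portal.",
    ]
    cl = CustomCracklist()
    for d in docs:
        cl.ingest(d)
    return cl
```

On the constructed documents the top three are the organisation name, its VPN product name and a seasonal password, which is exactly the kind of environment-specific material a generic wordlist will never contain.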

If there are any Yara rule matches against a downloaded file, the match is displayed in a new sub-tab along with the matching rule text. The appropriate icon on the Files page will link you directly to these results now as well:

Hyperlinked Yara tag.
Yara results.

The NoseyParker tab was revamped and hyperlinked from the displayed tag bubbles as well:

NoseyParker result display.

Countless Miscellaneous Changes

There were, of course, countless other bug fixes and tweaks as well. We’ll run through a grabbag of them here:

  • Added additional documentation, including (finally) a usage guide to get people started.
  • Streamlined NLP indexing to prevent choking and exposed a /nlp/ route for search.
  • Removed the Tensorflow model hosting and DeepPass as the model just wasn’t accurate enough to be useful.
  • Streamlined hash cracking and added in deduplication so hashes aren’t cracked twice.
  • Added a `monitor` command to submit_to_nemesis.sh for continual file submission.
  • Any compatible file is now handled by Apache Tika instead of a subset.
  • Detection of already processed files and suppression of alerts.
  • Automatic expunging of expired data via the `data_expunge` task.
  • Added Jupyter notebooks back into the stack.
  • Processing for Chromium JSON cookie dumps.
  • Countless other bug fixes and small usability changes.

Wrapup

We’ve put a lot of blood, sweat, and tears (mostly at k8s) into Nemesis, and we’re incredibly excited for this official 1.0.0 release! With the quality of life changes and ease of installation with Helm, we’re looking forward to more people getting to play with Nemesis hands on.

If you play around with Nemesis, let us know what works and what doesn’t! Come join us in the #nemesis-chat channel of the BloodHound Slack! We (the main Nemesis devs, @tifkin_, @harmj0y, and @Max Harley) are all active in that channel.


Nemesis 1.0.0 was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post Nemesis 1.0.0 appeared first on Security Boulevard.

The CISO’s Top Priority: Elevating Data-Centric Security

25 April 2024 at 11:06

The shift to cloud computing has enhanced the resilience and security of most organizations. In this era of unparalleled agility and scalability, data-centric security can offer transformational opportunities for Chief Information Security Officers (CISOs) to improve data protection, compliance, and operational efficiencies, thereby strengthening customer trust. Despite this, a layered defense model is still necessary […]

The post The CISO’s Top Priority: Elevating Data-Centric Security appeared first on Blog.

The post The CISO’s Top Priority: Elevating Data-Centric Security appeared first on Security Boulevard.

It’s All About Data: How to Drive Secure Use of AI

25 April 2024 at 10:42

Although artificial intelligence (AI) has been with us for some time, the technology seems to be everywhere these days, as vendors and end users get more vocal about its benefits. They’re right to be enthused. McKinsey estimates that AI could unlock trillions of dollars’ worth of value globally across functions in 19 sectors. In some areas, it’s no longer about even carving out competitive differentiation, but merely delivering what is expected by customers and employees.

The post It’s All About Data: How to Drive Secure Use of AI appeared first on Security Boulevard.

Transforming Customer Experience: Enhancing CX through CIAM and Insights

24 April 2024 at 20:00

Learn how to elevate your CX strategies with CIAM and data-driven insights. From seamless digital experiences to proactive customer engagement, discover the key to driving growth and loyalty in a competitive market.

The post Transforming Customer Experience: Enhancing CX through CIAM and Insights appeared first on Security Boulevard.

CCPA Compliance with Accutive Data Discovery and Masking: Understanding and protecting your sensitive data

24 April 2024 at 17:21

What is the CCPA, the California Consumer Privacy Act? CCPA, or the California Consumer Privacy Act, is a California data privacy law that came into effect in early 2020. The CCPA grants California residents several key rights about how businesses collect, use and share their personal information. The CCPA contains 4 key protections […]

The post CCPA Compliance with Accutive Data Discovery and Masking: Understanding and protecting your sensitive data first appeared on Accutive Security.

The post CCPA Compliance with Accutive Data Discovery and Masking: Understanding and protecting your sensitive data appeared first on Security Boulevard.

CoralRaider Group Delivers Three Infostealers via CDN Cache

24 April 2024 at 14:35
infostealer malware data

A threat group that’s been around since last year and was first identified earlier this month is using three high-profile information stealers in a wide-ranging campaign to harvest credentials, financial information, and cryptocurrency wallets from targets around the world who were downloading the malware that masqueraded as movie files. Researchers with Cisco’s Talos threat intelligence…

The post CoralRaider Group Delivers Three Infostealers via CDN Cache appeared first on Security Boulevard.

LabHost Phishing Platform is Latest Target of International Law Agencies – Source: securityboulevard.com


Source: securityboulevard.com – Author: Jeffrey Burt The takedown this week of a massive phishing-as-a-service (PhaaS) operation spanned law enforcement agencies from both sides of the Atlantic and is the latest example of an increasingly aggressive approach by authorities to disrupt the operations of high-profile cybercriminal gangs. Agencies from 19 countries participated in the operation against […]

The entry LabHost Phishing Platform is Latest Target of International Law Agencies – Source: securityboulevard.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Taking Time to Understand NIS2 Reporting Requirements – Source: securityboulevard.com


Source: securityboulevard.com – Author: Brian Robertson The newest version of the European Union Network and Information Systems directive, or NIS2, came into force in January 2023. Member States have until October 2024 to transpose it into their national law. One of the most critical changes with NIS2 is the schedule for reporting a cybersecurity breach. […]

The entry Taking Time to Understand NIS2 Reporting Requirements – Source: securityboulevard.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Data Security Firm Cyera Raises $300 Million at $1.4 Billion Valuation

9 April 2024 at 11:31

Data security company Cyera’s latest $300 million funding round brings the total raised by the firm to $460 million, at unicorn valuation.

The post Data Security Firm Cyera Raises $300 Million at $1.4 Billion Valuation appeared first on SecurityWeek.
