BYOVD, Rust Windows core, RSA Conference 2023, more - April 22-28th - F5 SIRT - This Week in Security
More content:
RSA Conference 2023: DevSecOps and The Future Of Security
https://securityboulevard.com/2023/05/rsa-conference-2023-devsecops-and-the-future-of-security/
The future of DevSecOps
The person who coined the term "DevSecOps," Shannon Lietz, former VP of Adobe Security, delivered the day's keynote. In her session: "DevSecOps… The Train has Left the Station!" she laid out her vision for how we can get to a better, more secure future in DevOps by staying focused on three overarching topics:
Improving Accessibility
Improving Transparency
Improving Accountability
A simple, clear response plan for non-security folks
In her session "Incident Response for Developers," the one and only Tanya Janca, author and founder of We Hack Purple, shared with us a training course we can use with our own teams. Along the way, she told a lot of amusing anecdotes gained from her years of security leadership.
She said one of our most important jobs is helping the rest of the team understand their role during any security incident. What we tell them can boil down to a fairly short list:
1. "Tell the security team if you see something." It is important to let them know you will never be mad at a false alarm. It is always better for them to tell security than to act on their own.
2. "Don't leave the premises without telling security." Developers are used to going home when the day is done and they have reached a logical stopping point. You must explain that it is critical for them to stay around until the security team clears everyone to depart.
3. "This incident is top priority. Treat it like an emergency." This is not just a high priority; this is a fire. Do not hide things in order to keep working on that Jira ticket.
4. "Follow 'need to know' rules about security information." Do not spread what you 'think' is correct. When in doubt, just remember the first item on this list.
5. "Don't try to manage it yourself and try to be a hero." Unfortunately, acting independently and without the right training in some security situations can mean contaminating evidence or breaking the chain of custody, which helps bad actors go free even if they are caught.
Tomorrow's SOC
Bryan Palma, CEO of Trellix, foresees a future where we respond to the growing threats more aggressively and with a different approach than the one we have been taking, which largely amounts to throwing more security personnel at every security issue. In his talk "SIEM There, Done That: Rising Up in the SecOps Revolution," Bryan said he visited 6 different Security Operations Centers (SOCs) and was shocked by the state of things. The rapid expansion of threats and the variety of attacks have meant longer hours and teams struggling to stay motivated.
He then laid out a simple 3-point plan to address the state of things.
He said tomorrow's SOC:
Fights back – You can not win the game by only playing defense. We must be able to respond so rapidly that the attacker is taken off their feet. Each round they have to rethink their approach is a round they are not attacking, making it a round you win.
Games the system – There are currently more than 3.4 million more openings for security professionals than there are qualified people to fill them. Meanwhile, estimates put the number of gamers worldwide at over 3 billion. If we could harness even 1% of that, we could easily fill this skill gap. It is up to us to rethink what training and day-to-day operations look like.
Runs on robots – Nearly 1/3 of CISOs surveyed want more automation in their security operations. Bryan believes we need to find ways to move humans away from the front lines of response and into the supervisor roles overseeing the robots who are engaging in ever more common machine-on-machine warfare.
The state of CVEs
In their highly informative talk "The Evolution of CVEs, Vulnerability Management, and Hybrid Architectures," Dr. Benjamin Edwards of the Cyentia Institute, and Sander Vinberg, Threat Research Evangelist at F5 Networks, laid out the history of CVEs and the overall trends they are seeing from their research.
Back in 1999, there were just 321 vulnerabilities identified on the first-ever list of CVEs (Common Vulnerabilities and Exposures). Currently, there are between 500 and 1200 new CVEs each week, with over 1000 per week trending to be the new norm by the end of 2023. The high number of CVEs alone does not necessarily mean we are becoming less secure. Instead, the data points to more efficient reporting with better-defined and more tightly scoped vulnerabilities.
The rate of new CVEs has skyrocketed: the first new one arrived 300 days after the launch of this classification system, while today there are 0 days between them. They said their research revealed this is in part due to the explosion of vendors in the marketplace. 59% of all CVEs ever reported are related to a single vendor. By comparison, Microsoft has over 10,000 associated CVEs, Google accounts for over 9,100, and Fedora is tied to just over 4,200 CVEs. Roughly 74% of CVEs affect only one product, and 49% of them affect only one version of that product.
While the number of CVEs continues to grow overall, the severity of reported vulnerabilities remains fairly constant. They warned that getting too fixated on the volume of reports can be counterproductive. Tracking CVEs will continue to be an important part of everyone's overall security posture, even if it tends to be a bit messy. They stressed it is far better than the alternative of no common framework where it is every product and security team for themselves. Again, they hit on the underlying theme that we are stronger together.
New and evolving threats
RSAC brings together thought leaders to share their opinions on trends they are seeing in their research. The panel discussion "The Five Most Dangerous New Attack Techniques" brought together 5 such influential minds to share what they see on the horizon. The panel was led by Ed Skoudis, President of SANS, and featured Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite, Katie Nickels, Director of Intelligence at Red Canary, and SANS Institute Fellows Stephen Sims and Johannes Ullrich.
Malvertizing and copycat sites
Starting things off, Katie's research showed that defenders are getting better at building fences, but adversaries are getting better at going over and around our barriers. She pointed to the disturbing rise in SEO attacks, where attackers leverage Google ads to trick victims into directly downloading malware like Gootloader. Katie noted this type of attack, referred to as "Malvertizing," was added to the MITRE ATT&CK framework during RSAC.
Devs at risk
Johannes is most concerned with the threats developers face, specifically, malware loaded in from typosquatting attacks. To make things worse, many tools warning of dangers often get ignored or muted, thanks to the high false positive rates so many devs have experienced.
Blocking developers' tools like GitHub's Copilot or 7zip might seem like a secure approach, but these kinds of efforts normally backfire. If a developer wants a tool, they will find a way to get it. What we should be doing is educating teams about the potential risks, while at the same time giving them safe paths to get what they want.
AI written malware
Stephen Sims said his research had taken him down some interesting paths with ChatGPT. While the AI program will refuse to write malware if directly asked, he found that if you ask enough times and in indirect ways, you can manipulate it into writing some pretty sophisticated malware. Combine this with a determined attacker who is always on the alert for new zero-days, and he worries we are about to see a whole new class of AI-assisted ransomware and malware attacks. Beyond awareness of zero-days and patching as soon as possible, he is still trying to figure out what else can be done about this threat.
ChatGPT awareness
Heather rounded out the panel by sharing a story about how she tried to leverage ChatGPT to get her young son to reveal his address over chat. He was savvy enough to know something was wrong and refused to fall for any lure to disclose his location. While she is proud of her son, the exercise also showed her how sophisticated ChatGPT has become at writing convincing, compelling language. Her fear is not for those who are growing up with this tech but for the vast majority of adults who do not fully realize what ChatGPT, and AI in general, is capable of.
A CTO’s Reflection of the 2023 RSA Conference
https://hackernoon.com/a-ctos-reflection-of-the-2023-rsa-conference
We must change the game
Instead of attempting to scan every part of an exponentially expanding surface, the only tenable approach is to make design choices that completely eliminate large portions of our vulnerability surface. We have to make entire classes of attacks impossible.
We must build software in ways that drastically reduce the size of potential targets and limit the blast radius. Our software must become private and secure by design.
In the past, this was challenging and costly. The following tools are changing the game:
Strongly typed languages like Rust and TypeScript turn invariants into compile-time errors. This reduces the set of possible mistakes that can be shipped to production by making them easier to catch at build time.
Memory-safe languages eliminate the possibility of buffer overflows, use-after-free, and other memory safety errors, an attack vector that is known to cause 60-70% of high-severity vulnerabilities in large C or C++ codebases. Rust provides this safety without the performance costs of garbage collection at runtime.
Supply chain security practices described in emerging standards like SLSA help us build controls that guarantee artifact integrity within our dependency trees. This diminishes the possibility of malicious libraries, packages, and container images exploiting developer workstations, build pipelines, and runtime environments.
Cryptographic keys, stored in secure hardware, combined with passwordless and tokenless approaches eliminate the possibility of attacks using stolen passwords and access tokens.
Mutual authentication and granular authorization at the application level, using tools like Ockam, enable zero trust in operating networks, VPNs, and VPCs. This removes other applications within the same network from an application’s vulnerability surface.
Application-layer, end-to-end encryption of all data, for example using Ockam Secure Channels, eliminates third-party services from our vulnerability surface. End-to-end guarantees of data authenticity, integrity, and confidentiality mean that any mistake or misconfiguration within a broker, load balancer, or gateway cannot compromise our application’s data.
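The first two points in the list above, shown in code. This is an added example, not code from the article or from Ockam; the hostname validation policy and the length-prefixed record format are hypothetical choices made for the illustration.

```rust
// Added example, not from the article: (1) an invariant ("this string has been
// validated") is carried by a type, so a missing check is a compile-time error;
// (2) slice access is bounds-checked, so a bad length field yields `None`.

/// A hostname guaranteed to have passed `parse`; the private field means
/// code outside this module can only obtain one through the constructor.
#[derive(Debug, Clone, PartialEq)]
pub struct Hostname(String);

#[derive(Debug, PartialEq)]
pub enum HostnameError {
    Empty,
    TooLong,
    BadChar(char),
}

impl Hostname {
    /// Hypothetical validation policy for the example: 1..=253 bytes,
    /// ASCII letters, digits, '-' and '.' only; stored lower-cased.
    pub fn parse(raw: &str) -> Result<Hostname, HostnameError> {
        if raw.is_empty() {
            return Err(HostnameError::Empty);
        }
        if raw.len() > 253 {
            return Err(HostnameError::TooLong);
        }
        let allowed = |c: char| c.is_ascii_alphanumeric() || c == '-' || c == '.';
        if let Some(bad) = raw.chars().find(|&c| !allowed(c)) {
            return Err(HostnameError::BadChar(bad));
        }
        Ok(Hostname(raw.to_ascii_lowercase()))
    }

    pub fn as_str(&self) -> &str {
        &self.0
    }
}

/// The privileged sink accepts only the validated type: calling `dial` with a
/// plain `&str` does not type-check, so the invariant cannot be bypassed.
pub fn dial(host: &Hostname) -> String {
    format!("dialing {}", host.as_str())
}

/// Parse one length-prefixed record `[len][payload...]`. Trusting `len` is the
/// classic C over-read; here `get` returns `None` if it runs past the buffer.
pub fn read_record(buf: &[u8]) -> Option<&[u8]> {
    let len = *buf.first()? as usize;
    buf.get(1..1 + len)
}
```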
All these approaches shift security left and allow an application’s development team to be in control of the security and privacy properties of their application. This team no longer has to cross their fingers and hope a third-party service won’t be compromised; they can simply end-to-end encrypt data as it passes through that service.
Such design decisions turn security and privacy into problems that can be methodically solved instead of endlessly rolling a big boulder up a steep hill.