Threat Clustering and Threat Hunting

In this article we are going to learn about threat clustering as carried out by Threat Hunting teams. But first, let’s define some terms.

First, Threat Hunting refers to the art of proactively searching for and detecting cybersecurity threats hidden in an environment. It is a dynamic and strategic approach that allows defenders to discover and neutralize potential dangers before they escalate, making it an essential skill in today’s cybersecurity landscape.

Second, Threat Hunting analysts, also called Threat Hunters, need techniques to identify and track APTs and their activities. APT refers to an advanced persistent threat: an actor that operates covertly and with malicious intent over an extended period of time. To accomplish their goals, APTs use sophisticated tactics, techniques and procedures (TTPs) to gain access to high-value networks and information systems, such as government, financial, military and other systems.


Ethics in Artificial Intelligence Systems

Not a day goes by without some news related to Artificial Intelligence (AI). Although there is broad agreement on the benefits it can generate in areas such as health, education and the environment, the development of AI-based systems raises certain ethical challenges that can result in wide-ranging risks, since these systems will be used worldwide.

We could ask ourselves, how can a technology that should be designed to facilitate work, decision-making and contribute to the improvement of people’s lives, have a negative impact if it is not designed and monitored properly?

Taking as a reference the reflections of Coeckelbergh (AI Ethics, 2021): “AI will progressively increase its capacity for intentional agency, replicating and replacing human agency, generating the problem of the absence or dissolution of ethical responsibility in technological systems”.


Proximity operations in cyberspace

In the field of cyberspace operations, most attack or exploitation operations are remote, i.e. they are carried out using technologies that allow the hostile actor not to be physically close to its target: access via VPN, a malicious email or link that installs an implant in the victim, a remote vulnerability that is successfully exploited, etc. But a small percentage of operations require a physical approach between the hostile actor and its target: these are proximity operations, also called Sneaker Operations or CACO (Close Access Cyberspace Operations).

Crypto AG CX-52. Source: Wikipedia.

When not everything was connected to the Internet, proximity operations were almost the only way to access the target’s systems or information; to steal information you had to plant a bug or a camera by sneaking into a building at night, tamper with a supply chain, or set yourself up in a building across the street from the target’s premises, to give a few examples. Some signals intelligence acquisition actions required this proximity, and this proximity obviously implied a significant risk of being neutralized, with all the implications that such neutralization can have. Some well-known examples of proximity operations for signals intelligence acquisition involve (allegedly) the French DGSE implanting bugs in the business seats of Air France flights between Paris and New York, the Soviets (allegedly) giving a Great Seal with an implant to the US ambassador to the USSR, and Germans and Americans (allegedly) manipulating Crypto AG cipher devices in Operation Rubicon.


Horizontal and Vertical Hunting with Persistent Engagement

In today’s cybersecurity landscape, Threat Hunting, the proactive pursuit of cyber threats, typically begins only once an actor has already established a foothold in an organization. This limits a hunter’s detection capabilities and overall understanding of a campaign, and of the adversary’s offensive capabilities. In this context, I propose to tackle these challenges with two main tactics that hunters can employ to disrupt the offensive operations of state and non-state actors more effectively: Horizontal Hunting and Vertical Hunting, while integrating elements of persistent engagement to enhance visibility.

Initially, as is usual in hypothesis-driven Threat Hunting, we formulate hypotheses based on intelligence feeds to conduct proactive searches within our environment. However, this approach often lacks precision, both in operational capabilities and in strategic insight into the adversary’s intentions. This can be attributed to various factors, including:

  • Limited intelligence collection capabilities
  • Technical expertise of both hunters and Threat Intelligence teams
  • Uncertainty about the proactivity of the hunting team
  • Urgency to deploy detection capabilities (which may not always be effective) or to publish articles by the Threat Intelligence team

Android Pentesting (I): Environment Configuration

In this article we will explain, step by step and in the simplest possible way, how to create a working environment for performing ethical hacking on an Android application, so that anyone can do it regardless of their prior knowledge.

The first step is to create a working environment to start an audit of mobile applications on Android. To do this, we will look at several mobile device emulators and choose one in which to mount our environment.

Some emulators on the market

First, let’s explain what an emulator is. The word comes from the Latin aemulātor (one who imitates), meaning something that imitates the operation of something else. Wikipedia defines it as follows: “In computing, an emulator is software that allows programs or video games to run on a platform (either a hardware architecture or an operating system) different from the one for which they were originally written. Unlike a simulator, which merely attempts to reproduce the behavior of the program, an emulator attempts to accurately model the device so that the program works as if it were being used on the original device”.


Application of ChatGPT in healthcare

The ChatGPT digital tool is well known by now. This artificial intelligence (AI) is having a huge impact on the information and communication age. ChatGPT is being used for different purposes to improve various systems; however, some of the applications for which it is being used are generating controversy, which is one more reason it receives so much attention.

If you still don’t know ChatGPT, you should know that it is a tool developed by OpenAI specialised in dialogue. It is a chatbot. In other words, you enter a text input and ChatGPT generates a coherent text that responds to what you have written.

Well, ChatGPT can also be used in health. But what do we mean by “in health”? “In health” means that it can be applied in any area that affects people’s wellbeing, whether it is to develop new software to improve the health management of a hospital or to ask questions about our welfare from home.

Several projects have been developed using AI with a focus on health. Some of them use the same ChatGPT models and others are based on proprietary technology, but all of them take communication with the patient into account.


Cybersecurity in the maritime sector: Maritime communication protocols

Maritime transport is a fundamental pillar of the global economy and, like any system adopting new connectivity technologies, it is subject to cybersecurity risks. In the article “New cybersecurity requirements in shipbuilding: implications in the engineering process and designs of new ships”, we commented on the increasing connectivity of new ships, as well as the low maturity of cybersecurity in this area and the common problems encountered in their systems. These characteristics, together with the increase in cyber-attacks, are driving the creation of mandatory standards and certifications for new ships. However, the problems are not just procedural. Let us look at one of the most important technical aspects: maritime communication protocols.

To recap the previous post, the common issues in the maritime domain lie in factors such as reliance on network isolation and physical security, coupled with long system lifetimes and a focus on availability. These characteristics are reflected in the way ships are designed and operated, from general aspects such as architectures to specific aspects such as communication standards. In this article, we analyse the most commonly used maritime protocols today in terms of their security and the risk of being affected by some of the most common types of cyber-attack.

Maritime network protocols are the communication standards that define the rules, syntax and procedures for internal communication between ship systems and ship-to-ship communication. As in other fields, international associations such as NMEA (National Marine Electronic Association) have worked to establish standards that are used by all manufacturers.


From intelligence to threat detection

Threat detection is largely based on indicators of compromise. These indicators are observables that we identify while managing an incident or during an investigation, that we receive from third parties in the form of intelligence feeds, that we download from platforms such as MISP, that we share among working groups… in short, we discover them or someone else discovers them. But where do these indicators come from? In one way or another, indicators, a fundamental part of the characterisation of a threat (actor, operation…), come from intelligence analysis. In this article, we will discuss the path from intelligence gathering to the generation of indicators of compromise to detect a threat. This path is summarised in the figure below:

We all know that the various intelligence disciplines play a fundamental role in detecting threats in cyberspace. In the cyber domain, each of these disciplines (simplifying: SIGINT, MASINT, HUMINT, OSINT and GEOINT) has a specific weight and value, and together they form the basis of what we call cyber intelligence. For example, the role of signals intelligence tends to be much more important than that of geospatial intelligence, and human sources contribute much less intelligence than signals, but much more value if well managed.


AI vs. GRC: How AI can affect GRC areas of technology consultancies

AI (Artificial Intelligence) has proven to be a powerful tool in a number of areas, including Security Governance, Risk Management and Regulatory Compliance (GRC). As AI continues to develop and plays an increasingly important role in our society, it is critical to recognize the value and importance of the human component. While AI offers significant technological advances, there are areas where human judgment, experience and interpersonal skills are indispensable.

As workers in consulting firms, and specifically in the GRC area, we analyze the repercussions and impact that the arrival of AI may have on our professional field.

Will AI put an end to our jobs? After the media boom that the irruption of ChatGPT has meant in our lives, this is a question we cannot avoid asking ourselves. I have therefore set out to analyze whether AI could replace the work we do at our clients. Below I offer my point of view on the different aspects and reasons why, in my opinion, it is unlikely that AI can replace, or even take over, the work done in the GRC areas of technology consultancies:

Regulatory complexity

Regulations and laws related to risk management and compliance can become extremely complex. AI can help automate certain tasks performed by GRC areas, but interpreting regulations and making decisions in complex situations often requires human judgment and expert knowledge of the business context, and sometimes even of human and, no less important, budgetary and financial aspects. Consulting firms play a crucial role in providing expert guidance on how to comply with regulations and adapt to regulatory changes based on clients’ needs.


Cybersecurity in the quantum computing era

Introduction

Cybersecurity is an important issue today. As the number of devices connected to the Internet continues to grow and more and more personal and business information is stored online, cybersecurity has become a major concern for businesses, governments and citizens.

In this context, the emergence of quantum computing, with its ability to solve problems previously thought impossible for conventional systems, poses a major challenge for today’s computer security. This article examines the fundamentals of quantum computing and how they relate to cybersecurity, as well as the potential threats and the solutions being considered to meet these new challenges.

Quantum Computing: Fundamentals

Before discussing the implications of quantum computing for cybersecurity, it is important to understand how it works physically. Quantum computing is a different approach from traditional computing because it relies on the principles of quantum mechanics, the theory that explains the behavior of elementary particles and how they interact with each other. It is based on the principle of quantum superposition, which states that quantum particles (such as electrons and photons) can be in several states at the same time. Instead of using bits to represent information, quantum computers use qubits, which can be in multiple states at the same time.
