R2D2 Project: applying AI for APT detection

In the ever-changing landscape of cybersecurity, Advanced Persistent Threats (APTs) stand out as one of the most significant challenges. These threats, characterized by their sophistication and ability to evade traditional defences, can infiltrate corporate and government networks and remain undetected for extended periods. Effective detection of APTs is therefore a critical priority for protecting the integrity and confidentiality of information.

APTs are characterized by their high sophistication and their persistence in target systems. Attackers, often backed by significant resources, employ complex tactics to gain unauthorized access, extract sensitive data or cause prolonged damage. These tactics include custom malware, exploitation of previously unknown (zero-day) vulnerabilities, and advanced social engineering. On the defensive side, the MITRE ATT&CK framework provides a comprehensive catalogue of the tactics and techniques attackers use at each stage of the attack lifecycle, allowing for a better understanding of, and defence against, these advanced threats.

In this context, artificial intelligence (AI) emerges as a promising tool to enhance APT detection capabilities. With its ability to analyse vast amounts of data and detect anomalous patterns, AI offers capabilities beyond those of traditional cybersecurity techniques. Unlike conventional methods, which typically rely on predefined signatures and static rules, AI-based detection can be adapted as new threats appear, rather than waiting for a signature to be written.

[Read more…]

Geolocation through Artificial Intelligence #OSINT

Joey Tribbiani (Friends) points at the television, where he himself appears

If you don’t live under a rock and use social media, you’ve surely witnessed or starred in those posts at your favorite coffee shop, close to home, at work, on the road, or at those unforgettable Project X-style epic parties. We love to share those moments, don’t we?

Often, we don’t even realize the mountain of information we give to the world every time we post something on our social networks. We expose ourselves to the Internet without thinking about the possible consequences. It’s like venturing into the digital jungle without a map, not knowing what predators lurk.

But do you know what’s crazy? That with every post we are dropping clues about our location, our daily routine, our activities, our family, our friends, among many other things. It’s as if we are leaving digital breadcrumbs for anyone to follow, revealing our life to an invisible and potentially dangerous audience.

And it’s not just the information we know we share, but also the information we share without even being aware of it, because, of course, there is metadata. When we take a photo with our cell phone, for example, that image can carry a lot of information that we would overlook at first glance: the exact location where the photo was taken (GPS coordinates embedded in the EXIF metadata), the make, model and software version of the device, and even the camera settings. Small details that seem harmless but, contrary to what we might think, reveal a great deal, leaving us exposed to anyone who knows where to look.

Left and right: examples of metadata extracted from photos captured with a cell phone.
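As an added example (not code from the original post), the following Python script shows what "looking" means in practice: it walks the segments of a JPEG, finds the Exif APP1 block, parses the TIFF/IFD structure inside it and pulls out the device make and model and the GPS position in decimal degrees. It also shows the countermeasure, dropping the APPn segments before the image is shared. The sample JPEG is constructed in the script itself (the "Acme" / "Phone 9" values and the coordinates are made up), so it runs offline; point `extract_exif` at the bytes of a real photo to try it on your own pictures.

```python
import struct

# Tag numbers from the Exif 2.x specification.
TAG_MAKE, TAG_MODEL, TAG_GPS_IFD = 0x010F, 0x0110, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per TIFF type


def _read_ifd(tiff: bytes, offset: int, endian: str) -> dict:
    """Parse one IFD at `offset` (relative to the TIFF header); return {tag: value}."""
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(endian + "HHI", tiff, base)
        size = TYPE_SIZES[typ] * n
        # Values of up to 4 bytes are stored inline; larger ones sit behind a pointer.
        if size <= 4:
            data = tiff[base + 8: base + 8 + size]
        else:
            (ptr,) = struct.unpack_from(endian + "I", tiff, base + 8)
            data = tiff[ptr: ptr + size]
        if typ == 2:      # ASCII, NUL-terminated
            entries[tag] = data.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 4:    # LONG
            entries[tag] = struct.unpack(endian + "I" * n, data)
        elif typ == 5:    # RATIONAL: (numerator, denominator) pairs of unsigned 32-bit
            nums = struct.unpack(endian + "I" * (2 * n), data)
            entries[tag] = tuple(nums[j] / nums[j + 1] for j in range(0, 2 * n, 2))
        else:
            entries[tag] = data
    return entries


def _to_decimal(dms, ref: str) -> float:
    """Degrees/minutes/seconds plus hemisphere letter -> signed decimal degrees."""
    d, m, s = dms
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value


def _parse_tiff(tiff: bytes) -> dict:
    endian = "<" if tiff[:2] == b"II" else ">"   # "II" = little-endian, "MM" = big-endian
    (ifd0,) = struct.unpack_from(endian + "I", tiff, 4)
    ifd = _read_ifd(tiff, ifd0, endian)
    result = {"make": ifd.get(TAG_MAKE), "model": ifd.get(TAG_MODEL), "gps": None}
    if TAG_GPS_IFD in ifd:
        gps = _read_ifd(tiff, ifd[TAG_GPS_IFD][0], endian)
        if GPS_LAT in gps and GPS_LON in gps:
            result["gps"] = (_to_decimal(gps[GPS_LAT], gps.get(GPS_LAT_REF, "N")),
                             _to_decimal(gps[GPS_LON], gps.get(GPS_LON_REF, "E")))
    return result


def extract_exif(jpeg: bytes) -> dict:
    """Walk the JPEG segments, find APP1/Exif and return make, model and GPS position."""
    assert jpeg[:2] == b"\xff\xd8", "not a JPEG"
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)   # length includes itself
        payload = jpeg[pos + 4: pos + 2 + length]
        if marker == 0xFFE1 and payload.startswith(b"Exif\x00\x00"):
            return _parse_tiff(payload[6:])
        if marker == 0xFFDA:   # start of scan: no metadata segments follow
            break
        pos += 2 + length
    return {}


def strip_app_segments(jpeg: bytes) -> bytes:
    """Countermeasure: drop every APPn segment (Exif, XMP, ...) before sharing the file."""
    out, pos = bytearray(jpeg[:2]), 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)
        if marker == 0xFFDA:            # keep the scan and everything after it
            return bytes(out + jpeg[pos:])
        if not 0xFFE0 <= marker <= 0xFFEF:
            out += jpeg[pos: pos + 2 + length]
        pos += 2 + length
    return bytes(out + jpeg[pos:])


def _build_ifd(entries, ifd_offset: int, endian: str = "<") -> bytes:
    """Serialize [(tag, type, count, raw)] into an IFD; oversized values go right after it."""
    table, overflow = struct.pack(endian + "H", len(entries)), b""
    data_start = ifd_offset + 2 + 12 * len(entries) + 4
    for tag, typ, count, raw in entries:
        table += struct.pack(endian + "HHI", tag, typ, count)
        if len(raw) <= 4:
            table += raw.ljust(4, b"\x00")
        else:
            table += struct.pack(endian + "I", data_start + len(overflow))
            overflow += raw
    return table + struct.pack(endian + "I", 0) + overflow


def build_sample_jpeg() -> bytes:
    """Constructed sample (made-up device and coordinates): a minimal JPEG with Exif GPS tags."""
    def rational(*vals):
        return b"".join(struct.pack("<II", round(v * 1000), 1000) for v in vals)
    gps_entries = [(GPS_LAT_REF, 2, 2, b"N\x00"), (GPS_LAT, 5, 3, rational(40, 25, 1.2)),
                   (GPS_LON_REF, 2, 2, b"W\x00"), (GPS_LON, 5, 3, rational(3, 42, 14.4))]
    ifd0 = [(TAG_MAKE, 2, 5, b"Acme\x00"), (TAG_MODEL, 2, 8, b"Phone 9\x00"),
            (TAG_GPS_IFD, 4, 1, b"")]                      # GPS pointer filled in below
    gps_offset = 8 + len(_build_ifd(ifd0, 8))             # GPS IFD follows IFD0
    ifd0[2] = (TAG_GPS_IFD, 4, 1, struct.pack("<I", gps_offset))
    tiff = b"II*\x00" + struct.pack("<I", 8) + _build_ifd(ifd0, 8) + _build_ifd(gps_entries, gps_offset)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print(extract_exif(sample))                       # make, model and a 40.417 N / 3.704 W fix
    print(extract_exif(strip_app_segments(sample)))   # {} once the APP segments are gone
```

The parser deliberately ignores the thumbnail IFD and the Exif sub-IFD (camera settings, software version) to stay short; real photos put those behind tag 0x8769 in IFD0 and they are read with the same `_read_ifd` routine. Note that stripping metadata client-side is what most social networks already do on upload, but the original file on your phone, and anything sent as an attachment, still carries it.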
[Read more…]

The importance and complexity of Classified Information

Classified information is a vital component of national and international security in the contemporary world. This type of information, meticulously protected by governments and organizations, encompasses a wide range of sensitive content that, if it falls into the wrong hands, could pose a significant threat to a nation’s security, stability and strategic interests.

The nature of Classified Information

Classified information may include data on military operations, intelligence strategies, advanced technologies, intelligence sources, as well as sensitive diplomatic and political information.

Information is classified according to the seriousness of the damage its disclosure could cause, and is divided into levels such as, from lowest to highest, “Limited Disclosure”, “Confidential”, “Reserved” and “Secret”, and their international equivalents.

[Read more…]

Pentest in space

When we talk about space, it often sounds like fiction at first. However, we are not as far away from it as we may think. A new security testing trend that is flourishing nowadays is pentesting against satellites. Today, a small team, or even a single person, can design and build a satellite and have it launched while following very few safety standards and protocols.

As we already know, human error is a well-known factor in our field. Combined with the democratization of space, which has opened a new frontier to companies and enthusiasts for exploration and innovation, it gives rise to a new set of specific vulnerabilities that require qualified and specialized professionals to identify them.

What is Satellite Pentesting?

In short, it is what many of us already know as “pentesting”, applied to satellites: a process of testing the security of satellite communication systems by simulating attacks against them, identifying vulnerabilities and deficiencies that could be exploited, and reporting them to the client together with corrective measures that allow the identified risks to be mitigated.

[Read more…]

EDR Silencer

In today’s cybersecurity landscape, the complexity of the solutions deployed to protect against growing threats is constantly increasing. Because of this, both malicious actors, who seek to compromise organizations and systems for their own benefit, and Red Team operators, whose mission is to identify and report weaknesses for later remediation, are driven to find and exploit new weaknesses in systems, adapting their methods and developing new TTPs that allow them to evade existing defenses.

The tools developed by both operators and hostile attackers are designed to evade security solutions such as EDRs, because keeping the operation off the Blue Team’s radar is of vital importance. Being detected would hand the defense team IOCs, which they would use to dismantle an entire operation: blocking IP addresses and domains, writing YARA rules for the artifacts, or rolling out the latest updates to all their security solutions.

These actions, in addition to raising the Blue Team’s alert level, would mean the end or restart of an attack or operation, since the entry vector could be mitigated or blocked outright and the infrastructure would need to be almost completely rebuilt. This is why maintaining the OPSEC of an operation is of vital importance: avoiding the generation of alerts that could tip off the defenders, so that the objective is met without being detected.

[Read more…]

ATT&CK: The game of squares

The world of cybersecurity is becoming increasingly complex and challenging. With each new threat, from harmful capabilities such as malware or 0-days to changes in infrastructure, having moved from on-premise to hybrid or full-cloud environments, there is an urgent need for schemes and methodologies to help address these adversities. We seek not only to minimize the impact of any threat, but also to reach a level of detection and neutralization with which we feel confident, although this can often give a false sense of security.

Today we find various schemes that help us understand and contextualize the modus operandi of hostile actors. From the widely recognized MITRE ATT&CK to the Malware Behavior Catalog (MBC), through the Microsoft Attack Kill Chain and the Lockheed Martin Cyber Kill Chain, these tools offer us a guide to understanding and confronting the tactics, techniques and procedures (TTPs) used by adversaries. Within this scenario MITRE ATT&CK is the most recognized scheme: its matrix breaks down the different TTPs used by hostile actors.

Image 1: Example of the MITRE ATT&CK matrix
[Read more…]

Radio frequency: a new possibility for pentesting?

When it comes to an attack on an internal network, we all assume that the data would leave through that same network. For example, if an attacker infected a device with the intention of stealing information, he would need an exit through the network itself to send the information to an external server.

The question we could ask ourselves is: is there a second way in which the stolen information could be sent? The answer is yes, but with nuances. Let us consider the following scenario: an attacker manages to connect a device that communicates over radio frequency to a computer on the internal network. What could this involve?

There is a Spanish prototype, the RPK2, which answers this question. This USB device presents itself to the computer it is connected to as a printer. It then starts communicating with a receiver operated by the attacker. Since the receiver communicates over radio frequency, it must be located within a few meters of the malicious USB device in order to maintain continuous communication.

[Read more…]

Cloud Security Solutions: the new paradigm

Just as green shoots flood our fields after a cool spring night, waking us up with the promise of stalks determined to germinate, so we wake up one day to the emergence of a new paradigm: the dawn of Cloud Security.

If for a moment we decide to do some research on this subject, we will discover a painful tendency to use four-letter acronyms to designate new concerns whose existence was completely unknown a few years ago. In this infinite universe we will find CISPA, or Cloud Infrastructure Security Posture Assessment, but also CWPP, or Cloud Workload Protection Platform, without forgetting CASB, or Cloud Access Security Broker, or CNAPP, the Cloud-Native Application Protection Platform.

If at this point you have survived this string of names, I will understand your sincere interest in this new science, so allow me to take a step back and comment on the reason for this curious amalgam of new security solutions.

[Read more…]

Threat Clustering and Threat Hunting

In this article we are going to learn about threat clustering carried out by Threat Hunting teams. But, first of all, let’s define some terms.

First, Threat Hunting refers to the art of proactively searching for and detecting cybersecurity threats hidden in an environment. It is a dynamic and strategic approach that allows defenders to discover and neutralize potential dangers before they escalate, making it an essential skill in today’s cybersecurity landscape.

Second, Threat Hunting analysts, also called Threat Hunters, need techniques to identify and track APTs and their activities. An APT is an advanced, persistent threat that operates covertly and with malicious intent over an extended period of time. To accomplish their goals, APTs use sophisticated tactics, techniques and procedures (TTPs) to gain access to high-value networks and information systems, such as government, financial and military systems.

[Read more…]

Ethics in Artificial Intelligence Systems

Not a day goes by without some news related to Artificial Intelligence (AI) and, although there is broad agreement on the benefits it can bring in areas such as health, education or the environment, the development of AI-based systems raises ethical challenges that can result in wide-ranging risks, since these systems will be used worldwide.

We could ask ourselves: how can a technology that should be designed to facilitate work and decision-making, and to improve people’s lives, have a negative impact if it is not designed and monitored properly?

Taking as a reference the reflections of Coeckelbergh (AI Ethics, 2021): “AI will progressively increase its capacity for intentional agency, replicating and replacing human agency, generating the problem of the absence or dissolution of ethical responsibility in technological systems”.

[Read more…]