Security Art Work

In today’s cybersecurity landscape, the complexity of the solutions implemented to protect against growing threats is constantly increasing. Because of this, both malicious actors, who seek to compromise organizations and systems for their own benefit, and Red Team operators, whose mission is to identify and report vulnerabilities for later remediation, are driven to identify and exploit new weaknesses in systems, adapting their methods and developing new TTPs that allow them to evade existing defenses.

The tools developed by both operators and hostile attackers are designed for evasion of security solutions such as EDRs. This is because keeping the operation off the Blue Team’s radar is of vital importance. Being detected would result in the defense team obtaining IOCs, which they would use to dismantle an entire operation, blocking IP addresses and domains, creating YARAs for artifacts or implementing the latest updates to all their security solutions.

These actions, in addition to increasing the Blue Team’s alert level, would mean the end or restart of an attack or operation, as the entry vector could be mitigated or directly blocked and the infrastructure would need to be almost completely reassembled. This is why maintaining the OPSEC of an operation is of vital importance, avoiding the generation of alerts that could notify the defenders and thus meet the objective without being detected.

The world of cybersecurity is becoming increasingly complex and challenging. With each new threat, from harmful capabilities such as malware or 0 days, to changes in infrastructure, having moved from on-premise to hybrid or full-cloud environments, there is an urgent need for schemes and methodologies to help address these adversities. We not only seek to minimize the impact of any threat, but also to achieve a level of detection and neutralization with which we feel confident, although this can often give a false sense of security.

Today we find various schemes that help us understand and contextualize the modus operandi of hostile actors. From the widely recognized MITRE to the Malware Behavior Catalogue (MBC), through Microsoft Attack Kill Chain and Lockheed Cyber Kill Chain, these tools offer us a guide to understand and confront the tactics, techniques and procedures (TTPs) used by adversaries. Within this scenario MITRE ATT&CK is the most recognized scheme. Its matrix breaks down the different techniques, tactics and procedures (TTPs) used by hostile actors.

When it comes to an attack on an internal network, we all think that the output of the data could be through that same network. For example, if a potential attacker were to infect a device with the intention of stealing information, he would require an exit through the network itself to send the information to an external server.

The question we could ask ourselves is: is there a second way in which the stolen information could be sent? To which the answer is yes, but with nuances. Let us consider the following scenario: an attacker manages to connect a device that communicates by radio frequency to a computer in the internal network. What could this involve?

There is a Spanish prototype, the RPK2, which answers this question. This USB is passed off as a printer to the computer it is connected to. Subsequently, it will start communicating with a receiver that will be manipulated by the attacker. Since the receiver device communicates by radio frequency, it should be located a few meters away from the malicious USB, in order to maintain continuous communication.

Just as green shoots flood our fields after a cool spring night, waking us up with the promise of stalks determined to germinate, so we wake up one day to the emergence of a new paradigm: the dawn of Cloud Security.

If for a moment we decide to do some research on this subject, we will discover a painful tendency to use four acronyms to designate new concerns whose existence was absolutely unknown a few years ago. In this infinite universe we will find the CISPA or Cloud Infrastructure Security Posture Assessment, but also the CWPPS, or Cloud Workload Protection Platform, without forgetting the CASBs or Cloud Access Security Brokers or the CNAPP or Cloud-Native Application Protection Platform.

If at this point you have survived this string of names, I will understand your sincere interest in this new science, so allow me to take a step back and comment on the reason for this curious amalgam of new security solutions.

In this article we are going to learn about threat clustering carried out by Threat Hunting teams. But, first of all, let’s define some terms.

First of all, Threat Hunting refers to the art of proactively searching for and detecting cybersecurity threats hidden in an environment. It is a dynamic and strategic approach that allows defenders to discover and neutralize potential dangers before they escalate, making it an essential skill in today’s cybersecurity landscape.

Second, Threat Hunting analysts, also called Threat Hunters, need techniques to identify and track APTs and their activities. APT refers to an advanced, persistent threat that operates covertly and with malicious intent over an extended period of time. To accomplish their goals, APTs use sophisticated techniques, tactics and procedures (TTPs) to gain access to high-value networks and information systems, such as government, financial, military and other systems.

There is not a day in which we do not see some news related to Artificial Intelligence (AI) and, although there is a common position regarding the benefits that it can generate in different areas such as health, education, environment, etc., the development of AI-based systems generates certain ethical challenges that can result in wide-ranging risks, since they will be used worldwide.

We could ask ourselves, how can a technology that should be designed to facilitate work, decision-making and contribute to the improvement of people’s lives, have a negative impact if it is not designed and monitored properly?

Taking as a reference the reflections of Coeckelbergh (AI Ethics, 2021): “AI will progressively increase its capacity for intentional agency, replicating and replacing human agency, generating the problem of the absence or dissolution of ethical responsibility in technological systems”.

In the field of cyberspace operations, most attack or exploitation operations are remote, i.e. they are carried out using technologies that allow the hostile actor not to be physically close to its target: access via VPN, a malicious email or link that installs an implant in the victim, a remote vulnerability that is successfully exploited, etc. But a small percentage of operations require a physical approach between the hostile actor and its target: these are proximity operations, also called Sneaker Operations or CACO (Close Access Cyberspace Operations).

When not everything was connected to the Internet, proximity operations were almost the only way to access the target’s systems or information; to steal information you had to place a bug or a camera by sneaking into a building at night, modifying a supply chain or placing yourself in a building across the street from the target’s premises, to give a few examples. Some of the signals intelligence acquisition actions required this proximity, and this proximity obviously implied a significant risk of being neutralized, with all the implications that this neutralization can have. Some well-known examples of proximity operations for signals intelligence acquisition involve (allegedly) the French DGSE implanting bugs in the business seats of Air France flights between Paris and New York, the Soviets (allegedly) giving a Great Seal with an implant to the US ambassador to the USSR, or Germans and Americans (allegedly) manipulating Crypto AG cipher devices in Operation Rubicon.

In today’s cybersecurity landscape, the concept of Threat Hunting or the proactive pursuit of cyber threats begins merely as soon as an actor establishes their foothold in an organization, limiting the detection capabilities and overall understanding of a campaign that a hunter may have regarding the offensive capabilities of their adversary. In this context, I propose and intend to tackle these challenges with two main tactics that hunters can employ to disrupt the offensive operations of state actors and non-state actors more effectively: Horizontal Hunting and Vertical Hunting, while integrating elements of persistent engagement to enhance visibility.

Initially, as is usual in hypothesis-driven Threat Hunting, we formulate hypotheses based on intelligence feeds to conduct proactive searches within our environment. However, this approach often lacks precision in both operational capabilities and strategic insight into the adversary’s intentions. This can be attributed to various factors, including:

• Limited intelligence collection capabilities
• Technical expertise of both hunters and Threat Intelligence teams  
• Uncertainty about the proactivity of the hunting team
• Urgency to deploy detection capabilities (which may not always be effective) or publish articles by the Threat Intelligence team.  

In this article we will try to explain step by step in the simplest possible way how to create a working environment to perform an ethical hacking on an Android device application, so that it can be done by anyone regardless of the knowledge they have.

The first step is to create a working environment to start an audit of mobile applications on Android. To do this, we will look at several mobile device emulators and choose one in which to mount our environment.

Some emulators on the market

First, let’s explain what an emulator is. This word comes from the Latin word aemulātor (emulates), which means something that imitates the operation of something else. Wikipedia defines it as follows: “In computing, an emulator is software that allows programs or video games to run on a platform (either a hardware architecture or an operating system) different from the one for which they were originally written. Unlike a simulator, which merely attempts to reproduce the behavior of the program, an emulator attempts to accurately model the device so that the program works as if it were being used on the original device”.

ChatGPT digital tool is well known at this point. This artificial intelligence (AI) is having a huge impact on the information and communication age. ChatGPT is being used for different purposes to improve some systems, however, some of the applications for which it is being used are generating controversy, and therefore, one more reason why it is being echoed.

If you still don’t know ChatGPT, you should know that it is a tool developed by OpenAI specialised in dialogue. It is a chatbot. In other words, you enter a text input and ChatGPT generates a coherent text that responds to what you have written.

Well, ChatGPT can also be used in health. But what do we mean by “in health”? “In health” means that it can be applied in any area that affects people’s wellbeing, whether it is to develop new software to improve the health management of a hospital or to ask questions about our welfare from home.

Several projects have been developed using AI with focus on health. Some of them implement the same ChatGPT models and others are based on proprietary technology, all of them taking into account the communication with the patient.