CyberPoint Blog

Traditional Perimeter Security and Zero Trust – Are they Really That Different?

This post will compare and contrast of some differences between Zero Trust (ZT) based perimeter security and traditional perimeter security. It will not be possible to cover all differences or similarities, so the focus will be of some highlights. In particular, the focus will be on Artificial (and Automated) Intelligence (AI), automated system refresh capabilities, logging, and Virtual Private Networks (VPNs). Knowing that many organizations are utilizing Machine Learning and Artificial (and Automated) Intelligence today, it is likely there are organizations already implementing ZT capabilities. While AI/ML are not the only aspect of ZT, it is utilized in ways that extend the automation process and reduce response time to flagged events. As with all organization's security-based decisions, the cost to implement ZT capabilities must be a factor in determining the scope and feasibility of its coverage. For example, a company may have the ability and financial backing to integrate a moderate level of AI log analysis yet may not have the resources to implement automated responses to events.

Evaluating-Vendors-for-Zero-Trust-System-Integration

In this installment of our Zero Trust series, we'll discuss how to evaluate vendors for Zero Trust integration. While creating an exhaustive evaluation plan would exceed the scope of a blog post, these methods and ideas will provide a good foundation for evaluating vendors for use within the Zero Trust environment. It is common when onboarding a new solution, or even an upgraded version of an old solution, features or behaviors are identified which can positively or negatively affect the platform. Unfortunately, the timing can be too late during the development or integration process to mitigate the negative issues or replace the solution. At the speed of business, delays exacerbate already tight timelines and are compounded by technology with multiple integration points.

Getting to Ground Zero (Trust)

Zero Trust (ZT) focuses on the idea that one should always assume the environment has been compromised. The guiding principle of Zero Trust is to handle all resources, without trust, on both granular and global levels. In doing so, one is required to embrace a total buy-in of risk-based decisions in-lieu of assuming any resource is trustworthy despite following best practices or historically accepted security guidance. The traditional workflow of deploy, monitor, assess, wash-rinse-repeat has morphed into the next generation best practice of trust nothing and assume everything is potentially malicious. When digesting this ZT perspective, one could easily look at an environment and see an unending expanse of circular dependencies, of which none can be trusted. With the depth and breadth of different Zero Trust guidance, establishing a baseline for a ZT program becomes non-trivial.

HTTP/2 and You: When hypertext gets too/2hyper

If you are reading this, CVE-2023-44487 aka HTTP/2 Rapid Reset is upon us. New DDoS records have been set to the tune of 7.5 times the previous all-time high. Some admins and enterprises will be in scramble mode. The culprit: a protocol-level oversight in HTTP/2 (HTTP Version 2) in the handling of stream closure that allows an attacker the opportunity to request and immediately close streams between client and server at an arbitrary rate. When executed en masse, the result is an amplification attack that leverages the underlying speed advantage of HTTP/2 and its introduction and allowance of multiple streams over a single TCP connection.

Graphing the Future: Harnessing the Power of Graph Neural Networks for Cybersecurity

The digital era has ushered in unparalleled technological advancements and global connectivity. As our reliance on digital infrastructure grows, so does the sophistication and frequency of cyber threats. Organizations of all sizes grapple with escalating risks of data breaches, ransomware attacks, network intrusions, and various forms of cyber espionage.

Traditional approaches to cybersecurity, such as rule-based systems and signature-based detection, have proven to be inadequate against the ever-evolving and highly dynamic nature of cyber threats. As cyber attackers employ increasingly sophisticated techniques and exploit complex network topologies, the need for innovative and adaptive cybersecurity solutions becomes imperative.

CyberPoint's Vlad Gostomelsky Appears on Paul's Security Weekly Podcast

CyberPoint's Vlad Gostomelsky appeared on Paul's Security Weekly podcast on June 1, 2023. Vlad heads CyberPoint's Security Research Team (SRT), which is a public-facing research unit that works on relevant challenges within information security (infosec), we specialize in vulnerability research, malware analysis, threat intelligence, and technical evaluation. Our team's been doing this kind of work for years. We're passionate about it on both a professional and a personal level, and we're excited to do research that helps our customers and the larger community."

Blackbeard's Ransom: Ransomware of Source Code is a Real Threat

Question: Can source code stored in an online service be ransomed away from the owner?

I want to share a recent story that I hope will help some of you. For more than 25 years, I have practiced cyber defense with the belief that if we understand how offensive cyber-attacks work and how attackers think, we can help defend others from them. Recently the question stated above was posed to me in technical conversation. After thinking about this carefully, for my answer I said the following to quote 'The Simpsons' cartoon: "Short answer, 'yes with an if'. Long answer, 'no with a but'".

OpenSSL 3.0 CVE-2022-3786 Buffer Overflow Vulnerability

BACKGROUND: A buffer overflow can occur during X.509 certificate verification, specifically during name constraint checking. This happens after the certificate chain signature has been verified, and it requires either a CA to have signed the malicious certificate or for the application to continue verification despite not being able to construct a path to a trusted issuer. An attacker can craft a malicious email address that overflows four (4) bytes controlled by the attacker on the stack. This could result in a crash, causing a denial of service, or potentially allowing remote code execution.

CyberPoint NORDIC researchers discover a high-severity vulnerability (CVE-2022-2975) affecting Avaya telecommunication and VoIP products

CyberPoint NORDIC lead Alex Levesque discovered a vulnerability in Avaya Aura Application Enablement Services servers. Following CyberPoint's responsible disclosure policy, we provided a writeup of the discovery to Avaya's Product Security Team, who released an Avaya Security Advisory, assigned CVE-2022-2975, and published a patch to the software. The vulnerability allows for privilege escalation and execution of arbitrary code as the root user. CyberPoint will release a full writeup of the discovery 30 days after patch release. To anyone with Avaya systems, please update at your earliest convenience!

Apache Log4j Vulnerabilities: The Basics

Old Exploits Up to Old and New Tricks: TrickBot

The classics never get old, do they? Sometimes an old classic receives a new look, like the remake of West Side Story or Ghostbusters. In the case of Conti ransomware, the classics that never get old are TrickBot and Cobalt Strike, used by Conti to distribute their ransomware. In the case of TrickBot, the remake comes with creative new obfuscation techniques. This article discusses the current incarnation of TrickBot, its historical evolution, new tradecraft it employs, and what the future holds according to some hints dropped in recent weeks.

Major Leak from Conti Ransomware Group Translated

As you may be aware there was a major leak from Conti ransomware/crimeware group. A group I hang out with got the leak. A portion of it was translated with machine learning. The translation was poor so I added a column and manually translated key parts that were incorrect.

Apache Log4j Vulnerabilities: The Basics

A series of exploits leveraging vulnerabilities in the popular Apache Log4j Java library were uncovered recently, prompting tremendous cybersecurity activity in response to the threats. The Log4j module allows Java-based applications to better handle internal event logging and is used by many popular applications, cloud-based services, and even operating systems. Because of Log4j's ubiquity, the threat these vulnerabilities represent is significant.

Sylphs in the Cloud

A Sylph (also known as Sylphid) is an air spirit. They are formed of air, they live in the air, and they have unusual power over the air, particularly the wind and the clouds. Usually, Sylphs are portrayed as guardians who protect secret knowledge, beautiful women, or the environment, but it's not out of the question for a Sylph to cause mischief among men.

CyberPoint is no stranger to malware and malware analysis. Our work has us detecting malware, analyzing malware, and occasionally writing malware.

Got MODBUS? Please Check!

In the past three years, we have been fortunate to have been given the opportunity to study industrial control systems (or 'control systems' for short) in excruciating detail for vulnerabilities, exploits and mitigations. While I am a relative newcomer in industrial control security when compared to people like the Dragos team, what we discovered in 2020 was worthy enough to write about even if only as a brief post.

When you are finished reading, please ask yourself and your team, "Do we have any MODBUS on our network? What are we doing to protect those devices from attack?"

Protecting Legacy Encryption from Quantum Computing: A Possible Solution

The advent of quantum computing (QC), if it happens, will break nearly every practical application of cryptography in use today, making e-commerce and many other digital applications insecure.

Symmetric algorithms used for encryption, like AES, are still thought to be safe (with sufficient key length – e.g. AES-256 or larger); however, current asymmetric algorithms like RSA and ECDSA (Elliptic Curve Digital Signature Algorithm) will be rendered essentially useless once quantum computers reach a certain scale.

An alternative approach to quantifying cyber risk using comprehensive attack surface evaluation assessments and Value-at-Risk modeling.

Organizations have an imperative to protect the data that has been entrusted to them, as well as securing their digital borders against business-interrupting intrusions. The legal landscape regarding accountability for data breaches continues to develop, but it has become clear that regulators, lawmakers, and the public will hold the breached entity responsible for a cyber event and the loss of data. This trend means that a cyber event of any type has the potential to negatively affect an organization's revenue and reputation.

Worst-Case Complexity of Ford-Fulkerson

Ask a computer scientist the worst-case complexity of the Ford-Fulkerson algorithm¹ with integral edge capacities, and you'll likely get the answer of O(E*|f|), where E is the number of edges in the graph, and |f| is the capacity of the maximum flow, f, that the algorithm seeks to find. Indeed, that would have been my answer, as well. Until I tried to exploit that worst-case behavior.

Cyberspace — the Next Utility Infrastructure

Note: This White Paper represents the exploratory thoughts and analysis of the author; the assertions and recommendations are provided for consideration and validation by our industry, academic, and government partners. The opinions expressed herein may not be the same as those held by the owners, investors, or other executives of CyberPoint who were not involved in the writing of this White Paper…but they should be!

Accelerating Capabilities Acquisition Through OTAs and PIAs: A Contractor Perspective

OTAs (Other Transaction Agreements) are appropriate when you want prototypes (demos, validation, feasibility) of innovative capabilities directly relevant to weapons or weapons systems, and directly related to mission effectiveness (of personnel and supporting platforms, or by improvement of platforms/systems/components thereof).

Malicious Browser Extensions

As we do more and more of our day-to-day tasks online, our web browsers have become an irreplaceable tool for many people. Often, we decide to augment the default behavior of these browsers with browser extensions to provide custom functionality to our browsers in order to make the tasks that we perform online easier.

Using Compression to Compare Objects

In my previous blog post, I discussed our endeavor to benefit from unsupervised learning on CyberPoint's malware dataset. One of the more intriguing tools I played with during that effort was the normalized compression distance (NCD).

Learning in the Dark: Lessons Learned in Unsupervised Learning

CyberPoint has seen great success in using supervised machine learning for malware detection. A while back, however, some colleagues and I set out to investigate whether we could make any interesting discoveries by applying unsupervised learning to CyberPoint's malware dataset.

Logging Keystrokes with Event Tracing for Windows (ETW)

As a follow-up to our talk at Ruxcon, "Make ETW Great Again", we wanted to go into a bit more depth than we could cover in our hour long talk. While our talk consisted of multiple examples of ETW usage, detecting ransomware, USB Keylogging, and sniffing SSL encrypted data from WinINet…

The Human Interface Device (HID) Attack, aka USB Drive-By

As a part of our effort to educate, assess and train (EAT), we want to highlight a physical host attack technique that is extremely cheap and simple to pull off, and unfortunately yields a significant return for the attacker if successful. The technique is commonly referred to as a "Human Interface Device (HID) attack" or a "USB drive-by".

Software Defined Security at CyberPoint

Software-defined networking, commonly referred to as SDN, has received a lot of press recently regarding both the technology itself and the impact that it will have in the networking world. At CyberPoint, being a cybersecurity company, we got curious and decided to take a look at the impact that SDN could have on security.

The Minimum

"If the minimum weren't good enough, it wouldn't be the minimum." It's not just a rationalization of laziness. It's often the correct approach to compliance with externally mandated cybersecurity requirements.

CyberPoint Blog

We not only protect what's invaluable, we write about it too.