

Bluepurple Pulse: week ending July 9th
US Government being held to quantifiable objectives and delivery ownership for its cyber strategy...
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week it has been about the JumpCloud incident; the company released this note.
In the high-level this week:
Cybercrime in Australia 2023 - Overall, 47 percent of respondents experienced at least one cybercrime in the 12 months prior to the survey—and nearly half of all victims reported experiencing more than one type of cybercrime. Thirty-four percent of respondents had experienced a data breach.
Cybersecurity: Launching and Implementing the National Cybersecurity Strategy - from the US Government Accountability Office - This Snapshot covers the status of the National Cybersecurity Strategy. The strategy's goals and strategic objectives provide a good foundation, but the Administration needs to establish specific objectives and performance measures, resource requirements, and roles and responsibilities.
University of California Sues Lloyd’s Syndicates Over Cyber Insurance - The University of California is suing a number of insurance firms for refusing to pay out on cyber policies nearly 10 years after hackers breached data on millions of patients at its health system.
In Russia, they checked the stability of the Runet in case it is turned off from the outside - The Russian authorities and operators once again checked the performance of Russian sites in the context of the country's disconnection from the international Internet.
Russia Seeds New Surveillance Tech to Squash Ukraine War Dissent - Russia is incubating a cottage industry of new digital surveillance tools to suppress domestic opposition to the war in Ukraine. The tech may also be sold overseas.
Recent Chinese cyber intrusions signal a strategic shift - The most recent intrusion highlighted by the Five Eyes isn’t the type of espionage that is the veritable background noise of enduring competition among states. Chinese cyber operators have become notorious for intellectual property theft, but their cyber espionage activity has gradually shifted to meeting other strategic imperatives, as the Volt Typhoon case shows.
US National Counter Intelligence & Security Centre issued an alert on China titled ‘Safeguarding Our Future’.
Press coverage on this by the Wall Street Journal New Chinese Law Raises Risks for American Firms in China
A security and resilience framework for CBDC (Central Bank Digital Currency) systems - issued by the Bank for International Settlements
How the FBI hacked Hive - FBI digital sting against Hive cybercrime group shows the promise - FBI field agents in Florida managed to unravel the group using little more than a keyboard, first hacking their way into Hive’s network in July 2022, and then undermining its extortion efforts by helping targeted organizations unlock their systems on their own.
Russian Cybersecurity Executive Arrested for Alleged Role in 2012 Megahacks - Nikita Kislitsin, formerly the head of network security for one of Russia’s top cybersecurity firms, was arrested last week in Kazakhstan in response to 10-year-old hacking charges from the U.S. Department of Justice.
Law
UK Law Commission issued a report which outlined what changes are required to ensure applicability in a digital assets world - Our recommendations for reform and common law development aim to create a clear and consistent framework for digital assets that will provide greater clarity and security to users and market participants.
International Law and Cyberspace - Ireland has published a Position Paper on the Application of International Law in Cyberspace as a contribution to discussions at UN level, particularly in the context of its participation in the OEWG, aimed at developing a better shared understanding of how international law applies in cyberspace.
UK–Poland 2030 strategic partnership joint declaration on foreign policy, security and defence - has a whole section on Cyber - including - Share analysis, intelligence and data, to counter cyberattacks and strengthen Cyber resilience;
EU-NATO Task Force: Final assessment report on strengthening our resilience and protection of critical infrastructure - Moreover, transport infrastructure is increasingly digitalised, making it more vulnerable to malicious cyber activities and disruptions.
The Reserve Bank of India slaps Rs 65 lakh fine on Mahesh Bank for failing to boost cyber security - for failing to provide cyber infrastructure and efficient firewalls, as a result of which a loss to the tune of Rs 12.48 crore (£1.1 mil / $1.5 mil) was caused by a fraud committed by a Nigerian in January 2022.
Limits of Machine Learning for Automatic Vulnerability Detection
US DoD’s Milley Makes Case for Rules-Based Order, Deterrence in New Era
Reflections this week come from briefing the Non-Executive Directors at UK Government Investments as part of their professional development day. The reflection is that there is huge cause for optimism about the future of cyber governance at board level, while there also exists an opportunity to accelerate. It is clear that a more technology-immersed set of individuals are hitting boards, which is a huge win for our domain. However, there is an opportunity to accelerate the way we standardise reporting information at board level. We have this for finance, but different organisations reporting their risk, threats, compliance status, transformation programmes and then the technical underpinning in different ways is clearly causing challenges. These challenges affect both like-for-like comparison and an understanding of what good looks like. Anyway, answers on a postcard please for this little noodle…
On the interesting job/role front (thanks to those sending me these):
Security Engineer - Attack Surface Operations - Nationwide Bank in the UK
Director, Military Science Research Group at the Royal United Services Institute in the UK
Have a lovely Sunday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Russia
Phishing attacks by the APT28 group (UAC-0028) to obtain authentication data for public mail services
Russia surging again with rather basic tradecraft in Ukraine. The point of note here is the use of Ubiquiti IoT devices for their command and control.
Ukraine CERT-UA discovered HTML files that imitate the web interface of mail services (in particular, UKR.NET, Yahoo.com) and implement the technical possibility of exfiltrating authentication data entered by the victim using HTTP POST requests
At the same time, the transfer of stolen data is carried out using previously compromised Ubiquiti devices (EdgeOS).
Separate attention should be paid to the fact that one of the HTML files ("detail.html", MD5: b0ef610dffa854e239fca9475f35272a) contains the email address of the object of the attack: "iri_1357@yahoo.com". According to available data, the specified address belongs to the Embassy of the Islamic Republic of Iran in Tirana (Republic of Albania).
https://cert.gov.ua/article/5105791
Targeted attack using the theme of Ukraine's membership in the North Atlantic Treaty Organization
Another maldoc campaign; the netflow analysis which identified the 190+ IPs communicating with the C2 should come with a health warning, since many of those addresses belong to security researchers, VPN services and the like.
The analysis of the content of the SMB resource made it possible to establish 195 IP addresses used by computers from which interaction with the described infrastructure was carried out. However, the analysis of the IP addresses shows their geographical distribution (about 30 different countries) and most of them belong to VPN services, research organizations, etc.
https://cert.gov.ua/article/5077168
North Korea
Lots of tactical reporting omitted this week as again there was so much. Can be found on the subreddit.
North Korean Malicious Groups and Latest Trends
South Korean summary of North Korean groups and their activities in Korean. Provides a comprehensive bit of work. Nothing in here that is a revelation if you are a regular reader, but a nice summary nevertheless.
BlueNoroff | How DPRK’s macOS RustBucket Seeks to Evade Analysis and Detection
Phil Stokes provides some further technical insight into the evolving macOS capabilities of North Korea. It will be interesting to see how Apple starts to respond to what appears to be an increasing trend / arms race.
RustBucket is noteworthy for the range and type of anti-evasion and anti-analysis measures seen in various stages of the malware.
The attack begins with an Applet that masquerades as a PDF Viewer app. An Applet is simply a compiled AppleScript that is saved in a .app format. Unlike regular macOS applications, Applets typically lack a user interface and function merely as a convenient way for developers to distribute AppleScripts to users. The threat actors chose not to save the script as run-only, which allows us to easily decompile the script with the built-in osadecompile tool (this is, effectively, what Apple’s GUI Script Editor runs in the background when viewing compiled scripts).
China
Chinese Threat Actors Targeting Europe in SmugX Campaign
China doing what they do, and in Europe no less. As European governments get to the bottom of this latest incident, the response they levy against China will be one to watch. The use of HTML smuggling is the only noteworthy aspect.
[We] uncovered a targeted campaign carried out by a Chinese threat actor targeting government entities in Europe, with a focus on foreign and domestic policy entities.
The campaign leverages HTML Smuggling, a technique in which attackers hide malicious payloads inside HTML documents.
Following a complex infection chain involving either archives or MSI files, the attacks deploy PlugX, an implant commonly associated with Chinese threat actors.
The campaign, called SmugX, overlaps with previously reported activity by Chinese APT actors RedDelta and Mustang Panda. Although those two correlate to some extent with Camaro Dragon, there is insufficient evidence to link the SmugX campaign to the Camaro Dragon group.
https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
Wuhan Xiaoruizhi Class of ‘19
Intrusion Truth does what they do best i.e. continue to be a thorn in the side of the Chinese APT supply base.
Welcome back Intrusion Truth readers, it’s been a little while. We hope you’ve spent the time reflecting on our findings from our previous set of articles on suspicious happenings in and around Wuhan. We don’t know about you, but even after six articles we felt we had some unfinished business with Wuhan Xiaoruizhi and friends. So, we put together the remaining information we had to give you a few more interesting snippets on APT31’s operational infrastructure.
For our first annex, we will tackle a lead that was buried in the information leaked by our disaffected Xiaoruizhi insider, of articles 4 and 5. That employees of Xiaoruizhi (AKA APT31 actors) had moved to new companies in 2020.
https://intrusiontruth.wordpress.com/2023/07/04/wuhan-xiaoruizhi-class-of-19/
Iran
Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware
Joshua Miller, Pim Trouerbach and friends detail how Iran has macOS game in addition to their wider Windows capability.
TA453 continues to adapt its malware arsenal, deploying novel file types and targeting new operating systems, specifically sending Mac malware to one of its recent targets.
TA453 in May 2023 began deploying LNK infection chains instead of Microsoft Word documents with macros.
Regardless of infection chain, TA453 continues to work toward its same end goals of intrusive and unauthorized reconnaissance.
Proofpoint worked with key partners across the defensive community to disrupt TA453 efforts.
Beyond appearances: unknown actor using APT29’s TTP against Chinese users
Interesting case of potential false flag here.
[We] detected different maldoc samples from a potential malicious campaign. The initial access is through Chinese phishing. The maldoc seems to be a campaign against Chinese-speaking users, as the content of the maldoc is written in Chinese. The social engineering technique applied in the maldoc’s content is to pretend to be a Curriculum Vitae of a 28-year-old professional who is specialised in finance, concretely in software development for banking systems and NCR.
The infection chain is similar to the threat actor APT29; however, significant differences from the typical APT29 infection chain have been identified, which make us consider that it does not seem to be this threat actor.
https://lab52.io/blog/beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users/
Malvertising Used as Entry Vector for BlackCat Actors Also Leverage SpyBoy Terminator
Lucas Silva, RonJay Caragay, Arianne Dela Cruz and Gabriel Cardoso give a clear example with evidence of a malvertising chain seen in the wild. You do wonder if/when these advertising networks are going to be held to account for enabling these operations in what some might call a shared responsibility model.
The infection starts once the user searches for “WinSCP Download” on the Bing search engine. A malicious ad for the WinSCP application is displayed above the organic search results. The ad leads to a suspicious website containing a tutorial on how to use WinSCP for automating file transfer.
The suspected Maha grass organization uses the WarHawk backdoor variant Spyder to spy on many countries
Chinese reporting on Indian activity. The reporting implies overlap in tradecraft and capabilities of various parts of the Indian state. In this case the tradecraft is basic - i.e. emailing of executable files with their icon changed to Microsoft Word, Excel etc. documents.
[We] found a batch of malicious samples related to Maha Grass. The backdoor used by the attackers is not the Trojan horse commonly used by the Maha Grass organization. Coincidentally, foreign security researchers also discovered several samples, named the backdoor Spyder according to the information on the login interface of the C2 server, and pointed out that the samples are similar to the WarHawk backdoor.
Multiple APT organizations in South Asia are inextricably linked. The Spyder backdoor attacking targets in multiple countries is an example. It has many similarities with the previously disclosed WarHawk backdoor, and according to the digital certificate of the early samples and the associated Remcos Trojan horse samples, the Spyder backdoor is more likely to be from the hands of Mahacao. In addition, we discovered additional backdoors through the infrastructure used by the attackers, a sign that the attackers are constantly expanding their arsenal.
Discovery
How we find and understand the latent compromises within our environments.
WeChat trillion data warehouse architecture design and implementation
How the Tencent engineering team built their security data warehouse. This is China scale.
Without sufficient characteristic data, the security policy will be "a tree without roots, water without a source". The WeChat Security Data Warehouse emerged as the times require and has become the feature data storage center for the entire security business. ions of feature data read and write requests every day, providing reliable data support for the entire WeChat security strategy, and is the cornerstone of WeChat security. However, the WeChat Security Data Warehouse is not only a storage center, but also a center for feature management and data quality management. During the evolution process, the data warehouse has been committed to improving feature management capabilities and data quality assurance, and has realized features such as feature management, sharing, analysis, and data quality testing.
Threat Hunting for Business Email Compromise Through User Agents
Dray Agha provides a practical walkthrough on how to apply anomalous user agent tradecraft to BEC hunting activities.
https://www.huntress.com/blog/threat-hunting-for-business-email-compromise-through-user-agents
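The baseline-and-deviate idea behind user-agent hunting, as an added example that is not from the Huntress post: sign-in records are constructed here to resemble Microsoft 365 audit entries (field names and values are invented), each user's user agents are baselined over an earlier window, and later events are flagged when the agent is new for that user, matches a legacy or scripted client, or is followed by a mailbox-persistence operation from an already-flagged agent.

```python
"""Hunt for BEC via user-agent deviation over constructed Microsoft 365-style records."""
import json
import re
from collections import defaultdict

# Constructed sample (not real telemetry): newline-delimited JSON, one event per line.
SAMPLE_LOG = """
{"time":"2023-07-03T08:01:00Z","user":"alice@example.test","op":"UserLoggedIn","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/114.0 Safari/537.36","ip":"203.0.113.10"}
{"time":"2023-07-03T09:15:00Z","user":"alice@example.test","op":"UserLoggedIn","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/114.0 Safari/537.36","ip":"203.0.113.10"}
{"time":"2023-07-04T08:05:00Z","user":"alice@example.test","op":"UserLoggedIn","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/114.0 Safari/537.36","ip":"203.0.113.10"}
{"time":"2023-07-05T02:44:00Z","user":"alice@example.test","op":"UserLoggedIn","ua":"BAV2ROPC","ip":"198.51.100.77"}
{"time":"2023-07-05T02:46:00Z","user":"alice@example.test","op":"New-InboxRule","ua":"Mozilla/5.0 (Linux; Android 9) Chrome/74.0 Mobile Safari/537.36","ip":"198.51.100.77"}
{"time":"2023-07-03T10:00:00Z","user":"bob@example.test","op":"UserLoggedIn","ua":"Outlook-iOS/2.0","ip":"203.0.113.20"}
{"time":"2023-07-06T10:30:00Z","user":"bob@example.test","op":"UserLoggedIn","ua":"Outlook-iOS/2.0","ip":"203.0.113.20"}
"""

# Clients that rarely belong to an interactive user and recur in BEC investigations.
# BAV2ROPC is the marker Entra ID sign-in logs show for legacy (basic/ROPC) auth.
SUSPICIOUS_UA = [
    re.compile(r"^BAV2ROPC$"),
    re.compile(r"python-requests", re.I),
    re.compile(r"curl/", re.I),
    re.compile(r"^PowerShell|Microsoft Exchange PowerShell", re.I),
]

# Mailbox operations attackers use to persist or hide their activity.
PERSISTENCE_OPS = {"New-InboxRule", "Set-InboxRule", "Add-MailboxPermission"}


def parse_log(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events, until):
    """Map user -> set of user agents seen strictly before the ISO timestamp `until`."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["time"] < until:  # ISO-8601 UTC strings compare correctly as text
            baseline[ev["user"]].add(ev["ua"])
    return baseline


def hunt(events, baseline_until):
    """Return findings (time, user, reason, op) for events at or after `baseline_until`.

    Reasons:
      new-ua         agent never seen for this user during the baseline window
      suspicious-ua  agent matches a legacy/scripted client pattern
      persistence    mailbox-persistence operation from an agent already flagged for this user
    """
    baseline = build_baseline(events, baseline_until)
    flagged_uas = defaultdict(set)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["time"] < baseline_until:
            continue
        user, ua = ev["user"], ev["ua"]
        reasons = []
        if ua not in baseline[user]:
            reasons.append("new-ua")
        if any(p.search(ua) for p in SUSPICIOUS_UA):
            reasons.append("suspicious-ua")
        if reasons:
            flagged_uas[user].add(ua)
        if ev["op"] in PERSISTENCE_OPS and ua in flagged_uas[user]:
            reasons.append("persistence")
        for reason in reasons:
            findings.append((ev["time"], user, reason, ev["op"]))
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_log(SAMPLE_LOG), "2023-07-05T00:00:00Z"):
        print(finding)
```

Bob's unchanged Outlook client produces nothing, while Alice's legacy-auth sign-in followed by an inbox rule from a second unseen client yields four findings.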
Deceptive defense: best practices for identity based honeytokens in Microsoft Defender for Identity
Nathan Swift walks through how to use honeytokens in the Microsoft Defender for Identity eco-system. Would love to hear from any of you who are deploying this into production.
Microsoft Defender for Identity offers an easy-to-use capability that tags identities on local Active Directory domains and generates an alert once that user/identity is authenticated on the domain. Using these Honeytoken tags on enticing identities throughout your enterprise can act as trip wiring that will alert your Security Operations (SOC) teams of a potential threat.
dynmx
Simon provides a powerful capability which brings to the dynamic world what we have had in the static analysis world for so long.
dynmx (spoken dynamics) is a signature-based detection approach for behavioural malware features based on Windows API call sequences. In a simplified way, you can think of dynmx as a sort of YARA for API call traces (so called function logs) originating from malware sandboxes. Hence, the data basis for the detection approach are not the malware samples themselves which are analyzed statically but data that is generated during a dynamic analysis of the malware sample in a malware sandbox.
https://github.com/0x534a/dynmx
Defence
How we proactively defend our environments.
AttacKG: Constructing Technique Knowledge Graph from Cyber Threat Intelligence Reports
Zhenyuan Li, Jun Zeng, Yan Chen and Zhenkai Liang bring some scale to TI reporting analysis and correlation. Having seen this problem first hand, it will be interesting to see how AttacKG evolves and whether it scales against real-world data.
We run AttacKG on 16 manually labelled CTI reports. Empirical results show that AttacKG accurately identifies attack-relevant entities, dependencies, and techniques with F1-scores of 0.887, 0.896, and 0.789, which outperforms the state-of-the-art approaches Extractor and TTPDrill. Moreover, the unique technique-level intelligence will directly benefit downstream security tasks that rely on technique specifications, e.g., APT detection and cyber attack reconstruction.
https://arxiv.org/abs/2111.07093
SentinelARConverter
Christian Piet and Fabian Bader release this work aid which will help SOC teams.
You can convert a Sentinel Analytics rule in the YAML format to an Azure ARM template or vice versa.
https://github.com/f-bader/SentinelARConverter
Hijacking Detection Framework of BGP Routing Path Based on Link Prediction
Chinese paper on detecting BGP misuse. They (China) are clearly ramping up on all aspects of CNI research.
Because the existing system directly treats all unseen links as suspicious events, it needs to spend a lot of computing resources on the data plane to verify normal links. In order to solve this problem, this paper proposes a link authentication evaluation method based on link prediction. This paper proves the predictability of AS links experimentally, and implements a real-time fake AS-PATH detection system based on link prediction, Metis. Metis can effectively detect false AS-PATH caused by misconfiguration, path hijacking and BGP poisoning. However, Metis has certain limitations, because it cannot detect fake AS-PATH with real AS links or links with high authentication. In order to solve this problem, it is planned to change the detection mechanism of Metis in the future, and input the link prediction value and AS-PATH features into the machine model for automatic classification. Future work also includes exploring more reliable AS library construction methods, link prediction algorithms and Type-1 rules.
Azure Automation - Advanced Auditing
Nathan McNulty highlights some gaps and how they can be addressed in auditing within Office 365. This default unintuitive behaviour should also likely be addressed.
In Office 365, applying an E5 license with the Advanced Auditing component to a user does not enable all auditable events. For tenants created more than a few years ago, it's possible MailItemsAccessed and Send are not enabled by default, especially if audit events were previously modified. Another important one, SearchQueryInitiated (covers both Exchange and SharePoint) is never enabled by default. We usually want to ensure all auditable events are being collected for appropriately licensed users, and ideally, have it automated.
https://blog.nathanmcnulty.com/azure-automation-advanced-auditing/
Google Workspace Log Extraction
Megan Roddie provides a practical guide to getting logs out of Google. Again comes with gaps and caveats which would likely benefit from the development of a standard for an interface, format and coverage security logs from cloud.
One option is to query the logs in the Admin Console, although there are several limitations that result in this not being the most ideal method. The best option to obtain the most thorough and easily parsable data is to use the Reports API in the Admin SDK. We also mentioned the use of forwarding logs to Google Cloud for a subset of audit logs to be available via Google Cloud Logging.
https://www.sans.org/blog/google-workspace-log-extraction/
Related: ALFA, which stands for Automated Audit Log Forensic Analysis for Google Workspace
Everything in its Right Place: Improving DNS Resilience
Raffaele Sommese’s PhD thesis provides some insights as to the value of anycast in providing DDoS resilient services.
While traditional resilience techniques, such as network diversity, have been available for decades and provide some level of protection, we found anycast to be a powerful differentiator that really pays off in overcoming the challenges posed by the increasing threat of DDoS attacks against vital internet infrastructure. While these requirements may come with additional costs, particularly for smaller operators, it is worthwhile to consider using multiple third-party providers to increase overall infrastructure resilience with careful planning and training. Alternatively, incentives should be provided to reduce the barriers to anycast adoption for smaller operators, allowing them to provide more reliable services at a lower cost.
https://ris.utwente.nl/ws/portalfiles/portal/306181219/thesis_ebook.pdf
Vulnerability
Our attack surface.
Cisco ACI Multi-Site CloudSec Encryption Information Disclosure Vulnerability
Cisco has not released software updates that address this vulnerability. There are no workarounds. The vulnerability could allow an unauthenticated, remote attacker to read or modify intersite encrypted traffic.
MOVEit Transfer 2020.1 (12.1) Service Pack (July 2023)
More critical vulnerabilities in this product. The technical debt is being forced to be paid back right now.
https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023
Various Mastodon Security Advisories
With some clangers, is this the first real test for the fediverse?
Arbitrary file creation through media attachments
XSS through oEmbed preview cards
https://github.com/mastodon/mastodon/security/advisories
Hunting for Bitwarden master passwords stored in memory
Naz Markuta highlights another example of where a security vendor hasn’t fully understood how to implement their product in a secure fashion.
It is possible to identify unknown Bitwarden master passwords in memory, even after a vault is locked. We developed a proof of concept tool, called BW-dump, that works on Windows platforms. It was tested with Bitwarden desktop app version (2023.2.0).
https://redmaple.tech/blogs/2023/extract-bitwarden-vault-passwords/
Offense
Attack capability, techniques and trade-craft.
Obscurities with MS Teams part 3
PfiatDe provides some novel Microsoft Teams based phishing tradecraft for us all to contend with. The use of emojis to build trust is very much a sociotechnical cyber style challenge.
When phishing via Teams, an attacker controls the source AAD. Therefore, he can set every username he wants. This opens some possibilities.
E-Mail as username
Suffix the Username to generate some context around warnings from teams (external)
Unicode spaces, to break the layout and move things out of sight
Unicode emojis to generate trust
Unicode characters (Right-To-Left-Override, …) to break things
And furthermore, when sending a message we can provide a lot of HTML tags, generating abnormal-looking messages, which might trick users.
Punycode in links is also interpreted, so we can also spoof some URLs with this.
https://badoption.eu/blog/2023/06/30/teams3.html
AiTM/ MFA phishing attacks in combination with "new" Microsoft protections (2023 edition)
Jeffrey Appel highlights the remaining gaps against Adversary in the Middle phishing. This work generally is excellent and provides a comprehensive evidence base of what works and what doesn’t in the Microsoft eco-system.
There is currently no new block option for preventing token replay/ token stealing via AiTM toolkits. All there is, is an improvement with the token protection capabilities and the powerful attack disruption capabilities, to make sure the attack is disrupted before it can continue to spread.
Brute-Forcing One-Time Passwords
Konstantin provides some interesting statistical work. I will be very interested to see this applied to the real-world and that evidence base being presented.
With five guesses per TOTP, you can guess a 4-digit number within 3 days with a probability greater than 99%.
https://kpwn.de/2023/06/brute-forcing-one-time-passwords/
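To turn the quoted figure into something a defender can use when sizing OTP rate limits, here is an added example (not from the post): the cumulative success probability of online guessing over many TOTP steps, and the largest per-step guess allowance that keeps that probability under a target. The model (one fresh code per 30 s step, k distinct guesses per step, the verifier accepting `accepted_codes` codes at once, three when ±1 step of clock skew is tolerated) is my assumption and not necessarily the post's, which is why the no-skew case lands just under 99% while any skew tolerance pushes it well past it.

```python
"""Online-guessing success probability against a numeric OTP, for sizing rate limits."""
import math


def per_step_success(digits, guesses_per_step, accepted_codes=1):
    """P(one of `guesses_per_step` distinct guesses equals one of the `accepted_codes`
    codes the verifier accepts in this step). A verifier tolerating +/-1 step of
    clock skew accepts 3 codes. Exact for distinct guesses and distinct accepted codes."""
    space = 10 ** digits
    if not 0 <= guesses_per_step <= space or not 1 <= accepted_codes <= space:
        raise ValueError("guesses and accepted codes must fit in the code space")
    # All guesses miss iff they are all drawn from the space minus the accepted codes.
    miss = math.comb(space - accepted_codes, guesses_per_step) / math.comb(space, guesses_per_step)
    return 1.0 - miss


def cumulative_success(digits, guesses_per_step, steps, accepted_codes=1):
    """P(at least one success over `steps` independent TOTP steps)."""
    p = per_step_success(digits, guesses_per_step, accepted_codes)
    return 1.0 - (1.0 - p) ** steps


def totp_steps(seconds, step_seconds=30):
    """Number of TOTP steps an attacker gets in a time budget of `seconds`."""
    return seconds // step_seconds


def max_guesses_per_step(digits, steps, target, accepted_codes=1):
    """Largest per-step guess allowance keeping cumulative success <= target.
    0 means no fixed per-step limit achieves the target: lockout/backoff is needed."""
    g = 0
    while g < 10 ** digits and cumulative_success(digits, g + 1, steps, accepted_codes) <= target:
        g += 1
    return g


if __name__ == "__main__":
    three_days = totp_steps(3 * 24 * 3600)
    print(f"4 digits, 5 guesses/step, 3 days, no skew: {cumulative_success(4, 5, three_days):.4f}")
    print(f"same with +/-1 step skew accepted:         {cumulative_success(4, 5, three_days, 3):.6f}")
    print("max guesses/step for <=1% over 3 days, 6 digits:", max_guesses_per_step(6, three_days, 0.01))
    print("max guesses/step for <=1% over 3 days, 4 digits:", max_guesses_per_step(4, three_days, 0.01))
```

The last line is the practical takeaway: with a 4-digit code even one guess per step over three days exceeds a 1% budget, so per-step throttling alone cannot save a short OTP.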
TakeMyRDP
Saad AHLA delivers an exceptional bit of capability which will be used by threat actors in 3..2..
A keystroke logger targeting the Remote Desktop Protocol (RDP) related processes. It utilizes a low-level keyboard input hook, allowing it to record keystrokes in certain contexts (like in mstsc.exe and CredentialUIBroker.exe)
https://github.com/TheD1rkMtr/TakeMyRDP
AtlasReaper
We all know developer infrastructure is often under-loved. The fact that we are now seeing specific tooling such as this developed and released should come as a warning. The amount of sensitive information held in Confluence and Jira is often vast.
A command-line tool for reconnaissance and targeted write operations on Confluence and Jira instances.
https://github.com/werdhaihai/AtlasReaper
ShellGhost
Angelo Frasca Caccia releases a tool which implements a technique we have discussed a lot over the years; nevertheless this will cause some EDR vendors pain. I’ve previously released research and tooling around VEH and HBP misuse detection.
ShellGhost relies on Vectored Exception Handling in combination with software breakpoints to cyclically stop thread execution, replace the executed breakpoint with a RC4-encrypted shellcode instruction, decrypt the instruction and resume execution after restoring memory protection to RX.
https://github.com/lem0nSec/ShellGhost
Exploitation
What is being exploited.
Nothing of note this week other than the below; in general things are on 🔥
Increased Truebot Activity Infects U.S. and Canada Based Networks
Warning from US Government on this exploitation.
Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments; however, newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199—(a remote code execution vulnerability in the Netwrix Auditor application), enabling deployment of the malware at scale within the compromised environment. Based on confirmation from open-source reporting and analytical findings of Truebot variants, the authoring organizations assess cyber threat actors are leveraging both phishing campaigns with malicious redirect hyperlinks and CVE-2022-31199 to deliver new Truebot malware variants.
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Finding Gadgets for CPU Side-Channels with Static Analysis Tools
Jordy Zomer and Alexandra Sandulescu show how static analysis can once again be used for good-good and good-evil.
We have recently begun research on using static analysis tools to find Spectre-v1 gadgets. During this research, we discovered two gadgets, one in do_prlimit (CVE-2023-0458) and one in copy_from_user (CVE-2023-0459). In this writeup, we explain these issues and how we found them.
https://github.com/google/security-research/tree/master/pocs/cpus/spectre-gadgets
RepoFusion: Training Code Models to Understand Your Repository
Disha Shrivastava, Denis Kocetkov, Harm de Vries, Dzmitry Bahdanau and Torsten Scholak answer the questions a number of us had around what happens when we introduce code not seen before during the training phase.
Despite the huge success of Large Language Models (LLMs) in coding assistants like GitHub Copilot, these models struggle to understand the context present in the repository (e.g., imports, parent classes, files with similar names, etc.), thereby producing inaccurate code completions. This effect is more pronounced when using these assistants for repositories that the model has not seen during training, such as proprietary software or work-in-progress code projects. Recent work has shown the promise of using context from the repository during inference. In this work, we extend this idea and propose RepoFusion, a framework to train models to incorporate relevant repository context. Experiments on single-line code completion show that our models trained with repository context significantly outperform much larger code models as CodeGen-16B-multi (∼73× larger) and closely match the performance of the ∼70× larger StarCoderBase model that was trained with the Fill-in-the-Middle objective. We find these results to be a novel and compelling demonstration of the gains that training with repository context can bring. We carry out extensive ablation studies to investigate the impact of design choices such as context type, number of contexts, context length, and initialization within our framework. Lastly, we release Stack-Repo, a dataset of 200 Java repositories with permissive licenses and near-deduplicated files that are augmented with three types of repository contexts.
https://arxiv.org/abs/2306.10998
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Aggregate reporting
It's more than just money: The real-world harms from ransomware attacks
Creating Cyber Resilience By Routine: By honing a core set of primary and enabling activities that are consistent, specific and measurable, leaders can boost cyber resilience and create business value.
Journal of Cybersecurity and Privacy, June 2023 - including papers such as:
Modeling Intruder Reconnaissance Behavior through State Diagrams to Support Defensive Deception
Cybersecurity for AI Systems: A Survey
Characterizing the Impact of Data-Damaged Models on Generalization Strength in Intrusion Detection
EU’s ENISA Digital Identity Standards report - an overview of the most important standards and standardisation organisations in this area.
22nd Workshop on the Economics of Information Security in Geneva live blog as written by Ross Anderson.
Coordinated Vulnerability Disclosure: A Quick Win for Cyber Norms and Software Security - coordinated vulnerability disclosure (CVD) policies require less of governments, in terms of both investment and technical capability. In fact, CVD practices leverage the broader community of industry, academia and IT security researchers.
Hotlines for the Digital Age: Improving communications in cyber-generated national security crises - While a point of contact directory won’t immediately change the calculus of states that turn a blind eye to criminals, hopefully when governments are able to reach one another in the face of an urgent threat, we will see more action to reduce the harm caused by these serious threats to peace and security.
Intelligence
Ditchley Foundation Annual Lecture LIX: A world transformed and the role of intelligence - On Saturday 1st July, U.S. Central Intelligence Agency Director William J Burns delivered Ditchley’s 59th Annual
Why Do We Need a New Research Agenda for the Study of Intelligence?
The Power of People on the Edges - For innovation to happen, we need people on the edges of networks. They are the bridges; the weak ties that connect different networks and ecosystems together. It is these people over whom new information travels most effectively, and almost exclusively; sociologists define them as weak, bridging ties in social networks.
Transnational Repression And The Different Faces Of Sovereignty - The risk is that without “an agreed set of principles about what constitutes reasonable diaspora engagement, governments in many parts of the world have begun to treat interference with ‘their’ citizens abroad as part of normal politics.
Machine Learning and Artificial Intelligence
Events etc.
Status Check: The Proposal for a UN Cyber Programme of Action - July 17, 2023
PEPR '23 - 2023 USENIX Conference on Privacy Engineering Practice and Respect - September 11th, 2023
Call for Papers: The Israeli Conference on Intelligence Studies
This newsletter is produced by BinaryFirefly, through which I support a hand-picked set of organisations across investment, strategy and capability in the domain of cyber.
For sponsorship enquiries regarding Bluepurple or anything else contact hello@binaryfirefly.com.