Steve Zaluski
From the CISO series, it's cybersecurity headlines.
Rich Stroffolino
General Dynamics says employees targeted in phishing attack. Japan Airlines systems are back to normal after a cyber attack. And TechCrunch lists the most badly handled data breaches of 2024. These are some of the stories that my colleagues and I have selected from this past week's cybersecurity headlines. And now, ready for some insight, opinion and expertise. And expertise. Excuse me. From our five-time returning guest, the Martin Short of the Week in Review, Steve Zaluski, CyberSecurity Advisor and CISO in Residence. Steve, I gotta ask, it was a holiday week. How was your week in cybersecurity?
Steve Zaluski
Fortunately, I would say pretty quiet and pretty productive.
Rich Stroffolino
That's what we were hoping for on our last Week in Review. We're hoping. Let's not jinx it. Let's keep stuff quiet. We got a little bit of activity over the weekend, so we'll get into it in the week's news. But Steve, I'm so thrilled to have you on to send out 2024. Of course, our sponsor that's joining us on this journey to end the year is, of course, ThreatLocker, Zero Trust Endpoint Protection Platform. You can join us on YouTube live. To do so, go to cisoseries.com, hit the Events dropdown and look for the Cybersecurity Headlines Week in Review image. You can join CCL and all of our other regulars in the chat. We've got the big boss man, David Spark, in there as well. You help make the show better. Please get your comments in. I love to see your perspective: what stands out to you in the stories, what your reaction to them is, what you're worried about in the news. That always helps inform how we can bring the best stories to you. And just a quick reminder before we jump into the stories that the opinions that Steve is going to express are in fact his own and not necessarily those of anyone else. You're getting the pure, undiluted Steve Zaluski opinions. We've got about 20 minutes, though, so let's jump into it. First story here. General Dynamics says employees were targeted in a phishing attack. The aerospace and defense company says threat actors compromised dozens of employee benefits accounts after a successful phishing campaign targeted its personnel. The activity was discovered on October 10 and took the form of a fraudulent advertising campaign that directed General Dynamics employees to a phishing site where they were deceived into entering their usernames and passwords. A total of 37 people were impacted. In addition to accessing PII and government ID numbers, which, not great, in some cases attackers changed bank account information, which can have all sorts of nastiness attached to it.
So Steve, we've talked many times on this show about the propensity for sophisticated threat actors to penetrate the infrastructure of organizations, not necessarily for, you know, stealing email addresses or direct monetary theft, but to take root inside the system. You know, here we have a major defense contractor. That's basically what's going on here. I'm curious, as a CISO, how does that make you feel?
Steve Zaluski
I'm frustrated. It's just incredibly frustrating, right? When I see things like this, where humans and the human weakness to want to help each other and do the right thing just continue to be preyed on over and over again. And in this case it's a defense contractor that knows that they're targeted, okay, obviously has good security, puts a lot of time and effort into training. So they do everything right. And yet we continuously see humans make mistakes. Right. And so that's why I characterize it that way. It's so frustrating that we do everything we know how to do. But until I can get humans to just change their underlying behavior, we are going to constantly be in this kind of fight.
Rich Stroffolino
And I imagine any large organization, a defense contractor, I would hope, has a playbook to deal with this. There's the anticipation that, one, they are going to be targeted with this kind of stuff all the time. And at some point that's just part of any resiliency strategy, right? At this point. Right.
Steve Zaluski
Yeah. You'll hear compensating controls and defense in depth, which is attempting to implement this resiliency, this realization that as much as I want to prevent the attack, some do come through, in this case social engineering is it. And so I protect some things more than others. Intellectual property, maybe military secrets. So there's a lot more friction, right, that's put into the process. Role-based access control, multi-factor authentication, where we're making it harder for the employee to do their job. But they understand that that friction is necessary because we can't let the bad guys win. Right. But there's a line there as to how much friction I can introduce depending upon the secrecy or the importance of what it is I'm trying to protect for the company.
Rich Stroffolino
And as CCL points out, you know, this is the fifth largest defense contractor in the world. I would imagine for an employee there, there is a greater understanding of that friction trade-off. Right. Whereas, I don't know, if you're at an insurance firm, it may just be like, oh, I can't, you know, this is getting in the way. But regardless of the organization, I feel like there needs to be more of that conversation of how do we communicate that these controls are not arbitrary. You know, yes, you have to do MFA or you have to add some additional controls on top of that, to show the benefit, that it's worth making your job a little bit more of a pain in the butt to do. Right.
Steve Zaluski
Well, remember, it comes down to time and money.
Rich Stroffolino
Yeah. Okay.
Steve Zaluski
I can put a front door in. I can put a front gate in. I can put a back gate in, and I can make it very difficult for you to go outside and play in traffic. But at the end of the day, I can only put so much time and effort in, and then I have to just educate you and have you do the right thing. And I think that's the yin and the yang that you hear on the security side about, well, I'm just going to make you do the right thing. But the line of business ultimately is deciding how much pain and aggravation they're willing to accept from cybersecurity, and then they just ignore it. And that's why we can't control our destiny; our lines of business and the bad guys do, generally.
Rich Stroffolino
All right, well, next up here, speaking of disruption to business, Japan Airlines systems are back to normal after a cyber attack. The airline announced yesterday, Thursday, December 26, that its systems have returned to normal following a cyber attack that delayed some flights. The attack occurred at 7:24 a.m. local time and shut down a router that was causing malfunctions and which suspended ticket sales for flights departing on Thursday. Representatives said no customer data was leaked and no damage was registered. Question mark. This event follows on the heels of a brief outage that also impacted flights for American Airlines on Tuesday, Christmas Eve. That particular outage was issued at the airline's request after it experienced trouble with the flight operating system, or FOS. The airline blamed technology from one of its vendors. There's no indication that this was a cyber attack, but, you know, we had two transportation holiday disruption stories, so it kind of made sense here. But Steve, with so many flights occurring worldwide, especially during, you know, the busy holiday season, these small incidents can easily get buried in the news cycle when you can't have cameras pointing to thousands of people, you know, sitting in the airport and kind of stranded. And that kind of stuff doesn't make that great of a story. But wouldn't it be disturbing if maybe six months down the road an investigation shows this was a little bit more than a simple router malfunction? In the case of American Airlines, we also have, you know, another standard explanation: the old third-party vendor. I'm curious, these two stories, what's your take on this?
Steve Zaluski
So this, when I read this, and there was a DDoS attack associated with this, is the appreciation of the difference between health and safety versus availability. Right. Security: confidentiality, availability and integrity. Health and safety: you don't want people to get hurt. Things like airlines are driven by health and safety. So a simple DDoS attack so that you can't get to, let's assume, the FOS system. So they can't assign the pilots and the airline support personnel. They can't fly. Right. Because they're obligated to have full crews. So what I see more and more often here is that these major systemic impacts to services that people take for granted, like health care or like airlines, where they haven't had to breach the systems, they've just had to impact the availability of certain systems, which then causes the system to have to go into hold mode. Okay. We're going to see more and more of that because what people are trying to do in some cases is just impact the social fabric of how we live. And these types of DDoS attacks, to your point, may go under the radar screen, but not really, because a 30-minute outage for a DDoS attack, that's all it took, right? They had to do a ground hold for 30 minutes. Everything that flies is now in hold for 30 minutes. It backs up the entire system because those planes can't leave. All the major airports have got slotting, so you can have these huge disruptions. Because we can't mess with health and safety.
Rich Stroffolino
Yeah, these limits, and we've talked to healthcare CEOs, and I always have the most empathy for that situation because you're right that health and safety is the business. Right. Like that's the mission right there. That's the cannot-compromise-this. And it seemingly opens up so many different ways to disrupt that, like you said, with just a simple DDoS, and it has all this knock-on effect. So yeah, definitely something. This has been kind of a trend that we've been seeing, I think of municipalities, healthcare and kind of the airlines, for different reasons, being particularly vulnerable to this kind of stuff. So it'll be interesting to see how the industry responds, if we've come to any kind of best practices for responding to this next year, or if this trend just continues, for sure.
Steve Zaluski
Well, the trend is going to continue, and here's what kills me. A 30-minute outage can take six hours to remediate, right? Because once the damage is done, it doesn't take me 30 minutes to just get everything back. Okay, those planes have to take off. I can't compress time. And so here are ways, right, if you want to be able to do major impact, it takes a minor exercise to have a pretty major impact on society.
Rich Stroffolino
All right, next up here, TechCrunch lists the most badly handled data breaches of 2024. TechCrunch is out with its annual summary of breaches whose behavior or response could at least be seen as maybe a learning opportunity for others, if we're being generous. This year's list includes 23andMe, who blamed their customers for not sufficiently securing their accounts. They were attacked with a credential stuffing attack. Change Healthcare, who took months to confirm hackers stole most of America's health data by breaching a basic user account with a lack of multi-factor authentication. Also on the list, Snowflake, whose breach was a result of a lack of mandated use of multi-factor security. And the city of Columbus, Ohio, sorry, Buckeyes, who sued a security researcher for truthfully reporting on a ransomware attack. So Steve, we're certainly not looking to make light of the efforts of dedicated security personnel who work for these companies or organizations, but all eight of the stories listed by TechCrunch seem to show some degree of corporate clumsiness or maybe a misunderstanding. Some interesting priorities, let's say. I'm curious, do you have one or two from that list that stand out to you? Or maybe something that didn't make the list?
Steve Zaluski
I went through the list and I actually looked at each type of incident and just tried to summarize. The thing that struck me was, depending upon how you count, half of those incidences were identity and access management, where the humans were phished and their credentials were compromised. That's it. So it's funny how the conversation we were just having about the defense contractor, and the fact that people are being socially engineered all the time because we want to help and we're the weakest link, that that is the majority of the incidences for last year, and the consequence always is, well, do multi-factor authentication, right? And yet why, for something that's so obvious, can't we do it? Because of the friction. Right. And then it comes back to, well, you're blaming the customer, and the customer can never be wrong. So I just wanted, from my perspective, when I look to give people an opportunity to go: when you look at that and you look at the root cause, and you look at how either they're placing blame or trying to train people on the value of implementing multi-factor authentication, and they're counting on us as the consumers to do it and we choose not to. Right. Then they get breached. Well, we can't tell the customer he was wrong. Yet I, as the business, right, can only have a certain amount of influence on your behavior.
Rich Stroffolino
Well, 23andMe tried. Right. They tried to throw everybody, and we saw how well that went, and on that one I'm of two minds. One, just don't do that, ever. It's never the right call. Right. But also, I also feel like in some ways that was to tell shareholders that, but that gets more into a little bit of corporate speak. But yeah, I mean, in that particular case you also have to know that's the game, right? Whenever you allow users to create accounts, they're going to do it badly. That just has to be the basic assumption, right?
Steve Zaluski
Or, and that's what I mean. I go, if the intrinsic value of the data, like 23andMe, if it's my DNA data, then do I have an obligation to only allow multi-factor authentication to log in? Because I am making the determination that the classification of that data is radioactive hot for what would happen if you make a mistake. So I'm taking the steps to prevent you from making the mistake. That is some of the conversations we're having to have: well, is it obvious, intuitively obvious, that that data is so critical if it got out, like healthcare data? Okay. That's a classic case. You don't let that get out, we're going to make you do MFA. You're going to complain about it, but we're simply saying we can't assume the risk of you being wrong.
Rich Stroffolino
All right, well, before we get into our next story, which kind of is the other side of the coin here, so it's a really interesting story, we have to spend a few moments with our sponsor for today, ThreatLocker. Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. ThreatLocker helps you take a proactive default-deny approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation are fully supported by their US-based support team. To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit threatlocker.com.
Steve Zaluski
All right.
Rich Stroffolino
Steve, I can't wait to get your take on this. Microsoft 365 users hit by random product deactivation errors. Microsoft is looking into an issue in which customers using Microsoft 365 Office apps are encountering "product deactivated" errors. Specifically, these occur when moving users between licensing groups, so something like Azure Active Directory groups or synced on-premises security groups, or switching user subscriptions, so going from an Office 365 to a Microsoft 365 license and all of the glorious byzantine confusion that can occur there. Affected users should be able to click the Reactivate button on the error banner and sign in when prompted to resolve the issue. Or they could sign out of everything, all Microsoft 365 apps, close them all down, restart, and then be able to sign back in. And Microsoft also said it's doing a server-side fix on the back end a few days later. But Steve, this might seem a little innocuous, maybe an obscure story, limited, you know, a small number of users and some admins, but there are some things that stand out here. First, it's Microsoft. At their scale, there's kind of nothing small, even if it's a small percentage of users. Please try and take a feature out of Windows and see what a small percentage of Microsoft users will have to say about that. Second, maybe more disturbing, is the ease by which they say just click that Reactivate button. Isn't that literally the type of stuff we're talking about, where that seems like a very phishing-adjacent behavior? Right? A threat actor with a spoofed Windows login page has that same lure that we're training people not to fall for. Is that a problem?
Steve Zaluski
Here's the yin and the yang effect. For as long as computers have been around, laptops and desktops and Windows, what's the answer been when something goes wrong? Reboot. Right? It's a software problem. Just reboot. Your point here is we've been doing that for 35 or 40 years. When something goes wrong, what do we do? Reboot. And yet, from a product testing perspective, that should not be an acceptable answer. We should be able to build systems that are robust and stay up. So here's a situation where there was a mistake made in coding. It wasn't caught in all of the testing. Okay. And so now it's out in the field. Well, why didn't it get caught in testing? Shame on you. And now that it's out in the field, what do we do? We basically say reboot, which is the very thing that the bad guys are constantly reinforcing, which is, hey, just reboot. Okay. And so to your point, this is why I say, look at what we're doing now, because we're not taking responsibility to remove this as an alternative, since I just reactivate again and we'll catch it next time through. Not as a normal course of operation. And so long as we continue to enable and support that type of behavior, we're basically giving it to the bad guys.
Rich Stroffolino
Yeah, to me, this just screams as, like, I don't know, like, learning. I don't even want to call it the learning opportunity. It just seems to go against a lot of what we constantly are talking about on the show in terms of security practice, stuff like that. So thank you for elucidating that so well, Steve. I really appreciate that. Speaking of responsibility, though, CISA taking responsibility, adding a BeyondTrust flaw to its Known Exploited Vulnerabilities catalog. This is a story that we discussed last Friday on Week in Review. But now things have escalated a little, with BeyondTrust having been added to CISA's Known Exploited Vulnerabilities, or KEV, catalog. According to its advisory, a critical vulnerability has been discovered in Privileged Remote Access and Remote Support products which can allow an unauthenticated attacker to inject commands that are run as a site user. The CVSS score for this is 9.8, and federal agencies have until December 27th to fix it. Of course, today is December 27th, so I imagine quite a few security people working for federal agencies have had to cut their holiday season maybe a little short, or work into the year a little later than they were planning for. I'm curious, Steve, what are your thoughts about incidents where companies we trust to supply security make a mistake or even get sabotaged?
Steve Zaluski
Yeah, this is CrowdStrike all over again, right? From a different perspective. But these are the crown jewels. This product protects our crown jewels, our service accounts, our privileged things, where the IT people are trying to do the right thing. And you could argue they should have a much higher bar of testing and release because they are protecting the crown jewels. Whereas the last time you asked me earlier, right, I go, I was, you know, frustrated. Well, this one just gets me aggravated. Okay. Because here I am implementing PAM tools, doing everything right for my teams to be able to try to prevent the bad guys. And then the underlying software, right, has problems, exploitable. Right. And now I've got to have a fire drill, right, of bringing in people, because 9.8, 9.9 criticals have to be patched within 48 hours, exploited in the wild. Right. So the IT teams and the security teams are having to pay the burden of us not being able to build truly, right, world-class protected software, especially for critical systems.
Rich Stroffolino
Yeah. That perspective of, yeah, you're doing the things that people are telling you to do, right? You're trying to be ahead of the curve here and you're getting bit because of that, I imagine. Like, I just imagine that just explaining that has to be incredibly frustrating, right? Like as a CISO, it's like, oh, we had to pull in people for, we had to pull in this whole staff for overtime, you know? All this stuff like that alone has to be so insanely frustrating.
Steve Zaluski
Right. And it's because it's got a larger systemic impact, right? It's the IT people with the trusted secrets that, if they get in, they can do substantial damage. Right. About how they're propagating through my systems. So it's a small hole that I've protected highly. But once you're in, right, you're into the Garden of Eden, so to speak. And that is why it's really, really frustrating to go through all that. And can you imagine having a conversation, me as a CISO with my executive team? Well, Steve, we gave you all this money and all these people. You put it all in. So now what?
Rich Stroffolino
So, Steve, we've gone from frustrated, we're approaching anger here. Okay. I don't like the way the curve of this show is going, so I'm going to try and bring us all back here. Okay. Let's pull some, maybe some good news out of this last story here for today. Using LLMs to generate malware variants. Okay. Doesn't sound great on the outset, but let's dig into the details here. An analysis by Palo Alto Networks Unit 42 looked at the ability of threat actors to rewrite existing malware. The researchers used models to rewrite known malware samples iteratively using techniques like variable renaming, string splitting, junk code insertion, removal of unnecessary whitespace, and a complete reimplementation of the code. The idea is that these changes, small or large, could degrade the overall effectiveness of malware classification systems while also making the code look more naturally written when reviewed by a human. To combat this, Palo Alto generated tens of thousands of variants to train its own detection. Excuse me. Palo Alto generated tens of thousands of variants to train its own detection algorithms, and it reportedly saw a 10% detection rate improvement. So, Steve, a little bit of the old cat and mouse game being played by Palo Alto here. And they're certainly not the only ones that are doing this, but they documented this report, which I found really interesting: identifying techniques to improve malware through generative AI, as well as using those same techniques to train their own products to get better. A story in today's Superhuman AI newsletter, which, if you're not subscribed, is definitely worth giving a gander, shows that jailbreaking LLMs is not all that difficult. With even just random capitalizations within a prompt, you can get an LLM to do things that theoretically it shouldn't be able to do. I'm curious, what are your observations on the success of GenAI on either side of this battle?
Steve Zaluski
You know, you call it a cat and mouse game, and I agree. The problem is defense. Right? The protectors are the mice. I'd like to be the cat for a change. Okay, what you're seeing here is the weaponization of technology generally plays to the advantage of the cat. Right. In this case, the bad guys can weaponize that technology much faster than I can for defense, meaning they can generate tens of thousands, hundreds of thousands of variations. Right. And they can throw it at me at the speed of machine. I, on the other side, can try to get a little smarter by doing some of that proactively, but for the most part I'm reactive. I have to respond to the attacks as they come in, and I don't have the compute necessarily, right, to determine if it's really bad, and some is going to get through. And that, from a weaponization perspective, is just the current reality and has been for a while, which is, I would love to be on the front end of weaponization for defense. But you know, it's just a really difficult problem because generally I'm held to a higher accountability of being right, whereas they just have to be good enough.
Rich Stroffolino
Yeah, it would be nice if it was kind of a Tom and Jerry situation. Right. You know, we can, like, pull out a tongue and, you know, all the grisly stuff. But CCL brings up a really good point in here, saying static detections, this, you know, definitely seems like it would be a good approach here, but I wonder if these variants avoid dynamic detections too. Really? Yeah. And I mean, I think what Palo Alto is doing is, you know, again, Steve, to your point, trying to respond to what they know is going to be a flood of these, if they're not already seeing it. They know this is just an inevitability at this point, and they're trying to just see what works and trying to stay ahead there. I do wonder if we are going to see a little bit more of those, not strike-back tools, but more aggressive defensive tools, because we're able to turn around more quickly, theoretically, if we're able to, you know, do this kind of software variation at this kind of scale and with this kind of speed. I wonder if there is an opportunity there for a more aggressive set of tools in that regard. But we will have to see. I'm very interested to see this, and I know we either have or have just released a Defense in Depth that gets into this topic as well, the pros and cons. I think it's coming out in January, in fact, on whether AI tools help or detract from defense. So it's very interesting and definitely a topic we'll be revisiting a lot. Another person we'll be revisiting a lot is you, Steve Zaluski. Just crushing it. Fifth time here. Can't wait to have you on for a sixth. Before we get you out of here, was there any story that was a thumbs up or an eye roller today? Hey, we got a trophy for you, by the way. I didn't mention it before. We have a trophy for your fifth time, if you're watching the video. Yeah, it's the best. I mean, that would be my thumbs up personally if I got a trophy.
But was there any story that stood out to you today that you just had a strong reaction to?
Steve Zaluski
I was gonna, to me it's the LLMs to generate variants. It's the appreciation that we are seeing technology, right, abused quicker than we can use it for good. And just a lot of this energy and enthusiasm is, again, I would say I'm frustrated for a set of reasons right today with these kinds of things. Not that I'm giving up the good fight, but we're acknowledging the limitations of our ability for defense, and we've got to continue to think outside the box to figure out how we can someday be the cat.
Rich Stroffolino
Well, thank you so much again, Steve Zaluski, CyberSecurity Advisor and CISO in Residence and co-host of Defense in Depth. If you're not subscribed to that podcast, what are you doing? Get over there. Subscribe. Get over there. cisoseries.com. Subscribe to it. Steve is amazing on there with all of our great guests and, of course, the big boss man, David Spark. David Cross in the chat wants to know where's the fifth-timer jacket, like on SNL. That's in the mail. I sent it DHL snail. So, you know, we don't know when that's going to get there, but, you know, hopefully everything will be okay. I have insurance on it, so don't worry, Steve. It's going to be okay. And Steve, where can people find you in cyberspace if they are so inclined to keep following you for some great thoughts?
Steve Zaluski
Sure. Well, I think what you said, CISO Series, Defense in Depth, that's kind of my home base, where we talk not about what's hard about security, but what we can do about it. And then people are welcome to look me up on LinkedIn. And then a shout-out to being CISO in Residence for the Professional Association of CISOs, which is a new organization that's patterned after the American Bar Association, where we're taking the practice of cybersecurity and we're now on the path of making it the profession of cybersecurity, with attestation and accreditation processes.
Rich Stroffolino
Excellent. That sounds exciting. That sounds really awesome, Steve. So thank you for sharing that, for all of your wisdom, and just for your time today on a busy holiday week, for joining us to close out the year. Truly appreciate it.
Steve Zaluski
The pleasure was all mine, Rich. Thank you.
Rich Stroffolino
Thanks also to our sponsor for today, ThreatLocker, Zero Trust Endpoint Protection Platform. Thanks to everybody that was in our audience today. I see David Cross, CCL. I'm doing Romper Room again, but I'm gonna name you. If you show up, I'm going to name you. And of course the big boss man, David Spark himself, in there helping us make the show better, giving us their thoughts, perhaps even a little snark. That's fine with me too. We can take it. We have thick skin as well. But if you haven't joined us already, you should definitely. We are here every single Friday at 3:30 p.m. Eastern, and you can check us out. We'll go through the news of the week with one of our great CISO guests. Just a quick programming note: there will be no Super Cyber Friday next week, but we will have a Week in Review show, so that will be a lot of fun. If you always want to check out our events, look at our events page at CISO Series. And in the meantime, you can still get your daily news fix every single day through Cybersecurity Headlines. Give us about six minutes, we'll get you all caught up. Until the next time we meet, I'm Rich Stroffolino, reminding you to have a super sparkly day. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Rich Stroffolino
Guest: Steve Zaluski, CyberSecurity Advisor and CISO in Residence
Episode: Week in Review: Microsoft deactivation flaw, BeyondTrust on KEV, LLM-generated malware
Summary:
The episode opens with a discussion on a recent phishing attack targeting General Dynamics employees. The aerospace and defense giant reported that threat actors successfully compromised dozens of employee benefits accounts through a sophisticated phishing campaign. This incident affected 37 individuals, leading to unauthorized access to Personally Identifiable Information (PII) and government ID numbers. Additionally, attackers altered bank account information, posing significant risks.
Key Insights:
Steve Zaluski expresses deep frustration over the recurring human vulnerabilities exploited in such attacks, especially within organizations like defense contractors that prioritize security training and infrastructure.
Notable Quote:
“I'm frustrated. It's just incredibly frustrating, right... we continuously see humans make mistakes.” — Steve Zaluski [03:03]
Summary:
Japan Airlines experienced a cyber attack that disrupted its systems, leading to flight delays. The outage, which occurred at 7:24 am local time, was attributed to a malfunctioning router. The airline promptly restored its systems, assuring that no customer data was compromised. This incident follows a similar outage by American Airlines on Christmas Eve, albeit with different causes.
Key Insights:
Steve highlights the vulnerability of critical infrastructure like airlines to Distributed Denial of Service (DDoS) attacks, emphasizing how even short-term outages can have cascading effects on operations and public safety.
Notable Quote:
“...these types of DDoS attacks... have to go into hold mode. All the major airports have got slotting so you can have these huge disruptions.” — Steve Zaluski [10:15]
Summary:
TechCrunch released its annual compilation of the most poorly managed data breaches of the year. Notable mentions include:
Key Insights:
Steve critiques the recurring theme of identity and access management (IAM) failures, particularly the over-reliance on customer diligence rather than enforcing robust security measures like MFA.
Notable Quote:
“Half of those incidences were identity and access management where the humans were phished and their credentials were compromised.” — Steve Zaluski [12:40]
Summary:
Microsoft 365 users have reported encountering product deactivation errors, particularly when transitioning between licensing groups such as moving from Office 365 to Microsoft 365. Affected users can resolve the issue by reactivating their accounts or signing out and back into their applications. Microsoft is implementing a server-side fix to address the problem.
Key Insights:
Steve draws parallels between such user-facing issues and phishing tactics, warning that simplifying resolutions like “click the Reactivate button” could inadvertently train users to follow dangerous cues similar to those exploited in phishing attacks.
Notable Quote:
“As long as we continue to enable and support that type of behavior, we're basically giving it to the bad guys.” — Steve Zaluski [19:30]
Summary:
The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in BeyondTrust's privileged remote access and remote support products to its Known Exploited Vulnerabilities (KEV) catalog. This flaw allows unauthenticated attackers to inject commands executed as a site user, carrying a CVSS score of 9.8. Federal agencies were given a deadline of December 27th to implement fixes.
Key Insights:
Steve expresses aggravation over vulnerabilities in trusted security products, emphasizing the increased burden on IT and security teams to respond swiftly to such critical flaws despite their best efforts in securing their environments.
Notable Quote:
“I'm implementing PAM tools, doing everything right for my teams to be able to try to prevent the bad guys. And then the underlying software... has problems exploitable.” — Steve Zaluski [22:06]
Summary:
Palo Alto Networks' Unit 42 released a report on the utilization of Large Language Models (LLMs) to generate malware variants. By iteratively modifying existing malware through techniques like variable renaming and junk code insertion, threat actors can create numerous variants that evade traditional detection systems. Palo Alto responded by generating tens of thousands of these variants to enhance their detection algorithms, achieving a 10% improvement in detection rates.
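As an added illustration of the rewrite pattern described above (this is not Unit 42's code or anything from the episode), the following defender-side normalizer shows why variable renaming and junk insertion should not defeat a detector that compares canonical forms; it assumes a small JavaScript-like subset and uses constructed sample snippets.

```python
import hashlib
import re

# Added example (not code from Unit 42 or the episode): a toy normalizer for a
# JavaScript-like subset. Unused literal declarations (junk) are dropped and
# identifiers renamed to canonical placeholders, so renamed/padded variants
# collapse to one fingerprint. Real detectors do this on a full AST.
KEYWORDS = {"function", "var", "let", "const", "return", "new", "if", "else",
            "for", "while", "true", "false", "null"}
TOKEN = re.compile(r'''"[^"]*"|'[^']*'|\d+(?:\.\d+)?|\w+|[^\s\w]''')
IDENT = re.compile(r"[A-Za-z_]\w*")

def strip_dead_declarations(tokens):
    # Drop `var X = <number or string> ;` when X appears nowhere else; repeat
    # until stable, since removing one junk line can orphan another.
    changed = True
    while changed:
        changed = False
        for i in range(len(tokens) - 4):
            decl, name, eq, lit, semi = tokens[i:i + 5]
            if (decl in ("var", "let", "const") and eq == "=" and semi == ";"
                    and tokens.count(name) == 1 and not IDENT.fullmatch(lit)):
                del tokens[i:i + 5]
                changed = True
                break
    return tokens

def canonical_rename(tokens):
    # Map each non-keyword identifier to ID<n> by order of first appearance.
    names, out = {}, []
    for tok in tokens:
        if IDENT.fullmatch(tok) and tok not in KEYWORDS:
            out.append(names.setdefault(tok, f"ID{len(names)}"))
        else:
            out.append(tok)
    return out

def normalize(src):
    return " ".join(canonical_rename(strip_dead_declarations(TOKEN.findall(src))))

def fingerprint(src):
    return hashlib.sha256(normalize(src).encode()).hexdigest()

# Constructed samples: VARIANT is ORIGINAL after identifier renaming plus two
# inserted junk declarations, the rewrite pattern the report describes.
ORIGINAL = 'function greet(name) { var msg = "hi " + name; return msg; }'
VARIANT = ('function qX9(zz) { var junkA = 17; var t = "hi " + zz; '
           'var junkB = "pad"; return t; }')
```

Both samples normalize to the same token string, so `fingerprint(ORIGINAL) == fingerprint(VARIANT)`, while a genuinely different function still gets a different fingerprint.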
Key Insights:
Steve discusses the escalating arms race between threat actors and defenders, where the rapid weaponization of AI-driven technologies by malicious actors outpaces defensive capabilities. This dynamic poses significant challenges for cybersecurity professionals striving to keep systems secure.
Notable Quote:
“The protectors are the mice. I'd like to be the cat for a change.” — Steve Zaluski [25:00]
The episode concludes with reflections on the discussed topics and a commendation for Steve Zaluski’s insightful contributions. Emphasis is placed on the ongoing challenges in cybersecurity, the necessity for continuous adaptation, and the hopeful pursuit of more effective defensive strategies.
Final Quote:
“We are acknowledging the limitations of our ability for defense and we've got to continue to think outside the box to figure out how we can someday be the cat.” — Steve Zaluski [28:14]
This comprehensive review encapsulates the critical cybersecurity events of the past week, offering expert analysis and highlighting the persistent challenges faced by organizations in safeguarding their digital assets.