Srsly Risky Biz: DeepSeek a boon for Chinese APTs

Summary

Risky Bulletin Podcast Summary

Title: Srsly Risky Biz: DeepSeek a Boon for Chinese APTs
Host: Patrick from Risky Business
Guest: Tom Uren, Colleague at Risky Business
Release Date: February 6, 2025

1. Introduction to the Episode

In this episode of Risky Bulletin, Patrick and Tom delve into critical cybersecurity topics, focusing on government policies, regulation, and significant trends shaping the cybersecurity landscape. Skipping over the usual advertisements and intros, the conversation kicks off promptly with insights from Tom’s latest newsletter.

2. NCSC’s Guidance on Forgivable Vulnerabilities

Overview: Patrick introduces the discussion by highlighting the UK's National Cyber Security Centre (NCSC) publication on distinguishing between forgivable and unforgivable vulnerabilities. This framework aims to evaluate software bugs not just by their severity (as measured by CVSS scores) but by their origins and the developer’s adherence to secure development practices.

Key Points:

Definition of Forgivable vs. Unforgivable Vulnerabilities: Tom explains that unforgivable vulnerabilities are those that should not exist due to a blatant disregard for secure development practices. The NCSC references a 2007 description by Steve Christie from Mitre, emphasizing that such bugs indicate a failure in secure programming methodologies.

Tom [02:26]: “If a bug's unforgivable, it means basically that the vendor totally disregarded secure development practices. They just shouldn't exist. No excuses.”
Methodology: The framework introduces a matrix that scores the ease of implementing mitigations for different types of vulnerabilities. For instance, input validation is considered easy to implement (score of 3), categorizing related vulnerabilities as unforgivable.

Tom [03:49]: “Input validation, they've scored it as a three because it's widely understood, it's cheap to implement and the complexity is very low.”
Practical Application: A worked example in the NCSC report demonstrates a real-world vulnerability that could have been eliminated with proper input validation, deeming it unforgivable.

Tom [04:49]: “They provided this worked example at the end which is a real-world but anonymized, very serious bug... the overall assessment is this vulnerability should not have existed and is unforgivable.”
Critique and Future Implications: While Tom appreciates the framework, he notes the absence of publicly anonymized real-world vulnerabilities in the report. He suggests that incorporating such examples could enhance transparency and acceptance.

Patrick [06:15]: “It's a nice compromise where other people can take this criteria, work through the Kev list and then publish a report on it, you know, according to the NCSC's framework.”

Impact on Policy and Regulation: The discussion transitions to the potential influence of this framework on future government guidance and regulations. Patrick contemplates whether this initiative could lead to new laws or procurement standards that penalize vendors for unforgivable bugs.

Patrick [07:11]: “Do you think this will help policymakers to issue guidance, regulation, draft new laws, things like that?”

Tom concurs, viewing the framework as a step towards incentivizing secure development practices and potentially influencing government procurement policies.

Tom [07:52]: “This is like kind of a complimentary approach to all the other procurement side things that you...”

3. DeepSeek AI: Enhancing Chinese APT Capabilities

Introduction: Patrick shifts the conversation to the emergence of DeepSeek, a Chinese large language model (LLM), and its implications for Advanced Persistent Threats (APTs) originating from China.

Key Points:

Perception vs. Reality: While many are concerned about DeepSeek’s privacy policies, Tom emphasizes that the greater threat lies in how Chinese APTs can leverage such AI tools for malicious activities without detection in Western threat reports.

Patrick [08:55]: “...people can check out more detail in the newsletter. Another thing that you've written about, like everybody's talking about Deep Seq...”
Visibility and Countermeasures: Tom contrasts DeepSeek with Western models like those from OpenAI and Google, which generate threat reports that aid in developing countermeasures. DeepSeek, being a smaller entity, lacks the resources to provide similar visibility, potentially increasing the effectiveness of Chinese APTs.

Tom [10:21]: “DeepSeek, it doesn't seem like they're malicious at all in any way, but they're just a very much smaller company... that scale of effort just doesn't seem plausible.”
Operational Advantages: The reduced visibility means that Chinese APT activities may go undetected longer, providing them with a strategic advantage.

Tom [12:21]: “It just makes it easier for those crews when they don't have to worry about working their way or jailbreaking, I guess companies that definitely view them as adversaries.”
Quality and Capability: DeepSeek is noted for its superior capabilities compared to existing open-source models, enhancing its utility for malicious purposes.

Patrick [13:05]: “It's more capable than the open source stuff that they could access already. But it's not like they didn't have any sort of ability to run a ring fenced LLM previously.”

Implications: The hosts discuss the potential long-term impact of DeepSeek on cybersecurity, emphasizing the need for improved Western AI threat intelligence to counteract the invisible enhancements to Chinese APT operations.

Tom [13:48]: “I think this is a thing that will happen. There'll be a loss of visibility for Google. So I think that's a kind of more...”

4. EU Sanctions Against Russian APT Unit 29155

Overview: Patrick and Tom explore recent EU sanctions targeting a Russian APT group, identified as Unit 29155 of the GRU, notorious for activities ranging from sabotage to the rumored Havana syndrome incidents.

Key Points:

Background and Significance: The sanctions are based on cyber activities that date back several years, marking a significant move as it is the first formal attribution of Unit 29155 to malicious cyber operations.

Patrick [13:48]: “Now the final thing that we're going to talk about today are some sanctions, some EU sanctions against a Russian APT...”
Effectiveness and Timing: Tom reflects on whether sanctioning past activities is meaningful, pondering the delayed response since the incidents occurred five years prior.

Tom [15:27]: “It's a slap on the wrist for something that they did find.”
Political Will and Policy: The hosts discuss the challenges in enforcing sanctions due to geopolitical dependencies, such as Europe’s reliance on cheap Russian gas, which often hampers swift punitive actions.

Tom [16:32]: “When these incidents originally happened, there just wasn't the political will in to do anything about them because. Exactly. Like five years ago.”
Institutional Response: The EU’s move is seen as both a sign of bureaucratic momentum and a necessary step in holding rogue state actors accountable, albeit belatedly.

Tom [17:02]: “Yeah, I mean, the problem you're really trying to tackle is that Russia is just gangster state...”

Expert Insight: Consulting insights from Stefan Susanto of ETH Zurich, the discussion highlights the historical inaction due to geopolitical complexities and the eventual need for decisive measures.

Tom [16:32]: “I spoke to Stefan Susanto, who's at ETH Zurich, and his view was that when these incidents originally happened, there just wasn't the political will in to do anything about them because.”

Conclusion on Sanctions: While the sanctions may seem delayed and limited in immediate impact, the hosts agree that they represent a critical acknowledgment of past cyber aggressions and a step towards more robust future responses.

Patrick [17:17]: “Yes. Yeah. I mean, the problem you're really trying to tackle is that Russia is just gangster state.”

5. Closing Remarks

Patrick wraps up the episode by encouraging listeners to subscribe to Tom’s newsletter and stay updated with Risky Business’ offerings.

Patrick [17:31]: “And that, you know, better late to learn than never, right? Tom Uren, that is it for this edition of the podcast...”

Key Takeaways:

Forgivable vs. Unforgivable Vulnerabilities: The NCSC’s framework introduces a method to assess software bugs based on their preventability and the ease of mitigation, aiming to standardize accountability in software development.
DeepSeek’s Impact on APTs: The emergence of DeepSeek enhances the operational capabilities of Chinese APTs by providing advanced AI tools without the corresponding threat intelligence and countermeasure development found in Western counterparts.
EU Sanctions on Russian APTs: The EU’s sanctions against Russia’s Unit 29155 signify a formal stance against state-sponsored cyber aggression, albeit with challenges related to geopolitical dependencies and delayed responses.

Notable Quotes:

Tom [02:26]: “If a bug's unforgivable, it means basically that the vendor totally disregarded secure development practices. They just shouldn't exist. No excuses.”
Tom [07:52]: “This is like kind of a complimentary approach to all the other procurement side things that you...”
Tom [10:21]: “DeepSeek, it doesn't seem like they're malicious at all in any way, but they're just a very much smaller company... that scale of effort just doesn't seem plausible.”
Tom [17:02]: “Yeah, I mean, the problem you're really trying to tackle is that Russia is just gangster state...”

For More Information: Listeners are encouraged to visit RiskyBiz to subscribe to newsletters and access additional podcast episodes for comprehensive cybersecurity insights.

This summary encapsulates the essential discussions from the February 6, 2025 episode of Risky Bulletin, providing a comprehensive overview for those who have yet to listen.

Summary

Risky Bulletin Podcast Summary

Title: Srsly Risky Biz: DeepSeek a Boon for Chinese APTs
Host: Patrick from Risky Business
Guest: Tom Uren, Colleague at Risky Business
Release Date: February 6, 2025

1. Introduction to the Episode

2. NCSC’s Guidance on Forgivable Vulnerabilities

Key Points:

Definition of Forgivable vs. Unforgivable Vulnerabilities: Tom explains that unforgivable vulnerabilities are those that should not exist due to a blatant disregard for secure development practices. The NCSC references a 2007 description by Steve Christie from Mitre, emphasizing that such bugs indicate a failure in secure programming methodologies.

Tom [02:26]: “If a bug's unforgivable, it means basically that the vendor totally disregarded secure development practices. They just shouldn't exist. No excuses.”
Methodology: The framework introduces a matrix that scores the ease of implementing mitigations for different types of vulnerabilities. For instance, input validation is considered easy to implement (score of 3), categorizing related vulnerabilities as unforgivable.

Tom [03:49]: “Input validation, they've scored it as a three because it's widely understood, it's cheap to implement and the complexity is very low.”
Practical Application: A worked example in the NCSC report demonstrates a real-world vulnerability that could have been eliminated with proper input validation, deeming it unforgivable.

Tom [04:49]: “They provided this worked example at the end which is a real-world but anonymized, very serious bug... the overall assessment is this vulnerability should not have existed and is unforgivable.”
Critique and Future Implications: While Tom appreciates the framework, he notes the absence of publicly anonymized real-world vulnerabilities in the report. He suggests that incorporating such examples could enhance transparency and acceptance.

Patrick [06:15]: “It's a nice compromise where other people can take this criteria, work through the Kev list and then publish a report on it, you know, according to the NCSC's framework.”

Patrick [07:11]: “Do you think this will help policymakers to issue guidance, regulation, draft new laws, things like that?”

Tom concurs, viewing the framework as a step towards incentivizing secure development practices and potentially influencing government procurement policies.

Tom [07:52]: “This is like kind of a complimentary approach to all the other procurement side things that you...”

3. DeepSeek AI: Enhancing Chinese APT Capabilities

Key Points:

Perception vs. Reality: While many are concerned about DeepSeek’s privacy policies, Tom emphasizes that the greater threat lies in how Chinese APTs can leverage such AI tools for malicious activities without detection in Western threat reports.

Patrick [08:55]: “...people can check out more detail in the newsletter. Another thing that you've written about, like everybody's talking about Deep Seq...”
Visibility and Countermeasures: Tom contrasts DeepSeek with Western models like those from OpenAI and Google, which generate threat reports that aid in developing countermeasures. DeepSeek, being a smaller entity, lacks the resources to provide similar visibility, potentially increasing the effectiveness of Chinese APTs.

Tom [10:21]: “DeepSeek, it doesn't seem like they're malicious at all in any way, but they're just a very much smaller company... that scale of effort just doesn't seem plausible.”
Operational Advantages: The reduced visibility means that Chinese APT activities may go undetected longer, providing them with a strategic advantage.

Tom [12:21]: “It just makes it easier for those crews when they don't have to worry about working their way or jailbreaking, I guess companies that definitely view them as adversaries.”
Quality and Capability: DeepSeek is noted for its superior capabilities compared to existing open-source models, enhancing its utility for malicious purposes.

Patrick [13:05]: “It's more capable than the open source stuff that they could access already. But it's not like they didn't have any sort of ability to run a ring fenced LLM previously.”

Tom [13:48]: “I think this is a thing that will happen. There'll be a loss of visibility for Google. So I think that's a kind of more...”

4. EU Sanctions Against Russian APT Unit 29155

Key Points:

Background and Significance: The sanctions are based on cyber activities that date back several years, marking a significant move as it is the first formal attribution of Unit 29155 to malicious cyber operations.

Patrick [13:48]: “Now the final thing that we're going to talk about today are some sanctions, some EU sanctions against a Russian APT...”
Effectiveness and Timing: Tom reflects on whether sanctioning past activities is meaningful, pondering the delayed response since the incidents occurred five years prior.

Tom [15:27]: “It's a slap on the wrist for something that they did find.”
Political Will and Policy: The hosts discuss the challenges in enforcing sanctions due to geopolitical dependencies, such as Europe’s reliance on cheap Russian gas, which often hampers swift punitive actions.

Tom [16:32]: “When these incidents originally happened, there just wasn't the political will in to do anything about them because. Exactly. Like five years ago.”
Institutional Response: The EU’s move is seen as both a sign of bureaucratic momentum and a necessary step in holding rogue state actors accountable, albeit belatedly.

Tom [17:02]: “Yeah, I mean, the problem you're really trying to tackle is that Russia is just gangster state...”

Tom [16:32]: “I spoke to Stefan Susanto, who's at ETH Zurich, and his view was that when these incidents originally happened, there just wasn't the political will in to do anything about them because.”

Patrick [17:17]: “Yes. Yeah. I mean, the problem you're really trying to tackle is that Russia is just gangster state.”

5. Closing Remarks

Patrick wraps up the episode by encouraging listeners to subscribe to Tom’s newsletter and stay updated with Risky Business’ offerings.

Patrick [17:31]: “And that, you know, better late to learn than never, right? Tom Uren, that is it for this edition of the podcast...”

Key Takeaways:

Forgivable vs. Unforgivable Vulnerabilities: The NCSC’s framework introduces a method to assess software bugs based on their preventability and the ease of mitigation, aiming to standardize accountability in software development.
DeepSeek’s Impact on APTs: The emergence of DeepSeek enhances the operational capabilities of Chinese APTs by providing advanced AI tools without the corresponding threat intelligence and countermeasure development found in Western counterparts.
EU Sanctions on Russian APTs: The EU’s sanctions against Russia’s Unit 29155 signify a formal stance against state-sponsored cyber aggression, albeit with challenges related to geopolitical dependencies and delayed responses.

Notable Quotes:

Tom [02:26]: “If a bug's unforgivable, it means basically that the vendor totally disregarded secure development practices. They just shouldn't exist. No excuses.”
Tom [07:52]: “This is like kind of a complimentary approach to all the other procurement side things that you...”
Tom [10:21]: “DeepSeek, it doesn't seem like they're malicious at all in any way, but they're just a very much smaller company... that scale of effort just doesn't seem plausible.”
Tom [17:02]: “Yeah, I mean, the problem you're really trying to tackle is that Russia is just gangster state...”

For More Information: Listeners are encouraged to visit RiskyBiz to subscribe to newsletters and access additional podcast episodes for comprehensive cybersecurity insights.

This summary encapsulates the essential discussions from the February 6, 2025 episode of Risky Bulletin, providing a comprehensive overview for those who have yet to listen.

wavePod

Powered by Wave AI

Summary

1. Introduction to the Episode

2. NCSC’s Guidance on Forgivable Vulnerabilities

3. DeepSeek AI: Enhancing Chinese APT Capabilities

4. EU Sanctions Against Russian APT Unit 29155

5. Closing Remarks

Key Takeaways:

Notable Quotes:

Summary

1. Introduction to the Episode

2. NCSC’s Guidance on Forgivable Vulnerabilities

3. DeepSeek AI: Enhancing Chinese APT Capabilities

4. EU Sanctions Against Russian APT Unit 29155

5. Closing Remarks

Key Takeaways:

Notable Quotes: