PRESENTED BY

Cyber AI Chronicle

By Simon Ganiere · 17th March 2024

Welcome back! This week newsletter is a 15 minutes read.

Project Overwatch is a cutting-edge newsletter at the intersection of cybersecurity, AI, technology, and resilience, designed to navigate the complexities of our rapidly evolving digital landscape. It delivers insightful analysis and actionable intelligence, empowering you to stay ahead in a world where staying informed is not just an option, but a necessity.

Table of Contents

What I learned this week

TL;DR

  • The impact of geopolitical into cyber is still significant. Whatever is happening at Microsoft with Midnight Blizzard is a very good reminder of this. Midnight Blizzard is probably the definition of a persistent actor as well :)

  • Vulnerability management is an important topic - especially when time-to-exploit is going down significantly for edge technology (VPN, remote access, etc.) - and reading about the challenged observed with the NVD (see in the section below) is something you should all have a look at and understand how it will impact your vulnerability management process.

  • I took a step back in term of my RAG project, you can find the details below. The potential of this is huge in my opinion as it’s a real augmentation that can help you doing a better job at work or for your personal projects.

Leverage GenAI to stay up to date

You know I have been trying to build a RAG to support some of my cyber research. After that miserable failure 😀 and with the help of some of you, I have taken a step back and thought about what I’m trying to achieve. Hopefully, this will be useful for all of you!

Turn out this week was a perfect example of what I want to achieve. Reading my cyber news feed the following list of reports / articles got my attention:

Total: 125+ pages! (I’m not counting the 161 pages of the Redcanary report 😅). Different topics, different formats, different structure, etc. Not sure for you but between work (e.g. meetings, calls, actual work, etc.) and personal life (e.g. sports, family time, kiddo, friends, etc.) I’m struggling to go through that much content or to be precise I can go through that much content I’ll, however, struggle to identify key takeaways and identify what its worth reading.

So in the end, what I need to solve is the following:

  1. I need a way to rate the content and identify what is worth having a full read vs. not. I can then prioritise and focus on the right content;

  2. I need a way to extract summary and key information (e.g. keywords, takeaway, recommendation, quotes, key stats, etc.);

  3. Ideally I would want to extract this automatically and even more ideally get that in a sort in a sort of a database where I can then query the content to extract it when I need it.

Let’s go step by step! For step #1, let’s look at what GenAI can do. LLMs are good a dealing with text, assuming the right prompt is given. I did mention this several times already but Daniel Miessler Fabric project is exactly what I need!

Here is a few patterns (aka prompt) that matched what I need:

  • rate_content

  • summarize

  • extract_wisdom

  • analyze_threat_report

  • analyze_threat_report_trends

So applying this to the Sophos Threat Report, we can get #1 solve with the rate_content pattern:

pbpaste | fabric --pattern rate_content

LABELS:

Cybersecurity, Ransomware, SmallBusiness, DataTheft, Malware, Phishing, CredentialTheft, Cybercrime, ThreatReport, IncidentResponse, Malvertising, SEO, MobileSecurity, SocialEngineering, ZeroDay, SupplyChain, Spam, MobileMalware, CyberDefense, MultifactorAuthentication

RATING:

S Tier: (Must Consume Original Content Immediately)

Explanation:

- The report comprehensively covers the multifaceted aspects of cybersecurity threats facing small businesses.
- It provides detailed insights into the evolution of cyber threats, including ransomware, data theft, and phishing.
- The inclusion of real-world data and statistics enhances the credibility and relevance of the information.
- The report offers actionable advice for small businesses on improving their cybersecurity posture.
- It aligns well with the themes of continuous improvement and the future of AI in cybersecurity.

CONTENT SCORE:

95

Explanation:

- The content is rich in detailed analysis and current data on cybersecurity threats, making it highly informative.
- It addresses a wide audience by focusing on small businesses, which are often underrepresented in cybersecurity discussions.
- The report's depth in covering various types of cyber threats and defenses provides a comprehensive overview of the current landscape.
- The actionable advice given is practical and directly applicable, offering high value to readers.
- The only minor deduction is due to the highly technical nature of the content which might not be as accessible to all readers.

Ok good that outcome is telling me I will need to read this fully. Looking for step #2, you can leverage several patterns but for the Sophos article it looks like analyze_threat_report might be a god choice:

pbpaste | fabric --pattern analyze_threat_report

ONE-SENTENCE-SUMMARY:
Small businesses face increasingly sophisticated cyber threats, with ransomware and data theft leading the charge, demanding robust defenses and swift response strategies.

TRENDS:
- Small businesses are disproportionately affected by cyberattacks due to limited cybersecurity resources.
- Over 75% of customer incident response cases for small businesses involved ransomware in 2023.
- Data theft, particularly through malware like password stealers and phishing, is a major threat to small businesses.
- Web-based malware distribution methods, such as malvertising and SEO poisoning, are on the rise.
- Unprotected devices on networks serve as primary entry points for cyberattacks on small businesses.
- The abuse of legitimate drivers to evade malware defenses is increasing.
- Email attacks are evolving from simple social engineering to more interactive engagements.
[...cut short for brevity...]

STATISTICS:
- More than 90% of the world's businesses are small- and medium-sized, accounting for over 50% of employment worldwide.
- In the United States, small and medium businesses account for over 40% of overall economic activity.
- In 2023, over 75% of Sophos' customer incident response cases were for small businesses.
- Nearly half of malware detections in 2023 targeted data theft.
- LockBit ransomware accounted for the largest number of incidents investigated by Sophos Incident Response in 2023.
- AgentTesla was the most detected malware by endpoint protection in 2023 overall.
- About 15% of total spam blocked by Sophos by year's end had been sent using Microsoft’s onmicrosoft.com messaging system.

QUOTES:
- "Cybercrime affects people from all walks of life, but it hits small businesses the hardest."
- "Data theft is the focus of most malware targeting small and medium businesses."
- "Attackers have turned increasingly to abuse of drivers to evade and disable malware defenses."
- "Ransomware remains a top threat for small businesses."
[...cut short for brevity...]

REFERENCES:
- World Bank
- Sophos X-Ops Incident Response service
- SophosLabs
- Managed Detection and Response (MDR)
- Active Adversary Report (AAR)
[...cut short for brevity...]

RECOMMENDATIONS:
- Educate staff on cybersecurity threats and best practices.
- Deploy multifactor authentication on all externally facing assets.
- Prioritize patching servers and network appliances.
- Consider migrating difficult-to-manage assets like Microsoft Exchange servers to SaaS email platforms.
- Monitor networks and respond swiftly to any signs of a breach.
- Stay informed about the latest cyber threats targeting small businesses.
- Implement layered defenses to minimize damages from potential attacks.
- Regularly back up critical data to mitigate the impact of ransomware attacks.
- Vet third-party service providers for security risks to prevent supply chain attacks.
- Encourage the use of secure mobile applications and educate users about mobile security threats.

So there you have it! more or less everything I want and if something is missing you can always go either tweak the pattern or add a new one.

Conclusion

That was a lot of quick wins to cover steps #1 and #2. Here are a few things to keep in mind:

  • I previously mention the context window, this basically means you can paste load of content into this. we are talking in the 100 pages of input if you have to. This is a lot bigger than people think.

  • Prompt is everything and I would highly recommend you go check the prompt details to get some inspiration. Obviously, the output is text but you can most probably have this change to json or other format if you need it.

  • Fabric has also a basic API server. This is where automation can kick in at scale. Not much is preventing you to then have a feed of webpages or report to be submitted to pattern and process the output.

  • The ideal output here would be a mix of traditional database so you can record some of the output and query them but also into a RAG so you can ask additional questions and get more context from all of the content you are putting in

  • Highly recommend that you follow Daniel Miessler work!

Worth a full read

The CEO Report on Cyber Resilience

The CEO Report on Cyber Resilience, authored by Dr. Manuel Hepfer, Rashmy Chatterjee, and Professor Michael Smets, explores the shift from cybersecurity to cyber resilience among CEOs of large global enterprises. It emphasizes the need for CEOs to adopt new mindsets and actions to anticipate, withstand, respond, and adapt to cyberattacks, aiming to minimize impact and emerge stronger.

istari-global.com/insights/news/ceo-report-on-cyber-resilience

Key Takeaway

  • CEOs should actively engage in developing and implementing a cyber resilience strategy.

  • Organizations should foster a culture that prioritizes cyber resilience.

  • Continuous learning and adaptation are essential in the face of evolving cyber threats.

  • Collaboration across industries and with government entities should be pursued to enhance cyber resilience.

  • Develop and track resilience metrics alongside traditional performance metrics.

  • Leadership should promote an organizational mindset geared towards resilience.

  • Integrate cyber resilience into the overall business strategy.

  • Prepare to not only survive but thrive after a cyberattack through proactive planning.

  • Embrace new technologies like AI and machine learning for advanced cyber defense strategies.

  • Ensure that all levels of the organization understand their role in maintaining cyber resilience.

Death Knell of the NVD?

A look at recent concerns around the NIST National Vulnerability Database (NVD) and its implications

resilientcyber.substack.com/p/death-knell-of-the-nvd

Key Takeaway

  • The NIST NVD is a critical repository for vulnerability management data, widely used across the cybersecurity industry.

  • Concerns have arisen due to an announcement about changes to the NVD, causing uncertainty in the cybersecurity community.

  • Researchers noticed a significant drop in analyzed CVEs and enriched vulnerability data following the announcement.

  • The delay in processing and analyzing CVEs could impact organizations' ability to manage vulnerabilities effectively.

  • Key components like CPE, CVSS, and CWE are essential for identifying, scoring, and categorizing vulnerabilities.

  • Alternatives to NVD exist, such as Sonatype OSS Index, OSV Database, and GitHub Advisory Database, each with unique focuses.

  • The OSV project by Google aims to improve vulnerability triage for open-source software with a standardized format.

  • GitHub Advisory Database leverages the OSV format to provide a comprehensive list of security vulnerabilities and malware.

  • The future of the NVD is uncertain, with calls for more transparency and efficiency from the cybersecurity community.

  • Despite criticisms, the NVD remains a foundational element of the vulnerability management ecosystem.

Some more reading

Although ransomware gangs started 2024 off at a slow pace, attacks picked up across several key sectors throughout February. » READ

Sophisticated Vishing Campaigns Take World by Storm » READ

China’s AI Enabled Cyber capabilities » READ

Identity Security - How best to strengthen enterprise security » READ

Continuing the Citrix Saga: CVE-2023-5914 & CVE-2023-6184 » READ

Security Flaws within ChatGPT Ecosystem Allowed Access to Accounts On Third-Party Websites and Sensitive Data » READ

Google's Gemini AI Vulnerable to Content Manipulation » READ

Some learning about API Security…keep saying this but this is super important » READ

Fortinet warns on critical SQL injection (!) bug after NCSC disclosure…if it’s internet facing you must be ready to patch in 24h! » READ

The CISO role is changing but can CISO themselves keep up? » READ

We talked about deepfake in a previous newsletter…I can only feel slightly weird when i’m reading AI startup are getting $18m in funding and their key product read: […]hyper-personalized videos that actually look and sound like you […] and i’m wondering of much this can be misuse ? » READ

British Library pushes the cloud button, says legacy IT estate cause of hefty rebuild….or when ransomware is the main driver of your digital transformation! » READ

Wisdom of the week

Security isn’t something you buy, it’s something you do, and it takes talented people to do it right.

Contact

Let me know if you have any feedback or any topics you want me to cover. You can ping me on LinkedIn or on Twitter/X. I’ll do my best to reply promptly!

Thanks! see you next week! Simon

Reply

Avatar

or to participate

Keep Reading

© 2026 Project Overwatch - The views and opinions expressed are my own and not those of any of my current, previous, or future employers..
Report abusePrivacy policyTerms of use
beehiivPowered by beehiiv