Cyber AI Chronicle
By Simon Ganiere · 2nd June 2024
Welcome back!
Project Overwatch is a cutting-edge newsletter at the intersection of cybersecurity, AI, technology, and resilience, designed to navigate the complexities of our rapidly evolving digital landscape. It delivers insightful analysis and actionable intelligence, empowering you to stay ahead in a world where staying informed is not just an option, but a necessity.
What I learned this week
TL;DR
This week’s cyber security headline is brought to you by Snowflake! The situation is still complicated and evolving, but it looks like it’s already having some significant impact, as it seems to be linked to some data breaches at Santander and Ticketmaster. I decided to leverage some magic prompts to generate a visualisation summary and a timeline of the key dates and events. The ability of a model like ChatGPT (and others) to generate output in a specific format is often overlooked. In this case, I’m showing an example of how to use it with the markmap and mermaid.js formats to generate a visualisation and a timeline » MORE
On my rant last week about Microsoft Recall, which increases the attack surface: I highly recommend reading Kevin Beaumont’s latest post on it as well. The other scenario that didn’t hit me last week is BYOD. If your employees use Recall and connect via remote access to a VDI to do work…all of your DLP controls are just bypassed, and how do you deal with an employee leaving? Yes, you can exclude an application as per the FAQ, but you need a way to enforce this. A lot of companies do not fully control BYOD devices to enforce configuration. This is going to be really interesting.
OpenAI published their work to disrupt covert operations that were leveraging ChatGPT. Not a big surprise to see that, if I’m being honest, but I’m wondering if this is not going to give us a glimpse of the future, both in terms of disinformation and in terms of what the future of detection and response looks like » MORE
Check out the article from Bessemer Venture Partners on trends in the cyber security market. There are a couple of really interesting points in this article, not least about the consolidation and “platforming” we are observing » MORE
I have continued to develop my little ArXiv project from a couple of weeks ago. As I mentioned, I’m not a developer, but doing pair programming with ChatGPT is just so cool 😎 Assuming you have some basic understanding of programming to cross-check what’s going on, it’s absolutely amazing. I was able to add several key features in a couple of hours when it would have taken me days before. Such features include refactoring the summary page, adding paging, adding some extra fields like published date, a better search filter, a loading overlay, etc. Simply amazing! I’m now thinking about expanding this to other sources such as some RSS feeds or reference websites.
Oh and well Google had to do something about the AI search overview situation 😆 Whilst this is all fun it shows as well that adoption of AI is not easy and should not be taken lightly by companies as the price of fixing your reputation is probably higher than you think.
Visualizing Cyber Threats with AI
I’m a visual person, I prefer to have an image even if it’s basic rather than a big blurb of text. The cyber news of the week did not disappoint, as always, so this was another good opportunity to run a small experiment 😃
Yes, I’m talking about the Snowflake incident. There were quite a few articles, from the less technical (BBC News) to more technical blog posts or comments on social media. It’s always difficult to get a good summary or a good visualisation. I was thinking about all of this and wished I had a sort of mind-map type of summary of all of those articles. GenAI to the rescue!
I took the following articles as input:
Mitiga blog post on tactical threat hunting
Hudsonrock blog post, which was later taken down for unknown reason (if anyone knows please ping me)
Bleepingcomputer.com summary article
Techtarget.com summary article
The Stack summary article
BBC News article on Ticketmaster and Santander
Community Page article from Snowflake itself
Copy all of that content into a single document and send it to Fabric with a pattern named create_markmap_visualization.
pbpaste | fabric --pattern create_markmap_visualization
Once with the ChatGPT 4o model and once with the Claude 3 Opus model. Here is the output:

ChatGPT 4o output

Claude 3 Opus output
Obviously, the output of the pattern is text, but the pattern defines the output and it’s using the markmap format. You can then use the visualisation tool on their website to get the above.
The input was 40+ pages with 10’000+ words. Not everything is perfect in the summary but it gives you a pretty good 50’000 level view of what’s going on. What I’m basically saying is this can probably not be used “as-is” in a corporate environment but it’s a solid base that can help provide a high-level summary of what is going on.
I also wanted to have a time context for all this, there are a couple of dates in the above visualisation but I’m also a big fan of a nice timeline. Not a problem! I just created a create_timeline pattern in a couple of minutes, leveraging Mermaid.js to get this visualised. Plug it into Fabric and up you go:
pbpaste | fabric --pattern create_timeline
and the result (yes, you can argue with me about the colours but that’s the default) is the following, and also very helpful, in my opinion.

Timeline extraction using Mermaid (using ChatGPT 4o)
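Because the model's summary is not always perfect, one check worth running before a generated timeline is shared is to confirm that every date in it actually appears in the source articles. The sketch below is an added example, not the create_timeline pattern or any Fabric code; the function names are hypothetical, the sample text is constructed, and it assumes timeline periods are dates written without colons.

```python
import re

MONTHS = {m: i for i, m in enumerate(("january february march april may june july "
    "august september october november december").split(), 1)}
ISO = re.compile(r"\b(\d{4})-(\d{1,2})-(\d{1,2})\b")
DMY = re.compile(r"\b(\d{1,2})(?:st|nd|rd|th)?\s+([A-Za-z]+),?\s+(\d{4})\b")
MDY = re.compile(r"\b([A-Za-z]+)\s+(\d{1,2})(?:st|nd|rd|th)?,?\s+(\d{4})\b")

def dates_in(text):
    """Return every (year, month, day) written as ISO, '14 May 2024' or 'May 14, 2024'."""
    found = {(int(y), int(m), int(d)) for y, m, d in ISO.findall(text)}
    named = DMY.findall(text) + [(d, m, y) for m, d, y in MDY.findall(text)]
    for d, mon, y in named:
        if mon.lower() in MONTHS:  # ignore ordinary words that sit next to numbers
            found.add((int(y), MONTHS[mon.lower()], int(d)))
    return found

def parse_timeline(mermaid):
    """Parse Mermaid 'timeline' text into [(period, [events])]."""
    entries = []
    for raw in mermaid.splitlines():
        line = raw.strip()
        if not line or line == "timeline" or line.startswith(("title ", "section ", "%%")):
            continue
        parts = [p.strip() for p in line.split(":")]
        period, events = parts[0], [p for p in parts[1:] if p]
        if period:
            entries.append((period, events))
        elif entries:  # a line starting with ':' adds events to the previous period
            entries[-1][1].extend(events)
    return entries

def ungrounded_periods(mermaid, sources):
    """Periods whose date is unparseable or absent from the source text."""
    known = dates_in(sources)
    return [p for p, _ in parse_timeline(mermaid)
            if not dates_in(p) or not dates_in(p) <= known]

# Constructed sample data (fictional company, not taken from the articles).
SOURCES = """Example Corp said on 14 May 2024 that it saw unusual logins.
A follow-up post dated May 23, 2024 described credential resets.
The vendor advisory (2024-05-31) recommended enforcing MFA."""
TIMELINE = """timeline
    title Example Corp incident
    2024-05-14 : Unusual logins seen
    2024-05-23 : Credential resets
               : Customer notification
    2024-05-27 : Data offered for sale
    2024-05-31 : Advisory recommends MFA"""
```

Calling `ungrounded_periods(TIMELINE, SOURCES)` returns the periods to review by hand; a period the parser cannot read as a date is flagged as well rather than silently accepted.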
Connecting the dots
Now, whilst this is obviously good and very helpful, there is probably more that can be done to make this even more accurate. My thoughts are the following:
Move this to an Agent based architecture
Ability to start the whole process with a couple of keywords or basic context. Something like: I want to know more about the Snowflake incident and in particular what happened, threat actors, target, impact and recommendations.
Get one of the agents to go on the internet, based on a curated list of data sources, to pull the content. This can potentially be based on something like your trusted RSS feeds or websites.
Rate the content of those articles based on specific requirements like the level of detail, threat actor or TTP coverage, etc.
Use agents to identify the key elements: one for the timeline, one to zoom into the threat actors and the TTPs, one going after the target and impact, one after the recommendations.
The final touch is a set of agents to produce the output, from a text summary to visualisations like the above.
How would you approach this? Do you think this would be useful?
Worth a full read
Disrupting deceptive uses of AI by covert influence operations
Key Takeaway
OpenAI disrupted five covert influence operations aiming to manipulate public opinion.
These operations did not significantly increase audience engagement through OpenAI's services.
The disrupted operations attempted to manipulate public opinion on global political issues.
Disrupting covert operations requires a blend of AI innovation and human collaboration.
The balance between AI-generated and traditional content shapes public perception of authenticity.
Regularly update your knowledge on AI safety and responsible use practices.
Engage with cross-sector collaborations to tackle digital threats effectively.
Bessemer Venture Partners: Cybersecurity trends in 2024
Key Takeaway
Cybersecurity is becoming a leading sector in innovation across markets in 2024.
Public cybersecurity companies are reaching unprecedented market capitalizations in 2024.
Major cybersecurity players are focusing on acquisitions to build comprehensive platforms.
Consolidation and platformization in cybersecurity reflect a strategic shift towards efficiency.
Basic security hygiene remains foundational amidst advancing technological threats and solutions.
Compliance and regulation challenges underscore the growing importance of governance in cybersecurity.
Research Paper
TTPXHunter: Actionable Threat Intelligence Extraction as TTPs from Finished Cyber Threat Reports
Summary: The paper introduces TTPXHunter, an advanced tool for extracting Tactics, Techniques, and Procedures (TTPs) from cyber threat reports using a domain-specific language model. It addresses the limitations of previous tools by expanding the range of TTPs to 193 and improving accuracy through data augmentation and fine-tuning with SecureBERT. The tool achieves high performance, with an f1-score of 97.09% on real-world threat reports, significantly outperforming existing methods. TTPXHunter automates threat intelligence extraction, providing cybersecurity professionals with actionable insights to enhance defensive strategies and share intelligence efficiently.
Published: 2024-03-05T19:04:09Z
Authors: Nanda Rani, Bikash Saha, Vikas Maurya, Sandeep Kumar Shukla
Organizations: Indian Institute of Technology Kanpur
Findings:
TTPXHunter extracts 193 TTPs from threat reports.
Achieves 97.09% f1-score on real-world reports.
Outperforms existing TTP extraction methods.
Final Score: Grade: A, Explanation: High novelty, rigor, and empiricism with no conflicts of interest.
Some more reading
Critical Apache Log4j flaw still threatens global finance » READ
US senator claims UnitedHealth’s CEO, board appointed ‘unqualified’ CISO » READ
AI red-teaming tools helped X-Force break into a major tech manufacturer ‘in 8 hours’ » READ
Bank could lose $40 billion from fraud with the help of AI, Deloitte predicts » READ
Rather than measuring risk, fix an interesting problem » READ
Wisdom of the week
Just as a heart surgeon should not be hired to perform brain surgery, the head of cybersecurity for the largest health care company in the world should not be someone's first cybersecurity job.
Contact
Let me know if you have any feedback or any topics you want me to cover. You can ping me on LinkedIn or on Twitter/X. I’ll do my best to reply promptly!
Thanks! See you next week! Simon

