
Cyber AI Chronicle
By Simon Ganiere · 9th June 2024
Welcome back!
Project Overwatch is a cutting-edge newsletter at the intersection of cybersecurity, AI, technology, and resilience, designed to navigate the complexities of our rapidly evolving digital landscape. It delivers insightful analysis and actionable intelligence, empowering you to stay ahead in a world where staying informed is not just an option, but a necessity.
Note: There will be no newsletter next weekend as I’m traveling and taking a break!
What I learned this week
TL;DR
I know some readers might think I’m bashing Microsoft, but honestly what’s going on there is really important for the industry. It really looks like whoever is in charge of Recall did not get the memo named “Prioritizing security above all else” from Satya. However, thanks to the pressure from the security industry and its leaders, Microsoft finally decided to make some changes! Recall will not be enabled by default, and it will require authentication and encryption of the data. I can’t comprehend how all of those controls were missed from the start for the sake of marketing and announcement. I just hope that the rest of the Microsoft product team read that memo and we won’t see something this bad any time soon!
The war on data continues. Data was already a hot commodity and the whole AI movement is making this even more important. On a personal note, I would strongly recommend cross-checking some of the terms of use of the services you use. Adobe is now in hot water about it and it’s not the first company to struggle with recent terms changes.
A great research paper from Google on Securing the AI Software Supply Chain. This paper is well written and highlights some interesting points, like the fact that AI applications still have to deal with the basics of security. Most interestingly, as building models is expensive, it’s literally just pushing the necessity to rely on the software supply chain.
Also a lot of positive news from law enforcement. It seems there is a shift here as well, as we have seen quite a few successful law enforcement operations since the start of the year. The latest one, named Operation Endgame, targeted droppers such as IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot. This highlights the great collaboration between the private sector and law enforcement and the importance of those operations. Time will tell how successful this one was, but let’s hope it has a lasting effect.
No time to work on a coding project this week, but whilst reading a non-security book I came to learn about habituation and semantic satiation. Two concepts that are actually very relevant in cyber security and in particular to how we communicate cyber threats and risks. I really like how non-security concepts can be applied to cyber and how much we can learn from other disciplines.
Rethinking Cybersecurity Communication
I had a busy week traveling, so I spent less time than I wanted in front of my computer to follow up on last week’s experiment. I really want to continue to explore creating a more mature workflow to get information on a specific event in the security world and enrich and visualise the information automatically.
Whilst I was away from my keyboard, I still had time to read a few chapters of a book (ah those couple of hours in a plane with no phone, emails or Teams messages 🥰 ): The Diary of a CEO (by Steven Bartlett). One of the chapters explains two concepts I was not familiar with, habituation and semantic satiation:
Habituation is when people become desensitised to repeated stimuli;
Semantic satiation happens when words lose their meaning through repetition.
As I was reading that chapter, my security news feed was still buzzing with the Snowflake story and the apparently related stories about Santander and Ticketmaster. Together they represent a little bit less than 600m user/employee/client records being stolen… and, well yes, it made it to the press and into the news, but honestly nobody is either shocked or surprised by this situation!
I then connected the dots. The cyber world is clearly in a situation of habituation and semantic satiation! We have been bombarded with news about data breaches, hacking and cyber wizards that can breach anything at any time. We have certainly reached a point where the weekly (or daily) news that says your data has been breached again is not triggering any type of response.
The impact on security controls
Security controls are also impacted by this situation. If the security controls are too intrusive and keep flashing pop-ups or messages, the user will initially complain and then just overlook the control or, even worse, bypass the control altogether. This is just the reality of it. If you have a pop-up to warn you about sending email externally, at some point you will just “click through” without thinking about it. Phishing is another good example of this situation: the industry has added so many warnings, banners, messages and pop-ups that people don’t want to pay attention anymore.
This can also play out in other situations, like that of a SOC analyst. This is the usual alert fatigue situation, where a SOC analyst reviews the same type of alerts thousands of times and in the end misses the alerts that actually matter. Security controls must find the right balance from that perspective, especially with regard to the notification/interaction with the user. Sometimes it’s better to have a control taking action directly (prevention) rather than relying on the user. It’s therefore important to configure the control appropriately.
How to communicate cyber risk?
The way we communicate cyber risks or threats is also heavily influenced by habituation and semantic satiation. The continuous repetition leads to a “wallpaper” effect: nobody pays attention anymore. If every single presentation at the board level always follows the same set of terms or keywords, at some point the board will disengage.
So how can we avoid falling into this situation? Here are a few recommendations:
Vary the message and regularly change the focus.
Change the language and be more specific.
People pay more attention to emotionally impactful stories or visuals.
Use real-life examples.
Leverage relevant analogies to help illustrate your message.
In order to be heard, tell stories in an unrepetitive, unfiltered and unconventional way.
A note on fear mongering
Positive framing can create urgency without fear. Fear can slow down habituation, but relying solely on scare tactics can lead to anxiety and resistance. Instead, focus on the benefits of good cybersecurity practices, such as protecting customer trust and maintaining business continuity. Highlight success stories where proactive measures prevented significant losses. For instance, "By following these security protocols, we ensure that our data remains secure, allowing us to innovate and serve our customers better."
Conclusion
In summary, effective cybersecurity communication requires breaking the pattern of repetition, using fresh language, and balancing emotional impact with practical benefits. This approach helps keep the audience engaged and informed, driving meaningful action without resorting to ineffective scare tactics.
Worth a full read
Securing the AI Software Supply Chain
Key Takeaway
Provenance information is essential for securing AI artifacts and data.
Traditional software security measures can be adapted to AI ecosystems.
Dependency tracking and tampering protection are critical for supply chain security.
Signed provenance documents provide tamper-proof attestation of software production.
Data poisoning and tampering are significant risks in AI supply chains.
Model serialization allows transferring models into new environments securely.
Training frameworks optimize hardware use but introduce vulnerabilities.
Provenance collection is essential for tracking AI artifact integrity.
Security measures must be usable by developers to be effective.
Collective action is key to securing the AI software supply chain.
The race to make a business out of secure defaults
Key Takeaway
Secure defaults represent a shift towards embedding security into the fabric of technology use.
The balance between flexibility and prescription in secure defaults mirrors broader tech design challenges.
Adoption of secure defaults reflects a cultural shift towards prioritizing security in development processes.
The evolution of secure defaults highlights the dynamic nature of security needs and solutions.
The challenge of selling secure defaults underscores the complexity of integrating security into diverse tech environments.
Open-source initiatives are crucial for democratizing access to secure technologies and practices.
The journey towards universally secure-by-default technologies is ongoing, with significant progress yet to be made.
Secure defaults necessitate a holistic approach, considering both technical capabilities and human behavior.
The market for secure defaults is an indicator of the growing recognition of security as a foundational element.
Research Paper
ThreatKG: A Threat Knowledge Graph for Automated Open-Source Cyber Threat Intelligence Gathering and Management
Summary: The paper presents THREAT KG, a system for automated open-source cyber threat intelligence gathering and management. It collects OSCTI reports, extracts high-fidelity threat knowledge using deep learning and NLP techniques, constructs a threat knowledge graph, and continuously updates it. The system addresses challenges such as diverse report formats, nuances in natural language, and the need for continuous updates. Evaluations demonstrate its effectiveness in filtering non-threat reports, extracting various types of threat knowledge, and constructing a comprehensive threat knowledge graph. The system is scalable, extensible, and efficient, making it practical for real-world deployment.
Published: 2022-12-20T16:13:59Z
Authors: Peng Gao, Xiaoyuan Liu, Edward Choi, Sibo Ma, Xinyu Yang, Zhengjie Ji, Zilin Zhang, Dawn Song
Organizations: Virginia Tech, University of California, Berkeley
Findings:
THREAT KG collects OSCTI reports from 40+ sources.
Constructs a threat knowledge graph with 347K+ entities.
Achieves 99.98% F1 score in entity extraction.
Achieves 85% F1 score in relation extraction with data programming.
Final Score: Grade: A, Explanation: Novel, rigorous, empirical study with low conflicts of interest.
Some more reading
Sam Altman interview: AI and The Future of Art (YouTube) » READ
GitHub repos targeted in cyber-extortion attacks » READ
Uber ex-CSO Joe Sullivan: We need security leaders running to work, not giving up » READ
FBI says it has 7’000 LockBit ransomware decryption keys » READ
How Underground Groups Use Stolen Identities and Deepfakes » READ
Wisdom of the week
“Stop telling yourself you’re not qualified, good enough or worthy. Growth happens when you start doing the things you’re not qualified to do.”
Contact
Let me know if you have any feedback or any topics you want me to cover. You can ping me on LinkedIn or on Twitter/X. I’ll do my best to reply promptly!
Thanks! See you next week! Simon

