Triaging the Week 013

Triaging the Week

Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company.

This week, some serious moves were made on the defender side. Google released a new AI tool to help you identify malicious files, and a joint law enforcement operation took down the LockBit ransomware gang's infrastructure. Some new findings were also released: researchers discovered they could inject voice commands to manipulate virtual assistants, CrowdStrike released their annual threat report, and Mandiant taught us how to assess our CTI program effectively.

As always, a list of learning resources is included at the end. This time, some stuff on managing your email inbox, threat hunting fundamentals, securing credentials in your Python code, and leveraging Large Language Models (LLMs) for cyber threat intelligence. Let’s get started!


Top 5 News Stories


Story #1: Google Open Sources File-Identifying Magika AI

Magika is a machine-learning-powered file identifier that can quickly and accurately identify file types from file data. The software has been used across various Google products and services, such as Gmail, Drive, Chrome, and VirusTotal, to improve security and malware analysis. 

Google has now open-sourced this tool as part of its AI Cyber Defense Initiative, an effort to apply AI to cybersecurity that also includes partnering with startups, funding research, and experimenting with other tools like Gemini and RETVec. Threat hunters and malware analysts can use Magika to better automate the initial triage of malicious files and uncover potential threats. Give the tool a go!

Google Open Source Blog

Story #2: LockBit Ransomware Disrupted by Global Police Operation

A joint law enforcement action known as Operation Cronos has seized the servers and websites of the LockBit ransomware gang. The operation included the National Crime Agency of the UK, the FBI, Europol, and other agencies who managed to gain access to the gang’s data leak site and affiliate panel and obtain information on the group and its affiliates.

The LockBit ransomware-as-a-service operation emerged in 2019 and targeted various high-profile organizations worldwide, extorting at least $91 million from US victims since 2020. It has been one of the major players on the ransomware scene. This joint takedown will disrupt their operations, but, more importantly, the intelligence gained will hopefully lead to key members being arrested.

Bleeping Computer

Story #3: New Attacks Inject Voice Commands to Manipulate Virtual Assistants

Researchers have uncovered a new set of attacks called ‘VoltSchemer’ that can manipulate wireless chargers and smartphones using electromagnetic interference. VoltSchemer can cause overcharging, overheating, physical damage, data loss, and voice command injection on the devices and items near the charger.

VoltSchemer exploits security flaws in the hardware design and communication protocols of wireless charging systems by introducing noise signals to the voltage input of the charger. The researchers disclosed their findings to the vendors and suggested better designs that are more resilient to electromagnetic interference. 

CertiK – University of Florida

Story #4: CrowdStrike 2024 Global Threat Report Drops

CrowdStrike has released its annual report on the latest trends and insights on the cyber threat landscape, based on its analysis of 230+ adversaries and their activities in 2023. It highlights the rise of stealthy and sophisticated attacks by adversaries who exploit identity, cloud, and supply chain vulnerabilities, as well as leverage generative AI and valid credentials to evade detection.

I highly recommend giving it a read to stay up-to-date. There are some buzzwords and sales fluff, but the production value and pretty visuals make up for them.

CrowdStrike

Story #5: Mandiant Unveils Their CTI Program Maturity Assessment

Mandiant has just released a web-based tool to help organizations evaluate the maturity of their cyber threat intelligence (CTI) program and provide recommendations for improvement. 

The tool consists of 42 questions across six areas that measure the people, processes, and technologies involved in CTI, as well as the strategic alignment, organizational reach, and community engagement of the CTI program. It provides a maturity score based on the CMMI framework and offers practical suggestions for enhancing the CTI program.

This tool is a great place to start assessing your CTI program, but it won’t provide prescribed advice; for that, you need to pay. There are other tools that are similar to this, including Google Cloud’s Solution Center, which hosts the Security & Resilience Framework (SRF).

Mandiant


Top Tips of the Week


Threat Intelligence

  • Document your CTI processes thoroughly. Clear documentation aids in understanding, dissemination, and continuous improvement.

Threat Hunting

  • Test your defenses regularly. Simulate cyber attacks to evaluate preparedness and identify areas for improvement.
  • Share findings with the community. Collective insights strengthen everyone’s ability to respond to threats. 
  • Implement a feedback loop in cyber threat hunting. Gather insights from team members and stakeholders to continually improve processes.

Custom Tooling

  • Consider the user’s perspective in custom tool design. Prioritize features and functionalities based on user needs and preferences.
  • Encourage collaboration between developers and end-users in custom tool design. Align functionality with user needs and expectations.

Feature Article

The Courses of Action Matrix (CoA)

Do you know what defensive capabilities your organization has? Do you know what team is doing what to combat threats? Do you have a way of coordinating your defensive efforts? Let me introduce you to the Courses of Action (CoA) matrix.

This key strategic planning tool will allow you to assess your defensive capabilities, provide security teams with situational awareness, and enable you to coordinate defensive efforts. It provides a structured framework to help you organize your tactical and procedural responses to cyber threats. 

In this article, you will see how to use the CoA matrix in the real world by mapping your defensive actions against an adversary’s actions using the Cyber Kill Chain and MITRE ATT&CK. This will enable you to assess how resilient your organization is against a cyber attack, help you answer intelligence requirements, and drive critical thinking about defensive capabilities. Let’s get started! 

Read Now


Learning Resources


Spend Way Too Long Checking Emails? Try This Strategy

In this article, the renowned productivity expert Tiago Forte walks you through how to optimize your email inbox. He describes his process for keeping a clean email inbox, making the most of email tools, and organizing his daily inputs into actionable buckets.

It is a great article if you want to become more productive, organize your life, or just get rid of those annoying red notifications above your email app. I highly recommend giving it a try!

Forte Labs

Threat Hunting Fundamentals From TrustedSec

Another great interview from the team at TrustedSec. This time, featuring a topic more in my wheelhouse. Carlos Perez and Justin Vaicaro discuss the fundamentals of threat hunting, different methodologies that can help, and how all threat hunters need some offensive knowledge to excel.

It was great to see the research side of threat hunting discussed. This is often an overlooked area of the trade that most teams do not spend enough time doing. Research allows you to recognize hacking tools, discover custom tooling, and develop your offensive knowledge and skillset beyond the basics. 

How to Secure Your Python Credentials

Learn how to secure your Python credentials and keep them safe in this great demo from Arjan Codes. He explains everything from how environment variables can help you keep your sensitive data local to using credential scanning tools to prevent data leaks. If you code security tools, you better make sure they are secure! 

Large Language Models and Cyber Threat Intelligence

At the SANS Cyber Threat Intelligence Summit 2024, researchers Thomas Roccia and Roberto Rodriguez dropped major bombshells about leveraging LLMs for threat intelligence. They discussed strategies and techniques to get the most out of LLMs, automate CTI processes, and their limitations. 

This excellent talk is now available for FREE on YouTube. Check it out and discover how to harness LLMs in your daily work.

How to Get Into Cyber Security

Do you want to know how to get into cyber security? This guide will show you how. 

You’ll discover what you must do to enter this booming industry and get access to high salaries, a remote work lifestyle, and rewarding career opportunities. 

First, this guide will help you evaluate if you’re suited for a role in cyber. Then you’ll learn what skills are necessary to enter the field and how to demonstrate them with industry certifications. 

Finally, you’ll learn how to prepare and apply for cyber jobs by gaining experience, building an online presence, preparing for an interview, and finding the right job.

Let’s start learning!

StationX


Personal Notes


🤔 At Kraven this week, we focused on creating content around structured analytical techniques. These frameworks, models, and methodologies help you make better decisions when analyzing threat intelligence. Our new series covering them will teach you the core ones you must know as a cyber defender. 

There was also a reprioritization of programming projects with a move to a project-based organization system. This was done so we could deliver more content on building custom tools similar to our Python Threat Hunting Tools series. 

Finally, we had some fun experimenting with a Linux operating system called NixOS, which is currently rising in popularity. The OS has a unique approach to package management and system configuration, and we hope to create some content around how you can use it to create development environments in the future. 

I hope everyone has a great weekend and makes the most of the learning resources provided!


Interested in Learning More?

Learn the dark arts of red teaming

If you want more of a challenge, take on one of their certification exams and land your next job in cyber:

Learn more cyber security skills

If you’re looking to level up your skills even more, have a go at one of their certifications: